unable to drain k8s node running Istio components with PDB #12602
Comments
I don't think this is related to the critical-pod annotation, but rather to the PodDisruptionBudget. You can view it with `kubectl get pdb -n istio-system`. Try running 2 replicas of Pilot.
Agreed, try scaling out istio-policy first before draining the node, as the PDB requires at least 1 replica to be alive.
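For example, a one-off scale-up before the drain might look like this (assuming the deployment lives in istio-system):

```sh
kubectl scale deployment istio-policy --replicas=2 -n istio-system
```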
@jansmets is this still an issue?
The default Helm installs are set up with 1 replica and a PDB for several deployments / HPAs. This seems like a case of a bad default config. PDBs are a feature for HA deployments, and HA deployments imply 2+ replicas. The reason this is bad is that it breaks `kubectl drain`: with minAvailable: 1 and a single replica, allowed disruptions is always 0, so eviction can never proceed. I don't know if this is a feature or a bug, but it's not a great default config for Istio installs. I would either remove the PDBs or increase default replicas to 2. Affected deployments (spec.replicas = 1): certmanager, istio-galley
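For illustration, the problematic default boils down to something like the following (a sketch; the name and labels here are assumptions, not the exact chart output): a PDB with minAvailable: 1 selecting a single-replica Deployment.

```yaml
# Hypothetical sketch of the bad default: one replica guarded by minAvailable: 1.
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: istio-galley
  namespace: istio-system
spec:
  minAvailable: 1          # with replicas: 1, allowed disruptions is permanently 0
  selector:
    matchLabels:
      app: galley
```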
Is there any plan to resolve this issue? It's still a blocker when using a tool like kured. It results in a node being effectively locked out of action almost indefinitely.
We also ran into this issue and worked around it by overriding the default settings. Actually resolving this issue has some challenges from my perspective which I'm not sure how to solve best: we want to create a PDB only when the deployment runs enough replicas to satisfy it, but what if you don't set the replica count explicitly? Probably a quick win would be to allow setting the PDB values via the Helm chart.
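A sketch of the kind of guard being discussed, assuming a Helm chart template and a `galley.replicaCount` value (the value path and labels are assumptions): only render the PDB when more than one replica is requested.

```yaml
{{- if gt (int .Values.galley.replicaCount) 1 }}
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: istio-galley
  namespace: {{ .Release.Namespace }}
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app: galley
{{- end }}
```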
I think this is still a valid issue for the new installer/operator. The result is that we produce a production high-availability profile that has multiple replicas and is specifically targeted at resolving upgrades without downtime. We don't want this to be a solution just for istio-policy, as istio-policy is going away soon. How does that sound @johscheuer @jansmets @dwradcliffe?
@dwradcliffe @linsun running into the same issue:
What can I do to fix it?
@Arnold1 you need to add one more replica for istio-policy & istio-galley. If you installed Istio with Helm, you need to add the following lines to values.yaml:
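The snippet itself wasn't captured in this thread; based on the Istio 1.x Helm chart value paths (`mixer.policy.replicaCount` and `galley.replicaCount`, which I'm assuming here), it was presumably along these lines:

```yaml
mixer:
  policy:
    replicaCount: 2
galley:
  replicaCount: 2
```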
Then apply it:
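The exact command wasn't preserved; a typical upgrade, assuming the release is named istio and you're running from the Istio release directory, would be:

```sh
helm upgrade istio install/kubernetes/helm/istio \
  --namespace istio-system -f values.yaml
```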
Citadel has the same problem in Istio 1.4, except you don't appear to be able to specify its replicaCount, as far as I can see.
@colincoghill for Citadel it's the security section. values.yaml:
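The snippet is missing from this capture; since Citadel lives under the security section of the Istio 1.4 Helm values, it was presumably along these lines:

```yaml
security:
  replicaCount: 2
```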
aha, brilliant, that worked for me, thank you @vigohe
@colincoghill @vigohe can I use this values.yaml file for istio 1.4? values.yaml:
@vigohe I get this error:
what worked is:
and then:
Is that the recommended way for Istio 1.4?
So, what is Istio's recommended solution to correctly drain a node running any Istio component? Istio 1.4.2 installed with istioctl has these values for the prod (default) profile: `k get pdb -n istio-system` shows ALLOWED DISRUPTIONS = 0 for all components. Thanks!
Hi all, I have this same issue, only it is on a Kubernetes cluster (v1.17.2) with only 2 nodes, one master and one worker. Since pods are only scheduled on the worker, we can't get around this problem by autoscaling. We don't need HA, but it would be nice to be able to drain the node properly. Is there any way to disable the PDB (and HPA) for the ingress gateways and istiod? We are using Istio 1.6 installed with istioctl, and this is the current ingress gateway config, but it still creates PDB components: If I remove the hpaSpec then it sets an HPA with max replicas 5, which is definitely not what we want. Thanks,
This can be avoided with the following spec:
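(The spec itself didn't survive this capture; below is a minimal sketch of an IstioOperator overlay with that effect, assuming the global `defaultPodDisruptionBudget` toggle and pinned `hpaSpec` values behave as documented:)

```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  values:
    global:
      defaultPodDisruptionBudget:
        enabled: false        # don't generate PDBs at all
  components:
    pilot:
      k8s:
        hpaSpec:
          minReplicas: 1
          maxReplicas: 1      # pin the HPA so it can't scale up to 5
    ingressGateways:
    - name: istio-ingressgateway
      enabled: true
      k8s:
        hpaSpec:
          minReplicas: 1
          maxReplicas: 1
```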
which should probably be the default (the HPA values)
Related: #24000
It is important to note that this solution only works if you installed Istio using the Istio Operator. (At least that was my experience.)
Just scaling the istiod deployment to 2 and afterwards scaling it back to 1 worked for me:

```sh
kubectl cordon <your node to drain>
kubectl scale --replicas=2 deployment/istiod -n istio-system
# Make sure it was scaled; when you scale it back down, the pod
# on the cordoned node is the one that gets removed
kubectl scale --replicas=1 deployment/istiod -n istio-system
kubectl drain <your node to drain>
```

P.S. In my case, istiod was on a separate node from the other Istio-related services, and it worked.
@Kostanos' suggestion helped me heal the cluster during the AKS outage yesterday caused by the Ubuntu 18.04 issues. In addition I had to run the same command on
* common: Add Istio v1.16.0 manifests
* Update kustomization file in example to deploy istio-1-16
* tests: Update install Istio GH action script: use Istio 1.16 for testing
* common: Remove PodDisruptionBudget resources for Istio

  Istio 1.16.0 generated manifests include some policy/v1 PodDisruptionBudget resources that we need to remove. See:
  - istio/istio#12602
  - istio/istio#24000

  The current manifests utilize two "delete" patches:
  - common/istio-1-16/istio-install/base/patches/remove-pdb.yaml
  - common/istio-1-16/cluster-local-gateway/base/patches/remove-pdb.yaml

  However, these patches do not work with kustomize v3.2.0. The root cause is that v3.2.0 doesn't have the appropriate OpenAPI schema for the policy/v1 API version resources. This is fixed in kustomize v4+. See:
  - kubernetes-sigs/kustomize#3694 (comment)
  - kubernetes-sigs/kustomize#4495

  Changes:
  - Disable the delete patches until we upgrade to kustomize v4+ (tracked in #1797).
  - As a temporary workaround, remove PodDisruptionBudget resources manually with yq before deploying the Istio manifests.
  - Update the README file with instructions.

  Refs: #2325
* Update README: use the --cluster-specific flag when generating Istio 1.16 manifests for K8s 1.25. See istio/istio#41220
* tests: Update GH Action workflows: trigger the workflows when the Istio version changes

Signed-off-by: Apostolos Gerakaris <[email protected]>
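A rough sketch of that temporary yq workaround (assuming mikefarah yq v4 and a generated manifest file named istio.yaml, both of which are assumptions here):

```sh
# Drop every PodDisruptionBudget document from the generated multi-doc manifest
yq eval 'select(.kind != "PodDisruptionBudget")' istio.yaml > istio-no-pdb.yaml
```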
You can save yourself a command @Kostanos. Once you've cordoned your Node, use the `kubectl rollout restart` command on the deployment instead.
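That would make the sequence something like the following (a sketch, assuming istiod runs in istio-system):

```sh
kubectl cordon <your node to drain>
# A rollout restart reschedules the pod; the replacement lands on an uncordoned node
kubectl rollout restart deployment/istiod -n istio-system
kubectl drain <your node to drain>
```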
Deployed Istio 1.1.0 RC with the Helm chart (not `helm template`).
I would like to drain a specific node because it needs a reboot.
The Istio pods prevent that.
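Concretely, the failure mode looks like this (the node and pod names are placeholders; the error text is the standard eviction message kubectl prints when a PDB blocks eviction):

```sh
kubectl drain <node-name> --ignore-daemonsets
# error when evicting pod "istio-galley-..." (will retry):
# Cannot evict pod as it would violate the pod's disruption budget.
```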
(Also note that the annotation scheduler.alpha.kubernetes.io/critical-pod is deprecated and will be removed in k8s 1.14!)