PodDisruptionBudget is not synced to host cluster despite sync.toHost.podDisruptionBudgets.enabled: true
What happened?
When creating a PodDisruptionBudget (PDB) inside the vcluster, the resource is not synced or created in the host cluster, even though the sync.toHost.podDisruptionBudgets.enabled option is set to true in the vcluster configuration. As a result, disruption protection expected by the PDB is not enforced on the host cluster, so workloads may be evicted without respecting the PDB. This occurs even when following the official documentation for vcluster PDB syncing.
What did you expect to happen?
Any PodDisruptionBudget created in the vcluster should be synced and visible in the host cluster, and should be enforced so that workload disruption is properly limited as configured.
How can we reproduce it (as minimally and precisely as possible)?
- Create a kind cluster and install vcluster using the configuration from the official vcluster documentation for PDB syncing:
  sync:
    toHost:
      podDisruptionBudgets:
        enabled: true
      serviceAccounts:
        enabled: true
    fromHost:
      nodes:
        enabled: true
        clearImageStatus: true
- Inside the vcluster, create a Deployment and a PodDisruptionBudget, e.g.:
  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: nginx-deployment
    labels:
      app: nginx
  spec:
    replicas: 2
    selector:
      matchLabels:
        app: nginx
    template:
      metadata:
        labels:
          app: nginx
      spec:
        containers:
          - name: nginx
            image: nginx:stable
            ports:
              - containerPort: 80
            resources:
              requests:
                cpu: "100m"
                memory: "128Mi"
              limits:
                cpu: "250m"
                memory: "256Mi"
  ---
  apiVersion: policy/v1
  kind: PodDisruptionBudget
  metadata:
    name: nginx-pdb
  spec:
    minAvailable: 1
    selector:
      matchLabels:
        app: nginx
- Check the host cluster: the PDB is not present, and disruptions are not limited as expected.
- Logs from the vcluster show repeated errors such as:
INFO commandwriter/commandwriter.go:128 quota admission added evaluator for: poddisruptionbudgets.policy {"component": "vcluster", "component": "apiserver", "location": "controller.go:667"}
INFO commandwriter/commandwriter.go:128 Unhandled Error {"component": "vcluster", "component": "controller-manager", "location": "disruption.go:647", "err": "Error syncing PodDisruptionBudget default/nginx-pdb, requeuing: Operation cannot be fulfilled on poddisruptionbudgets.policy \"nginx-pdb\": the object has been modified; please apply your changes to the latest version and try again", "logger": "UnhandledError"}
Anything else we need to know?
Config copied from the official documentation: https://www.vcluster.com/docs/vcluster/configure/vcluster-yaml/sync/to-host/advanced/pod-disruption-budgets If you need further logs or details, I can provide them.
Host cluster Kubernetes version
$ kubectl version
Client Version: v1.33
Server Version: v1.33
vcluster version
$ vcluster --version
v0.28
VCluster Config
sync:
  toHost:
    podDisruptionBudgets:
      enabled: true
    serviceAccounts:
      enabled: true
  fromHost:
    nodes:
      enabled: true
      clearImageStatus: true
Sorry for the delay. I just tested this and it worked for me on 0.30. This is from the host:
kubectl get pdb -A
NAMESPACE      NAME                        MIN AVAILABLE   MAX UNAVAILABLE   ALLOWED DISRUPTIONS   AGE
vcluster-pdb   nginx-pdb-x-default-x-pdb   1               N/A               1                     58s
That error is a common transient error. It's possible it was just operated on right before you applied:
Operation cannot be fulfilled on poddisruptionbudgets.policy "nginx-pdb": the object has been modified; please apply your changes to the latest version and try again"
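A host-side check for the symptom reported in this issue, as an added example that is not part of the thread or of the vcluster project: it reads the JSON from `kubectl get pdb -A -o json` on the host and reports whether the virtual PDB has a synced counterpart with a reconciled status. The `<name>-x-<namespace>-x-<vcluster>` naming, the vcluster name `pdb` and the host namespace `vcluster-pdb` are assumptions inferred from the `kubectl get pdb -A` output above; names long enough to be shortened on the host are not handled, and the sample JSON is constructed.

```python
import json

# Constructed sample of `kubectl get pdb -A -o json` on the host, modelled on
# the table shown in the reply above (status values are illustrative).
SAMPLE_HOST_PDBS = json.dumps({"items": [
    {"metadata": {"namespace": "vcluster-pdb",
                  "name": "nginx-pdb-x-default-x-pdb"},
     "spec": {"minAvailable": 1},
     "status": {"disruptionsAllowed": 1, "currentHealthy": 2,
                "desiredHealthy": 1}},
]})


def host_name(name, namespace, vcluster):
    """Assumed host-side name, inferred from the kubectl output in the thread."""
    return f"{name}-x-{namespace}-x-{vcluster}"


def check_pdb_synced(host_json, name, namespace, vcluster, host_ns):
    """Return (ok, reason) for one virtual PDB against the host's PDB list."""
    want = host_name(name, namespace, vcluster)
    for item in json.loads(host_json).get("items", []):
        meta = item.get("metadata", {})
        if meta.get("namespace") != host_ns or meta.get("name") != want:
            continue
        spec = item.get("spec", {})
        # A PDB without either field does not limit evictions at all.
        if "minAvailable" not in spec and "maxUnavailable" not in spec:
            return False, f"{want} has neither minAvailable nor maxUnavailable"
        # Missing status means the host disruption controller has not
        # reconciled the object yet, so the budget is not being enforced.
        if "disruptionsAllowed" not in item.get("status", {}):
            return False, f"{want} exists but has no reconciled status"
        return True, f"{want} present in {host_ns}"
    return False, f"{want} not found in {host_ns}"


if __name__ == "__main__":
    ok, reason = check_pdb_synced(SAMPLE_HOST_PDBS, "nginx-pdb", "default",
                                  "pdb", "vcluster-pdb")
    print("OK" if ok else "FAIL", reason)
```

Against a live host cluster, pass the output of `kubectl get pdb -A -o json` as `host_json`; a `not found` result matches the behaviour reported on v0.28.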