Merge pull request #3808 from telepresenceio/thallgren/evict-by-patch

Rollout workload when disruption budget prevents pod eviction

Author: thallgren

charts/telepresence-oss/templates/trafficManagerRbac/cluster-scope.yaml

@@ -56,6 +56,9 @@ rules:
   - get
   - list
   - watch
+{{- if .agentInjector.enabled }}
+  - patch
+{{- end }}
 {{- if .workloads.argoRollouts.enabled }}
 - apiGroups:
   - "argoproj.io"
@@ -65,6 +68,9 @@ rules:
   - get
   - list
   - watch
+{{- if .agentInjector.enabled }}
+  - patch
+{{- end }}
 {{- end }}
 - apiGroups:
     - "events.k8s.io"

charts/telepresence-oss/templates/trafficManagerRbac/namespace-scope.yaml

@@ -73,6 +73,9 @@ rules:
   - get
   - list
   - watch
+{{- if $interceptEnabled }}
+  - patch
+{{- end }}
 {{- if $argoRolloutsEnabled }}
 - apiGroups:
   - "argoproj.io"

cmd/traffic/cmd/manager/cluster/podwatcher.go

@@ -19,14 +19,6 @@ import (
 	"github.com/telepresenceio/telepresence/v2/pkg/subnet"
 )
 
-// PodLister helps list Pods.
-// All objects returned here must be treated as read-only.
-type PodLister interface {
-	// List lists all Pods in the indexer.
-	// Objects returned here must be treated as read-only.
-	List(selector labels.Selector) (ret []*corev1.Pod, err error)
-}
-
 type podWatcher struct {
 	ipsMap    map[netip.Addr]struct{}
 	timer     *time.Timer

cmd/traffic/cmd/manager/mutator/agent_injector.go

@@ -134,7 +134,7 @@ func (a *agentInjector) Inject(ctx context.Context, req *admission.AdmissionRequ
 			uwkError := k8sapi.UnsupportedWorkloadKindError("")
 			switch {
 			case k8sErrors.IsNotFound(err):
-				dlog.Debugf(ctx, "No workload owner found for pod %s.%s", pod.Name, pod.Namespace)
+				dlog.Tracef(ctx, "No workload owner found for pod %s.%s", pod.Name, pod.Namespace)
 			case errors.As(err, &uwkError):
 				dlog.Debugf(ctx, "Workload owner with %s found for pod %s.%s", uwkError.Error(), pod.Name, pod.Namespace)
 			default:
@@ -146,19 +146,21 @@ func (a *agentInjector) Inject(ctx context.Context, req *admission.AdmissionRequ
 		scx = a.agentConfigs.Get(wl.GetName(), wl.GetNamespace())
 		switch {
 		case scx == nil:
-			dlog.Debugf(ctx, "Skipping %s.%s (no agent config)", wl.GetName(), wl.GetNamespace())
+			dlog.Tracef(ctx, "Skipping %s (no agent config)", wl)
 			return nil, nil
 		case scx.AgentConfig().Manual:
-			dlog.Debugf(ctx, "Skipping webhook where agent is manually injected %s.%s", wl.GetName(), wl.GetNamespace())
+			dlog.Tracef(ctx, "Skipping webhook where agent is manually injected %s", wl.GetNamespace())
 			return nil, nil
 		}
 	default:
 		return nil, fmt.Errorf("invalid value %q for annotation %s", ia, agentconfig.InjectAnnotation)
 	}
+	return createPatch(ctx, scx.AgentConfig(), pod)
+}
 
+func createPatch(ctx context.Context, config *agentconfig.Sidecar, pod *core.Pod) (PatchOps, error) {
 	var patches PatchOps
 	var annotations map[string]string
-	config := scx.AgentConfig()
 	patches = addInitContainer(pod, config, patches)
 	patches, annotations = addAgentContainer(ctx, pod, config, patches)
 	patches = addPullSecrets(pod, config, patches)