I have a Kubernetes cluster set up with a cluster autoscaler, and I'm trying to get Istio behaving properly on this cluster.
In my setup, I'm stuck with a few things:
- There are standalone pods that get scheduled on my nodes (not under any deployment/replicaset)
- I have to use Istio CNI and can't use Istio init containers
The issue comes when the cluster autoscaler adds a new node because one of the aforementioned pods tries to come up but there aren't any resources available.
The Istio CNI daemonset needs to finish bootstrapping the new node, but the Kubernetes scheduler immediately schedules the pod when it sees that the node is in a Ready state. There doesn't seem to be a way yet to stop Kubernetes from marking the node Ready until the daemonset finishes. This whole issue is covered in the Istio docs here.
For reasons I won't get into, I can't make the above pods a deployment/replicaset which probably rules out using Istio's recommended solution, since deleted pods won't spin up again.
The only solution I can think of right now is using a dynamic admission controller to mutate the pod spec and inject an init container that will watch the daemonset until it reaches the completed state.
So basically this leaves me with the following two questions:
- Does the istio-validation container always get injected as the first init container? If so, this would make the above solution invalid.
- This sounds like a bonkers way of handling this, and I can't help but believe there has got to be an easier way to do this. Any other ideas?
Any help would be much appreciated! Thanks in advance!
Cheers
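As an added illustration of the mutating-admission approach the question describes (this is example code, not from the original post or from Istio), the snippet below builds the JSONPatch a webhook would return to prepend a "wait for Istio CNI" init container to a pod. It assumes the Istio CNI DaemonSet pods carry the label `k8s-app=istio-cni-node` in `istio-system`, that the pod's ServiceAccount has RBAC to get/list pods there, and that a `kubectl` image is acceptable for the waiter; the waiter polls for a Ready CNI pod on the same node (via the downward API) rather than for a "completed" DaemonSet, since a DaemonSet never completes. Container name, image and label are assumptions.

```python
"""Mutating-webhook helper: prepend an init container that blocks until the
Istio CNI DaemonSet pod on the same node is Ready.

Example code, not part of the original post or of Istio.
"""
import base64
import json

# Assumption: default Istio CNI DaemonSet pod label and namespace.
CNI_NAMESPACE = "istio-system"
CNI_POD_LABEL = "k8s-app=istio-cni-node"
# Hypothetical name/image for the injected waiter.
WAIT_CONTAINER_NAME = "wait-for-istio-cni"
WAIT_IMAGE = "bitnami/kubectl:1.28"


def wait_container():
    """Init container that polls until a Ready istio-cni-node pod exists on this node.

    Uses the pod's own ServiceAccount; that SA needs get/list on pods in
    CNI_NAMESPACE (RBAC is an assumption, not shown here).
    """
    script = (
        "until kubectl -n " + CNI_NAMESPACE + " get pod -l " + CNI_POD_LABEL
        + " --field-selector spec.nodeName=$NODE_NAME"
        + " -o jsonpath='{.items[*].status.conditions[?(@.type==\"Ready\")].status}'"
        + " | grep -q True; do"
        + " echo \"waiting for istio-cni on $NODE_NAME\"; sleep 2; done"
    )
    return {
        "name": WAIT_CONTAINER_NAME,
        "image": WAIT_IMAGE,
        "command": ["sh", "-c", script],
        # Downward API: the node the scheduler placed this pod on.
        "env": [{"name": "NODE_NAME",
                 "valueFrom": {"fieldRef": {"fieldPath": "spec.nodeName"}}}],
    }


def build_patch(pod):
    """Return a JSONPatch list that prepends the waiter; empty if nothing to do."""
    annotations = pod.get("metadata", {}).get("annotations") or {}
    # Pods that opt out of Istio injection never get the CNI redirect, so skip them.
    if annotations.get("sidecar.istio.io/inject") == "false":
        return []
    init = pod.get("spec", {}).get("initContainers") or []
    if any(c.get("name") == WAIT_CONTAINER_NAME for c in init):
        return []  # idempotent on re-admission
    if not init:
        return [{"op": "add", "path": "/spec/initContainers",
                 "value": [wait_container()]}]
    # "/spec/initContainers/0" inserts before index 0, so the waiter runs
    # before istio-validation regardless of where Istio's webhook put it,
    # provided this webhook runs after Istio's (ordering is controlled by the
    # MutatingWebhookConfiguration, and is an assumption here).
    return [{"op": "add", "path": "/spec/initContainers/0",
             "value": wait_container()}]


def admission_response(review):
    """Build the AdmissionReview response (v1) for an incoming pod CREATE."""
    req = review["request"]
    patch = build_patch(req["object"])
    resp = {"uid": req["uid"], "allowed": True}
    if patch:
        resp["patchType"] = "JSONPatch"
        resp["patch"] = base64.b64encode(json.dumps(patch).encode()).decode()
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": resp}


def decode_patch(response):
    """Decode the base64 JSONPatch from an admission response (empty if none)."""
    encoded = response["response"].get("patch")
    return json.loads(base64.b64decode(encoded)) if encoded else []


# Constructed sample request: a standalone pod that Istio has already mutated.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {"uid": "11111111-2222-3333-4444-555555555555",
                "object": {"metadata": {"name": "job-runner"},
                           "spec": {"initContainers": [{"name": "istio-validation"}],
                                    "containers": [{"name": "app"}]}}},
}

if __name__ == "__main__":
    print(json.dumps(decode_patch(admission_response(SAMPLE_REVIEW)), indent=2))
```

The waiter sits in front of `istio-validation` only if this webhook is ordered after Istio's injector; otherwise Istio's patch lands on top of yours, so check the resulting pod spec on a scaled-up node rather than assuming the order.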