OCPCLOUD-3436: use AlwaysAllow UnhealthyPodEvictionPolicy option in PDBs

[atiratree]

Allow eviction of unhealthy (not ready) pods even if there are no disruptions
allowed on a PodDisruptionBudget. This can help to drain/maintain a node and
recover without a manual intervention when multiple instances of nodes or pods
are misbehaving.

Conventions change: openshift/enhancements#1995

Summary by CodeRabbit

• Bug Fixes

  • PodDisruptionBudgets now explicitly set the unhealthy-pod eviction policy to always allow evictions, ensuring consistent eviction behavior during node or pod disruptions.

• Tests

  • Test coverage updated to include cases where existing and desired PodDisruptionBudget eviction policies differ, ensuring correct detection and apply behavior.

[openshift-ci-robot]

@atiratree: This pull request references OCPCLOUD-3436 which is a valid jira issue.

Details

In response to this:

Allow eviction of unhealthy (not ready) pods even if there are no disruptions
allowed on a PodDisruptionBudget. This can help to drain/maintain a node and
recover without a manual intervention when multiple instances of nodes or pods
are misbehaving.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b76c6818-d1f9-4e7a-a7b6-ac8faf4fc37a

📥 Commits

Reviewing files that changed from the base of the PR and between d1d8381 and aa7f75f.

📒 Files selected for processing (2)

• pkg/cloud/common/resources.go
• pkg/controllers/resourceapply/resourceapply_test.go

🚧 Files skipped from review as they are similar to previous changes (1)

• pkg/controllers/resourceapply/resourceapply_test.go

---

Walkthrough

getPDB now sets Spec.UnhealthyPodEvictionPolicy to policy/v1's AlwaysAllow using a pointer. Tests were updated: the podDisruptionBudget test helper defaults the field, and a table test asserts applyPodDisruptionBudget reports a modification when an existing PDB has a nil eviction policy but the desired PDB has a non-nil value.

Changes

PodDisruptionBudget UnhealthyPodEvictionPolicy

Layer / File(s)	Summary
API/Value Addition pkg/cloud/common/resources.go	getPDB sets Spec.UnhealthyPodEvictionPolicy to ptr.To(policyv1.AlwaysAllow) and adds k8s.io/utils/ptr import.
Test Helpers pkg/controllers/resourceapply/resourceapply_test.go	podDisruptionBudget test helper now defaults Spec.UnhealthyPodEvictionPolicy to ptr.To(policyv1.AlwaysAllow).
Behavioral Tests pkg/controllers/resourceapply/resourceapply_test.go	Added table test case asserting applyPodDisruptionBudget reports a modification when existing PDB has Spec.UnhealthyPodEvictionPolicy: nil and desired PDB has a non-nil value.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately describes the main change: configuring PodDisruptionBudgets to use the AlwaysAllow UnhealthyPodEvictionPolicy option, which is reflected in both modified files.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All test names are stable and deterministic. New test entry uses only static, descriptive strings with no dynamic information. Test parameters are passed via functions, not embedded in titles.
Test Structure And Quality	✅ Passed	Test meets all quality criteria: single responsibility, proper setup/cleanup, assertion messages, and codebase consistency.
Microshift Test Compatibility	✅ Passed	No new e2e tests added. The changes are to unit tests using envtest, not e2e. Tests use only standard Kubernetes APIs available on MicroShift.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR adds only a unit test using kubebuilder envtest, not OpenShift e2e tests. SNO compatibility check applies only to e2e tests that run on actual clusters, not unit tests.
Topology-Aware Scheduling Compatibility	✅ Passed	PDB with minAvailable:1 only created on non-SNO. Replicas: 2 (2+ nodes), 1 on SNO. UnhealthyPodEvictionPolicy change improves disruption handling without topology issues.
Ote Binary Stdout Contract	✅ Passed	No process-level stdout writes detected. Changes are confined to function/test bodies setting Kubernetes spec fields and adding Ginkgo test cases, with no non-JSON output to stdout.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	Tests contain no IPv4 assumptions or external connectivity requirements. New test cases create PodDisruptionBudget resources with no hardcoded IPs, CIDRs, or external references.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign theobarberbany for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/controllers/resourceapply/resourceapply_test.go`:
- Around line 859-869: The test currently sets the desired PDB's
UnhealthyPodEvictionPolicy to nil and expects an update, but the PR intends to
verify reconciling from nil -> AlwaysAllow; update the table entry so that
applyPodDisruptionBudgetArguments.inputFn returns a PDB with
Spec.UnhealthyPodEvictionPolicy set to
policyv1.UnhealthyPodEvictionPolicyType("AlwaysAllow") (or the helper that
produces that), and existingFn returns a PDB with
Spec.UnhealthyPodEvictionPolicy == nil (use podDisruptionBudget for existing and
modify inputFn accordingly), keeping expectModified: true and leaving
applyPodDisruptionBudgetArguments and podDisruptionBudget references to locate
the change.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 6b8fc36b-42f6-4c8e-b472-dd49b1a097db

📥 Commits

Reviewing files that changed from the base of the PR and between 06a87c3 and 6a9661b.

📒 Files selected for processing (2)

• pkg/cloud/common/resources.go
• pkg/controllers/resourceapply/resourceapply_test.go

[coderabbitai]

♻️ Duplicate comments (1)

pkg/controllers/resourceapply/resourceapply_test.go (1)

859-869: ⚠️ Potential issue | 🟠 Major

Test the nil -> AlwaysAllow direction instead of the reverse.

This entry still sets the desired PDB to nil and the existing one to AlwaysAllow, so it validates the opposite transition from the one this PR is meant to guarantee. Please swap the fixtures so the desired object carries AlwaysAllow and the existing object is nil.

🔁 Suggested fix

 Entry("When there is a mismatch of UnhealthyPodEvictionPolicy it is updated",
     applyPodDisruptionBudgetArguments{
-        inputFn: func(namespace string) *policyv1.PodDisruptionBudget {
-            pdb := podDisruptionBudget(namespace)
-            pdb.Spec.UnhealthyPodEvictionPolicy = nil
-            return pdb
-        },
-        existingFn:     podDisruptionBudget,
+        inputFn:        podDisruptionBudget,
+        existingFn: func(namespace string) *policyv1.PodDisruptionBudget {
+            pdb := podDisruptionBudget(namespace)
+            pdb.Spec.UnhealthyPodEvictionPolicy = nil
+            return pdb
+        },
         expectModified: true,
     },
 ),

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/controllers/resourceapply/resourceapply_test.go` around lines 859 - 869,
The test entry in resourceapply_test.go currently validates the reverse
transition by setting inputFn to return a PDB with UnhealthyPodEvictionPolicy =
nil and existingFn to return podDisruptionBudget (which is AlwaysAllow); swap
those fixtures so the desired (inputFn) PDB carries AlwaysAllow and the
existingFn returns nil. Update the applyPodDisruptionBudgetArguments entry
(inputFn, existingFn) for this case so inputFn builds the PDB with
Spec.UnhealthyPodEvictionPolicy = pointer to
policyv1.UnhealthyPodEvictionPolicyType("AlwaysAllow") and existingFn returns
podDisruptionBudget with Spec.UnhealthyPodEvictionPolicy = nil, keeping
expectModified: true.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@pkg/controllers/resourceapply/resourceapply_test.go`:
- Around line 859-869: The test entry in resourceapply_test.go currently
validates the reverse transition by setting inputFn to return a PDB with
UnhealthyPodEvictionPolicy = nil and existingFn to return podDisruptionBudget
(which is AlwaysAllow); swap those fixtures so the desired (inputFn) PDB carries
AlwaysAllow and the existingFn returns nil. Update the
applyPodDisruptionBudgetArguments entry (inputFn, existingFn) for this case so
inputFn builds the PDB with Spec.UnhealthyPodEvictionPolicy = pointer to
policyv1.UnhealthyPodEvictionPolicyType("AlwaysAllow") and existingFn returns
podDisruptionBudget with Spec.UnhealthyPodEvictionPolicy = nil, keeping
expectModified: true.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b4cef41e-c0b0-4371-92ab-c3fba1d61924

📥 Commits

Reviewing files that changed from the base of the PR and between 6a9661b and 3a0253e.

📒 Files selected for processing (2)

• pkg/cloud/common/resources.go
• pkg/controllers/resourceapply/resourceapply_test.go

🚧 Files skipped from review as they are similar to previous changes (1)

• pkg/cloud/common/resources.go

[atiratree]

/retest

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/controllers/resourceapply/resourceapply_test.go`:
- Line 861: A goimports formatting error affects the test file near the table
entry using inputFn: podDisruptionBudget; run goimports (or gofmt then
goimports) on that file to fix imports and formatting, then stage the updated
file so the linter passes — ensure imports are grouped/ordered and any unused
imports removed before committing.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 400ff8c1-7409-4db9-bf9c-0cedba2d0566

📥 Commits

Reviewing files that changed from the base of the PR and between 3a0253e and d1d8381.

📒 Files selected for processing (2)

• pkg/cloud/common/resources.go
• pkg/controllers/resourceapply/resourceapply_test.go

[openshift-ci]

@atiratree: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-ovn	aa7f75f	link	true	/test e2e-aws-ovn

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.