☑️ Ensure Rollout allows broadcasting IP table changes
When the Rollout changes the selector on a service, there is a propagation delay before all the nodes update their IP tables to send traffic to the new pods instead of the old. Traffic will be directed to the old pods if the nodes have not been updated yet during this delay. In order to prevent the packets from being sent to a node that killed the old pod, the rollout uses the scaleDownDelaySeconds field to give nodes enough time to broadcast the IP table changes.
The user can define this in spec.scaleDownDelaySeconds in Bluegreen Rollout. If omitted, the Rollout waits 30 seconds before scaling down the previous ReplicaSet.
A minimum of 30 seconds is recommended to ensure IP table propagation across the nodes in a cluster. The reason is because Kubernetes waits for a specified time called the termination grace period. By default, this is 30 seconds.
Targeted objects by this rule (types of kind): Rollout
Complexity: easy (What does this mean?)
Policy as code identifier: ARGO_ROLLOUT_INCORRECT_SCALE_DOWN_DELAY_VALUE_BELOW_30
This rule will fail
If the scaleDownDelaySeconds key is not set or set to a number lower than 30:
kind: Rollout
spec:
strategy:
blueGreen:
scaleDownDelaySeconds: 10
Rule output in the CLI
$ datree test *.yaml
>> File: failExample.yaml
❌ Ensure Rollout allows broadcasting IP table changes [1 occurrence]
💡 Incorrect value for key `scaleDownDelaySeconds` - value should be at least 30 to prevent packets from being sent to a node that killed the pod
How to fix this failure
Set the scaleDownDelaySeconds key with value of at least 30:
kind: Rollout
spec:
strategy:
blueGreen:
scaleDownDelaySeconds: 30