From 4c28ff7b56541097e720af2c5d7db83605bd5747 Mon Sep 17 00:00:00 2001
From: Case Wylie
Date: Thu, 11 Jun 2026 17:57:35 -0400
Subject: [PATCH 1/5] fix: change priorityclass default

Signed-off-by: Case Wylie
---
 pkg/component/worker/nllb/envoy.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/pkg/component/worker/nllb/envoy.go b/pkg/component/worker/nllb/envoy.go
index 8e3d3d382bc2..9ee91fb429ff 100644
--- a/pkg/component/worker/nllb/envoy.go
+++ b/pkg/component/worker/nllb/envoy.go
@@ -264,6 +264,10 @@ func makePodManifest(params *envoyParams, podParams *envoyPodParams) corev1.Pod
 },
 Spec: corev1.PodSpec{
 HostNetwork: true,
+ // The Envoy Pod is the worker's load-balanced path to the control
+ // plane, so it must outlive ordinary workloads during graceful node
+ // shutdown and be protected from node-pressure eviction.
+ PriorityClassName: "system-node-critical",
 SecurityContext: &corev1.PodSecurityContext{
 RunAsNonRoot: ptr.To(true),
 },
From 7763ba1fccf2a766d7e3d25109e398e49a6ecaf8 Mon Sep 17 00:00:00 2001
From: Case Wylie
Date: Sun, 14 Jun 2026 09:32:57 -0400
Subject: [PATCH 2/5] chore: system-node-critical priority value

Signed-off-by: Case Wylie
---
 pkg/component/worker/nllb/envoy.go | 6 ++++--
 pkg/component/worker/nllb/traefik.go | 6 ++++++
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/pkg/component/worker/nllb/envoy.go b/pkg/component/worker/nllb/envoy.go
index 9ee91fb429ff..ec7c5f2775bd 100644
--- a/pkg/component/worker/nllb/envoy.go
+++ b/pkg/component/worker/nllb/envoy.go
@@ -266,8 +266,10 @@ func makePodManifest(params *envoyParams, podParams *envoyPodParams) corev1.Pod
 HostNetwork: true,
 // The Envoy Pod is the worker's load-balanced path to the control
 // plane, so it must outlive ordinary workloads during graceful node
- // shutdown and be protected from node-pressure eviction.
- PriorityClassName: "system-node-critical",
+ // shutdown and be protected from node-pressure eviction. As a static
+ // Pod, the kubelet doesn't resolve PriorityClassName, so the numeric
+ // Priority is set directly to the value of system-node-critical.
+ Priority: ptr.To(int32(2000001000)),
 SecurityContext: &corev1.PodSecurityContext{
 RunAsNonRoot: ptr.To(true),
 },
diff --git a/pkg/component/worker/nllb/traefik.go b/pkg/component/worker/nllb/traefik.go
index 35d913287a2d..d7b66d29390c 100644
--- a/pkg/component/worker/nllb/traefik.go
+++ b/pkg/component/worker/nllb/traefik.go
@@ -236,6 +236,12 @@ func makeTraefikPodManifest(podParams *traefikPodParams, installConfig *traefikI
 },
 Spec: corev1.PodSpec{
 HostNetwork: true,
+ // The Traefik Pod is the worker's load-balanced path to the control
+ // plane, so it must outlive ordinary workloads during graceful node
+ // shutdown and be protected from node-pressure eviction. As a static
+ // Pod, the kubelet doesn't resolve PriorityClassName, so the numeric
+ // Priority is set directly to the value of system-node-critical.
+ Priority: ptr.To(int32(2000001000)),
 SecurityContext: &corev1.PodSecurityContext{
 RunAsNonRoot: ptr.To(true),
 // https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/
From 30966f31e113918221dc1feafe8eae7c3a182b9b Mon Sep 17 00:00:00 2001
From: Case Wylie
Date: Tue, 16 Jun 2026 20:40:46 -0400
Subject: [PATCH 3/5] chore: fix test

Signed-off-by: Case Wylie
---
 pkg/component/worker/nllb/envoy.go | 15 +++++++++++----
 pkg/component/worker/nllb/traefik.go | 15 +++++++++++----
 2 files changed, 22 insertions(+), 8 deletions(-)
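Review bot: The literal in `Priority: ptr.To(int32(2000001000))` is a magic number that only the surrounding comment ties to system-node-critical, and the same literal and comment are repeated in the makeTraefikPodManifest hunk of this patch and again in both hunks of PATCH 3/5. A single package-level constant shared by envoy.go and traefik.go would keep the two manifests from drifting, for example `const systemNodeCriticalPriority int32 = 2000001000 // value of the built-in system-node-critical PriorityClass`, used as `Priority: ptr.To(systemNodeCriticalPriority)`. The explanatory comment could then live once on that constant instead of being copied into each PodSpec. Both function bodies start and end outside their hunks.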
diff --git a/pkg/component/worker/nllb/envoy.go b/pkg/component/worker/nllb/envoy.go
index ec7c5f2775bd..b70d258f9466 100644
--- a/pkg/component/worker/nllb/envoy.go
+++ b/pkg/component/worker/nllb/envoy.go
@@ -266,10 +266,17 @@ func makePodManifest(params *envoyParams, podParams *envoyPodParams) corev1.Pod
 HostNetwork: true,
 // The Envoy Pod is the worker's load-balanced path to the control
 // plane, so it must outlive ordinary workloads during graceful node
- // shutdown and be protected from node-pressure eviction. As a static
- // Pod, the kubelet doesn't resolve PriorityClassName, so the numeric
- // Priority is set directly to the value of system-node-critical.
- Priority: ptr.To(int32(2000001000)),
+ // shutdown and be protected from node-pressure eviction.
+ //
+ // PriorityClassName satisfies the kube-apiserver Priority admission
+ // controller, which validates the mirror Pod the kubelet registers
+ // for this static Pod. The numeric Priority is also set so the local
+ // kubelet (which does not resolve PriorityClassName for static Pods)
+ // uses it for shutdown/eviction ordering. The two must agree:
+ // admission computes the integer from the class name and rejects the
+ // mirror Pod if an explicit, mismatched Priority is provided.
+ PriorityClassName: "system-node-critical",
+ Priority: ptr.To(int32(2000001000)),
 SecurityContext: &corev1.PodSecurityContext{
 RunAsNonRoot: ptr.To(true),
 },
diff --git a/pkg/component/worker/nllb/traefik.go b/pkg/component/worker/nllb/traefik.go
index d7b66d29390c..bfc0c751a276 100644
--- a/pkg/component/worker/nllb/traefik.go
+++ b/pkg/component/worker/nllb/traefik.go
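Review bot: The invariant the new comment describes, that `PriorityClassName` and `Priority` must agree or admission rejects the mirror Pod, is held only by two adjacent literals here and two more in the makeTraefikPodManifest hunk of this patch. PATCH 3/5 is titled "fix test", but its diffstat lists only envoy.go and traefik.go, so nothing visible pins the pairing. A small unit test that calls both builders and asserts `pod.Spec.PriorityClassName == "system-node-critical"` and `*pod.Spec.Priority == 2000001000` would catch a future edit that changes one field without the other. That matters because a rejected mirror Pod presumably leaves the static Pod running on the node but unreported to the API server, which is easy to miss. The function body starts and ends outside the hunk.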
@@ -238,10 +238,17 @@ func makeTraefikPodManifest(podParams *traefikPodParams, installConfig *traefikI
 HostNetwork: true,
 // The Traefik Pod is the worker's load-balanced path to the control
 // plane, so it must outlive ordinary workloads during graceful node
- // shutdown and be protected from node-pressure eviction. As a static
- // Pod, the kubelet doesn't resolve PriorityClassName, so the numeric
- // Priority is set directly to the value of system-node-critical.
- Priority: ptr.To(int32(2000001000)),
+ // shutdown and be protected from node-pressure eviction.
+ //
+ // PriorityClassName satisfies the kube-apiserver Priority admission
+ // controller, which validates the mirror Pod the kubelet registers
+ // for this static Pod. The numeric Priority is also set so the local
+ // kubelet (which does not resolve PriorityClassName for static Pods)
+ // uses it for shutdown/eviction ordering. The two must agree:
+ // admission computes the integer from the class name and rejects the
+ // mirror Pod if an explicit, mismatched Priority is provided.
+ PriorityClassName: "system-node-critical",
+ Priority: ptr.To(int32(2000001000)),
 SecurityContext: &corev1.PodSecurityContext{
 RunAsNonRoot: ptr.To(true),
 // https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/
From edd056631833bc91518634184be8791df011e238 Mon Sep 17 00:00:00 2001
From: Case Wylie
Date: Thu, 18 Jun 2026 14:00:07 -0400
Subject: [PATCH 4/5] chore: bump timeout

Signed-off-by: Case Wylie
---
 inttest/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/inttest/Makefile b/inttest/Makefile
index 28ba7d370d66..79ec13efe66c 100644
--- a/inttest/Makefile
+++ b/inttest/Makefile
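Review bot: Raising this `HostNetwork: true` Pod to system-node-critical means, per the new comment, that it is protected from node-pressure eviction, so any unbounded memory growth in the proxy container would be paid for by other workloads on the node. The container spec is outside this hunk, so it is worth confirming that it sets resource requests and a memory limit before the priority change lands. If it does not, those should be added in the same series. The same check applies to the Envoy manifest built by makePodManifest, which receives the identical priority settings in this patch.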
@@ -95,8 +95,8 @@ check-network-conformance-kuberouter-ipv6-nft: TIMEOUT=15m check-nllb: TIMEOUT=15m check-nllb-traefik: TIMEOUT=15m -check-nllb-ipv6: TIMEOUT=15m -check-nllb-traefik-ipv6: TIMEOUT=15m +check-nllb-ipv6: TIMEOUT=20m +check-nllb-traefik-ipv6: TIMEOUT=20m .PHONY: $(smoketests) From c809852a1b74c75a57a932a6c32fbcab20f73ed0 Mon Sep 17 00:00:00 2001 From: Case Wylie Date: Thu, 18 Jun 2026 14:26:34 -0400 Subject: [PATCH 5/5] chore: revert timeout Signed-off-by: Case Wylie --- inttest/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/inttest/Makefile b/inttest/Makefile index 79ec13efe66c..28ba7d370d66 100644 --- a/inttest/Makefile +++ b/inttest/Makefile @@ -95,8 +95,8 @@ check-network-conformance-kuberouter-ipv6-nft: TIMEOUT=15m check-nllb: TIMEOUT=15m check-nllb-traefik: TIMEOUT=15m -check-nllb-ipv6: TIMEOUT=20m -check-nllb-traefik-ipv6: TIMEOUT=20m +check-nllb-ipv6: TIMEOUT=15m +check-nllb-traefik-ipv6: TIMEOUT=15m .PHONY: $(smoketests)