diff --git a/tests/integration/update_cluster/irsa/data/aws_s3_bucket_object_minimal.example.com-addons-bootstrap_content b/tests/integration/update_cluster/irsa/data/aws_s3_bucket_object_minimal.example.com-addons-bootstrap_content
index 24c42b2212..cc2cacbc5a 100644
--- a/tests/integration/update_cluster/irsa/data/aws_s3_bucket_object_minimal.example.com-addons-bootstrap_content
+++ b/tests/integration/update_cluster/irsa/data/aws_s3_bucket_object_minimal.example.com-addons-bootstrap_content
@@ -53,7 +53,7 @@ spec:
 version: 9.99.0
 - id: k8s-1.16
 manifest: eks-pod-identity-webhook.addons.k8s.io/k8s-1.16.yaml
- manifestHash: 781012ab6de0bc9188332dd94f232d3d771332f062005c769d5ddf452f77dc11
+ manifestHash: 9d92eb7408dee4f5d9be3cba887e8dc8f8c4a9480f6dbdccda32c920384f8505
 name: eks-pod-identity-webhook.addons.k8s.io
 needsPKI: true
 selector:
diff --git a/tests/integration/update_cluster/irsa/data/aws_s3_bucket_object_minimal.example.com-addons-eks-pod-identity-webhook.addons.k8s.io-k8s-1.16_content b/tests/integration/update_cluster/irsa/data/aws_s3_bucket_object_minimal.example.com-addons-eks-pod-identity-webhook.addons.k8s.io-k8s-1.16_content
index 7939670ad5..2023b8cd14 100644
--- a/tests/integration/update_cluster/irsa/data/aws_s3_bucket_object_minimal.example.com-addons-eks-pod-identity-webhook.addons.k8s.io-k8s-1.16_content
+++ b/tests/integration/update_cluster/irsa/data/aws_s3_bucket_object_minimal.example.com-addons-eks-pod-identity-webhook.addons.k8s.io-k8s-1.16_content
@@ -136,6 +136,19 @@ spec:
 name: cert
 readOnly: true
 serviceAccountName: pod-identity-webhook
+ topologySpreadConstraints:
+ - labelSelector:
+ matchLabels:
+ app: pod-identity-webhook
+ maxSkew: 1
+ topologyKey: topology.kubernetes.io/zone
+ whenUnsatisfiable: ScheduleAnyway
+ - labelSelector:
+ matchLabels:
+ app: pod-identity-webhook
+ maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
 volumes:
 - name: cert
 secret:
@@ -253,3 +266,21 @@ metadata:
 k8s-addon: eks-pod-identity-webhook.addons.k8s.io
 name: pod-identity-webhook
 namespace: kube-system
+
+---
+
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ creationTimestamp: null
+ labels:
+ addon.kops.k8s.io/name: eks-pod-identity-webhook.addons.k8s.io
+ app.kubernetes.io/managed-by: kops
+ k8s-addon: eks-pod-identity-webhook.addons.k8s.io
+ name: pod-identity-webhook
+ namespace: kube-system
+spec:
+ maxUnavailable: 50%
+ selector:
+ matchLabels:
+ app: pod-identity-webhook
diff --git a/upup/models/cloudup/resources/addons/eks-pod-identity-webhook.addons.k8s.io/k8s-1.16.yaml.template b/upup/models/cloudup/resources/addons/eks-pod-identity-webhook.addons.k8s.io/k8s-1.16.yaml.template
index f72edb3358..fc26346b48 100644
--- a/upup/models/cloudup/resources/addons/eks-pod-identity-webhook.addons.k8s.io/k8s-1.16.yaml.template
+++ b/upup/models/cloudup/resources/addons/eks-pod-identity-webhook.addons.k8s.io/k8s-1.16.yaml.template
@@ -96,6 +96,19 @@ spec:
 - name: cert
 mountPath: "/etc/webhook/certs"
 readOnly: true
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: "topology.kubernetes.io/zone"
+ whenUnsatisfiable: ScheduleAnyway
+ labelSelector:
+ matchLabels:
+ app: pod-identity-webhook
+ - maxSkew: 1
+ topologyKey: "kubernetes.io/hostname"
+ whenUnsatisfiable: DoNotSchedule
+ labelSelector:
+ matchLabels:
+ app: pod-identity-webhook
 volumes:
 - name: cert
 secret:
@@ -180,4 +193,15 @@ metadata:
 prometheus.io/scheme: "https"
 prometheus.io/scrape: "true"
 data:
- config: {{ PodIdentityWebhookConfigMapData }}
\ No newline at end of file
+ config: {{ PodIdentityWebhookConfigMapData }}
+---
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: pod-identity-webhook
+ namespace: kube-system
+spec:
+ selector:
+ matchLabels:
+ app: pod-identity-webhook
+ maxUnavailable: 50%
\ No newline at end of file
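Review bot: The second constraint in the `@@ -96,6 +96,19 @@` hunk of `k8s-1.16.yaml.template` (`topologyKey: "kubernetes.io/hostname"`, `whenUnsatisfiable: DoNotSchedule`) is a hard scheduling rule on an admission-webhook pod, and the hunk does not say why it is hard while the zone rule is `ScheduleAnyway`. With `DoNotSchedule` a replacement pod stays Pending whenever the skew cannot be met, and the selector `app: pod-identity-webhook` counts pods of every revision; the replica count, node selection and the webhook's failure policy sit outside the hunk, so the effect on rollouts and on token injection cannot be judged from here. I would add a comment above it, e.g. `# hard per-node spread: a pod stays Pending rather than share a node with another replica`, or use `whenUnsatisfiable: ScheduleAnyway` if webhook availability matters more than spread. The pod spec starts before this hunk; the generated fixture under `tests/integration/update_cluster/irsa/data/` carries the same lines.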
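Review bot: `maxUnavailable: 50%` in the PodDisruptionBudget added by the `@@ -180,4 +193,15 @@` hunk of `k8s-1.16.yaml.template` is rounded up to a whole pod, so it only protects the webhook when the Deployment runs at least two replicas, and the replica count is not visible in this hunk. If a single-replica configuration is possible, a drain can still evict the only webhook pod; a comment such as `# 50% rounds up: with one replica this budget allows evicting it` would make that explicit, or the budget could be expressed as `minAvailable: 1` where more than one replica is guaranteed. Separately, `apiVersion: policy/v1beta1` is no longer served from Kubernetes 1.25, so unless this manifest is rewritten or gated by cluster version elsewhere it needs a `policy/v1` variant. The new last line still ends with `\ No newline at end of file`.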