docs: update cilium setup guide with --network-policy requirement and… #4417
Open
sharifnasser wants to merge 1 commit into
… PDB workaround

The az aks update command requires both --network-dataplane cilium and --network-policy cilium flags. Without --network-policy, the API returns a BadRequest error.

Also documents a workaround for single-node pool clusters where PDBs (konnectivity-agent, coredns) block node drain during the upgrade.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
Pull request overview
Updates the Swiftv2 managed Cilium setup guide to reflect current AKS CLI requirements and to document an upgrade workaround for single-node system pools where PDBs can block drain during upgrade.
Changes:
- Updates the `az aks update` example to include `--network-policy cilium` alongside `--network-dataplane cilium`.
- Adds a NOTE explaining that both flags are required (API rejects requests missing `--network-policy`).
- Adds a TIP documenting a PDB deletion workaround for single system node pool upgrades that fail with `PodDrainFailure`.
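A check one could run around the PDB workaround summarized above (an added example, not code from this PR or from the AKS docs): it reads `kubectl get pdb -n kube-system -o json` output, lists the PDBs that currently allow zero evictions, and after the upgrade reports any PDB that did not come back. The sample JSON is constructed, and the `example-addon` and `idle-addon` names are hypothetical.

```python
import json

def _pdb(name, allowed, expected):
    # Helper that builds one constructed PodDisruptionBudget object.
    return {"metadata": {"name": name, "namespace": "kube-system"},
            "status": {"disruptionsAllowed": allowed, "expectedPods": expected}}

# Constructed stand-ins for `kubectl get pdb -n kube-system -o json`,
# captured before the PDB deletion and again after the upgrade.
SAMPLE_BEFORE = json.dumps({"items": [
    _pdb("konnectivity-agent", 0, 1),
    _pdb("coredns", 0, 1),
    _pdb("example-addon", 1, 2),   # hypothetical name
    _pdb("idle-addon", 0, 0),      # hypothetical name, selects no pods
]})
SAMPLE_AFTER = json.dumps({"items": [
    _pdb("coredns", 0, 1),
    _pdb("example-addon", 1, 2),
    _pdb("idle-addon", 0, 0),
]})

def _key(item):
    meta = item["metadata"]
    return (meta.get("namespace", "default"), meta["name"])

def blocking_pdbs(pdb_list_json):
    """Return (namespace, name) of PDBs that would refuse an eviction right now."""
    blocking = []
    for item in json.loads(pdb_list_json).get("items", []):
        status = item.get("status") or {}
        if status.get("expectedPods", 1) == 0:
            continue  # matches no pods, so it cannot hold up a drain
        # A missing status counts as blocking: the eviction API needs allowed > 0.
        if status.get("disruptionsAllowed", 0) == 0:
            blocking.append(_key(item))
    return sorted(blocking)

def not_recreated(before_json, after_json):
    """Return PDBs present before the workaround but absent after the upgrade."""
    before = {_key(i) for i in json.loads(before_json).get("items", [])}
    after = {_key(i) for i in json.loads(after_json).get("items", [])}
    return sorted(before - after)

if __name__ == "__main__":
    print("blocking before upgrade:", blocking_pdbs(SAMPLE_BEFORE))
    print("missing after upgrade:", not_recreated(SAMPLE_BEFORE, SAMPLE_AFTER))
```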
QxBytes
reviewed
May 21, 2026
| > [!TIP] | ||
| > If your cluster has a single system node pool, the upgrade may fail with a `PodDrainFailure` due to Pod Disruption Budgets (e.g., `konnectivity-agent`). To work around this, delete the blocking PDBs before running the update — AKS addon manager will recreate them after the upgrade: | ||
| > ``` | ||
| > kubectl delete pdb konnectivity-agent -n kube-system --ignore-not-found |
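Review bot: The last clause of the TIP, "AKS addon manager will recreate them after the upgrade", gives the reader no way to confirm it, and the `kubectl delete pdb konnectivity-agent` command below it keeps no copy of the object. Suggest adding a step before the delete that saves the PDB (`kubectl get pdb konnectivity-agent -n kube-system -o yaml > konnectivity-agent-pdb.yaml`) and a step after the upgrade that runs `kubectl get pdb -n kube-system` to confirm it is back. The opening code fence also has no language tag; `bash` would match the command.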
Contributor
If you delete the PDB like this, does AKS reconcile and recreate the PDB?
| > Both `--network-dataplane cilium` and `--network-policy cilium` are required. The API will reject the request if only `--network-dataplane cilium` is specified. | ||
|
|
||
| > [!TIP] | ||
| > If your cluster has a single system node pool, the upgrade may fail with a `PodDrainFailure` due to Pod Disruption Budgets (e.g., `konnectivity-agent`). To work around this, delete the blocking PDBs before running the update — AKS addon manager will recreate them after the upgrade: |
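Review bot: In the TIP, "a single system node pool" describes a cluster with one system pool, while the PR description says the drain problem occurs on "single-node pool clusters"; these are different conditions. Suggest stating which one triggers `PodDrainFailure` (for example "a system node pool with a single node") so readers with a multi-node system pool do not delete PDBs unnecessarily. The NOTE above it could also name the error the API returns (`BadRequest`, per the PR description) so it is searchable.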
Contributor
Did konnectivity agent try to come up on the BYO node during upgrade by any chance?
This pull request is stale because it has been open for 2 weeks with no activity. Remove stale label or comment or this will be closed in 7 days