add operational gotchas to readme

Author: cornerman

README.md

@@ -121,6 +121,16 @@ The CI pipeline keeps versions in sync automatically:
 
 For local testing the kind script (`devbox run test`) builds the image and loads it directly into the cluster, so no registry push is required.
 
+## Operational gotchas
+
+- **Node termination grace vs schedule**: The CronJob only reacts on its schedule (default 1 minute). Ensure your node termination grace period (e.g., Karpenter’s default 2 minutes) comfortably exceeds `schedule interval + controller runtime`, otherwise the node may terminate before the rollout finishes.
+- **Rolling update strategy required**: Deployments must use the standard rolling update strategy so that a new pod starts before the old pod is deleted. StatefulSets or Deployments using `Recreate` will still experience downtime.
+- **Single replica + PDB**: Remember to pair single-replica workloads with a `PodDisruptionBudget` (`minAvailable: 1` / `maxUnavailable: 0`). Without it, Kubernetes can evict the pod immediately even if the controller is running.
+- **Annotation opt-in**: Only pods whose template contains the configured annotation (default `evict-with-rollout: "true"`) are handled. Forgetting the annotation means eviction proceeds as usual.
+- **RBAC scope**: The included ClusterRole grants read access to nodes/pods and patch access to deployments. Tighten or namespace-scope it if your environment requires stricter permissions.
+
+Missing something? [Open an issue](https://github.com/HivemindTechnologies/evict-to-rollout/issues/new) with details so we can cover your use-case.
+
 ## References
 
 Related issues: