PodDisruptionBudget is not synced to host cluster despite sync.toHost.podDisruptionBudgets.enabled: true

[irizzant]

What happened?

When creating a PodDisruptionBudget (PDB) inside the vcluster, the resource is not synced or created in the host cluster, even though the sync.toHost.podDisruptionBudgets.enabled option is set to true in the vcluster configuration. As a result, disruption protection expected by the PDB is not enforced on the host cluster, so workloads may be evicted without respecting the PDB. This occurs even when following the official documentation for vcluster PDB syncing.

What did you expect to happen?

Any PodDisruptionBudget created in the vcluster should be synced and visible in the host cluster, and should be enforced so that workload disruption is properly limited as configured.

How can we reproduce it (as minimally and precisely as possible)?

1. Create a kind cluster and install vcluster using the configuration from the official vcluster documentation for PDB syncing:

sync:
  toHost:
    podDisruptionBudgets:
      enabled: true
    serviceAccounts:
      enabled: true
  fromHost:
    nodes:
      enabled: true
      clearImageStatus: true

2. Inside the vcluster, create a Deployment and a PodDisruptionBudget, e.g.:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
      app: nginx
spec:
  replicas: 2
  selector:
      matchLabels:
          app: nginx
  template:
      metadata:
          labels:
              app: nginx
      spec:
          containers:
          - name: nginx
            image: nginx:stable
            ports:
            - containerPort: 80
            resources:
                requests:
                    cpu: "100m"
                    memory: "128Mi"
                limits:
                    cpu: "250m"
                    memory: "256Mi"
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
    name: nginx-pdb
spec:
    minAvailable: 1
    selector:
        matchLabels:
            app: nginx

3. Check the host cluster: the PDB is not present, and disruptions are not limited as expected.
4. Logs from the vcluster show repeated errors such as:

INFO    commandwriter/commandwriter.go:128      quota admission added evaluator for: poddisruptionbudgets.policy        {"component": "vcluster", "component": "apiserver", "location": "controller.go:667"}
INFO    commandwriter/commandwriter.go:128      Unhandled Error {"component": "vcluster", "component": "controller-manager", "location": "disruption.go:647", "err": "Error syncing PodDisruptionBudget default/nginx-pdb, requeuing: Operation cannot be fulfilled on poddisruptionbudgets.policy \"nginx-pdb\": the object has been modified; please apply your changes to the latest version and try again", "logger": "UnhandledError"}

Anything else we need to know?

Config copied from the official documentation: https://www.vcluster.com/docs/vcluster/configure/vcluster-yaml/sync/to-host/advanced/pod-disruption-budgets
If you need further logs or details, I can provide them.

Host cluster Kubernetes version

\`\`\`console

$ kubectl version
Client Version: v1.33
Server Version: v1.33

vcluster version

\`\`\`console

$ vcluster --version
v0.28

VCluster Config

\`\`\`

sync:
toHost:
podDisruptionBudgets:
enabled: true
serviceAccounts:
enabled: true
fromHost:
nodes:
enabled: true
clearImageStatus: true

[cbron]

Sorry for delay. I just tested this and it worked for me on 0.30. This is from host:

kubectl get pdb -A
NAMESPACE      NAME                        MIN AVAILABLE   MAX UNAVAILABLE   ALLOWED DISRUPTIONS   AGE
vcluster-pdb   nginx-pdb-x-default-x-pdb   1               N/A               1                     58s

That error is common transient error. Possible it was just operated on right before you applied:

Operation cannot be fulfilled on poddisruptionbudgets.policy "nginx-pdb": the object has been modified; please apply your changes to the latest version and try again"