simu
commented
1 year ago One other option might be to keep the current node selector annotation, and instead patch the istio-operator deployment (or pod) node selector with the patch-operator mutating webhook mechanism (cf. https://github.com/redhat-cop/patch-operator/#creation-time-patch-injection)
Context
The initial implementation (cf. #1) annotates the service mesh namespace with
openshift.io/node-selector: '', which allows the istio CNI pods to be scheduled on all nodes. It might be nicer to have a more restrictive node selector (e.g. only app nodes), but when leaving out the annotation completely the DaemonSet misschedules some pods.We could set annotation
openshift.io/node-selector: node-role.kubernetes.io/app=, but depending on the use-case this might be too restrictive. Settingopenshift.io/node-selector: node-role.kubernetes.io/worker=is another option, but would probably lead to pods stuck inPendingon clusters which have storage nodes.Ideally, the operator would be scheduled on infra nodes and the istio-cni daemonset on app nodes. This might be tricky or even not possible.
Also consider making the node selector configurable through a component parameter.