What's the problem?
Right now, if you update spec.podTemplate.spec on a Sandbox — say, changing the container image or bumping resource limits — nothing happens. The running Pod keeps its old spec.
The controller's reconcilePod finds the existing Pod and updates its labels and ownerReference, but never checks whether the Pod spec has drifted from what the Sandbox declares. There's a TODO about this:
https://github.com/kubernetes-sigs/agent-sandbox/blob/main/controllers/sandbox_controller.go#L602
// TODO - Do we enforce (change) spec if a pod exists ?
// r.Patch(ctx, pod, client.Apply, client.ForceOwnership, ...)
The commented-out code suggests SSA Force Patch, but most Pod spec fields (image, command, resources, etc.) are immutable, so in-place patching won't work. The right approach would be to detect the change and recreate the Pod, similar to how Deployment and StatefulSet handle Pod template updates.
Current workaround
Scale to 0 and back to 1:
kubectl patch sandbox <name> --type=merge -p '{"spec":{"replicas":0}}'
# wait for the pod to be deleted
kubectl patch sandbox <name> --type=merge -p '{"spec":{"replicas":1}}'
This works but is not obvious and a bit clunky.
What I'd expect
When spec.podTemplate.spec changes, the controller should:
- Detect the change (a hash annotation on the Pod would work — the WarmPool controller already does this via computePodTemplateHash)
- Delete the old Pod
- Create a new Pod from the updated spec
- Preserve existing PVCs (the Sandbox CR still owns them)
This is a recreate strategy, not a rolling update — consistent with the pattern used in SandboxWarmPool (#323).
Related
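The detect-and-recreate decision from the "What I'd expect" list, as an added sketch that is not part of the original issue or the agent-sandbox code base. It assumes a trimmed stand-in for the Pod spec, a hypothetical annotation key, and a SHA-256 hash standing in for computePodTemplateHash, whose real implementation is not shown on this page.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Hypothetical annotation key; the project's real key is not shown in the issue.
const hashAnnotation = "example.invalid/pod-template-hash"

// PodSpec is a trimmed stand-in for corev1.PodSpec (assumption for this sketch).
type PodSpec struct {
	Image     string            `json:"image"`
	Command   []string          `json:"command,omitempty"`
	Resources map[string]string `json:"resources,omitempty"`
}

// Pod is a stand-in for the running Pod; only its annotations matter here.
type Pod struct{ Annotations map[string]string }

// templateHash stands in for computePodTemplateHash: SHA-256 over the JSON
// encoding, which is deterministic because encoding/json sorts map keys.
func templateHash(s PodSpec) string {
	b, _ := json.Marshal(s)
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:8])
}

// decide returns the action a reconciler would take for the desired spec.
func decide(existing *Pod, desired PodSpec) string {
	switch {
	case existing == nil:
		return "create"
	case existing.Annotations[hashAnnotation] != templateHash(desired):
		// Also hit by Pods that predate the annotation (empty value).
		return "recreate" // delete the Pod, create from the new spec; PVCs untouched
	default:
		return "keep"
	}
}

func main() {
	v1 := PodSpec{Image: "registry.example/app:1.0", Resources: map[string]string{"cpu": "500m", "memory": "256Mi"}}
	pod := &Pod{Annotations: map[string]string{hashAnnotation: templateHash(v1)}}
	v2 := v1
	v2.Image = "registry.example/app:1.1" // constructed image bump
	fmt.Println(decide(nil, v1), decide(pod, v1), decide(pod, v2))
}
```

A Pod created before the annotation existed carries no hash, so this logic recreates it once on the first reconcile after rollout.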