workload cluster node rolling update stuck on rancher-webhook PDB vs replicas issue

⚠️ Scheduled Pipeline Report Issue

The scheduled pipeline run for ☁️capo 🚀kadm 🎬nightly 🛠️ha 🐧suse on 2025-11-24 has failed.

Analysis

The node rolling update is blocked because of this:

Pod cattle-system/rancher-webhook-58dbd78784-k7mcn:
 cannot evict pod as it would violate the pod's disruption budget.
 The disruption budget rancher-webhook-pdb needs 1 healthy pods and has 1 currently

What we can observe in the dump is:

rancher-webhook-pdb has minAvailable: 1
this means that a pod eviction or replacement for rancher-webhook is only feasible if the Deployment has replicas: 2
but the rancher-webhook Deployment has spec.replica: 1

The [kustomize-units/rancher-init/components/webhook-ha/webhook-hardening-policy.yaml](https://gitlab.com/sylva-projects/sylva-core/-/blob/main/kustomize-units/rancher-init/components/webhook-ha/webhook-hardening-policy.yaml) policy apparently hasn't been able to set spec.replicas on rancher-webhook Deployment.

Report Details

Failing Jobs & Status

Overall Status: 🔴 Deployment/upgrade Failed
Failing Jobs:
update-workload-cluster (failed)

Edited Nov 24, 2025 by Thomas Morin