filter failed pods to prevent Istiod from OOMKills (#58250)

ramaraochavali · web-flow · commit 4c126b0cdb22 · 2025-11-26T09:55:09.000-08:00
* filter failed pods

Signed-off-by: Rama Chavali &lt;rama.rao@salesforce.com&gt;

* change all pod clients

Signed-off-by: Rama Chavali &lt;rama.rao@salesforce.com&gt;

* add krt controllers

Signed-off-by: Rama Chavali &lt;rama.rao@salesforce.com&gt;

---------

Signed-off-by: Rama Chavali &lt;rama.rao@salesforce.com&gt;
diff --git a/pilot/pkg/config/kube/ingress/controller.go b/pilot/pkg/config/kube/ingress/controller.go
@@ -154,6 +154,7 @@ func NewController(
 		Pods: krt.NewInformerFiltered[*corev1.Pod](client, kclient.Filter{
 			ObjectFilter:    client.ObjectFilter(),
 			ObjectTransform: kube.StripPodUnusedFields,
+			FieldSelector:   "status.phase!=Failed",
 		}, opts.WithName("informer/Pods")...),
 		MeshConfig: meshConfig.AsCollection(),
 	}
diff --git a/pilot/pkg/config/kube/ingress/status_test.go b/pilot/pkg/config/kube/ingress/status_test.go
@@ -263,6 +263,7 @@ func makeTestInformers(t *testing.T, name string) informers {
 	pods := krt.NewInformerFiltered[*corev1.Pod](client, kclient.Filter{
 		ObjectFilter:    client.ObjectFilter(),
 		ObjectTransform: kube.StripPodUnusedFields,
+		FieldSelector:   "status.phase!=Failed",
 	}, opts.WithName("informer/Pods")...)
 	inf := informers{
 		mesh:            meshHolder,
diff --git a/pilot/pkg/controllers/untaint/nodeuntainter.go b/pilot/pkg/controllers/untaint/nodeuntainter.go
@@ -68,6 +68,7 @@ func NewNodeUntainter(stop <-chan struct{}, kubeClient kubelib.Client, cniNs, sy
 	podsClient := kclient.NewFiltered[*v1.Pod](kubeClient, kclient.Filter{
 		ObjectFilter:    kubetypes.NewStaticObjectFilter(filterNamespace(ns)),
 		ObjectTransform: kubelib.StripPodUnusedFields,
+		FieldSelector:   "status.phase!=Failed",
 	})
 	nodes := kclient.NewFiltered[*v1.Node](kubeClient, kclient.Filter{ObjectTransform: kubelib.StripNodeUnusedFields})
 	nt := &NodeUntainter{
diff --git a/pilot/pkg/serviceregistry/kube/controller/ambient/ambientindex.go b/pilot/pkg/serviceregistry/kube/controller/ambient/ambientindex.go
@@ -205,6 +205,7 @@ func New(options Options) Index {
 	Pods := krt.NewInformerFiltered[*corev1.Pod](options.Client, kclient.Filter{
 		ObjectFilter:    options.Client.ObjectFilter(),
 		ObjectTransform: kubeclient.StripPodUnusedFields,
+		FieldSelector:   "status.phase!=Failed",
 	}, opts.With(
 		krt.WithName("informer/Pods"),
 		krt.WithMetadata(krt.Metadata{
diff --git a/pilot/pkg/serviceregistry/kube/controller/ambient/multicluster/cluster.go b/pilot/pkg/serviceregistry/kube/controller/ambient/multicluster/cluster.go
@@ -219,6 +219,7 @@ func (c *Cluster) Run(localMeshConfig meshwatcher.WatcherCollection, debugger *k
 	Pods := krt.NewInformerFiltered[*corev1.Pod](c.Client, kclient.Filter{
 		ObjectFilter:    c.Client.ObjectFilter(),
 		ObjectTransform: kube.StripPodUnusedFields,
+		FieldSelector:   "status.phase!=Failed",
 	}, opts.With(
 		krt.WithName("informer/Pods"),
 		krt.WithMetadata(krt.Metadata{
diff --git a/pilot/pkg/serviceregistry/kube/controller/controller.go b/pilot/pkg/serviceregistry/kube/controller/controller.go
@@ -293,6 +293,7 @@ func NewController(kubeClient kubelib.Client, options Options) *Controller {
 	c.podsClient = kclient.NewFiltered[*v1.Pod](kubeClient, kclient.Filter{
 		ObjectFilter:    kubeClient.ObjectFilter(),
 		ObjectTransform: kubelib.StripPodUnusedFields,
+		FieldSelector:   "status.phase!=Failed",
 	})
 	c.pods = newPodCache(c, c.podsClient, func(key types.NamespacedName) {
 		c.queue.Push(func() error {
diff --git a/security/pkg/server/ca/node_auth.go b/security/pkg/server/ca/node_auth.go
@@ -75,6 +75,7 @@ func NewClusterNodeAuthorizer(client kube.Client, trustedNodeAccounts sets.Set[t
 	pods := kclient.NewFiltered[*v1.Pod](client, kclient.Filter{
 		ObjectFilter:    client.ObjectFilter(),
 		ObjectTransform: kube.StripPodUnusedFields,
+		FieldSelector:   "status.phase!=Failed",
 	})
 	// Add an Index on the pods, storing the service account and node. This allows us to later efficiently query.
 	index := kclient.CreateIndex[SaNode, *v1.Pod](pods, "saNode", func(pod *v1.Pod) []SaNode {

Original file line number	Diff line number	Diff line change
`@@ -154,6 +154,7 @@ func NewController(`
`154`	`154`	`Pods: krt.NewInformerFiltered[*corev1.Pod](client, kclient.Filter{`
`155`	`155`	`ObjectFilter: client.ObjectFilter(),`
`156`	`156`	`ObjectTransform: kube.StripPodUnusedFields,`
	`157`	`+ FieldSelector: "status.phase!=Failed",`
`157`	`158`	`}, opts.WithName("informer/Pods")...),`
`158`	`159`	`MeshConfig: meshConfig.AsCollection(),`
`159`	`160`	`}`