[Feature] Support RoleMaxUnavailable in RoleRollingUpdate

[LiZhenCheng9527]

What type of PR is this?
/kind feature

What this PR does / why we need it:

Previously, during a RoleRollingUpdate, all outdated roles in the servingGroup were deleted outright. This resulted in the service becoming unavailable when servingGroup.Replicas=1.

This PR introduces the RoleMaxUnavailable field, which sets the increment for role updates during a RoleRollingUpdate. This prevents all OutDatedRole entries from being deleted in one go.

Which issue(s) this PR fixes:
Fixes #1188

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

[volcano-sh-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign yaozengzeng for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• charts/OWNERS
• client-go/OWNERS
• docs/OWNERS
• pkg/OWNERS
• test/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[gemini-code-assist]

Code Review

This pull request introduces the roleMaxUnavailable configuration field to the RollingUpdateConfiguration for RoleRollingUpdate rollout strategies. This bounds the number of outdated Role replicas that can be simultaneously unavailable within a single ServingGroup during a rolling update, preventing service pauses. The changes include updates to API definitions, controller reconciliation logic, validation webhooks, unit tests, and E2E tests. A critical feedback item was raised regarding a potential nil pointer dereference in collectGroupRoleUpdateState when role.Replicas is omitted, which should be resolved by adding a nil check and defaulting to 1.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[gemini-code-assist]

The role.Replicas field is optional and can be nil. Directly dereferencing it with *role.Replicas without a nil check will cause a panic (nil pointer dereference) if a user omits this field in the spec. Please add a nil check and default to 1 (similar to how it is handled in the validator).

Suggested change

	replicas := int(*role.Replicas)
	replicas := 1
	if role.Replicas != nil {
	replicas = int(*role.Replicas)
	}

[Copilot]

Pull request overview

Adds a new rollout budget (roleMaxUnavailable) for RoleRollingUpdate to prevent all outdated role replicas in a ServingGroup from being terminated at once (avoiding service downtime when spec.replicas=1), and wires it through API, validation, controller behavior, and tests.

Changes:

• Introduces spec.rolloutStrategy.rollingUpdateConfiguration.roleMaxUnavailable (API type, deepcopy/applyconfig, CRD, and docs).
• Adds webhook validation for roleMaxUnavailable (int/percent, non-zero, only valid for RoleRollingUpdate).
• Updates the controller’s RoleRollingUpdate eviction logic and adds/updates unit + e2e coverage for bounded role updates.

Reviewed changes

Copilot reviewed 10 out of 12 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
test/e2e/controller-manager/model_serving_test.go	Adds e2e tests asserting readiness never drops below the RoleMaxUnavailable-derived minimum during RoleRollingUpdate (single-role and multi-role).
pkg/model-serving-controller/webhook/validator.go	Validates roleMaxUnavailable (format, non-zero after scaling, and only allowed for RoleRollingUpdate).
pkg/model-serving-controller/webhook/validator_test.go	Adds unit tests for the new validation rules.
pkg/model-serving-controller/utils/utils.go	Adds GetRoleMaxUnavailable helper and “unlimited” sentinel.
pkg/model-serving-controller/utils/utils_test.go	Adds unit tests for GetRoleMaxUnavailable.
pkg/model-serving-controller/controller/model_serving_controller.go	Implements bounded deletion of outdated role replicas during RoleRollingUpdate and adds role status transition to Creating when pods are missing.
pkg/model-serving-controller/controller/model_serving_controller_test.go	Reworks tests around RoleRollingUpdate deletions and adds coverage for role-level budget interactions.
pkg/apis/workload/v1alpha1/zz_generated.deepcopy.go	Deepcopy support for RoleMaxUnavailable.
pkg/apis/workload/v1alpha1/model_serving_types.go	API type/docs for RoleMaxUnavailable.
docs/kthena/docs/reference/crd/workload.serving.volcano.sh.md	Documents the new CRD field.
client-go/applyconfiguration/workload/v1alpha1/rollingupdateconfiguration.go	Adds apply-configuration field and builder for RoleMaxUnavailable.
charts/kthena/charts/workload/crds/workload.serving.volcano.sh_modelservings.yaml	Updates Helm-packaged CRD schema to include roleMaxUnavailable.

Files not reviewed (2)

• client-go/applyconfiguration/workload/v1alpha1/rollingupdateconfiguration.go: Language not supported
• pkg/apis/workload/v1alpha1/zz_generated.deepcopy.go: Language not supported

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 10 out of 12 changed files in this pull request and generated 3 comments.

Files not reviewed (2)

• client-go/applyconfiguration/workload/v1alpha1/rollingupdateconfiguration.go: Language not supported
• pkg/apis/workload/v1alpha1/zz_generated.deepcopy.go: Language not supported

[Copilot]

Pull request overview

Copilot reviewed 10 out of 12 changed files in this pull request and generated 5 comments.

Files not reviewed (2)

• client-go/applyconfiguration/workload/v1alpha1/rollingupdateconfiguration.go: Language not supported
• pkg/apis/workload/v1alpha1/zz_generated.deepcopy.go: Language not supported

[Copilot]

Pull request overview

Copilot reviewed 11 out of 13 changed files in this pull request and generated 1 comment.

Files not reviewed (2)

• client-go/applyconfiguration/workload/v1alpha1/role.go: Language not supported
• pkg/apis/workload/v1alpha1/zz_generated.deepcopy.go: Language not supported

[hzxuzhonghu]

PLease also file an issue

[LiZhenCheng9527]

PLease also file an issue

#1188

[hzxuzhonghu]

why should maxScaleDown <=0?

[LiZhenCheng9527]

It is possible that maxScaleDown == 0.

Fixed

[hzxuzhonghu]

Please make the vars name meaningful and readable

[hzxuzhonghu]

what does this mean

[LiZhenCheng9527]

Record the deletion of this role is being logged due to a Role RollingUpdate

[Copilot]

Pull request overview

Copilot reviewed 12 out of 14 changed files in this pull request and generated 3 comments.

Files not reviewed (2)

• client-go/applyconfiguration/workload/v1alpha1/role.go: Generated file
• pkg/apis/workload/v1alpha1/zz_generated.deepcopy.go: Generated file

[hzxuzhonghu]

Though not quite sure why do you need such check
And i find this is not atomic, say if another thread update the status between these two steps.

[LiZhenCheng9527]

There is a lock in updateRoleStatus.

This is because, within the Role RollingUpdate, we check the status of the Role to determine whether the rolling update is in progress. Therefore, we need to update the Role in real time based on its current state.

[hzxuzhonghu]

Not understandable

[LiZhenCheng9527]

It records whether the rolling update for this group regarding the new revision has already begun.

An outdated replica of a role is being deleted, and the deletion is driven by a rolling update (the template hash has changed or the role has been removed from the spec), or a new revision of a role already exists, but an outdated copy remains (the update is halfway through).

[Copilot]

⚠️ Human review recommended

It significantly changes core rollout logic in the controller (budgeting/planning/state derivation), which warrants a final human review despite the added unit/e2e coverage.

Copilot's findings

Files not reviewed (2)

• client-go/applyconfiguration/workload/v1alpha1/role.go: Generated file
• pkg/apis/workload/v1alpha1/zz_generated.deepcopy.go: Generated file

• Files reviewed: 12/14 changed files
• Comments generated: 3

Note

Your feedback helps us improve the quality of this feature.
Please use 👍 or 👎 to tell us whether this assessment is correct.

[Copilot]

⚠️ Not ready to approve

There are critical correctness/compilation issues in the updated controller logic (unused parameter causing build failure and a maxUnavailable budget edge case that can be misinterpreted as “unlimited”).

Copilot's findings

Files not reviewed (2)

• client-go/applyconfiguration/workload/v1alpha1/role.go: Generated file
• pkg/apis/workload/v1alpha1/zz_generated.deepcopy.go: Generated file

• Files reviewed: 13/15 changed files
• Comments generated: 2

Note

Your feedback helps us improve the quality of this feature.
Please use 👍 or 👎 to tell us whether this assessment is correct.

[hzxuzhonghu]

The return value is not used at all

[hzxuzhonghu]

demote not common, prefer update

[hzxuzhonghu]

why isRoleRollingUpdate still continue when maxScaleDown <= 0

[hzxuzhonghu]

when type is RollingUpdateStrategyType. ? seems not right

[hzxuzhonghu]

This check can be largely simplified by checking the role instances count not equal to the expected replicas. And it should be moved in front of the loop in L1285

[hzxuzhonghu]

TestModelServingRoleRollingUpdateRoleMaxUnavailable failure is related. And there are many bad smells.

[hzxuzhonghu]

Thanks for the RoleRollingUpdate work. I found two issues that should be addressed before merge:

1. [blocking] Legacy RoleTemplateHash compatibility was dropped

   In pkg/model-serving-controller/controller/model_serving_controller.go, the new rollout paths compare role.RoleTemplateHash directly against the expected hash in promoteServingGroupIfRolledOut and collectGroupRoleUpdateState.

   The previous implementation used resolveRoleTemplateHashForComparison, which handled legacy datastore roles with an empty RoleTemplateHash by resolving the hash from the ServingGroup revision. With the new direct comparison, upgraded controllers can treat existing legacy roles as outdated, unnecessarily delete them, or keep a finished group from being promoted back to Running.

   Please reuse the existing fallback helper in both paths, preserving the previous unresolved-hash behavior.

2. [important] GetRolesByGroup returns shared mutable *Role pointers

   pkg/model-serving-controller/datastore/store.go copies the role maps in GetRolesByGroup, but it still returns the original *Role values. The new rollout code reads those pointers after the store lock is released, while informer/worker paths can mutate the same objects via UpdateRoleStatus under the store lock.

   That creates an unsynchronized read/write race in rollout-critical state. Please deep-copy each Role in GetRolesByGroup or change the API to return value snapshots so callers never read internal mutable store objects outside the lock.