· 6 min read ·

The Hidden Timing Budget Inside Every Kubernetes Rolling Update

Source: lobsters

Cloudflare recently published a post about a single-line configuration change that reclaimed 600 hours of developer time per year. The number sounds implausible until you work through the math, and then it becomes a straightforward consequence of running hundreds of services at scale with sensible-but-wrong defaults.

The fix itself is almost beside the point. What matters is the class of problem it represents: dead time that compounds silently inside the Kubernetes rolling update lifecycle, invisible unless you instrument it, and entirely fixable once you understand the sequence.

What Actually Happens When You Roll a Deployment

Most engineers have an intuition that a rolling update replaces old pods with new ones. The mechanics underneath that intuition are worth tracing carefully, because each step has a time budget attached to it.

When you push a new image or change a Deployment spec, the Kubernetes controller creates a new ReplicaSet. The rollout engine then scales up the new set and scales down the old one, subject to two parameters in spec.strategy.rollingUpdate:

strategy:
  type: RollingUpdate
  rollingUpdate:
    maxSurge: 1
    maxUnavailable: 0

With maxUnavailable: 0, Kubernetes won’t terminate any old pod until a new pod is confirmed Ready. That confirmation has its own latency: the readiness probe must pass, and if minReadySeconds is set, the pod must stay healthy for that many additional seconds before Kubernetes considers it truly available.

Once a new pod clears those gates, an old pod enters termination. This is where the hidden budget lives.

The Pod Termination Sequence

The Kubernetes documentation describes the termination sequence in detail, but the timing implications deserve emphasis.

When a pod is marked for deletion:

  1. The pod moves to Terminating state. kubelet sets a deletion timestamp.
  2. If a preStop lifecycle hook is configured, it runs to completion.
  3. kubelet sends SIGTERM to PID 1 in each container.
  4. The terminationGracePeriodSeconds timer runs. Default: 30 seconds.
  5. If containers are still running when the timer expires, kubelet sends SIGKILL.

The grace period and the preStop hook share the same timer. A preStop hook that sleeps for 5 seconds leaves 25 seconds of grace period for the application to finish. A preStop hook that sleeps for 15 seconds leaves 15. If your hook or your application shutdown takes longer than terminationGracePeriodSeconds, the pod gets forcibly killed.

The default 30-second grace period exists for a real reason: it accommodates long-running requests, database connection draining, and in-flight work that an application might need time to finish. The problem is that for most stateless HTTP services, the actual shutdown time is under a second. The application catches SIGTERM, stops accepting new connections, drains the handful of in-flight requests in 100-200ms, and exits. Then Kubernetes waits 29.8 more seconds for nothing.

Why the Defaults Are What They Are

Kubernetes defaults are generally conservative because they need to work for the full range of workloads, from a tiny Go binary that shuts down in 50ms to a Java application server that needs 20 seconds to drain its connection pool. The 30-second default is a lowest-common-denominator safety margin, not a performance target.

The problem is that developers tend to inherit these defaults without examining whether they apply. A Deployment created by copying a template carries the original author’s assumptions, or the absence of any explicit assumption, which defaults to 30 seconds.

At Cloudflare’s scale, with continuous delivery pipelines pushing updates to hundreds of services throughout the day, this becomes a substantial throughput constraint. If you have 20 pods per deployment and each pod termination wastes 25 seconds waiting on a grace period that will never be used, a single deployment costs 500 seconds of unnecessary wall-clock time. Roll out 10 services a day and that’s 5,000 seconds per day, roughly 1,400 hours per year. The 600-hour figure in their post lands squarely in this order of magnitude.

The preStop Sleep Pattern and Its Trade-offs

Before reducing terminationGracePeriodSeconds, it’s worth understanding why some teams deliberately add artificial delay during termination. The pattern looks like this:

containers:
- name: app
  lifecycle:
    preStop:
      exec:
        command: ["/bin/sh", "-c", "sleep 5"]

This exists to address a genuine race condition. When a pod begins terminating, the Kubernetes control plane notifies the endpoints controller, which removes the pod from Service endpoints. kube-proxy then has to propagate that change to iptables or IPVS rules on every node. This propagation is not instantaneous. On a large cluster, it can take several seconds.

During that window, a load balancer or other pod using the Service may still route traffic to the terminating pod. The SIGTERM has already been sent, but new connections can still arrive. A 5-second preStop sleep gives the control plane time to remove the pod from rotation before the application begins shutting down.

The right response to this is not to set terminationGracePeriodSeconds to zero or to a value smaller than your preStop sleep plus your actual shutdown time. The correct configuration is:

spec:
  terminationGracePeriodSeconds: 15  # preStop sleep + actual shutdown time + margin
  containers:
  - name: app
    lifecycle:
      preStop:
        exec:
          command: ["/bin/sh", "-c", "sleep 5"]

If your service handles only internal traffic behind a load balancer with fast health checks, you may not need the preStop sleep at all. If you’re directly exposed to external traffic via an ingress, the sleep is usually worth keeping.

Where Else Dead Time Hides

terminationGracePeriodSeconds is one of several places that accumulate unnecessary latency in a rollout pipeline. The others are less commonly audited.

initialDelaySeconds on readiness probes. This tells kubelet to wait before starting probe checks. Many teams copy a conservative value like 30 seconds because it was appropriate for a different service or a heavier application. A service that starts in 2 seconds paying a 30-second initial delay on every pod start is leaving time on the table.

readinessProbe:
  httpGet:
    path: /health
    port: 8080
  initialDelaySeconds: 5   # not 30
  periodSeconds: 2
  failureThreshold: 3

minReadySeconds. This field holds a new pod in a transitional state after it passes its readiness probe, before Kubernetes counts it as a replacement for an old pod. The default is 0, which is usually correct. Teams that set it to 30 or 60 seconds as extra caution are adding that delay to every single pod replacement in every rollout.

progressDeadlineSeconds. This controls how long Kubernetes waits before marking a Deployment as failed. The default is 600 seconds. It does not slow down successful rollouts, but it does mean that a hung deployment won’t surface as a failure for 10 minutes. Reducing this to something closer to your expected rollout time makes failures visible faster.

Measuring Your Own Rollout Budget

The fastest way to see where your deployments are spending time is kubectl rollout status with timestamps, or better, pushing deployment events into your existing observability stack. Most teams have Prometheus and can instrument the kube_pod_status_phase metric along with kube_pod_deletion_timestamp to measure actual termination duration per pod.

A simpler one-time audit:

# Trigger a rollout and watch pod timestamps
kubectl rollout restart deployment/your-service -n your-namespace
kubectl get pods -n your-namespace -w | awk '{print $1, $3, strftime("%T", systime())}'

Watch how long pods spend in Terminating. If they consistently sit there for 25-30 seconds and your application logs show it exited in under a second, you’ve found the problem.

The Broader Lesson

Kubernetes configuration is declarative and easy to copy, which means teams frequently inherit assumptions from templates, tutorials, or other services without evaluating whether those assumptions apply. The Cloudflare finding is a good reminder that defaults are starting points, not recommendations, and that the cost of conservative defaults is invisible until you measure it.

For stateless HTTP services doing continuous delivery, a reasonable baseline is terminationGracePeriodSeconds set to your measured shutdown time plus 10 seconds of margin, initialDelaySeconds set to your measured startup time plus a small buffer, and minReadySeconds at 0 unless you have a specific reason for it. These are not aggressive settings; they are just honest ones.

The 600 hours per year Cloudflare recovered were not the result of a complex optimization. They were the result of someone actually looking at what was happening during a pod shutdown and noticing that the clock kept running long after there was anything left to wait for.

Was this interesting?