Add Tolerations

Pod tolerations allow Pods to be scheduled on Nodes which have a matching taint. This policy adds the toleration `org.com/role=service:NoSchedule` to a Pod if its existing tolerations do not contain the key `org.com/role`.

Policy Definition

```yaml
apiVersion: policies.kyverno.io/v1alpha1
kind: MutatingPolicy
metadata:
  name: add-tolerations
  annotations:
    policies.kyverno.io/title: Add Tolerations
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    kyverno.io/kyverno-version: 1.15.0
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: Pod tolerations are used to schedule on Nodes which have a matching taint. This policy adds the toleration `org.com/role=service:NoSchedule` if existing tolerations do not contain the key `org.com/role`.
spec:
  matchConstraints:
    resourceRules:
      - apiGroups:
          - ""
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - pods
  matchConditions:
    - name: skip-if-toleration-exists
      expression: |
        !has(object.spec.tolerations) ||
        object.spec.tolerations == null ||
        !object.spec.tolerations.exists(t, t.key == "org.com/role")
  mutations:
    - patchType: JSONPatch
      jsonPatch:
        expression: |
          (!has(object.spec.tolerations) || object.spec.tolerations == null) ?
          [
            JSONPatch{
              op: "add",
              path: "/spec/tolerations",
              value: [dyn({
                "key": "org.com/role",
                "operator": "Equal",
                "value": "service",
                "effect": "NoSchedule"
              })]
            }
          ] :
          [
            JSONPatch{
              op: "add",
              path: "/spec/tolerations/-",
              value: dyn({
                "key": "org.com/role",
                "operator": "Equal",
                "value": "service",
                "effect": "NoSchedule"
              })
            }
          ]
```
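
The following Python sketch is an added example, not Kyverno's code or part of the policy: it mirrors the policy's match condition and its two JSONPatch branches so the outcome can be checked against sample Pods. The function names and the three sample Pods are constructed for illustration. It shows why the patch needs both branches, and that a Pod already carrying the key `org.com/role` with a different value is left unchanged.

```python
import copy

# The toleration the policy injects (values taken from the policy above).
TOLERATION = {"key": "org.com/role", "operator": "Equal",
              "value": "service", "effect": "NoSchedule"}

def matches(pod):
    """Mirror of the matchCondition: true when no toleration uses the key."""
    tolerations = pod["spec"].get("tolerations")
    return tolerations is None or not any(
        t.get("key") == TOLERATION["key"] for t in tolerations)

def build_patch(pod):
    """Mirror of the jsonPatch expression's two branches."""
    if pod["spec"].get("tolerations") is None:
        # Array absent or null: "add" has to create the whole array.
        return [{"op": "add", "path": "/spec/tolerations", "value": [TOLERATION]}]
    # Array present: the RFC 6902 "-" index appends to its end.
    return [{"op": "add", "path": "/spec/tolerations/-", "value": TOLERATION}]

def apply_add(doc, op):
    """Minimal RFC 6902 "add": object members and the "-" array index only."""
    *parents, last = op["path"].lstrip("/").split("/")
    target = doc
    for part in parents:
        target = target[part]  # KeyError when a parent does not exist
    if last == "-":
        target.append(copy.deepcopy(op["value"]))
    else:
        target[last] = copy.deepcopy(op["value"])

def admit(pod):
    """Return the Pod as it would look after the policy is evaluated."""
    result = copy.deepcopy(pod)
    if matches(result):
        for op in build_patch(result):
            apply_add(result, op)
    return result

# Constructed sample Pods (not from the policy page).
bare = {"spec": {"containers": []}}
other = {"spec": {"tolerations": [{"key": "gpu", "operator": "Exists"}]}}
same_key = {"spec": {"tolerations": [{"key": "org.com/role", "operator": "Equal",
                                      "value": "batch", "effect": "NoSchedule"}]}}

if __name__ == "__main__":
    for name, pod in (("bare", bare), ("other", other), ("same_key", same_key)):
        print(name, admit(pod)["spec"].get("tolerations"))
```

Because the match condition checks only the key, the `same_key` Pod keeps its `batch` toleration and does not receive `org.com/role=service:NoSchedule`.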