
Add Tolerations policy not working as expected: it's adding the toleration key even though it already exists in the pod specification #1235

Open
kishorech816 opened this issue Feb 15, 2025 · 0 comments

@kishorech816

Discussed in #1234

Originally posted by kishorech816 February 15, 2025
I have installed Kyverno version 1.13.2 using helm: `helm upgrade -i kyverno kyverno/kyverno -n kyverno --create-namespace --version 3.3.4` and am trying to add missing tolerations to pod specifications as below:

```yaml
apiVersion: kyverno.io/v1
kind: Policy
metadata:
  name: add-tolerations
  namespace: kyvernotest
  annotations:
    policies.kyverno.io/title: Add Tolerations
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    kyverno.io/kyverno-version: 1.13.2
spec:
  rules:
  - name: service-toleration
    match:
      any:
      - resources:
          kinds:
          - Pod
    preconditions:
      any:
      - key: "org.com/role"
        operator: AnyNotIn
        value: "{{ request.object.spec.tolerations[].key || `[]` }}"
    mutate:
      patchesJson6902: |-
        - op: add
          path: "/spec/tolerations/-"
          value:
            key: org.com/role
            operator: Equal
            value: service
            effect: NoSchedule
```

Sample pod spec.yaml:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: python-pod
spec:
  containers:
  - name: python-container
    image: python:3.9
    command: ["python","-m","http.server","8080"]
    #volumeMounts:
    #- name: host-root
    #  mountPath: /host
  tolerations:
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
```

When I apply the above spec it's working as expected, but if I change the YAML and add "org.com/role", the mutation webhook adds another, duplicate toleration, as below:

```yaml
  serviceAccount: default
  serviceAccountName: default
  terminationGracePeriodSeconds: 30
  tolerations:
  - effect: NoSchedule
    key: org.com/role
    operator: Equal
    value: service
  - effect: NoSchedule
    key: org.com/role
    operator: Equal
    value: service
```

Ideally, the expected behaviour is that it should ignore the toleration if it is already added in the pod spec. Surprisingly, it's working as expected in the Kyverno playground.
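As an added reference model (not Kyverno's code, and not part of the original issue), the following Python mimics what the policy above is meant to do, an `AnyNotIn` precondition on the existing toleration keys guarding a JSON 6902 `add` to `/spec/tolerations/-`, and checks two things against constructed copies of the issue's pods: that a second admission pass is a no-op, and that the duplicated toleration the reporter observed is detectable. Creating the `tolerations` array when it is absent is a modelling assumption, not something the policy's patch does.

```python
import copy
from collections import Counter

TOLERATION_KEY = "org.com/role"
WANTED = {"key": TOLERATION_KEY, "operator": "Equal",
          "value": "service", "effect": "NoSchedule"}


def precondition_passes(pod: dict) -> bool:
    """Mimics: key "org.com/role" AnyNotIn
    "{{ request.object.spec.tolerations[].key || `[]` }}"."""
    keys = [t.get("key") for t in pod.get("spec", {}).get("tolerations") or []]
    return TOLERATION_KEY not in keys


def apply_policy(pod: dict) -> dict:
    """One admission pass: apply the JSON 6902 add only if the precondition holds."""
    out = copy.deepcopy(pod)
    if not precondition_passes(out):
        return out
    # "/spec/tolerations/-" appends to the array; RFC 6902 needs the parent to
    # exist already, and this model simply creates it (modelling assumption).
    out["spec"].setdefault("tolerations", []).append(dict(WANTED))
    return out


def duplicate_toleration_keys(pod: dict) -> list:
    """Detection check: toleration keys that occur more than once in a pod."""
    counts = Counter(t.get("key") for t in pod.get("spec", {}).get("tolerations") or [])
    return sorted(k for k, n in counts.items() if n > 1)


# Constructed samples modelled on the pods shown in the issue.
POD_WITHOUT = {"apiVersion": "v1", "kind": "Pod",
               "metadata": {"name": "python-pod"},
               "spec": {"containers": [{"name": "python-container", "image": "python:3.9"}],
                        "tolerations": [{"effect": "NoExecute",
                                         "key": "node.kubernetes.io/not-ready",
                                         "operator": "Exists"}]}}
# What the webhook produced in the issue: the same toleration twice.
OBSERVED_DUPLICATE = {"apiVersion": "v1", "kind": "Pod",
                      "metadata": {"name": "python-pod"},
                      "spec": {"tolerations": [dict(WANTED), dict(WANTED)]}}

if __name__ == "__main__":
    once = apply_policy(POD_WITHOUT)
    twice = apply_policy(once)           # second pass must be a no-op
    print("idempotent:", once == twice)  # idempotent: True
    print("duplicate keys in observed pod:", duplicate_toleration_keys(OBSERVED_DUPLICATE))
```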
