Add Tolerations
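Pod tolerations allow Pods to be scheduled on Nodes that have a matching taint. This policy adds the toleration `org.com/role=service:NoSchedule` to a Pod if its existing tolerations do not contain the key `org.com/role`. A toleration only permits scheduling onto tainted Nodes and does not require it. As written, the policy matches every Pod, so any Pod without that key gains access to Nodes carrying this taint.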
Policy Definition
/other-mpol/add-tolerations/add-tolerations.yaml
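---
# Kyverno MutatingPolicy: give Pods the toleration
# org.com/role=service:NoSchedule unless they already carry a toleration
# with the key org.com/role.
#
# Scope note: matchConstraints below selects every core/v1 Pod on CREATE
# and UPDATE; no namespaceSelector or objectSelector is set in this
# listing. If the org.com/role=service taint is used to reserve Nodes for
# specific workloads, this policy lets every matched Pod tolerate it, so
# narrow the match before relying on the taint as an isolation boundary.
apiVersion: policies.kyverno.io/v1alpha1
kind: MutatingPolicy
metadata:
  name: add-tolerations
  annotations:
    policies.kyverno.io/title: Add Tolerations
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    kyverno.io/kyverno-version: "1.15.0"
    # Quoted like the other version annotations so it is always a string.
    policies.kyverno.io/minversion: "1.6.0"
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: >-
      Pod tolerations are used to schedule on Nodes which have
      a matching taint. This policy adds the toleration `org.com/role=service:NoSchedule`
      if existing tolerations do not contain the key `org.com/role`.
spec:
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
  matchConditions:
    # Despite the name, this expression is true when the Pod has NO
    # toleration with key org.com/role; only then does the mutation run.
    # The test is on the key alone: a Pod that already sets org.com/role
    # with any value, operator or effect is left unchanged.
    # NOTE(review): a toleration without a `key` field (operator: Exists)
    # may make `t.key` fail to evaluate; confirm, and consider guarding
    # with has(t.key).
    - name: skip-if-toleration-exists
      expression: |
        !has(object.spec.tolerations) ||
        object.spec.tolerations == null ||
        !object.spec.tolerations.exists(t, t.key == "org.com/role")
  mutations:
    # Two patch shapes: create /spec/tolerations when the list is absent,
    # otherwise append to it with the JSON Patch "-" (end of array) index.
    - patchType: JSONPatch
      jsonPatch:
        expression: |
          (!has(object.spec.tolerations) || object.spec.tolerations == null) ?
          [
            JSONPatch{
              op: "add",
              path: "/spec/tolerations",
              value: [dyn({
                "key": "org.com/role",
                "operator": "Equal",
                "value": "service",
                "effect": "NoSchedule"
              })]
            }
          ] :
          [
            JSONPatch{
              op: "add",
              path: "/spec/tolerations/-",
              value: dyn({
                "key": "org.com/role",
                "operator": "Equal",
                "value": "service",
                "effect": "NoSchedule"
              })
            }
          ]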