-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
spire-agent not able to run on tainted nodes #27228
Labels
area/helm
Impacts helm charts and user deployment experience
feature/authentication
kind/bug
This is a bug in the Cilium logic.
kind/community-report
This was reported by a user in the Cilium community, eg via Slack.
sig/agent
Cilium agent related.
Comments
tvonhacht-apple
added
kind/bug
This is a bug in the Cilium logic.
kind/community-report
This was reported by a user in the Cilium community, eg via Slack.
needs/triage
This issue requires triaging to establish severity and next steps.
labels
Aug 3, 2023
6 tasks
dylandreimerink
added
area/helm
Impacts helm charts and user deployment experience
sig/agent
Cilium agent related.
feature/authentication
and removed
needs/triage
This issue requires triaging to establish severity and next steps.
labels
Aug 3, 2023
tvonhacht-apple
added a commit
to tvonhacht-apple/cilium
that referenced
this issue
Aug 10, 2023
Previously, it was not possible to run the spire-agent on nodes with taints like the cilium-agent does by default. This feature matches similar behaviour. Added as well options to define affinity, nodeSelector and tolerations for spire-server. Fixes: cilium#27228 Signed-off-by: Thorben von Hacht <tvonhacht@apple.com>
lmb
pushed a commit
that referenced
this issue
Aug 16, 2023
Previously, it was not possible to run the spire-agent on nodes with taints like the cilium-agent does by default. This feature matches similar behaviour. Added as well options to define affinity, nodeSelector and tolerations for spire-server. Fixes: #27228 Signed-off-by: Thorben von Hacht <tvonhacht@apple.com>
tklauser
pushed a commit
to tklauser/cilium
that referenced
this issue
Oct 24, 2023
[ upstream commit b599370 ] Previously, it was not possible to run the spire-agent on nodes with taints like the cilium-agent does by default. This feature matches similar behaviour. Added as well options to define affinity, nodeSelector and tolerations for spire-server. Fixes: cilium#27228 Signed-off-by: Thorben von Hacht <tvonhacht@apple.com> Signed-off-by: Tobias Klauser <tobias@cilium.io>
dylandreimerink
pushed a commit
that referenced
this issue
Oct 25, 2023
[ upstream commit b599370 ] Previously, it was not possible to run the spire-agent on nodes with taints like the cilium-agent does by default. This feature matches similar behaviour. Added as well options to define affinity, nodeSelector and tolerations for spire-server. Fixes: #27228 Signed-off-by: Thorben von Hacht <tvonhacht@apple.com> Signed-off-by: Tobias Klauser <tobias@cilium.io>
sayboras
pushed a commit
that referenced
this issue
Nov 25, 2023
[ upstream commit b599370 ] Previously, it was not possible to run the spire-agent on nodes with taints like the cilium-agent does by default. This feature matches similar behaviour. Added as well options to define affinity, nodeSelector and tolerations for spire-server. Fixes: #27228 Signed-off-by: Thorben von Hacht <tvonhacht@apple.com> Signed-off-by: Tobias Klauser <tobias@cilium.io> Signed-off-by: Tobias Klauser <tobias@isovalent.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
area/helm
Impacts helm charts and user deployment experience
feature/authentication
kind/bug
This is a bug in the Cilium logic.
kind/community-report
This was reported by a user in the Cilium community, eg via Slack.
sig/agent
Cilium agent related.
Is there an existing issue for this?
What happened?
spire-agent
is not running on tainted nodes by default or does not provide option to add tolerations.For example
cilium-agent
by default runs on every node as an allow all toleration is added by default. (https://github.com/cilium/cilium/blob/main/install/kubernetes/cilium/values.yaml#L168-L169)This results in 2 problems:
cilium-operator
runs on tainted node, nocilium:mutual-auth
identity can be createdCilium Version
1.14.0
Kernel Version
irrelevant to bug
Kubernetes Version
1.27
Sysdump
No response
Relevant log output
The text was updated successfully, but these errors were encountered: