tolerations not honoured

[sybadm]

tolerations: for spod not setting up and spod not able to schedule on AKS nodepools with taints set

What happened:

1. the ptach/merge statement adds new tolerations but wipes out below existing tolerations, (see below how to reproduce)
    
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
        operator: Exists
      - effect: NoSchedule
        key: node-role.kubernetes.io/control-plane
        operator: Exists
      - effect: NoExecute
        key: node.kubernetes.io/not-ready
        operator: Exists

2. the new tolerations is not honoured and spod does not get schedule on the nodepool.

What you expected to happen:

Expect SPOD to be scheduled on the nodepool with tolerations settings.

How to reproduce it (as minimally and precisely as possible):

az aks nodepool add \
    --resource-group XXXX \
    --cluster-name XXXXX \
    --name developernp \
    --node-vm-size Standard_E16ds_v5\
    --min-count 0 \
    --max-count 5 \
    --zones 1 2 3 \
    --enable-cluster-autoscaler \
    --node-osdisk-type Managed \
    --scale-down-mode Deallocate \
    --node-taints seccomp-role=seccomp:NoSchedule

kubectl -n security-profiles-operator patch spod spod --type merge -p '{"spec":{"tolerations":[{"key":"seccomp-role","operator":"Exists","effect":"NoSchedule"}]}}'

Anything else we need to know?:

Environment:

• Cloud provider or hardware configuration: AKS 1.27.3
• OS (e.g: cat /etc/os-release):
• Kernel (e.g. uname -a):
• Others:

[sybadm]

my fault.... didn't realised there was default tolerations

[saschagrunert]

@sybadm anyways thank you for the report!

[sybadm]

@sybadm anyways thank you for the report!

thank you. However the patch commands with --type merge should overwrite existing tolerations? Not a big deal but it helps in automation

[saschagrunert]

@sybadm yes that’s correct. 👍