
Instruct how to add tolerations to defender daemonset

Open tahonen opened this issue 4 years ago • 2 comments

By default the defender daemonset doesn't have any node selector. You assume that it will be deployed to every node in the cluster. OpenShift 4+ uses Taints to prevent workloads from being scheduled to masters.

...
taints:
- effect: NoSchedule
  key: node-role.kubernetes.io/master
...

To deploy defender to masters you need to add matching Toleration to daemonset.

...
terminationGracePeriodSeconds: 30
tolerations:
- effect: NoSchedule
  key: node-role.kubernetes.io/master
  operator: Exists
volumes:
...

This is a documentation issue, if not implemented in the installer script/templates.

tahonen avatar Aug 25 '20 06:08 tahonen

oc patch daemonset twistlock-defender-ds --type=merge -p '{"spec":{"template":{"spec":{"tolerations":[{"effect":"NoSchedule","key":"node-role.kubernetes.io/master","operator":"Exists"}]}}}}'

tahonen avatar Aug 25 '20 07:08 tahonen
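The two comments above describe the same fix twice: the toleration in YAML, and the `oc patch --type=merge` command that applies it. The following is an added example written for this issue, not code from the twistlock/docs project. It implements the Kubernetes toleration/taint matching rules so you can check, before and after patching, which scheduling-blocking taints a DaemonSet's pod template still fails to tolerate (a node with an untolerated taint simply runs without the Defender agent), and it builds the `-p` argument for the patch command. The DaemonSet manifest, the existing `example.com/dedicated` toleration and the node taints are constructed samples; only the standard library is used.

```python
"""Check and patch DaemonSet tolerations against node taints.

Added example for the issue above; not Prisma Cloud / twistlock code.
Uses only the standard library. The manifest and taints are constructed samples.
"""
import copy
import json
from typing import Dict, List

# Constructed sample: the taint OpenShift 4 puts on masters (as quoted in the
# issue), plus the control-plane taint newer Kubernetes releases apply as well.
MASTER_TAINT = {"key": "node-role.kubernetes.io/master", "effect": "NoSchedule"}
CONTROL_PLANE_TAINT = {"key": "node-role.kubernetes.io/control-plane", "effect": "NoSchedule"}

# The toleration the issue says the Defender DaemonSet needs for masters.
MASTER_TOLERATION = {
    "effect": "NoSchedule",
    "key": "node-role.kubernetes.io/master",
    "operator": "Exists",
}

# Constructed minimal DaemonSet with the same shape as the one being patched.
# It already carries one (constructed) toleration, which a naive merge patch would drop.
SAMPLE_DAEMONSET = {
    "apiVersion": "apps/v1",
    "kind": "DaemonSet",
    "metadata": {"name": "twistlock-defender-ds", "namespace": "twistlock"},
    "spec": {
        "template": {
            "spec": {
                "terminationGracePeriodSeconds": 30,
                "tolerations": [
                    {"key": "example.com/dedicated", "operator": "Exists", "effect": "NoSchedule"}
                ],
                "containers": [{"name": "twistlock-defender", "image": "placeholder/defender:latest"}],
            }
        }
    },
}

# Only these effects keep a pod off a node; PreferNoSchedule is a soft preference.
BLOCKING_EFFECTS = {"NoSchedule", "NoExecute"}


def toleration_matches(toleration: Dict, taint: Dict) -> bool:
    """Apply the Kubernetes toleration-to-taint matching rules."""
    op = toleration.get("operator", "Equal")  # Equal is the API default
    key = toleration.get("key", "")
    if key == "" and op == "Exists":
        return True  # empty key with Exists tolerates every taint
    if key != taint.get("key"):
        return False
    effect = toleration.get("effect", "")
    if effect and effect != taint.get("effect"):
        return False  # an empty effect matches any effect for that key
    if op == "Exists":
        return True
    return op == "Equal" and toleration.get("value", "") == taint.get("value", "")


def untolerated_taints(pod_spec: Dict, node_taints: List[Dict]) -> List[Dict]:
    """Return the scheduling-blocking taints that nothing in pod_spec tolerates.

    A non-empty result means the DaemonSet controller will not place a pod on
    that node, i.e. the node runs without the agent.
    """
    tolerations = pod_spec.get("tolerations", [])
    return [
        taint
        for taint in node_taints
        if taint.get("effect") in BLOCKING_EFFECTS
        and not any(toleration_matches(t, taint) for t in tolerations)
    ]


def with_toleration(daemonset: Dict, toleration: Dict) -> Dict:
    """Return a copy of the DaemonSet whose pod template carries `toleration` (idempotent)."""
    ds = copy.deepcopy(daemonset)
    tolerations = ds["spec"]["template"]["spec"].setdefault("tolerations", [])
    if toleration not in tolerations:
        tolerations.append(toleration)
    return ds


def merge_patch_json(daemonset: Dict, toleration: Dict) -> str:
    """Build the -p argument for `oc patch daemonset ... --type=merge`.

    A JSON merge patch (RFC 7386) replaces lists wholesale, so the patch must
    carry the existing tolerations too, or it silently removes them.
    """
    tolerations = with_toleration(daemonset, toleration)["spec"]["template"]["spec"]["tolerations"]
    body = {"spec": {"template": {"spec": {"tolerations": tolerations}}}}
    return json.dumps(body, separators=(",", ":"))


if __name__ == "__main__":
    node_taints = [MASTER_TAINT, CONTROL_PLANE_TAINT]
    before = SAMPLE_DAEMONSET["spec"]["template"]["spec"]
    print("untolerated before:", untolerated_taints(before, node_taints))
    after = with_toleration(SAMPLE_DAEMONSET, MASTER_TOLERATION)["spec"]["template"]["spec"]
    print("untolerated after: ", untolerated_taints(after, node_taints))
    print("oc patch daemonset twistlock-defender-ds --type=merge -p",
          repr(merge_patch_json(SAMPLE_DAEMONSET, MASTER_TOLERATION)))
```

Two points the output makes visible: the patch from the second comment overwrites any tolerations the DaemonSet already had, because a merge patch replaces the whole `tolerations` list, so a patch built from the live object (as `merge_patch_json` does) is safer than a hard-coded one; and on clusters that also taint masters with `node-role.kubernetes.io/control-plane`, the master toleration alone still leaves those nodes uncovered, which `untolerated_taints` reports.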

Thanks! I've made a few changes in https://github.com/twistlock/docs/pull/160 that should take care of this.

solalraveh avatar Sep 23 '20 15:09 solalraveh