Add Tolerations policy not working as expected, as it's adding the toleration key even though it exists in pod specifications

Discussed in https://github.com/kyverno/policies/discussions/1234

Originally posted by kishorech816 February 15, 2025

I have installed Kyverno version 1.13.2 using Helm: `helm upgrade -i kyverno kyverno/kyverno -n kyverno --create-namespace --version 3.3.4` and am trying to add missing tolerations from pod specifications as below

    apiVersion: kyverno.io/v1
    kind: Policy
    metadata:
      name: add-tolerations
      namespace: kyvernotest
      annotations:
        policies.kyverno.io/title: Add Tolerations
        policies.kyverno.io/category: Other
        policies.kyverno.io/severity: medium
        policies.kyverno.io/subject: Pod
        kyverno.io/kyverno-version: 1.13.2
    spec:
      rules:
      - name: service-toleration
        match:
          any:
          - resources:
              kinds:
              - Pod
        preconditions:
          any:
          - key: "org.com/role"
            operator: AnyNotIn
            value: "{{ request.object.spec.tolerations[].key || `[]` }}"
        mutate:
          patchesJson6902: |-
            - op: add
              path: "/spec/tolerations/-"
              value:
                key: org.com/role
                operator: Equal
                value: service
                effect: NoSchedule

Sample pod spec.yaml:

    apiVersion: v1
    kind: Pod
    metadata:
      name: python-pod
    spec:
      containers:
      - name: python-container
        image: python:3.9
        command: ["python","-m","http.server","8080"]
        #volumeMounts:
        #- name: host-root
        #  mountPath: /host
      tolerations:
      - effect: NoExecute
        key: node.kubernetes.io/not-ready
        operator: Exists

When I apply the above spec it's working as expected, but if I change the YAML and add "org.com/role", the mutation webhook adds another duplicate toleration as below.

      serviceAccount: default
      serviceAccountName: default
      terminationGracePeriodSeconds: 30
      tolerations:
      - effect: NoSchedule
        key: org.com/role
        operator: Equal
        value: service
      - effect: NoSchedule
        key: org.com/role
        operator: Equal
        value: service

Ideally, the expected behaviour is that it should ignore it if the tolerations are already added in the pod specifically. Surprisingly, it's working as expected in the Kyverno playground.
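
Added example (not part of the original post and not Kyverno's own code): a small Python model of the behaviour the report expects from the precondition and patch above, plus a check for repeated tolerations that can be run over an admitted pod's spec. All function names and sample pods are hypothetical and constructed from the manifests in the post; creating the tolerations list when it is absent is an assumption of this model.

```python
import copy

# Toleration the policy on this page adds (values copied from its patch).
ROLE_TOLERATION = {"key": "org.com/role", "operator": "Equal",
                   "value": "service", "effect": "NoSchedule"}

def toleration_keys(pod):
    """Model of `request.object.spec.tolerations[].key || []`."""
    tolerations = pod.get("spec", {}).get("tolerations") or []
    return [t["key"] for t in tolerations if t.get("key") is not None]

def precondition_passes(pod, key="org.com/role"):
    """Model of `key AnyNotIn <keys>`: true only when the key is absent."""
    return key not in toleration_keys(pod)

def expected_mutation(pod):
    """Pod as it should look after admission if the rule is idempotent."""
    out = copy.deepcopy(pod)
    if precondition_passes(out):
        # Assumption of this model: a missing tolerations list is created.
        out["spec"].setdefault("tolerations", []).append(dict(ROLE_TOLERATION))
    return out

def duplicate_tolerations(pod):
    """Tolerations repeated with identical key/operator/value/effect."""
    seen, dups = set(), []
    for t in pod.get("spec", {}).get("tolerations") or []:
        ident = tuple(t.get(f) for f in ("key", "operator", "value", "effect"))
        if ident in seen:
            dups.append(ident)
        seen.add(ident)
    return dups

# Constructed inputs based on the manifests in the post.
NOT_READY = {"key": "node.kubernetes.io/not-ready", "operator": "Exists",
             "effect": "NoExecute"}
POD_WITHOUT_KEY = {"spec": {"tolerations": [dict(NOT_READY)]}}
POD_WITH_KEY = {"spec": {"tolerations": [dict(ROLE_TOLERATION)]}}
POD_NO_TOLERATIONS = {"spec": {}}
REPORTED_RESULT = {"spec": {"tolerations": [dict(ROLE_TOLERATION),
                                            dict(ROLE_TOLERATION)]}}

if __name__ == "__main__":
    for name, pod in [("without key", POD_WITHOUT_KEY), ("with key", POD_WITH_KEY),
                      ("no tolerations", POD_NO_TOLERATIONS)]:
        print(name, "->", toleration_keys(expected_mutation(pod)))
    print("duplicates in reported result:", duplicate_tolerations(REPORTED_RESULT))
```

Comparing `expected_mutation()` of the submitted manifest with the object the API server actually stored shows whether the extra entry came from the rule firing when its precondition should have been false.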