Pod tolerations are used to schedule on Nodes which have a matching taint. This policy adds the toleration `org.com/role=service:NoSchedule` if existing tolerations do not contain the key `org.com/role`.
apiVersion: kyverno.io/v1kind: ClusterPolicymetadata:name: add-tolerationsannotations:policies.kyverno.io/title: Add Tolerationspolicies.kyverno.io/category: Otherpolicies.kyverno.io/severity: mediumpolicies.kyverno.io/subject: Podkyverno.io/kyverno-version: 1.7.1policies.kyverno.io/minversion: 1.6.0kyverno.io/kubernetes-version: "1.23"policies.kyverno.io/description: Pod tolerations are used to schedule on Nodes which have a matching taint. This policy adds the toleration `org.com/role=service:NoSchedule` if existing tolerations do not contain the key `org.com/role`.spec:rules:- name: service-tolerationmatch:any:- resources:kinds:- Podpreconditions:any:- key: org.com/roleoperator: AnyNotInvalue: "{{ request.object.spec.tolerations[].key || `[]` }}"mutate:patchesJson6902: |-- op: addpath: "/spec/tolerations/-"value:key: org.com/roleoperator: Equalvalue: serviceeffect: NoSchedule
The Kubernetes cluster autoscaler does not evict pods that use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods.
The Kubernetes cluster autoscaler does not evict pods that use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods.
CAST AI will not downscale a node that includes a pod with the autoscaling.cast.ai/removal-disabled="true" label on it, this protects sensitive workloads from being evicted and can be attributed to any pod to protect against unwanted downscaling. This policy will mutate jobs and cronjobs to add the removal-disabled label to protect against eviction.