feat: Auto tolerate DaemonSets with mutating admission controller

[ajaysundark]

When requirements change or a new NodeReadinessRule with a new taint need to be managed, existing components (DaemonSets) don't tolerate it. This require the admin to manually update every DaemonSet manifest to add the toleration. This is not great for operational ergonomics as in a typical enterprise setup the ownership are spread across different teams.

Proposed Solution

For better UX, an optional mutating admission policy could automatically inject tolerations for readiness.k8s.io/* taints into DaemonSets.

How it works

• Watch DaemonSet create/update operations
• Automatically add tolerations for all NoSchedule taints with readiness.k8s.io/ prefix
• Disabled by default (separate deployment from main controller)

This will ensure no manual manifest updates are required when adding new readiness rules, and guarantee safer operations of critical daemon-sets during project evolution

[pehlicd]

Hi @ajaysundark , is this issue still relevant? If so I would like to work on this one.

/assign

[ajaysundark]

Hi @pehlicd , yes go for it.

This could be a Mutating Admission Policy to inject tolerations for known readiness taints into DaemonSet pods.

I'm imagining an optional deployable manifest that node-readiness-controller will ship for better UX when multiple cross-functional teams are involved.

[pehlicd]

Hi @ajaysundark,

Quick clarification question: When you mentioned "Mutating Admission Policy," did you mean:

1. Mutating Admission Webhook (custom webhook server with controller-runtime), or
2. ValidatingAdmissionPolicy with CEL?

I'm planning to implement a webhook server that:

• Intercepts DaemonSet CREATE/UPDATE
• Queries NodeReadinessRules for readiness.k8s.io/* taints
• Auto-injects tolerations into pods
• Deployed as optional separate manifest

Does this match what you had in mind?

Thanks!

[ajaysundark]

Hi @pehlicd yes, webhook server is one option. but I imagine https://kubernetes.io/docs/reference/access-authn-authz/mutating-admission-policy could be a better fit.

it has few limitations-

1. it does not help with earlier k8s versions.
2. cannot achieve Queries NodeReadinessRules for readiness.k8s.io/* taints for fully dynamic adaptation, but we could use parameter bindings to inject the readiness tolerations, maybe based on a simple configmap or a crd with array of tolerations?

cc @Karthik-K-N @Priyankasaggu11929

[pehlicd]

Thanks @ajaysundark! I've looked into MutatingAdmissionPolicy, but I think the webhook approach is better suited for this use case:

MutatingAdmissionPolicy limitations:

• Beta status (K8s 1.30+) limits adoption
• Cannot dynamically query NodeReadinessRules - would need ConfigMap/CRD updates
• Defeats the "zero manual intervention" goal

Webhook advantages:

• broader compatibility
• Fully dynamic - queries NodeReadinessRules automatically
• GA and production-ready

I've already implemented a working webhook with tests and docs. Would you be open to reviewing the webhook approach, or do you strongly prefer MAP? Happy to pivot if needed.

[Karthik-K-N]

My question is do we need to tolerate only deployed DaemonSets or want to add toleration for any upcoming DS as well?

[pehlicd]

@Karthik-K-N IMHO the webhook should handle any upcoming DaemonSets (CREATE/UPDATE operations only).

How it works:

• New DaemonSets: tolerations injected automatically on creation
• Updated DaemonSets: tolerations injected during update
• Existing DaemonSets: require manual update to trigger the webhook

This approach is forward-looking (prevents future manual work) rather than retroactive (avoids forcing rollout restarts on all existing workloads). Operators maintain control over when to apply changes to running DaemonSets.

[ajaysundark]

I imagine this being handled for incoming daemon-sets to keep it simpler.

I get the webhook vs MAP dilemma. Though MAP is currently in beta, it seems to be moving faster, and likely will be our preferred choice for safety in the future (with configurable options like wildcard tolerations - kubernetes/enhancements#5869 - in policy).

@pehlicd However, if you're open to exploring a webhook path for the interim, I'm good to consider it. if you're available, we could open up a discussion on slack #sig-node-readiness-controller

[pehlicd]

Thanks @ajaysundark, I've implemented the MutatingAdmissionPolicy approach with ConfigMap parameter resource and automated sync via the existing controller. Will open a PR shortly.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale