twistlock / docs

Prisma Cloud Compute Docs
https://www.paloaltonetworks.com/prisma/cloud/compute-security

Instruct how to add tolerations to defender daemonset #138

Open tahonen opened 4 years ago

tahonen commented 4 years ago

By default the defender daemonset doesn't have any node selector. You assume that it will be deployed to every node in the cluster. OpenShift 4+ uses Taints to prevent workloads from being scheduled to masters.

```yaml
...
taints:
- effect: NoSchedule
  key: node-role.kubernetes.io/master
...
```

To deploy the defender to masters you need to add a matching Toleration to the daemonset.

```yaml
...
terminationGracePeriodSeconds: 30
tolerations:
- effect: NoSchedule
  key: node-role.kubernetes.io/master
  operator: Exists
volumes:
...
```

This is a documentation issue, if it is not implemented in the installer script/templates.

tahonen commented 4 years ago

```shell
oc patch daemonset twistlock-defender-ds --type=merge -p '{"spec":{"template":{"spec":{"tolerations":[{"effect":"NoSchedule","key":"node-role.kubernetes.io/master","operator":"Exists"}]}}}}'
```
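Added example (not from the issue author or the twistlock/docs project): a small check that applies the Kubernetes taint/toleration matching rules to a DaemonSet spec and a constructed set of node taints, so you can see which nodes the defender would silently be missing from before and after the patch above. The node list and DaemonSet dicts are constructed sample data mirroring the master taint and toleration discussed in this issue.

```python
# Added example: report nodes whose NoSchedule/NoExecute taints are not covered by
# a DaemonSet's tolerations, i.e. nodes where the defender pod would never run.
# Implements the Kubernetes toleration matching rules (operator Exists/Equal,
# empty key or effect acting as a wildcard). PreferNoSchedule is not blocking.

def toleration_matches(tol: dict, taint: dict) -> bool:
    """Return True if a single toleration tolerates a single taint."""
    # An empty effect tolerates every effect; otherwise effects must be equal.
    if tol.get("effect") and tol["effect"] != taint.get("effect"):
        return False
    op = tol.get("operator", "Equal")
    key = tol.get("key", "")
    if op == "Exists":
        # Exists ignores the value; an empty key with Exists tolerates all keys.
        return key == "" or key == taint.get("key")
    if op == "Equal":
        return key == taint.get("key") and tol.get("value", "") == taint.get("value", "")
    return False

def untolerated_taints(tolerations: list, taints: list) -> list:
    """Taints on one node that no toleration in the pod spec covers."""
    return [t for t in taints
            if t.get("effect") in ("NoSchedule", "NoExecute")
            and not any(toleration_matches(tol, t) for tol in tolerations)]

def nodes_missing_defender(daemonset: dict, nodes: dict) -> dict:
    """Map node name -> blocking taints, for nodes the DaemonSet cannot land on."""
    tolerations = daemonset["spec"]["template"]["spec"].get("tolerations", [])
    return {name: untolerated_taints(tolerations, taints)
            for name, taints in nodes.items()
            if untolerated_taints(tolerations, taints)}

# Constructed sample data: an OpenShift 4 master taint, one master and one worker,
# the default (toleration-less) DaemonSet, and the DaemonSet after the oc patch.
MASTER_TAINT = {"effect": "NoSchedule", "key": "node-role.kubernetes.io/master"}
NODES = {"master-0": [MASTER_TAINT], "worker-0": []}
DS_DEFAULT = {"spec": {"template": {"spec": {}}}}
DS_PATCHED = {"spec": {"template": {"spec": {"tolerations": [
    {"effect": "NoSchedule", "key": "node-role.kubernetes.io/master", "operator": "Exists"}]}}}}

if __name__ == "__main__":
    print("before patch:", nodes_missing_defender(DS_DEFAULT, NODES))
    print("after patch: ", nodes_missing_defender(DS_PATCHED, NODES))
```

Feed it the output of `oc get nodes -o json` and `oc get daemonset twistlock-defender-ds -o json` (converted to the same dict shapes) to audit a real cluster for uncovered nodes.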

solalraveh commented 4 years ago

Thanks! I've made a few changes in https://github.com/twistlock/docs/pull/160 that should take care of this.