Opensearch-security POD cannot be schedule to specific nodepool

GTGabaaron · April 1, 2026, 5:57pm

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): Opensearch and Dashboard version is 3.0.0. Opensearch-controller is 2.7.0

Describe the issue: Opensearch-security POD definition does not support any option to specify a node pool (nodeSelector, nodeAffinity or taints/tolerations). In my values-files I can indicate to the manager, nodes, bootstrap and dashboard PODs the nodepool I want to deploy to, but it seems this options is not available for the opsearch-security POD.

I ran kubectl explain and cannot find it anywhere under opensearchcluster.spec.security.

Is there a way to actually do it at deployment time ?

I’ve been following the user guide for my deployment.

github.com/opensearch-project/opensearch-k8s-operator

docs/userguide/main.md

main

# Opensearch Operator User Guide

This guide is intended for users of the Opensearch Operator. If you want to contribute to the development of the Operator, please see the [Design documents](../designs/high-level.md) and the [Developer guide](../developing.md) instead.

> **API Group Migration Notice**: The operator is migrating from `opensearch.opster.io` to `opensearch.org` API group. Both are currently supported, but `opensearch.opster.io` is deprecated. Please see the [Migration Guide](./migration-guide.md) for details.

## Installation

The Operator can be easily installed using Helm:

1. Add the helm repo: `helm repo add opensearch-operator https://opensearch-project.github.io/opensearch-k8s-operator/`
2. Install the Operator: `helm install opensearch-operator opensearch-operator/opensearch-operator`

Follow the instructions in this video to install the Operator:

[![Watch the video](https://github.com/user-attachments/assets/3e8881b4-4b93-4322-86e2-f46baa01cad0)](https://pulse.support/kb/running-opensearch-on-kubernetes-video-tutorial-series)

A few notes on operator releases:

- Please see the project README for a compatibility matrix which operator release is compatible with which OpenSearch release.

This file has been truncated. show original

Configuration:

Relevant Logs or Screenshots:

Anthony · April 2, 2026, 2:53pm

@GTGabaaron You can use the following configuration:

security:
  config:
    updateJob:
      nodeSelector:
        dedicated: opensearch
      tolerations:
        - key: "dedicated"
          operator: "Equal"
          value: "opensearch"
          effect: "NoSchedule"

However this would need to be used with opensearch-operator-3.0.0 or later (or build from source), as the current image (alpha) doesnt seem to be updated to action this configuration.

Hope this helps

Topic		Replies	Views
How to specify nodeselector in opensearch stateful set OpenSearch	8	752	August 9, 2024
Opensearch nodePool Data nodes Not getting Initialized and change to Running state OpenSearch install	4	358	October 23, 2024
Support running with container-level security context in namespaces labeled as Pod Security: restricted in Opensearch operator Security	6	97	November 12, 2025
Opensearch data nodes do not connect to the masters when deploying in kind clusters OpenSearch troubleshoot	9	893	October 31, 2024
Opensearch configure using helm char OpenSearch	16	551	September 19, 2025

Opensearch-security POD cannot be schedule to specific nodepool

Related topics