diff --git a/deploy/daemonset.yaml b/deploy/daemonset.yaml
index c130c3e..dbd104d 100644
--- a/deploy/daemonset.yaml
+++ b/deploy/daemonset.yaml
@@ -41,15 +41,10 @@ spec:
       nodeSelector:
         flock.fritzlab.net/agent: ""
       tolerations:
-        - key: node-role.kubernetes.io/control-plane
-          operator: Exists
-          effect: NoSchedule
-        - key: node.kubernetes.io/not-ready
-          operator: Exists
-          effect: NoExecute
-        - key: node.kubernetes.io/unreachable
-          operator: Exists
-          effect: NoExecute
+        # CNI must schedule on a fresh node before it becomes Ready —
+        # the node has not-ready:NoSchedule until flock installs the CNI conflist.
+        # Catch-all tolerates all taints so the agent always runs.
+        - operator: Exists
       initContainers:
         - name: install-cni
           image: code.fritzlab.net/fritzlab/flock:latest
diff --git a/deploy/install.yaml b/deploy/install.yaml
index 4eb0252..40175b4 100644
--- a/deploy/install.yaml
+++ b/deploy/install.yaml
@@ -182,19 +182,10 @@ spec:
       nodeSelector:
         flock.fritzlab.net/agent: ""
       tolerations:
-        - key: fritzlab.net/cni-test
-          operator: Equal
-          value: "true"
-          effect: NoSchedule
-        - key: node-role.kubernetes.io/control-plane
-          operator: Exists
-          effect: NoSchedule
-        - key: node.kubernetes.io/not-ready
-          operator: Exists
-          effect: NoExecute
-        - key: node.kubernetes.io/unreachable
-          operator: Exists
-          effect: NoExecute
+        # CNI must schedule on a fresh node before it becomes Ready —
+        # the node has not-ready:NoSchedule until flock installs the CNI conflist.
+        # Catch-all tolerates all taints so the agent always runs.
+        - operator: Exists
       initContainers:
         - name: install-cni
           image: code.fritzlab.net/fritzlab/flock:latest