diff --git a/defaults/defaults.go b/defaults/defaults.go
index a0f3c083a1..52a407f23a 100644
--- a/defaults/defaults.go
+++ b/defaults/defaults.go
@@ -173,4 +173,12 @@ var (
 "operator.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].operator=NotIn",
 "operator.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].values[0]=true",
 }
+
+ // SpireAgentScheduleAffinity is the node affinity to prevent the SPIRE agent from being scheduled on
+ // nodes labeled with CiliumNoScheduleLabel.
+ SpireAgentScheduleAffinity = []string{
+ "authentication.mutual.spire.install.agent.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].key=" + CiliumNoScheduleLabel,
+ "authentication.mutual.spire.install.agent.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].authentication.mutual.spire.install.agent=NotIn",
+ "authentication.mutual.spire.install.agent.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].values[0]=true",
+ }
 )
diff --git a/install/helm.go b/install/helm.go
index 94e1affbb1..2b3d8bb992 100644
--- a/install/helm.go
+++ b/install/helm.go
@@ -301,6 +301,7 @@ func (k *K8sInstaller) getHelmValues() (map[string]interface{}, error) {
 if len(k.params.NodesWithoutCilium) != 0 {
 k.params.HelmOpts.StringValues = append(k.params.HelmOpts.StringValues, defaults.CiliumScheduleAffinity...)
 k.params.HelmOpts.StringValues = append(k.params.HelmOpts.StringValues, defaults.CiliumOperatorScheduleAffinity...)
+ k.params.HelmOpts.StringValues = append(k.params.HelmOpts.StringValues, defaults.SpireAgentScheduleAffinity...)
 }
 // Store all the options passed by --config into helm extraConfig
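Review bot: The new append in `getHelmValues` adds the SPIRE agent affinity whenever `NodesWithoutCilium` is non-empty, whether or not SPIRE installation is enabled, and nothing here says why that is safe. These values are appended after whatever `StringValues` already holds, so they presumably override a user-supplied `authentication.mutual.spire.install.agent.affinity` at index `[0]`; that is worth confirming. A comment above the three appends would record the intent, for example `// Keep Cilium, the operator and the SPIRE agent off nodes labeled as running without Cilium; these override user-set affinity at index 0.` The function body starts and continues outside the hunk.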