Taints and tolerations in Kubernetes

Taints and tolerations are used to set restrictions on what pods can be scheduled on a node. Taints are set on nodes, tolerations - on pods.

To taint a node:

kubectl taint nodes node-name key=value:taint-effect
kubectl taint nodes node1 app=blue:NoSchedule

the taint-effect defines what will happen to the pods if they do not tolerate the taint:

• NoSchedule - pod will not be scheduled on the node
• PreferNoSchedule - the system will try to avoid placing the pod on the node, but that is not guaranteed
• NoExecute - new pods will not be scheduled on the node, and existing pods on the node if any - will be evicted if they do not tolerate the taint

To remove a taint from a node add a - (minus) at the end of taint:

kubectl taint nodes node-name key=value:taint-effect-

Tolerations are added to pods inside spec.tolerations of the Pod definition:

spec:
  tolerations:
  - key: "app"
    operator: "Equal"
    value: "blue"
    effect: "NoSchedule"

When the Kubernetes cluster is first setup, a taint is set to Master node automatically to prevent any pod to being scheduled on this Node. This is best practice. To see this taint:

kubectl describe node master | grep Taint