DEV Community

Rahul sawra


Taints and Tolerations in Kubernetes

In this blog post, we'll learn about taints and tolerations in Kubernetes.

Taints
Taints are a property of nodes that is used to repel pods that do not tolerate the taint.
Taints can be applied to nodes just like labels.
This means that only pods that tolerate the taints will be scheduled on that node.

To apply a taint on a node:

kubectl taint nodes <node_name> key1=value1:taint_effect

This places the taint on the node. The taint has key key1, value value1, and a taint_effect.

taint_effect can take 3 different values:

  1. NoSchedule: If this effect is applied to the node, only pods that tolerate all the taints applied on the node are scheduled on this node.
  2. PreferNoSchedule: In this case, the system will try to avoid placing a pod that does not tolerate the taint on the node, but it is not required.
  3. NoExecute: In this case, new pods that do not tolerate the taint are not scheduled on the node, and existing pods on the node are also evicted if they do not tolerate all the taints.

Tolerations
Tolerations are applied to pods and allow the pods to be scheduled on nodes with matching taints.

We apply the toleration for a Pod in PodSpec.

tolerations:
    - key: "key1"
      operator: "Equal"
      value: "value1"
      effect: "NoSchedule"

By default, the value of operator is Equal.
A toleration "matches" a taint if the keys are the same and the effects are the same, and:

  • the operator is Exists (in which case no value should be specified), or
  • the operator is Equal and the values are equal.

Let us take an example.
Suppose we have two worker nodes, node01 and node02.
We apply the taints to the nodes as follows:

kubectl taint nodes node01 key1=value1:NoSchedule
kubectl taint nodes node02 key2=value2:NoExecute

We then apply a toleration to a pod as follows:

apiVersion: v1
kind: Pod
metadata:
    name: nginx-pod
spec:
    containers:
       - image: nginx
         name: nginx-container
    tolerations:
        - key: "key1"
          operator: "Equal"
          value: "value1"
          effect: "NoSchedule"

In this case, the pod will be scheduled on node01, since it tolerates that node's taint. It does not tolerate the taint on node02.
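The matching rule and the node01/node02 scenario above, worked through in Python. This is an added example, not code from the original post or from Kubernetes; the class and function names are hypothetical, and it implements only the rule as stated in this post (same key, same effect, then Exists or Equal), rejecting any other operator.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Taint:
    key: str
    value: str
    effect: str

@dataclass(frozen=True)
class Toleration:
    key: str
    effect: str
    operator: str = "Equal"  # default operator, as stated in the post
    value: str = ""

def tolerates(tol, taint):
    """Keys and effects must be the same, then Exists, or Equal with equal values."""
    if tol.key != taint.key or tol.effect != taint.effect:
        return False
    if tol.operator == "Exists":
        return True
    if tol.operator == "Equal":
        return tol.value == taint.value
    raise ValueError(f"invalid toleration operator: {tol.operator!r}")

def untolerated(taints, tolerations):
    """Taints on a node that none of the pod's tolerations match."""
    return [t for t in taints if not any(tolerates(tol, t) for tol in tolerations)]

def placement(taints, tolerations):
    """Decision for a NEW pod on a node: 'schedule', 'avoid' or 'reject'."""
    effects = {t.effect for t in untolerated(taints, tolerations)}
    if effects & {"NoSchedule", "NoExecute"}:
        return "reject"   # hard effects: the pod is not placed here
    if "PreferNoSchedule" in effects:
        return "avoid"    # soft effect: placed only if nothing better exists
    return "schedule"

# Constructed sample data mirroring the kubectl taint commands and nginx-pod above.
NODES = {
    "node01": [Taint("key1", "value1", "NoSchedule")],
    "node02": [Taint("key2", "value2", "NoExecute")],
}
POD_TOLERATIONS = [Toleration(key="key1", value="value1", effect="NoSchedule")]

def schedulable_nodes(nodes, tolerations):
    """Names of nodes on which every taint is tolerated."""
    return sorted(n for n, ts in nodes.items() if placement(ts, tolerations) == "schedule")

if __name__ == "__main__":
    print(schedulable_nodes(NODES, POD_TOLERATIONS))
    print(schedulable_nodes(NODES, []))  # a pod with no tolerations
```

A pod with no tolerations fits neither node here, which is the repelling behaviour that taints provide.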

Ever wondered why pods are not scheduled on master (control plane) nodes?
Because the master node has the taint node-role.kubernetes.io/master=true:NoSchedule,
which prevents pods from being scheduled there unless the master node is untainted.
Using taints and tolerations, we can create nodes that are reserved (dedicated) for specific pods.

Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
