Scheduling Pods 1: Taint and Tolerance

 Node in the Kubernetes cluster are schedule the pods as per the Node level Taints will control the Pod creation on the Node. 

We can update the taints on one or more nodes with single command. The following are instructions from the kubectl label --help

• A taint consists of a key, value, and effect. As an argument here, it is expressed as key=value:effect. 
• The key must begin with a letter or number, and may contain letters, numbers, hyphens, dots, and underscores, up to 253 characters. 
• Optionally, the key can begin with a DNS subdomain prefix and a single '/', like example.com/my-app. 
• The value is optional. If given, it must begin with a letter or number, and may contain letters, numbers, hyphens, dots, and underscores, up to 63 characters.  
• The effect must be NoSchedule, PreferNoSchedule or NoExecute. 
• Currently taint can only apply to node.

How does Taint - Tolerance works in Kubernetes?

• Taints allow a node to repel a set of pods.
• Tolerations are applied to pods, and allow the pods to schedule onto nodes with matching taints.
• Taints and tolerations work together to ensure that pods are not scheduled onto inappropriate nodes.
• One or more taints are applied to a node; this marks that the node should not accept any pods that do not tolerate the taints.
• 
  

How do you know how many worker nodes participating in the Kubernetes cluster?

kubectl get no

This list may includes the controlplane as well. 

How to check do any taints exist on a particular node say node01?

kubectl describe nodes/node01 |grep -i taint

Creating a taint on node01 with key of 'spray', value of 'mortein'and effect of NoSchedule.

kubectl taint nodes node01 spray=mortein:NoSchedule
# Verify the above
kubectl describe nodes/node01 |grep -i taint

Let's create a new pod with the nginx image and pod name as mosquito.

kubectl run mosquito --image=nginx
kubectl get po -w

Observe that pod name  mosquito status is in "Pending" continuously when pod trying to get inside, unable to enter into the node01 due to its spray taint. Here you can taint with any name that will stop pod to schedule it on a particular node.

What is the reason Pod is in pending state?

The main reason here is Pod mosquito connot tolerate taint 'Mortein' spray.

Let's create another pod named 'bamblebee' with the nginx image, which has a toleration set to the taint 'mortein'.

apiVersion: v1
kind: Pod
metadata:
  name: bamblebee
spec:
  containers:
  - image: nginx
    name: bee
  tolerations:
  - key: spray
    value: mortein
    effect: NoSchedule
    operator: Equal
  

Create with

kubectl apply -f toleration.yaml
kubectl get po -w

Noticed that the bee pod was scheduled on node node01 despite the taint. 

How do you check the ControlPlane is having any taints on it? 

It is simple, You can run the describe sub-command on the node/controlPlane

kubectl describe node controlplane

deafult following taint was used Taints: node-role.kubernetes.io/master:NoSchedule 

Remove from node 'controlplane' the taint with key 'node-role.kubernetes.io/master' and effect 'NoSchedule' if one of these key-value pair exists we can control the scheduling the pods.

kubectl taint nodes controlplane node-role.kubernetes.io/master:NoSchedule-

Most of the Pods in the real-time will be created under 'deployment' to have replication controllers the pods creation on the nodes. So most of the toleration declared in a section will be helpful.

Best practice is to take a back up of the original $HOME/.kube/config file then go for the overwrite the