harsh's blog
Taints and Tolerations in Kubernetes: Control Pod Scheduling Like a Pro

Taints and Tolerations in Kubernetes: Control Pod Scheduling Like a Pro

HARSH VARDHAN SINGH's photo
HARSH VARDHAN SINGH
·

7 min read

Table of contents

Imagine a school classroom where the teacher is giving an important test. The teacher puts up a sign that says, "No talking allowed"—this is a "taint." Most students will follow the rules and stay quiet, avoiding the "no talking" area. However, one student has permission from the teacher to ask questions during the test—this student has a "toleration." They can talk, even though the rule says no one else can.

In Kubernetes:

  • The "taint" is like the "no talking" rule, which stops most students (or pods) from entering.

  • The "toleration" is like special permission, allowing a specific student (or pod) to be in the room (or node) despite the rule.

This helps the teacher (or Kubernetes administrator) manage who can be in certain spaces during special situations.

In this blog, we’ll explore taints and tolerations in Kubernetes in depth. We'll break it down step by step, provide real-world scenarios, explain how to apply and remove taints, and dive into various related concepts such as the effects of taints, tolerations, and how they influence pod scheduling.

Taints: The Repellent for Pods

A taint on a node works like a repellent for pods, controlling the scheduling process. Taints allow nodes to repel specific pods, based on conditions you specify. You can think of this as giving the node a label that says, “Pods with X characteristics are not allowed here.”

Taints consist of:

  • Key: A string that identifies what the taint is about (e.g., node-type or resource-limited).

  • Value: A value that further refines the key (e.g., database, gpu).

  • Effect: Defines what happens if the taint applies to a pod. There are three possible effects:

    1. NoSchedule: The pod will not be scheduled on the node.

    2. PreferNoSchedule: The pod will try to avoid the node but may be scheduled if necessary.

    3. NoExecute: The pod is immediately evicted if it is already running on the node and cannot be scheduled there in the future.

Let’s apply a taint to a node:

kubectl taint nodes node1 key1=value1:NoSchedule

This command adds a taint to node1 that prevents any pod without a matching toleration from being scheduled there.

Example Scenario: Resource-Constrained Nodes

Imagine you have a node that is running GPU workloads. You want only GPU-intensive pods to be scheduled on this node because others could overwhelm its resources. By adding a taint to the node, you can prevent non-GPU pods from being scheduled there.

kubectl taint nodes gpu-node type=gpu:NoSchedule

Now, any pod that doesn't have a matching toleration for the type=gpu taint will not be scheduled on gpu-node.

Tolerations: The Key to Unlock Tainted Nodes

While taints act as a repellent for pods, tolerations are the key that allows certain pods to bypass this repellent. A toleration allows a pod to be scheduled on a node despite the presence of a matching taint.

Here’s how you define a toleration in a pod manifest:

apiVersion: v1
kind: Pod
metadata:
  name: gpu-pod
spec:
  tolerations:
  - key: "type"
    operator: "Equal"
    value: "gpu"
    effect: "NoSchedule"
  containers:
  - name: gpu-container
    image: gpu-intensive-app

In this example:

  • The key is type, the same key used in the taint.

  • The value is gpu, matching the node taint.

  • The operator is Equal, meaning the pod will tolerate the taint if the key/value pair matches exactly.

  • The effect is NoSchedule, meaning the pod can be scheduled on a node with this taint.

Toleration Operators: Fine-Tuning the Match

Tolerations can have operators that allow for more flexibility when matching taints:

  • Equal: The toleration applies only if the key and value match exactly.

  • Exists: The toleration applies if the key exists, regardless of the value.

tolerations:
- key: "type"
  operator: "Exists"
  effect: "NoSchedule"

In this case, any pod with this toleration will be scheduled on nodes with a taint that has the key type, no matter the value of the taint.

Effects of Taints

Taints have three possible effects, each of which controls pod behavior in a specific way.

  1. NoSchedule:

    • Behavior: Pods without the appropriate toleration will not be scheduled on the node.

    • When applied: If a node has a NoSchedule taint, any new pod without a toleration for that taint cannot be placed on the node.

    • Effect on existing pods: If there are already pods on the node before the NoSchedule taint was applied, they will not be evicted or removed. They will continue running.

  2. PreferNoSchedule:

    • Behavior: The scheduler will try to avoid placing pods on nodes with this taint, but it’s not a hard rule. Pods can still be scheduled on these nodes if no other suitable node is available.

    • When applied: If a node has a PreferNoSchedule taint, Kubernetes will make an effort to schedule pods on other nodes without the taint, but it will still allow pods to be placed on the tainted node if necessary.

    • Effect on existing pods: Like NoSchedule, it does not evict existing pods already running on the node.

  3. NoExecute:

    • Behavior: Pods without the appropriate toleration will be evicted from the node immediately.

    • When applied: If a node has a NoExecute taint, any pod already running without a toleration for that taint will be removed from the node.

    • Effect on new pods: New pods without the toleration will not be scheduled, similar to NoSchedule.

kubectl taint nodes node1 key1=value1:NoExecute

This command would immediately evict any pods without a matching toleration.

Untainting Nodes

To remove a taint from a node, you simply need to specify the taint you want to remove. Use the following command:

kubectl taint nodes node1 key1=value1:NoSchedule-

The - at the end of the command tells Kubernetes to remove the taint from the node.

Real-World Scenarios for Taints and Tolerations

Scenario 1: Dedicated Database Nodes

In a production environment, you might have nodes dedicated solely to database workloads (e.g., MongoDB, PostgreSQL). You don’t want web or batch processing pods to be scheduled on these nodes, as they could interfere with the performance of the database.

You could add a taint to those nodes:

kubectl taint nodes db-node workload=database:NoSchedule

And add a toleration in the pod specs of your database pods:

tolerations:
- key: "workload"
  operator: "Equal"
  value: "database"
  effect: "NoSchedule"

Now, only database pods with the correct toleration will be scheduled on db-node.

Scenario 2: High-Priority Production Nodes

In another scenario, you might have a set of nodes with higher CPU and memory resources that you want to reserve for critical, high-priority workloads. For all other pods, you prefer these nodes not be used unless necessary. In this case, you can use the PreferNoSchedule effect.

kubectl taint nodes prod-node priority=high:PreferNoSchedule

Now, Kubernetes will try to avoid scheduling non-critical pods on these high-priority nodes, but if no other nodes are available, it will still schedule them.

Taints and Tolerations: Ensuring Proper Pod Placement

Taints and tolerations are used to prevent pods from being scheduled on certain nodes, but they do not explicitly tell Kubernetes where pods should be scheduled. To control where pods should be scheduled, Kubernetes uses mechanisms like node selectors or node affinity rules.

However, taints and tolerations help ensure that certain nodes only accept specific types of pods. They provide a flexible way to control pod placement and maintain cluster performance, resource allocation, and stability.

By using taints and tolerations effectively, you can ensure:

  • Resource-heavy pods like databases or GPU-based workloads are scheduled on the right nodes.

  • High-priority workloads have the resources they need, without interference from lower-priority workloads.

  • Nodes are protected from running workloads they aren't suited for, improving the overall efficiency of your Kubernetes cluster.

Conclusion

Taints and tolerations in Kubernetes are powerful mechanisms for controlling pod scheduling across your cluster. They allow you to define which pods should or should not run on specific nodes, ensuring the right workloads are scheduled on the right resources.

  • Taints act as repellents, preventing pods from being scheduled on nodes.

  • Tolerations are the keys that allow pods to bypass taints and be scheduled on tainted nodes.

  • The three taint effects—NoSchedule, PreferNoSchedule, and NoExecute—offer flexible ways to control pod behavior.

By mastering these tools, you can optimize resource allocation, protect sensitive workloads, and ensure that your Kubernetes cluster runs smoothly and efficiently.

KubernetesDevopssoftware developmentgolangCloud ComputingCloud