Skip to main content
HashnodeDevOps Journey with M Hassan

Command Palette

Search for a command to run...

11: Mastering Kubernetes Taints, Tolerations, and DaemonSets

Updated
3 min read
11: Mastering Kubernetes Taints, Tolerations, and DaemonSets
M
Muhammad Hassan

Kubernetes provides advanced mechanisms for managing and scheduling pods efficiently. This blog explores taints and tolerations for fine-grained control over pod placement and DaemonSets for ensuring specific workloads are deployed consistently across all nodes.

Understanding Taints and Tolerations

Kubernetes traditionally allowed pods to use node selectors or node affinity to target specific nodes. However, nodes could not directly refuse pods that didn’t meet criteria. To address this, Kubernetes introduced taints and tolerations.

What Are Taints and Tolerations?

  • Taints: A "bad smell" or label added to nodes, indicating certain restrictions or special conditions.

  • Tolerations: A pod's ability to "bear the smell," allowing it to run on tainted nodes.

This mechanism ensures precise control over where pods can and cannot run.

Applying Taints

Taints are applied to nodes using the kubectl taint command. The syntax is:

kubectl taint nodes <node-name> <key>=<value>:<effect>

Effects of Taints

  1. NoSchedule: Prevents new pods from being scheduled on the node unless they have the required toleration.
    Example:

     kubectl taint nodes worker2 dedicated=critical:NoSchedule

  2. NoExecute:

    • Prevents new pods without the toleration from being scheduled.

    • Evicts existing pods without the required toleration.
      Example:

    kubectl taint nodes worker2 dedicated=critical:NoExecute

  1. Removing Taints:
    To remove a taint, use a - at the end of the taint definition.
    Example:

     kubectl taint nodes worker2 dedicated:NoExecute-

Adding Tolerations to Pods

To allow pods to run on tainted nodes, you define tolerations in the pod's manifest file. Here's an example:

apiVersion: v1
kind: Pod
metadata:
  name: toleration-example
spec:
  tolerations:
    - key: "dedicated"
      operator: "Equal"
      value: "critical"
      effect: "NoSchedule"
  containers:
  - name: nginx
    image: nginx

This pod tolerates the dedicated=critical:NoSchedule taint and can be scheduled on the tainted node.

Best Practices for Taints and Tolerations

  1. Environment Isolation: Assign workloads like dev, QA, and staging to specific nodes using taints and tolerations.

  2. Resource Optimization: Reserve critical resources or hardware for specific workloads.

  3. Controlled Deployment: Combine taints and tolerations with node selectors or node affinity for granular control over workload placement.

Example: Assigning QA workloads to specific nodes:

  • Taint the node:

      kubectl taint nodes worker2 environment=qa:NoSchedule

  • Pod toleration and node selector:

      yamlCopy codeapiVersion: v1
  kind: Pod
  metadata:
    name: qa-pod
  spec:
    nodeSelector:
      environment: qa
    tolerations:
      - key: "environment"
        operator: "Equal"
        value: "qa"
        effect: "NoSchedule"
    containers:
    - name: busybox
      image: busybox

DaemonSets in Kubernetes

A DaemonSet ensures that a specific pod runs on every node (or a subset of nodes) in a cluster. It is particularly useful for deploying agents or tools like:

  • Log collectors

  • Monitoring agents

  • Backup tools

DaemonSet Example

Here’s a basic example of a DaemonSet for deploying a monitoring agent:

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: monitoring-agent
  namespace: monitoring
spec:
  selector:
    matchLabels:
      app: monitoring-agent
  template:
    metadata:
      labels:
        app: monitoring-agent
    spec:
      containers:
      - name: agent
        image: monitoring-agent:latest

Best Practices for DaemonSets

  1. Namespace Isolation: Always run DaemonSets in a dedicated namespace for clarity and control.

  2. Critical Workloads Only: Use DaemonSets for essential cluster-wide functions.

  3. Resource Requests and Limits: Define resource constraints to avoid overloading nodes.

Combining Taints, Tolerations, and DaemonSets

To deploy a DaemonSet only on specific nodes, combine taints and tolerations:

  1. Add a taint to the target nodes:

     kubectl taint nodes worker3 monitoring=enabled:NoSchedule

  2. Define a DaemonSet with the corresponding toleration:

     apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   name: monitoring-agent
   namespace: monitoring
 spec:
   selector:
     matchLabels:
       app: monitoring-agent
   template:
     metadata:
       labels:
         app: monitoring-agent
     spec:
       tolerations:
       - key: "monitoring"
         operator: "Equal"
         value: "enabled"
         effect: "NoSchedule"
       containers:
       - name: agent
         image: monitoring-agent:latest

Conclusion

By leveraging taints and tolerations, you gain precise control over pod scheduling and node usage, ensuring workload isolation and resource efficiency. Meanwhile, DaemonSets allow you to deploy cluster-wide agents for logging, monitoring, and other critical tasks. Combining these features creates a robust, flexible, and scalable Kubernetes setup.

#kubernetes

More from this blog

DevOps Journey with M Hassan

174 posts

I am writing these blogs because I recently completed a comprehensive DevOps course where I gained in-depth knowledge of the topics mentioned. As I progressed through the course, I realized the importance of having a concise and accessible resource to revise and reinforce my understanding of each topic. Therefore, I decided to create cheat sheets in the form of blog posts. These cheat sheets will not only serve as a handy reference for myself but also benefit others who are also interested in mastering DevOps concepts. By documenting each topic and providing concise explanations, I aim to create a valuable resource that simplifies complex concepts and facilitates hands-on practice. This way, I can solidify my own understanding while helping others on their DevOps journey.