kubernetes taint on master allows pods

Question

The kubernetes master have the taint which will not schedlue the normal workloads on the master. But it schedules the pods on the master though it has the taint applied as noschedule.

How is this possible, is the k8s environment behaving differently or my understanding wrong. I expect, the master should allow the pods to be scheduled only after removing the taint on the master.

apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  -  image: nginx
     name: nginx
  nodeName: master

Snapshot of what I see in the lab environment.

If you read the description of [tag:kubernetes] by either hovering your mouse over the tag or going to its tag wiki (click the tag and then *Learn about* on the following page), it specifically says that questions asked here need to be about coding, and not about configuration. Those questions should be asked on [sf] instead. — Ken White, May 15 '20 at 00:46
@KenWhite A big +1 for learning me what is actual usage difference of SO and other Stack Exchange websites. — Ali Tou, May 15 '20 at 00:54
I myself ask where to post questions and all code goes to SO and OS and environment specific questions goes to Server fault and finally landed here. If possible, I will try to move the question. — intechops6, May 15 '20 at 00:57
@arunp When you explicitly provide `nodeName`, the other scheduling considerations (taints and tolerations, etc) are ignored. Check this section of docs: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodename — Ali Tou, May 15 '20 at 01:00
@Ali Tou - If it is non-empty, the scheduler ignores the pod and the kubelet running on the named node tries to run the pod. if nodeName is provided in the PodSpec, it takes precedence over the above methods for node selection.If node name is non empty,kubelet starts the pod but it doesn't say, taint will not be considered or ignored. Only the scheduler will not take decision and kubelet on the node takes precedence. Even though kubelet runs the pod, if there is no taint it can run the pod on master otherwise it should not be in running state or kubelet should fail the pod bcoz taint is there. — intechops6, May 15 '20 at 01:08
Kubelet doesn't do anything about failing the pod because of taints. Taints are only used during Pod scheduling, and using `nodeName` actually short circuits the process of scheduling and directly assigns the Pod to that node. Kubelet is only in charge of getting a pod from scheduler and run its containers. — Ali Tou, May 15 '20 at 01:15
@Ali Tou - make sense now. This explanation deserves upvote thanks. — intechops6, May 15 '20 at 01:18
I moved my descriptions to an answer, as your question seems to be also interesting to other people. — Ali Tou, May 15 '20 at 01:38
@arunp: You're welcome. Now that you know. you should delete your post here and ask it on the proper site instead. It's off-topic here, and should not be asked here. [sf] is the proper site for this question. General cmputer and OS questions go to [su], server related questions go to [sf], and programming questions belong here. You can find a list of all of the [se] sites by looking at the Community section in the footer of this page. — Ken White, May 15 '20 at 02:10
(continued): The easiest way to move it yourself is to [edit] the question, select all the text, copy it to the clipboard, and then cancel the edit. Delete the post using the link below the tags, and then go to the other site and click *Ask Question*. Paste the clipboard contents into the body of the question, add a title and tags, and you're done. All sites use the same Markup formatting, so everything will transfer from here to there properly. — Ken White, May 15 '20 at 02:14
@KenWhite Just for curiosity, don't you agree the fact that SO is the most popular in the Stack Exchange websites, causes if someone needs a fast help, she will check-in and ask here first? People doesn't normally think about how a community should work, when they're in trouble. — Ali Tou, May 15 '20 at 10:28
@AliTou: Yes, it's the most popular for **programming related quesions**. The other sites exist for a reason, which is to give you a place to ask questions that are **not** programming related. Using the proper site keeps the noise and clutter down, and helps keep this working for the purpose it exists. It doesn't matter if SO is *most popular* or not; you **still** cannot ask off-topic questions here. Period. No exceptions. And as you can see above, this question has been closed for that exact reason; the question is not suitable for this site because it **does not meet the SSO guidelines**. — Ken White, May 15 '20 at 12:05

score 1 · Accepted Answer · answered May 15 '20 at 01:38

While taints are meant to be a way for a Node to repel some Pods, when you explicitly provide nodeName in PodSpec, it takes precedence over the other methods for node selection (taints and tolerations, etc.) and Kubernetes scheduler actually short circuits the process of scheduling by directly assigning the Pod to that node.

However, as docs mentions, after assigning a Pod to a Node, it may fail to run because of resource limitations. But the scheduling job is done.

kubernetes taint on master allows pods

1 Answers1