π§ Kubernetes Scheduling Control: Taints, Tolerations, Node Selectors, and Node Affinity¶
A complete intellectual journey from why to how, exploring how Kubernetes gives you control over where Pods run, using taints, tolerations, selectors, and affinities.
𧩠PROBLEM STATEMENT #1 β Unwanted Pods Are Scheduled on Certain Nodes¶
Imagine you have a special node meant only for specific workloads β high CPU, sensitive data, or GPU jobs. But Kubernetes, by default, sees every node as equal and might schedule general-purpose Pods there too.
π§ SOLUTION β Taint the Node & Add Tolerate in Pod¶
A taint repels all Pods unless those Pods have a matching toleration.
Taint = Applied to the node (it repels Pods)
Toleration = Applied to the Pod (it tolerates the taint)
π§ͺ Real-Life Analogy¶
A tainted node is like a VIP lounge β only those with a matching wristband (toleration) can enter. Others are not allowed in.
π¨ Imperative Command¶
kubectl taint node ibtisam-worker flower=rose:NoSchedule
kubectl describe node ibtisam-worker | grep -i taint -A 5
kubectl taint node ibtisam-worker flower=rose:NoSchedule-
The
-at the end removes the taint.
π± Example Manifest (Tolerating a Taint)¶
apiVersion: v1
kind: Pod
metadata:
name: tol-po
spec:
containers:
- name: abcd
image: busybox
command: ["sleep", "3600"]
tolerations:
- key: "flower"
operator: "Equal"
value: "rose"
effect: "NoSchedule"
π― Effects of Taint¶
| Effect | Behavior |
|---|---|
NoSchedule | Pod will not schedule on the node unless it has a toleration. |
PreferNoSchedule | Scheduler will avoid placing Pod here, but it's not guaranteed. |
NoExecute | Pod will be evicted if it doesn't tolerate the taint. |
β οΈ PROBLEM #2 β Even Tolerated Pods May Go to the Wrong Node¶
Even after a Pod tolerates a taint, Kubernetes might still schedule it on any other untainted node.
You want a Pod to go to a specific node β but toleration alone doesn't guarantee where it goes, just that it can go.
π§ SOLUTION β Add a Node Label & Use nodeName, nodeSelector or affinity¶
kubectl label node ibtisam-worker cpu=large
kubectl label node ibtisam-worker cpu- # remove the label
Example: Node Name¶
apiVersion: v1
kind: Pod
metadata:
name: nginx
spec:
containers:
- name: nginx
image: nginx
nodeName: kube-01
The above Pod will only run on the node kube-01.
π± Example: Node Selector¶
apiVersion: v1
kind: Pod
metadata:
name: nodeselector-po
spec:
containers:
- name: abcd
image: busybox
command: ["sleep", "3600"]
nodeSelector:
cpu: large
β οΈ Limitation of Node Selector¶
- Only supports
=operator - No fallback or flexible logic
- Can only match one label
This is where Node Affinity enters the picture
π Node Affinity β Flexible and Declarative¶
nodeAffinitygives you expressive control over scheduling using multiple operators and terms.
𧩠Syntax Inside Pod Spec¶
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution: # Hard rule
preferredDuringSchedulingIgnoredDuringExecution: # Soft rule
π§ͺ Real-Life Analogy¶
Itβs like saying: "I require a hotel with Wi-Fi (hard rule), but prefer one with a pool too (soft rule)."
π Node Affinity Types Explained¶
1. requiredDuringSchedulingIgnoredDuringExecution (Hard)¶
Pod must be scheduled on a matching node or stay pending.
apiVersion: v1
kind: Pod
metadata:
name: ha-po
spec:
containers:
- name: abcd
image: busybox
command: ["sleep", "3600"]
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: disktype
operator: In
values:
- ssd
- hdd
2. preferredDuringSchedulingIgnoredDuringExecution (Soft)¶
Kubernetes will try to match, but falls back if needed.
apiVersion: v1
kind: Pod
metadata:
name: sa-po
spec:
containers:
- name: abcd
image: busybox
command: ["sleep", "3600"]
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
- key: disktype
operator: In
values:
- ssd
- hdd
3. requiredDuringSchedulingRequiredDuringExecution¶
(Proposed feature) Enforces node match even after scheduling.
βοΈ Operators in Node Affinity¶
| Operator | Description |
|---|---|
In | Node must have label value in list |
NotIn | Node must not have label value in list |
Exists | Node must have the label, any value |
DoesNotExist | Node must not have the label at all |
Gt | Label value must be greater than the given number (lexical comparison) |
Lt | Label value must be less than the given number (lexical comparison) |
π Combined Example β Toleration + Node Affinity¶
apiVersion: v1
kind: Pod
metadata:
name: tol-ha-po
spec:
containers:
- name: abcd
image: busybox
command: ["sleep", "3600"]
tolerations:
- key: "flower"
operator: "Equal"
value: "rose"
effect: "NoSchedule"
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: disktype
operator: In
values:
- ssd
- hdd
By-default Taint on Control Plane Nodes¶
Taints: node-role.kubernetes.io/control-plane:NoSchedule
kubectl get nodes --show-labels
NAME STATUS ROLES AGE VERSION LABELS
controlplane Ready control-plane 10m v1.32.0 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=controlplane,kubernetes.io/os=linux,node-role.kubernetes.io/control-plane=,node.kubernetes.io/exclude-from-external-load-balancers=
node01 Ready <none> 10m v1.32.0 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=node01,kubernetes.io/os=linux
¶
Taints: node-role.kubernetes.io/control-plane:NoSchedule
kubectl get nodes --show-labels
NAME STATUS ROLES AGE VERSION LABELS
controlplane Ready control-plane 10m v1.32.0 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=controlplane,kubernetes.io/os=linux,node-role.kubernetes.io/control-plane=,node.kubernetes.io/exclude-from-external-load-balancers=
node01 Ready <none> 10m v1.32.0 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=node01,kubernetes.io/os=linux
π Final Thoughts β When to Use What?¶
| Use Case | Use This Feature |
|---|---|
| Block pods from nodes unless explicitly allowed | Taints + Tolerations |
| Ensure pods go to nodes with specific labels | Node Affinity or Node Selector |
| Simple matching on single label | Node Selector |
| Advanced label logic | Node Affinity |
| Prevent running pods from staying on node | NoExecute effect in Taint |
𧡠Conclusion: How Everything Connects¶
| Concept | Applied On | Enforces | Purpose |
|---|---|---|---|
| Taint | Node | Repulsion | Prevent unwanted pods |
| Toleration | Pod | Toleration | Allow pod to ignore a taint |
| nodeSelector | Pod | Constraint | Target specific node label |
| Node Affinity | Pod | Constraint | Advanced matching with rules |
Together, taints + tolerations repel and allow selectively, while labels + nodeSelector/affinity attract and guide where pods land.
β Use taints when you want to protect a node from unwanted workloads. β Use tolerations when you want specific pods to enter protected nodes. β Use nodeSelector/affinity when you want specific pods to land on specific nodes.
That's how you gain full control over pod placement in your cluster β like an air traffic controller for your workloads. βοΈ
Want to learn more? π€¶
Please click here for understanding this topic in more depth.