kubernetes: Kubelet doesn't check taints

What happened:

The GeneralPredicates method doesn’t check taints and tolerations.

https://github.com/kubernetes/kubernetes/blob/5ae856c36f2ea338a6f26301e368ef8331ef2e73/pkg/kubelet/lifecycle/predicate.go#L224

This is problematic in 2 scenarios:

  • If the users bypass scheduler by setting a value in .spec.nodeName
  • If the node restarts. The node would try to restart scheduled pods once it comes back up, even if it’s not ready (has a not-ready taint).

What you expected to happen:

Kubelet to check taints and tolerations.

How to reproduce it (as minimally and precisely as possible):

  1. Set a taint in a node.
  2. Create a Pod with .spec.nodeName set to the Node above, without a matching toleration.

/sig node /sig scheduling

About this issue

  • Original URL
  • State: closed
  • Created 3 years ago
  • Reactions: 2
  • Comments: 15 (12 by maintainers)

Most upvoted comments

/remove-lifecycle stale

PR in review: https://github.com/kubernetes/kubernetes/pull/101218

+1
neolit123 on Jul 28, 2021

Please add me as reviewer

+1
alculquicondor on Mar 23, 2021
Read more comments on GitHub
← kubernetes: kubelet doesn't clean up the termination-log file on the host
kubernetes: kubelet doesn't merge multiple 'options' lines from node /etc/resolv.conf →