kubernetes: NoExecute taints should not evict static pods

From @gmarek in https://github.com/kubernetes/kubernetes/issues/42685#issuecomment-284987556: “When node is tainted TaintController tries to kill kube-proxy over and over again (and it fails, as this is a manifest Pod): […] I guess kubelet is just ignoring the request (or sth). Correct solution is to give kube-proxy infinite toleration for NoExecute taints.”

(This would involve changing the manifest for every static pod to add tolerations for taints node.alpha.kubernetes.io/unreachable and node.alpha.kubernetes.io/notReady)

I guess the alternative is to have the taint manager somehow detect that something is a static pod, and not bother to evict it.

cc/ @bowei @freehan @kubernetes/sig-node-feature-requests

About this issue

  • State: closed
  • Created 7 years ago
  • Comments: 20 (20 by maintainers)

Most upvoted comments

One of the primary motivations of taints and tolerations is to make special rules directly visible. So I am not in favor of just having TaintController silently skip taints on static pods. Taints should only be ignored when there is a corresponding toleration.

@dchen1107 I wasn’t completely clear on your suggestion “Another way to achieve this is applying this default annotation to the file-based pods right after this line at Kubelet.” Did you mean “apply this toleration”?

@smarterclayton I assume you meant “I actually liked the idea of the kubelet setting tolerations on static pods”

Anyway, having Kubelet add the toleration when it creates the pod seems like the best approach IMO.
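
The approach favored in the comment above, adding the toleration when the static pod is created, sketched as an added Go example (not Kubernetes source code and not from the thread). `Taint` and `Toleration` are simplified stand-ins for the API types, `withStaticPodTolerations` is a hypothetical helper name, and the input in `main` is constructed.

```go
package main

import "fmt"

// Simplified stand-ins for the Kubernetes API types (assumption: only fields used here).
type Taint struct{ Key, Value, Effect string }
type Toleration struct {
	Key, Operator, Value, Effect string
	TolerationSeconds            *int64 // nil means tolerate forever
}

// The two taint keys named in the issue.
var nodeConditionTaints = []string{"node.alpha.kubernetes.io/unreachable", "node.alpha.kubernetes.io/notReady"}

// tolerates follows the API matching rule: empty Key or Effect is a wildcard, "Exists" ignores Value.
func tolerates(tol Toleration, t Taint) bool {
	if (tol.Effect != "" && tol.Effect != t.Effect) || (tol.Key != "" && tol.Key != t.Key) {
		return false
	}
	return tol.Operator == "Exists" || ((tol.Operator == "" || tol.Operator == "Equal") && tol.Value == t.Value)
}

// toleratesForever reports whether some toleration matches the taint with no time limit.
func toleratesForever(tols []Toleration, t Taint) bool {
	for _, tol := range tols {
		if tol.TolerationSeconds == nil && tolerates(tol, t) {
			return true
		}
	}
	return false
}

// withStaticPodTolerations (hypothetical helper) adds an unbounded NoExecute toleration per key, unless present.
func withStaticPodTolerations(tols []Toleration) []Toleration {
	out := append([]Toleration(nil), tols...) // copy so the caller's slice is untouched
	for _, key := range nodeConditionTaints {
		if !toleratesForever(out, Taint{Key: key, Effect: "NoExecute"}) {
			out = append(out, Toleration{Key: key, Operator: "Exists", Effect: "NoExecute"})
		}
	}
	return out
}

func main() {
	secs := int64(300) // constructed input: notReady tolerated for only 300 seconds
	in := []Toleration{{Key: nodeConditionTaints[1], Operator: "Exists", Effect: "NoExecute", TolerationSeconds: &secs}}
	for _, tol := range withStaticPodTolerations(in) {
		fmt.Println(tol.Key, tol.Effect, "forever:", tol.TolerationSeconds == nil)
	}
}
```

A time-limited toleration does not count as coverage here, so a manifest that tolerates `notReady` for 300 seconds still receives the unbounded one, and the added tolerations stay visible on the pod rather than being an implicit exception in the taint manager.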