Limited Time Offer!

For Less Than the Cost of a Starbucks Coffee, Access All DevOpsSchool Videos on YouTube Unlimitedly.
Master DevOps, SRE, DevSecOps Skills!

Enroll Now

Update the taints on one or more nodes in Kubernetes

What is meaning of taint?

a trace of a bad or undesirable substance or quality.

What is tainted?

spoiled; damaged in quality, taste, or value:

Follwing are workload which run in a cluster’s node….

  • DaemonSet
  • Deployment
  • Pod
  • ReplicaSet
  • ReplicationController
  • StatefulSet

When you submit a workload, The scheduler determines where to place the Pods associated with the workload. The scheduler is free to place a Pod on any node that satisfies the Pod’s CPU, memory, and custom resource requirements.

If your cluster runs a variety of workloads, you might want to exercise some control over which workloads can run on a particular pool of nodes.

A node taint lets you mark a node so that the scheduler avoids or prevents using it for certain Pods. A complementary feature, tolerations, lets you designate Pods that can be used on “tainted” nodes.

A taint consists of a key, value, and effect. As an argument here, it is expressed as key=value:effect.

The key must begin with a letter or number, and may contain letters, numbers, hyphens, dots, and underscores, up to 253 characters. The value is optional. If given, it must begin with a letter or number, and may contain letters, numbers, hyphens, dots, and underscores, up to 63 characters.

The effect must be NoSchedule, PreferNoSchedule or NoExecute. Currently taint can only apply to node. Here are the available effects:

  • NoSchedule: Pods that do not tolerate this taint are not scheduled on the node.
  • PreferNoSchedule: Kubernetes avoids scheduling Pods that do not tolerate this taint onto the node.
  • NoExecute: Pod is evicted from the node if it is already running on the node, and is not scheduled onto the node if it is not yet running on the node.

Adding / Inspecting / Removing a taint to an existing node using NoSchedule


# Update node 'node1' with a taint with key 'dedicated' and value 'special-user' and effect 'NoSchedule'.
# Adding a taint to an existing node using NoSchedule
$ kubectl taint nodes node1 dedicated=special-user:NoSchedule

Inspecting a node’s taints


$ kubectl describe nodes node1 | grep -i taint
$ kubectl run nginx --image=nginx --replicas=8
$ kubectl get pod -o wide

Removing a taint from a node. Remove from node ‘node1’ the taint with key ‘dedicated’ and effect ‘NoSchedule’ if one exists.


$ kubectl taint nodes node1 dedicated:NoSchedule-
$ kubectl taint nodes ip-172-31-24-84.ap-south-1.compute.internal node-role.kubernetes.io/master:NoSchedule-

Adding / Inspecting / Removing a taint to an existing node using PreferNoSchedule


Add a taint with key 'dedicated' on nodes having label mylabel=X
$ kubectl taint node -l myLabel=X  dedicated=foo:PreferNoSchedule
$ kubectl taint node node1 dedicated=foo:PreferNoSchedule

Inspecting a node's taints
$ kubectl describe nodes node1 | grep -i taint
$ kubectl run nginx --image=nginx --replicas=8
$ kubectl get pod -o wide

Removing a taint from a node
$ kubectl taint nodes node1 dedicated:PreferNoSchedule-

Adding / Inspecting / Removing a taint to an existing node using NoExecute


$ kubectl taint nodes node2 node2=DoNotSchedulePods:NoExecute

Inspecting a node's taints
$ kubectl describe nodes node2 | grep Taint
# Because of that, all the pods on node2 are terminated and created on node3.
$ kubectl run nginx --image=nginx --replicas=8
$ kubectl get pod -o wide

Removing a taint from a node
$ kubectl taint nodes node2 node2:NoExecute-
$ kubectl describe nodes node2 | grep Taint

# Add to node 'foo' a taint with key 'bar' and no value
$ kubectl taint nodes foo bar:NoSchedule

Let’s verify the status of Taints on Master Node.
$ kubectl describe nodes node1 | grep Taints
Taints:             node-role.kubernetes.io/master:NoSchedule

Untaint the node and verify as below:


$ kubectl taint nodes --all node-role.kubernetes.io/master-
$ kubectl describe nodes node1 | grep -i taint

Run Test deployment in Untaint Node
$ kubectl run testsvr --image=nginx --replicas=7
$ kubectl get pods -o wide | grep testsvr

Untaint the setting on node2


$ kubectl taint nodes node3 node3=DoNotSchedulePods:NoSchedule
$ kubectl describe nodes node3 | grep Taint
$ kubectl run nginx --image=nginx --replicas=8

By default, kubernetes cluster will not schedule pods on the master node for security reasons. But if we would like to be able to schedule pods on the master node, e.g: for a single-node kubernetes cluster for testing and development purposes, we can run following commands.

$ kubectl taint nodes ip-172-31-24-84.ap-south-1.compute.internal node-role.kubernetes.io/master:NoSchedule-
Rajesh Kumar
Follow me
Latest posts by Rajesh Kumar (see all)