CKA Day 14 — Taints and Tolerations in Kubernetes
Day 14 of the 40-day CKA Certification course by Tech Tutorials with Piyush. This lesson dives deep into the negative scheduling primitive that keeps workloads off unsuitable nodes and enables dedicated node pools.
Core Concepts
Taints are applied to nodes. They act as a “Do Not Disturb” sign that repels Pods unless the Pod explicitly tolerates the condition. Tolerations are applied to Pods. They declare that a Pod is willing to run on a node with a matching taint. Together they form the inverse of nodeSelector: instead of attracting Pods to nodes, they exclude Pods from nodes.
The kube-scheduler respects taints during its filtering phase. If a node carries a taint and the candidate Pod lacks a matching toleration, the node is removed from consideration. Existing Pods already running on a node are not affected by NoSchedule taints, but they are evicted by NoExecute taints.
Taint Effects
| Effect | Behavior |
|---|---|
| NoSchedule | New Pods without a toleration are not scheduled on the node |
| PreferNoSchedule | Soft rule — scheduler tries to avoid the node but will place if no alternative exists |
| NoExecute | Evicts existing Pods without a toleration; also prevents new scheduling |
NoExecute is the most aggressive effect. It is used during node drains, maintenance windows, and when the node controller automatically taints unhealthy nodes. A Pod must have a matching toleration (including the effect) to survive on a NoExecute-tainted node.
Imperative Commands
```bash
# Taint a node
kubectl taint node worker-1 gpu=true:NoSchedule
# Remove a taint (append minus sign)
kubectl taint node worker-1 gpu=true:NoSchedule-
# View node taints
kubectl describe node worker-1 | grep Taints
# Taint all nodes in a pool (useful for maintenance)
kubectl taint nodes -l env=staging maintenance=true:NoExecute
```
YAML Toleration Patterns
```yaml
spec:
  tolerations:
  - key: "gpu"
    operator: "Equal"
    value: "true"
    effect: "NoSchedule"
```
The operator can be Equal (key, value, and effect must match exactly) or Exists (only the key and effect must match; the value is ignored). The Exists operator is useful for tolerating any value of a given taint key.
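The matching rules above, as an added example (not code from the course or from Kubernetes itself): a simplified Python model of how a toleration is compared with a taint and what each effect then means for a Pod. It goes slightly beyond the page by covering two Kubernetes API rules the text does not state: a toleration with no effect matches every effect, and a toleration with no key and operator Exists matches every taint, which makes it worth flagging when node isolation matters. Function names and sample data are constructed for illustration.

```python
# Added example: simplified model of taint/toleration matching.
# Function names and sample data are constructed for illustration.

def tolerates(tol, taint):
    """Return True if a single toleration matches a single taint."""
    # A toleration with no effect matches taints of every effect.
    if tol.get("effect") and tol["effect"] != taint["effect"]:
        return False
    # A toleration with no key (valid only with Exists) matches every key.
    if tol.get("key") and tol["key"] != taint["key"]:
        return False
    if tol.get("operator", "Equal") == "Exists":
        return True  # value is ignored
    # Equal (the default): key must be set and values must be identical.
    return bool(tol.get("key")) and tol.get("value", "") == taint.get("value", "")

def evaluate(taints, tolerations):
    """Return (schedulable, evicted_if_running, untolerated_taints)."""
    untolerated = [t for t in taints
                   if not any(tolerates(tol, t) for tol in tolerations)]
    effects = {t["effect"] for t in untolerated}
    # PreferNoSchedule is soft: it never blocks placement on its own.
    schedulable = not effects & {"NoSchedule", "NoExecute"}
    return schedulable, "NoExecute" in effects, untolerated

def is_wildcard(tol):
    """Flag a toleration that matches every taint (empty key + Exists)."""
    return tol.get("operator") == "Exists" and not tol.get("key")

# Constructed sample data mirroring the commands on this page.
GPU_TAINT = {"key": "gpu", "value": "true", "effect": "NoSchedule"}
MAINT_TAINT = {"key": "maintenance", "value": "true", "effect": "NoExecute"}
GPU_TOLERATION = {"key": "gpu", "operator": "Equal", "value": "true",
                  "effect": "NoSchedule"}

if __name__ == "__main__":
    print(evaluate([GPU_TAINT], []))                 # blocked, not evicted
    print(evaluate([GPU_TAINT], [GPU_TOLERATION]))   # schedulable
    print(evaluate([GPU_TAINT, MAINT_TAINT], [GPU_TOLERATION]))  # evicted
    print(is_wildcard({"operator": "Exists"}))       # tolerates everything
```
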
Built-In and Common Taints
- node-role.kubernetes.io/control-plane:NoSchedule — applied by kubeadm to keep user workloads off control plane nodes
- node.kubernetes.io/not-ready:NoSchedule — applied automatically when a node becomes NotReady
- node.kubernetes.io/unreachable:NoExecute — applied when the node controller loses contact with a node
- node.kubernetes.io/disk-pressure:NoSchedule — applied when the node is low on disk
- node.kubernetes.io/memory-pressure:NoSchedule — applied when the node is low on memory
Exam Trap: DaemonSets like kube-proxy and CNI agents must tolerate the control-plane taint to run on master nodes. If you create a custom DaemonSet and it is missing from control plane nodes, the first thing to check is tolerations.
Taints vs. Node Affinity vs. nodeSelector
| Feature | Attracts or Repels? | Scope | Flexibility | Production Use |
|---|---|---|---|---|
| nodeSelector | Attracts | Pod spec | Low (exact match) | Simple constraints |
| nodeAffinity | Attracts | Pod spec | High (soft/hard) | Complex preference |
| taints | Repels | Node | Medium (exact key-value-effect) | Node isolation, maintenance |
| tolerations | Overrides repel | Pod spec | Medium | Allow onto tainted nodes |
In practice, production clusters combine all three: nodeSelector or nodeAffinity to prefer a node pool, and taints/tolerations to protect critical nodes from noisy neighbors.
CKA Exam Relevance
- Workloads & Scheduling (~15%): Expect tasks to add a toleration so a Pod runs on a tainted node, or to taint a node to prevent scheduling.
- Troubleshooting (~30%): A Pod stuck in Pending with message 0/3 nodes are available: 3 node(s) had taint ... is the classic taint mismatch symptom.
- Speed Pattern: Use --overrides with kubectl run to inject tolerations imperatively, or edit the manifest directly. Know the toleration field structure by heart.
See Also
Wiki Concepts
- Taints and Tolerations — deep-dive concept page with full YAML anatomy and exam commands
- Kubernetes Manual Scheduling — nodeName, nodeSelector, and nodeAffinity alongside taints
- Kubernetes DaemonSet — why DaemonSets need tolerations to run on control plane nodes
- Kubernetes Architecture — kube-scheduler filtering phase
- Pod Fundamentals — the object that carries tolerations
- Kubernetes Labels and Selectors — the positive scheduling counterpart
Related Sources
- CKA Day 13: Static Pods, Manual Scheduling, Labels, and Selectors — covers introductory taints/tolerations
- CKA Day 12: DaemonSet, Job & CronJob Explained — DaemonSet toleration patterns
Creator / Entity
- Tech Tutorials with Piyush — 40-day CKA free course
Ingested on 2026-06-08. Part of the Consumed Videos library.