Taints and tolerations are used to restrict the pods to schedule them onto respective nodes. There is nothing to do with security.

If no restrictions are applied K8s scheduler places the pods in all respective nodes equally to balance all the pods

Assume we have certain resources assigned for application in a particular node, and we have tainted that node with some key value pair. By default pods doesn’t have tolerations, which means unless until specify, none of the pods scheduled into that tainted node, so this solves half of our requirement, no unwanted pod is going to place in that node.

To allow a pod to place in tainted node, we should add tolerations to that pod. How to add tolerations to that pod.

Lets 1^st taint a node

Kubectl taint nodes  

For example: kubectl taint nodes node1 app=blue:NoSchedule

Effects: NoSchedule, No execute, prefer no schedule

Tolerations to pod:

Under spec of pod definition file

    Tolerations:
    - Key: “app”
      Operator: “Equal”
      Value: “blue”
      Effect: “NoSchedule”

If pods are updated/created with new tolerations, either they are not scheduled on node or they evicted from the existed node depending on what effect is being set.

Taints and tolerations only meant to accept certain pods , it will define which pod has to go which node, for that we have node affinity concept which will be given in next blog

1^st case – all pods has to place in 1^st node because no tolerations applied to pods, and all pods will place in un-tainted node

2-case:

Pod A & B can place in 1^st node or node 3 only, and c  & D will be placed in node 2 or node 1.

Have your thought why pods are not scheduled in master node. Here is the answer for that;

Execute: kubectl describe node kubemaster | grep Taint

You will find it that, master has got tainted by default while creating the cluster