Taints and tolerations are used to restrict the pods to schedule them onto respective nodes. There is nothing to do with security.
If no restrictions are applied K8s scheduler places the pods in all respective nodes equally to balance all the pods
Assume we have certain resources assigned for application in a particular node, and we have tainted that node with some key value pair. By default pods doesn’t have tolerations, which means unless until specify, none of the pods scheduled into that tainted node, so this solves half of our requirement, no unwanted pod is going to place in that node.
To allow a pod to place in tainted node, we should add tolerations to that pod. How to add tolerations to that pod.
Lets 1st taint a node
Kubectl taint nodes <node-name> <key=value:taint-effect>
For example: kubectl taint nodes node1 app=blue:NoSchedule
Effects: NoSchedule, No execute, prefer no schedule
Tolerations to pod:
Under spec of pod definition file
Tolerations: - Key: “app” Operator: “Equal” Value: “blue” Effect: “NoSchedule”
If pods are updated/created with new tolerations, either they are not scheduled on node or they evicted from the existed node depending on what effect is being set.
Taints and tolerations only meant to accept certain pods , it will define which pod has to go which node, for that we have node affinity concept which will be given in next blog
1st case – all pods has to place in 1st node because no tolerations applied to pods, and all pods will place in un-tainted node
Pod A & B can place in 1st node or node 3 only, and c & D will be placed in node 2 or node 1.
Have your thought why pods are not scheduled in master node. Here is the answer for that;
Execute: kubectl describe node kubemaster | grep Taint
You will find it that, master has got tainted by default while creating the cluster