Using Taints and Tolerations
Note
Using Taints and Tolerations is optional.
You can apply Taints and Tolerations to the CTE for Kubernetes application pod that you are running. You can also create your staging pod with toleration.
Taints allow a node to repel a set of pods. Tolerations are applied to pods. Tolerations allow the scheduler to schedule pods with matching taints as long as it's allowed by the other associated parameters.
Taints and Tolerations work together to ensure that pods are not scheduled onto inappropriate nodes. Once one or more taints are applied to a node, the node should not accept any pods that do not tolerate the taints.
For more information, see Kubernetes Taints and Tolerations.
Using Taints and Tolerations with CTE for Kubernetes
CTE for Kubernetes now supports nodes with taints. You can specify a toleration in a pod_spec for the staging pod of a CTE for Kubernetes volume. To do this, CTE for Kubernetes added annotation support to a CTE for Kubernetes PVC. This annotation uses a base64 encoded string for input. Kubernetes requires the pod to pass the info to the cluster as a single base64 encoded string. The only way to create this is to manually encode the yaml file that contains the Taints and Tolerations. CTE for Kubernetes takes the yaml file and extracts any toleration definitions contained in it and appends them to the staging pod when that PVC is mounted anywhere in the cluster. Any values in the YAML file that are not related to toleration are ignored.
Note
To apply Taints and Tolerations to a pod, you must first shut down the pod. Additionally, support for toleration must be added at PVC creation time. Modifying an existing PVC with the added toleration is not supported because the CTE PVC was not created with the required immutable volume attributes.
Applying Taints and Tolerations
-
Create and add the taint to a node, type:
kubectl taint nodes <nodeName> <keyName>=<valueName>:<taintEffect>
Example:
kubectl taint nodes node1 key1=value1:NoExecute
-
Create a tolerations yaml file. The tolerations must match the taint created in the previous step. The file should look similar to the following:
cat <cte_tolerations>.yaml
Response:
spec: tolerations: - key: "key1" operator: "Equal" value: "value1" effect: "NoExecute"
Note
The taint effect NoSchedule does not work with Taints and Tolerations for CTE for Kubernetes.
-
Write the tolerations yaml file to a text file while generating the base64 encoding and appending the file with the string, type:
cat <cte_tolerations>.yaml | base64 -w0
Response:
c3BlYzoKICB0b2xlcmF0aW9uczoKICAtIGtleTogImtleTEiCiAgICBvcGVyYXRvcjogIkVxdWFsIgogICAgdmFsdWU6ICJ2YWx1ZTEiCiAgICBlZmZlY3Q6ICJOb0V4ZWN1dGUiCg==
-
Once the base64 string is generated, the PVC is appended with the string. For example:
cat <cte_pvc_fileName>.yaml
Response:
apiVersion: v1 kind: PersistentVolumeClaim metadata: name: cte-csi-claim annotations: csi.cte.cpl.thalesgroup.com/policy: <policyName> csi.cte.cpl.thalesgroup.com/source_pvc: <pvcName>-claim csi.cte.cpl.thalesgroup.com/spec_append: c3BlYzoKICB0b2xlcmF0aW9uczoKICAtIGtleTogImtleTEiCiAgICBvcGVyYXRvcjogIkVxdWFsIgogICAgdmFsdWU6ICJ2YWx1ZTEiCiAgICBlZmZlY3Q6ICJOb0V4ZWN1dGUiCg== spec: storageClassName: <storageClassName accessModes: - ReadWriteMany resources: requests: storage: 10Gi
For more information, see the Command line tool (kubectl).