Pod Scheduling in K8S: Taints and Tolerations

news/2025/1/19 15:29:15/

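Taints and Tolerations

  • In Kubernetes, taints and tolerations are two important scheduling concepts. They let an administrator mark nodes in order to influence how Pods are scheduled.

  • The scheduling methods covered earlier all work from the Pod's side: attributes added to the Pod decide whether it is scheduled onto a given Node. We can also work from the Node's side and add taints to a Node to decide whether Pods are allowed to be scheduled there.

  • Once a Node is tainted, it repels Pods: it refuses to have Pods scheduled onto it and can even evict Pods that are already running there.

Taints

A taint is a mark added to a node to express a restriction. It prevents Pods that do not meet the condition from being scheduled onto that node. The general format of a taint is: key=value:effect

  • key: the taint's identifier.

  • value: the taint's value; it may be empty and is used to narrow the taint's condition further.

  • effect: the taint's effect, one of the following:

    • NoSchedule: this is the default effect if none is specified. A taint with this effect prevents new Pods from being scheduled onto the node but does not affect Pods already running on it.

    • PreferNoSchedule: a taint with this effect recommends against scheduling Pods onto the node, but it is not mandatory. If no other node is available, a Pod can still be scheduled onto this node.

    • NoExecute: a taint with this effect not only prevents new Pods from being scheduled onto the node but also evicts all existing Pods that do not tolerate the taint (eviction means the Pod is deleted and its resources are released).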

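Basic commands:

  • Add a taint

$ kubectl taint nodes NODE_NAME key=value:effect
- NODE_NAME is the name of the node to taint.
- key is the taint's identifier.
- value is the value associated with the taint (if needed).
- effect is the taint's effect: NoSchedule, PreferNoSchedule or NoExecute.

  • Remove a taint

$ kubectl taint nodes NODE_NAME key=value:effect-
- Replacing effect with - (a hyphen) tells Kubernetes to remove the taint with that specific key and value.

  • Remove all taints

$ kubectl taint nodes NODE_NAME key:effect-
- Because no value is specified for the key, this removes all taints that match the key.

  • Set the taint to PreferNoSchedule

Shut down the node2 machine, leaving only the master and node1 nodes.

Set a PreferNoSchedule taint on node1: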

[root@k8s-master ~]# kubectl get nodes
NAME         STATUS     ROLES                  AGE   VERSION
k8s-master   Ready      control-plane,master   22d   v1.21.10
k8s-node1    Ready      <none>                 22d   v1.21.10
k8s-node2    NotReady   <none>                 22d   v1.21.10
[root@k8s-master ~]# kubectl taint nodes k8s-node1 tag=wyx:PreferNoSchedule
node/k8s-node1 tainted
[root@k8s-master ~]# kubectl describe nodes k8s-node1
Name:               k8s-node1
Roles:              <none>
Labels:             beta.kubernetes.io/arch=amd64
                    beta.kubernetes.io/os=linux
                    kubernetes.io/arch=amd64
                    kubernetes.io/hostname=k8s-node1
                    kubernetes.io/os=linux
Annotations:        kubeadm.alpha.kubernetes.io/cri-socket: /var/run/dockershim.sock
                    node.alpha.kubernetes.io/ttl: 0
                    projectcalico.org/IPv4Address: 192.168.58.232/24
                    projectcalico.org/IPv4IPIPTunnelAddr: 10.244.36.64
                    volumes.kubernetes.io/controller-managed-attach-detach: true
CreationTimestamp:  Wed, 25 Dec 2024 07:56:26 -0500
Taints:             tag=wyx:PreferNoSchedule
Unschedulable:      false
Lease:
  HolderIdentity:  k8s-node1
  AcquireTime:     <unset>
  RenewTime:       Fri, 17 Jan 2025 03:27:42 -0500
Conditions:
  Type                 Status  LastHeartbeatTime                 LastTransitionTime                Reason                       Message
  ----                 ------  -----------------                 ------------------                ------                       -------
  NetworkUnavailable   False   Fri, 17 Jan 2025 03:21:38 -0500   Fri, 17 Jan 2025 03:21:38 -0500   CalicoIsUp                   Calico is running on this node
  MemoryPressure       False   Fri, 17 Jan 2025 03:23:05 -0500   Wed, 25 Dec 2024 07:56:26 -0500   KubeletHasSufficientMemory   kubelet has sufficient memory available
  DiskPressure         False   Fri, 17 Jan 2025 03:23:05 -0500   Wed, 25 Dec 2024 07:56:26 -0500   KubeletHasNoDiskPressure     kubelet has no disk pressure
  PIDPressure          False   Fri, 17 Jan 2025 03:23:05 -0500   Wed, 25 Dec 2024 07:56:26 -0500   KubeletHasSufficientPID      kubelet has sufficient PID available
  Ready                True    Fri, 17 Jan 2025 03:23:05 -0500   Wed, 25 Dec 2024 08:25:28 -0500   KubeletReady                 kubelet is posting ready status
Addresses:
  InternalIP:  192.168.58.232
  Hostname:    k8s-node1
Capacity:
  cpu:                2
  ephemeral-storage:  17394Mi
  hugepages-1Gi:      0
  hugepages-2Mi:      0
  memory:             3861288Ki
  pods:               110
Allocatable:
  cpu:                2
  ephemeral-storage:  16415037823
  hugepages-1Gi:      0
  hugepages-2Mi:      0
  memory:             3758888Ki
  pods:               110
System Info:
  Machine ID:                 a34fc0322dfe4557acf75b76f37487fb
  System UUID:                CD4D4D56-2260-3BF8-7A19-6F45865B4C71
  Boot ID:                    b6caabb4-bcfd-4fef-b50a-8c9b0ff56f59
  Kernel Version:             3.10.0-1160.el7.x86_64
  OS Image:                   CentOS Linux 7 (Core)
  Operating System:           linux
  Architecture:               amd64
  Container Runtime Version:  docker://20.10.8
  Kubelet Version:            v1.21.10
  Kube-Proxy Version:         v1.21.10
PodCIDR:                      10.244.1.0/24
PodCIDRs:                     10.244.1.0/24
Non-terminated Pods:          (5 in total)
  Namespace                   Name                                        CPU Requests  CPU Limits  Memory Requests  Memory Limits  Age
  ---------                   ----                                        ------------  ----------  ---------------  -------------  ---
  kube-system                 calico-kube-controllers-697d846cf4-79hpj    0 (0%)        0 (0%)      0 (0%)           0 (0%)         22d
  kube-system                 calico-node-gc547                           250m (12%)    0 (0%)      0 (0%)           0 (0%)         22d
  kube-system                 coredns-6f6b8cc4f6-5nbb6                    100m (5%)     0 (0%)      70Mi (1%)        170Mi (4%)     22d
  kube-system                 coredns-6f6b8cc4f6-q9rhc                    100m (5%)     0 (0%)      70Mi (1%)        170Mi (4%)     22d
  kube-system                 kube-proxy-7hp6l                            0 (0%)        0 (0%)      0 (0%)           0 (0%)         22d
Allocated resources:
  (Total limits may be over 100 percent, i.e., overcommitted.)
  Resource           Requests    Limits
  --------           --------    ------
  cpu                450m (22%)  0 (0%)
  memory             140Mi (3%)  340Mi (9%)
  ephemeral-storage  0 (0%)      0 (0%)
  hugepages-1Gi      0 (0%)      0 (0%)
  hugepages-2Mi      0 (0%)      0 (0%)
Events:
  Type    Reason     Age    From        Message
  ----    ------     ----   ----        -------
  Normal  NodeReady  22d    kubelet     Node k8s-node1 status is now: NodeReady
  Normal  Starting   6m39s  kube-proxy  Starting kube-proxy.
[root@k8s-master ~]# kubectl get nodes
NAME         STATUS     ROLES                  AGE   VERSION
k8s-master   Ready      control-plane,master   22d   v1.21.10
k8s-node1    Ready      <none>                 22d   v1.21.10
k8s-node2    NotReady   <none>                 22d   v1.21.10
[root@k8s-master ~]# kubectl create ns dev
namespace/dev created
[root@k8s-master ~]#  kubectl run taint1 --image=nginx:1.17.1 -n dev
pod/taint1 created
[root@k8s-master ~]# kubectl get pod taint1 -n dev -o wide
NAME     READY   STATUS              RESTARTS   AGE   IP       NODE        NOMINATED NODE   READINESS GATES
taint1   0/1     ContainerCreating   0          14s   <none>   k8s-node1   <none>           <none>
[root@k8s-master ~]# kubectl get pod taint1 -n dev -o wide -w
NAME     READY   STATUS              RESTARTS   AGE   IP       NODE        NOMINATED NODE   READINESS GATES
taint1   0/1     ContainerCreating   0          18s   <none>   k8s-node1   <none>           <none>
taint1   1/1     Running             0          24s   10.244.36.71   k8s-node1   <none>           <none>
^C[root@k8s-master ~]# kubectl describe pods taint1 -n dev
Name:         taint1
Namespace:    dev
Priority:     0
Node:         k8s-node1/192.168.58.232
Start Time:   Fri, 17 Jan 2025 03:29:06 -0500
Labels:       run=taint1
Annotations:  cni.projectcalico.org/containerID: a5db60ee3198eafa2d7e89b6a8f57030d33bb5bc6468d2b75431108f00da36d5
              cni.projectcalico.org/podIP: 10.244.36.71/32
              cni.projectcalico.org/podIPs: 10.244.36.71/32
Status:       Running
IP:           10.244.36.71
IPs:
  IP:  10.244.36.71
Containers:
  taint1:
    Container ID:   docker://b43c30799394daaf62e7b9712da5a3c6c9a8ffd7dd71d07a21f26004e9ae0a92
    Image:          nginx:1.17.1
    Image ID:       docker-pullable://nginx@sha256:b4b9b3eee194703fc2fa8afa5b7510c77ae70cfba567af1376a573a967c03dbb
    Port:           <none>
    Host Port:      <none>
    State:          Running
      Started:      Fri, 17 Jan 2025 03:29:30 -0500
    Ready:          True
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-m47x8 (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             True
  ContainersReady   True
  PodScheduled      True
Volumes:
  kube-api-access-m47x8:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type    Reason     Age   From               Message
  ----    ------     ----  ----               -------
  Normal  Scheduled  56s   default-scheduler  Successfully assigned dev/taint1 to k8s-node1
  Normal  Pulling    54s   kubelet            Pulling image "nginx:1.17.1"
  Normal  Pulled     33s   kubelet            Successfully pulled image "nginx:1.17.1" in 20.507450779s
  Normal  Created    32s   kubelet            Created container taint1
  Normal  Started    32s   kubelet            Started container taint1

 

  • Set the taint to NoSchedule

[root@k8s-master ~]# kubectl taint nodes k8s-node1 tag=wyx:PreferNoSchedule-
node/k8s-node1 untainted
[root@k8s-master ~]# kubectl taint nodes k8s-node1 tag=wyx:NoSchedule
node/k8s-node1 tainted
[root@k8s-master ~]# kubectl get nodes
NAME         STATUS     ROLES                  AGE   VERSION
k8s-master   Ready      control-plane,master   22d   v1.21.10
k8s-node1    Ready      <none>                 22d   v1.21.10
k8s-node2    NotReady   <none>                 22d   v1.21.10
[root@k8s-master ~]# kubectl get pod taint1 -n dev -o wide 
NAME     READY   STATUS    RESTARTS   AGE     IP             NODE        NOMINATED NODE   READINESS GATES
taint1   1/1     Running   0          2m58s   10.244.36.71   k8s-node1   <none>           <none>
[root@k8s-master ~]# kubectl run taint2 --image=nginx:1.17.1 -n dev
pod/taint2 created
[root@k8s-master ~]# kubectl get pod taint2 -n dev -o wide -w
NAME     READY   STATUS    RESTARTS   AGE   IP       NODE     NOMINATED NODE   READINESS GATES
taint2   0/1     Pending   0          10s   <none>   <none>   <none>           <none>
[root@k8s-master ~]# kubectl describe pods taint2 -n dev
Name:         taint2
Namespace:    dev
Priority:     0
Node:         <none>
Labels:       run=taint2
Annotations:  <none>
Status:       Pending
IP:           
IPs:          <none>
Containers:
  taint2:
    Image:        nginx:1.17.1
    Port:         <none>
    Host Port:    <none>
    Environment:  <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-cb226 (ro)
Conditions:
  Type           Status
  PodScheduled   False
Volumes:
  kube-api-access-cb226:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason            Age   From               Message
  ----     ------            ----  ----               -------
  Warning  FailedScheduling  49s   default-scheduler  0/3 nodes are available: 1 node(s) had taint {node-role.kubernetes.io/master: }, that the pod didn't tolerate, 1 node(s) had taint {node.kubernetes.io/unreachable: }, that the pod didn't tolerate, 1 node(s) had taint {tag: wyx}, that the pod didn't tolerate.
  Warning  FailedScheduling  48s   default-scheduler  0/3 nodes are available: 1 node(s) had taint {node-role.kubernetes.io/master: }, that the pod didn't tolerate, 1 node(s) had taint {node.kubernetes.io/unreachable: }, that the pod didn't tolerate, 1 node(s) had taint {tag: wyx}, that the pod didn't tolerate.
  • Set the taint to NoExecute

As the output shows, all previously existing pods are removed, and new pods will not be created either.

[root@k8s-master ~]# kubectl taint nodes k8s-node1 tag=wyx:NoSchedule-
node/k8s-node1 untainted
[root@k8s-master ~]#  kubectl taint nodes k8s-node1 tag=wyx:NoExecute
node/k8s-node1 tainted
[root@k8s-master ~]# kubectl get pod -n dev -o wide | grep k8s-node1
No resources found in dev namespace.
[root@k8s-master ~]#  kubectl get pod -n dev -o wide
No resources found in dev namespace.
[root@k8s-master ~]# kubectl run taint3 --image=nginx:1.17.1 -n dev
pod/taint3 created
[root@k8s-master ~]#  kubectl get pod -n dev -o wide -w
NAME     READY   STATUS    RESTARTS   AGE   IP       NODE     NOMINATED NODE   READINESS GATES
taint3   0/1     Pending   0          5s    <none>   <none>   <none>           <none>

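Question: when a pod is created, why is it not scheduled onto the master node?

Because the master node is given a taint by default when the cluster is created.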

 

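Tolerations

  • In Kubernetes, a taint is a special mark on a node indicating that the node does not want certain Pods scheduled onto it. A toleration is a property of a Pod that lets the Pod ignore certain taints on a node, so that it can be scheduled onto that node.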


A taint is a refusal and a toleration ignores it: a Node uses taints to refuse Pods, and a Pod uses tolerations to ignore the refusal.

[root@k8s-master ~]# kubectl describe node k8s-node1 | grep Taints
Taints:             tag=wyx:NoExecute
# node1's taint is NoExecute, so Pods cannot be scheduled onto node1
[root@k8s-master ~]# vim pod-toleration.yaml
[root@k8s-master ~]# cat pod-toleration.yaml 
---
apiVersion: v1
kind: Pod
metadata:
  name: pod-toleration
  namespace: dev
spec:
  containers:
  - name: nginx
    image: nginx:1.17.1
  tolerations:
  - key: "tag"
    operator: "Equal"
    value: "wyx"
    effect: "NoExecute"

- key: "tag" is the key of the taint on the node.
- operator: "Equal" means the toleration matches a taint with the same key and value.
- value: "wyx" is the value of the taint on the node.
- effect: "NoExecute" is the taint's effect: a Pod without a matching toleration is not scheduled onto the node and, if it is already there, is evicted.

[root@k8s-master ~]# kubectl apply -f pod-toleration.yaml 
pod/pod-toleration created
[root@k8s-master ~]# kubectl get pod pod-toleration -n dev -o wide
NAME             READY   STATUS    RESTARTS   AGE   IP             NODE        NOMINATED NODE   READINESS GATES
pod-toleration   1/1     Running   0          9s    10.244.36.73   k8s-node1   <none>           <none>
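
The three taint experiments and the toleration above can be reproduced offline with a small model of the matching rules. This is an added example, not code from the original page or from Kubernetes; the function names are hypothetical, and the NoSchedule effects on k8s-master and k8s-node2 are assumptions (the page's events show only their taint keys).

```python
# Added example (not scheduler code). These are the two tolerations the page's
# `kubectl describe pods` output shows on every pod.
DEFAULT_TOLERATIONS = [
    {"key": "node.kubernetes.io/not-ready", "operator": "Exists", "effect": "NoExecute"},
    {"key": "node.kubernetes.io/unreachable", "operator": "Exists", "effect": "NoExecute"},
]
# The toleration from the page's pod-toleration.yaml.
PAGE_TOLERATION = {"key": "tag", "operator": "Equal", "value": "wyx", "effect": "NoExecute"}

def taint(key, value, effect):
    return {"key": key, "value": value, "effect": effect}

def cluster(node1_effect):
    """The page's three nodes; the effects on master and node2 are assumptions."""
    return {
        "k8s-master": [taint("node-role.kubernetes.io/master", "", "NoSchedule")],
        "k8s-node1": [taint("tag", "wyx", node1_effect)],
        "k8s-node2": [taint("node.kubernetes.io/unreachable", "", "NoSchedule")],
    }

def tolerates(tol, t):
    """True if one toleration matches one taint."""
    if tol.get("effect") and tol["effect"] != t["effect"]:
        return False  # an empty effect in the toleration would match every effect
    if tol.get("operator", "Equal") == "Exists":
        # Exists ignores the value; an empty key with Exists matches every key
        return not tol.get("key") or tol["key"] == t["key"]
    return tol.get("key") == t["key"] and tol.get("value", "") == t["value"]

def untolerated(taints, tolerations):
    return [t for t in taints if not any(tolerates(tol, t) for tol in tolerations)]

def schedule(nodes, tolerations):
    """Name of the node a new pod lands on, or None if it stays Pending."""
    clean, tainted = [], []
    for name, taints in nodes.items():
        left = untolerated(taints, tolerations)
        if any(t["effect"] in ("NoSchedule", "NoExecute") for t in left):
            continue  # hard effects remove the node from consideration
        (tainted if left else clean).append(name)  # PreferNoSchedule only ranks lower
    ranked = clean + tainted
    return ranked[0] if ranked else None

def evicted(taints, tolerations):
    """A running pod is evicted only by a NoExecute taint it does not tolerate."""
    return any(t["effect"] == "NoExecute" for t in untolerated(taints, tolerations))

if __name__ == "__main__":
    for effect in ("PreferNoSchedule", "NoSchedule", "NoExecute"):
        print(effect, schedule(cluster(effect), DEFAULT_TOLERATIONS))
```

In this model a toleration with operator Exists and no key matches every taint, including the master's, so a taint keeps a pod off a node only while the pod spec carries no matching toleration.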

 


http://www.ppmy.cn/news/1564444.html
