Update node-selection documentation with information about taints, tolerations, and alpha support for per-pod-configurable behavior when there are node problems

[davidopp]

@kevin-wangzefeng and/or @aveshagarwal could you review this?

cc/ @kubernetes/sig-scheduling-misc

---

This change is 

[davidopp]

@gmarek if you have time to take a look too that would be great, but I know you're going on vacation so don't worry about it

[gyliu513]

s/conceretely/concretely

[davidopp]

Done

[gyliu513]

s/toleate/tolerate

[davidopp]

Done

[gyliu513]

How about highlight as: preference or soft

[davidopp]

These are not official Kubernetes terminology (e.g. not an object or field name or field value), so I think putting them in quote marks is better than using backtick (which I believe is what you're suggesting?).

[gyliu513]

Thanks @davidopp , my thinking for when using backtick is that this may not limited to some Kubenretes terminology, but also some key words which we want to highlight something in the document, comments?

[davidopp]

I disagree. I think people interpret monospaced fonts as "computer font" and thus something that would go into a config or come out of the system as output. For highlighting key words I think it's better to use quotes, italics, or bold.

[gyliu513]

I see, thanks @davidopp

[gyliu513]

Could you please add a link to kubectl taint command here https://kubernetes.io/docs/user-guide/kubectl/kubectl_taint/

I have updated it a bit by adding NoExecute:

1. Updated user guide for kubectl taint by adding NoExecute. #2744
2. kubectl taint update for NoExecute. kubernetes#42775

[davidopp]

Done

[gyliu513]

s/unignored/un-ignored ?

Here an every other places

[davidopp]

Done

[gyliu513]

s/PodSpec/PodSpec

[davidopp]

Everywhere else in the doc I used PodSpec without backticks. I don't have a strong preference either way, but since you only mentioned it once, wasn't sure if you wanted me to change it everywhere.

[gyliu513]

Got it, then I think that we can address this in a separate PR.

[gyliu513]

As --feature-gates=FooBar=true,TaintBasedEvictions=true is also good, so how about update this as:

s/(--feature-gates=TaintBasedEvictions)/(include TaintBasedEvictions=true in --feature-gates, such as --feature-gates=FooBar=true,TaintBasedEvictions=true)

[davidopp]

Done, and reworded the first part of this paragraph a bit.

[gyliu513]

s/lmiting/limiting

How about

[subject to rate limiting] (https://kubernetes.io/docs/admin/node/#node-controller)

[davidopp]

Done

[gyliu513]

Fixed part of #2737

[gyliu513]

How about s/"node unreachable"/node unreachable and others here using ""?

[davidopp]

Same comment here as for "preference" and "soft" -- "node unreachable" is not official terminology (not an object or field name or field value), so I think putting them in quote marks is better than using backtick.

[gyliu513]

How about update this a bit as:

For node not ready case, just update the key for tolerations to node.alpha.kubernetes.io/notReady.

Also do you want to add sth for daemonset (https://kubernetes.io/docs/admin/daemons/ ) here? I'm planning to update the daemonset a bit and perhaps we can add a link here, I can follow up with a PR once this got merged.

[davidopp]

For node not ready case, just update the key for tolerations to node.alpha.kubernetes.io/notReady.

Done

Also do you want to add sth for daemonset (https://kubernetes.io/docs/admin/daemons/ ) here?

Let's wait to see what you write for DaemonSet. I agree pointing from DaemonSet to here makes sense, not sure if we should add anything here.

[gyliu513]

I also have the same thinking as you, perhaps adding sth here for Daemonset maybe better as you already have something for pod in last paragraph, does it make sense to extend the last paragraph to cover Daemonset then I can update https://kubernetes.io/docs/admin/daemons/ by adding a reference here same as your proposal for --enable-taint-manager and --use-taint-based-evictions. that you mentioned in the kubernetes dev list?

[gyliu513]

Write sth for daemonset here #2776

[davidopp]

Done (added a paragraph).

[gmarek]

I'm not sure that "pod template" is a good expression. Pod templates are only in "controllers", and one can (in theory) create a Pod directly. Tolerations are specified in PodSpec.

[davidopp]

Changed to PodSpec.

[gmarek]

I believe this should be put before examples in which Exists and Equal appear.

[davidopp]

The problem is that if you do that, then the reader hasn't seen "operator' anywhere yet. By putting an example toleration first, they at least have some idea what operator looks like.

[timothysc]

consider : before the bullets.

[davidopp]

Done

[gmarek]

and won't be scheduled on the Node

[davidopp]

Oh right, you did that in kubernetes/kubernetes#41068. I actually wonder whether we should have done that, since ideally "no schedule" and "no execute" should be orthogonal (we used to call NoExecute "NoScheduleNoExecute" but then changed it to make them orthogonal). Anyway, too late now. Changed the documentation to reflect reality.

[gmarek]

Does this work?

[gyliu513]

root@k8s001:~/go/src/k8s.io/kubernetes# kubectl taint nodes 127.0.0.1 key1=value1:NoSchedule
node "127.0.0.1" tainted
root@k8s001:~/go/src/k8s.io/kubernetes# kubectl taint nodes 127.0.0.1 key1=value1:NoExecute
node "127.0.0.1" tainted
root@k8s001:~/go/src/k8s.io/kubernetes# kubectl taint nodes 127.0.0.1 key1=value2:NoSchedule
error: Node '127.0.0.1' already has a taint with key (key1) and effect (NoSchedule), and --overwrite is false

Seems we need to update the third command as kubectl taint nodes node1 key2=value2:NoSchedule

[davidopp]

Good point. Changed as @gyliu513 suggested.

[gmarek]

indent.

[davidopp]

Sorry, what's wrong with the current indent?

[davidopp]

Oh never mind, fixed it.

[gmarek]

I think you need at least mention that adding those taints is rate limited, to prevent "massive pod eviction". We rate limit adding taints, so we won't need to maintain special logic in taint controller for handling NC taints.

[davidopp]

Done

[gyliu513]

How about mention the tolerations are for NoExecute taint? https://github.com/kubernetes/kubernetes/blob/master/pkg/controller/daemon/daemoncontroller.go#L843-L867

[davidopp]

Done

[gyliu513]

root@k8s001:~/go/src/k8s.io/kubernetes# kubectl taint nodes 127.0.0.1 key1=value1:NoSchedule
node "127.0.0.1" tainted
root@k8s001:~/go/src/k8s.io/kubernetes# kubectl taint nodes 127.0.0.1 key1=value1:NoExecute
node "127.0.0.1" tainted
root@k8s001:~/go/src/k8s.io/kubernetes# kubectl taint nodes 127.0.0.1 key1=value2:NoSchedule
error: Node '127.0.0.1' already has a taint with key (key1) and effect (NoSchedule), and --overwrite is false

Seems we need to update the third command as kubectl taint nodes node1 key2=value2:NoSchedule

[cmluciano]

I tried to be thorough from a readability perspective. Overall the information is super valuable. There are a few sentences that should be split up more to avoid run-on sentences.

[cmluciano]

Described earlier can probably be dropped. It would be best to make node affinity a hyperlink to it's description.

[devin-donnelly]

This paragraph could use some rework. Further comments below.

[cmluciano]

If keys and effects are either singular or plural than the s after them should be in parens like so (s)

[cmluciano]

And: should probably be split out into another sentence.

[cmluciano]

The Alternatively sentence feels like a run-on sentence. It should be split up into several sentences.

[mburke5678]

Making The system will... the start of a new sentence should help.

[davidopp]

Split into two sentences as suggested.

[cmluciano]

remove comma and link to the description instead. Ex is described here

[cmluciano]

This is quite a long sentence. It should probably be broken up into multiple sentences.

[aveshagarwal]

s/taints and tolerations/taints

[davidopp]

s/taints and tolerations/taints

Changed to "You can put multiple taints on the same node and multiple tolerations on the same pod."

[cmluciano]

Sentence in parentheses should be a separate sentence

[cmluciano]

Thus doesn't read well in this sentence. Consider removing it and rephrasing the sentence a bit.

[davidopp]

Rephrased

[cmluciano]

This feels like a comma splice. I think it should be rephrased or split into multiple sentences.

[cmluciano]

Run-on sentence

[cmluciano]

Consider combining this information with the following to mitigate the run-on sentence and increase clarity.

[davidopp]

Made some changes to make it clearer.

[aveshagarwal]

FYI: for taint and tolerations @mburke5678

[aveshagarwal]

Would it be helpful to mention about empty key in general, before stating this special case?

[davidopp]

Empty key is not allowed except in this one special case, so I don't think there is anything else to say about it.

[aveshagarwal]

So it seems that a pod with a toleration with Exists operator and empty key, value and effect, can be placed on any node in a cluster? I wonder should be disallow this or do we do this already?

[davidopp]

We don't have any security/access control around tolerations in general, so I'm not sure the case you're describing is any worse than what people could do anyway (e.g. examine all the taints in the cluster and create explicit tolerations for each of them).

[aveshagarwal]

Regarding this "...nodes as well as any other nodes in the cluster." I think it would be helpful to specify this somewhere in the beginning to make it more explicit to avoid any confusion related to their placement as in this issue: kubernetes/kubernetes#39818

[aveshagarwal]

typo: dedicated->dedicate

[davidopp]

typo: dedicated->dedicate

Fixed.

As for your other comment, the first sentence of the taints and tolerations section says

Node affinity, described earlier, allows a pod to "be attracted to" a set of nodes
(either as a preference or a hard requirement). Taints are the opposite -- they allow
a *node* to *repel* a set of pods.

I am worried that trying to explain the confusion in the issue you mentioned, will just confuse people. My hope is that the examples here make it clear that you additionally need to add a node affinity if you want to steer a pod (whether or not it has a toleation) towards particular node(s). But if you want to send a PR with some suggested wording after this PR merges, we can discuss. I just can't think of a way to do it without confusing people.

[aveshagarwal]

node.alpha.kubernetes.io/unreachable

[davidopp]

Fixed

[aveshagarwal]

some minor comments, otherwise LGTM.

[aveshagarwal]

Also I noticed that in the issue kubernetes/kubernetes#42753, the plan is that kubelet add infinite tolerations to static and mirror pods so that these pods are not evicted by taint controller ever. Should we mention that somewhere in this doc?

[davidopp]

Thanks again everyone. I added LGTM label.

[gyliu513]

Thanks @davidopp , lgtm now, hope this can be merged soon ;-)

[kevin-wangzefeng]

Minor changes, thanks.

[kevin-wangzefeng]

s/You/You can/

[kevin-wangzefeng]

s/schedule on/schedule onto/

[davidopp]

ping @kubernetes/sig-docs-maintainers

[davidopp]

ping again

[davidopp]

@kevin-wangzefeng Thanks for the feedback, we can fix those in a followup, I'd like to get this merged.

[devin-donnelly]

Delete this heading; the paragraphs after explain what Taints and Tolerations are, not how to set them.

[davidopp]

Done.

[devin-donnelly]

This paragraph could use some rework. Further comments below.

[devin-donnelly]

Rather than trying to explain Taints and Tolerations as the opposite of Affinity (which assumes that people have read/want to read the Affinity documentation), I suggest starting like this:

"Taints and tolerations are features that work together to ensure that pods are not scheduled onto inappropriate nodes. Taints are applied to nodes, and are a way of marking that a node should not accept pods that have a given toleration. Tolerations are applied to pods, and specify that those pods should avoid nodes with a given taint.

"

[davidopp]

It's a tough concept to explain. I think that contrasting with affinity is the most straightforward way to do it. Taints and tolerations are a newer-in-Kubernetes and more sophisticated concept than affinity, so I think people reading this section are likely to have some familiarity with affinity. Just to be on the safe side, I explain the salient properties of affinity in the sentence itself, so it should be self-contained even if the reader did not read the section on affinity.

I reworded the first paragraph a bit, and replaced the second paragraph with a modified version of the text you suggested.

[devin-donnelly]

You haven't mentioned "tolerations" yet, so it seems weird to drop the term in here. The whole "more concretely" paragraph can probably be folded into the introduction, as in my suggested comment above.

[davidopp]

I used a modified version of your suggested text as the second paragraph, which I think resolves this issue.

[devin-donnelly]

"You specify a toleration for a pod in the PodSpec".

[davidopp]

Done.

[mburke5678]

Consider making a separate sentence out of the information in parentheses.

[davidopp]

I don't think that makes it clearer.

[mburke5678]

Do we need to list/define the values that can be entered here and in the taints?

[davidopp]

The doc does it in prose, starting at A toleration "matches" a taint...
For a more computer-oriented description, they can look at the API definition.

[mburke5678]

s/shedule/schedule

[davidopp]

Done.

[davidopp]

This PR is ready for a final docs review.

[devin-donnelly]

Looks good. Thanks, @davidopp .

[davidopp]

Thanks!

[gyliu513]

So this will only be merged to release 1.6 branch? How about master? Does all of the PRs here #2737 should goto release 1.6 branch? @davidopp @devin-donnelly

[davidopp]

@gyliu513 Yeah, the docs PRs are supposed to go in release-1.6 branch. I'm not sure what happens if you submit to master, but @kubernetes/sig-docs-maintainers should know.

[gyliu513]

Thanks @davidopp All of the PRs here #2737 are not merged yet, do I need to resubmit those patches to 1.6 branch? @kubernetes/sig-docs-maintainers

[aveshagarwal]

@gyliu513 yes those PRs should be against 1.6 branches. May be you could just change the base branch to 1.6 in docs repo when resubmitting prs?

[davidopp]

I already changed all of @gyliu513 RPs to 1.6 base branch. They are just waiting docs review.

[gyliu513]

Yes, all of the PRs are now based on 1.6, but did not get review comments from @kubernetes/sig-docs-maintainers till now. @aveshagarwal