If you are not familiar with the oc command, refer to OpenShift - Getting Started with the oc command.

There are a few different ways to run a pod on a specific node.

• Using nodeSelector (nodes are labeled with a key=value - if a pods "nodeSelector" is an exact match of a nodes key=value label, then the pod can be scheduled run on the node)
• Using nodeAffinity (nodes are labeled with a key=value - if a pods "nodeAffinity" regular expression matches a nodes key=value label, the pod can be scheduled to run on the node)
• Using podAffinity (nodes are labeled with a key=value - if a pods "podAffinity" regular expression matches another pods key=value label, the pod can be scheduled to run on the same node as the other pod)
• Using Taint and Toleration (this article)
  • Nodes are labeled with a key=value:taint (e.g. region=east:NoSchedule)
  • If a pods tolerations uses "Exists" and the pods tolerations key matches the nodes toleration key, the pod is allowed to run on the node
  • If a pods tolerations uses "Equal" and the pods tolerations key and value is an exact match of the nodes tolerations key and value, the pod is allowed to run on the node

The scheduler is responsible for determining which node a resource should get created on. For example, when deploying a new application to OpenShift, the scheduler determines which worker node the pod should be created on, typically the worker node with the most available memory and CPU. Check out my article on the default scheduler.

The oc adm taint command can be used to apply a taint to a node. The taint takes three fields: key=value:effect.

Following are the effects.

• NoSchedule
  • If a pods tolerations uses "Equal" and the pods tolerations key and value are NOT an exact match of the nodes tolerations key and value, the pod will not be created on the node
  • If a pods toleration key/value/effect are not an exact match of a nodes key/value/effect, the pod will not be created on the node
• NoExecute
  • ​If a pods tolerations uses "Equal" and the pods tolerations key and value are NOT an exact match of the nodes tolerations key and value, the pod will be terminated
  • If a pods toleration key/value/effect are not an exact match of a nodes key/value/effect, the pod will be terminated
• PreferNoSchedule
  • If a pods tolerations uses "Equal" and the pods tolerations key and value are NOT an exact match of the nodes tolerations key and value, the pod might not be created on the node
  • If a pods toleration key/value/effect are not an exact match of a nodes key/value/effect, the pod might not be created on the node

In this example, two worker nodes are tainted.

~]$ oc adm taint node my-node-worker-5n4fj region=east:NoSchedule
node/my-node-worker-5n4fj tainted

~]$ oc adm taint node my-node-worker-v8r9r region=west:NoSchedule
node/my-node-worker-v8r9r tainted

The oc describe node command can be used to see the taint that have been applied to the worker nodes.

~]$ oc describe node my-node-worker-5n4fj
Taints:             region=east:NoSchedule

~]$ oc describe node my-node-worker-v8r9r
Taints:             region=west:NoSchedule

The operator can be Equal or Exists. If operator is not included, the Equal operator will be used by default.

If Equal is used, the deployment key and value (region and east in this example) must be an exact match of the node taint key and value for the pod to "tolerate the taint".

spec:
  template:
    spec:
      tolerations:
      - key: region
        value: east
        operator: Equal
        effect: NoSchedule <- optional

If Exists is used, the deploment key (region in this example) must be an exact match of the node taint key for the pod to "tolerate the taint".

spec:
  template:
    spec:
      tolerations:
      - key: region
        operator: Exists
        effect: NoSchedule <- optional
        tolerationSeconds: 60 <- optional

Here is an example of how to update a deployment YAML using the oc patch command.

oc patch deployment my-deployment --patch '{"spec":{"template":{"spec":{"tolerations":[{"key":"region","value":"east","operator":"Equal","effect":"NoSchedule"}]}}}}'

Here is how you would remove a taint from a node, replacing "region" with whatever key the node has been tainted with.

~]$ oc adm taint node my-node-worker-5n4fj region-
node/my-node-worker-5n4fj untainted

~]$ oc adm taint node my-node-worker-v8r9r region-
node/my-node-worker-v8r9r untainted