Prevent a user from deploying pods onto a master

9/24/2019

Is there a way to disallow pod schedule to a SchedulingDisabled master?

If a pod uses this toleration, it can always be scheduled:

tolerations:
- operator: Exists

The master node has these taints:

Taints:             node-role.kubernetes.io/master:NoSchedule
                    node.kubernetes.io/unschedulable:NoSchedule
Unschedulable:      true

$ kubectl get pod -o wide
NAME                        READY   STATUS             RESTARTS   AGE     IP              NODE                              NOMINATED NODE   READINESS GATES
deploy-b976f9795-rc2t5   1/1     Running   0          5m51s   192.168.0.15    master01   <none>           <none>

$ kubectl get node -o wide
NAME                              STATUS                     ROLES    AGE    VERSION   INTERNAL-IP   EXTERNAL-IP   OS-IMAGE             KERNEL-VERSION      CONTAINER-RUNTIME
master01    Ready,SchedulingDisabled   master   38h    v1.15.3   10.12.0.51    <none>        Ubuntu 18.04.3 LTS   4.15.0-62-generic   docker://18.9.9
node01   Ready                      node     38h    v1.15.3   10.12.0.62    <none>        Ubuntu 18.04.3 LTS   4.15.0-62-generic   docker://18.9.9
-- AndreaS
kubernetes

1 Answer

9/24/2019

As you mentioned, you are using Taints:

Taints: node-role.kubernetes.io/master:NoSchedule

which should not allow Pods to be assigned to this node. However, you are using one of the special cases:

An empty key with operator Exists matches all keys, values and effects, which means this will tolerate everything.

tolerations:
- operator: "Exists"

An empty effect matches all effects with key key.

tolerations:
- key: "key"
  operator: "Exists"

The only thing that comes to my mind is to use Affinity, Node isolation, or just Node Name.

-- PjoterS
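An added example, not from the question or the answer: it implements the toleration matching rules the answer quotes and runs them against the two taints shown on master01 in the question, so you can see why `operator: Exists` alone gets past both taints while a toleration scoped to the master key alone does not. It also flags such blanket tolerations, which is the check an admission policy would apply. The `Taint`/`Toleration` classes and function names are this example's own, not Kubernetes API objects.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Taint:
    key: str
    effect: str
    value: str = ""


@dataclass(frozen=True)
class Toleration:
    key: str = ""             # empty key: matches every key (with Exists)
    operator: str = "Equal"   # Kubernetes defaults a missing operator to Equal
    value: str = ""
    effect: str = ""          # empty effect: matches every effect for the key


def tolerates(tol: Toleration, taint: Taint) -> bool:
    """Matching rules as documented for Kubernetes taints and tolerations."""
    if tol.effect and tol.effect != taint.effect:
        return False
    if tol.key and tol.key != taint.key:
        return False
    if tol.operator == "Exists":
        return True
    if tol.operator == "Equal":
        return tol.value == taint.value
    return False


def schedulable(tolerations, taints) -> bool:
    """Every NoSchedule/NoExecute taint on the node must be tolerated."""
    hard = [t for t in taints if t.effect in ("NoSchedule", "NoExecute")]
    return all(any(tolerates(tol, t) for tol in tolerations) for t in hard)


def blanket_tolerations(tolerations):
    """Tolerations with no key and operator Exists tolerate every taint."""
    return [tol for tol in tolerations if tol.operator == "Exists" and not tol.key]


# Taints of the cordoned master01 as shown in the question.
MASTER_TAINTS = [
    Taint("node-role.kubernetes.io/master", "NoSchedule"),
    Taint("node.kubernetes.io/unschedulable", "NoSchedule"),
]
TOLERATE_EVERYTHING = [Toleration(operator="Exists")]
TOLERATE_MASTER_ONLY = [Toleration(key="node-role.kubernetes.io/master", operator="Exists")]

if __name__ == "__main__":
    print(schedulable(TOLERATE_EVERYTHING, MASTER_TAINTS))   # True: lands on the cordoned master
    print(schedulable(TOLERATE_MASTER_ONLY, MASTER_TAINTS))  # False: unschedulable taint is not tolerated
    print(blanket_tolerations(TOLERATE_EVERYTHING))          # the toleration an admission policy should reject
```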
Source: StackOverflow