> **Important**: Follow this order to avoid stuck resources due to finalizers.
101
-
102
-
The controller adds a finalizer (`readiness.node.x-k8s.io/cleanup-taints`) to each `NodeReadinessRule` to ensure node taints are cleaned up before the rule is deleted. This means you must delete CRs **while the controller is still running**.
103
-
104
-
```sh
105
-
# 1. Delete all rule instances first (while controller is running)
106
-
kubectl delete nodereadinessrules --all
107
-
108
-
# 2. Delete the controller
109
-
make undeploy
110
-
111
-
# 3. Delete the CRDs
112
-
make uninstall
113
-
```
114
-
115
-
#### Recovering from Stuck Resources
51
+
### Enforcement Modes
116
52
117
-
If you deleted the controller before removing the CRs, the finalizer will block CR deletion. To recover, manually remove the finalizer:
53
+
#### Bootstrap-only Mode
54
+
- Removes bootstrap taint when conditions are first satisfied
55
+
- Marks completion with node annotation
56
+
- Stops monitoring after successful removal (fail-safe)
57
+
- Ideal for one-time setup conditions (installing node daemons e.g: security agent or kernel-module update)
- Adds taint when any condition becomes unsatisfied
62
+
- Removes taint when all conditions become satisfied
63
+
- Ideal for ongoing health monitoring (network connectivity, resource availability)
122
64
123
65
## Operations
124
66
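Review bot: the finalizer and deletion-order guidance removed in this hunk (the `readiness.node.x-k8s.io/cleanup-taints` note, the `kubectl delete nodereadinessrules --all` then `make undeploy` then `make uninstall` sequence, and the "Recovering from Stuck Resources" recovery text) is not reintroduced anywhere in the visible diff. If the controller still attaches that finalizer, dropping this section leaves operators without the warning that running `make undeploy` before deleting the CRs blocks CR deletion; keep the section in place or state in the commit where it moved. Minor style point on the added "Ideal for one-time setup conditions" bullet: "e.g:" should read "e.g.," and the "(storage, ...)" wording was dropped from the moved copy, which matches the example rename in the later dry-run hunk, so the two should be checked together for consistency.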
@@ -151,7 +93,7 @@ Test rules safely before applying:
151
93
spec:
152
94
dryRun: true # Enable dry run mode
153
95
conditions:
154
-
- type: "storage.kubernetes.io/CSIReady"
96
+
- type: "csi.example.net/NodePluginRegistered"
155
97
requiredStatus: "True"
156
98
# ... rest of spec
157
99
```
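Review bot: renaming the sample condition from `storage.kubernetes.io/CSIReady` to `csi.example.net/NodePluginRegistered` is a good change, since the old name reads as a reserved `kubernetes.io` type that the controller does not actually own. Please confirm that any other example in the README that still references `storage.kubernetes.io/CSIReady` is updated to the same name so the dry-run snippet and the rest of the document agree; the `# Enable dry run mode` comment and `requiredStatus: "True"` context lines are fine as-is.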
@@ -162,28 +104,73 @@ Check dry run results:
162
104
kubectl get nodereadinessrule <rule-name> -o jsonpath='{.status.dryRunResults}'
163
105
```
164
106
165
-
### Enforcement Modes
107
+
### Rule Validation and Constraints
166
108
167
-
#### Bootstrap-only Mode
168
-
- Removes bootstrap taint when conditions are first satisfied
169
-
- Marks completion with node annotation
170
-
- Stops monitoring after successful removal (fail-safe)
171
-
- Ideal for one-time setup conditions (storage, installing node daemons e.g: security agent or kernel-module update)
109
+
#### NoExecute Taint Effect Warning
172
110
173
-
#### Continuous Mode
174
-
- Continuously monitors conditions
175
-
- Adds taint when any condition becomes unsatisfied
176
-
- Removes taint when all conditions become satisfied
177
-
- Ideal for ongoing health monitoring (network connectivity, resource availability)
111
+
**`NoExecute` with `continuous` enforcement mode will evict existing workloads when conditions fail.**
178
112
179
-
## Configuration
113
+
If a critical component becomes temporarily unavailable (e.g., CNI daemon restart), all pods without matching tolerations are immediately evicted from the node. Use `NoSchedule` to prevent new scheduling without disrupting running workloads.
114
+
115
+
The admission webhook warns when using `NoExecute`.
116
+
117
+
See [Kubernetes taints documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) for taint behavior details.
118
+
119
+
#### Avoiding Taint Key Conflicts
120
+
121
+
The admission webhook prevents multiple rules from using the same `taint.key` and `taint.effect` on overlapping node selectors.
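Review bot: the `## Configuration` heading is removed at old line 179 in this hunk while the content that sat under it is not visible here, so whatever follows will be read as part of the new "Rule Validation and Constraints" section unless the remainder of this hunk restores a heading for it; please verify the section structure after the cut. Two documentation points on the added text: the NoExecute paragraph says pods without matching tolerations are "immediately evicted", which is correct, but it is worth adding that pods whose toleration sets `tolerationSeconds` are evicted after that period rather than kept, since readers may otherwise assume a toleration alone is protective; and "Avoiding Taint Key Conflicts" should state whether the webhook compares node selectors syntactically or evaluates them against current nodes, because two syntactically different selectors can still match the same node and the rejection behaviour differs between the two approaches.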