Restrict services deployment to Kubernetes worker nodes
By default, MKE clusters use Kubernetes taints and tolerations to prevent user workloads from deploying to MKE manager or MSR nodes.
Note
Workloads deployed by an administrator in the kube-system namespace do not follow scheduling constraints. If an administrator deploys a workload in the kube-system namespace, a toleration is applied to bypass the taint, and the workload is scheduled on all node types.
To view the taints, run the following command:
$ kubectl get nodes <mkemanager> -o json | jq -r '.spec.taints | .[]'
Example of system response:
{
  "effect": "NoSchedule",
  "key": "com.docker.ucp.manager"
}
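To audit the restriction described above, the following added example (not part of the MKE documentation) applies the Kubernetes toleration matching rule to pod JSON and lists pods outside kube-system that tolerate the manager taint. The function names and the sample pod list are assumptions made for illustration; the input is expected in the shape of `kubectl get pods -A -o json`.

```python
import json

# Taint shown in the page's example output for an MKE manager node.
MANAGER_TAINT = {"key": "com.docker.ucp.manager", "effect": "NoSchedule"}

def tolerates(toleration, taint):
    """Kubernetes matching rule: does this toleration tolerate the taint?"""
    # An empty toleration effect matches every effect.
    if toleration.get("effect") and toleration["effect"] != taint["effect"]:
        return False
    operator = toleration.get("operator", "Equal")  # Equal is the default
    key = toleration.get("key")
    if operator == "Exists":
        # Exists with no key tolerates every taint.
        return not key or key == taint["key"]
    return key == taint["key"] and toleration.get("value", "") == taint.get("value", "")

def pods_bypassing_taint(pod_list, taint=MANAGER_TAINT, exempt=("kube-system",)):
    """Return sorted namespace/name of pods outside exempt namespaces that tolerate the taint."""
    hits = []
    for pod in pod_list.get("items", []):
        meta = pod["metadata"]
        if meta["namespace"] in exempt:
            continue
        tolerations = pod.get("spec", {}).get("tolerations") or []
        if any(tolerates(t, taint) for t in tolerations):
            hits.append(f'{meta["namespace"]}/{meta["name"]}')
    return sorted(hits)

# Constructed sample in the shape of `kubectl get pods -A -o json` (not real cluster data).
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"namespace": "kube-system", "name": "sys-agent"},
  "spec": {"tolerations": [{"operator": "Exists"}]}},
 {"metadata": {"namespace": "dev", "name": "web"},
  "spec": {"tolerations": [{"key": "node.kubernetes.io/not-ready", "operator": "Exists", "effect": "NoExecute"}]}},
 {"metadata": {"namespace": "dev", "name": "debug-all"},
  "spec": {"tolerations": [{"operator": "Exists"}]}},
 {"metadata": {"namespace": "ops", "name": "backup"},
  "spec": {"tolerations": [{"key": "com.docker.ucp.manager", "operator": "Exists", "effect": "NoSchedule"}]}},
 {"metadata": {"namespace": "ops", "name": "plain"}, "spec": {}}
]}
""")

if __name__ == "__main__":
    for name in pods_bypassing_taint(SAMPLE):
        print("tolerates manager taint:", name)
```

A key-less Exists toleration, as on the constructed dev/debug-all pod, is flagged because it tolerates every taint, including the manager one.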