Recipe: Prevent pods from being scheduled on specific nodes

Overview

Nodes with specialized processors, such as GPUs, can be more expensive to run than nodes on standard machines. To protect these nodes from workloads that don’t require special hardware, you can use Kubernetes taints. Taints mark nodes to repel pods that don’t have matching tolerations, ensuring only compatible workloads are scheduled. For more information, see Taints and Tolerations in the Kubernetes documentation.

Kubernetes node taints can be applied to new and existing managed node groups using the AWS Management Console or through the Amazon EKS API. This recipe shows how to apply taints to Amazon EKS managed node groups using the AWS CLI. For information on creating a node group with a taint using the AWS Management Console, see Create a managed node group for your cluster.

Prerequisites

An existing Amazon EKS cluster.
AWS CLI installed and configured with appropriate permissions.

Steps

Step 1: Create a node group with taints

Use the aws eks create-nodegroup command to create a new managed node group with taints. This example applies a taint with key dedicated, value gpuGroup, and effect NO_SCHEDULE.


aws eks create-nodegroup \
 --cli-input-json '
{
  "clusterName": "my-cluster",
  "nodegroupName": "node-taints-example",
  "subnets": [
     "subnet-1234567890abcdef0",
     "subnet-abcdef01234567890",
     "subnet-021345abcdef67890"
   ],
  "nodeRole": "arn:aws:iam::111122223333:role/AmazonEKSNodeRole",
  "taints": [
     {
         "key": "dedicated",
         "value": "gpuGroup",
         "effect": "NO_SCHEDULE"
     }
   ]
}'

For more information and examples, see taint in the Kubernetes reference documentation.

Step 2: Update taints on an existing node group

Use the aws eks update-nodegroup-config AWS CLI command to add, remove, or replace taints for managed node groups.


aws eks update-nodegroup-config
  --cluster-name my-cluster
  --nodegroup-name node-taints-example
  --taints 'removeTaints=[{key=dedicated,value=gpuGroup,effect=NO_SCHEDULE}]'

Notes

Taints can be updated after you create the node group using the UpdateNodegroupConfig API.
The taint key must begin with a letter or number. It can contain letters, numbers, hyphens (-), periods (.), and underscores (_). It can be up to 63 characters long.
Optionally, the taint key can begin with a DNS subdomain prefix and a single /. If it begins with a DNS subdomain prefix, it can be 253 characters long.
The value is optional and must begin with a letter or number. It can contain letters, numbers, hyphens (-), periods (.), and underscores (_). It can be up to 63 characters long.
When using Kubernetes directly or the AWS Management Console, the taint effect must be NoSchedule, PreferNoSchedule, or NoExecute. However, when using the AWS CLI or API, the taint effect must be NO_SCHEDULE, PREFER_NO_SCHEDULE, or NO_EXECUTE.
A maximum of 50 taints are allowed per node group.
If taints that were created using a managed node group are removed manually from a node, then Amazon EKS doesn’t add the taints back to the node. This is true even if the taints are specified in the managed node group configuration.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Recipes

Resources