What is Taint? | DevOps Dictionary

Taint — Extended Technical Detail

What is a Taint in Simple Terms?

A taint is like putting a "No Entry" sign on a node. By default, no pod will be scheduled on a tainted node. Only pods that explicitly say "I am allowed to go here" (via a Toleration) will be scheduled there.

◈ DIAGRAM

+------------------------------------------+
| Without Taint                            |
|                                          |
| gpu-node-1  <- any pod can land here    | <- Regular API pods, batch jobs,
| gpu-node-2  <- any pod can land here    |    and GPU workloads all compete
|                                          |    for expensive GPU nodes
+------------------------------------------+
 
+------------------------------------------+
| With Taint: workload=gpu:NoSchedule      |
|                                          |
| gpu-node-1  [TAINTED]                   | <- Only pods with matching
| gpu-node-2  [TAINTED]                   |    Toleration can land here.
|                                          |    API pods are repelled.
+------------------------------------------+

Real Use Case

At Hotstar, GPU nodes for video transcoding are expensive (10x the cost of regular nodes). Tainting them ensures only transcoding pods run there — not regular API pods accidentally consuming GPU capacity during a traffic spike.

Taint Effects — The Three Modes

◈ DIAGRAM

+------------------------+    +------------------------+    +------------------------+
| NoSchedule             |    | PreferNoSchedule       |    | NoExecute              |
|                        |    |                        |    |                        |
| New pods without       |    | Kubernetes will TRY    |    | New pods repelled AND  |
| Toleration will NOT    |    | to avoid this node     |    | existing pods without  |
| be scheduled here      |    | but may use it if no   |    | Toleration are EVICTED |
|                        |    | other node is free     |    |                        |
| Existing pods: safe    |    | Existing pods: safe    |    | Use for: maintenance   |
| Use for: isolation     |    | Use for: soft hints    |    | and node draining      |
+------------------------+    +------------------------+    +------------------------+

How to Add a Taint to a Node

Bash

1# Taint a node — only GPU workloads allowed
2kubectl taint nodes gpu-node-1 workload=gpu:NoSchedule
3# Taint format: key=value:effect
4 
5# Taint for node maintenance — evicts non-tolerating pods immediately
6kubectl taint nodes mumbai-worker-3 maintenance=patching:NoExecute
7 
8# Taint without a value (key-only taint)
9kubectl taint nodes gpu-node-1 dedicated:NoSchedule
10 
11# Verify the taint was applied
12kubectl describe node gpu-node-1 | grep -A 5 Taints
13# Taints: workload=gpu:NoSchedule

How to Remove a Taint

Bash

1# Add a minus sign at the end to remove — exact key=value:effect match required
2kubectl taint nodes gpu-node-1 workload=gpu:NoSchedule-
3 
4# Remove a key-only taint
5kubectl taint nodes gpu-node-1 dedicated:NoSchedule-
6 
7# Verify taint is gone
8kubectl describe node gpu-node-1 | grep Taints
9# Taints: <none>

The Matching Toleration in Pod Spec

A taint does nothing without a matching Toleration in the pod spec:

YAML

1# deployment.yaml — GPU transcoding pod that tolerates the taint
2apiVersion: apps/v1
3kind: Deployment
4metadata:
5  name: video-transcoder
6  namespace: streaming-prod
7spec:
8  template:
9    spec:
10      tolerations:
11        - key: "workload"
12          operator: "Equal"
13          value: "gpu"
14          effect: "NoSchedule"    # Must match the taint effect exactly
15      nodeSelector:
16        workload: gpu             # Also add nodeSelector to PREFER GPU nodes
17      containers:
18        - name: transcoder
19          image: registry.hotstar.in/transcoder:v4.2.1
20          resources:
21            limits:
22              nvidia.com/gpu: "1"  # Request 1 GPU

How to View Taints on All Nodes

Bash

1# Custom column output — quick overview
2kubectl get nodes -o custom-columns=NAME:.metadata.name,TAINTS:.spec.taints
3 
4# Full taint details including key, value, effect
5kubectl get nodes -o json | \
6  jq '.items[] | {name: .metadata.name, taints: .spec.taints}'
7 
8# Check a specific node
9kubectl describe node mumbai-worker-3 | grep -A 10 Taints

Taint + Toleration + NodeAffinity — The Complete Pattern

For hard node dedication (only GPU pods on GPU nodes, and GPU pods ONLY on GPU nodes), combine all three:

YAML

1spec:
2  tolerations:
3    - key: "workload"
4      operator: "Equal"
5      value: "gpu"
6      effect: "NoSchedule"
7  affinity:
8    nodeAffinity:
9      requiredDuringSchedulingIgnoredDuringExecution:
10        nodeSelectorTerms:
11          - matchExpressions:
12              - key: workload
13                operator: In
14                values: ["gpu"]

◈ DIAGRAM

+------------------------------------------+
| Taint on node                            | <- Repels non-GPU pods
+------------------------------------------+
| Toleration on pod                        | <- Allows GPU pod past the repel
+------------------------------------------+
| NodeAffinity on pod                      | <- Ensures GPU pod goes ONLY to
|                                          |    GPU nodes (not just tolerates)
+------------------------------------------+

Troubleshooting Common Taint Problems

Problem	Symptom	Fix
Pod stuck in `Pending` with taint	`0/5 nodes are available: 5 node(s) had taint`	Pod missing Toleration — add matching `tolerations` block to pod spec
Toleration set but pod still Pending	Pod has Toleration but won't schedule	Toleration `effect` doesn't match taint `effect` — they must be identical
Non-GPU pods landing on GPU nodes	Cost spike on GPU instance billing	Taint is set but pods have a catch-all Toleration (`operator: Exists`) — scope the Toleration to a specific key and value
NoExecute evicting critical pods	Running pods evicted unexpectedly	Wrong node tainted — verify `kubectl get nodes` names before applying `NoExecute`
Taint not removed after maintenance	Node still repelling pods after patch	Forgot the trailing `-` in `kubectl taint` remove command — re-run with `-` suffix

📌 Remember: Taints and Tolerations work together. A taint on a node does nothing unless the pod also has the matching Toleration. Forgetting the Toleration means the pod stays in Pending forever — and kubectl describe pod will show node(s) had taint in the Events section.

💡 Tip: Use NoExecute taint effect during node maintenance. It automatically evicts all non-tolerating pods, so you can safely patch the node without running kubectl drain manually. The system daemonsets (kube-proxy, CNI) always have built-in Tolerations for system taints and will not be evicted.

⚠️ Security: On PCI-DSS workloads like Razorpay's card processing pods, use NoSchedule taints on dedicated nodes to ensure no other workload can co-reside on those nodes. Co-tenancy on the same node means potential side-channel attacks via shared CPU caches — taint-based isolation is a critical compliance control.

🔴 Common Mistake: Using operator: Exists without a key in a Toleration. This creates a wildcard Toleration that matches ALL taints on ALL nodes — effectively defeating every taint in the cluster for that pod. Always scope Tolerations to a specific key.

Syncing Data

Taint

Technical Explanation & Usage

Taint — Extended Technical Detail

What is a Taint in Simple Terms?

Real Use Case

Taint Effects — The Three Modes

How to Add a Taint to a Node

How to Remove a Taint

The Matching Toleration in Pod Spec

How to View Taints on All Nodes

Taint + Toleration + NodeAffinity — The Complete Pattern

Troubleshooting Common Taint Problems

Related Terms

Namespace

Pod

Deployment