mirror of
https://github.com/kubernetes-sigs/node-feature-discovery.git
synced 2025-03-06 08:47:04 +00:00
cc6c20ff5f
Disallow taints having a key with "kubernetes.io/" or "*.kubernetes.io/" prefix. This is a precaution to protect the user from messing up with the "official" well-known taints from Kubernetes itself. The only exception is that the "nfd.node.kubernetes.io/" prefix is allowed. However, there is one allowed NFD-specific namespace (and its sub-namespaces) i.e. "feature.node.kubernetes.io" under the kubernetes.io domain that can be used for NFD-managed taints. Also disallow unprefixed taint keys. We don't add a default prefix to unprefixed taints (like we do for labels) from NodeFeatureRules. This is to prevent unpleasant surprises to users that need to manage matching tolerations for their workloads.
39 lines
1.2 KiB
YAML
39 lines
1.2 KiB
YAML
apiVersion: nfd.k8s-sigs.io/v1alpha1
|
|
kind: NodeFeatureRule
|
|
metadata:
|
|
name: e2e-test-3
|
|
spec:
|
|
rules:
|
|
# Positive test expected to set the taints
|
|
- name: "e2e-taint-test-1"
|
|
taints:
|
|
- effect: PreferNoSchedule
|
|
key: "feature.node.kubernetes.io/fake-special-node"
|
|
value: "exists"
|
|
- effect: NoExecute
|
|
key: "feature.node.kubernetes.io/foo"
|
|
value: "true"
|
|
# The following taints should be filtered out by nfd-master
|
|
- effect: PreferNoSchedule
|
|
key: "kubernetes.io/denied-1"
|
|
- effect: PreferNoSchedule
|
|
key: "node.kubernetes.io/denied-2"
|
|
- effect: PreferNoSchedule
|
|
key: "unprefixed-taint"
|
|
matchFeatures:
|
|
- feature: "fake.attribute"
|
|
matchExpressions:
|
|
"attr_1": {op: IsTrue}
|
|
"attr_2": {op: IsFalse}
|
|
|
|
# Negative test not supposed to set the taints
|
|
- name: "e2e-taint-test-2"
|
|
taints:
|
|
- effect: PreferNoSchedule
|
|
key: "feature.node.kubernetes.io/fake-cpu"
|
|
value: "true"
|
|
matchFeatures:
|
|
- feature: "fake.attribute"
|
|
matchExpressions:
|
|
"attr_1": {op: IsTrue}
|
|
"attr_2": {op: IsTrue}
|