Prevent Pods from being scheduled on specific nodes - Amazon EKS
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Help improve this page

To contribute to this user guide, choose the Edit this page on GitHub link that is located in the right pane of every page.

Prevent Pods from being scheduled on specific nodes

Nodes with specialized processors, such as GPUs, can be more expensive to run than nodes running on more standard machines. For that reason, you may want to protect those nodes from having workloads that don’t require special hardware from being deployed to those nodes. One way to do that is with taints.

Amazon EKS supports configuring Kubernetes taints through managed node groups. Taints and tolerations work together to ensure that Pods aren’t scheduled onto inappropriate nodes. One or more taints can be applied to a node. This marks that the node shouldn’t accept any Pods that don’t tolerate the taints. Tolerations are applied to Pods and allow, but don’t require, the Pods to schedule onto nodes with matching taints. For more information, see Taints and Tolerations in the Kubernetes documentation.

Kubernetes node taints can be applied to new and existing managed node groups using the Amazon Web Services Management Console or through the Amazon EKS API.

  • For information on creating a node group with a taint using the Amazon Web Services Management Console, see Create a managed node group for your cluster.

  • The following is an example of creating a node group with a taint using the Amazon CLI:

    aws eks create-nodegroup \
 --cli-input-json '
{
  "clusterName": "my-cluster",
  "nodegroupName": "node-taints-example",
  "subnets": [
     "subnet-1234567890abcdef0",
     "subnet-abcdef01234567890",
     "subnet-021345abcdef67890"
   ],
  "nodeRole": "arn:aws-cn:iam::111122223333:role/AmazonEKSNodeRole",
  "taints": [
     {
         "key": "dedicated",
         "value": "gpuGroup",
         "effect": "NO_SCHEDULE"
     }
   ]
}'

For more information and examples of usage, see taint in the Kubernetes reference documentation.

Note

  • Taints can be updated after you create the node group using the UpdateNodegroupConfig API.

  • The taint key must begin with a letter or number. It can contain letters, numbers, hyphens (-), periods (.), and underscores (_). It can be up to 63 characters long.

  • Optionally, the taint key can begin with a DNS subdomain prefix and a single /. If it begins with a DNS subdomain prefix, it can be 253 characters long.

  • The value is optional and must begin with a letter or number. It can contain letters, numbers, hyphens (-), periods (.), and underscores (_). It can be up to 63 characters long.

  • When using Kubernetes directly or the Amazon Web Services Management Console, the taint effect must be NoSchedule, PreferNoSchedule, or NoExecute. However, when using the Amazon CLI or API, the taint effect must be NO_SCHEDULE, PREFER_NO_SCHEDULE, or NO_EXECUTE.

  • A maximum of 50 taints are allowed per node group.

  • If taints that were created using a managed node group are removed manually from a node, then Amazon EKS doesn’t add the taints back to the node. This is true even if the taints are specified in the managed node group configuration.

You can use the aws eks update-nodegroup-config Amazon CLI command to add, remove, or replace taints for managed node groups.