Taints, Tolerations, and Node Cordoning

You just ran kubectl drain on a node before a kernel upgrade, and five minutes later a pod is still sitting there. Or you tainted a GPU node pool to keep general workloads off it, yet somehow a logging agent landed on it anyway. Both situations come down to the same mechanism: taints and tolerations.

Taints are the repulsive counterpart to node affinity. Where affinity attracts pods to specific nodes, taints push pods away. Tolerations are the exemptions: a pod that tolerates a taint can still schedule (or keep running) on a tainted node. Together with kubectl cordon and kubectl drain, they form the node-maintenance workflow you'll use regularly as a cluster administrator.