Preventing app workloads from running on edge worker nodes

A benefit of edge worker nodes is that they can be specified to run networking services only.

You can prevent workloads from running on edge worker nodes and consuming worker node resources by using Kubernetes taints.

Complete the following steps to prevent other workloads from running on edge worker nodes.

Before you begin

• Ensure that you have the following IAM roles:
  • Any platform access role for the cluster
  • Manager service access role for all namespaces
• Log in to your account. If applicable, target the appropriate resource group. Set the context for your cluster.

1. Create a worker pool with the label dedicated=edge or add the label to one of your existing worker pools.

   • To create a Classic worker pool, you can use the worker-pool create classic command.

     ibmcloud oc worker-pool create classic --name POOL_NAME --cluster CLUSTER --flavor FLAVOR --size-per-zone WORKERS_PER_ZONE --hardware ISOLATION --label dedicated=edge
     

   • To create a VPC worker pool, you can use the worker-pool create vpc-gen2 command.

     ibmcloud oc worker-pool create vpc-gen2 --name POOL_NAME --cluster CLUSTER --flavor FLAVOR --size-per-zone WORKERS_PER_ZONE --hardware ISOLATION --label dedicated=edge
     

   • To label an existing worker pool, you can use the worker-pool label set command.

     ibmcloud oc worker-pool label set --cluster CLUSTER --worker-pool POOL --label dedicated=edge
     

2. Verify that the worker pool and worker nodes have the dedicated=edge label.

   • To check the worker pool, run the get command.

     ibmcloud ks worker-pool get --cluster <cluster_name_or_ID> --worker-pool <worker_pool_name_or_ID>
     

   • To check individual worker nodes, review the Labels field of the output of the following command.

     kubectl describe node <worker_node_private_IP>
     

3. Apply a taint to the worker nodes with the dedicated=edge label. The taint prevents pods from running on the worker node and removes pods that don't have the dedicated=edge label from the worker node. The pods that are removed are redeployed to other worker nodes with capacity.

   To apply a taint to all existing and future worker nodes in a worker pool:

   ibmcloud ks worker-pool taint set -c <cluster_name_or_ID> --worker-pool <worker_pool_name_or_ID> --taint dedicated=edge:NoExecute
   

   To apply a taint to individual worker nodes:

   kubectl taint node -l dedicated=edge dedicated=edge:NoExecute
   

   Now, only pods with the dedicated=edge toleration are deployed to your edge worker nodes.

4. Verify that your edge nodes are tainted.

   kubectl describe nodes -l dedicated=edge | egrep "Taints|Hostname"
   

   Example output

   Taints:             dedicated=edge:NoExecute
       Hostname:    10.176.48.83
     Taints:             dedicated=edge:NoExecute
   Hostname:    10.184.58.7