Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

Preparing a CTE for Kubernetes Volume for Deployment

Using Taints and Tolerations

search

Please Note:

Using Taints and Tolerations

Note

Using Taints and Tolerations is optional.

You can apply Taints and Tolerations to the CTE for Kubernetes application pod that you are running. You can also create your staging pod with toleration.

Taints allow a node to repel a set of pods. Tolerations are applied to pods. Tolerations allow the scheduler to schedule pods with matching taints as long as it's allowed by the other associated parameters.

Taints and Tolerations work together to ensure that pods are not scheduled onto inappropriate nodes. Once one or more taints are applied to a node, the node should not accept any pods that do not tolerate the taints.

For more information, see Kubernetes Taints and Tolerations.

Using Taints and Tolerations with CTE for Kubernetes

CTE for Kubernetes now supports nodes with taints. You can specify a toleration in a pod_spec for the staging pod of a CTE for Kubernetes volume. To do this, CTE for Kubernetes added annotation support to a CTE for Kubernetes PVC. This annotation uses a base64 encoded string for input. Kubernetes requires the pod to pass the info to the cluster as a single base64 encoded string. The only way to create this is to manually encode the yaml file that contains the Taints and Tolerations. CTE for Kubernetes takes the yaml file and extracts any toleration definitions contained in it and appends them to the staging pod when that PVC is mounted anywhere in the cluster. Any values in the YAML file that are not related to toleration are ignored.

Note

To apply Taints and Tolerations to a pod, you must first shut down the pod. Additionally, support for toleration must be added at PVC creation time. Modifying an existing PVC with the added toleration is not supported because the CTE PVC was not created with the required immutable volume attributes.

Applying Taints and Tolerations

  1. Create and add the taint to a node, type:

    kubectl taint nodes <nodeName> <keyName>=<valueName>:<taintEffect>

    Example:

    kubectl taint nodes node1 key1=value1:NoExecute

  2. Create a tolerations yaml file. The tolerations must match the taint created in the previous step. The file should look similar to the following:

    cat <cte_tolerations>.yaml

    Response:

    spec:
    tolerations:
  - key: "key1"
    operator: "Equal"
    value: "value1"
    effect: "NoExecute"

    Note

    The taint effect NoSchedule does not work with Taints and Tolerations for CTE for Kubernetes.

  3. Write the tolerations yaml file to a text file while generating the base64 encoding and appending the file with the string, type:

    cat <cte_tolerations>.yaml | base64 -w0

    Response:

    c3BlYzoKICB0b2xlcmF0aW9uczoKICAtIGtleTogImtleTEiCiAgICBvcGVyYXRvcjogIkVxdWFsIgogICAgdmFsdWU6ICJ2YWx1ZTEiCiAgICBlZmZlY3Q6ICJOb0V4ZWN1dGUiCg==

  4. Once the base64 string is generated, the PVC is generated. Append the value to the PVC. For example:

    cat <cte_pvc_fileName>.yaml

    Response:

    apiVersion: v1
kind: PersistentVolumeClaim
metadata:
    name: cte-csi-claim
    annotations:
        csi.cte.cpl.thalesgroup.com/policy: <policyName>
        csi.cte.cpl.thalesgroup.com/source_pvc: <pvcName>-claim
        csi.cte.cpl.thalesgroup.com/spec_append: c3BlYzoKICB0b2xlcmF0aW9uczoKICAtIGtleTogImtleTEiCiAgICBvcGVyYXRvcjogIkVxdWFsIgogICAgdmFsdWU6ICJ2YWx1ZTEiCiAgICBlZmZlY3Q6ICJOb0V4ZWN1dGUiCg==
spec:
    storageClassName: <storageClassName
    accessModes:
    - ReadWriteMany
resources:
    requests:
        storage: 10Gi

For more information, see the Command line tool (kubectl).

CTE Staging Container Resource Settings

This feature allows you to configure container resource settings for the CTE staging pod. This is useful if, for example, a default policy for resource settings is enabled for the container, but is not configured with CPU and memory resource limits, because this could cause the staging pod to terminate.

To configure:

  1. Create a yaml file which contains the container resources:

    a. Print the contents of the CTE tolerations file, type:

        cat <cte_tolerations>.yaml

    Response:

        spec:
     containers:
     - name: <container-name>
      resources:
       limits:
        cpu: "500m"
        memory: "200Mi"
      requests:
        cpu: "500m"
        memory: "100Mi"

  2. Generate the base64 encoded string, type:

    cat <cte_tolerations>.yaml | base64 -w0

    Response

    c3BlYzoKwqAgY29udGFpbmVyczoKwqAgLSzOgrCoCDCoCDCoCDCoCBjcHU6ICI1MDBtIgrCoCDCoCDCoCDCoCBtZW1..........sKgIMKgIMKgIMKgIG1lbW9yeTogIjEwME1pIgo=

  3. Append the PVC parameter csi.cte.cpl.thalesgroup.com/spec_append with the base64 string, type:

    cat <cte_pvc_fileName>.yaml

    Response:

    apiVersion: v1
kind: PersistentVolumeClaim
metadata:
    name: cte-csi-claim
    annotations:
        csi.cte.cpl.thalesgroup.com/policy: <policyName>
        csi.cte.cpl.thalesgroup.com/source_pvc: <source-PVC-Claim>
        csi.cte.cpl.thalesgroup.com/spec_append: c3BlYzoKwqAgY29udGFpbmVyczoKwqAgLSzOgrCoCDCoCDCoCDCoCBjcHU6ICI1MDBtIgrCoCDCoCDCoCDCoCBtZW1..........sKgIMKgIMKgIMKgIG1lbW9yeTogIjEwME1pIgo= 
spec:
    storageClassName: <CTE-storageClassName>
    accessModes:
    - ReadWriteMany
resources:
    requests:
        storage: 10Gi

Note

You can use all of the supported spec append members with csi.cte.cpl.thalesgroup.com/spec_append. That means that you can enable/apply multiple features (toleration, container resource settings, or both features simultaneously).

For example, using both tolerations and container resource settings:

  • cat csi.cte.cpl.thalesgroup.com/spec_append

    Response:

    spec:
    tolerations:
- key: "testkey1"
 operator: "Equal"
 value: "testvalue1"
 effect: "NoExecute"
containers:
- name: ubuntu1
 resources:
  limits:
    cpu: "500m"
    memory: "200Mi"
  requests:
    cpu: "250m"
    memory: "100Mi"

On this page