Workload node deployment

By default, user workloads cannot run on manager nodes. This is to ensure that cluster management functionality remains performant and to enhance cluster security. You can, however, override this behavior.

⚠️
With the default restriction in place, a malicious workload that compromises the node on which it is running is confined to that worker node: it gains no foothold on the manager nodes and cannot directly affect cluster management functionality. Allowing workloads onto manager nodes removes that isolation.

Restrict workload deployment to Kubernetes worker nodes

By default, MKE clusters use Kubernetes taints and tolerations to prevent user workloads from deploying to MKE manager nodes.

To view the taints, run the following command:

$ kubectl get nodes <mkemanager> -o json | jq -r '.spec.taints | .[]'

Example of system response:

{
  "effect": "NoSchedule",
  "key": "node-role.kubernetes.io/master"
}

Allow workload deployment on Kubernetes MKE manager nodes

You can override the protection that Kubernetes taints provide by adding a matching toleration to the Pod specification. Any workload that carries such a toleration becomes eligible to schedule onto manager nodes. The toleration key and effect must match the taint that the manager node actually reports, so inspect the node's taints first.

To add a toleration to the Pod specification for existing workloads:

  1. Add the following toleration to the Pod specification, either through the MKE web UI or using the kubectl edit <resource> <name> command:

    tolerations:
    - key: "node-role.kubernetes.io/master"
      operator: "Exists"
      effect: "NoSchedule"
  2. Inspect the modified object to verify the successful application of the toleration.
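The taint listing above and the toleration added in the procedure only work together when the key, operator and effect line up. The following script, added here as an illustration and not part of the MKE documentation or the MKE product code, reimplements the Kubernetes taint/toleration matching rules so that a toleration can be checked offline against the taint list returned by the kubectl and jq command shown earlier. The node JSON is a constructed sample that mirrors the page's output; the node name mkemanager and the control-plane toleration used as a counter-example are assumptions for the demonstration.

```python
"""Check whether a Pod's tolerations permit scheduling onto a tainted node.

Added example; not from the MKE documentation or the MKE code base.
Implements the upstream Kubernetes matching rules for tolerations so the
toleration from the procedure above can be tested against the taint list
that `kubectl get nodes <mkemanager> -o json | jq '.spec.taints'` returns.
"""
import json

# Constructed sample: one manager node carrying exactly the taint the page shows.
MANAGER_NODE_JSON = json.dumps({
    "metadata": {"name": "mkemanager"},  # assumed node name
    "spec": {"taints": [
        {"effect": "NoSchedule", "key": "node-role.kubernetes.io/master"}
    ]},
})


def tolerates(toleration: dict, taint: dict) -> bool:
    """Kubernetes matching rule for one toleration against one taint.

    - An empty key with operator Exists matches every taint key.
    - An empty effect matches every taint effect.
    - operator Exists ignores the value; Equal (the default) compares it.
    """
    op = toleration.get("operator", "Equal")
    key = toleration.get("key", "")
    effect = toleration.get("effect", "")
    if key and key != taint.get("key"):
        return False
    if effect and effect != taint.get("effect"):
        return False
    if op == "Exists":
        return True
    if op == "Equal":
        return toleration.get("value", "") == taint.get("value", "")
    raise ValueError(f"unknown toleration operator: {op!r}")


def untolerated_taints(node_json: str, tolerations: list) -> list:
    """Return the node's taints that no toleration in the Pod spec covers."""
    node = json.loads(node_json)
    taints = node.get("spec", {}).get("taints") or []
    return [t for t in taints
            if not any(tolerates(tol, t) for tol in tolerations)]


def can_schedule(node_json: str, tolerations: list) -> bool:
    """True when every NoSchedule and NoExecute taint on the node is tolerated.

    PreferNoSchedule is a soft taint: the scheduler may still place the Pod
    there, so it is not treated as blocking.
    """
    blocking = [t for t in untolerated_taints(node_json, tolerations)
                if t.get("effect") in ("NoSchedule", "NoExecute")]
    return not blocking


# The toleration the procedure above adds to the Pod specification.
PAGE_TOLERATION = [{"key": "node-role.kubernetes.io/master",
                    "operator": "Exists", "effect": "NoSchedule"}]

# Counter-example (assumed): a toleration for the control-plane taint key that
# newer upstream Kubernetes uses. It does not match the key this node reports,
# so the Pod stays blocked, which is why the node's taints are inspected first.
CONTROL_PLANE_TOLERATION = [{"key": "node-role.kubernetes.io/control-plane",
                             "operator": "Exists", "effect": "NoSchedule"}]

if __name__ == "__main__":
    for label, tols in (("no toleration", []),
                        ("page toleration", PAGE_TOLERATION),
                        ("control-plane key", CONTROL_PLANE_TOLERATION)):
        print(f"{label:18} -> schedulable on manager: "
              f"{can_schedule(MANAGER_NODE_JSON, tols)}")
```

To check a real node, replace MANAGER_NODE_JSON with the output of kubectl get nodes <mkemanager> -o json and pass the tolerations list from the workload's Pod spec; an empty result from untolerated_taints means the workload will be eligible for the manager node once the edit is saved.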
