Merge pull request #1275 from louiznk/feat/toleration/control_plane

feat: add NoSchedule toleration on key node-role.kubernetes.io/master

manifests/coredns.yaml

@@ -99,6 +99,9 @@ spec:
       tolerations:
         - key: "CriticalAddonsOnly"
           operator: "Exists"
+        - key: "node-role.kubernetes.io/master"
+          operator: "Exists"
+          effect: "NoSchedule"
       nodeSelector:
         beta.kubernetes.io/os: linux
       containers:

manifests/local-storage.yaml

@@ -51,6 +51,12 @@ spec:
         app: local-path-provisioner
     spec:
       serviceAccountName: local-path-provisioner-service-account
+      tolerations:
+          - key: "CriticalAddonsOnly"
+            operator: "Exists"
+          - key: "node-role.kubernetes.io/master"
+            operator: "Exists"
+            effect: "NoSchedule"
       containers:
       - name: local-path-provisioner
         image: rancher/local-path-provisioner:v0.0.11

manifests/metrics-server/metrics-server-deployment.yaml

@@ -23,6 +23,12 @@ spec:
         k8s-app: metrics-server
     spec:
       serviceAccountName: metrics-server
+      tolerations:
+        - key: "CriticalAddonsOnly"
+          operator: "Exists"
+        - key: "node-role.kubernetes.io/master"
+          operator: "Exists"
+          effect: "NoSchedule"
       volumes:
       # mount in tmp so we can safely use from-scratch images and/or read-only containers
       - name: tmp-dir

manifests/traefik.yaml

@@ -5,9 +5,21 @@ metadata:
   namespace: kube-system
 spec:
   chart: https://%{KUBERNETES_API}%/static/charts/traefik-1.81.0.tgz
-  set:
+  valuesContent: |-
-    rbac.enabled: "true"
+    rbac:
-    ssl.enabled: "true"
+      enabled: true
-    metrics.prometheus.enabled: "true"
+    ssl:
-    kubernetes.ingressEndpoint.useDefaultPublishedService: "true"
+      enabled: true
+    metrics:
+      prometheus:
+        enabled: true
+    kubernetes:
+      ingressEndpoint:
+        useDefaultPublishedService: true
     image: "rancher/library-traefik"
+    tolerations:
+      - key: "CriticalAddonsOnly"
+        operator: "Exists"
+      - key: "node-role.kubernetes.io/master"
+        operator: "Exists"
+        effect: "NoSchedule"

pkg/servicelb/controller.go

@@ -356,6 +356,22 @@ func (h *handler) newDaemonSet(svc *core.Service) (*apps.DaemonSet, error) {
 
 		ds.Spec.Template.Spec.Containers = append(ds.Spec.Template.Spec.Containers, container)
 	}
+
+	// Add toleration to noderole.kubernetes.io/master=*:NoSchedule
+	noScheduleToleration := core.Toleration{
+		Key:      "noderole.kubernetes.io/master",
+		Operator: "Exists",
+		Effect:   "NoSchedule",
+	}
+	ds.Spec.Template.Spec.Tolerations = append(ds.Spec.Template.Spec.Tolerations, noScheduleToleration)
+
+	// Add toleration to CriticalAddonsOnly
+	criticalAddonsOnlyToleration := core.Toleration{
+		Key:      "CriticalAddonsOnly",
+		Operator: "Exists",
+	}
+	ds.Spec.Template.Spec.Tolerations = append(ds.Spec.Template.Spec.Tolerations, criticalAddonsOnlyToleration)
+
 	// Add node selector only if label "svccontroller.k3s.cattle.io/enablelb" exists on the nodes
 	selector, err := labels.Parse(daemonsetNodeLabel)
 	if err != nil {