feat: add Kubernetes taints support for worker nodes

mrclrchtr · claude · mrclrchtr · commit fc6512ae46a1 · 2025-09-05T11:04:06.000+02:00
- Add taints field to worker_nodes variable for workload isolation
- Implement registerWithTaints in kubelet configuration per Talos best practices
- Update README with taint configuration examples
- Add taints to both legacy and new worker configurations
- Remove unused debug variable in talos_patch_worker.tf

Based on Talos discussion #9895, taints are applied at node registration
using kubelet.registerWithTaints to comply with NodeRestriction admission.

🤖 Generated with Claude Code

Co-Authored-By: Claude &lt;noreply@anthropic.com&gt;
diff --git a/README.md b/README.md
@@ -234,13 +234,20 @@ module "talos" {
         "node.kubernetes.io/instance-type" = "cx22"
       }
     },
-    # ARM workers for specific workloads
+    # ARM workers for specific workloads with taints
     {
       type   = "cax22"
       labels = {
         "node.kubernetes.io/arch"          = "arm64"
         "affinity.example.com" = "example"
       }
+      taints = [
+        {
+          key    = "arm64-only"
+          value  = "true"
+          effect = "NoSchedule"
+        }
+      ]
     }
   ]
 }
@@ -250,6 +257,7 @@ module "talos" {
 > The `worker_nodes` variable allows you to:
 > - Mix different server types (x86 and ARM)
 > - Add custom labels to nodes
+> - Apply taints for workload isolation
 > - Control the count of each node type independently
 > 
 > The legacy `worker_count` and `worker_server_type` variables are still supported for backward compatibility but are deprecated in favor of `worker_nodes`.
diff --git a/server.tf b/server.tf
@@ -41,6 +41,7 @@ locals {
       ipv6_public_subnet  = var.enable_ipv6 ? local.worker_public_ipv6_subnet_list[i] : null
       ipv4_private        = local.worker_private_ipv4_list[i]
       labels              = {}
+      taints              = []
       node_group_index    = 0
       node_in_group_index = i
     }
@@ -62,6 +63,7 @@ locals {
       ipv6_public_subnet = var.enable_ipv6 ? local.worker_public_ipv6_subnet_list[local.legacy_worker_count + i] : null
       ipv4_private       = local.worker_private_ipv4_list[local.legacy_worker_count + i]
       labels             = worker.labels
+      taints             = worker.taints
     }
   ]
 
diff --git a/talos_patch_worker.tf b/talos_patch_worker.tf
@@ -10,6 +10,7 @@ locals {
     ipv6_public_subnet  = null                                # Fallback
     ipv4_private        = cidrhost(local.node_ipv4_cidr, 200) # Use a predictable dummy private IP
     labels              = {}
+    taints              = []
     node_group_index    = 0
     node_in_group_index = 0
   }] : []
@@ -29,20 +30,34 @@ locals {
           ]
         }
         certSANs = local.cert_SANs
-        kubelet = {
-          extraArgs = merge(
-            {
-              "cloud-provider"             = "external"
-              "rotate-server-certificates" = true
-            },
-            var.kubelet_extra_args
-          )
-          nodeIP = {
-            validSubnets = [
-              local.node_ipv4_cidr
-            ]
-          }
-        }
+        kubelet = merge(
+          {
+            extraArgs = merge(
+              {
+                "cloud-provider"             = "external"
+                "rotate-server-certificates" = true
+              },
+              var.kubelet_extra_args
+            )
+            nodeIP = {
+              validSubnets = [
+                local.node_ipv4_cidr
+              ]
+            }
+          },
+          # Add registerWithTaints if taints are defined
+          length(worker.taints) > 0 ? {
+            extraConfig = {
+              registerWithTaints = [
+                for taint in worker.taints : {
+                  key    = taint.key
+                  value  = taint.value
+                  effect = taint.effect
+                }
+              ]
+            }
+          } : {}
+        )
         network = {
           extraHostEntries = local.extra_host_entries
           kubespan = {
@@ -95,5 +110,4 @@ locals {
       }
     }
   }
-  value = ""
 }
diff --git a/variables.tf b/variables.tf
@@ -248,13 +248,19 @@ variable "worker_nodes" {
   type = list(object({
     type   = string
     labels = optional(map(string), {})
+    taints = optional(list(object({
+      key    = string
+      value  = string
+      effect = string
+    })), [])
   }))
   default     = []
   description = <<EOF
     List of worker node configurations. Each object defines a group of worker nodes with the same configuration.
     - type: Server type (cx11, cx21, cx22, cx31, cx32, cx41, cx42, cx51, cx52, cpx11, cpx21, cpx31, cpx41, cpx51, cax11, cax21, cax31, cax41, ccx13, ccx23, ccx33, ccx43, ccx53, ccx63)
     - count: Number of nodes of this type
     - labels: Map of Kubernetes labels to apply to these nodes (default: {})
+    - taints: List of Kubernetes taints to apply to these nodes (default: [])
     
     Example:
     worker_nodes = [
@@ -266,6 +272,13 @@ variable "worker_nodes" {
         labels = {
           "node.kubernetes.io/arch" = "arm64"
         }
+        taints = [
+          {
+            key    = "workload-type"
+            value  = "gpu"
+            effect = "NoSchedule"
+          }
+        ]
       }
     ]
   EOF

Original file line number	Diff line number	Diff line change
`@@ -234,13 +234,20 @@ module "talos" {`
`234`	`234`	`"node.kubernetes.io/instance-type" = "cx22"`
`235`	`235`	`}`
`236`	`236`	`},`
`237`		`- # ARM workers for specific workloads`
	`237`	`+ # ARM workers for specific workloads with taints`
`238`	`238`	`{`
`239`	`239`	`type = "cax22"`
`240`	`240`	`labels = {`
`241`	`241`	`"node.kubernetes.io/arch" = "arm64"`
`242`	`242`	`"affinity.example.com" = "example"`
`243`	`243`	`}`
	`244`	`+ taints = [`
	`245`	`+ {`
	`246`	`+ key = "arm64-only"`
	`247`	`+ value = "true"`
	`248`	`+ effect = "NoSchedule"`
	`249`	`+ }`
	`250`	`+ ]`
`244`	`251`	`}`
`245`	`252`	`]`
`246`	`253`	`}`
`@@ -250,6 +257,7 @@ module "talos" {`
`250`	`257`	> The `worker_nodes` variable allows you to:
`251`	`258`	`> - Mix different server types (x86 and ARM)`
`252`	`259`	`> - Add custom labels to nodes`
	`260`	`+> - Apply taints for workload isolation`
`253`	`261`	`> - Control the count of each node type independently`
`254`	`262`	`>`
`255`	`263`	> The legacy `worker_count` and `worker_server_type` variables are still supported for backward compatibility but are deprecated in favor of `worker_nodes`.
Original file line number	Diff line number	Diff line change
`@@ -41,6 +41,7 @@ locals {`
`41`	`41`	`ipv6_public_subnet = var.enable_ipv6 ? local.worker_public_ipv6_subnet_list[i] : null`
`42`	`42`	`ipv4_private = local.worker_private_ipv4_list[i]`
`43`	`43`	`labels = {}`
	`44`	`+ taints = []`
`44`	`45`	`node_group_index = 0`
`45`	`46`	`node_in_group_index = i`
`46`	`47`	`}`
`@@ -62,6 +63,7 @@ locals {`
`62`	`63`	`ipv6_public_subnet = var.enable_ipv6 ? local.worker_public_ipv6_subnet_list[local.legacy_worker_count + i] : null`
`63`	`64`	`ipv4_private = local.worker_private_ipv4_list[local.legacy_worker_count + i]`
`64`	`65`	`labels = worker.labels`
	`66`	`+ taints = worker.taints`
`65`	`67`	`}`
`66`	`68`	`]`
`67`	`69`