Recommend 'NoExecute' instead of 'NoSchedule'.

To prevent situations in which the GKE node is forcibly stopped and
re-created from causing unmanaged pods, and building on the observation
that the node comes back with the same name and pods are already
scheduled there, we change the recommended taint effect from NoSchedule
to NoExecute, to cause any previously scheduled pods to be evicted,
preventing them from getting IPs assigned by the default CNI. This
should not impact other environments due to the nature of 'NoExecute',
so we recommend it everywhere.

[ cilium/cilium commit b049574 ]

Signed-off-by: Bruno Miguel Custódio <[email protected]>
Co-authored-by: Tam Mach <[email protected]>

.github/workflows/aks.yaml

@@ -101,14 +101,14 @@ jobs:
             ${{ env.cost_reduction }} \
             --no-wait
 
-          # Create user node pool tainted with `node.cilium.io/agent-not-ready=true:NoSchedule`
+          # Create user node pool tainted with `node.cilium.io/agent-not-ready=true:NoExecute`
           az aks nodepool add \
             --resource-group ${{ env.name }} \
             --cluster-name ${{ env.name }} \
             --name userpool \
             --mode user \
             --node-count 2 \
-            --node-taints "node.cilium.io/agent-not-ready=true:NoSchedule" \
+            --node-taints "node.cilium.io/agent-not-ready=true:NoExecute" \
             ${{ env.cost_reduction }} \
             --no-wait
 

.github/workflows/eks-tunnel.yaml

@@ -95,7 +95,7 @@ jobs:
               taints:
                - key: "node.cilium.io/agent-not-ready"
                  value: "true"
-                 effect: "NoSchedule"
+                 effect: "NoExecute"
           EOF
 
           eksctl create cluster -f ./eks-config.yaml

.github/workflows/eks.yaml

@@ -95,7 +95,7 @@ jobs:
             taints:
              - key: "node.cilium.io/agent-not-ready"
                value: "true"
-               effect: "NoSchedule"
+               effect: "NoExecute"
           EOF
 
           eksctl create cluster -f ./eks-config.yaml

.github/workflows/externalworkloads.yaml

@@ -99,7 +99,7 @@ jobs:
             --machine-type e2-custom-2-4096 \
             --disk-type pd-standard \
             --disk-size 10GB \
-            --node-taints node.cilium.io/agent-not-ready=true:NoSchedule \
+            --node-taints node.cilium.io/agent-not-ready=true:NoExecute \
             --preemptible
           CLUSTER_CIDR=$(gcloud container clusters describe ${{ env.clusterName }} --zone ${{ env.zone }} --format="value(clusterIpv4Cidr)")
           echo ::set-output name=cluster_cidr::${CLUSTER_CIDR}

.github/workflows/gke.yaml

@@ -78,7 +78,7 @@ jobs:
             --machine-type e2-custom-2-4096 \
             --disk-type pd-standard \
             --disk-size 10GB \
-            --node-taints node.cilium.io/agent-not-ready=true:NoSchedule \
+            --node-taints node.cilium.io/agent-not-ready=true:NoExecute \
             --preemptible
           CLUSTER_CIDR=$(gcloud container clusters describe ${{ env.clusterName }} --zone ${{ env.zone }} --format="value(clusterIpv4Cidr)")
           echo ::set-output name=cluster_cidr::${CLUSTER_CIDR}

.github/workflows/multicluster.yaml

@@ -84,7 +84,7 @@ jobs:
             --machine-type e2-custom-2-4096 \
             --disk-type pd-standard \
             --disk-size 10GB \
-            --node-taints node.cilium.io/agent-not-ready=true:NoSchedule \
+            --node-taints node.cilium.io/agent-not-ready=true:NoExecute \
             --preemptible \
             --enable-ip-alias
 
@@ -107,7 +107,7 @@ jobs:
             --machine-type e2-custom-2-4096 \
             --disk-type pd-standard \
             --disk-size 10GB \
-            --node-taints node.cilium.io/agent-not-ready=true:NoSchedule \
+            --node-taints node.cilium.io/agent-not-ready=true:NoExecute \
             --preemptible \
             --enable-ip-alias