Kubernetes
Pods
Scheduling
Master Node
Container Orchestration

Allow scheduling of pods on Kubernetes master?

Master System Design with Codemia

Enhance your system design skills with over 120 practice problems, detailed solutions, and hands-on exercises.

Introduction

Kubernetes normally keeps ordinary workloads off control-plane nodes, which older documentation often calls master nodes. If you want pods to run there, the scheduler is usually being blocked by a taint on purpose rather than ignoring your workload by accident.

Why Scheduling Is Blocked

Control-plane nodes run core services such as the API server, scheduler, and controller manager. To protect those components, Kubernetes commonly applies a NoSchedule taint to the node.

On newer clusters the taint key is typically node-role.kubernetes.io/control-plane. On older clusters you may still see node-role.kubernetes.io/master.

Inspect the node first:

bash
kubectl describe node my-control-plane

In the output, look for a taint similar to one of these:

text
node-role.kubernetes.io/control-plane:NoSchedule
node-role.kubernetes.io/master:NoSchedule

That taint is why a normal pod does not land there.

Option 1: Remove the Taint

If this is a local cluster, lab environment, or single-node setup, removing the taint is the simplest solution.

For the current control-plane key:

bash
kubectl taint nodes my-control-plane node-role.kubernetes.io/control-plane:NoSchedule-

For older clusters:

bash
kubectl taint nodes my-control-plane node-role.kubernetes.io/master:NoSchedule-

The trailing dash removes the taint. After that, ordinary pods become eligible to schedule on that node.

This is common in development clusters created with kubeadm, kind, or other small test setups where there is little or no worker capacity.

Option 2: Keep the Taint and Add a Toleration

If you only want one workload to be allowed on the control-plane node, add a toleration instead of changing the whole node policy.

yaml
1apiVersion: v1
2kind: Pod
3metadata:
4  name: debug-on-control-plane
5spec:
6  tolerations:
7    - key: node-role.kubernetes.io/control-plane
8      operator: Exists
9      effect: NoSchedule
10  containers:
11    - name: shell
12      image: busybox:1.36
13      command: ["sh", "-c", "sleep 3600"]

That tells the scheduler the pod is allowed to tolerate the taint.

Important detail: a toleration allows placement, but it does not force placement. The pod may still be scheduled onto a worker node if one is available.

Option 3: Add a Node Selector Too

If you want the pod to specifically target the control-plane node, combine the toleration with node selection.

yaml
1apiVersion: apps/v1
2kind: Deployment
3metadata:
4  name: control-plane-tool
5spec:
6  replicas: 1
7  selector:
8    matchLabels:
9      app: control-plane-tool
10  template:
11    metadata:
12      labels:
13        app: control-plane-tool
14    spec:
15      nodeSelector:
16        node-role.kubernetes.io/control-plane: ""
17      tolerations:
18        - key: node-role.kubernetes.io/control-plane
19          operator: Exists
20          effect: NoSchedule
21      containers:
22        - name: tool
23          image: busybox:1.36
24          command: ["sh", "-c", "sleep 3600"]

If your cluster uses the older master label and taint, update both keys accordingly.

When This Is a Good Idea

Scheduling onto control-plane nodes is reasonable in these cases:

  • single-node development clusters
  • home lab clusters with limited hardware
  • temporary debugging or recovery work
  • infrastructure add-ons placed there intentionally

For general production workloads, it is usually the wrong tradeoff. Application traffic can compete with cluster-critical services for CPU, memory, and disk I/O.

Common Pitfalls

A common mistake is adding only a toleration and expecting the pod to move onto the control-plane node. A toleration merely permits placement. It does not express a preference or requirement.

Another mistake is following older blog posts without checking whether the cluster uses the master key or the modern control-plane key. Both exist in the wild, and using the wrong one makes it seem like the YAML has no effect.

A third issue is removing the taint on a production cluster just to make scheduling easier. That can create control-plane instability that is much harder to diagnose later.

Summary

  • Control-plane nodes are usually protected by a NoSchedule taint
  • You can allow pods there by removing the taint or by adding a matching toleration
  • Use the control-plane key on newer clusters and master on older ones
  • A toleration allows placement but does not force placement
  • Keep ordinary production workloads off control-plane nodes unless the tradeoff is deliberate

Course illustration
Course illustration

All Rights Reserved.