@ajaysundark ajaysundark commented Feb 3, 2026

  • One-line PR description: adding new KEP for wildcard toleration keys
  • Other comments: cc @kubernetes/sig-scheduling-misc @kubernetes/sig-apps-misc

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ajaysundark
Once this PR has been reviewed and has the lgtm label, please assign deads2k, sanposhiho for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory sig/scheduling Categorizes an issue or PR as relevant to SIG Scheduling. labels Feb 3, 2026
@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Feb 3, 2026
@helayoty
Member

helayoty commented Feb 3, 2026

/cc

@k8s-ci-robot k8s-ci-robot requested a review from helayoty February 3, 2026 18:21
@helayoty helayoty moved this to Needs Review in SIG Scheduling Feb 3, 2026
- Running pods will continue running.
- New pods if they use `*` in tolerations, validation will fail (if disabled at
`kube-apiserver`). If only disabled in `kube-scheduler`, they will
schedule but the wildcard will be treated literally matching nothing.

Hi @ajaysundark,
Here the rollback plan is too optimistic. If the feature is disabled, we face two major 'broken' states:

  1. Mass Evictions: Pods using wildcards to tolerate NoExecute taints will no longer be protected and will be evicted immediately.
  2. Stalled Controllers: Existing Deployments or DaemonSets with wildcards in their templates will fail to create new Pods because the API server will reject the * during validation.

How are you planning to solve this issue?
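The rollback concern raised in the comment above can be checked ahead of time by comparing toleration matching with the gate on and off. The following is an added example, not code from the PR, the KEP or Kubernetes: the types are simplified stand-ins, the trailing-`*` prefix semantics are an assumption about the proposal, and the taint keys in `main` are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Taint and Toleration are simplified stand-ins for the Kubernetes API types.
type Taint struct{ Key, Effect string }
type Toleration struct{ Key, Operator, Effect string }

// keyMatches compares a toleration key with a taint key. With the gate on, a
// trailing "*" is treated as a prefix wildcard (assumed semantics); with the
// gate off the key is compared literally, so "*" is just a character.
func keyMatches(tolKey, taintKey string, wildcardGate bool) bool {
	if wildcardGate && strings.HasSuffix(tolKey, "*") {
		return strings.HasPrefix(taintKey, strings.TrimSuffix(tolKey, "*"))
	}
	return tolKey == taintKey
}

// Tolerates reports whether any Exists toleration covers the taint.
// The Equal operator and the empty-key case are omitted in this sketch.
func Tolerates(tols []Toleration, t Taint, wildcardGate bool) bool {
	for _, tol := range tols {
		effectOK := tol.Effect == "" || tol.Effect == t.Effect
		if tol.Operator == "Exists" && effectOK && keyMatches(tol.Key, t.Key, wildcardGate) {
			return true
		}
	}
	return false
}

// UntoleratedNoExecute lists the NoExecute taints that are tolerated only
// while the gate is on: the exposure to review before disabling the feature.
func UntoleratedNoExecute(tols []Toleration, taints []Taint) []string {
	var lost []string
	for _, t := range taints {
		if t.Effect == "NoExecute" && Tolerates(tols, t, true) && !Tolerates(tols, t, false) {
			lost = append(lost, t.Key)
		}
	}
	return lost
}

func main() {
	tols := []Toleration{{Key: "readiness.k8s.io/*", Operator: "Exists", Effect: "NoExecute"}}
	taints := []Taint{{"readiness.k8s.io/network", "NoExecute"}, {"example.com/maintenance", "NoExecute"}}
	fmt.Println(UntoleratedNoExecute(tols, taints)) // constructed sample data
}
```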


###### Will enabling / using this feature result in increasing time taken by any operations covered by existing SLIs/SLOs?

Due to regex parsing and validation overhead, it could add to the time taken for

You mentioned using glob-matching in the Design section, but mention regex here. Which one is the intended implementation?


###### Will enabling / using this feature result in non-negligible increase of resource usage (CPU, RAM, disk, IO, ...) in any components?

No

I disagree with a flat 'No' here. Increased string matching in the scheduler's hot path will inevitably increase CPU cycles. While it may be 'negligible' for small clusters, we need to define what happens at scale. Can we add a metric to track scheduler_wildcard_match_duration_seconds to verify this during this Alpha?

Comment on lines +156 to +161
```yaml
tolerations:
- key: "readiness.k8s.io/*"
operator: "Exists"
effect: "NoSchedule"
```
Member

The problem stated for this KEP and the user stories can be achieved by the CEL support #5500, which will be a general solution for wildcard and other cases. I'd suggest adding the wildcard as a user story on the current PR #5822
