fix: Disable syncing taints from nodeclaims to nodes (#8029)

Author: JeremyBolster

pkg/providers/amifamily/suite_test.go

@@ -359,9 +359,9 @@ var _ = Describe("AMIProvider", func() {
 				},
 			}
 		})
-		It("should priortize the older non-deprecated ami without deprecation time", func() {
+		It("should prioritize the older non-deprecated ami without deprecation time", func() {
 			// Here we have two AMIs one which is deprecated and newer and one which is older and non-deprecated without a deprecation time
-			// List operation will priortize the non-deprecated AMI without the deprecation time
+			// List operation will prioritize the non-deprecated AMI without the deprecation time
 			awsEnv.EC2API.DescribeImagesOutput.Set(&ec2.DescribeImagesOutput{
 				Images: []ec2types.Image{
 					{
@@ -401,9 +401,9 @@ var _ = Describe("AMIProvider", func() {
 				),
 			}))
 		})
-		It("should priortize the non-deprecated ami with deprecation time when both have same creation time", func() {
+		It("should prioritize the non-deprecated ami with deprecation time when both have same creation time", func() {
 			// Here we have two AMIs one which is deprecated and one which is non-deprecated both with the same creation time
-			// List operation will priortize the non-deprecated AMI
+			// List operation will prioritize the non-deprecated AMI
 			awsEnv.EC2API.DescribeImagesOutput.Set(&ec2.DescribeImagesOutput{
 				Images: []ec2types.Image{
 					{
@@ -445,9 +445,9 @@ var _ = Describe("AMIProvider", func() {
 				),
 			}))
 		})
-		It("should priortize the non-deprecated ami with deprecation time when both have same creation time and different name", func() {
+		It("should prioritize the non-deprecated ami with deprecation time when both have same creation time and different name", func() {
 			// Here we have two AMIs one which is deprecated and one which is non-deprecated both with the same creation time but with different names
-			// List operation will priortize the non-deprecated AMI
+			// List operation will prioritize the non-deprecated AMI
 			awsEnv.EC2API.DescribeImagesOutput.Set(&ec2.DescribeImagesOutput{
 				Images: []ec2types.Image{
 					{
@@ -489,7 +489,7 @@ var _ = Describe("AMIProvider", func() {
 				),
 			}))
 		})
-		It("should priortize the newer ami if both are deprecated", func() {
+		It("should prioritize the newer ami if both are deprecated", func() {
 			//Both amis are deprecated and have the same deprecation time
 			awsEnv.EC2API.DescribeImagesOutput.Set(&ec2.DescribeImagesOutput{
 				Images: []ec2types.Image{

pkg/providers/launchtemplate/launchtemplate.go

@@ -171,6 +171,7 @@ func (p *DefaultProvider) CreateAMIOptions(ctx context.Context, nodeClass *v1.EC
 			delete(labels, k)
 		}
 	}
+	labels = InjectDoNotSyncTaintsLabel(nodeClass.AMIFamily(), labels)
 	// Relying on the status rather than an API call means that Karpenter is subject to a race
 	// condition where EC2NodeClass spec changes haven't propagated to the status once a node
 	// has launched.
@@ -498,3 +499,16 @@ func (p *DefaultProvider) ResolveClusterCIDR(ctx context.Context) error {
 	}
 	return fmt.Errorf("no CIDR found in DescribeCluster response")
 }
+
+// InjectDoNotSyncTaintsLabel adds a label for all non-custom AMI families. It is exported just for ease
+// of testing.
+// This label is to tell karpenter that it should *not* sync taints. This is to work around a race condition.
+// By default, this label is not added to the custom AMI family as users may still want their taints synced. Startup
+// taints will be racy for custom AMIs if they do not add this label, however.
+// https://github.com/kubernetes-sigs/karpenter/issues/1772
+func InjectDoNotSyncTaintsLabel(amiFamilyName string, labels map[string]string) map[string]string {
+	if amiFamilyName != v1.AMIFamilyCustom {
+		return lo.Assign(labels, map[string]string{karpv1.NodeDoNotSyncTaintsLabelKey: "true"})
+	}
+	return labels
+}

pkg/providers/launchtemplate/suite_test.go

@@ -196,6 +196,34 @@ var _ = Describe("LaunchTemplate Provider", func() {
 		Expect(awsEnv.InstanceTypesProvider.UpdateInstanceTypes(ctx)).To(Succeed())
 		Expect(awsEnv.InstanceTypesProvider.UpdateInstanceTypeOfferings(ctx)).To(Succeed())
 	})
+	It("should not add the do not sync taints label to nodes when AMI type is custom", func() {
+		labels := launchtemplate.InjectDoNotSyncTaintsLabel("Custom", make(map[string]string))
+		Expect(labels).To(HaveLen(0))
+	})
+
+	It("should add the do not sync taints label to nodes when AMI type is al2", func() {
+		labels := launchtemplate.InjectDoNotSyncTaintsLabel("AL2", make(map[string]string))
+		Expect(labels).To(HaveLen(1))
+		Expect(labels).Should(HaveKeyWithValue(karpv1.NodeDoNotSyncTaintsLabelKey, "true"))
+	})
+
+	It("should add the do not sync taints label to nodes when AMI type is al2023", func() {
+		labels := launchtemplate.InjectDoNotSyncTaintsLabel("AL2023", make(map[string]string))
+		Expect(labels).To(HaveLen(1))
+		Expect(labels).Should(HaveKeyWithValue(karpv1.NodeDoNotSyncTaintsLabelKey, "true"))
+	})
+
+	It("should add the do not sync taints label to nodes when AMI type is br", func() {
+		labels := launchtemplate.InjectDoNotSyncTaintsLabel("Bottlerocket", make(map[string]string))
+		Expect(labels).To(HaveLen(1))
+		Expect(labels).Should(HaveKeyWithValue(karpv1.NodeDoNotSyncTaintsLabelKey, "true"))
+	})
+
+	It("should add the do not sync taints label to nodes when AMI type is windows", func() {
+		labels := launchtemplate.InjectDoNotSyncTaintsLabel("Windows", make(map[string]string))
+		Expect(labels).To(HaveLen(1))
+		Expect(labels).Should(HaveKeyWithValue(karpv1.NodeDoNotSyncTaintsLabelKey, "true"))
+	})
 	It("should create unique launch templates for multiple identical nodeClasses", func() {
 		nodeClass2 := test.EC2NodeClass(v1.EC2NodeClass{
 			Status: v1.EC2NodeClassStatus{

pkg/providers/launchtemplate/testdata/al2023_mime_userdata_merged.golden

@@ -46,6 +46,6 @@ spec:
       - effect: NoExecute
         key: karpenter.sh/unregistered
     flags:
-    - --node-labels="karpenter.k8s.aws/ec2nodeclass=%s,karpenter.sh/capacity-type=on-demand,%s=%s,testing/cluster=unspecified"
+    - --node-labels="karpenter.k8s.aws/ec2nodeclass=%s,karpenter.sh/capacity-type=on-demand,karpenter.sh/do-not-sync-taints=true,%s=%s,testing/cluster=unspecified"
 
 --//--

pkg/providers/launchtemplate/testdata/al2023_shell_userdata_merged.golden

@@ -32,6 +32,6 @@ spec:
       - effect: NoExecute
         key: karpenter.sh/unregistered
     flags:
-    - --node-labels="karpenter.k8s.aws/ec2nodeclass=%s,karpenter.sh/capacity-type=on-demand,%s=%s,testing/cluster=unspecified"
+    - --node-labels="karpenter.k8s.aws/ec2nodeclass=%s,karpenter.sh/capacity-type=on-demand,karpenter.sh/do-not-sync-taints=true,%s=%s,testing/cluster=unspecified"
 
 --//--

pkg/providers/launchtemplate/testdata/al2023_userdata_unmerged.golden

@@ -27,6 +27,6 @@ spec:
       - effect: NoExecute
         key: karpenter.sh/unregistered
     flags:
-    - --node-labels="karpenter.k8s.aws/ec2nodeclass=%s,karpenter.sh/capacity-type=on-demand,%s=%s,testing/cluster=unspecified"
+    - --node-labels="karpenter.k8s.aws/ec2nodeclass=%s,karpenter.sh/capacity-type=on-demand,karpenter.sh/do-not-sync-taints=true,%s=%s,testing/cluster=unspecified"
 
 --//--

pkg/providers/launchtemplate/testdata/al2023_yaml_userdata_merged.golden

@@ -41,6 +41,6 @@ spec:
       - effect: NoExecute
         key: karpenter.sh/unregistered
     flags:
-    - --node-labels="karpenter.k8s.aws/ec2nodeclass=%s,karpenter.sh/capacity-type=on-demand,%s=%s,testing/cluster=unspecified"
+    - --node-labels="karpenter.k8s.aws/ec2nodeclass=%s,karpenter.sh/capacity-type=on-demand,karpenter.sh/do-not-sync-taints=true,%s=%s,testing/cluster=unspecified"
 
 --//--

pkg/providers/launchtemplate/testdata/al2_userdata_merged.golden

@@ -15,5 +15,5 @@ exec > >(tee /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1
 /etc/eks/bootstrap.sh 'test-cluster' --apiserver-endpoint 'https://test-cluster' --b64-cluster-ca 'ca-bundle' \
 --dns-cluster-ip '10.0.100.10' \
 --use-max-pods false \
---kubelet-extra-args '--node-labels="karpenter.k8s.aws/ec2nodeclass=%s,karpenter.sh/capacity-type=on-demand,%s=%s,testing/cluster=unspecified" --register-with-taints="karpenter.sh/unregistered:NoExecute" --max-pods=110'
+--kubelet-extra-args '--node-labels="karpenter.k8s.aws/ec2nodeclass=%s,karpenter.sh/capacity-type=on-demand,karpenter.sh/do-not-sync-taints=true,%s=%s,testing/cluster=unspecified" --register-with-taints="karpenter.sh/unregistered:NoExecute" --max-pods=110'
 --//--

pkg/providers/launchtemplate/testdata/al2_userdata_unmerged.golden

@@ -9,5 +9,5 @@ exec > >(tee /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1
 /etc/eks/bootstrap.sh 'test-cluster' --apiserver-endpoint 'https://test-cluster' --b64-cluster-ca 'ca-bundle' \
 --dns-cluster-ip '10.0.100.10' \
 --use-max-pods false \
---kubelet-extra-args '--node-labels="karpenter.k8s.aws/ec2nodeclass=%s,karpenter.sh/capacity-type=on-demand,%s=%s,testing/cluster=unspecified" --register-with-taints="karpenter.sh/unregistered:NoExecute" --max-pods=110'
+--kubelet-extra-args '--node-labels="karpenter.k8s.aws/ec2nodeclass=%s,karpenter.sh/capacity-type=on-demand,karpenter.sh/do-not-sync-taints=true,%s=%s,testing/cluster=unspecified" --register-with-taints="karpenter.sh/unregistered:NoExecute" --max-pods=110'
 --//--

pkg/providers/launchtemplate/testdata/br_userdata_merged.golden

@@ -11,6 +11,7 @@ max-pods = 110
 custom-node-label = 'custom'
 'karpenter.k8s.aws/ec2nodeclass' = '%s'
 'karpenter.sh/capacity-type' = 'on-demand'
+'karpenter.sh/do-not-sync-taints' = 'true'
 '%s' = '%s'
 'testing/cluster' = 'unspecified'
 

pkg/providers/launchtemplate/testdata/br_userdata_unmerged.golden

@@ -9,6 +9,7 @@ max-pods = 110
 [settings.kubernetes.node-labels]
 'karpenter.k8s.aws/ec2nodeclass' = '%s'
 'karpenter.sh/capacity-type' = 'on-demand'
+'karpenter.sh/do-not-sync-taints' = 'true'
 '%s' = '%s'
 'testing/cluster' = 'unspecified'
 

pkg/providers/launchtemplate/testdata/windows_userdata_merged.golden

@@ -2,5 +2,5 @@
 Write-Host "Running custom user data script"
 Write-Host "Finished running custom user data script"
 [string]$EKSBootstrapScriptFile = "$env:ProgramFiles\Amazon\EKS\Start-EKSBootstrap.ps1"
-& $EKSBootstrapScriptFile -EKSClusterName 'test-cluster' -APIServerEndpoint 'https://test-cluster' -Base64ClusterCA 'ca-bundle' -KubeletExtraArgs '--node-labels="karpenter.k8s.aws/ec2nodeclass=%s,karpenter.sh/capacity-type=spot,%s=%s,testing/cluster=unspecified" --register-with-taints="karpenter.sh/unregistered:NoExecute" --max-pods=110' -DNSClusterIP '10.0.100.10'
+& $EKSBootstrapScriptFile -EKSClusterName 'test-cluster' -APIServerEndpoint 'https://test-cluster' -Base64ClusterCA 'ca-bundle' -KubeletExtraArgs '--node-labels="karpenter.k8s.aws/ec2nodeclass=%s,karpenter.sh/capacity-type=spot,karpenter.sh/do-not-sync-taints=true,%s=%s,testing/cluster=unspecified" --register-with-taints="karpenter.sh/unregistered:NoExecute" --max-pods=110' -DNSClusterIP '10.0.100.10'
 </powershell>

pkg/providers/launchtemplate/testdata/windows_userdata_unmerged.golden

@@ -1,4 +1,4 @@
 <powershell>
 [string]$EKSBootstrapScriptFile = "$env:ProgramFiles\Amazon\EKS\Start-EKSBootstrap.ps1"
-& $EKSBootstrapScriptFile -EKSClusterName 'test-cluster' -APIServerEndpoint 'https://test-cluster' -Base64ClusterCA 'ca-bundle' -KubeletExtraArgs '--node-labels="karpenter.k8s.aws/ec2nodeclass=%s,karpenter.sh/capacity-type=spot,%s=%s,testing/cluster=unspecified" --register-with-taints="karpenter.sh/unregistered:NoExecute" --max-pods=110' -DNSClusterIP '10.0.100.10'
+& $EKSBootstrapScriptFile -EKSClusterName 'test-cluster' -APIServerEndpoint 'https://test-cluster' -Base64ClusterCA 'ca-bundle' -KubeletExtraArgs '--node-labels="karpenter.k8s.aws/ec2nodeclass=%s,karpenter.sh/capacity-type=spot,karpenter.sh/do-not-sync-taints=true,%s=%s,testing/cluster=unspecified" --register-with-taints="karpenter.sh/unregistered:NoExecute" --max-pods=110' -DNSClusterIP '10.0.100.10'
 </powershell>

test/suites/ami/suite_test.go

@@ -312,6 +312,7 @@ var _ = Describe("AMI", func() {
 			// Since the node has joined the cluster, we know our bootstrapping was correct.
 			// Just verify if the UserData contains our custom content too, rather than doing a byte-wise comparison.
 			Expect(string(actualUserData)).To(ContainSubstring("Running custom user data script"))
+			Expect(string(actualUserData)).To(ContainSubstring("karpenter.sh/do-not-sync-taints=true"))
 		})
 		It("should merge non-MIME UserData contents for AL2 AMIFamily", func() {
 			content, err := os.ReadFile("testdata/al2_no_mime_userdata_input.sh")
@@ -333,6 +334,7 @@ var _ = Describe("AMI", func() {
 			// Since the node has joined the cluster, we know our bootstrapping was correct.
 			// Just verify if the UserData contains our custom content too, rather than doing a byte-wise comparison.
 			Expect(string(actualUserData)).To(ContainSubstring("Running custom user data script"))
+			Expect(string(actualUserData)).To(ContainSubstring("karpenter.sh/do-not-sync-taints=true"))
 		})
 		It("should merge UserData contents for Bottlerocket AMIFamily", func() {
 			content, err := os.ReadFile("testdata/br_userdata_input.sh")
@@ -352,6 +354,7 @@ var _ = Describe("AMI", func() {
 			actualUserData, err := base64.StdEncoding.DecodeString(*getInstanceAttribute(pod.Spec.NodeName, "userData").UserData.Value)
 			Expect(err).ToNot(HaveOccurred())
 			Expect(string(actualUserData)).To(ContainSubstring("kube-api-qps = 30"))
+			Expect(string(actualUserData)).To(ContainSubstring("'karpenter.sh/do-not-sync-taints' = 'true'"))
 			Expect(string(actualUserData)).To(ContainSubstring("eviction-max-pod-grace-period = 40"))
 			Expect(string(actualUserData)).To(ContainSubstring("[settings.kubernetes.eviction-soft]\n'memory.available' = '100Mi'"))
 			Expect(string(actualUserData)).To(ContainSubstring("[settings.kubernetes.eviction-soft-grace-period]\n'memory.available' = '30s'"))
@@ -402,6 +405,7 @@ var _ = Describe("AMI", func() {
 			Expect(err).ToNot(HaveOccurred())
 			Expect(string(actualUserData)).To(ContainSubstring("Write-Host \"Running custom user data script\""))
 			Expect(string(actualUserData)).To(ContainSubstring("[string]$EKSBootstrapScriptFile = \"$env:ProgramFiles\\Amazon\\EKS\\Start-EKSBootstrap.ps1\""))
+			Expect(string(actualUserData)).To(ContainSubstring("karpenter.sh/do-not-sync-taints=true"))
 		})
 	})
 })