
What are taints and tolerations, and how do they differ from affinity?

Kubernetes, Docker, Helm & Podman · Intermediate level

Answer

Taints repel Pods from nodes unless the Pods tolerate them. Affinity attracts or avoids placement based on labels. Taints are usually node-owned guardrails, while affinity is usually workload-owned scheduling intent.

Technical explanation

Tolerating a taint does not force placement on that node; it only allows the Pod to be scheduled there.

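NoSchedule keeps new Pods without a matching toleration off the node, PreferNoSchedule is the soft form that the scheduler tries to honor but does not guarantee, and NoExecute can also evict Pods already running on the node.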

Scheduling controls place workloads correctly; RBAC and ServiceAccounts decide what identities can do after placement.

Use labels consistently because Services, Deployments, affinities, policies, and topology spread all depend on label selection.

Every constraint should be testable with events: FailedScheduling, denied API calls, or observed placement.
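The matching rules and the three taint effects described above, as an added example that is not part of the original page and is not the scheduler's own code. It is a simplified model: node names, taint keys and values are constructed, and tolerationSeconds is not modelled.

```python
# Simplified model of taint/toleration matching (constructed sample data).
from dataclasses import dataclass

@dataclass(frozen=True)
class Taint:
    key: str
    value: str
    effect: str  # NoSchedule | PreferNoSchedule | NoExecute

@dataclass(frozen=True)
class Toleration:
    key: str = ""            # empty key with Exists tolerates every taint
    operator: str = "Equal"  # Equal | Exists
    value: str = ""
    effect: str = ""         # empty effect matches all effects

def tolerates(tol, taint):
    if tol.effect and tol.effect != taint.effect:
        return False
    if tol.key and tol.key != taint.key:
        return False
    if tol.operator == "Exists":
        return True
    # Equal requires a key (the API rejects an empty key with Equal).
    return bool(tol.key) and tol.value == taint.value

def untolerated(taints, tolerations, effects):
    return [t for t in taints if t.effect in effects
            and not any(tolerates(tol, t) for tol in tolerations)]

def schedule(nodes, tolerations):
    """Return (feasible, preferred): hard filter first, then soft preference."""
    hard = {"NoSchedule", "NoExecute"}
    feasible = [n for n, taints in nodes.items()
                if not untolerated(taints, tolerations, hard)]
    preferred = [n for n in feasible
                 if not untolerated(nodes[n], tolerations, {"PreferNoSchedule"})]
    return feasible, preferred

def evicted(taints, tolerations):
    """A running Pod is evicted only by an untolerated NoExecute taint."""
    return bool(untolerated(taints, tolerations, {"NoExecute"}))

NODES = {  # constructed cluster: node name -> taints
    "gpu-1": [Taint("dedicated", "gpu", "NoSchedule")],
    "spot-1": [Taint("lifecycle", "spot", "PreferNoSchedule")],
    "general-1": [],
    "drain-1": [Taint("maintenance", "true", "NoExecute")],
}
GPU_TOL = [Toleration("dedicated", "Equal", "gpu", "NoSchedule")]
```

With GPU_TOL the Pod becomes eligible for gpu-1 but general-1 stays feasible too, which is why pinning a workload to dedicated nodes needs node affinity or a nodeSelector in addition to the toleration.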

Hands-on example

1. Create a lab namespace for this exercise with explicit labels, ServiceAccounts, roles, node labels, or taints. Here, taint a node and schedule only Pods with matching tolerations.

2. Use kubectl auth can-i, kubectl describe pod, and scheduling events to verify the expected decision.

3. Test a negative case, such as missing permission, missing toleration, or impossible affinity, and capture the exact error.

4. Convert the validated YAML into a reusable platform pattern with clear naming and labels.
