
Keeping workloads off the control plane

By default kubeadm puts a taint on the control-plane node:

node-role.kubernetes.io/control-plane:NoSchedule

A taint is a "keep out" sign. NoSchedule means: don't place a pod here unless that pod explicitly tolerates this taint. The control plane's own components (and a few system DaemonSets like the CNI and CSI node agents) carry that toleration, so they still run there. Ordinary workloads don't, so they land only on the workers.
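To make the "keep out" rule concrete, here is the taint/toleration matching logic the scheduler applies, written as an added example (not code from the original post or from kubeadm). It checks three constructed pod specs against the control-plane taint above: an ordinary app with no tolerations, a system agent that tolerates everything, and a pod that explicitly opts in.

```python
# Added example: kube-scheduler's taint/toleration matching rule, applied to
# the kubeadm control-plane taint. Pod specs below are constructed, not real.
CONTROL_PLANE_TAINT = {
    "key": "node-role.kubernetes.io/control-plane",
    "value": "",
    "effect": "NoSchedule",
}


def tolerates(toleration: dict, taint: dict) -> bool:
    """True when one toleration matches one taint (key, operator/value, effect)."""
    op = toleration.get("operator", "Equal")
    # An empty effect on the toleration matches any effect on the taint.
    if toleration.get("effect", "") not in ("", taint["effect"]):
        return False
    if op == "Exists":
        # Exists ignores the value; an empty key tolerates every taint.
        return toleration.get("key", "") in ("", taint["key"])
    # Equal: key and value must both match exactly.
    return (toleration.get("key", "") == taint["key"]
            and toleration.get("value", "") == taint.get("value", ""))


def schedulable(pod_tolerations: list, node_taints: list) -> bool:
    """A pod may land on the node only if every hard taint is tolerated."""
    for taint in node_taints:
        if taint["effect"] not in ("NoSchedule", "NoExecute"):
            continue  # PreferNoSchedule is a soft preference, not a gate
        if not any(tolerates(t, taint) for t in pod_tolerations):
            return False
    return True


# Constructed sample pods.
APP_POD = []                           # ordinary workload: no tolerations at all
CNI_AGENT = [{"operator": "Exists"}]   # typical system DaemonSet: tolerates everything
OPT_IN_POD = [{"key": "node-role.kubernetes.io/control-plane",
               "operator": "Exists", "effect": "NoSchedule"}]

if __name__ == "__main__":
    for name, tol in [("app", APP_POD), ("cni-agent", CNI_AGENT), ("opt-in", OPT_IN_POD)]:
        where = "control-plane ok" if schedulable(tol, [CONTROL_PLANE_TAINT]) else "workers only"
        print(f"{name}: {where}")
```

Removing the taint is equivalent to giving every pod the opt-in toleration for free, which is exactly what the next paragraph argues against.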

A lot of tutorials tell you to remove this taint so the master can run apps too. I kept it. On a tiny cluster it's tempting to reclaim the master's capacity, but the control plane (especially etcd) is the one thing you never want starved by a noisy workload. Keeping the taint means a runaway pod can't take down the API server.

Lesson learned / a habit worth forming: treat the control plane as infrastructure, not as a worker. Three workers is plenty of room for a lab's workloads; the master's job is to stay healthy and keep the cluster's brain running. The taint is one line of "don't do the tempting thing."

That's the whole cluster: four Ready nodes, a readable CNI, a firewall that actually allows the cluster to talk to itself, and a protected control plane. Everything in the Kubernetes Platform shelf is built on top of this.