docs: document NoExecute taint risks and add admission warning by ketanjani21 · Pull Request #120 · kubernetes-sigs/node-readiness-controller

ketanjani21 · 2026-02-05T11:52:48Z

Description

Addresses the risk of using NoExecute taints with continuous enforcement mode, which can cause unintended pod evictions.

Changes:

Add "Choosing a Taint Effect" section to concepts.md explaining the implications of each taint effect and when to use them
Return admission warnings when creating/updating rules with NoExecute effect
Add tests for the new warning logic
Update taint field godoc with brief caution note

Type of Change

/kind documentation
/kind feature

Testing

Checklist

make test passes
make lint passes

Does this PR introduce a user-facing change?

Add admission warning when creating NodeReadinessRule with NoExecute taint effect. Using NoExecute with continuous enforcement can cause pod evictions during transient condition failures. The webhook now returns a warning guiding users toward safer configurations.

Doc #9

k8s-ci-robot · 2026-02-05T11:52:57Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ketanjani21
Once this PR has been reviewed and has the lgtm label, please assign haircommander for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

k8s-ci-robot · 2026-02-05T11:52:58Z

Welcome @ketanjani21!

It looks like this is your first PR to kubernetes-sigs/node-readiness-controller 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/node-readiness-controller has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

netlify · 2026-02-05T11:53:47Z

✅ Deploy Preview for node-readiness-controller canceled.

Name	Link
🔨 Latest commit	`8c9de75`
🔍 Latest deploy log	https://app.netlify.com/projects/node-readiness-controller/deploys/698c17487d90030009cabc78

ajaysundark · 2026-02-07T23:55:36Z

docs/book/src/user-guide/concepts.md


 This allows you to preview exactly which nodes would be affected and identifying any potential misconfigurations (like a typo in a label selector) before they impact your cluster.
+
+## Choosing a Taint Effect


IMO, taint introduction doesnt need to be here. Maybe we could link to the official documentation?

And what do you think about creating a separate page under user-guide for creating rules? More like how-to or getting started page?

I'm thinking aspects like #46, prefix restrictions introduced by #106 could also go in there.

I imagine this is generated with some llm help? IMO, I'm generally open to AI generating docs, but it could be concise to give more value to reader from reading less. just my thought.

@ajaysundark Thank you for the feedback. I noticed there was a getting-started.md already under docs, so I moved it under user-guide, updated it, and re-arranged few sections.

I also updated the information about prefix restrictions.

The maximum limits for the controller are already documented here, so I didn't duplicate the info again.

Happy to make further updates based on your feedback.

sounds fair. we could leave the limits at the reference spec.

^it looks to me that docs/spec.md is a missed clean up as it is not maintained (crd-ref-docs only updates docs/book/src/reference/api-spec.md).
Would you be able to help on this as a follow-up PR?

cc @sreeram-venkitesh

yes, happy to do a follow-up PR to cleanup docs/spec.md 👍

ajaysundark · 2026-02-10T06:02:32Z

/assign @ketanjani21

ajaysundark · 2026-02-10T18:54:18Z

docs/book/src/user-guide/installation.md

 This is the priority class used by other critical cluster components (eg: core-dns).

-**Images**: The official releases use multi-arch images (AMD64, Arm64).
+**Images**: The official releases use multi-arch images (AMD64, Arm64) available in the Kubernetes staging registry:


this is not correct. staging registry is different than 'registry.k8s.io/xx' which is where the official images can be consumed.

Thank you for catching, it got carried over from the root level getting-started.md. updated 👍

ajaysundark · 2026-02-10T19:01:33Z

docs/book/src/user-guide/installation.md

+**Images**: The official releases use multi-arch images (AMD64, Arm64) available in the Kubernetes staging registry:

-### Option 2: Deploy Using Kustomize
+```sh


we already have installation flows captured: simple consume from official release images, and using kustomize for advanced setup.

I think documenting 3 different installation paths would just be confusing the reader. Maybe we could hold on to this for now and come back to updating the installation section for #94.

makes sense, I've simplified the installation method for now, we can re-visit later as per your suggestion.

restructure docs update taint key naming instructions update registry url, simplify installation methods

ajaysundark

@ketanjani21 Left some suggestions, ptal.
Thanks for looking into this.

ajaysundark · 2026-02-12T18:50:37Z

docs/book/src/user-guide/installation.md

@@ -36,16 +34,10 @@ This is the priority class used by other critical cluster components (eg: core-d

 **Images**: The official releases use multi-arch images (AMD64, Arm64).


Suggested change

**Images**: The official releases use multi-arch images (AMD64, Arm64).

#### Images

The official releases use multi-arch images (AMD64, Arm64) and are available at `registry.k8s.io/node-readiness-controller/node-readiness-controller`

ajaysundark · 2026-02-12T18:50:56Z

docs/book/src/user-guide/installation.md

-
-If you have cloned the repository and want to deploy from source, you can use Kustomize.
-
 ```sh


I think we could skip this detail

ajaysundark · 2026-02-12T18:51:47Z

docs/book/src/user-guide/installation.md


 ## Deployment Options

-### Option 1: Install Official Release (Recommended)


we could keep this as well

ajaysundark · 2026-02-12T18:51:54Z

docs/book/src/user-guide/installation.md


 **Images**: The official releases use multi-arch images (AMD64, Arm64).

-### Option 2: Deploy Using Kustomize


please revert to existing, let us keep the kustomize option

ajaysundark · 2026-02-12T19:04:53Z