DaemonSet

ADaemonSet ensures that all (or some) Nodes run a copy of a Pod. As nodes are added to thecluster, Pods are added to them. As nodes are removed from the cluster, those Pods are garbagecollected. Deleting a DaemonSet will clean up the Pods it created.

Some typical uses of a DaemonSet are:

• running a cluster storage daemon on every node
• running a logs collection daemon on every node
• running a node monitoring daemon on every node

In a simple case, one DaemonSet, covering all nodes, would be used for each type of daemon.A more complex setup might use multiple DaemonSets for a single type of daemon, but withdifferent flags and/or different memory and cpu requests for different hardware types.

Writing a DaemonSet Spec

Create a DaemonSet

You can describe a DaemonSet in a YAML file. For example, thedaemonset.yaml file belowdescribes a DaemonSet that runs the fluentd-elasticsearch Docker image:

controllers/daemonset.yaml

apiVersion:apps/v1kind:DaemonSetmetadata:name:fluentd-elasticsearchnamespace:kube-systemlabels:k8s-app:fluentd-loggingspec:selector:matchLabels:name:fluentd-elasticsearchtemplate:metadata:labels:name:fluentd-elasticsearchspec:tolerations:# these tolerations are to have the daemonset runnable on control plane nodes# remove them if your control plane nodes should not run pods-key:node-role.kubernetes.io/control-planeoperator:Existseffect:NoSchedule-key:node-role.kubernetes.io/masteroperator:Existseffect:NoSchedulecontainers:-name:fluentd-elasticsearchimage:quay.io/fluentd_elasticsearch/fluentd:v5.0.1resources:limits:memory:200Mirequests:cpu:100mmemory:200MivolumeMounts:-name:varlogmountPath:/var/log# it may be desirable to set a high priority class to ensure that a DaemonSet Pod# preempts running Pods# priorityClassName: importantterminationGracePeriodSeconds:30volumes:-name:varloghostPath:path:/var/log

Create a DaemonSet based on the YAML file:

kubectl apply -f https://k8s.io/examples/controllers/daemonset.yaml

Required Fields

As with all other Kubernetes config, a DaemonSet needsapiVersion,kind, andmetadata fields. Forgeneral information about working with config files, seerunning stateless applicationsandobject management using kubectl.

The name of a DaemonSet object must be a validDNS subdomain name.

A DaemonSet also needs a.specsection.

Pod Template

The.spec.template is one of the required fields in.spec.

The.spec.template is apod template.It has exactly the same schema as aPod,except it is nested and does not have anapiVersion orkind.

In addition to required fields for a Pod, a Pod template in a DaemonSet has to specify appropriatelabels (seepod selector).

A Pod Template in a DaemonSet must have aRestartPolicyequal toAlways, or be unspecified, which defaults toAlways.

Pod Selector

The.spec.selector field is a pod selector. It works the same as the.spec.selector ofaJob.

You must specify a pod selector that matches the labels of the.spec.template.Also, once a DaemonSet is created,its.spec.selector can not be mutated. Mutating the pod selector can lead to theunintentional orphaning of Pods, and it was found to be confusing to users.

The.spec.selector is an object consisting of two fields:

• matchLabels - works the same as the.spec.selector of aReplicationController.
• matchExpressions - allows to build more sophisticated selectors by specifying key,list of values and an operator that relates the key and values.

When the two are specified the result is ANDed.

The.spec.selector must match the.spec.template.metadata.labels.Config with these two not matching will be rejected by the API.

Running Pods on select Nodes

If you specify a.spec.template.spec.nodeSelector, then the DaemonSet controller willcreate Pods on nodes which match thatnode selector.Likewise if you specify a.spec.template.spec.affinity,then DaemonSet controller will create Pods on nodes which match thatnode affinity.If you do not specify either, then the DaemonSet controller will create Pods on all nodes.

How Daemon Pods are scheduled

A DaemonSet can be used to ensure that all eligible nodes run a copy of a Pod.The DaemonSet controller creates a Pod for each eligible node and adds thespec.affinity.nodeAffinity field of the Pod to match the target host. Afterthe Pod is created, the default scheduler typically takes over and then bindsthe Pod to the target host by setting the.spec.nodeName field. If the newPod cannot fit on the node, the default scheduler may preempt (evict) some ofthe existing Pods based on thepriorityof the new Pod.

The user can specify a different scheduler for the Pods of the DaemonSet, bysetting the.spec.template.spec.schedulerName field of the DaemonSet.

The original node affinity specified at the.spec.template.spec.affinity.nodeAffinity field (if specified) is taken intoconsideration by the DaemonSet controller when evaluating the eligible nodes,but is replaced on the created Pod with the node affinity that matches the nameof the eligible node.

nodeAffinity:requiredDuringSchedulingIgnoredDuringExecution:nodeSelectorTerms:-matchFields:-key:metadata.nameoperator:Invalues:- target-host-name

Taints and tolerations

The DaemonSet controller automatically adds a set oftolerations to DaemonSet Pods:

You can add your own tolerations to the Pods of a DaemonSet as well, bydefining these in the Pod template of the DaemonSet.

Because the DaemonSet controller sets thenode.kubernetes.io/unschedulable:NoSchedule toleration automatically,Kubernetes can run DaemonSet Pods on nodes that are marked asunschedulable.

If you use a DaemonSet to provide an important node-level function, such ascluster networking, it ishelpful that Kubernetes places DaemonSet Pods on nodes before they are ready.For example, without that special toleration, you could end up in a deadlocksituation where the node is not marked as ready because the network plugin isnot running there, and at the same time the network plugin is not running onthat node because the node is not yet ready.

Communicating with Daemon Pods

Some possible patterns for communicating with Pods in a DaemonSet are:

• Push: Pods in the DaemonSet are configured to send updates to another service, suchas a stats database. They do not have clients.
• NodeIP and Known Port: Pods in the DaemonSet can use ahostPort, so that the podsare reachable via the node IPs.Clients know the list of node IPs somehow, and know the port by convention.
• DNS: Create aheadless servicewith the same pod selector, and then discover DaemonSets using theendpointsresource or retrieve multiple A records from DNS.
• Service: Create a service with the same Pod selector, and use the service to reach adaemon on a random node. UseService Internal Traffic Policyto limit to pods on the same node.

Updating a DaemonSet

If node labels are changed, the DaemonSet will promptly add Pods to newly matching nodes and deletePods from newly not-matching nodes.

You can modify the Pods that a DaemonSet creates. However, Pods do not allow allfields to be updated. Also, the DaemonSet controller will use the original template the nexttime a node (even with the same name) is created.

You can delete a DaemonSet. If you specify--cascade=orphan withkubectl, then the Podswill be left on the nodes. If you subsequently create a new DaemonSet with the same selector,the new DaemonSet adopts the existing Pods. If any Pods need replacing the DaemonSet replacesthem according to itsupdateStrategy.

You canperform a rolling update on a DaemonSet.

Alternatives to DaemonSet

Init scripts

It is certainly possible to run daemon processes by directly starting them on a node (e.g. usinginit,upstartd, orsystemd). This is perfectly fine. However, there are several advantages torunning such processes via a DaemonSet:

• Ability to monitor and manage logs for daemons in the same way as applications.
• Same config language and tools (e.g. Pod templates,kubectl) for daemons and applications.
• Running daemons in containers with resource limits increases isolation between daemons from appcontainers. However, this can also be accomplished by running the daemons in a container but not in a Pod.

Bare Pods

It is possible to create Pods directly which specify a particular node to run on. However,a DaemonSet replaces Pods that are deleted or terminated for any reason, such as in the case ofnode failure or disruptive node maintenance, such as a kernel upgrade. For this reason, you shoulduse a DaemonSet rather than creating individual Pods.

Static Pods

It is possible to create Pods by writing a file to a certain directory watched by Kubelet. Theseare calledstatic pods.Unlike DaemonSet, static Pods cannot be managed with kubectlor other Kubernetes API clients. Static Pods do not depend on the apiserver, making them usefulin cluster bootstrapping cases. Also, static Pods may be deprecated in the future.

Deployments

DaemonSets are similar toDeployments in thatthey both create Pods, and those Pods have processes which are not expected to terminate (e.g. web servers,storage servers).

Use a Deployment for stateless services, like frontends, where scaling up and down thenumber of replicas and rolling out updates are more important than controlling exactly which hostthe Pod runs on. Use a DaemonSet when it is important that a copy of a Pod always run onall or certain hosts, if the DaemonSet provides node-level functionality that allows other Pods to run correctly on that particular node.

For example,network plugins often include a component that runs as a DaemonSet. The DaemonSet component makes sure that the node where it's running has working cluster networking.

What's next

• Learn aboutPods:
  • Learn aboutstatic Pods, which are useful for running Kubernetescontrol plane components.
• Find out how to use DaemonSets:
  • Perform a rolling update on a DaemonSet.
  • Perform a rollback on a DaemonSet(for example, if a roll out didn't work how you expected).
• Understandhow Kubernetes assigns Pods to Nodes.
• Learn aboutdevice plugins andadd ons, which often run as DaemonSets.
• DaemonSet is a top-level resource in the Kubernetes REST API.Read theDaemonSetobject definition to understand the API for daemon sets.