All of this can be done in k8s as well.
This file goes through how to run only certain workloads on a specific machine, in this case an infra node.
oc adm taint node infra-1a-fxb5b infra=reserved:NoSchedule
oc adm taint node infra-1a-fxb5b infra=reserved:NoExecute
This results in the following in the node spec:
spec:
  providerID: openstack://269dc19f-ff7d-4d27-bd20-60d15dd5d616
  taints:
  - effect: NoExecute
    key: infra
    value: reserved
  - effect: NoSchedule
    key: infra
    value: reserved
If you are using a MachineSet, don't forget to add your taints there as well, so that new machines come up tainted:
oc patch machineset infra-1a -n openshift-machine-api --type='merge' --patch='{"spec": {"template": {"spec": {"taints": [{"key": "infra","value": "reserved","effect": "NoSchedule"},{"key": "infra","value": "reserved","effect": "NoExecute"}]}}}}'
This matches the taints on the node above.
Patching a custom resource; note the "nodePlacement" in the ingress controller patch.
oc patch ingresscontroller default -n openshift-ingress-operator --type=merge --patch='{"spec":{"nodePlacement": {"nodeSelector": {"matchLabels": {"node-role.kubernetes.io/infra": ""}},"tolerations": [{"effect":"NoSchedule","key": "infra","value": "reserved"},{"effect":"NoExecute","key": "infra","value": "reserved"}]}}}'
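oc patch configs.imageregistry.operator.openshift.io/cluster -n openshift-image-registry --type=merge --patch '{"spec":{"nodeSelector":{"node-role.kubernetes.io/infra":""},"tolerations":[{"effect":"NoSchedule","key":"infra","value":"reserved"},{"effect":"NoExecute","key":"infra","value":"reserved"}]}}'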
To let the openshift-monitoring stack, aka Prometheus, run on the tainted infra nodes you need to create a ConfigMap.
See config.yaml for what it looks like.
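
For reference, a monitoring ConfigMap that carries the same node selector and tolerations as the patches above. This is an added example, not the config.yaml from this repository; the set of components listed is an assumption and should be adjusted to the components your cluster version runs.

```yaml
# Added example: pins monitoring components to infra nodes and lets them
# tolerate the infra=reserved taints set earlier in this file.
apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |
    prometheusOperator:
      nodeSelector:
        node-role.kubernetes.io/infra: ""
      tolerations:
      - {key: infra, value: reserved, effect: NoSchedule}
      - {key: infra, value: reserved, effect: NoExecute}
    prometheusK8s:
      nodeSelector:
        node-role.kubernetes.io/infra: ""
      tolerations:
      - {key: infra, value: reserved, effect: NoSchedule}
      - {key: infra, value: reserved, effect: NoExecute}
    alertmanagerMain:
      nodeSelector:
        node-role.kubernetes.io/infra: ""
      tolerations:
      - {key: infra, value: reserved, effect: NoSchedule}
      - {key: infra, value: reserved, effect: NoExecute}
    kubeStateMetrics:
      nodeSelector:
        node-role.kubernetes.io/infra: ""
      tolerations:
      - {key: infra, value: reserved, effect: NoSchedule}
      - {key: infra, value: reserved, effect: NoExecute}
    openshiftStateMetrics:
      nodeSelector:
        node-role.kubernetes.io/infra: ""
      tolerations:
      - {key: infra, value: reserved, effect: NoSchedule}
      - {key: infra, value: reserved, effect: NoExecute}
    thanosQuerier:
      nodeSelector:
        node-role.kubernetes.io/infra: ""
      tolerations:
      - {key: infra, value: reserved, effect: NoSchedule}
      - {key: infra, value: reserved, effect: NoExecute}
```

After applying it with oc apply -f, oc get pods -n openshift-monitoring -o wide shows which node each monitoring pod landed on.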