
Nodegroups

| Name | Instance Type | Purpose | Taint |
| --- | --- | --- | --- |
| unkey | c7a.xlarge | Infrastructure, control plane, Unkey services | node-class=unkey:NoSchedule |
| untrusted | c7a.4xlarge | Untrusted customer workloads (isolated) | node-class=untrusted:NoSchedule |

All nodegroups are tainted, so every pod must set the correct nodeSelector and the matching toleration to be scheduled.

YAML Configuration

unkey

Infrastructure and Unkey services (ArgoCD, cert-manager, control, gw, krane, restate, etc.)
spec:
  nodeSelector:
    node-class: unkey
  tolerations:
    - key: node-class
      operator: Equal
      value: unkey
      effect: NoSchedule

untrusted

Untrusted customer workloads only. No persistent volumes, no AWS identity.
spec:
  nodeSelector:
    node-class: untrusted
  tolerations:
    - key: node-class
      operator: Equal
      value: untrusted
      effect: NoSchedule
Only kube-proxy and vpc-cni run on untrusted nodes.

Troubleshooting

Pod stuck in Pending? Check its nodeSelector and tolerations:
kubectl describe pod <pod-name>
Look for:
  • 0/X nodes are available: X node(s) had taints that the pod didn't tolerate
  • 0/X nodes are available: X node(s) didn't match Pod's node affinity/selector
Other useful commands:
# nodes with labels
kubectl get nodes --show-labels

# taints on a node
kubectl describe node <node-name> | grep -A5 Taints

# pods on a specific node
kubectl get pods -A -o wide --field-selector spec.nodeName=<node-name>
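
The nodegroup rules above as an offline check over `kubectl get pods -A -o json` output. This is an added example, not Unkey's own tooling: the pod names in the sample are constructed, the toleration matching follows Kubernetes' taint rules, and treating a `persistentVolumeClaim` volume as the "persistent volume" signal is an assumption.

```python
import json

NODE_CLASSES = {"unkey", "untrusted"}  # nodegroup taint values from this page

def tolerates(tol, value):
    """Kubernetes matching rules for the taint node-class=<value>:NoSchedule."""
    if tol.get("effect") not in (None, "", "NoSchedule"):
        return False
    if tol.get("operator", "Equal") == "Exists":
        return tol.get("key") in (None, "", "node-class")  # empty key = wildcard
    return tol.get("key") == "node-class" and tol.get("value") == value

def audit_pod(pod):
    """Return findings for one pod object in `kubectl get pod -o json` shape."""
    spec = pod.get("spec", {})
    cls = spec.get("nodeSelector", {}).get("node-class")
    tols = spec.get("tolerations", [])
    findings = []
    if cls not in NODE_CLASSES:
        findings.append("nodeSelector node-class missing or unknown")
    elif not any(tolerates(t, cls) for t in tols):
        findings.append(f"no toleration for node-class={cls}:NoSchedule (stays Pending)")
    # A wildcard or wrong-class toleration leaves nodeSelector as the only guard.
    for other in sorted(NODE_CLASSES - {cls}):
        if any(tolerates(t, other) for t in tols):
            findings.append(f"toleration also matches node-class={other}")
    volumes = spec.get("volumes", [])
    if cls == "untrusted" and any("persistentVolumeClaim" in v for v in volumes):
        findings.append("persistentVolumeClaim on untrusted workload")
    return findings

def audit(pod_list):
    """Map pod name -> findings, for pods that have any."""
    out = {p["metadata"]["name"]: audit_pod(p) for p in pod_list["items"]}
    return {name: f for name, f in out.items() if f}

# Constructed sample input (hypothetical pod names), not real cluster output.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"name": "gw-0"}, "spec": {"nodeSelector": {"node-class": "unkey"},
  "tolerations": [{"key": "node-class", "operator": "Equal", "value": "unkey", "effect": "NoSchedule"}]}},
 {"metadata": {"name": "customer-a"}, "spec": {"nodeSelector": {"node-class": "untrusted"},
  "tolerations": [{"operator": "Exists"}],
  "volumes": [{"name": "data", "persistentVolumeClaim": {"claimName": "data"}}]}},
 {"metadata": {"name": "krane-1"}, "spec": {"nodeSelector": {"node-class": "unkey"}}}
]}""")

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, findings)
```

System DaemonSets such as kube-proxy and vpc-cni carry no node-class nodeSelector, so they will be reported by this check and should be filtered by namespace before acting on the results.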