Question 31
Domain 2: Workloads & Scheduling
Which DaemonSet configuration ensures a monitoring agent runs on every node, including control plane nodes tainted with `node-role.kubernetes.io/control-plane:NoSchedule`?
Correct answer: A
Explanation
A DaemonSet schedules one pod per node, but taints like `node-role.kubernetes.io/control-plane:NoSchedule` block pods unless they have a matching toleration. Adding a toleration for `node-role.kubernetes.io/control-plane` with effect `NoSchedule` lets the monitoring agent run on control plane nodes, and the `datadog/agent:latest` image provides the agent container.
Why each option is right or wrong
A. Add a toleration for `node-role.kubernetes.io/control-plane` with effect `NoSchedule` and use the `datadog/agent:latest` image.
Taints are set on nodes and tolerations are declared in the PodSpec, and the scheduler matches one against the other: a node tainted with `node-role.kubernetes.io/control-plane:NoSchedule` will reject pods unless the pod includes a matching toleration for that key and effect (`NoSchedule`). A DaemonSet creates one pod per node, but the agent will still be excluded from control plane nodes unless that toleration is present; using the `datadog/agent:latest` image simply identifies the monitoring container to deploy on each eligible node.
B. Set the DaemonSet replicas to match the number of nodes and use a nodeSelector for worker nodes only.
C. Create a Deployment with a higher replica count and add a toleration for `node.kubernetes.io/not-ready`.
D. Use a StatefulSet with `hostNetwork: true` to guarantee one pod per node.
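
The configuration described in option A, written out as a manifest. This is an added example, not part of the original question; the names `monitoring-agent`, `monitoring` and `datadog-secret`, the secret key `api-key` and the resource figures are assumptions chosen for illustration.

```yaml
apiVersion: apps/v1
kind: DaemonSet                      # one pod per eligible node; DaemonSetSpec has no `replicas` field (rules out B)
metadata:
  name: monitoring-agent             # assumed name
  namespace: monitoring              # assumed namespace
spec:
  selector:
    matchLabels:
      app: monitoring-agent
  template:
    metadata:
      labels:
        app: monitoring-agent
    spec:
      # No nodeSelector: restricting to worker nodes would exclude the
      # control plane, which is the opposite of what the question asks.
      tolerations:
        # Matches the taint node-role.kubernetes.io/control-plane:NoSchedule.
        # operator: Exists tolerates the key regardless of its value.
        - key: node-role.kubernetes.io/control-plane
          operator: Exists
          effect: NoSchedule
      containers:
        - name: agent
          # Image named in the question. `latest` is a mutable tag; in a real
          # cluster, pin a specific version or digest for an agent that runs
          # on every node, control plane included.
          image: datadog/agent:latest
          env:
            - name: DD_API_KEY
              valueFrom:
                secretKeyRef:
                  name: datadog-secret   # assumed Secret name
                  key: api-key           # assumed key within the Secret
          resources:                     # assumed values; bounds the agent on control plane nodes
            requests:
              cpu: 100m
              memory: 256Mi
            limits:
              memory: 512Mi
```

To confirm the result, compare `kubectl get nodes` with `kubectl get pods -n monitoring -l app=monitoring-agent -o wide`: every node, including the tainted control plane nodes, should appear in the NODE column exactly once.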