What is a DaemonSet, and what's a common use case?
Quick Answer
A DaemonSet ensures that exactly one copy of a Pod runs on every node in the cluster (or every node matching a selector) — as nodes are added, a Pod is automatically scheduled onto them; as nodes are removed, their Pod goes with them. It's the standard way to run node-level infrastructure agents that genuinely need to exist on every machine: log collectors, monitoring/metrics agents, and CNI network plugins.
Detailed Answer
What makes a DaemonSet different from a Deployment
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: log-collector
spec:
selector:
matchLabels:
app: log-collector
template:
metadata:
labels:
app: log-collector
spec:
containers:
- name: fluentd
image: fluentd:latest
Notice there's no replicas field — a DaemonSet doesn't have a fixed count you specify; instead, it runs exactly one Pod per eligible node, automatically. Add a new node to the cluster, and the DaemonSet controller schedules a Pod onto it immediately, with no manual action needed; remove a node (or drain and delete it), and its DaemonSet Pod goes with it. This is fundamentally different from a Deployment, whose replica count is a fixed number that has no inherent relationship to the number of nodes in the cluster.
Common use cases
- Log collection agents (Fluentd, Filebeat, Fluent Bit) — need to run on every node to read and forward container logs written to that node's local disk.
- Monitoring/metrics agents (Prometheus Node Exporter, Datadog Agent) — need node-level visibility (CPU, memory, disk) that can only be gathered by something running directly on each machine.
- CNI network plugins (Calico, Cilium, Flannel) — network configuration that must be set up identically on every node for pod-to-pod networking to work cluster-wide (see the networking topic).
- Storage daemons (Ceph, GlusterFS node agents) — some distributed storage systems need an agent on every node that might mount their volumes.
Restricting a DaemonSet to a subset of nodes
spec:
template:
spec:
nodeSelector:
disktype: ssd # only run on nodes labeled disktype=ssd
Despite the name suggesting "every node," a DaemonSet can be scoped with a nodeSelector or node affinity rules (see the scheduling topic) to only run on a labeled subset — useful for something like a specialized storage agent that only needs to run on nodes actually equipped with the relevant hardware/disk type.
Interaction with taints and tolerations
By default, most Pods won't be scheduled onto a control-plane/master node (which is typically tainted to repel ordinary workloads — see the scheduling topic). DaemonSets commonly include a toleration for these taints specifically because infrastructure agents like log collectors and monitoring tools usually do need to run even on control-plane nodes, unlike ordinary application workloads.
spec:
template:
spec:
tolerations:
- key: node-role.kubernetes.io/control-plane
effect: NoSchedule
Rolling updates for DaemonSets
DaemonSets support a rolling update strategy conceptually similar to Deployments (RollingUpdate or OnDelete), updating one node's Pod at a time rather than all at once — important for infrastructure-critical DaemonSets (like a CNI plugin) where updating every node's networking agent simultaneously could cause a cluster-wide networking outage.