Bug
Resolution: Done
4.17
Quality / Stability / Reliability
OSDOCS Sprint 269
In the Knowledge Base we document how to add NoSchedule taints to infra nodes.
If customers follow this process, they will be hit by at least two problems for DaemonSets that are not capable of dealing with taints:
Ingress-canary: https://issues.redhat.com/browse/OCPSTRAT-214
iptables-router: https://issues.redhat.com/browse/OCPBUGS-38367
Besides fixing the issue in the DaemonSets, which is handled in other JIRA items, I am expecting documentation on where these pods are expected to run, as it's hard for the customer to tell whether, when adding taints, these pods should continue to be scheduled to workers or not and what effect it has when they don't run there.
It should look similar to what we explain in https://docs.openshift.com/container-platform/4.17/post_installation_configuration/cluster-tasks.html#moving-resources-to-infrastructure-machinesets when moving workloads to infra nodes, or https://docs.openshift.com/container-platform/4.17/machine_management/creating-infrastructure-machinesets.html#creating-infrastructure-machinesets-clouds, which has a specific section for the DNS pods:
"After adding the NoSchedule taint on the infrastructure node, existing DNS pods running on that node are marked as misscheduled. You must either delete or add toleration on misscheduled DNS pods."
So there is a gap in documentation for pods other than the DNS pods that are affected by adding a NoSchedule taint.