Each component eligible for running on any control plane node is expected to tolerate `node-role.kubernetes.io/contron-plane:NoExecute` taint. So in 4.17 each control plane node can be tainted with the taint. In parallel deploying a ValidatingAdmissionPolicy and its binding to allow only such components to be executed on control plane nodes.

Most likely by opening OCPBUGS (or on each team's jira board) tickets asking for adding the toleration. We need to reach out to every team in OpenShift (including products built on top of OpenShift) to let them know. Plus, documenting this through a KCS article (to allow customers to adjust their workloads targeting control plane nodes as well).

Optional: worth proposing to start tolerating `node-role.kubernetes.io/control-plane:NoSchedule` alongside so `node-role.kubernetes.io/master:NoSchedule` taint can be deprecated.