From a027b439e58cc0ccae23991c8f25674138e97bc8 Mon Sep 17 00:00:00 2001
From: Patrick Ohly <patrick.ohly@intel.com>
Date: Fri, 7 Mar 2025 15:21:52 +0100
Subject: [PATCH] DRA: add device taint eviction controller

The controller is derived from the node taint eviction controller.
In contrast to that controller it tracks the UID of pods to prevent
deleting the wrong pod when it got replaced.
---
 .../app/controllermanager.go                  |    1 +
 .../app/controllermanager_test.go             |    1 +
 cmd/kube-controller-manager/app/core.go       |   27 +
 .../names/controller_names.go                 |    1 +
 hack/verify-prometheus-imports.sh             |    1 +
 .../device_taint_eviction.go                  |  916 +++++++++
 .../device_taint_eviction_test.go             | 1754 +++++++++++++++++
 pkg/controller/devicetainteviction/doc.go     |    8 +-
 .../devicetainteviction/metrics/metrics.go    |   78 +-
 .../devicetainteviction/taint_eviction.go     |  614 ------
 .../taint_eviction_test.go                    |  941 ---------
 .../tainteviction/namespacedobject.go         |   50 +
 .../tainteviction/taint_eviction.go           |    8 +-
 pkg/controller/tainteviction/timed_workers.go |   47 +-
 .../dynamicresources/dynamicresources_test.go |    2 +-
 pkg/scheduler/testing/wrappers.go             |   20 +-
 .../rbac/bootstrappolicy/controller_policy.go |   18 +
 17 files changed, 2888 insertions(+), 1599 deletions(-)
 create mode 100644 pkg/controller/devicetainteviction/device_taint_eviction.go
 create mode 100644 pkg/controller/devicetainteviction/device_taint_eviction_test.go
 delete mode 100644 pkg/controller/devicetainteviction/taint_eviction.go
 delete mode 100644 pkg/controller/devicetainteviction/taint_eviction_test.go
 create mode 100644 pkg/controller/tainteviction/namespacedobject.go

diff --git a/cmd/kube-controller-manager/app/controllermanager.go b/cmd/kube-controller-manager/app/controllermanager.go
index dc847d66e5d..822f334c94c 100644
--- a/cmd/kube-controller-manager/app/controllermanager.go
+++ b/cmd/kube-controller-manager/app/controllermanager.go
@@ -588,6 +588,7 @@ func NewControllerDescriptors() map[string]*ControllerDescriptor {
 	// feature gated
 	register(newStorageVersionGarbageCollectorControllerDescriptor())
 	register(newResourceClaimControllerDescriptor())
+	register(newDeviceTaintEvictionControllerDescriptor())
 	register(newLegacyServiceAccountTokenCleanerControllerDescriptor())
 	register(newValidatingAdmissionPolicyStatusControllerDescriptor())
 	register(newTaintEvictionControllerDescriptor())
diff --git a/cmd/kube-controller-manager/app/controllermanager_test.go b/cmd/kube-controller-manager/app/controllermanager_test.go
index 88af44ed6d6..dd99d4c8269 100644
--- a/cmd/kube-controller-manager/app/controllermanager_test.go
+++ b/cmd/kube-controller-manager/app/controllermanager_test.go
@@ -93,6 +93,7 @@ func TestControllerNamesDeclaration(t *testing.T) {
 		names.EphemeralVolumeController,
 		names.StorageVersionGarbageCollectorController,
 		names.ResourceClaimController,
+		names.DeviceTaintEvictionController,
 		names.LegacyServiceAccountTokenCleanerController,
 		names.ValidatingAdmissionPolicyStatusController,
 		names.ServiceCIDRController,
diff --git a/cmd/kube-controller-manager/app/core.go b/cmd/kube-controller-manager/app/core.go
index a6b9f5bb6e3..500903de4d0 100644
--- a/cmd/kube-controller-manager/app/core.go
+++ b/cmd/kube-controller-manager/app/core.go
@@ -41,6 +41,7 @@ import (
 	"k8s.io/klog/v2"
 	"k8s.io/kubernetes/cmd/kube-controller-manager/names"
 	pkgcontroller "k8s.io/kubernetes/pkg/controller"
+	"k8s.io/kubernetes/pkg/controller/devicetainteviction"
 	endpointcontroller "k8s.io/kubernetes/pkg/controller/endpoint"
 	"k8s.io/kubernetes/pkg/controller/garbagecollector"
 	namespacecontroller "k8s.io/kubernetes/pkg/controller/namespace"
@@ -231,6 +232,32 @@ func startTaintEvictionController(ctx context.Context, controllerContext Control
 	return nil, true, nil
 }
 
+func newDeviceTaintEvictionControllerDescriptor() *ControllerDescriptor {
+	return &ControllerDescriptor{
+		name:     names.DeviceTaintEvictionController,
+		initFunc: startDeviceTaintEvictionController,
+		requiredFeatureGates: []featuregate.Feature{
+			// TODO update app.TestFeatureGatedControllersShouldNotDefineAliases when removing these feature gates.
+			features.DynamicResourceAllocation,
+			features.DRADeviceTaints,
+		},
+	}
+}
+
+func startDeviceTaintEvictionController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
+	deviceTaintEvictionController := devicetainteviction.New(
+		controllerContext.ClientBuilder.ClientOrDie(names.DeviceTaintEvictionController),
+		controllerContext.InformerFactory.Core().V1().Pods(),
+		controllerContext.InformerFactory.Resource().V1beta1().ResourceClaims(),
+		controllerContext.InformerFactory.Resource().V1beta1().ResourceSlices(),
+		controllerContext.InformerFactory.Resource().V1alpha3().DeviceTaintRules(),
+		controllerContext.InformerFactory.Resource().V1beta1().DeviceClasses(),
+		controllerName,
+	)
+	go deviceTaintEvictionController.Run(ctx)
+	return nil, true, nil
+}
+
 func newCloudNodeLifecycleControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
 		name:                      cpnames.CloudNodeLifecycleController,
diff --git a/cmd/kube-controller-manager/names/controller_names.go b/cmd/kube-controller-manager/names/controller_names.go
index db88935c4c7..7aa1b6998c0 100644
--- a/cmd/kube-controller-manager/names/controller_names.go
+++ b/cmd/kube-controller-manager/names/controller_names.go
@@ -69,6 +69,7 @@ const (
 	NodeIpamController                                 = "node-ipam-controller"
 	NodeLifecycleController                            = "node-lifecycle-controller"
 	TaintEvictionController                            = "taint-eviction-controller"
+	DeviceTaintEvictionController                      = "device-taint-eviction-controller"
 	PersistentVolumeBinderController                   = "persistentvolume-binder-controller"
 	PersistentVolumeAttachDetachController             = "persistentvolume-attach-detach-controller"
 	PersistentVolumeExpanderController                 = "persistentvolume-expander-controller"
diff --git a/hack/verify-prometheus-imports.sh b/hack/verify-prometheus-imports.sh
index ba1321e1e41..18a67e77922 100755
--- a/hack/verify-prometheus-imports.sh
+++ b/hack/verify-prometheus-imports.sh
@@ -37,6 +37,7 @@ source "${KUBE_ROOT}/hack/lib/util.sh"
 # See: https://github.com/kubernetes/kubernetes/issues/89267
 allowed_prometheus_importers=(
   ./cluster/images/etcd-version-monitor/etcd-version-monitor.go
+  ./pkg/controller/devicetainteviction/device_taint_eviction_test.go
   ./staging/src/k8s.io/component-base/metrics/prometheusextension/timing_histogram.go
   ./staging/src/k8s.io/component-base/metrics/prometheusextension/timing_histogram_test.go
   ./staging/src/k8s.io/component-base/metrics/prometheusextension/timing_histogram_vec.go
diff --git a/pkg/controller/devicetainteviction/device_taint_eviction.go b/pkg/controller/devicetainteviction/device_taint_eviction.go
new file mode 100644
index 00000000000..a2cc9354a58
--- /dev/null
+++ b/pkg/controller/devicetainteviction/device_taint_eviction.go
@@ -0,0 +1,916 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package devicetainteviction
+
+import (
+	"context"
+	"fmt"
+	"math"
+	"slices"
+	"strings"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	"github.com/google/go-cmp/cmp" //nolint:depguard // Discouraged for production use (https://github.com/kubernetes/kubernetes/issues/104821) but has no good alternative for logging.
+
+	v1 "k8s.io/api/core/v1"
+	resourceapi "k8s.io/api/resource/v1beta1"
+	apiequality "k8s.io/apimachinery/pkg/api/equality"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/apimachinery/pkg/util/sets"
+	coreinformers "k8s.io/client-go/informers/core/v1"
+	resourcealphainformers "k8s.io/client-go/informers/resource/v1alpha3"
+	resourceinformers "k8s.io/client-go/informers/resource/v1beta1"
+	clientset "k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/kubernetes/scheme"
+	v1core "k8s.io/client-go/kubernetes/typed/core/v1"
+	corelisters "k8s.io/client-go/listers/core/v1"
+	"k8s.io/client-go/tools/cache"
+	"k8s.io/client-go/tools/record"
+	"k8s.io/dynamic-resource-allocation/resourceclaim"
+	resourceslicetracker "k8s.io/dynamic-resource-allocation/resourceslice/tracker"
+	"k8s.io/klog/v2"
+	apipod "k8s.io/kubernetes/pkg/api/v1/pod"
+	"k8s.io/kubernetes/pkg/controller/devicetainteviction/metrics"
+	"k8s.io/kubernetes/pkg/controller/tainteviction"
+	utilpod "k8s.io/kubernetes/pkg/util/pod"
+)
+
+const (
+	// retries is the number of times that the controller tries to delete a pod
+	// that needs to be evicted.
+	retries = 5
+)
+
+// Controller listens to Taint changes of DRA devices and Toleration changes of ResourceClaims,
+// then deletes Pods which use ResourceClaims that don't tolerate a NoExecute taint.
+// Pods which have already reached a final state (aka terminated) don't need to be deleted.
+//
+// All of the logic which identifies pods which need to be evicted runs in the
+// handle* event handlers. They don't call any blocking method. All the blocking
+// calls happen in a [tainteviction.TimedWorkerQueue], using the context passed to Run.
+//
+// The [resourceslicetracker] takes care of applying taints defined in DeviceTaintRules
+// to ResourceSlices. This controller here receives modified ResourceSlices with all
+// applicable taints from that tracker and doesn't need to care about where a
+// taint came from, the DRA driver or a DeviceTaintRule.
+type Controller struct {
+	name string
+
+	// logger is the general-purpose logger to be used for background activities.
+	logger klog.Logger
+
+	// handlerLogger is specifically for logging during event handling. It may be nil
+	// if no such logging is desired.
+	eventLogger *klog.Logger
+
+	client        clientset.Interface
+	recorder      record.EventRecorder
+	podInformer   coreinformers.PodInformer
+	podLister     corelisters.PodLister
+	claimInformer resourceinformers.ResourceClaimInformer
+	sliceInformer resourceinformers.ResourceSliceInformer
+	taintInformer resourcealphainformers.DeviceTaintRuleInformer
+	classInformer resourceinformers.DeviceClassInformer
+	haveSynced    []cache.InformerSynced
+	metrics       metrics.Metrics
+
+	// evictPod ensures that the pod gets evicted at the specified time.
+	// It doesn't block.
+	evictPod func(pod tainteviction.NamespacedObject, fireAt time.Time)
+
+	// cancelEvict cancels eviction set up with evictPod earlier.
+	// Idempotent, returns false if there was nothing to cancel.
+	cancelEvict func(pod tainteviction.NamespacedObject) bool
+
+	// allocatedClaims holds all currently known allocated claims.
+	allocatedClaims map[types.NamespacedName]allocatedClaim // A value is slightly more efficient in BenchmarkTaintUntaint (less allocations!).
+
+	// pools indexes all slices by driver and pool name.
+	pools map[poolID]pool
+
+	hasSynced atomic.Int32
+}
+
+type poolID struct {
+	driverName, poolName string
+}
+
+type pool struct {
+	slices        sets.Set[*resourceapi.ResourceSlice]
+	maxGeneration int64
+}
+
+// addSlice adds one slice to the pool.
+func (p *pool) addSlice(slice *resourceapi.ResourceSlice) {
+	if slice == nil {
+		return
+	}
+	if p.slices == nil {
+		p.slices = sets.New[*resourceapi.ResourceSlice]()
+		p.maxGeneration = math.MinInt64
+	}
+	p.slices.Insert(slice)
+
+	// Adding a slice can only increase the generation.
+	if slice.Spec.Pool.Generation > p.maxGeneration {
+		p.maxGeneration = slice.Spec.Pool.Generation
+	}
+}
+
+// removeSlice removes a slice. It must have been added before.
+func (p *pool) removeSlice(slice *resourceapi.ResourceSlice) {
+	if slice == nil {
+		return
+	}
+	p.slices.Delete(slice)
+
+	// Removing a slice might have decreased the generation to
+	// that of some other slice.
+	if slice.Spec.Pool.Generation == p.maxGeneration {
+		maxGeneration := int64(math.MinInt64)
+		for slice := range p.slices {
+			if slice.Spec.Pool.Generation > maxGeneration {
+				maxGeneration = slice.Spec.Pool.Generation
+			}
+		}
+		p.maxGeneration = maxGeneration
+	}
+}
+
+// getTaintedDevices appends all device taints with NoExecute effect.
+// The result is sorted by device name.
+func (p pool) getTaintedDevices() []taintedDevice {
+	var buffer []taintedDevice
+	for slice := range p.slices {
+		if slice.Spec.Pool.Generation != p.maxGeneration {
+			continue
+		}
+		for _, device := range slice.Spec.Devices {
+			if device.Basic == nil {
+				// Unknown device type, not supported.
+				continue
+			}
+			for _, taint := range device.Basic.Taints {
+				if taint.Effect != resourceapi.DeviceTaintEffectNoExecute {
+					continue
+				}
+				buffer = append(buffer, taintedDevice{deviceName: device.Name, taint: taint})
+			}
+		}
+	}
+
+	// slices.SortFunc is more efficient than sort.Slice here.
+	slices.SortFunc(buffer, func(a, b taintedDevice) int {
+		return strings.Compare(a.deviceName, b.deviceName)
+	})
+	return buffer
+}
+
+// getDevice looks up one device by name. Out-dated slices are ignored.
+func (p pool) getDevice(deviceName string) *resourceapi.BasicDevice {
+	for slice := range p.slices {
+		if slice.Spec.Pool.Generation != p.maxGeneration {
+			continue
+		}
+		for _, device := range slice.Spec.Devices {
+			if device.Basic == nil {
+				// Unknown device type, not supported.
+				continue
+			}
+			if device.Name == deviceName {
+				return device.Basic
+			}
+		}
+	}
+
+	return nil
+}
+
+type taintedDevice struct {
+	deviceName string
+	taint      resourceapi.DeviceTaint
+}
+
+// allocatedClaim is a ResourceClaim which has an allocation result. It
+// may or may not be tainted such that pods need to be evicted.
+type allocatedClaim struct {
+	*resourceapi.ResourceClaim
+
+	// evictionTime, if non-nil, is the time at which pods using this claim need to be evicted.
+	// This is the smallest value of all such per-device values.
+	// For each device, the value is calculated as `<time of setting the taint> +
+	// <toleration seconds, 0 if not set>`.
+	evictionTime *metav1.Time
+}
+
+func (tc *Controller) deletePodHandler(c clientset.Interface, emitEventFunc func(tainteviction.NamespacedObject)) func(ctx context.Context, fireAt time.Time, args *tainteviction.WorkArgs) error {
+	return func(ctx context.Context, fireAt time.Time, args *tainteviction.WorkArgs) error {
+		klog.FromContext(ctx).Info("Deleting pod", "pod", args.Object)
+		var err error
+		for i := 0; i < retries; i++ {
+			err = addConditionAndDeletePod(ctx, c, args.Object, &emitEventFunc)
+			if apierrors.IsNotFound(err) {
+				// Not a problem, the work is done.
+				// But we didn't do it, so don't
+				// bump the metric.
+				return nil
+			}
+			if err == nil {
+				tc.metrics.PodDeletionsTotal.Inc()
+				tc.metrics.PodDeletionsLatency.Observe(float64(time.Since(fireAt).Seconds()))
+				return nil
+			}
+			time.Sleep(10 * time.Millisecond)
+		}
+		return err
+	}
+}
+
+func addConditionAndDeletePod(ctx context.Context, c clientset.Interface, podRef tainteviction.NamespacedObject, emitEventFunc *func(tainteviction.NamespacedObject)) (err error) {
+	pod, err := c.CoreV1().Pods(podRef.Namespace).Get(ctx, podRef.Name, metav1.GetOptions{})
+	if err != nil {
+		return err
+	}
+
+	if pod.UID != podRef.UID {
+		// This special error suppresses event logging in our caller and prevents further retries.
+		// We can stop because the pod we were meant to evict is already gone and happens to
+		// be replaced by some other pod which reuses the same name.
+		return apierrors.NewNotFound(v1.SchemeGroupVersion.WithResource("pods").GroupResource(), pod.Name)
+	}
+
+	// Emit the event only once, and only if we are actually doing something.
+	if *emitEventFunc != nil {
+		(*emitEventFunc)(podRef)
+		*emitEventFunc = nil
+	}
+
+	newStatus := pod.Status.DeepCopy()
+	updated := apipod.UpdatePodCondition(newStatus, &v1.PodCondition{
+		Type:    v1.DisruptionTarget,
+		Status:  v1.ConditionTrue,
+		Reason:  "DeletionByDeviceTaintManager",
+		Message: "Device Taint manager: deleting due to NoExecute taint",
+	})
+	if updated {
+		if _, _, _, err := utilpod.PatchPodStatus(ctx, c, pod.Namespace, pod.Name, pod.UID, pod.Status, *newStatus); err != nil {
+			return err
+		}
+	}
+	// Unlikely, but it could happen that the pod we got above got replaced with
+	// another pod using the same name in the meantime. Include a precondition
+	// to prevent that race. This delete attempt then fails and the next one detects
+	// the new pod and stops retrying.
+	return c.CoreV1().Pods(podRef.Namespace).Delete(ctx, podRef.Name, metav1.DeleteOptions{
+		Preconditions: &metav1.Preconditions{
+			UID: &podRef.UID,
+		},
+	})
+}
+
+// New creates a new Controller that will use passed clientset to communicate with the API server.
+// Spawns no goroutines. That happens in Run.
+func New(c clientset.Interface, podInformer coreinformers.PodInformer, claimInformer resourceinformers.ResourceClaimInformer, sliceInformer resourceinformers.ResourceSliceInformer, taintInformer resourcealphainformers.DeviceTaintRuleInformer, classInformer resourceinformers.DeviceClassInformer, controllerName string) *Controller {
+	metrics.Register() // It would be nicer to pass the controller name here, but that probably would break generating https://kubernetes.io/docs/reference/instrumentation/metrics.
+
+	tc := &Controller{
+		name: controllerName,
+
+		client:          c,
+		podInformer:     podInformer,
+		podLister:       podInformer.Lister(),
+		claimInformer:   claimInformer,
+		sliceInformer:   sliceInformer,
+		taintInformer:   taintInformer,
+		classInformer:   classInformer,
+		allocatedClaims: make(map[types.NamespacedName]allocatedClaim),
+		pools:           make(map[poolID]pool),
+		// Instantiate all informers now to ensure that they get started.
+		haveSynced: []cache.InformerSynced{
+			podInformer.Informer().HasSynced,
+			claimInformer.Informer().HasSynced,
+			sliceInformer.Informer().HasSynced,
+			taintInformer.Informer().HasSynced,
+			classInformer.Informer().HasSynced,
+		},
+		metrics: metrics.Global,
+	}
+
+	return tc
+}
+
+// Run starts the controller which will run until the context is done.
+func (tc *Controller) Run(ctx context.Context) {
+	defer utilruntime.HandleCrash()
+	logger := klog.FromContext(ctx)
+	logger.Info("Starting", "controller", tc.name)
+	defer logger.Info("Shutting down controller", "controller", tc.name)
+	tc.logger = logger
+
+	// Doing debug logging?
+	if loggerV := logger.V(6); loggerV.Enabled() {
+		tc.eventLogger = &loggerV
+	}
+
+	// Delayed construction of broadcaster because it spawns goroutines.
+	// tc.recorder.Eventf is a local in-memory operation which never
+	// blocks, so it is safe to call from an event handler. The
+	// actual API calls then happen in those spawned goroutines.
+	eventBroadcaster := record.NewBroadcaster(record.WithContext(ctx))
+	tc.recorder = eventBroadcaster.NewRecorder(scheme.Scheme, v1.EventSource{Component: tc.name}).WithLogger(logger)
+	defer eventBroadcaster.Shutdown()
+
+	taintEvictionQueue := tainteviction.CreateWorkerQueue(tc.deletePodHandler(tc.client, tc.emitPodDeletionEvent))
+	evictPod := tc.evictPod
+	tc.evictPod = func(podRef tainteviction.NamespacedObject, fireAt time.Time) {
+		// Only relevant for testing.
+		if evictPod != nil {
+			evictPod(podRef, fireAt)
+		}
+		taintEvictionQueue.UpdateWork(ctx, &tainteviction.WorkArgs{Object: podRef}, time.Now(), fireAt)
+	}
+	cancelEvict := tc.cancelEvict
+	tc.cancelEvict = func(podRef tainteviction.NamespacedObject) bool {
+		if cancelEvict != nil {
+			cancelEvict(podRef)
+		}
+		return taintEvictionQueue.CancelWork(logger, podRef.NamespacedName.String())
+	}
+
+	// Start events processing pipeline.
+	eventBroadcaster.StartStructuredLogging(3)
+	if tc.client != nil {
+		logger.Info("Sending events to api server")
+		eventBroadcaster.StartRecordingToSink(&v1core.EventSinkImpl{Interface: tc.client.CoreV1().Events("")})
+	} else {
+		logger.Error(nil, "kubeClient is nil", "controller", tc.name)
+		klog.FlushAndExit(klog.ExitFlushTimeout, 1)
+	}
+	defer eventBroadcaster.Shutdown()
+
+	// mutex serializes event processing.
+	var mutex sync.Mutex
+
+	claimHandler, _ := tc.claimInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
+		AddFunc: func(obj any) {
+			claim, ok := obj.(*resourceapi.ResourceClaim)
+			if !ok {
+				logger.Error(nil, "Expected ResourceClaim", "actual", fmt.Sprintf("%T", obj))
+				return
+			}
+			mutex.Lock()
+			defer mutex.Unlock()
+			tc.handleClaimChange(nil, claim)
+		},
+		UpdateFunc: func(oldObj, newObj any) {
+			oldClaim, ok := oldObj.(*resourceapi.ResourceClaim)
+			if !ok {
+				logger.Error(nil, "Expected ResourceClaim", "actual", fmt.Sprintf("%T", oldObj))
+				return
+			}
+			newClaim, ok := newObj.(*resourceapi.ResourceClaim)
+			if !ok {
+				logger.Error(nil, "Expected ResourceClaim", "actual", fmt.Sprintf("%T", newObj))
+			}
+			mutex.Lock()
+			defer mutex.Unlock()
+			tc.handleClaimChange(oldClaim, newClaim)
+		},
+		DeleteFunc: func(obj any) {
+			if tombstone, ok := obj.(cache.DeletedFinalStateUnknown); ok {
+				obj = tombstone.Obj
+			}
+			claim, ok := obj.(*resourceapi.ResourceClaim)
+			if !ok {
+				logger.Error(nil, "Expected ResourceClaim", "actual", fmt.Sprintf("%T", obj))
+				return
+			}
+			mutex.Lock()
+			defer mutex.Unlock()
+			tc.handleClaimChange(claim, nil)
+		},
+	})
+	defer func() {
+		_ = tc.claimInformer.Informer().RemoveEventHandler(claimHandler)
+	}()
+	tc.haveSynced = append(tc.haveSynced, claimHandler.HasSynced)
+
+	podHandler, _ := tc.podInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
+		AddFunc: func(obj any) {
+			pod, ok := obj.(*v1.Pod)
+			if !ok {
+				logger.Error(nil, "Expected ResourcePod", "actual", fmt.Sprintf("%T", obj))
+				return
+			}
+			mutex.Lock()
+			defer mutex.Unlock()
+			tc.handlePodChange(nil, pod)
+		},
+		UpdateFunc: func(oldObj, newObj any) {
+			oldPod, ok := oldObj.(*v1.Pod)
+			if !ok {
+				logger.Error(nil, "Expected Pod", "actual", fmt.Sprintf("%T", oldObj))
+				return
+			}
+			newPod, ok := newObj.(*v1.Pod)
+			if !ok {
+				logger.Error(nil, "Expected Pod", "actual", fmt.Sprintf("%T", newObj))
+			}
+			mutex.Lock()
+			defer mutex.Unlock()
+			tc.handlePodChange(oldPod, newPod)
+		},
+		DeleteFunc: func(obj any) {
+			if tombstone, ok := obj.(cache.DeletedFinalStateUnknown); ok {
+				obj = tombstone.Obj
+			}
+			pod, ok := obj.(*v1.Pod)
+			if !ok {
+				logger.Error(nil, "Expected Pod", "actual", fmt.Sprintf("%T", obj))
+				return
+			}
+			mutex.Lock()
+			defer mutex.Unlock()
+			tc.handlePodChange(pod, nil)
+		},
+	})
+	defer func() {
+		_ = tc.podInformer.Informer().RemoveEventHandler(podHandler)
+	}()
+	tc.haveSynced = append(tc.haveSynced, podHandler.HasSynced)
+
+	opts := resourceslicetracker.Options{
+		EnableDeviceTaints: true,
+		SliceInformer:      tc.sliceInformer,
+		TaintInformer:      tc.taintInformer,
+		ClassInformer:      tc.classInformer,
+		KubeClient:         tc.client,
+	}
+	sliceTracker, err := resourceslicetracker.StartTracker(ctx, opts)
+	if err != nil {
+		logger.Info("Failed to initialize ResourceSlice tracker; device taint processing leading to Pod eviction is now paused", "err", err)
+		return
+	}
+	tc.haveSynced = append(tc.haveSynced, sliceTracker.HasSynced)
+	defer sliceTracker.Stop()
+
+	// Wait for tracker to sync before we react to events.
+	// This doesn't have to be perfect, it merely avoids unnecessary
+	// work which might be done as events get emitted for intermediate
+	// state.
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, tc.haveSynced...) {
+		return
+	}
+	logger.V(1).Info("Underlying informers have synced")
+
+	_, _ = sliceTracker.AddEventHandler(cache.ResourceEventHandlerFuncs{
+		AddFunc: func(obj any) {
+			slice, ok := obj.(*resourceapi.ResourceSlice)
+			if !ok {
+				logger.Error(nil, "Expected ResourceSlice", "actual", fmt.Sprintf("%T", obj))
+				return
+			}
+			mutex.Lock()
+			defer mutex.Unlock()
+			tc.handleSliceChange(nil, slice)
+		},
+		UpdateFunc: func(oldObj, newObj any) {
+			oldSlice, ok := oldObj.(*resourceapi.ResourceSlice)
+			if !ok {
+				logger.Error(nil, "Expected ResourceSlice", "actual", fmt.Sprintf("%T", oldObj))
+				return
+			}
+			newSlice, ok := newObj.(*resourceapi.ResourceSlice)
+			if !ok {
+				logger.Error(nil, "Expected ResourceSlice", "actual", fmt.Sprintf("%T", newObj))
+			}
+			mutex.Lock()
+			defer mutex.Unlock()
+			tc.handleSliceChange(oldSlice, newSlice)
+		},
+		DeleteFunc: func(obj any) {
+			// No need to check for DeletedFinalStateUnknown here, the resourceslicetracker doesn't use that.
+			slice, ok := obj.(*resourceapi.ResourceSlice)
+			if !ok {
+				logger.Error(nil, "Expected ResourceSlice", "actual", fmt.Sprintf("%T", obj))
+				return
+			}
+			mutex.Lock()
+			defer mutex.Unlock()
+			tc.handleSliceChange(slice, nil)
+		},
+	})
+
+	// sliceTracker.AddEventHandler blocked while delivering events for all known
+	// ResourceSlices. Therefore our own state is up-to-date once we get here.
+	tc.hasSynced.Store(1)
+
+	<-ctx.Done()
+}
+
+func (tc *Controller) handleClaimChange(oldClaim, newClaim *resourceapi.ResourceClaim) {
+	claim := newClaim
+	if claim == nil {
+		claim = oldClaim
+	}
+	name := newNamespacedName(claim)
+	if tc.eventLogger != nil {
+		// This is intentionally very verbose for debugging.
+		tc.eventLogger.Info("ResourceClaim changed", "claimObject", name, "oldClaim", klog.Format(oldClaim), "newClaim", klog.Format(newClaim), "diff", cmp.Diff(oldClaim, newClaim))
+	}
+
+	// Deleted?
+	if newClaim == nil {
+		delete(tc.allocatedClaims, name)
+		tc.handlePods(claim)
+		return
+	}
+
+	// Added?
+	if oldClaim == nil {
+		if claim.Status.Allocation == nil {
+			return
+		}
+		tc.allocatedClaims[name] = allocatedClaim{
+			ResourceClaim: claim,
+			evictionTime:  tc.evictionTime(claim.Status.Allocation),
+		}
+		tc.handlePods(claim)
+		return
+	}
+
+	// If we have two claims, the UID might still be different. Unlikely, but not impossible...
+	// Treat this like a remove + add.
+	if oldClaim.UID != newClaim.UID {
+		tc.handleClaimChange(oldClaim, nil)
+		tc.handleClaimChange(nil, newClaim)
+		return
+	}
+
+	syncBothClaims := func() {
+		// ReservedFor may have changed. If it did, sync both old and new lists,
+		// otherwise only once (same list).
+		if !slices.Equal(oldClaim.Status.ReservedFor, newClaim.Status.ReservedFor) {
+			tc.handlePods(oldClaim)
+			tc.handlePods(newClaim)
+		} else {
+			tc.handlePods(claim)
+		}
+	}
+
+	// Allocation added?
+	if oldClaim.Status.Allocation == nil && newClaim.Status.Allocation != nil {
+		tc.allocatedClaims[name] = allocatedClaim{
+			ResourceClaim: claim,
+			evictionTime:  tc.evictionTime(claim.Status.Allocation),
+		}
+		syncBothClaims()
+		return
+	}
+
+	// Allocation removed?
+	if oldClaim.Status.Allocation != nil && newClaim.Status.Allocation == nil {
+		delete(tc.allocatedClaims, name)
+		syncBothClaims()
+		return
+	}
+
+	// Allocated before and after?
+	if claim.Status.Allocation != nil {
+		// The Allocation is immutable, so we don't need to recompute the eviction
+		// time. Storing the newer claim is enough.
+		tc.allocatedClaims[name] = allocatedClaim{
+			ResourceClaim: claim,
+			evictionTime:  tc.allocatedClaims[name].evictionTime,
+		}
+		syncBothClaims()
+		return
+	}
+
+	// If we get here, nothing changed.
+}
+
+// evictionTime returns the earliest TimeAdded of any NoExecute taint in any allocated device
+// unless that taint is tolerated, nil if none.
+func (tc *Controller) evictionTime(allocation *resourceapi.AllocationResult) *metav1.Time {
+	var evictionTime *metav1.Time
+
+	for _, allocatedDevice := range allocation.Devices.Results {
+		device := tc.pools[poolID{driverName: allocatedDevice.Driver, poolName: allocatedDevice.Pool}].getDevice(allocatedDevice.Device)
+		if device == nil {
+			// Unknown device? Can't be tainted...
+			continue
+		}
+
+	nextTaint:
+		for _, taint := range device.Taints {
+			if taint.Effect != resourceapi.DeviceTaintEffectNoExecute {
+				continue
+			}
+
+			newEvictionTime := taint.TimeAdded
+			haveToleration := false
+			tolerationSeconds := int64(math.MaxInt64)
+			for _, toleration := range allocatedDevice.Tolerations {
+				if toleration.Effect == resourceapi.DeviceTaintEffectNoExecute &&
+					resourceclaim.ToleratesTaint(toleration, taint) {
+					if toleration.TolerationSeconds == nil {
+						// Tolerate forever -> ignore taint.
+						continue nextTaint
+					}
+					newTolerationSeconds := *toleration.TolerationSeconds
+					if newTolerationSeconds < 0 {
+						newTolerationSeconds = 0
+					}
+					if newTolerationSeconds < tolerationSeconds {
+						tolerationSeconds = newTolerationSeconds
+					}
+					haveToleration = true
+				}
+			}
+			if haveToleration {
+				newEvictionTime = &metav1.Time{Time: newEvictionTime.Add(time.Duration(tolerationSeconds) * time.Second)}
+			}
+
+			if evictionTime == nil {
+				evictionTime = newEvictionTime
+				continue
+			}
+			if newEvictionTime != nil && newEvictionTime.Before(evictionTime) {
+				evictionTime = newEvictionTime
+			}
+		}
+	}
+
+	return evictionTime
+}
+
+func (tc *Controller) handleSliceChange(oldSlice, newSlice *resourceapi.ResourceSlice) {
+	slice := newSlice
+	if slice == nil {
+		slice = oldSlice
+	}
+	poolID := poolID{
+		driverName: slice.Spec.Driver,
+		poolName:   slice.Spec.Pool.Name,
+	}
+	if tc.eventLogger != nil {
+		// This is intentionally very verbose for debugging.
+		tc.eventLogger.Info("ResourceSlice changed", "pool", poolID, "oldSlice", klog.Format(oldSlice), "newSlice", klog.Format(newSlice), "diff", cmp.Diff(oldSlice, newSlice))
+	}
+
+	// Determine old and new device taints. Only devices
+	// where something changes trigger additional checks for claims
+	// using them.
+	//
+	// The pre-allocated slices are small enough to be allocated on
+	// the stack (https://stackoverflow.com/a/69187698/222305).
+	p := tc.pools[poolID]
+	oldDeviceTaints := p.getTaintedDevices()
+	p.removeSlice(oldSlice)
+	p.addSlice(newSlice)
+	if len(p.slices) == 0 {
+		delete(tc.pools, poolID)
+	} else {
+		tc.pools[poolID] = p
+	}
+	newDeviceTaints := p.getTaintedDevices()
+
+	// Now determine differences. This depends on both slices having been sorted
+	// by device name.
+	if len(oldDeviceTaints) == 0 && len(newDeviceTaints) == 0 {
+		// Both empty, no changes.
+		return
+	}
+	modifiedDevices := sets.New[string]()
+	o, n := 0, 0
+	for o < len(oldDeviceTaints) || n < len(newDeviceTaints) {
+		// Iterate over devices in both slices with the same name.
+		for o < len(oldDeviceTaints) && n < len(newDeviceTaints) && oldDeviceTaints[o].deviceName == newDeviceTaints[n].deviceName {
+			if !apiequality.Semantic.DeepEqual(oldDeviceTaints[o].taint, newDeviceTaints[n].taint) { // TODO: hard-code the comparison?
+				modifiedDevices.Insert(oldDeviceTaints[o].deviceName)
+			}
+			o++
+			n++
+		}
+
+		// Step over old devices which were removed.
+		newDeviceName := ""
+		if n < len(newDeviceTaints) {
+			newDeviceName = newDeviceTaints[n].deviceName
+		}
+		for o < len(oldDeviceTaints) && oldDeviceTaints[o].deviceName != newDeviceName {
+			modifiedDevices.Insert(oldDeviceTaints[o].deviceName)
+			o++
+		}
+
+		// Step over new devices which were added.
+		oldDeviceName := ""
+		if o < len(oldDeviceTaints) {
+			oldDeviceName = oldDeviceTaints[o].deviceName
+		}
+		if n < len(newDeviceTaints) && newDeviceTaints[n].deviceName != oldDeviceName {
+			modifiedDevices.Insert(newDeviceTaints[n].deviceName)
+			n++
+		}
+	}
+
+	// Now find all claims using at least one modified device,
+	// update their eviction time, and handle their consuming pods.
+	for name, claim := range tc.allocatedClaims {
+		if !usesDevice(claim.Status.Allocation, poolID, modifiedDevices) {
+			continue
+		}
+		newEvictionTime := tc.evictionTime(claim.ResourceClaim.Status.Allocation)
+		if newEvictionTime.Equal(claim.evictionTime) {
+			// No change.
+			continue
+		}
+		claim.evictionTime = newEvictionTime
+		tc.allocatedClaims[name] = claim
+		// We could collect pods which depend on claims with changes.
+		// In practice, most pods probably depend on one claim, so
+		// it is probably more efficient to avoid building such a map
+		// to make the common case simple.
+		tc.handlePods(claim.ResourceClaim)
+	}
+}
+
+func usesDevice(allocation *resourceapi.AllocationResult, pool poolID, modifiedDevices sets.Set[string]) bool {
+	for _, device := range allocation.Devices.Results {
+		if device.Driver == pool.driverName &&
+			device.Pool == pool.poolName &&
+			modifiedDevices.Has(device.Device) {
+			return true
+		}
+	}
+	return false
+}
+
+func (tc *Controller) handlePodChange(oldPod, newPod *v1.Pod) {
+	pod := newPod
+	if pod == nil {
+		pod = oldPod
+	}
+	if tc.eventLogger != nil {
+		// This is intentionally very verbose for debugging.
+		tc.eventLogger.Info("Pod changed", "pod", klog.KObj(pod), "oldPod", klog.Format(oldPod), "newPod", klog.Format(newPod), "diff", cmp.Diff(oldPod, newPod))
+	}
+	if newPod == nil {
+		// Nothing left to do for it. No need to emit an event here, it's gone.
+		tc.cancelEvict(newObject(oldPod))
+		return
+	}
+
+	// Pods get updated quite frequently. There's no need
+	// to check them again unless something changed regarding
+	// their claims.
+	//
+	// In particular this prevents adding the pod again
+	// directly after the eviction condition got added
+	// to it.
+	if oldPod != nil &&
+		apiequality.Semantic.DeepEqual(oldPod.Status.ResourceClaimStatuses, newPod.Status.ResourceClaimStatuses) {
+		return
+	}
+
+	tc.handlePod(newPod)
+}
+
+func (tc *Controller) handlePods(claim *resourceapi.ResourceClaim) {
+	for _, consumer := range claim.Status.ReservedFor {
+		if consumer.APIGroup == "" && consumer.Resource == "pods" {
+			pod, err := tc.podInformer.Lister().Pods(claim.Namespace).Get(consumer.Name)
+			if err != nil {
+				if apierrors.IsNotFound(err) {
+					return
+				}
+				// Should not happen.
+				utilruntime.HandleErrorWithLogger(tc.logger, err, "retrieve pod from cache")
+				return
+			}
+			if pod.UID != consumer.UID {
+				// Not the pod we were looking for.
+				return
+			}
+			tc.handlePod(pod)
+		}
+	}
+}
+
+func (tc *Controller) handlePod(pod *v1.Pod) {
+	// Not scheduled yet? No need to evict.
+	if pod.Spec.NodeName == "" {
+		return
+	}
+
+	// If any claim in use by the pod is tainted such that the taint is not tolerated,
+	// the pod needs to be evicted.
+	var evictionTime *metav1.Time
+	for i := range pod.Spec.ResourceClaims {
+		claimName, mustCheckOwner, err := resourceclaim.Name(pod, &pod.Spec.ResourceClaims[i])
+		if err != nil {
+			// Not created yet or unsupported. Definitely not tainted.
+			continue
+		}
+		if claimName == nil {
+			// Claim not needed.
+			continue
+		}
+		allocatedClaim, ok := tc.allocatedClaims[types.NamespacedName{Namespace: pod.Namespace, Name: *claimName}]
+		if !ok {
+			// Referenced, but not found or not allocated. Also not tainted.
+			continue
+		}
+		if mustCheckOwner && resourceclaim.IsForPod(pod, allocatedClaim.ResourceClaim) != nil {
+			// Claim and pod don't match. Ignore the claim.
+			continue
+		}
+		if !resourceclaim.IsReservedForPod(pod, allocatedClaim.ResourceClaim) {
+			// The pod isn't the one which is allowed and/or supposed to use the claim.
+			// Perhaps that pod instance already got deleted and we are looking at its
+			// replacement under the same name. Either way, ignore.
+			continue
+		}
+		if allocatedClaim.evictionTime == nil {
+			continue
+		}
+		if evictionTime == nil || allocatedClaim.evictionTime.Before(evictionTime) {
+			evictionTime = allocatedClaim.evictionTime
+		}
+	}
+
+	podRef := newObject(pod)
+	if evictionTime != nil {
+		tc.evictPod(podRef, evictionTime.Time)
+	} else {
+		tc.cancelWorkWithEvent(podRef)
+	}
+}
+
+func (tc *Controller) cancelWorkWithEvent(podRef tainteviction.NamespacedObject) {
+	if tc.cancelEvict(podRef) {
+		tc.emitCancelPodDeletionEvent(podRef)
+	}
+}
+
+func (tc *Controller) emitPodDeletionEvent(podRef tainteviction.NamespacedObject) {
+	if tc.recorder == nil {
+		return
+	}
+	ref := &v1.ObjectReference{
+		APIVersion: "v1",
+		Kind:       "Pod",
+		Name:       podRef.Name,
+		Namespace:  podRef.Namespace,
+		UID:        podRef.UID,
+	}
+	tc.recorder.Eventf(ref, v1.EventTypeNormal, "DeviceTaintManagerEviction", "Marking for deletion")
+}
+
+func (tc *Controller) emitCancelPodDeletionEvent(podRef tainteviction.NamespacedObject) {
+	if tc.recorder == nil {
+		return
+	}
+	ref := &v1.ObjectReference{
+		APIVersion: "v1",
+		Kind:       "Pod",
+		Name:       podRef.Name,
+		Namespace:  podRef.Namespace,
+		UID:        podRef.UID,
+	}
+	tc.recorder.Eventf(ref, v1.EventTypeNormal, "DeviceTaintManagerEviction", "Cancelling deletion")
+}
+
+func newNamespacedName(obj metav1.Object) types.NamespacedName {
+	return types.NamespacedName{
+		Namespace: obj.GetNamespace(),
+		Name:      obj.GetName(),
+	}
+}
+
+func newObject(obj metav1.Object) tainteviction.NamespacedObject {
+	return tainteviction.NamespacedObject{
+		NamespacedName: newNamespacedName(obj),
+		UID:            obj.GetUID(),
+	}
+}
diff --git a/pkg/controller/devicetainteviction/device_taint_eviction_test.go b/pkg/controller/devicetainteviction/device_taint_eviction_test.go
new file mode 100644
index 00000000000..74afd0e9c66
--- /dev/null
+++ b/pkg/controller/devicetainteviction/device_taint_eviction_test.go
@@ -0,0 +1,1754 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package devicetainteviction
+
+import (
+	"errors"
+	"fmt"
+	"math"
+	"slices"
+	"sort"
+	"strings"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
+	"github.com/onsi/gomega"
+	"github.com/onsi/gomega/gstruct"
+	gomegatypes "github.com/onsi/gomega/types"
+	"github.com/prometheus/client_golang/prometheus"
+	dto "github.com/prometheus/client_model/go"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	v1 "k8s.io/api/core/v1"
+	resourceapi "k8s.io/api/resource/v1beta1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/client-go/informers"
+	"k8s.io/client-go/kubernetes/fake"
+	core "k8s.io/client-go/testing"
+	metricstestutil "k8s.io/component-base/metrics/testutil"
+	"k8s.io/klog/v2"
+	"k8s.io/kubernetes/pkg/controller/devicetainteviction/metrics"
+	"k8s.io/kubernetes/pkg/controller/tainteviction"
+	controllertestutil "k8s.io/kubernetes/pkg/controller/testutil"
+	st "k8s.io/kubernetes/pkg/scheduler/testing"
+	"k8s.io/kubernetes/test/utils/ktesting"
+	"k8s.io/utils/ptr"
+)
+
+// setup creates a controller which is ready to have its handle* methods called.
+func setup(tb testing.TB) *testContext {
+	tCtx := ktesting.Init(tb)
+	fakeClientset := fake.NewSimpleClientset()
+	informerFactory := informers.NewSharedInformerFactory(fakeClientset, 0)
+	controller := New(fakeClientset,
+		informerFactory.Core().V1().Pods(),
+		informerFactory.Resource().V1beta1().ResourceClaims(),
+		informerFactory.Resource().V1beta1().ResourceSlices(),
+		informerFactory.Resource().V1alpha3().DeviceTaintRules(),
+		informerFactory.Resource().V1beta1().DeviceClasses(),
+		"device-taint-eviction",
+	)
+	tContext := &testContext{
+		TContext:        tCtx,
+		Controller:      controller,
+		recorder:        controllertestutil.NewFakeRecorder(),
+		client:          fakeClientset,
+		informerFactory: informerFactory,
+	}
+	tContext.logger = tCtx.Logger()
+	// Always log, not matter what the -v value is.
+	controller.eventLogger = &tContext.logger
+	tContext.evictPod = func(podRef tainteviction.NamespacedObject, fireAt time.Time) {
+		// Always replace an existing entry for the same pod.
+		index := slices.IndexFunc(tContext.evicting, func(e evictAt) bool {
+			return e.podRef == podRef
+		})
+		e := evictAt{podRef, fireAt}
+		if index == -1 {
+			tContext.evicting = append(tContext.evicting, e)
+		} else {
+			tContext.evicting[index] = e
+		}
+		sort.Slice(tContext.evicting, func(i, j int) bool {
+			switch strings.Compare(tContext.evicting[i].podRef.Namespace, tContext.evicting[j].podRef.Namespace) {
+			case 1:
+				return false
+			case -1:
+				return true
+			}
+			return tContext.evicting[i].podRef.Name < tContext.evicting[j].podRef.Name
+		})
+	}
+	tContext.cancelEvict = func(pod tainteviction.NamespacedObject) bool {
+		index := slices.IndexFunc(tContext.evicting, func(e evictAt) bool { return e.podRef == pod })
+		if index >= 0 {
+			tContext.evicting = slices.Delete(tContext.evicting, index, index+1)
+			return true
+		}
+		return false
+	}
+	tContext.Controller.recorder = tContext.recorder
+
+	return tContext
+}
+
+type testContext struct {
+	ktesting.TContext
+	*Controller
+	evicting        []evictAt // sorted by namespace, name
+	recorder        *controllertestutil.FakeRecorder
+	client          *fake.Clientset
+	informerFactory informers.SharedInformerFactory
+}
+
+type evictAt struct {
+	podRef tainteviction.NamespacedObject
+	fireAt time.Time
+}
+
+type state struct {
+	pods            []*v1.Pod
+	allocatedClaims []allocatedClaim
+	slices          []*resourceapi.ResourceSlice
+	evicting        []evictAt
+}
+
+func (s state) allocatedClaimsAsMap() map[types.NamespacedName]allocatedClaim {
+	claims := make(map[types.NamespacedName]allocatedClaim)
+	for _, claim := range s.allocatedClaims {
+		claims[types.NamespacedName{Namespace: claim.Namespace, Name: claim.Name}] = claim
+	}
+	return claims
+}
+
+func (s state) slicesAsMap() map[poolID]pool {
+	pools := make(map[poolID]pool)
+	for _, slice := range s.slices {
+		id := poolID{driverName: slice.Spec.Driver, poolName: slice.Spec.Pool.Name}
+		pool := pools[id]
+		if pool.slices == nil {
+			pool.slices = sets.New[*resourceapi.ResourceSlice]()
+		}
+		pool.slices.Insert(slice)
+		pools[id] = pool
+	}
+	for id, pool := range pools {
+		maxGeneration := int64(math.MinInt64)
+		for slice := range pool.slices {
+			if slice.Spec.Pool.Generation > maxGeneration {
+				maxGeneration = slice.Spec.Pool.Generation
+			}
+		}
+		pool.maxGeneration = maxGeneration
+		pools[id] = pool
+	}
+	return pools
+}
+
+type testCase struct {
+	initialState state
+
+	// events contains pairs of old and new objects which will
+	// be passed to handle* methods.
+	// Objects can be slices, claims, and pods.
+	// [add], [remove], and [update] can be used to produce
+	// such pairs.
+	//
+	// Alternatively, it can also contain a list of such pairs.
+	// Those will be applied in the order in which they appear
+	// in each event entry.
+	events []any
+
+	finalState state
+	wantEvents []*v1.Event
+}
+
+func add[T any](obj *T) [2]*T {
+	return [2]*T{nil, obj}
+}
+
+func remove[T any](obj *T) [2]*T {
+	return [2]*T{obj, nil}
+}
+
+func update[T any](oldObj, newObj *T) [2]*T {
+	return [2]*T{oldObj, newObj}
+}
+
+var (
+	podKind      = v1.SchemeGroupVersion.WithKind("Pod")
+	nodeName     = "worker"
+	nodeName2    = "worker-2"
+	driver       = "some-driver"
+	podName      = "my-pod"
+	podUID       = "1234"
+	className    = "my-resource-class"
+	resourceName = "my-resource"
+	claimName    = podName + "-" + resourceName
+	namespace    = "default"
+	taintTime    = metav1.Now() // This cannot be a fixed value in the past, otherwise the "seconds since taint time" delta overflows.
+	taintKey     = "example.com/taint"
+	taintValue   = "something"
+	simpleSlice  = st.MakeResourceSlice(nodeName, driver).
+			Device("instance").
+			Obj()
+	slice = st.MakeResourceSlice(nodeName, driver).
+		Device("instance").
+		Device("instance-no-schedule", resourceapi.DeviceTaint{Key: taintKey, Effect: resourceapi.DeviceTaintEffectNoSchedule}).
+		Device("instance-no-execute", resourceapi.DeviceTaint{Key: taintKey, Effect: resourceapi.DeviceTaintEffectNoExecute, TimeAdded: &taintTime}).
+		Obj()
+	sliceReplaced = func() *resourceapi.ResourceSlice {
+		slice := slice.DeepCopy()
+		slice.Name += "-updated"
+		slice.Spec.Pool.Generation++
+		return slice
+	}()
+	sliceUnknownDevices = func() *resourceapi.ResourceSlice {
+		slice := slice.DeepCopy()
+		for i := range slice.Spec.Devices {
+			slice.Spec.Devices[i].Basic = nil
+		}
+		return slice
+	}()
+	sliceTainted = func() *resourceapi.ResourceSlice {
+		slice := slice.DeepCopy()
+		slice.Spec.Devices[0].Basic.Taints = []resourceapi.DeviceTaint{{Key: taintKey, Effect: resourceapi.DeviceTaintEffectNoExecute, Value: taintValue, TimeAdded: &taintTime}}
+		return slice
+	}()
+	sliceTaintedExtended = func() *resourceapi.ResourceSlice {
+		slice := sliceTainted.DeepCopy()
+		slice.Spec.Devices = append(slice.Spec.Devices, *slice.Spec.Devices[0].DeepCopy())
+		slice.Spec.Devices[len(slice.Spec.Devices)-1].Name += "-other"
+		return slice
+	}()
+	sliceTaintedNoSchedule = func() *resourceapi.ResourceSlice {
+		slice := sliceTainted.DeepCopy()
+		for i := range slice.Spec.Devices {
+			for j := range slice.Spec.Devices[i].Basic.Taints {
+				slice.Spec.Devices[i].Basic.Taints[j].Effect = resourceapi.DeviceTaintEffectNoSchedule
+			}
+		}
+		return slice
+	}()
+	sliceTaintedValueOther = func() *resourceapi.ResourceSlice {
+		slice := sliceTainted.DeepCopy()
+		for i := range slice.Spec.Devices {
+			for j := range slice.Spec.Devices[i].Basic.Taints {
+				slice.Spec.Devices[i].Basic.Taints[j].Value += "-other"
+			}
+		}
+		return slice
+	}()
+	sliceTaintedTwice = func() *resourceapi.ResourceSlice {
+		slice := slice.DeepCopy()
+		slice.Spec.Devices[0].Basic.Taints = []resourceapi.DeviceTaint{
+			{Key: taintKey, Effect: resourceapi.DeviceTaintEffectNoExecute, TimeAdded: &taintTime},
+			{Key: taintKey + "-other", Effect: resourceapi.DeviceTaintEffectNoExecute, TimeAdded: &taintTime},
+		}
+		return slice
+	}()
+	sliceUntainted = func() *resourceapi.ResourceSlice {
+		slice := slice.DeepCopy()
+		slice.Spec.Devices[1].Basic.Taints = nil
+		slice.Spec.Devices[2].Basic.Taints = nil
+		return slice
+	}()
+	slice2 = func() *resourceapi.ResourceSlice {
+		slice := slice.DeepCopy()
+		slice.Name += "-2"
+		slice.Spec.NodeName = nodeName2
+		slice.Spec.Pool.Name = nodeName2
+		slice.Spec.Pool.Generation++
+		return slice
+	}()
+	claim = st.MakeResourceClaim().
+		Name(claimName).
+		Namespace(namespace).
+		Request(className).
+		Obj()
+	allocationResult = &resourceapi.AllocationResult{
+		Devices: resourceapi.DeviceAllocationResult{
+			Results: []resourceapi.DeviceRequestAllocationResult{{
+				Driver:  driver,
+				Pool:    nodeName,
+				Device:  "instance",
+				Request: "req-1",
+			}},
+		},
+	}
+	inUseClaim = st.FromResourceClaim(claim).
+			OwnerReference(podName, podUID, podKind).
+			Allocation(allocationResult).
+			ReservedForPod(podName, types.UID(podUID)).
+			Obj()
+	// A test may run for an hour without reaching the end of this period.
+	tolerationDuration       = 60 * 60 * time.Second
+	inUseClaimWithToleration = func() *resourceapi.ResourceClaim {
+		claim := inUseClaim.DeepCopy()
+		claim.Status.Allocation.Devices.Results[0].Tolerations = []resourceapi.DeviceToleration{{
+			Key:               taintKey,
+			Operator:          resourceapi.DeviceTolerationOpEqual,
+			Value:             taintValue,
+			Effect:            resourceapi.DeviceTaintEffectNoExecute,
+			TolerationSeconds: ptr.To(int64(tolerationDuration.Seconds())),
+		}}
+		return claim
+	}()
+	inUseClaimOld = st.FromResourceClaim(inUseClaim).
+			OwnerReference(podName, podUID+"-other", podKind).
+			UID("other").
+			Obj()
+	podWithClaimName = st.MakePod().Name(podName).Namespace(namespace).
+				UID(podUID).
+				PodResourceClaims(v1.PodResourceClaim{Name: resourceName, ResourceClaimName: &claimName}).
+				Node(nodeName).
+				Obj()
+	podWithClaimNameOther = st.MakePod().Name(podName).Namespace(namespace).
+				UID(podUID + "-other").
+				PodResourceClaims(v1.PodResourceClaim{Name: resourceName, ResourceClaimName: &claimName}).
+				Node(nodeName).
+				Obj()
+	podWithClaimTemplate = st.MakePod().Name(podName).Namespace(namespace).
+				UID(podUID).
+				PodResourceClaims(v1.PodResourceClaim{Name: resourceName, ResourceClaimTemplateName: &claimName}).
+				Node(nodeName).
+				Obj()
+	podWithClaimTemplateInStatus = func() *v1.Pod {
+		pod := podWithClaimTemplate.DeepCopy()
+		pod.Status.ResourceClaimStatuses = []v1.PodResourceClaimStatus{
+			{
+				Name:              pod.Spec.ResourceClaims[0].Name,
+				ResourceClaimName: &claimName,
+			},
+		}
+		return pod
+	}()
+	podWithClaimTemplateNoClaimInStatus = func() *v1.Pod {
+		pod := podWithClaimTemplate.DeepCopy()
+		pod.Status.ResourceClaimStatuses = []v1.PodResourceClaimStatus{
+			{
+				Name: pod.Spec.ResourceClaims[0].Name,
+				// This is valid: it was decided that the pod should run without
+				// its claim generated for it. Not used in practice.
+				ResourceClaimName: nil,
+			},
+		}
+		return pod
+	}()
+	cancelPodEviction = &v1.Event{
+		InvolvedObject: v1.ObjectReference{
+			Kind:       "Pod",
+			APIVersion: "v1",
+			Namespace:  namespace,
+			Name:       podName,
+			UID:        types.UID(podUID),
+		},
+		Reason:  "DeviceTaintManagerEviction",
+		Message: "Cancelling deletion",
+		Type:    v1.EventTypeNormal,
+		Source: v1.EventSource{
+			Component: "nodeControllerTest",
+		},
+		Count: 1,
+	}
+)
+
+func matchDeletionEvent() gomegatypes.GomegaMatcher {
+	return matchEvent("Marking for deletion")
+}
+
+func matchCancellationEvent() gomegatypes.GomegaMatcher {
+	return matchEvent("Cancelling deletion")
+}
+
+func matchEvent(message string) gomegatypes.GomegaMatcher {
+	return gomega.ConsistOf(gstruct.MatchFields(gstruct.IgnoreExtras, gstruct.Fields{
+		"Source":  gomega.HaveField("Component", gomega.Equal("device-taint-eviction")),
+		"Reason":  gomega.Equal("DeviceTaintManagerEviction"),
+		"Message": gomega.Equal(message),
+		"Count":   gomega.Equal(int32(1)),
+		"InvolvedObject": gomega.Equal(v1.ObjectReference{
+			Kind:       "Pod",
+			APIVersion: "v1",
+			Namespace:  namespace,
+			Name:       podName,
+			UID:        types.UID(podUID),
+		}),
+	}))
+}
+
+func listEvents(tCtx ktesting.TContext) []v1.Event {
+	events, err := tCtx.Client().CoreV1().Events("").List(tCtx, metav1.ListOptions{})
+	tCtx.ExpectNoError(err, "list events")
+	return events.Items
+}
+
+// TestHandlers covers the event handler logic. Each test case starts with
+// some known state, applies a sequence of independent events in all
+// permutations of their order, then checks against the expected final
+// state. The final state must be the same in all permutations. This simulates
+// the random order in which informer updates can be perceived.
+func TestHandlers(t *testing.T) {
+	t.Parallel()
+
+	for name, tc := range map[string]testCase{
+		"empty": {},
+		"populate-pools": {
+			events: []any{
+				add(slice),
+				add(slice2),
+			},
+			finalState: state{
+				slices: []*resourceapi.ResourceSlice{slice, slice2},
+			},
+		},
+		"update-pools": {
+			initialState: state{
+				slices: []*resourceapi.ResourceSlice{slice, slice2},
+			},
+			events: []any{
+				update(slice, sliceUntainted),
+				remove(slice2),
+			},
+			finalState: state{
+				slices: []*resourceapi.ResourceSlice{sliceUntainted},
+			},
+		},
+		"untainted-claim": {
+			events: []any{
+				add(slice),
+				add(slice2),
+				add(inUseClaim),
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{slice, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim}},
+			},
+		},
+		"tainted-claim": {
+			events: []any{
+				add(sliceTainted),
+				add(slice2),
+				add(inUseClaim),
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+			},
+		},
+		"evict-pod-resourceclaim": {
+			events: []any{
+				add(sliceTainted),
+				add(slice2),
+				add(inUseClaim),
+				add(podWithClaimName),
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+				evicting:        []evictAt{{newObject(podWithClaimName), taintTime.Time}},
+			},
+		},
+		"evict-pod-resourceclaim-again": {
+			initialState: state{
+				pods:            []*v1.Pod{podWithClaimName},
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+				evicting:        []evictAt{{newObject(podWithClaimName), taintTime.Time}},
+			},
+			events: []any{
+				[]any{remove(sliceTainted), add(sliceTainted)},
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+				evicting:        []evictAt{{newObject(podWithClaimName), taintTime.Time}},
+			},
+			// It is debatable whether the controller should react
+			// to slice changes (a deletion in this case)
+			// quickly. On the one hand we want to cancel eviction
+			// quickly in case that a taint goes away, on the other
+			// hand it can also restore the previous state and emit
+			// an event, as in this test case.
+			//
+			// At the moment, the code reliably cancels right away.
+			wantEvents: []*v1.Event{cancelPodEviction},
+		},
+		"evict-pod-resourceclaim-unrelated-changes": {
+			initialState: state{
+				pods:            []*v1.Pod{podWithClaimName},
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+				evicting:        []evictAt{{newObject(podWithClaimName), taintTime.Time}},
+			},
+			events: []any{
+				update(sliceTainted, sliceTaintedExtended),
+				update(inUseClaim, inUseClaim),             // No real change here, good enough for testing some code paths.
+				update(podWithClaimName, podWithClaimName), // Same here.
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{sliceTaintedExtended, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+				evicting:        []evictAt{{newObject(podWithClaimName), taintTime.Time}},
+			},
+		},
+		"evict-pod-resourceclaimtemplate": {
+			events: []any{
+				add(sliceTainted),
+				add(slice2),
+				add(inUseClaim),
+				add(podWithClaimTemplateInStatus),
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+				evicting:        []evictAt{{newObject(podWithClaimTemplateInStatus), taintTime.Time}},
+			},
+		},
+		"evict-pod-later": {
+			events: []any{
+				add(sliceTainted),
+				add(slice2),
+				add(inUseClaimWithToleration),
+				add(podWithClaimName),
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaimWithToleration, evictionTime: &metav1.Time{Time: taintTime.Add(tolerationDuration)}}},
+				evicting:        []evictAt{{newObject(podWithClaimName), taintTime.Time.Add(tolerationDuration)}},
+			},
+		},
+		"evict-pod-later-many": {
+			events: []any{
+				add(sliceTainted),
+				add(slice2),
+				add(func() *resourceapi.ResourceClaim {
+					claim := inUseClaim.DeepCopy()
+					claim.Status.Allocation.Devices.Results[0].Tolerations = []resourceapi.DeviceToleration{
+						{
+							Key:               taintKey + "-other",
+							Operator:          resourceapi.DeviceTolerationOpEqual,
+							Value:             taintValue,
+							Effect:            resourceapi.DeviceTaintEffectNoExecute,
+							TolerationSeconds: ptr.To(int64(20)),
+						},
+						{
+							Operator:          resourceapi.DeviceTolerationOpExists,
+							Effect:            resourceapi.DeviceTaintEffectNoExecute,
+							TolerationSeconds: ptr.To(int64(60)),
+						},
+						{
+							Operator:          resourceapi.DeviceTolerationOpExists,
+							Effect:            resourceapi.DeviceTaintEffectNoExecute,
+							TolerationSeconds: ptr.To(int64(30)),
+						},
+					}
+					return claim
+				}()),
+				add(podWithClaimName),
+			},
+			finalState: state{
+				slices: []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: func() *resourceapi.ResourceClaim {
+					claim := inUseClaim.DeepCopy()
+					claim.Status.Allocation.Devices.Results[0].Tolerations = []resourceapi.DeviceToleration{
+						{
+							Key:               taintKey + "-other",
+							Operator:          resourceapi.DeviceTolerationOpEqual,
+							Value:             taintValue,
+							Effect:            resourceapi.DeviceTaintEffectNoExecute,
+							TolerationSeconds: ptr.To(int64(20)),
+						},
+						{
+							Operator:          resourceapi.DeviceTolerationOpExists,
+							Effect:            resourceapi.DeviceTaintEffectNoExecute,
+							TolerationSeconds: ptr.To(int64(60)),
+						},
+						{
+							Operator:          resourceapi.DeviceTolerationOpExists,
+							Effect:            resourceapi.DeviceTaintEffectNoExecute,
+							TolerationSeconds: ptr.To(int64(30)),
+						},
+					}
+					return claim
+				}(), evictionTime: &metav1.Time{Time: taintTime.Add(30 * time.Second)}}},
+				evicting: []evictAt{{newObject(podWithClaimName), taintTime.Time.Add(30 * time.Second)}},
+			},
+		},
+		"evict-pod-toleration-mismatch": {
+			events: []any{
+				add(sliceTainted),
+				add(slice2),
+				add(func() *resourceapi.ResourceClaim {
+					claim := inUseClaim.DeepCopy()
+					claim.Status.Allocation.Devices.Results[0].Tolerations = []resourceapi.DeviceToleration{{
+						Key:               taintKey + "-other",
+						Operator:          resourceapi.DeviceTolerationOpEqual,
+						Value:             taintValue,
+						Effect:            resourceapi.DeviceTaintEffectNoExecute,
+						TolerationSeconds: ptr.To(int64(60)),
+					}}
+					return claim
+				}()),
+				add(podWithClaimName),
+			},
+			finalState: state{
+				slices: []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: func() *resourceapi.ResourceClaim {
+					claim := inUseClaim.DeepCopy()
+					claim.Status.Allocation.Devices.Results[0].Tolerations = []resourceapi.DeviceToleration{{
+						Key:               taintKey + "-other",
+						Operator:          resourceapi.DeviceTolerationOpEqual,
+						Value:             taintValue,
+						Effect:            resourceapi.DeviceTaintEffectNoExecute,
+						TolerationSeconds: ptr.To(int64(60)),
+					}}
+					return claim
+				}(), evictionTime: &metav1.Time{Time: taintTime.Time}}},
+				evicting: []evictAt{{newObject(podWithClaimName), taintTime.Time}},
+			},
+		},
+		"no-evict-pod-toleration-forever": {
+			events: []any{
+				add(sliceTainted),
+				add(slice2),
+				add(func() *resourceapi.ResourceClaim {
+					claim := inUseClaim.DeepCopy()
+					claim.Status.Allocation.Devices.Results[0].Tolerations = []resourceapi.DeviceToleration{{
+						Operator: resourceapi.DeviceTolerationOpExists,
+						Effect:   resourceapi.DeviceTaintEffectNoExecute,
+					}}
+					return claim
+				}()),
+				add(podWithClaimName),
+			},
+			finalState: state{
+				slices: []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: func() *resourceapi.ResourceClaim {
+					claim := inUseClaim.DeepCopy()
+					claim.Status.Allocation.Devices.Results[0].Tolerations = []resourceapi.DeviceToleration{{
+						Operator: resourceapi.DeviceTolerationOpExists,
+						Effect:   resourceapi.DeviceTaintEffectNoExecute,
+					}}
+					return claim
+				}()}},
+			},
+		},
+		"no-evict-pod-toleration-forever-many": {
+			events: []any{
+				add(sliceTainted),
+				add(slice2),
+				add(func() *resourceapi.ResourceClaim {
+					claim := inUseClaim.DeepCopy()
+					claim.Status.Allocation.Devices.Results[0].Tolerations = []resourceapi.DeviceToleration{
+						{
+							Operator:          resourceapi.DeviceTolerationOpExists,
+							Effect:            resourceapi.DeviceTaintEffectNoExecute,
+							TolerationSeconds: ptr.To(int64(60)),
+						},
+						{
+							Operator: resourceapi.DeviceTolerationOpExists,
+							Effect:   resourceapi.DeviceTaintEffectNoExecute,
+						},
+					}
+					return claim
+				}()),
+				add(podWithClaimName),
+			},
+			finalState: state{
+				slices: []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: func() *resourceapi.ResourceClaim {
+					claim := inUseClaim.DeepCopy()
+					claim.Status.Allocation.Devices.Results[0].Tolerations = []resourceapi.DeviceToleration{
+						{
+							Operator:          resourceapi.DeviceTolerationOpExists,
+							Effect:            resourceapi.DeviceTaintEffectNoExecute,
+							TolerationSeconds: ptr.To(int64(60)),
+						},
+						{
+							Operator: resourceapi.DeviceTolerationOpExists,
+							Effect:   resourceapi.DeviceTaintEffectNoExecute,
+						},
+					}
+					return claim
+				}()}},
+			},
+		},
+		"evict-pod-partial-toleration": {
+			events: []any{
+				add(sliceTaintedTwice),
+				add(slice2),
+				add(func() *resourceapi.ResourceClaim {
+					claim := inUseClaim.DeepCopy()
+					claim.Status.Allocation.Devices.Results[0].Tolerations = []resourceapi.DeviceToleration{{
+						Operator: resourceapi.DeviceTolerationOpExists,
+						Key:      taintKey,
+						Effect:   resourceapi.DeviceTaintEffectNoExecute,
+					}}
+					return claim
+				}()),
+				add(podWithClaimName),
+			},
+			finalState: state{
+				slices: []*resourceapi.ResourceSlice{sliceTaintedTwice, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: func() *resourceapi.ResourceClaim {
+					claim := inUseClaim.DeepCopy()
+					claim.Status.Allocation.Devices.Results[0].Tolerations = []resourceapi.DeviceToleration{{
+						Operator: resourceapi.DeviceTolerationOpExists,
+						Key:      taintKey,
+						Effect:   resourceapi.DeviceTaintEffectNoExecute,
+					}}
+					return claim
+				}(), evictionTime: &taintTime}},
+				evicting: []evictAt{{newObject(podWithClaimName), taintTime.Time}},
+			},
+		},
+		"evict-pod-many-taints": {
+			events: []any{
+				add(sliceTaintedTwice),
+				add(slice2),
+				add(func() *resourceapi.ResourceClaim {
+					claim := inUseClaim.DeepCopy()
+					claim.Status.Allocation.Devices.Results[0].Tolerations = []resourceapi.DeviceToleration{
+						{
+							Operator:          resourceapi.DeviceTolerationOpExists,
+							Key:               taintKey,
+							Effect:            resourceapi.DeviceTaintEffectNoExecute,
+							TolerationSeconds: ptr.To(int64(60)),
+						},
+						{
+							Operator:          resourceapi.DeviceTolerationOpExists,
+							Key:               taintKey + "-other",
+							Effect:            resourceapi.DeviceTaintEffectNoExecute,
+							TolerationSeconds: ptr.To(int64(30)),
+						},
+					}
+					return claim
+				}()),
+				add(podWithClaimName),
+			},
+			finalState: state{
+				slices: []*resourceapi.ResourceSlice{sliceTaintedTwice, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: func() *resourceapi.ResourceClaim {
+					claim := inUseClaim.DeepCopy()
+					claim.Status.Allocation.Devices.Results[0].Tolerations = []resourceapi.DeviceToleration{
+						{
+							Operator:          resourceapi.DeviceTolerationOpExists,
+							Key:               taintKey,
+							Effect:            resourceapi.DeviceTaintEffectNoExecute,
+							TolerationSeconds: ptr.To(int64(60)),
+						},
+						{
+							Operator:          resourceapi.DeviceTolerationOpExists,
+							Key:               taintKey + "-other",
+							Effect:            resourceapi.DeviceTaintEffectNoExecute,
+							TolerationSeconds: ptr.To(int64(30)),
+						},
+					}
+					return claim
+				}(), evictionTime: &metav1.Time{Time: taintTime.Add(30 * time.Second)}}},
+				evicting: []evictAt{{newObject(podWithClaimName), taintTime.Time.Add(30 * time.Second)}},
+			},
+		},
+		"no-evict-pod-not-scheduled": {
+			events: []any{
+				add(sliceTainted),
+				add(slice2),
+				add(inUseClaim),
+				add(func() *v1.Pod {
+					pod := podWithClaimName.DeepCopy()
+					pod.Spec.NodeName = ""
+					return pod
+				}()),
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+			},
+		},
+		"no-evict-no-taint": {
+			events: []any{
+				add(simpleSlice),
+				add(inUseClaim),
+				add(podWithClaimName),
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{simpleSlice},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim}},
+			},
+		},
+		"no-evict-no-taint-update": {
+			initialState: state{
+				pods:            []*v1.Pod{podWithClaimName},
+				slices:          []*resourceapi.ResourceSlice{simpleSlice},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim}},
+			},
+			events: []any{
+				update(simpleSlice, simpleSlice),
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{simpleSlice},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim}},
+			},
+		},
+		"no-evict-pod-resourceclaimtemplate-no-status": {
+			events: []any{
+				add(sliceTainted),
+				add(slice2),
+				add(inUseClaim),
+				add(podWithClaimTemplate),
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+			},
+		},
+		"no-evict-pod-resourceclaimtemplate-no-claim": {
+			// It doesn't make sense to have a claim generated for the pod and
+			// then have no claim listed for the pod, but for the sake of completeness...
+			events: []any{
+				add(sliceTainted),
+				add(slice2),
+				add(inUseClaim),
+				add(podWithClaimTemplateNoClaimInStatus),
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+			},
+		},
+		"no-evict-unknown-device": {
+			events: []any{
+				add(sliceUnknownDevices),
+				add(slice2),
+				add(inUseClaim),
+				add(podWithClaimTemplateInStatus),
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{sliceUnknownDevices, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim}},
+			},
+		},
+		"no-evict-wrong-pod": {
+			events: []any{
+				add(sliceTainted),
+				add(slice2),
+				add(inUseClaim),
+				add(podWithClaimNameOther),
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+			},
+		},
+		"evict-wrong-pod-replaced": {
+			initialState: state{
+				pods:            []*v1.Pod{podWithClaimNameOther},
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+			},
+			events: []any{
+				[]any{remove(podWithClaimNameOther), add(podWithClaimName)},
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+				evicting:        []evictAt{{newObject(podWithClaimName), taintTime.Time}},
+			},
+		},
+		"cancel-eviction-remove-taint": {
+			initialState: state{
+				pods:            []*v1.Pod{podWithClaimTemplateInStatus},
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+				evicting:        []evictAt{{newObject(podWithClaimTemplateInStatus), taintTime.Time}},
+			},
+			events: []any{
+				update(sliceTainted, slice),
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{slice, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim}},
+			},
+			wantEvents: []*v1.Event{cancelPodEviction},
+		},
+		"cancel-eviction-reduce-taint": {
+			initialState: state{
+				pods:            []*v1.Pod{podWithClaimTemplateInStatus},
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+				evicting:        []evictAt{{newObject(podWithClaimTemplateInStatus), taintTime.Time}},
+			},
+			events: []any{
+				update(sliceTainted, sliceTaintedNoSchedule),
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{sliceTaintedNoSchedule, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim}},
+			},
+			wantEvents: []*v1.Event{cancelPodEviction},
+		},
+		"eviction-change-taint": {
+			initialState: state{
+				pods:            []*v1.Pod{podWithClaimTemplateInStatus},
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaimWithToleration, evictionTime: &metav1.Time{Time: taintTime.Add(tolerationDuration)}}},
+				evicting:        []evictAt{{newObject(podWithClaimTemplateInStatus), taintTime.Time.Add(tolerationDuration)}},
+			},
+			events: []any{
+				// Going from a taint which is tolerated for 60 seconds to one which isn't.
+				update(sliceTainted, sliceTaintedValueOther),
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{sliceTaintedValueOther, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaimWithToleration, evictionTime: &taintTime}},
+				evicting:        []evictAt{{newObject(podWithClaimTemplateInStatus), taintTime.Time}},
+			},
+		},
+		"cancel-eviction-remove-taint-in-new-slice": {
+			initialState: state{
+				pods:            []*v1.Pod{podWithClaimTemplateInStatus},
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+				evicting:        []evictAt{{newObject(podWithClaimTemplateInStatus), taintTime.Time}},
+			},
+			events: []any{
+				// This moves the in-use device from one slice to another and removes the taint at the same time.
+				remove(sliceTainted),
+				add(sliceReplaced),
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{sliceReplaced, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim}},
+			},
+			wantEvents: []*v1.Event{cancelPodEviction},
+		},
+		"cancel-eviction-remove-slice": {
+			initialState: state{
+				pods:            []*v1.Pod{podWithClaimTemplateInStatus},
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+				evicting:        []evictAt{{newObject(podWithClaimTemplateInStatus), taintTime.Time}},
+			},
+			events: []any{
+				remove(sliceTainted),
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim}},
+			},
+			wantEvents: []*v1.Event{cancelPodEviction},
+		},
+		"cancel-eviction-pod-deletion": {
+			initialState: state{
+				pods:   []*v1.Pod{podWithClaimName},
+				slices: []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: func() *resourceapi.ResourceClaim {
+					claim := inUseClaim.DeepCopy()
+					claim.Status.Allocation.Devices.Results[0].Tolerations = []resourceapi.DeviceToleration{{
+						Operator:          resourceapi.DeviceTolerationOpExists,
+						Effect:            resourceapi.DeviceTaintEffectNoExecute,
+						TolerationSeconds: ptr.To(int64(60)),
+					}}
+					return claim
+				}(), evictionTime: &metav1.Time{Time: taintTime.Add(60 * time.Second)}}},
+				evicting: []evictAt{{newObject(podWithClaimName), taintTime.Time.Add(60 * time.Second)}},
+			},
+			events: []any{
+				remove(podWithClaimName),
+			},
+			finalState: state{
+				slices: []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: func() *resourceapi.ResourceClaim {
+					claim := inUseClaim.DeepCopy()
+					claim.Status.Allocation.Devices.Results[0].Tolerations = []resourceapi.DeviceToleration{{
+						Operator:          resourceapi.DeviceTolerationOpExists,
+						Effect:            resourceapi.DeviceTaintEffectNoExecute,
+						TolerationSeconds: ptr.To(int64(60)),
+					}}
+					return claim
+				}(), evictionTime: &metav1.Time{Time: taintTime.Add(60 * time.Second)}}},
+			},
+		},
+		"no-evict-wrong-resourceclaim": {
+			events: []any{
+				add(sliceTainted),
+				add(slice2),
+				add(inUseClaimOld), // pod not the owner
+				add(podWithClaimTemplateInStatus),
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaimOld, evictionTime: &taintTime}},
+			},
+		},
+		"evict-wrong-resourceclaim-replaced": {
+			initialState: state{
+				pods:            []*v1.Pod{podWithClaimTemplateInStatus},
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaimOld, evictionTime: &taintTime}},
+			},
+			events: []any{
+				update(inUseClaimOld, inUseClaim),
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+				evicting:        []evictAt{{newObject(podWithClaimTemplateInStatus), taintTime.Time}},
+			},
+		},
+		"no-evict-resourceclaim-deallocated": {
+			initialState: state{
+				pods:            []*v1.Pod{podWithClaimTemplateInStatus},
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+				evicting:        []evictAt{{newObject(podWithClaimTemplateInStatus), taintTime.Time}},
+			},
+			events: []any{
+				// This removes the allocation while the pod is scheduled.
+				// The normal situation for this is when the pod has terminated.
+				// The abnormal one is a forced status update, which is similar
+				// to a forced removal.
+				//
+				// It is debatable whether controller should try to "fix" the
+				// cluster in those abnormal situations by evicting the pod.
+				// Currently it doesn't because that is not it's job and
+				// could cause problems by itself if not done carefully,
+				// like killing a pod that still can run.
+				update(inUseClaim, claim),
+			},
+			finalState: state{
+				slices: []*resourceapi.ResourceSlice{sliceTainted, slice2},
+			},
+			wantEvents: []*v1.Event{cancelPodEviction},
+		},
+		"no-evict-resourceclaim-deleted": {
+			initialState: state{
+				pods:            []*v1.Pod{podWithClaimTemplateInStatus},
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+				evicting:        []evictAt{{newObject(podWithClaimTemplateInStatus), taintTime.Time}},
+			},
+			events: []any{
+				// Same as for "no-evict-resourceclaim-deallocated" this can be normal
+				// (pod has terminated) and abnormal (force-delete).
+				remove(inUseClaim),
+			},
+			finalState: state{
+				slices: []*resourceapi.ResourceSlice{sliceTainted, slice2},
+			},
+			wantEvents: []*v1.Event{cancelPodEviction},
+		},
+	} {
+		t.Run(name, func(t *testing.T) {
+			numEvents := len(tc.events)
+			if numEvents <= 1 {
+				// No permutations.
+				tContext := setup(t)
+				testHandlers(tContext, tc)
+				return
+			}
+
+			permutation := make([]int, numEvents)
+			var permutate func(depth int)
+			permutate = func(depth int) {
+				if depth >= numEvents {
+					// Define a sub-test which runs the current permutation of events.
+					events := make([]any, numEvents)
+					for i := 0; i < numEvents; i++ {
+						events[i] = tc.events[permutation[i]]
+					}
+					tc := tc
+					tc.events = events
+					name := strings.Trim(fmt.Sprintf("%v", permutation), "[]")
+					t.Run(name, func(t *testing.T) {
+						tContext := setup(t)
+						testHandlers(tContext, tc)
+					})
+					return
+				}
+				for i := 0; i < numEvents; i++ {
+					if slices.Index(permutation[0:depth], i) != -1 {
+						// Already taken.
+						continue
+					}
+					// Pick it for the current position in permutation,
+					// continue with next position.
+					permutation[depth] = i
+					permutate(depth + 1)
+				}
+			}
+			permutate(0)
+		})
+	}
+}
+
+func testHandlers(tContext *testContext, tc testCase) {
+	// Shallow copy of slice and maps is sufficient for now.
+	tContext.evicting = slices.Clone(tc.initialState.evicting)
+	tContext.allocatedClaims = tc.initialState.allocatedClaimsAsMap()
+	tContext.pools = tc.initialState.slicesAsMap()
+
+	// Pods are the only items which get retrieved from the informer cache,
+	// so for those (and only those) we have to keep the store up-to-date.
+	store := tContext.informerFactory.Core().V1().Pods().Informer().GetStore()
+	for _, pod := range tc.initialState.pods {
+		tContext.ExpectNoError(store.Add(pod))
+	}
+
+	for _, event := range tc.events {
+		switch event := event.(type) {
+		case []any:
+			for _, event := range event {
+				applyEventPair(tContext, event)
+			}
+		default:
+			applyEventPair(tContext, event)
+		}
+	}
+
+	// Use nil instead of empty map or slice to avoid nil vs. empty differences.
+	if len(tContext.evicting) == 0 {
+		tContext.evicting = nil
+	}
+	if len(tContext.recorder.Events) == 0 {
+		tContext.recorder.Events = nil
+	}
+	assert.Equal(tContext, tc.finalState.evicting, tContext.evicting, "evicting pods")
+	assert.Equal(tContext, tc.finalState.allocatedClaimsAsMap(), tContext.allocatedClaims, "allocated claims")
+	if !assert.Equal(tContext, tc.finalState.slicesAsMap(), tContext.pools, "pools") {
+		for key := range tContext.pools {
+			assert.Equal(tContext, tc.finalState.slicesAsMap()[key], tContext.pools[key], "pool")
+		}
+	}
+	if diff := cmp.Diff(tc.wantEvents, tContext.recorder.Events, cmpopts.IgnoreTypes(metav1.ObjectMeta{}, metav1.Time{})); diff != "" {
+		tContext.Errorf("unexpected events (-want, +got):\n%s", diff)
+	}
+}
+
+func applyEventPair(tContext *testContext, event any) {
+	store := tContext.informerFactory.Core().V1().Pods().Informer().GetStore()
+
+	switch pair := event.(type) {
+	case [2]*resourceapi.ResourceSlice:
+		tContext.handleSliceChange(pair[0], pair[1])
+	case [2]*resourceapi.ResourceClaim:
+		tContext.handleClaimChange(pair[0], pair[1])
+	case [2]*v1.Pod:
+		switch {
+		case pair[0] != nil && pair[1] != nil:
+			tContext.ExpectNoError(store.Update(pair[1]))
+		case pair[0] != nil:
+			tContext.ExpectNoError(store.Delete(pair[0]))
+		default:
+			tContext.ExpectNoError(store.Add(pair[1]))
+		}
+		tContext.handlePodChange(pair[0], pair[1])
+	default:
+		tContext.Fatalf("unexpected event type %T", event)
+	}
+}
+
+func startTestController(tCtx ktesting.TContext, informerFactory informers.SharedInformerFactory) *Controller {
+	controller := New(tCtx.Client(),
+		informerFactory.Core().V1().Pods(),
+		informerFactory.Resource().V1beta1().ResourceClaims(),
+		informerFactory.Resource().V1beta1().ResourceSlices(),
+		informerFactory.Resource().V1alpha3().DeviceTaintRules(),
+		informerFactory.Resource().V1beta1().DeviceClasses(),
+		"device-taint-eviction",
+	)
+	controller.metrics = metrics.New(300 /* one large initial bucket for testing */)
+	// Always log, not matter what the -v value is.
+	logger := klog.FromContext(tCtx)
+	controller.eventLogger = &logger
+	informerFactory.Start(tCtx.Done())
+	return controller
+}
+
+func testPodDeletionsMetrics(controller *Controller, total int) error {
+	// We cannot predict the sum of the latencies. Therefore we leave it at zero here
+	// and replace expected (>= 0) values when gathering.
+	expectedMetric := fmt.Sprintf(`# HELP device_taint_eviction_controller_pod_deletion_duration_seconds [ALPHA] Latency, in seconds, between the time when a device taint effect has been activated and a Pod's deletion via DeviceTaintEvictionController.
+# TYPE device_taint_eviction_controller_pod_deletion_duration_seconds histogram
+device_taint_eviction_controller_pod_deletion_duration_seconds_bucket{le="300"} %[1]d
+device_taint_eviction_controller_pod_deletion_duration_seconds_bucket{le="+Inf"} %[1]d
+device_taint_eviction_controller_pod_deletion_duration_seconds_sum 0
+device_taint_eviction_controller_pod_deletion_duration_seconds_count %[1]d
+# HELP device_taint_eviction_controller_pod_deletions_total [ALPHA] Total number of Pods deleted by DeviceTaintEvictionController since its start.
+# TYPE device_taint_eviction_controller_pod_deletions_total counter
+device_taint_eviction_controller_pod_deletions_total %[1]d
+`, total)
+	names := []string{
+		controller.metrics.PodDeletionsTotal.FQName(),
+		controller.metrics.PodDeletionsLatency.FQName(),
+	}
+	gather := func() ([]*dto.MetricFamily, error) {
+		got, err := controller.metrics.Gather()
+		for _, mf := range got {
+			for _, m := range mf.Metric {
+				if m.Histogram == nil || m.Histogram.SampleSum == nil || *m.Histogram.SampleSum < 0 {
+					continue
+				}
+				m.Histogram.SampleSum = ptr.To(float64(0))
+			}
+		}
+		return got, err
+	}
+
+	return metricstestutil.GatherAndCompare(prometheus.GathererFunc(gather), strings.NewReader(expectedMetric), names...)
+}
+
+// TestEviction runs through the full flow of starting the controller and evicting one pod.
+// This scenario is the same as "evict-pod-resourceclaim" above. It also covers all
+// event handlers by leading to the same end state through several different combinations
+// of initial objects and add/update/delete calls.
+func TestEviction(t *testing.T) {
+	tCtx := ktesting.Init(t)
+	tCtx.Parallel()
+
+	pod := podWithClaimName.DeepCopy()
+	for name, tt := range map[string]struct {
+		initialObjects []runtime.Object
+		afterSync      func(tCtx ktesting.TContext)
+	}{
+		"initial": {
+			initialObjects: []runtime.Object{
+				sliceTainted,
+				inUseClaim,
+				pod,
+			},
+		},
+		"add": {
+			afterSync: func(tCtx ktesting.TContext) {
+				var err error
+				_, err = tCtx.Client().CoreV1().Pods(pod.Namespace).Create(tCtx, pod, metav1.CreateOptions{})
+				require.NoError(tCtx, err, "create pod")
+				_, err = tCtx.Client().ResourceV1beta1().ResourceSlices().Create(tCtx, sliceTainted, metav1.CreateOptions{})
+				require.NoError(tCtx, err, "create slice")
+				_, err = tCtx.Client().ResourceV1beta1().ResourceClaims(inUseClaim.Namespace).Create(tCtx, inUseClaim, metav1.CreateOptions{})
+				require.NoError(tCtx, err, "create claim")
+			},
+		},
+		"update": {
+			initialObjects: []runtime.Object{
+				slice,
+				claim,
+				func() *v1.Pod {
+					pod := pod.DeepCopy()
+					pod.Spec.NodeName = ""
+					return pod
+				}(),
+			},
+			afterSync: func(tCtx ktesting.TContext) {
+				var err error
+				_, err = tCtx.Client().CoreV1().Pods(pod.Namespace).Update(tCtx, pod, metav1.UpdateOptions{})
+				require.NoError(tCtx, err, "update pod")
+				_, err = tCtx.Client().ResourceV1beta1().ResourceSlices().Update(tCtx, sliceTainted, metav1.UpdateOptions{})
+				require.NoError(tCtx, err, "update slice")
+				_, err = tCtx.Client().ResourceV1beta1().ResourceClaims(inUseClaim.Namespace).UpdateStatus(tCtx, inUseClaim, metav1.UpdateOptions{})
+				require.NoError(tCtx, err, "update claim")
+			},
+		},
+		"delete": {
+			initialObjects: []runtime.Object{
+				sliceTainted,
+				func() *resourceapi.ResourceSlice {
+					// This has a higher generation and thus "shadows" sliceTainted until it gets removed.
+					slice := slice.DeepCopy()
+					slice.Name += "-other"
+					slice.Spec.Pool.Generation += 100
+					return slice
+				}(),
+				claim,
+				pod,
+			},
+			afterSync: func(tCtx ktesting.TContext) {
+				var err error
+
+				err = tCtx.Client().ResourceV1beta1().ResourceSlices().Delete(tCtx, slice.Name+"-other", metav1.DeleteOptions{})
+				require.NoError(tCtx, err, "delete slice")
+				err = tCtx.Client().ResourceV1beta1().ResourceClaims(inUseClaim.Namespace).Delete(tCtx, inUseClaim.Name, metav1.DeleteOptions{})
+				require.NoError(tCtx, err, "delete claim")
+
+				// Re-create after deletion to enabled the normal flow.
+				_, err = tCtx.Client().ResourceV1beta1().ResourceClaims(inUseClaim.Namespace).Create(tCtx, inUseClaim, metav1.CreateOptions{})
+				require.NoError(tCtx, err, "create claim")
+			},
+		},
+	} {
+		tCtx.Run(name, func(tCtx ktesting.TContext) {
+			tCtx.Parallel()
+			fakeClientset := fake.NewSimpleClientset(tt.initialObjects...)
+			tCtx = ktesting.WithClients(tCtx, nil, nil, fakeClientset, nil, nil)
+
+			var mutex sync.Mutex
+			var podUpdates int
+			var updatedPod *v1.Pod
+			var podDeletions int
+
+			fakeClientset.PrependReactor("patch", "pods", func(action core.Action) (handled bool, ret runtime.Object, err error) {
+				mutex.Lock()
+				defer mutex.Unlock()
+				podUpdates++
+				podName := action.(core.PatchAction).GetName()
+				assert.Equal(t, podWithClaimName.Name, podName, "name of patched pod")
+				return false, nil, nil
+			})
+			fakeClientset.PrependReactor("delete", "pods", func(action core.Action) (handled bool, ret runtime.Object, err error) {
+				mutex.Lock()
+				defer mutex.Unlock()
+				podDeletions++
+				podName := action.(core.DeleteAction).GetName()
+				assert.Equal(t, podWithClaimName.Name, podName, "name of deleted pod")
+				obj, err := fakeClientset.Tracker().Get(v1.SchemeGroupVersion.WithResource("pods"), pod.Namespace, pod.Name)
+				require.NoError(tCtx, err)
+				updatedPod = obj.(*v1.Pod)
+				return false, nil, nil
+			})
+			informerFactory := informers.NewSharedInformerFactory(fakeClientset, 0)
+			controller := startTestController(tCtx, informerFactory)
+			defer informerFactory.Shutdown()
+
+			var wg sync.WaitGroup
+			defer func() {
+				tCtx.Log("Waiting for goroutine termination...")
+				tCtx.Cancel("time to stop")
+				wg.Wait()
+			}()
+			wg.Add(1)
+			go func() {
+				defer wg.Done()
+				controller.Run(tCtx)
+			}()
+
+			// Eventually the controller should have synced it's informers.
+			require.Eventually(tCtx, func() bool {
+				return controller.hasSynced.Load() > 0
+			}, 30*time.Second, time.Millisecond, "controller synced")
+			if tt.afterSync != nil {
+				tt.afterSync(tCtx)
+			}
+
+			// Eventually the pod gets deleted (= evicted).
+			assert.Eventually(tCtx, func() bool {
+				_, err := fakeClientset.CoreV1().Pods(pod.Namespace).Get(tCtx, pod.Name, metav1.GetOptions{})
+				return apierrors.IsNotFound(err)
+			}, 30*time.Second, time.Millisecond, "pod evicted")
+
+			pod := pod.DeepCopy()
+			pod.Status.Conditions = []v1.PodCondition{{
+				Type:    v1.DisruptionTarget,
+				Status:  v1.ConditionTrue,
+				Reason:  "DeletionByDeviceTaintManager",
+				Message: "Device Taint manager: deleting due to NoExecute taint",
+			}}
+			if diff := cmp.Diff(pod, updatedPod, cmpopts.IgnoreTypes(metav1.Time{})); diff != "" {
+				tCtx.Errorf("unexpected modified pod (-want, +got):\n%s", diff)
+			}
+
+			// Shortly after deletion we should also see updated metrics.
+			// This is the last thing the controller does for a pod.
+			ktesting.Eventually(tCtx, func(tCtx ktesting.TContext) error {
+				return testPodDeletionsMetrics(controller, 1)
+			}).WithTimeout(30*time.Second).Should(gomega.Succeed(), "pod eviction done")
+
+			// We also don't want any other events, in particular not a cancellation event
+			// because the pod deletion was observed or another occurrence of the same event.
+			ktesting.Consistently(tCtx, func(tCtx ktesting.TContext) error {
+				mutex.Lock()
+				defer mutex.Unlock()
+				assert.Equal(tCtx, 1, podUpdates, "number of pod update calls")
+				assert.Equal(tCtx, 1, podDeletions, "number of pod delete calls")
+				gomega.NewWithT(tCtx).Expect(listEvents(tCtx)).Should(matchDeletionEvent())
+				tCtx.ExpectNoError(testPodDeletionsMetrics(controller, 1))
+				return nil
+			}).WithTimeout(5 * time.Second).Should(gomega.Succeed())
+		})
+	}
+}
+
+// TestCancelEviction deletes the pod before the controller deletes it
+// or removes the slice. Either way, eviction gets cancelled.
+func TestCancelEviction(t *testing.T) {
+	tCtx := ktesting.Init(t)
+	tCtx.Parallel()
+
+	tCtx.Run("pod-deleted", func(tCtx ktesting.TContext) { testCancelEviction(tCtx, true) })
+	tCtx.Run("slice-deleted", func(tCtx ktesting.TContext) { testCancelEviction(tCtx, false) })
+}
+
+func testCancelEviction(tCtx ktesting.TContext, deletePod bool) {
+	// The claim tolerates the taint long enough for us to
+	// do something which cancels eviction.
+	pod := podWithClaimName.DeepCopy()
+	slice := sliceTainted.DeepCopy()
+	slice.Spec.Devices[0].Basic.Taints[0].TimeAdded = &metav1.Time{Time: time.Now()}
+	claim := inUseClaim.DeepCopy()
+	claim.Status.Allocation.Devices.Results[0].Tolerations = []resourceapi.DeviceToleration{{
+		Operator:          resourceapi.DeviceTolerationOpExists,
+		Effect:            resourceapi.DeviceTaintEffectNoExecute,
+		TolerationSeconds: ptr.To(int64(60)),
+	}}
+	fakeClientset := fake.NewSimpleClientset(
+		slice,
+		claim,
+		pod,
+	)
+	tCtx = ktesting.WithClients(tCtx, nil, nil, fakeClientset, nil, nil)
+
+	pod, err := fakeClientset.CoreV1().Pods(pod.Namespace).Get(tCtx, pod.Name, metav1.GetOptions{})
+	require.NoError(tCtx, err, "get pod before eviction")
+	assert.Equal(tCtx, podWithClaimName, pod, "test pod")
+
+	informerFactory := informers.NewSharedInformerFactory(fakeClientset, 0)
+	controller := startTestController(tCtx, informerFactory)
+	defer informerFactory.Shutdown()
+
+	var mutex sync.Mutex
+	podEvicting := false
+	controller.evictPod = func(podRef tainteviction.NamespacedObject, fireAt time.Time) {
+		assert.Equal(tCtx, newObject(pod), podRef)
+		mutex.Lock()
+		defer mutex.Unlock()
+		podEvicting = true
+	}
+	controller.cancelEvict = func(podRef tainteviction.NamespacedObject) bool {
+		assert.Equal(tCtx, newObject(pod), podRef)
+		mutex.Lock()
+		defer mutex.Unlock()
+		podEvicting = false
+		return false
+	}
+
+	var wg sync.WaitGroup
+	defer func() {
+		tCtx.Log("Waiting for goroutine termination...")
+		tCtx.Cancel("time to stop")
+		wg.Wait()
+	}()
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		controller.Run(tCtx)
+	}()
+
+	// Eventually the pod gets scheduled for eviction.
+	ktesting.Eventually(tCtx, func(tCtx ktesting.TContext) bool {
+		mutex.Lock()
+		defer mutex.Unlock()
+		return podEvicting
+	}).WithTimeout(30 * time.Second).Should(gomega.BeTrueBecause("pod pending eviction"))
+
+	// Now we can delete the pod or slice.
+	if deletePod {
+		tCtx.ExpectNoError(fakeClientset.CoreV1().Pods(pod.Namespace).Delete(tCtx, pod.Name, metav1.DeleteOptions{}))
+	} else {
+		tCtx.ExpectNoError(fakeClientset.ResourceV1beta1().ResourceSlices().Delete(tCtx, slice.Name, metav1.DeleteOptions{}))
+	}
+
+	// Shortly after deletion we should also see the cancellation.
+	ktesting.Eventually(tCtx, func(tCtx ktesting.TContext) bool {
+		mutex.Lock()
+		defer mutex.Unlock()
+		return podEvicting
+	}).WithTimeout(30 * time.Second).Should(gomega.BeFalseBecause("pod no longer pending eviction"))
+
+	// Whether we get an event depends on whether the pod still exists.
+	ktesting.Consistently(tCtx, func(tCtx ktesting.TContext) error {
+		matchEvents := matchCancellationEvent()
+		if deletePod {
+			matchEvents = gomega.BeEmpty()
+		}
+		gomega.NewWithT(tCtx).Expect(listEvents(tCtx)).Should(matchEvents)
+		tCtx.ExpectNoError(testPodDeletionsMetrics(controller, 0))
+		return nil
+	}).WithTimeout(5 * time.Second).Should(gomega.Succeed())
+}
+
+// TestParallelPodDeletion covers the scenario that a pod gets deleted right before
+// trying to evict it.
+func TestParallelPodDeletion(t *testing.T) {
+	tCtx := ktesting.Init(t)
+	tCtx.Parallel()
+
+	// This scenario is the same as "evict-pod-resourceclaim" above.
+	pod := podWithClaimName.DeepCopy()
+	fakeClientset := fake.NewSimpleClientset(
+		sliceTainted,
+		slice2,
+		inUseClaim,
+		pod,
+	)
+	tCtx = ktesting.WithClients(tCtx, nil, nil, fakeClientset, nil, nil)
+
+	pod, err := fakeClientset.CoreV1().Pods(pod.Namespace).Get(tCtx, pod.Name, metav1.GetOptions{})
+	require.NoError(tCtx, err, "get pod before eviction")
+	assert.Equal(tCtx, podWithClaimName, pod, "test pod")
+
+	var mutex sync.Mutex
+	var podGets int
+	var podDeletions int
+
+	fakeClientset.PrependReactor("get", "pods", func(action core.Action) (handled bool, ret runtime.Object, err error) {
+		mutex.Lock()
+		defer mutex.Unlock()
+		podGets++
+		podName := action.(core.GetAction).GetName()
+		assert.Equal(t, podWithClaimName.Name, podName, "name of patched pod")
+
+		// This gets called directly before eviction. Pretend that it is deleted.
+		err = fakeClientset.Tracker().Delete(v1.SchemeGroupVersion.WithResource("pods"), pod.Namespace, pod.Name)
+		assert.NoError(tCtx, err, "delete pod") //nolint:testifylint // Here recording an unknown error and continuing is okay.
+		return true, nil, apierrors.NewNotFound(v1.SchemeGroupVersion.WithResource("pods").GroupResource(), pod.Name)
+	})
+	fakeClientset.PrependReactor("delete", "pods", func(action core.Action) (handled bool, ret runtime.Object, err error) {
+		mutex.Lock()
+		defer mutex.Unlock()
+		podDeletions++
+		podName := action.(core.DeleteAction).GetName()
+		assert.Equal(t, podWithClaimName.Name, podName, "name of deleted pod")
+		return false, nil, nil
+	})
+	informerFactory := informers.NewSharedInformerFactory(fakeClientset, 0)
+	controller := startTestController(tCtx, informerFactory)
+	defer informerFactory.Shutdown()
+
+	var wg sync.WaitGroup
+	defer func() {
+		tCtx.Log("Waiting for goroutine termination...")
+		tCtx.Cancel("time to stop")
+		wg.Wait()
+	}()
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		controller.Run(tCtx)
+	}()
+
+	// Eventually the pod gets deleted, in this test by us.
+	assert.Eventually(tCtx, func() bool {
+		mutex.Lock()
+		defer mutex.Unlock()
+		return podGets >= 1
+	}, 30*time.Second, time.Millisecond, "pod eviction started")
+
+	// We don't want any events.
+	ktesting.Consistently(tCtx, func(tCtx ktesting.TContext) error {
+		mutex.Lock()
+		defer mutex.Unlock()
+		assert.Equal(tCtx, 1, podGets, "number of pod get calls")
+		assert.Equal(tCtx, 0, podDeletions, "number of pod delete calls")
+		gomega.NewWithT(tCtx).Expect(listEvents(tCtx)).Should(gomega.BeEmpty())
+		tCtx.ExpectNoError(testPodDeletionsMetrics(controller, 0))
+		return nil
+	}).WithTimeout(5 * time.Second).Should(gomega.Succeed())
+}
+
+// TestRetry covers the scenario that an eviction attempt must be retried.
+func TestRetry(t *testing.T) {
+	tCtx := ktesting.Init(t)
+	tCtx.Parallel()
+
+	// This scenario is the same as "evict-pod-resourceclaim" above.
+	pod := podWithClaimName.DeepCopy()
+	fakeClientset := fake.NewSimpleClientset(
+		sliceTainted,
+		slice2,
+		inUseClaim,
+		pod,
+	)
+	tCtx = ktesting.WithClients(tCtx, nil, nil, fakeClientset, nil, nil)
+
+	pod, err := fakeClientset.CoreV1().Pods(pod.Namespace).Get(tCtx, pod.Name, metav1.GetOptions{})
+	require.NoError(tCtx, err, "get pod before eviction")
+	assert.Equal(tCtx, podWithClaimName, pod, "test pod")
+
+	var mutex sync.Mutex
+	var podGets int
+	var podDeletions int
+
+	fakeClientset.PrependReactor("get", "pods", func(action core.Action) (handled bool, ret runtime.Object, err error) {
+		mutex.Lock()
+		defer mutex.Unlock()
+		podGets++
+		podName := action.(core.GetAction).GetName()
+		assert.Equal(t, podWithClaimName.Name, podName, "name of patched pod")
+
+		// This gets called directly before eviction. Pretend that there is an intermittent error.
+		if podGets == 1 {
+			return true, nil, apierrors.NewInternalError(errors.New("fake error"))
+		}
+		return false, nil, nil
+	})
+	fakeClientset.PrependReactor("delete", "pods", func(action core.Action) (handled bool, ret runtime.Object, err error) {
+		mutex.Lock()
+		defer mutex.Unlock()
+		podDeletions++
+		podName := action.(core.DeleteAction).GetName()
+		assert.Equal(t, podWithClaimName.Name, podName, "name of deleted pod")
+		return false, nil, nil
+	})
+	informerFactory := informers.NewSharedInformerFactory(fakeClientset, 0)
+	controller := startTestController(tCtx, informerFactory)
+	defer informerFactory.Shutdown()
+
+	var wg sync.WaitGroup
+	defer func() {
+		t.Log("Waiting for goroutine termination...")
+		tCtx.Cancel("time to stop")
+		wg.Wait()
+	}()
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		controller.Run(tCtx)
+	}()
+
+	// Eventually the pod gets deleted.
+	ktesting.Eventually(tCtx, func(tCtx ktesting.TContext) error {
+		return testPodDeletionsMetrics(controller, 1)
+	}).WithTimeout(30*time.Second).Should(gomega.Succeed(), "pod eviction done")
+
+	// Now we can check the API calls.
+	ktesting.Consistently(tCtx, func(tCtx ktesting.TContext) error {
+		mutex.Lock()
+		defer mutex.Unlock()
+		assert.Equal(tCtx, 2, podGets, "number of pod get calls")
+		assert.Equal(tCtx, 1, podDeletions, "number of pod delete calls")
+		gomega.NewWithT(tCtx).Expect(listEvents(tCtx)).Should(matchDeletionEvent())
+		tCtx.ExpectNoError(testPodDeletionsMetrics(controller, 1))
+		return nil
+	}).WithTimeout(5 * time.Second).Should(gomega.Succeed())
+}
+
+// TestRetry covers the scenario that an eviction attempt fails.
+func TestEvictionFailure(t *testing.T) {
+	tCtx := ktesting.Init(t)
+	tCtx.Parallel()
+
+	// This scenario is the same as "evict-pod-resourceclaim" above.
+	pod := podWithClaimName.DeepCopy()
+	fakeClientset := fake.NewSimpleClientset(
+		sliceTainted,
+		slice2,
+		inUseClaim,
+		pod,
+	)
+	tCtx = ktesting.WithClients(tCtx, nil, nil, fakeClientset, nil, nil)
+
+	pod, err := fakeClientset.CoreV1().Pods(pod.Namespace).Get(tCtx, pod.Name, metav1.GetOptions{})
+	require.NoError(tCtx, err, "get pod before eviction")
+	assert.Equal(tCtx, podWithClaimName, pod, "test pod")
+
+	var mutex sync.Mutex
+	var podGets int
+	var podDeletions int
+
+	fakeClientset.PrependReactor("get", "pods", func(action core.Action) (handled bool, ret runtime.Object, err error) {
+		mutex.Lock()
+		defer mutex.Unlock()
+		podGets++
+		podName := action.(core.GetAction).GetName()
+		assert.Equal(t, podWithClaimName.Name, podName, "name of patched pod")
+		return false, nil, nil
+	})
+	fakeClientset.PrependReactor("delete", "pods", func(action core.Action) (handled bool, ret runtime.Object, err error) {
+		mutex.Lock()
+		defer mutex.Unlock()
+		podDeletions++
+		podName := action.(core.DeleteAction).GetName()
+		assert.Equal(t, podWithClaimName.Name, podName, "name of deleted pod")
+		return true, nil, apierrors.NewInternalError(errors.New("fake error"))
+	})
+	informerFactory := informers.NewSharedInformerFactory(fakeClientset, 0)
+	controller := startTestController(tCtx, informerFactory)
+	defer informerFactory.Shutdown()
+
+	var wg sync.WaitGroup
+	defer func() {
+		t.Log("Waiting for goroutine termination...")
+		tCtx.Cancel("time to stop")
+		wg.Wait()
+	}()
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		controller.Run(tCtx)
+	}()
+
+	// Eventually deletion is attempted a few times.
+	assert.Eventually(tCtx, func() bool {
+		mutex.Lock()
+		defer mutex.Unlock()
+		return podDeletions >= retries
+	}, 30*time.Second, time.Millisecond, "pod eviction failed")
+
+	// Now we can check the API calls.
+	ktesting.Consistently(tCtx, func(tCtx ktesting.TContext) error {
+		mutex.Lock()
+		defer mutex.Unlock()
+		assert.Equal(tCtx, retries, podGets, "number of pod get calls")
+		assert.Equal(tCtx, retries, podDeletions, "number of pod delete calls")
+		gomega.NewWithT(tCtx).Expect(listEvents(tCtx)).Should(matchDeletionEvent())
+		tCtx.ExpectNoError(testPodDeletionsMetrics(controller, 0))
+		return nil
+	}).WithTimeout(5 * time.Second).Should(gomega.Succeed())
+}
+
+// BenchTaintUntaint checks the full flow of detecting a claim as
+// tainted because of a new DeviceTaintRule, starting to evict its
+// consumer, and then undoing that when the DeviceTaintRule is removed.
+func BenchmarkTaintUntaint(b *testing.B) {
+	tContext := setup(b)
+	podStore := tContext.informerFactory.Core().V1().Pods().Informer().GetStore()
+	// No output, comment out if output is desired.
+	tContext.Controller.eventLogger = nil
+
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		// Add objects...
+		tContext.handleSliceChange(nil, slice)
+		tContext.handleClaimChange(nil, inUseClaimWithToleration)
+		require.NoError(tContext, podStore.Add(podWithClaimName), "add pod")
+		tContext.handlePodChange(nil, podWithClaimName)
+		require.Empty(tContext, tContext.evicting)
+
+		// Now evict.
+		tContext.handleSliceChange(slice, sliceTainted)
+
+		// Because informer event handlers are synchronous, we get the expected result immediately.
+		require.NotEmpty(tContext, tContext.evicting)
+
+		// ... and remove them again.
+		tContext.handleSliceChange(sliceTainted, slice)
+		require.Empty(tContext, tContext.evicting)
+
+		tContext.handlePodChange(podWithClaimName, nil)
+		require.NoError(tContext, podStore.Delete(podWithClaimName), "remove pod")
+		tContext.handleClaimChange(inUseClaimWithToleration, nil)
+		tContext.handleSliceChange(slice, nil)
+	}
+}
diff --git a/pkg/controller/devicetainteviction/doc.go b/pkg/controller/devicetainteviction/doc.go
index aac6640aa28..84157386c6c 100644
--- a/pkg/controller/devicetainteviction/doc.go
+++ b/pkg/controller/devicetainteviction/doc.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2023 The Kubernetes Authors.
+Copyright 2025 The Kubernetes Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -14,6 +14,6 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-// Package tainteviction contains the logic implementing taint-based eviction
-// for Pods running on Nodes with NoExecute taints.
-package tainteviction
+// Package devicetainteviction contains the logic implementing taint-based eviction
+// for Pods using tainted devices (https://github.com/kubernetes/enhancements/issues/5055).
+package devicetainteviction
diff --git a/pkg/controller/devicetainteviction/metrics/metrics.go b/pkg/controller/devicetainteviction/metrics/metrics.go
index 600c22c81e7..977ed70b74b 100644
--- a/pkg/controller/devicetainteviction/metrics/metrics.go
+++ b/pkg/controller/devicetainteviction/metrics/metrics.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2023 The Kubernetes Authors.
+Copyright 2025 The Kubernetes Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -23,30 +23,11 @@ import (
 	"k8s.io/component-base/metrics/legacyregistry"
 )
 
-const taintEvictionControllerSubsystem = "taint_eviction_controller"
+// controllerSubsystem must be kept in sync with the controller name in cmd/kube-controller-manager/names.
+const controllerSubsystem = "device_taint_eviction_controller"
 
 var (
-	// PodDeletionsTotal counts the number of Pods deleted by TaintEvictionController since its start.
-	PodDeletionsTotal = metrics.NewCounter(
-		&metrics.CounterOpts{
-			Subsystem:      taintEvictionControllerSubsystem,
-			Name:           "pod_deletions_total",
-			Help:           "Total number of Pods deleted by TaintEvictionController since its start.",
-			StabilityLevel: metrics.ALPHA,
-		},
-	)
-
-	// PodDeletionsLatency tracks the latency, in seconds, between the time when a taint effect has been activated
-	// for the Pod and its deletion.
-	PodDeletionsLatency = metrics.NewHistogram(
-		&metrics.HistogramOpts{
-			Subsystem:      taintEvictionControllerSubsystem,
-			Name:           "pod_deletion_duration_seconds",
-			Help:           "Latency, in seconds, between the time when a taint effect has been activated for the Pod and its deletion via TaintEvictionController.",
-			Buckets:        []float64{0.005, 0.025, 0.1, 0.5, 1, 2.5, 10, 30, 60, 120, 180, 240}, // 5ms to 4m
-			StabilityLevel: metrics.ALPHA,
-		},
-	)
+	Global = New()
 )
 
 var registerMetrics sync.Once
@@ -54,7 +35,54 @@ var registerMetrics sync.Once
 // Register registers TaintEvictionController metrics.
 func Register() {
 	registerMetrics.Do(func() {
-		legacyregistry.MustRegister(PodDeletionsTotal)
-		legacyregistry.MustRegister(PodDeletionsLatency)
+		legacyregistry.MustRegister(Global.PodDeletionsTotal)
+		legacyregistry.MustRegister(Global.PodDeletionsLatency)
 	})
 }
+
+// New returns new instances of all metrics for testing in parallel.
+// Optionally, buckets for the histograms can be specified.
+func New(buckets ...float64) Metrics {
+	if len(buckets) == 0 {
+		buckets = []float64{0.005, 0.025, 0.1, 0.5, 1, 2.5, 10, 30, 60, 120, 180, 240} // 5ms to 4m
+	}
+	m := Metrics{
+		KubeRegistry: metrics.NewKubeRegistry(),
+		PodDeletionsTotal: metrics.NewCounter(
+			&metrics.CounterOpts{
+				Subsystem:      controllerSubsystem,
+				Name:           "pod_deletions_total",
+				Help:           "Total number of Pods deleted by DeviceTaintEvictionController since its start.",
+				StabilityLevel: metrics.ALPHA,
+			},
+		),
+		PodDeletionsLatency: metrics.NewHistogram(
+			&metrics.HistogramOpts{
+				Subsystem:      controllerSubsystem,
+				Name:           "pod_deletion_duration_seconds",
+				Help:           "Latency, in seconds, between the time when a device taint effect has been activated and a Pod's deletion via DeviceTaintEvictionController.",
+				Buckets:        []float64{0.005, 0.025, 0.1, 0.5, 1, 2.5, 10, 30, 60, 120, 180, 240}, // 5ms to 4m,
+				StabilityLevel: metrics.ALPHA,
+			},
+		),
+	}
+
+	// This has to be done after construction, otherwise ./hack/update-generated-stable-metrics.sh
+	// fails to find the default buckets.
+	if len(buckets) > 0 {
+		m.PodDeletionsLatency.HistogramOpts.Buckets = buckets
+	}
+
+	m.KubeRegistry.MustRegister(m.PodDeletionsTotal, m.PodDeletionsLatency)
+	return m
+}
+
+// Metrics contains all metrics supported by the device taint eviction controller.
+// It implements [metrics.Gatherer].
+type Metrics struct {
+	metrics.KubeRegistry
+	PodDeletionsTotal   *metrics.Counter
+	PodDeletionsLatency *metrics.Histogram
+}
+
+var _ metrics.Gatherer = Metrics{}
diff --git a/pkg/controller/devicetainteviction/taint_eviction.go b/pkg/controller/devicetainteviction/taint_eviction.go
deleted file mode 100644
index 48ab6f0ec51..00000000000
--- a/pkg/controller/devicetainteviction/taint_eviction.go
+++ /dev/null
@@ -1,614 +0,0 @@
-/*
-Copyright 2017 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package tainteviction
-
-import (
-	"context"
-	"fmt"
-	"hash/fnv"
-	"io"
-	"math"
-	"sync"
-	"time"
-
-	v1 "k8s.io/api/core/v1"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/types"
-	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
-	corev1informers "k8s.io/client-go/informers/core/v1"
-	clientset "k8s.io/client-go/kubernetes"
-	"k8s.io/client-go/kubernetes/scheme"
-	v1core "k8s.io/client-go/kubernetes/typed/core/v1"
-	corelisters "k8s.io/client-go/listers/core/v1"
-	"k8s.io/client-go/tools/cache"
-	"k8s.io/client-go/tools/record"
-	"k8s.io/client-go/util/workqueue"
-	"k8s.io/klog/v2"
-	apipod "k8s.io/kubernetes/pkg/api/v1/pod"
-	"k8s.io/kubernetes/pkg/apis/core/helper"
-	v1helper "k8s.io/kubernetes/pkg/apis/core/v1/helper"
-	"k8s.io/kubernetes/pkg/controller/tainteviction/metrics"
-	controllerutil "k8s.io/kubernetes/pkg/controller/util/node"
-	utilpod "k8s.io/kubernetes/pkg/util/pod"
-)
-
-const (
-	// TODO (k82cn): Figure out a reasonable number of workers/channels and propagate
-	// the number of workers up making it a parameter of Run() function.
-
-	// NodeUpdateChannelSize defines the size of channel for node update events.
-	NodeUpdateChannelSize = 10
-	// UpdateWorkerSize defines the size of workers for node update or/and pod update.
-	UpdateWorkerSize     = 8
-	podUpdateChannelSize = 1
-	retries              = 5
-)
-
-type nodeUpdateItem struct {
-	nodeName string
-}
-
-type podUpdateItem struct {
-	podName      string
-	podNamespace string
-	nodeName     string
-}
-
-func hash(val string, max int) int {
-	hasher := fnv.New32a()
-	io.WriteString(hasher, val)
-	return int(hasher.Sum32() % uint32(max))
-}
-
-// GetPodsByNodeNameFunc returns the list of pods assigned to the specified node.
-type GetPodsByNodeNameFunc func(nodeName string) ([]*v1.Pod, error)
-
-// Controller listens to Taint/Toleration changes and is responsible for removing Pods
-// from Nodes tainted with NoExecute Taints.
-type Controller struct {
-	name string
-
-	client                clientset.Interface
-	broadcaster           record.EventBroadcaster
-	recorder              record.EventRecorder
-	podLister             corelisters.PodLister
-	podListerSynced       cache.InformerSynced
-	nodeLister            corelisters.NodeLister
-	nodeListerSynced      cache.InformerSynced
-	getPodsAssignedToNode GetPodsByNodeNameFunc
-
-	taintEvictionQueue *TimedWorkerQueue
-	// keeps a map from nodeName to all noExecute taints on that Node
-	taintedNodesLock sync.Mutex
-	taintedNodes     map[string][]v1.Taint
-
-	nodeUpdateChannels []chan nodeUpdateItem
-	podUpdateChannels  []chan podUpdateItem
-
-	nodeUpdateQueue workqueue.TypedInterface[nodeUpdateItem]
-	podUpdateQueue  workqueue.TypedInterface[podUpdateItem]
-}
-
-func deletePodHandler(c clientset.Interface, emitEventFunc func(types.NamespacedName), controllerName string) func(ctx context.Context, fireAt time.Time, args *WorkArgs) error {
-	return func(ctx context.Context, fireAt time.Time, args *WorkArgs) error {
-		ns := args.NamespacedName.Namespace
-		name := args.NamespacedName.Name
-		klog.FromContext(ctx).Info("Deleting pod", "controller", controllerName, "pod", args.NamespacedName)
-		if emitEventFunc != nil {
-			emitEventFunc(args.NamespacedName)
-		}
-		var err error
-		for i := 0; i < retries; i++ {
-			err = addConditionAndDeletePod(ctx, c, name, ns)
-			if err == nil {
-				metrics.PodDeletionsTotal.Inc()
-				metrics.PodDeletionsLatency.Observe(float64(time.Since(fireAt) * time.Second))
-				break
-			}
-			time.Sleep(10 * time.Millisecond)
-		}
-		return err
-	}
-}
-
-func addConditionAndDeletePod(ctx context.Context, c clientset.Interface, name, ns string) (err error) {
-	pod, err := c.CoreV1().Pods(ns).Get(ctx, name, metav1.GetOptions{})
-	if err != nil {
-		return err
-	}
-	newStatus := pod.Status.DeepCopy()
-	updated := apipod.UpdatePodCondition(newStatus, &v1.PodCondition{
-		Type:    v1.DisruptionTarget,
-		Status:  v1.ConditionTrue,
-		Reason:  "DeletionByTaintManager",
-		Message: "Taint manager: deleting due to NoExecute taint",
-	})
-	if updated {
-		if _, _, _, err := utilpod.PatchPodStatus(ctx, c, pod.Namespace, pod.Name, pod.UID, pod.Status, *newStatus); err != nil {
-			return err
-		}
-	}
-	return c.CoreV1().Pods(ns).Delete(ctx, name, metav1.DeleteOptions{})
-}
-
-func getNoExecuteTaints(taints []v1.Taint) []v1.Taint {
-	result := []v1.Taint{}
-	for i := range taints {
-		if taints[i].Effect == v1.TaintEffectNoExecute {
-			result = append(result, taints[i])
-		}
-	}
-	return result
-}
-
-// getMinTolerationTime returns minimal toleration time from the given slice, or -1 if it's infinite.
-func getMinTolerationTime(tolerations []v1.Toleration) time.Duration {
-	minTolerationTime := int64(math.MaxInt64)
-	if len(tolerations) == 0 {
-		return 0
-	}
-
-	for i := range tolerations {
-		if tolerations[i].TolerationSeconds != nil {
-			tolerationSeconds := *(tolerations[i].TolerationSeconds)
-			if tolerationSeconds <= 0 {
-				return 0
-			} else if tolerationSeconds < minTolerationTime {
-				minTolerationTime = tolerationSeconds
-			}
-		}
-	}
-
-	if minTolerationTime == int64(math.MaxInt64) {
-		return -1
-	}
-	return time.Duration(minTolerationTime) * time.Second
-}
-
-// New creates a new Controller that will use passed clientset to communicate with the API server.
-func New(ctx context.Context, c clientset.Interface, podInformer corev1informers.PodInformer, nodeInformer corev1informers.NodeInformer, controllerName string) (*Controller, error) {
-	logger := klog.FromContext(ctx)
-	metrics.Register()
-	eventBroadcaster := record.NewBroadcaster(record.WithContext(ctx))
-	recorder := eventBroadcaster.NewRecorder(scheme.Scheme, v1.EventSource{Component: controllerName})
-
-	podIndexer := podInformer.Informer().GetIndexer()
-
-	tm := &Controller{
-		name: controllerName,
-
-		client:           c,
-		broadcaster:      eventBroadcaster,
-		recorder:         recorder,
-		podLister:        podInformer.Lister(),
-		podListerSynced:  podInformer.Informer().HasSynced,
-		nodeLister:       nodeInformer.Lister(),
-		nodeListerSynced: nodeInformer.Informer().HasSynced,
-		getPodsAssignedToNode: func(nodeName string) ([]*v1.Pod, error) {
-			objs, err := podIndexer.ByIndex("spec.nodeName", nodeName)
-			if err != nil {
-				return nil, err
-			}
-			pods := make([]*v1.Pod, 0, len(objs))
-			for _, obj := range objs {
-				pod, ok := obj.(*v1.Pod)
-				if !ok {
-					continue
-				}
-				pods = append(pods, pod)
-			}
-			return pods, nil
-		},
-		taintedNodes: make(map[string][]v1.Taint),
-
-		nodeUpdateQueue: workqueue.NewTypedWithConfig(workqueue.TypedQueueConfig[nodeUpdateItem]{Name: "noexec_taint_node"}),
-		podUpdateQueue:  workqueue.NewTypedWithConfig(workqueue.TypedQueueConfig[podUpdateItem]{Name: "noexec_taint_pod"}),
-	}
-	tm.taintEvictionQueue = CreateWorkerQueue(deletePodHandler(c, tm.emitPodDeletionEvent, tm.name))
-
-	_, err := podInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
-		AddFunc: func(obj interface{}) {
-			pod := obj.(*v1.Pod)
-			tm.PodUpdated(nil, pod)
-		},
-		UpdateFunc: func(prev, obj interface{}) {
-			prevPod := prev.(*v1.Pod)
-			newPod := obj.(*v1.Pod)
-			tm.PodUpdated(prevPod, newPod)
-		},
-		DeleteFunc: func(obj interface{}) {
-			pod, isPod := obj.(*v1.Pod)
-			// We can get DeletedFinalStateUnknown instead of *v1.Pod here and we need to handle that correctly.
-			if !isPod {
-				deletedState, ok := obj.(cache.DeletedFinalStateUnknown)
-				if !ok {
-					logger.Error(nil, "Received unexpected object", "object", obj)
-					return
-				}
-				pod, ok = deletedState.Obj.(*v1.Pod)
-				if !ok {
-					logger.Error(nil, "DeletedFinalStateUnknown contained non-Pod object", "object", deletedState.Obj)
-					return
-				}
-			}
-			tm.PodUpdated(pod, nil)
-		},
-	})
-	if err != nil {
-		return nil, fmt.Errorf("unable to add pod event handler: %w", err)
-	}
-
-	_, err = nodeInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
-		AddFunc: controllerutil.CreateAddNodeHandler(func(node *v1.Node) error {
-			tm.NodeUpdated(nil, node)
-			return nil
-		}),
-		UpdateFunc: controllerutil.CreateUpdateNodeHandler(func(oldNode, newNode *v1.Node) error {
-			tm.NodeUpdated(oldNode, newNode)
-			return nil
-		}),
-		DeleteFunc: controllerutil.CreateDeleteNodeHandler(logger, func(node *v1.Node) error {
-			tm.NodeUpdated(node, nil)
-			return nil
-		}),
-	})
-	if err != nil {
-		return nil, fmt.Errorf("unable to add node event handler: %w", err)
-	}
-
-	return tm, nil
-}
-
-// Run starts the controller which will run in loop until `stopCh` is closed.
-func (tc *Controller) Run(ctx context.Context) {
-	defer utilruntime.HandleCrash()
-	logger := klog.FromContext(ctx)
-	logger.Info("Starting", "controller", tc.name)
-	defer logger.Info("Shutting down controller", "controller", tc.name)
-
-	// Start events processing pipeline.
-	tc.broadcaster.StartStructuredLogging(3)
-	if tc.client != nil {
-		logger.Info("Sending events to api server")
-		tc.broadcaster.StartRecordingToSink(&v1core.EventSinkImpl{Interface: tc.client.CoreV1().Events("")})
-	} else {
-		logger.Error(nil, "kubeClient is nil", "controller", tc.name)
-		klog.FlushAndExit(klog.ExitFlushTimeout, 1)
-	}
-	defer tc.broadcaster.Shutdown()
-	defer tc.nodeUpdateQueue.ShutDown()
-	defer tc.podUpdateQueue.ShutDown()
-
-	// wait for the cache to be synced
-	if !cache.WaitForNamedCacheSync(tc.name, ctx.Done(), tc.podListerSynced, tc.nodeListerSynced) {
-		return
-	}
-
-	for i := 0; i < UpdateWorkerSize; i++ {
-		tc.nodeUpdateChannels = append(tc.nodeUpdateChannels, make(chan nodeUpdateItem, NodeUpdateChannelSize))
-		tc.podUpdateChannels = append(tc.podUpdateChannels, make(chan podUpdateItem, podUpdateChannelSize))
-	}
-
-	// Functions that are responsible for taking work items out of the workqueues and putting them
-	// into channels.
-	go func(stopCh <-chan struct{}) {
-		for {
-			nodeUpdate, shutdown := tc.nodeUpdateQueue.Get()
-			if shutdown {
-				break
-			}
-			hash := hash(nodeUpdate.nodeName, UpdateWorkerSize)
-			select {
-			case <-stopCh:
-				tc.nodeUpdateQueue.Done(nodeUpdate)
-				return
-			case tc.nodeUpdateChannels[hash] <- nodeUpdate:
-				// tc.nodeUpdateQueue.Done is called by the nodeUpdateChannels worker
-			}
-		}
-	}(ctx.Done())
-
-	go func(stopCh <-chan struct{}) {
-		for {
-			podUpdate, shutdown := tc.podUpdateQueue.Get()
-			if shutdown {
-				break
-			}
-			// The fact that pods are processed by the same worker as nodes is used to avoid races
-			// between node worker setting tc.taintedNodes and pod worker reading this to decide
-			// whether to delete pod.
-			// It's possible that even without this assumption this code is still correct.
-			hash := hash(podUpdate.nodeName, UpdateWorkerSize)
-			select {
-			case <-stopCh:
-				tc.podUpdateQueue.Done(podUpdate)
-				return
-			case tc.podUpdateChannels[hash] <- podUpdate:
-				// tc.podUpdateQueue.Done is called by the podUpdateChannels worker
-			}
-		}
-	}(ctx.Done())
-
-	wg := sync.WaitGroup{}
-	wg.Add(UpdateWorkerSize)
-	for i := 0; i < UpdateWorkerSize; i++ {
-		go tc.worker(ctx, i, wg.Done, ctx.Done())
-	}
-	wg.Wait()
-}
-
-func (tc *Controller) worker(ctx context.Context, worker int, done func(), stopCh <-chan struct{}) {
-	defer done()
-
-	// When processing events we want to prioritize Node updates over Pod updates,
-	// as NodeUpdates that interest the controller should be handled as soon as possible -
-	// we don't want user (or system) to wait until PodUpdate queue is drained before it can
-	// start evicting Pods from tainted Nodes.
-	for {
-		select {
-		case <-stopCh:
-			return
-		case nodeUpdate := <-tc.nodeUpdateChannels[worker]:
-			tc.handleNodeUpdate(ctx, nodeUpdate)
-			tc.nodeUpdateQueue.Done(nodeUpdate)
-		case podUpdate := <-tc.podUpdateChannels[worker]:
-			// If we found a Pod update we need to empty Node queue first.
-		priority:
-			for {
-				select {
-				case nodeUpdate := <-tc.nodeUpdateChannels[worker]:
-					tc.handleNodeUpdate(ctx, nodeUpdate)
-					tc.nodeUpdateQueue.Done(nodeUpdate)
-				default:
-					break priority
-				}
-			}
-			// After Node queue is emptied we process podUpdate.
-			tc.handlePodUpdate(ctx, podUpdate)
-			tc.podUpdateQueue.Done(podUpdate)
-		}
-	}
-}
-
-// PodUpdated is used to notify NoExecuteTaintManager about Pod changes.
-func (tc *Controller) PodUpdated(oldPod *v1.Pod, newPod *v1.Pod) {
-	podName := ""
-	podNamespace := ""
-	nodeName := ""
-	oldTolerations := []v1.Toleration{}
-	if oldPod != nil {
-		podName = oldPod.Name
-		podNamespace = oldPod.Namespace
-		nodeName = oldPod.Spec.NodeName
-		oldTolerations = oldPod.Spec.Tolerations
-	}
-	newTolerations := []v1.Toleration{}
-	if newPod != nil {
-		podName = newPod.Name
-		podNamespace = newPod.Namespace
-		nodeName = newPod.Spec.NodeName
-		newTolerations = newPod.Spec.Tolerations
-	}
-
-	if oldPod != nil && newPod != nil && helper.Semantic.DeepEqual(oldTolerations, newTolerations) && oldPod.Spec.NodeName == newPod.Spec.NodeName {
-		return
-	}
-	updateItem := podUpdateItem{
-		podName:      podName,
-		podNamespace: podNamespace,
-		nodeName:     nodeName,
-	}
-
-	tc.podUpdateQueue.Add(updateItem)
-}
-
-// NodeUpdated is used to notify NoExecuteTaintManager about Node changes.
-func (tc *Controller) NodeUpdated(oldNode *v1.Node, newNode *v1.Node) {
-	nodeName := ""
-	oldTaints := []v1.Taint{}
-	if oldNode != nil {
-		nodeName = oldNode.Name
-		oldTaints = getNoExecuteTaints(oldNode.Spec.Taints)
-	}
-
-	newTaints := []v1.Taint{}
-	if newNode != nil {
-		nodeName = newNode.Name
-		newTaints = getNoExecuteTaints(newNode.Spec.Taints)
-	}
-
-	if oldNode != nil && newNode != nil && helper.Semantic.DeepEqual(oldTaints, newTaints) {
-		return
-	}
-	updateItem := nodeUpdateItem{
-		nodeName: nodeName,
-	}
-
-	tc.nodeUpdateQueue.Add(updateItem)
-}
-
-func (tc *Controller) cancelWorkWithEvent(logger klog.Logger, nsName types.NamespacedName) {
-	if tc.taintEvictionQueue.CancelWork(logger, nsName.String()) {
-		tc.emitCancelPodDeletionEvent(nsName)
-	}
-}
-
-func (tc *Controller) processPodOnNode(
-	ctx context.Context,
-	podNamespacedName types.NamespacedName,
-	nodeName string,
-	tolerations []v1.Toleration,
-	taints []v1.Taint,
-	now time.Time,
-) {
-	logger := klog.FromContext(ctx)
-	if len(taints) == 0 {
-		tc.cancelWorkWithEvent(logger, podNamespacedName)
-	}
-	allTolerated, usedTolerations := v1helper.GetMatchingTolerations(taints, tolerations)
-	if !allTolerated {
-		logger.V(2).Info("Not all taints are tolerated after update for pod on node", "pod", podNamespacedName.String(), "node", klog.KRef("", nodeName))
-		// We're canceling scheduled work (if any), as we're going to delete the Pod right away.
-		tc.cancelWorkWithEvent(logger, podNamespacedName)
-		tc.taintEvictionQueue.AddWork(ctx, NewWorkArgs(podNamespacedName.Name, podNamespacedName.Namespace), now, now)
-		return
-	}
-	minTolerationTime := getMinTolerationTime(usedTolerations)
-	// getMinTolerationTime returns negative value to denote infinite toleration.
-	if minTolerationTime < 0 {
-		logger.V(4).Info("Current tolerations for pod tolerate forever, cancelling any scheduled deletion", "pod", podNamespacedName.String())
-		tc.cancelWorkWithEvent(logger, podNamespacedName)
-		return
-	}
-
-	startTime := now
-	triggerTime := startTime.Add(minTolerationTime)
-	scheduledEviction := tc.taintEvictionQueue.GetWorkerUnsafe(podNamespacedName.String())
-	if scheduledEviction != nil {
-		startTime = scheduledEviction.CreatedAt
-		if startTime.Add(minTolerationTime).Before(triggerTime) {
-			return
-		}
-		tc.cancelWorkWithEvent(logger, podNamespacedName)
-	}
-	tc.taintEvictionQueue.AddWork(ctx, NewWorkArgs(podNamespacedName.Name, podNamespacedName.Namespace), startTime, triggerTime)
-}
-
-func (tc *Controller) handlePodUpdate(ctx context.Context, podUpdate podUpdateItem) {
-	pod, err := tc.podLister.Pods(podUpdate.podNamespace).Get(podUpdate.podName)
-	logger := klog.FromContext(ctx)
-	if err != nil {
-		if apierrors.IsNotFound(err) {
-			// Delete
-			podNamespacedName := types.NamespacedName{Namespace: podUpdate.podNamespace, Name: podUpdate.podName}
-			logger.V(4).Info("Noticed pod deletion", "pod", podNamespacedName)
-			tc.cancelWorkWithEvent(logger, podNamespacedName)
-			return
-		}
-		utilruntime.HandleError(fmt.Errorf("could not get pod %s/%s: %v", podUpdate.podName, podUpdate.podNamespace, err))
-		return
-	}
-
-	// We key the workqueue and shard workers by nodeName. If we don't match the current state we should not be the one processing the current object.
-	if pod.Spec.NodeName != podUpdate.nodeName {
-		return
-	}
-
-	// Create or Update
-	podNamespacedName := types.NamespacedName{Namespace: pod.Namespace, Name: pod.Name}
-	logger.V(4).Info("Noticed pod update", "pod", podNamespacedName)
-	nodeName := pod.Spec.NodeName
-	if nodeName == "" {
-		return
-	}
-	taints, ok := func() ([]v1.Taint, bool) {
-		tc.taintedNodesLock.Lock()
-		defer tc.taintedNodesLock.Unlock()
-		taints, ok := tc.taintedNodes[nodeName]
-		return taints, ok
-	}()
-	// It's possible that Node was deleted, or Taints were removed before, which triggered
-	// eviction cancelling if it was needed.
-	if !ok {
-		return
-	}
-	tc.processPodOnNode(ctx, podNamespacedName, nodeName, pod.Spec.Tolerations, taints, time.Now())
-}
-
-func (tc *Controller) handleNodeUpdate(ctx context.Context, nodeUpdate nodeUpdateItem) {
-	node, err := tc.nodeLister.Get(nodeUpdate.nodeName)
-	logger := klog.FromContext(ctx)
-	if err != nil {
-		if apierrors.IsNotFound(err) {
-			// Delete
-			logger.V(4).Info("Noticed node deletion", "node", klog.KRef("", nodeUpdate.nodeName))
-			tc.taintedNodesLock.Lock()
-			defer tc.taintedNodesLock.Unlock()
-			delete(tc.taintedNodes, nodeUpdate.nodeName)
-			return
-		}
-		utilruntime.HandleError(fmt.Errorf("cannot get node %s: %v", nodeUpdate.nodeName, err))
-		return
-	}
-
-	// Create or Update
-	logger.V(4).Info("Noticed node update", "node", klog.KObj(node))
-	taints := getNoExecuteTaints(node.Spec.Taints)
-	func() {
-		tc.taintedNodesLock.Lock()
-		defer tc.taintedNodesLock.Unlock()
-		logger.V(4).Info("Updating known taints on node", "node", klog.KObj(node), "taints", taints)
-		if len(taints) == 0 {
-			delete(tc.taintedNodes, node.Name)
-		} else {
-			tc.taintedNodes[node.Name] = taints
-		}
-	}()
-
-	// This is critical that we update tc.taintedNodes before we call getPodsAssignedToNode:
-	// getPodsAssignedToNode can be delayed as long as all future updates to pods will call
-	// tc.PodUpdated which will use tc.taintedNodes to potentially delete delayed pods.
-	pods, err := tc.getPodsAssignedToNode(node.Name)
-	if err != nil {
-		logger.Error(err, "Failed to get pods assigned to node", "node", klog.KObj(node))
-		return
-	}
-	if len(pods) == 0 {
-		return
-	}
-	// Short circuit, to make this controller a bit faster.
-	if len(taints) == 0 {
-		logger.V(4).Info("All taints were removed from the node. Cancelling all evictions...", "node", klog.KObj(node))
-		for i := range pods {
-			tc.cancelWorkWithEvent(logger, types.NamespacedName{Namespace: pods[i].Namespace, Name: pods[i].Name})
-		}
-		return
-	}
-
-	now := time.Now()
-	for _, pod := range pods {
-		podNamespacedName := types.NamespacedName{Namespace: pod.Namespace, Name: pod.Name}
-		tc.processPodOnNode(ctx, podNamespacedName, node.Name, pod.Spec.Tolerations, taints, now)
-	}
-}
-
-func (tc *Controller) emitPodDeletionEvent(nsName types.NamespacedName) {
-	if tc.recorder == nil {
-		return
-	}
-	ref := &v1.ObjectReference{
-		APIVersion: "v1",
-		Kind:       "Pod",
-		Name:       nsName.Name,
-		Namespace:  nsName.Namespace,
-	}
-	tc.recorder.Eventf(ref, v1.EventTypeNormal, "TaintManagerEviction", "Marking for deletion Pod %s", nsName.String())
-}
-
-func (tc *Controller) emitCancelPodDeletionEvent(nsName types.NamespacedName) {
-	if tc.recorder == nil {
-		return
-	}
-	ref := &v1.ObjectReference{
-		APIVersion: "v1",
-		Kind:       "Pod",
-		Name:       nsName.Name,
-		Namespace:  nsName.Namespace,
-	}
-	tc.recorder.Eventf(ref, v1.EventTypeNormal, "TaintManagerEviction", "Cancelling deletion of Pod %s", nsName.String())
-}
diff --git a/pkg/controller/devicetainteviction/taint_eviction_test.go b/pkg/controller/devicetainteviction/taint_eviction_test.go
deleted file mode 100644
index 6c933d5f23d..00000000000
--- a/pkg/controller/devicetainteviction/taint_eviction_test.go
+++ /dev/null
@@ -1,941 +0,0 @@
-/*
-Copyright 2017 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package tainteviction
-
-import (
-	"context"
-	"fmt"
-	goruntime "runtime"
-	"sort"
-	"testing"
-	"time"
-
-	"github.com/google/go-cmp/cmp"
-
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/fields"
-	"k8s.io/apimachinery/pkg/labels"
-	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/apimachinery/pkg/util/wait"
-	"k8s.io/client-go/informers"
-	"k8s.io/client-go/kubernetes/fake"
-	clienttesting "k8s.io/client-go/testing"
-	"k8s.io/client-go/tools/cache"
-	"k8s.io/kubernetes/pkg/controller/testutil"
-)
-
-var timeForControllerToProgressForSanityCheck = 20 * time.Millisecond
-
-func getPodsAssignedToNode(ctx context.Context, c *fake.Clientset) GetPodsByNodeNameFunc {
-	return func(nodeName string) ([]*corev1.Pod, error) {
-		selector := fields.SelectorFromSet(fields.Set{"spec.nodeName": nodeName})
-		pods, err := c.CoreV1().Pods(corev1.NamespaceAll).List(ctx, metav1.ListOptions{
-			FieldSelector: selector.String(),
-			LabelSelector: labels.Everything().String(),
-		})
-		if err != nil {
-			return []*corev1.Pod{}, fmt.Errorf("failed to get Pods assigned to node %v", nodeName)
-		}
-		rPods := make([]*corev1.Pod, len(pods.Items))
-		for i := range pods.Items {
-			rPods[i] = &pods.Items[i]
-		}
-		return rPods, nil
-	}
-}
-
-func createNoExecuteTaint(index int) corev1.Taint {
-	now := metav1.Now()
-	return corev1.Taint{
-		Key:       "testTaint" + fmt.Sprintf("%v", index),
-		Value:     "test" + fmt.Sprintf("%v", index),
-		Effect:    corev1.TaintEffectNoExecute,
-		TimeAdded: &now,
-	}
-}
-
-func addToleration(pod *corev1.Pod, index int, duration int64) *corev1.Pod {
-	if pod.Annotations == nil {
-		pod.Annotations = map[string]string{}
-	}
-	if duration < 0 {
-		pod.Spec.Tolerations = []corev1.Toleration{{Key: "testTaint" + fmt.Sprintf("%v", index), Value: "test" + fmt.Sprintf("%v", index), Effect: corev1.TaintEffectNoExecute}}
-
-	} else {
-		pod.Spec.Tolerations = []corev1.Toleration{{Key: "testTaint" + fmt.Sprintf("%v", index), Value: "test" + fmt.Sprintf("%v", index), Effect: corev1.TaintEffectNoExecute, TolerationSeconds: &duration}}
-	}
-	return pod
-}
-
-func addTaintsToNode(node *corev1.Node, key, value string, indices []int) *corev1.Node {
-	taints := []corev1.Taint{}
-	for _, index := range indices {
-		taints = append(taints, createNoExecuteTaint(index))
-	}
-	node.Spec.Taints = taints
-	return node
-}
-
-var alwaysReady = func() bool { return true }
-
-func setupNewController(ctx context.Context, fakeClientSet *fake.Clientset) (*Controller, cache.Indexer, cache.Indexer) {
-	informerFactory := informers.NewSharedInformerFactory(fakeClientSet, 0)
-	podIndexer := informerFactory.Core().V1().Pods().Informer().GetIndexer()
-	nodeIndexer := informerFactory.Core().V1().Nodes().Informer().GetIndexer()
-	mgr, _ := New(ctx, fakeClientSet, informerFactory.Core().V1().Pods(), informerFactory.Core().V1().Nodes(), "taint-eviction-controller")
-	mgr.podListerSynced = alwaysReady
-	mgr.nodeListerSynced = alwaysReady
-	mgr.getPodsAssignedToNode = getPodsAssignedToNode(ctx, fakeClientSet)
-	return mgr, podIndexer, nodeIndexer
-}
-
-type timestampedPod struct {
-	names     []string
-	timestamp time.Duration
-}
-
-type durationSlice []timestampedPod
-
-func (a durationSlice) Len() int           { return len(a) }
-func (a durationSlice) Swap(i, j int)      { a[i], a[j] = a[j], a[i] }
-func (a durationSlice) Less(i, j int) bool { return a[i].timestamp < a[j].timestamp }
-
-func TestFilterNoExecuteTaints(t *testing.T) {
-	taints := []corev1.Taint{
-		{
-			Key:    "one",
-			Value:  "one",
-			Effect: corev1.TaintEffectNoExecute,
-		},
-		{
-			Key:    "two",
-			Value:  "two",
-			Effect: corev1.TaintEffectNoSchedule,
-		},
-	}
-	taints = getNoExecuteTaints(taints)
-	if len(taints) != 1 || taints[0].Key != "one" {
-		t.Errorf("Filtering doesn't work. Got %v", taints)
-	}
-}
-
-func TestCreatePod(t *testing.T) {
-	testCases := []struct {
-		description  string
-		pod          *corev1.Pod
-		taintedNodes map[string][]corev1.Taint
-		expectPatch  bool
-		expectDelete bool
-	}{
-		{
-			description:  "not scheduled - ignore",
-			pod:          testutil.NewPod("pod1", ""),
-			taintedNodes: map[string][]corev1.Taint{},
-			expectDelete: false,
-		},
-		{
-			description:  "scheduled on untainted Node",
-			pod:          testutil.NewPod("pod1", "node1"),
-			taintedNodes: map[string][]corev1.Taint{},
-			expectDelete: false,
-		},
-		{
-			description: "schedule on tainted Node",
-			pod:         testutil.NewPod("pod1", "node1"),
-			taintedNodes: map[string][]corev1.Taint{
-				"node1": {createNoExecuteTaint(1)},
-			},
-			expectPatch:  true,
-			expectDelete: true,
-		},
-		{
-			description: "schedule on tainted Node with finite toleration",
-			pod:         addToleration(testutil.NewPod("pod1", "node1"), 1, 100),
-			taintedNodes: map[string][]corev1.Taint{
-				"node1": {createNoExecuteTaint(1)},
-			},
-			expectDelete: false,
-		},
-		{
-			description: "schedule on tainted Node with infinite toleration",
-			pod:         addToleration(testutil.NewPod("pod1", "node1"), 1, -1),
-			taintedNodes: map[string][]corev1.Taint{
-				"node1": {createNoExecuteTaint(1)},
-			},
-			expectDelete: false,
-		},
-		{
-			description: "schedule on tainted Node with infinite invalid toleration",
-			pod:         addToleration(testutil.NewPod("pod1", "node1"), 2, -1),
-			taintedNodes: map[string][]corev1.Taint{
-				"node1": {createNoExecuteTaint(1)},
-			},
-			expectPatch:  true,
-			expectDelete: true,
-		},
-	}
-
-	for _, item := range testCases {
-		t.Run(item.description, func(t *testing.T) {
-			ctx, cancel := context.WithCancel(context.Background())
-			fakeClientset := fake.NewSimpleClientset(&corev1.PodList{Items: []corev1.Pod{*item.pod}})
-			controller, podIndexer, _ := setupNewController(ctx, fakeClientset)
-			controller.recorder = testutil.NewFakeRecorder()
-			go controller.Run(ctx)
-			controller.taintedNodes = item.taintedNodes
-
-			podIndexer.Add(item.pod)
-			controller.PodUpdated(nil, item.pod)
-
-			verifyPodActions(t, item.description, fakeClientset, item.expectPatch, item.expectDelete)
-
-			cancel()
-		})
-	}
-}
-
-func TestDeletePod(t *testing.T) {
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-
-	fakeClientset := fake.NewSimpleClientset()
-	controller, _, _ := setupNewController(ctx, fakeClientset)
-	controller.recorder = testutil.NewFakeRecorder()
-	go controller.Run(ctx)
-	controller.taintedNodes = map[string][]corev1.Taint{
-		"node1": {createNoExecuteTaint(1)},
-	}
-	controller.PodUpdated(testutil.NewPod("pod1", "node1"), nil)
-	// wait a bit to see if nothing will panic
-	time.Sleep(timeForControllerToProgressForSanityCheck)
-}
-
-func TestUpdatePod(t *testing.T) {
-	testCases := []struct {
-		description               string
-		prevPod                   *corev1.Pod
-		awaitForScheduledEviction bool
-		newPod                    *corev1.Pod
-		taintedNodes              map[string][]corev1.Taint
-		expectPatch               bool
-		expectDelete              bool
-		skipOnWindows             bool
-	}{
-		{
-			description: "scheduling onto tainted Node",
-			prevPod:     testutil.NewPod("pod1", ""),
-			newPod:      testutil.NewPod("pod1", "node1"),
-			taintedNodes: map[string][]corev1.Taint{
-				"node1": {createNoExecuteTaint(1)},
-			},
-			expectPatch:  true,
-			expectDelete: true,
-		},
-		{
-			description: "scheduling onto tainted Node with toleration",
-			prevPod:     addToleration(testutil.NewPod("pod1", ""), 1, -1),
-			newPod:      addToleration(testutil.NewPod("pod1", "node1"), 1, -1),
-			taintedNodes: map[string][]corev1.Taint{
-				"node1": {createNoExecuteTaint(1)},
-			},
-			expectDelete: false,
-		},
-		{
-			description:               "removing toleration",
-			prevPod:                   addToleration(testutil.NewPod("pod1", "node1"), 1, 100),
-			newPod:                    testutil.NewPod("pod1", "node1"),
-			awaitForScheduledEviction: true,
-			taintedNodes: map[string][]corev1.Taint{
-				"node1": {createNoExecuteTaint(1)},
-			},
-			expectPatch:  true,
-			expectDelete: true,
-		},
-		{
-			description:               "lengthening toleration shouldn't work",
-			prevPod:                   addToleration(testutil.NewPod("pod1", "node1"), 1, 1),
-			newPod:                    addToleration(testutil.NewPod("pod1", "node1"), 1, 100),
-			awaitForScheduledEviction: true,
-			taintedNodes: map[string][]corev1.Taint{
-				"node1": {createNoExecuteTaint(1)},
-			},
-			expectPatch:   true,
-			expectDelete:  true,
-			skipOnWindows: true,
-		},
-	}
-
-	for _, item := range testCases {
-		t.Run(item.description, func(t *testing.T) {
-			if item.skipOnWindows && goruntime.GOOS == "windows" {
-				// TODO: remove skip once the flaking test has been fixed.
-				t.Skip("Skip flaking test on Windows.")
-			}
-			ctx, cancel := context.WithCancel(context.Background())
-			fakeClientset := fake.NewSimpleClientset(&corev1.PodList{Items: []corev1.Pod{*item.prevPod}})
-			controller, podIndexer, _ := setupNewController(context.TODO(), fakeClientset)
-			controller.recorder = testutil.NewFakeRecorder()
-			controller.taintedNodes = item.taintedNodes
-			go controller.Run(ctx)
-
-			podIndexer.Add(item.prevPod)
-			controller.PodUpdated(nil, item.prevPod)
-
-			if item.awaitForScheduledEviction {
-				nsName := types.NamespacedName{Namespace: item.prevPod.Namespace, Name: item.prevPod.Name}
-				err := wait.PollImmediate(time.Millisecond*10, time.Second, func() (bool, error) {
-					scheduledEviction := controller.taintEvictionQueue.GetWorkerUnsafe(nsName.String())
-					return scheduledEviction != nil, nil
-				})
-				if err != nil {
-					t.Fatalf("Failed to await for scheduled eviction: %q", err)
-				}
-			}
-
-			podIndexer.Update(item.newPod)
-			controller.PodUpdated(item.prevPod, item.newPod)
-
-			verifyPodActions(t, item.description, fakeClientset, item.expectPatch, item.expectDelete)
-			cancel()
-		})
-	}
-}
-
-func TestCreateNode(t *testing.T) {
-	testCases := []struct {
-		description  string
-		pods         []corev1.Pod
-		node         *corev1.Node
-		expectPatch  bool
-		expectDelete bool
-	}{
-		{
-			description: "Creating Node matching already assigned Pod",
-			pods: []corev1.Pod{
-				*testutil.NewPod("pod1", "node1"),
-			},
-			node:         testutil.NewNode("node1"),
-			expectPatch:  false,
-			expectDelete: false,
-		},
-		{
-			description: "Creating tainted Node matching already assigned Pod",
-			pods: []corev1.Pod{
-				*testutil.NewPod("pod1", "node1"),
-			},
-			node:         addTaintsToNode(testutil.NewNode("node1"), "testTaint1", "taint1", []int{1}),
-			expectPatch:  true,
-			expectDelete: true,
-		},
-		{
-			description: "Creating tainted Node matching already assigned tolerating Pod",
-			pods: []corev1.Pod{
-				*addToleration(testutil.NewPod("pod1", "node1"), 1, -1),
-			},
-			node:         addTaintsToNode(testutil.NewNode("node1"), "testTaint1", "taint1", []int{1}),
-			expectPatch:  false,
-			expectDelete: false,
-		},
-	}
-
-	for _, item := range testCases {
-		ctx, cancel := context.WithCancel(context.Background())
-		fakeClientset := fake.NewSimpleClientset(&corev1.PodList{Items: item.pods})
-		controller, _, nodeIndexer := setupNewController(ctx, fakeClientset)
-		nodeIndexer.Add(item.node)
-		controller.recorder = testutil.NewFakeRecorder()
-		go controller.Run(ctx)
-		controller.NodeUpdated(nil, item.node)
-
-		verifyPodActions(t, item.description, fakeClientset, item.expectPatch, item.expectDelete)
-
-		cancel()
-	}
-}
-
-func TestDeleteNode(t *testing.T) {
-	ctx, cancel := context.WithCancel(context.Background())
-	fakeClientset := fake.NewSimpleClientset()
-	controller, _, _ := setupNewController(ctx, fakeClientset)
-	controller.recorder = testutil.NewFakeRecorder()
-	controller.taintedNodes = map[string][]corev1.Taint{
-		"node1": {createNoExecuteTaint(1)},
-	}
-	go controller.Run(ctx)
-	controller.NodeUpdated(testutil.NewNode("node1"), nil)
-
-	// await until controller.taintedNodes is empty
-	err := wait.PollImmediate(10*time.Millisecond, time.Second, func() (bool, error) {
-		controller.taintedNodesLock.Lock()
-		defer controller.taintedNodesLock.Unlock()
-		_, ok := controller.taintedNodes["node1"]
-		return !ok, nil
-	})
-	if err != nil {
-		t.Errorf("Failed to await for processing node deleted: %q", err)
-	}
-	cancel()
-}
-
-func TestUpdateNode(t *testing.T) {
-	testCases := []struct {
-		description     string
-		pods            []corev1.Pod
-		oldNode         *corev1.Node
-		newNode         *corev1.Node
-		expectPatch     bool
-		expectDelete    bool
-		additionalSleep time.Duration
-	}{
-		{
-			description: "Added taint, expect node patched and deleted",
-			pods: []corev1.Pod{
-				*testutil.NewPod("pod1", "node1"),
-			},
-			oldNode:      testutil.NewNode("node1"),
-			newNode:      addTaintsToNode(testutil.NewNode("node1"), "testTaint1", "taint1", []int{1}),
-			expectPatch:  true,
-			expectDelete: true,
-		},
-		{
-			description: "Added tolerated taint",
-			pods: []corev1.Pod{
-				*addToleration(testutil.NewPod("pod1", "node1"), 1, 100),
-			},
-			oldNode:      testutil.NewNode("node1"),
-			newNode:      addTaintsToNode(testutil.NewNode("node1"), "testTaint1", "taint1", []int{1}),
-			expectDelete: false,
-		},
-		{
-			description: "Only one added taint tolerated",
-			pods: []corev1.Pod{
-				*addToleration(testutil.NewPod("pod1", "node1"), 1, 100),
-			},
-			oldNode:      testutil.NewNode("node1"),
-			newNode:      addTaintsToNode(testutil.NewNode("node1"), "testTaint1", "taint1", []int{1, 2}),
-			expectPatch:  true,
-			expectDelete: true,
-		},
-		{
-			description: "Taint removed",
-			pods: []corev1.Pod{
-				*addToleration(testutil.NewPod("pod1", "node1"), 1, 1),
-			},
-			oldNode:         addTaintsToNode(testutil.NewNode("node1"), "testTaint1", "taint1", []int{1}),
-			newNode:         testutil.NewNode("node1"),
-			expectDelete:    false,
-			additionalSleep: 1500 * time.Millisecond,
-		},
-		{
-			description: "Pod with multiple tolerations are evicted when first one runs out",
-			pods: []corev1.Pod{
-				{
-					ObjectMeta: metav1.ObjectMeta{
-						Namespace: "default",
-						Name:      "pod1",
-					},
-					Spec: corev1.PodSpec{
-						NodeName: "node1",
-						Tolerations: []corev1.Toleration{
-							{Key: "testTaint1", Value: "test1", Effect: corev1.TaintEffectNoExecute, TolerationSeconds: &[]int64{1}[0]},
-							{Key: "testTaint2", Value: "test2", Effect: corev1.TaintEffectNoExecute, TolerationSeconds: &[]int64{100}[0]},
-						},
-					},
-					Status: corev1.PodStatus{
-						Conditions: []corev1.PodCondition{
-							{
-								Type:   corev1.PodReady,
-								Status: corev1.ConditionTrue,
-							},
-						},
-					},
-				},
-			},
-			oldNode:      testutil.NewNode("node1"),
-			newNode:      addTaintsToNode(testutil.NewNode("node1"), "testTaint1", "taint1", []int{1, 2}),
-			expectPatch:  true,
-			expectDelete: true,
-		},
-	}
-
-	for _, item := range testCases {
-		t.Run(item.description, func(t *testing.T) {
-			ctx, cancel := context.WithCancel(context.Background())
-			defer cancel()
-
-			fakeClientset := fake.NewSimpleClientset(&corev1.PodList{Items: item.pods})
-			controller, _, nodeIndexer := setupNewController(ctx, fakeClientset)
-			nodeIndexer.Add(item.newNode)
-			controller.recorder = testutil.NewFakeRecorder()
-			go controller.Run(ctx)
-			controller.NodeUpdated(item.oldNode, item.newNode)
-
-			if item.additionalSleep > 0 {
-				time.Sleep(item.additionalSleep)
-			}
-
-			verifyPodActions(t, item.description, fakeClientset, item.expectPatch, item.expectDelete)
-		})
-	}
-}
-
-func TestUpdateNodeWithMultipleTaints(t *testing.T) {
-	taint1 := createNoExecuteTaint(1)
-	taint2 := createNoExecuteTaint(2)
-
-	minute := int64(60)
-	pod := testutil.NewPod("pod1", "node1")
-	pod.Spec.Tolerations = []corev1.Toleration{
-		{Key: taint1.Key, Operator: corev1.TolerationOpExists, Effect: corev1.TaintEffectNoExecute},
-		{Key: taint2.Key, Operator: corev1.TolerationOpExists, Effect: corev1.TaintEffectNoExecute, TolerationSeconds: &minute},
-	}
-	podNamespacedName := types.NamespacedName{Namespace: pod.Namespace, Name: pod.Name}
-
-	untaintedNode := testutil.NewNode("node1")
-
-	doubleTaintedNode := testutil.NewNode("node1")
-	doubleTaintedNode.Spec.Taints = []corev1.Taint{taint1, taint2}
-
-	singleTaintedNode := testutil.NewNode("node1")
-	singleTaintedNode.Spec.Taints = []corev1.Taint{taint1}
-
-	ctx, cancel := context.WithCancel(context.TODO())
-	fakeClientset := fake.NewSimpleClientset(pod)
-	controller, _, nodeIndexer := setupNewController(ctx, fakeClientset)
-	controller.recorder = testutil.NewFakeRecorder()
-	go controller.Run(ctx)
-
-	// no taint
-	nodeIndexer.Add(untaintedNode)
-	controller.handleNodeUpdate(ctx, nodeUpdateItem{"node1"})
-	// verify pod is not queued for deletion
-	if controller.taintEvictionQueue.GetWorkerUnsafe(podNamespacedName.String()) != nil {
-		t.Fatalf("pod queued for deletion with no taints")
-	}
-
-	// no taint -> infinitely tolerated taint
-	nodeIndexer.Update(singleTaintedNode)
-	controller.handleNodeUpdate(ctx, nodeUpdateItem{"node1"})
-	// verify pod is not queued for deletion
-	if controller.taintEvictionQueue.GetWorkerUnsafe(podNamespacedName.String()) != nil {
-		t.Fatalf("pod queued for deletion with permanently tolerated taint")
-	}
-
-	// infinitely tolerated taint -> temporarily tolerated taint
-	nodeIndexer.Update(doubleTaintedNode)
-	controller.handleNodeUpdate(ctx, nodeUpdateItem{"node1"})
-	// verify pod is queued for deletion
-	if controller.taintEvictionQueue.GetWorkerUnsafe(podNamespacedName.String()) == nil {
-		t.Fatalf("pod not queued for deletion after addition of temporarily tolerated taint")
-	}
-
-	// temporarily tolerated taint -> infinitely tolerated taint
-	nodeIndexer.Update(singleTaintedNode)
-	controller.handleNodeUpdate(ctx, nodeUpdateItem{"node1"})
-	// verify pod is not queued for deletion
-	if controller.taintEvictionQueue.GetWorkerUnsafe(podNamespacedName.String()) != nil {
-		t.Fatalf("pod queued for deletion after removal of temporarily tolerated taint")
-	}
-
-	// verify pod is not deleted
-	for _, action := range fakeClientset.Actions() {
-		if action.GetVerb() == "delete" && action.GetResource().Resource == "pods" {
-			t.Error("Unexpected deletion")
-		}
-	}
-	cancel()
-}
-
-func TestUpdateNodeWithMultiplePods(t *testing.T) {
-	testCases := []struct {
-		description         string
-		pods                []corev1.Pod
-		oldNode             *corev1.Node
-		newNode             *corev1.Node
-		expectedDeleteTimes durationSlice
-	}{
-		{
-			description: "Pods with different toleration times are evicted appropriately",
-			pods: []corev1.Pod{
-				*testutil.NewPod("pod1", "node1"),
-				*addToleration(testutil.NewPod("pod2", "node1"), 1, 1),
-				*addToleration(testutil.NewPod("pod3", "node1"), 1, -1),
-			},
-			oldNode: testutil.NewNode("node1"),
-			newNode: addTaintsToNode(testutil.NewNode("node1"), "testTaint1", "taint1", []int{1}),
-			expectedDeleteTimes: durationSlice{
-				{[]string{"pod1"}, 0},
-				{[]string{"pod2"}, time.Second},
-			},
-		},
-		{
-			description: "Evict all pods not matching all taints instantly",
-			pods: []corev1.Pod{
-				*testutil.NewPod("pod1", "node1"),
-				*addToleration(testutil.NewPod("pod2", "node1"), 1, 1),
-				*addToleration(testutil.NewPod("pod3", "node1"), 1, -1),
-			},
-			oldNode: testutil.NewNode("node1"),
-			newNode: addTaintsToNode(testutil.NewNode("node1"), "testTaint1", "taint1", []int{1, 2}),
-			expectedDeleteTimes: durationSlice{
-				{[]string{"pod1", "pod2", "pod3"}, 0},
-			},
-		},
-	}
-
-	for _, item := range testCases {
-		t.Run(item.description, func(t *testing.T) {
-			t.Logf("Starting testcase %q", item.description)
-			ctx, cancel := context.WithCancel(context.Background())
-			defer cancel()
-
-			fakeClientset := fake.NewSimpleClientset(&corev1.PodList{Items: item.pods})
-			sort.Sort(item.expectedDeleteTimes)
-			controller, _, nodeIndexer := setupNewController(ctx, fakeClientset)
-			nodeIndexer.Add(item.newNode)
-			controller.recorder = testutil.NewFakeRecorder()
-			go controller.Run(ctx)
-			controller.NodeUpdated(item.oldNode, item.newNode)
-
-			startedAt := time.Now()
-			for i := range item.expectedDeleteTimes {
-				if i == 0 || item.expectedDeleteTimes[i-1].timestamp != item.expectedDeleteTimes[i].timestamp {
-					// compute a grace duration to give controller time to process updates. Choose big
-					// enough intervals in the test cases above to avoid flakes.
-					var increment time.Duration
-					if i == len(item.expectedDeleteTimes)-1 || item.expectedDeleteTimes[i+1].timestamp == item.expectedDeleteTimes[i].timestamp {
-						increment = 500 * time.Millisecond
-					} else {
-						increment = ((item.expectedDeleteTimes[i+1].timestamp - item.expectedDeleteTimes[i].timestamp) / time.Duration(2))
-					}
-
-					sleepTime := item.expectedDeleteTimes[i].timestamp - time.Since(startedAt) + increment
-					if sleepTime < 0 {
-						sleepTime = 0
-					}
-					t.Logf("Sleeping for %v", sleepTime)
-					time.Sleep(sleepTime)
-				}
-
-				for delay, podName := range item.expectedDeleteTimes[i].names {
-					deleted := false
-					for _, action := range fakeClientset.Actions() {
-						deleteAction, ok := action.(clienttesting.DeleteActionImpl)
-						if !ok {
-							t.Logf("Found not-delete action with verb %v. Ignoring.", action.GetVerb())
-							continue
-						}
-						if deleteAction.GetResource().Resource != "pods" {
-							continue
-						}
-						if podName == deleteAction.GetName() {
-							deleted = true
-						}
-					}
-					if !deleted {
-						t.Errorf("Failed to deleted pod %v after %v", podName, delay)
-					}
-				}
-				for _, action := range fakeClientset.Actions() {
-					deleteAction, ok := action.(clienttesting.DeleteActionImpl)
-					if !ok {
-						t.Logf("Found not-delete action with verb %v. Ignoring.", action.GetVerb())
-						continue
-					}
-					if deleteAction.GetResource().Resource != "pods" {
-						continue
-					}
-					deletedPodName := deleteAction.GetName()
-					expected := false
-					for _, podName := range item.expectedDeleteTimes[i].names {
-						if podName == deletedPodName {
-							expected = true
-						}
-					}
-					if !expected {
-						t.Errorf("Pod %v was deleted even though it shouldn't have", deletedPodName)
-					}
-				}
-				fakeClientset.ClearActions()
-			}
-		})
-	}
-}
-
-func TestGetMinTolerationTime(t *testing.T) {
-	one := int64(1)
-	two := int64(2)
-	oneSec := 1 * time.Second
-
-	tests := []struct {
-		tolerations []corev1.Toleration
-		expected    time.Duration
-	}{
-		{
-			tolerations: []corev1.Toleration{},
-			expected:    0,
-		},
-		{
-			tolerations: []corev1.Toleration{
-				{
-					TolerationSeconds: nil,
-				},
-			},
-			expected: -1,
-		},
-		{
-			tolerations: []corev1.Toleration{
-				{
-					TolerationSeconds: &one,
-				},
-				{
-					TolerationSeconds: &two,
-				},
-			},
-			expected: oneSec,
-		},
-
-		{
-			tolerations: []corev1.Toleration{
-				{
-					TolerationSeconds: &one,
-				},
-				{
-					TolerationSeconds: nil,
-				},
-			},
-			expected: oneSec,
-		},
-		{
-			tolerations: []corev1.Toleration{
-				{
-					TolerationSeconds: nil,
-				},
-				{
-					TolerationSeconds: &one,
-				},
-			},
-			expected: oneSec,
-		},
-	}
-
-	for _, test := range tests {
-		got := getMinTolerationTime(test.tolerations)
-		if got != test.expected {
-			t.Errorf("Incorrect min toleration time: got %v, expected %v", got, test.expected)
-		}
-	}
-}
-
-// TestEventualConsistency verifies if getPodsAssignedToNode returns incomplete data
-// (e.g. due to watch latency), it will reconcile the remaining pods eventually.
-// This scenario is partially covered by TestUpdatePods, but given this is an important
-// property of TaintManager, it's better to have explicit test for this.
-func TestEventualConsistency(t *testing.T) {
-	testCases := []struct {
-		description  string
-		pods         []corev1.Pod
-		prevPod      *corev1.Pod
-		newPod       *corev1.Pod
-		oldNode      *corev1.Node
-		newNode      *corev1.Node
-		expectPatch  bool
-		expectDelete bool
-	}{
-		{
-			description: "existing pod2 scheduled onto tainted Node",
-			pods: []corev1.Pod{
-				*testutil.NewPod("pod1", "node1"),
-			},
-			prevPod:      testutil.NewPod("pod2", ""),
-			newPod:       testutil.NewPod("pod2", "node1"),
-			oldNode:      testutil.NewNode("node1"),
-			newNode:      addTaintsToNode(testutil.NewNode("node1"), "testTaint1", "taint1", []int{1}),
-			expectPatch:  true,
-			expectDelete: true,
-		},
-		{
-			description: "existing pod2 with taint toleration scheduled onto tainted Node",
-			pods: []corev1.Pod{
-				*testutil.NewPod("pod1", "node1"),
-			},
-			prevPod:      addToleration(testutil.NewPod("pod2", ""), 1, 100),
-			newPod:       addToleration(testutil.NewPod("pod2", "node1"), 1, 100),
-			oldNode:      testutil.NewNode("node1"),
-			newNode:      addTaintsToNode(testutil.NewNode("node1"), "testTaint1", "taint1", []int{1}),
-			expectPatch:  true,
-			expectDelete: true,
-		},
-		{
-			description: "new pod2 created on tainted Node",
-			pods: []corev1.Pod{
-				*testutil.NewPod("pod1", "node1"),
-			},
-			prevPod:      nil,
-			newPod:       testutil.NewPod("pod2", "node1"),
-			oldNode:      testutil.NewNode("node1"),
-			newNode:      addTaintsToNode(testutil.NewNode("node1"), "testTaint1", "taint1", []int{1}),
-			expectPatch:  true,
-			expectDelete: true,
-		},
-		{
-			description: "new pod2 with tait toleration created on tainted Node",
-			pods: []corev1.Pod{
-				*testutil.NewPod("pod1", "node1"),
-			},
-			prevPod:      nil,
-			newPod:       addToleration(testutil.NewPod("pod2", "node1"), 1, 100),
-			oldNode:      testutil.NewNode("node1"),
-			newNode:      addTaintsToNode(testutil.NewNode("node1"), "testTaint1", "taint1", []int{1}),
-			expectPatch:  true,
-			expectDelete: true,
-		},
-	}
-
-	for _, item := range testCases {
-		t.Run(item.description, func(t *testing.T) {
-			ctx, cancel := context.WithCancel(context.Background())
-			defer cancel()
-
-			fakeClientset := fake.NewSimpleClientset(&corev1.PodList{Items: item.pods})
-			controller, podIndexer, nodeIndexer := setupNewController(ctx, fakeClientset)
-			nodeIndexer.Add(item.newNode)
-			controller.recorder = testutil.NewFakeRecorder()
-			go controller.Run(ctx)
-
-			if item.prevPod != nil {
-				podIndexer.Add(item.prevPod)
-				controller.PodUpdated(nil, item.prevPod)
-			}
-
-			// First we simulate NodeUpdate that should delete 'pod1'. It doesn't know about 'pod2' yet.
-			controller.NodeUpdated(item.oldNode, item.newNode)
-
-			verifyPodActions(t, item.description, fakeClientset, item.expectPatch, item.expectDelete)
-			fakeClientset.ClearActions()
-
-			// And now the delayed update of 'pod2' comes to the TaintManager. We should delete it as well.
-			podIndexer.Update(item.newPod)
-			controller.PodUpdated(item.prevPod, item.newPod)
-			// wait a bit
-			time.Sleep(timeForControllerToProgressForSanityCheck)
-		})
-	}
-}
-
-func verifyPodActions(t *testing.T, description string, fakeClientset *fake.Clientset, expectPatch, expectDelete bool) {
-	t.Helper()
-	podPatched := false
-	podDeleted := false
-	// use Poll instead of PollImmediate to give some processing time to the controller that the expected
-	// actions are likely to be already sent
-	err := wait.Poll(10*time.Millisecond, 5*time.Second, func() (bool, error) {
-		for _, action := range fakeClientset.Actions() {
-			if action.GetVerb() == "patch" && action.GetResource().Resource == "pods" {
-				podPatched = true
-			}
-			if action.GetVerb() == "delete" && action.GetResource().Resource == "pods" {
-				podDeleted = true
-			}
-		}
-		return podPatched == expectPatch && podDeleted == expectDelete, nil
-	})
-	if err != nil {
-		t.Errorf("Failed waiting for the expected actions: %q", err)
-	}
-	if podPatched != expectPatch {
-		t.Errorf("[%v]Unexpected test result. Expected patch %v, got %v", description, expectPatch, podPatched)
-	}
-	if podDeleted != expectDelete {
-		t.Errorf("[%v]Unexpected test result. Expected delete %v, got %v", description, expectDelete, podDeleted)
-	}
-}
-
-// TestPodDeletionEvent Verify that the output events are as expected
-func TestPodDeletionEvent(t *testing.T) {
-	f := func(path cmp.Path) bool {
-		switch path.String() {
-		// These fields change at runtime, so ignore it
-		case "LastTimestamp", "FirstTimestamp", "ObjectMeta.Name":
-			return true
-		}
-		return false
-	}
-
-	t.Run("emitPodDeletionEvent", func(t *testing.T) {
-		controller := &Controller{}
-		recorder := testutil.NewFakeRecorder()
-		controller.recorder = recorder
-		controller.emitPodDeletionEvent(types.NamespacedName{
-			Name:      "test",
-			Namespace: "test",
-		})
-		want := []*corev1.Event{
-			{
-				ObjectMeta: metav1.ObjectMeta{
-					Namespace: "test",
-				},
-				InvolvedObject: corev1.ObjectReference{
-					Kind:       "Pod",
-					APIVersion: "v1",
-					Namespace:  "test",
-					Name:       "test",
-				},
-				Reason:  "TaintManagerEviction",
-				Type:    "Normal",
-				Count:   1,
-				Message: "Marking for deletion Pod test/test",
-				Source:  corev1.EventSource{Component: "nodeControllerTest"},
-			},
-		}
-		if diff := cmp.Diff(want, recorder.Events, cmp.FilterPath(f, cmp.Ignore())); len(diff) > 0 {
-			t.Errorf("emitPodDeletionEvent() returned data (-want,+got):\n%s", diff)
-		}
-	})
-
-	t.Run("emitCancelPodDeletionEvent", func(t *testing.T) {
-		controller := &Controller{}
-		recorder := testutil.NewFakeRecorder()
-		controller.recorder = recorder
-		controller.emitCancelPodDeletionEvent(types.NamespacedName{
-			Name:      "test",
-			Namespace: "test",
-		})
-		want := []*corev1.Event{
-			{
-				ObjectMeta: metav1.ObjectMeta{
-					Namespace: "test",
-				},
-				InvolvedObject: corev1.ObjectReference{
-					Kind:       "Pod",
-					APIVersion: "v1",
-					Namespace:  "test",
-					Name:       "test",
-				},
-				Reason:  "TaintManagerEviction",
-				Type:    "Normal",
-				Count:   1,
-				Message: "Cancelling deletion of Pod test/test",
-				Source:  corev1.EventSource{Component: "nodeControllerTest"},
-			},
-		}
-		if diff := cmp.Diff(want, recorder.Events, cmp.FilterPath(f, cmp.Ignore())); len(diff) > 0 {
-			t.Errorf("emitPodDeletionEvent() returned data (-want,+got):\n%s", diff)
-		}
-	})
-}
diff --git a/pkg/controller/tainteviction/namespacedobject.go b/pkg/controller/tainteviction/namespacedobject.go
new file mode 100644
index 00000000000..f0fee51f225
--- /dev/null
+++ b/pkg/controller/tainteviction/namespacedobject.go
@@ -0,0 +1,50 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package tainteviction
+
+import (
+	"k8s.io/apimachinery/pkg/types"
+)
+
+// NamespacedObject comprises a resource name with a mandatory namespace
+// and optional UID. It gets rendered as "<namespace>/<name>[:<uid>]"
+// (text output) or as an object (JSON output).
+type NamespacedObject struct {
+	types.NamespacedName
+	UID types.UID
+}
+
+// String returns the general purpose string representation
+func (n NamespacedObject) String() string {
+	if n.UID != "" {
+		return n.Namespace + string(types.Separator) + n.Name + ":" + string(n.UID)
+	}
+	return n.Namespace + string(types.Separator) + n.Name
+}
+
+// MarshalLog emits a struct containing required key/value pair
+func (n NamespacedObject) MarshalLog() interface{} {
+	return struct {
+		Name      string    `json:"name"`
+		Namespace string    `json:"namespace,omitempty"`
+		UID       types.UID `json:"uid,omitempty"`
+	}{
+		Name:      n.Name,
+		Namespace: n.Namespace,
+		UID:       n.UID,
+	}
+}
diff --git a/pkg/controller/tainteviction/taint_eviction.go b/pkg/controller/tainteviction/taint_eviction.go
index aeae369534a..14a77c11546 100644
--- a/pkg/controller/tainteviction/taint_eviction.go
+++ b/pkg/controller/tainteviction/taint_eviction.go
@@ -106,11 +106,11 @@ type Controller struct {
 
 func deletePodHandler(c clientset.Interface, emitEventFunc func(types.NamespacedName), controllerName string) func(ctx context.Context, fireAt time.Time, args *WorkArgs) error {
 	return func(ctx context.Context, fireAt time.Time, args *WorkArgs) error {
-		ns := args.NamespacedName.Namespace
-		name := args.NamespacedName.Name
-		klog.FromContext(ctx).Info("Deleting pod", "controller", controllerName, "pod", args.NamespacedName)
+		ns := args.Object.Namespace
+		name := args.Object.Name
+		klog.FromContext(ctx).Info("Deleting pod", "controller", controllerName, "pod", args.Object)
 		if emitEventFunc != nil {
-			emitEventFunc(args.NamespacedName)
+			emitEventFunc(args.Object.NamespacedName)
 		}
 		var err error
 		for i := 0; i < retries; i++ {
diff --git a/pkg/controller/tainteviction/timed_workers.go b/pkg/controller/tainteviction/timed_workers.go
index fa7615d9b9a..732b81bbc79 100644
--- a/pkg/controller/tainteviction/timed_workers.go
+++ b/pkg/controller/tainteviction/timed_workers.go
@@ -28,18 +28,23 @@ import (
 
 // WorkArgs keeps arguments that will be passed to the function executed by the worker.
 type WorkArgs struct {
-	NamespacedName types.NamespacedName
+	// Object is the work item. The UID is only set if it was set when adding the work item.
+	Object NamespacedObject
 }
 
-// KeyFromWorkArgs creates a key for the given `WorkArgs`
+// KeyFromWorkArgs creates a key for the given `WorkArgs`.
+//
+// The key is the same as the NamespacedName of the object in the work item,
+// i.e. the UID is ignored. There cannot be two different
+// work items with the same NamespacedName and different UIDs.
 func (w *WorkArgs) KeyFromWorkArgs() string {
-	return w.NamespacedName.String()
+	return w.Object.NamespacedName.String()
 }
 
-// NewWorkArgs is a helper function to create new `WorkArgs`
+// NewWorkArgs is a helper function to create new `WorkArgs` without a UID.
 func NewWorkArgs(name, namespace string) *WorkArgs {
 	return &WorkArgs{
-		NamespacedName: types.NamespacedName{Namespace: namespace, Name: name},
+		Object: NamespacedObject{NamespacedName: types.NamespacedName{Namespace: namespace, Name: name}},
 	}
 }
 
@@ -102,31 +107,59 @@ func CreateWorkerQueue(f func(ctx context.Context, fireAt time.Time, args *WorkA
 
 func (q *TimedWorkerQueue) getWrappedWorkerFunc(key string) func(ctx context.Context, fireAt time.Time, args *WorkArgs) error {
 	return func(ctx context.Context, fireAt time.Time, args *WorkArgs) error {
+		logger := klog.FromContext(ctx)
+		logger.V(4).Info("Firing worker", "item", key, "firedTime", fireAt)
 		err := q.workFunc(ctx, fireAt, args)
 		q.Lock()
 		defer q.Unlock()
+		logger.V(4).Info("Worker finished, removing", "item", key, "err", err)
 		delete(q.workers, key)
 		return err
 	}
 }
 
 // AddWork adds a work to the WorkerQueue which will be executed not earlier than `fireAt`.
+// If replace is false, an existing work item will not get replaced, otherwise it
+// gets canceled and the new one is added instead.
 func (q *TimedWorkerQueue) AddWork(ctx context.Context, args *WorkArgs, createdAt time.Time, fireAt time.Time) {
 	key := args.KeyFromWorkArgs()
 	logger := klog.FromContext(ctx)
-	logger.V(4).Info("Adding TimedWorkerQueue item and to be fired at firedTime", "item", key, "createTime", createdAt, "firedTime", fireAt)
 
 	q.Lock()
 	defer q.Unlock()
 	if _, exists := q.workers[key]; exists {
-		logger.Info("Trying to add already existing work, skipping", "args", args)
+		logger.V(4).Info("Trying to add already existing work, skipping", "item", key, "createTime", createdAt, "firedTime", fireAt)
 		return
 	}
+	logger.V(4).Info("Adding TimedWorkerQueue item and to be fired at firedTime", "item", key, "createTime", createdAt, "firedTime", fireAt)
+	worker := createWorker(ctx, args, createdAt, fireAt, q.getWrappedWorkerFunc(key), q.clock)
+	q.workers[key] = worker
+}
+
+// UpdateWork adds or replaces a work item such that it will be executed not earlier than `fireAt`.
+// This is a cheap no-op when the old and new fireAt are the same.
+func (q *TimedWorkerQueue) UpdateWork(ctx context.Context, args *WorkArgs, createdAt time.Time, fireAt time.Time) {
+	key := args.KeyFromWorkArgs()
+	logger := klog.FromContext(ctx)
+
+	q.Lock()
+	defer q.Unlock()
+	if worker, exists := q.workers[key]; exists {
+		if worker.FireAt.Compare(fireAt) == 0 {
+			logger.V(4).Info("Keeping existing work, same time", "item", key, "createTime", worker.CreatedAt, "firedTime", worker.FireAt)
+			return
+		}
+		logger.V(4).Info("Replacing existing work", "item", key, "createTime", worker.CreatedAt, "firedTime", worker.FireAt)
+		worker.Cancel()
+	}
+	logger.V(4).Info("Adding TimedWorkerQueue item and to be fired at firedTime", "item", key, "createTime", createdAt, "firedTime", fireAt)
 	worker := createWorker(ctx, args, createdAt, fireAt, q.getWrappedWorkerFunc(key), q.clock)
 	q.workers[key] = worker
 }
 
 // CancelWork removes scheduled function execution from the queue. Returns true if work was cancelled.
+// The key must be the same as the one returned by WorkArgs.KeyFromWorkArgs, i.e.
+// the result of NamespacedName.String.
 func (q *TimedWorkerQueue) CancelWork(logger klog.Logger, key string) bool {
 	q.Lock()
 	defer q.Unlock()
diff --git a/pkg/scheduler/framework/plugins/dynamicresources/dynamicresources_test.go b/pkg/scheduler/framework/plugins/dynamicresources/dynamicresources_test.go
index 0b85ac77aac..50dfbd596ef 100644
--- a/pkg/scheduler/framework/plugins/dynamicresources/dynamicresources_test.go
+++ b/pkg/scheduler/framework/plugins/dynamicresources/dynamicresources_test.go
@@ -95,7 +95,7 @@ var (
 
 	// Node with "instance-1" device and no device attributes.
 	workerNode      = &st.MakeNode().Name(nodeName).Label("kubernetes.io/hostname", nodeName).Node
-	workerNodeSlice = st.MakeResourceSlice(nodeName, driver).Device("instance-1", nil).Obj()
+	workerNodeSlice = st.MakeResourceSlice(nodeName, driver).Device("instance-1").Obj()
 
 	// Node with same device, but now with a "healthy" boolean attribute.
 	workerNode2      = &st.MakeNode().Name(node2Name).Label("kubernetes.io/hostname", node2Name).Node
diff --git a/pkg/scheduler/testing/wrappers.go b/pkg/scheduler/testing/wrappers.go
index dc9daec425f..0c4db3c7685 100644
--- a/pkg/scheduler/testing/wrappers.go
+++ b/pkg/scheduler/testing/wrappers.go
@@ -1188,9 +1188,23 @@ func (wrapper *ResourceSliceWrapper) Devices(names ...string) *ResourceSliceWrap
 	return wrapper
 }
 
-// Device sets the devices field of the inner object.
-func (wrapper *ResourceSliceWrapper) Device(name string, attrs map[resourceapi.QualifiedName]resourceapi.DeviceAttribute) *ResourceSliceWrapper {
-	wrapper.Spec.Devices = append(wrapper.Spec.Devices, resourceapi.Device{Name: name, Basic: &resourceapi.BasicDevice{Attributes: attrs}})
+// Device extends the devices field of the inner object.
+// The device must have a name and may have arbitrary additional fields.
+func (wrapper *ResourceSliceWrapper) Device(name string, otherFields ...any) *ResourceSliceWrapper {
+	device := resourceapi.Device{Name: name, Basic: &resourceapi.BasicDevice{}}
+	for _, field := range otherFields {
+		switch typedField := field.(type) {
+		case map[resourceapi.QualifiedName]resourceapi.DeviceAttribute:
+			device.Basic.Attributes = typedField
+		case map[resourceapi.QualifiedName]resourceapi.DeviceCapacity:
+			device.Basic.Capacity = typedField
+		case resourceapi.DeviceTaint:
+			device.Basic.Taints = append(device.Basic.Taints, typedField)
+		default:
+			panic(fmt.Sprintf("expected a type which matches a field in BasicDevice, got %T", field))
+		}
+	}
+	wrapper.Spec.Devices = append(wrapper.Spec.Devices, device)
 	return wrapper
 }
 
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
index 1f7858b3011..ec9cea0314f 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
@@ -215,6 +215,24 @@ func buildControllerRoles() ([]rbacv1.ClusterRole, []rbacv1.ClusterRoleBinding)
 				eventsRule(),
 			},
 		})
+		if utilfeature.DefaultFeatureGate.Enabled(features.DRADeviceTaints) {
+			addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
+				// Same name as in k8s.io/kubernetes/cmd/kube-controller-manager/names.
+				ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "device-taint-eviction-controller"},
+				Rules: []rbacv1.PolicyRule{
+					// Deletes pods to evict them.
+					rbacv1helpers.NewRule("get", "list", "watch", "delete").Groups(legacyGroup).Resources("pods").RuleOrDie(),
+					// Sets pod conditions.
+					rbacv1helpers.NewRule("update", "patch").Groups(legacyGroup).Resources("pods/status").RuleOrDie(),
+					// The rest is read-only.
+					rbacv1helpers.NewRule("get", "list", "watch").Groups(resourceGroup).Resources("resourceclaims").RuleOrDie(),
+					rbacv1helpers.NewRule("get", "list", "watch").Groups(resourceGroup).Resources("resourceslices").RuleOrDie(),
+					rbacv1helpers.NewRule("get", "list", "watch").Groups(resourceGroup).Resources("deviceclasses").RuleOrDie(),
+					rbacv1helpers.NewRule("get", "list", "watch").Groups(resourceGroup).Resources("devicetaintrules").RuleOrDie(),
+					eventsRule(),
+				},
+			})
+		}
 	}
 
 	addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{