From 7fb028a433f0f94e677a5bbe04dfe543de2f2b9a Mon Sep 17 00:00:00 2001
From: Patrick Ohly <patrick.ohly@intel.com>
Date: Thu, 6 Feb 2025 18:47:18 +0100
Subject: [PATCH 01/11] DRA: add DRADeviceTaints feature

---
 pkg/features/kube_features.go                 | 21 ++++++++++++-------
 pkg/features/versioned_kube_features.go       | 12 +++++++----
 .../reference/versioned_feature_list.yaml     |  6 ++++++
 3 files changed, 28 insertions(+), 11 deletions(-)

diff --git a/pkg/features/kube_features.go b/pkg/features/kube_features.go
index 49e6a490e08..3611c3125a1 100644
--- a/pkg/features/kube_features.go
+++ b/pkg/features/kube_features.go
@@ -220,6 +220,13 @@ const (
 	// is to move it into a separate KEP.
 	DRAAdminAccess featuregate.Feature = "DRAAdminAccess"
 
+	// owner: @pohly
+	// kep: http://kep.k8s.io/5055
+	//
+	// Marking devices as tainted can prevent using them for new pods and/or
+	// cause pods using them to stop. Users can decide to tolerate taints.
+	DRADeviceTaints featuregate.Feature = "DRADeviceTaints"
+
 	// owner: @mortent
 	// kep: http://kep.k8s.io/4816
 	//
@@ -228,6 +235,13 @@ const (
 	// be selected.
 	DRAPrioritizedList featuregate.Feature = "DRAPrioritizedList"
 
+	// owner: @LionelJouin
+	// kep: http://kep.k8s.io/4817
+	//
+	// Enables support the ResourceClaim.status.devices field and for setting this
+	// status from DRA drivers.
+	DRAResourceClaimDeviceStatus featuregate.Feature = "DRAResourceClaimDeviceStatus"
+
 	// owner: @pohly
 	// kep: http://kep.k8s.io/4381
 	//
@@ -236,13 +250,6 @@ const (
 	// based on "structured parameters".
 	DynamicResourceAllocation featuregate.Feature = "DynamicResourceAllocation"
 
-	// owner: @LionelJouin
-	// kep: http://kep.k8s.io/4817
-	//
-	// Enables support the ResourceClaim.status.devices field and for setting this
-	// status from DRA drivers.
-	DRAResourceClaimDeviceStatus featuregate.Feature = "DRAResourceClaimDeviceStatus"
-
 	// owner: @lauralorenz
 	// kep: https://kep.k8s.io/4603
 	//
diff --git a/pkg/features/versioned_kube_features.go b/pkg/features/versioned_kube_features.go
index a92e791317c..24ce82778b3 100644
--- a/pkg/features/versioned_kube_features.go
+++ b/pkg/features/versioned_kube_features.go
@@ -178,13 +178,12 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 		{Version: version.MustParse("1.32"), Default: false, PreRelease: featuregate.Alpha},
 	},
 
-	DRAPrioritizedList: {
+	DRADeviceTaints: {
 		{Version: version.MustParse("1.33"), Default: false, PreRelease: featuregate.Alpha},
 	},
 
-	DynamicResourceAllocation: {
-		{Version: version.MustParse("1.26"), Default: false, PreRelease: featuregate.Alpha},
-		{Version: version.MustParse("1.32"), Default: false, PreRelease: featuregate.Beta},
+	DRAPrioritizedList: {
+		{Version: version.MustParse("1.33"), Default: false, PreRelease: featuregate.Alpha},
 	},
 
 	DRAResourceClaimDeviceStatus: {
@@ -192,6 +191,11 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 		{Version: version.MustParse("1.33"), Default: true, PreRelease: featuregate.Beta},
 	},
 
+	DynamicResourceAllocation: {
+		{Version: version.MustParse("1.26"), Default: false, PreRelease: featuregate.Alpha},
+		{Version: version.MustParse("1.32"), Default: false, PreRelease: featuregate.Beta},
+	},
+
 	KubeletCrashLoopBackOffMax: {
 		{Version: version.MustParse("1.32"), Default: false, PreRelease: featuregate.Alpha},
 	},
diff --git a/test/compatibility_lifecycle/reference/versioned_feature_list.yaml b/test/compatibility_lifecycle/reference/versioned_feature_list.yaml
index 81de567551a..e54a7b287dd 100644
--- a/test/compatibility_lifecycle/reference/versioned_feature_list.yaml
+++ b/test/compatibility_lifecycle/reference/versioned_feature_list.yaml
@@ -425,6 +425,12 @@
     lockToDefault: false
     preRelease: Alpha
     version: "1.32"
+- name: DRADeviceTaints
+  versionedSpecs:
+  - default: false
+    lockToDefault: false
+    preRelease: Alpha
+    version: "1.33"
 - name: DRAPrioritizedList
   versionedSpecs:
   - default: false

From 797475e1137914faab71f4c3b18d9041bf73cfc8 Mon Sep 17 00:00:00 2001
From: Patrick Ohly <patrick.ohly@intel.com>
Date: Fri, 7 Mar 2025 14:46:52 +0100
Subject: [PATCH 02/11] DRA: add device taints API

This adds the "DeviceTaint" top-level type to v1alpha3 and related fields to
ResourceSlice and ResourceClaim. It's complete enough bring up an API server
and generate files.
---
 pkg/api/testing/defaulting_test.go            |   6 +
 pkg/apis/resource/fuzzer/fuzzer.go            |  21 ++
 pkg/apis/resource/register.go                 |   2 +
 pkg/apis/resource/types.go                    | 286 ++++++++++++++
 pkg/apis/resource/v1alpha3/defaults.go        |   9 +
 pkg/apis/resource/v1alpha3/defaults_test.go   |  26 ++
 pkg/apis/resource/v1beta1/defaults.go         |   9 +
 pkg/apis/resource/v1beta1/defaults_test.go    |  26 ++
 pkg/apis/resource/validation/validation.go    | 160 +++++++-
 .../validation_devicetaintrule_test.go        | 351 ++++++++++++++++++
 .../validation_resourceclaim_test.go          |  69 +++-
 .../validation_resourceslice_test.go          |  41 ++
 .../default_storage_factory_builder.go        |   2 +
 pkg/printers/internalversion/printers.go      |  42 +++
 .../devicetaintrule/storage/storage.go        |  56 +++
 .../devicetaintrule/storage/storage_test.go   | 144 +++++++
 .../resource/devicetaintrule/strategy.go      |  84 +++++
 .../resource/devicetaintrule/strategy_test.go |  86 +++++
 .../resource/resourceclaim/strategy.go        |   2 +
 .../resource/resourceslice/strategy.go        |  36 ++
 .../resource/resourceslice/strategy_test.go   | 220 +++++++++--
 .../resource/rest/storage_resource.go         |   9 +
 .../k8s.io/api/resource/v1alpha3/register.go  |   2 +
 .../src/k8s.io/api/resource/v1alpha3/types.go | 290 +++++++++++++++
 .../api/resource/v1beta1/devicetaint.go       |  35 ++
 .../src/k8s.io/api/resource/v1beta1/types.go  | 191 +++++++++-
 .../dynamic-resource-allocation/api/types.go  |  17 +
 .../resourceclaim/devicetoleration.go         |  53 +++
 .../resourceclaim/devicetoleration_test.go    | 127 +++++++
 .../deploy/example/devicetaintpolicy.yaml     |  13 +
 .../apiserver/apply/reset_fields_test.go      |   1 +
 test/integration/etcd/data.go                 |   6 +
 32 files changed, 2379 insertions(+), 43 deletions(-)
 create mode 100644 pkg/apis/resource/validation/validation_devicetaintrule_test.go
 create mode 100644 pkg/registry/resource/devicetaintrule/storage/storage.go
 create mode 100644 pkg/registry/resource/devicetaintrule/storage/storage_test.go
 create mode 100644 pkg/registry/resource/devicetaintrule/strategy.go
 create mode 100644 pkg/registry/resource/devicetaintrule/strategy_test.go
 create mode 100644 staging/src/k8s.io/api/resource/v1beta1/devicetaint.go
 create mode 100644 staging/src/k8s.io/dynamic-resource-allocation/resourceclaim/devicetoleration.go
 create mode 100644 staging/src/k8s.io/dynamic-resource-allocation/resourceclaim/devicetoleration_test.go
 create mode 100644 test/e2e/dra/test-driver/deploy/example/devicetaintpolicy.yaml

diff --git a/pkg/api/testing/defaulting_test.go b/pkg/api/testing/defaulting_test.go
index 3dab45f7119..3ab7111d015 100644
--- a/pkg/api/testing/defaulting_test.go
+++ b/pkg/api/testing/defaulting_test.go
@@ -135,14 +135,20 @@ func TestDefaulting(t *testing.T) {
 		{Group: "rbac.authorization.k8s.io", Version: "v1", Kind: "ClusterRoleBindingList"}:                        {},
 		{Group: "rbac.authorization.k8s.io", Version: "v1", Kind: "RoleBinding"}:                                   {},
 		{Group: "rbac.authorization.k8s.io", Version: "v1", Kind: "RoleBindingList"}:                               {},
+		{Group: "resource.k8s.io", Version: "v1alpha3", Kind: "DeviceTaintRule"}:                                   {},
+		{Group: "resource.k8s.io", Version: "v1alpha3", Kind: "DeviceTaintRuleList"}:                               {},
 		{Group: "resource.k8s.io", Version: "v1alpha3", Kind: "ResourceClaim"}:                                     {},
 		{Group: "resource.k8s.io", Version: "v1alpha3", Kind: "ResourceClaimList"}:                                 {},
 		{Group: "resource.k8s.io", Version: "v1alpha3", Kind: "ResourceClaimTemplate"}:                             {},
 		{Group: "resource.k8s.io", Version: "v1alpha3", Kind: "ResourceClaimTemplateList"}:                         {},
+		{Group: "resource.k8s.io", Version: "v1alpha3", Kind: "ResourceSlice"}:                                     {},
+		{Group: "resource.k8s.io", Version: "v1alpha3", Kind: "ResourceSliceList"}:                                 {},
 		{Group: "resource.k8s.io", Version: "v1beta1", Kind: "ResourceClaim"}:                                      {},
 		{Group: "resource.k8s.io", Version: "v1beta1", Kind: "ResourceClaimList"}:                                  {},
 		{Group: "resource.k8s.io", Version: "v1beta1", Kind: "ResourceClaimTemplate"}:                              {},
 		{Group: "resource.k8s.io", Version: "v1beta1", Kind: "ResourceClaimTemplateList"}:                          {},
+		{Group: "resource.k8s.io", Version: "v1beta1", Kind: "ResourceSlice"}:                                      {},
+		{Group: "resource.k8s.io", Version: "v1beta1", Kind: "ResourceSliceList"}:                                  {},
 		{Group: "admissionregistration.k8s.io", Version: "v1alpha1", Kind: "ValidatingAdmissionPolicy"}:            {},
 		{Group: "admissionregistration.k8s.io", Version: "v1alpha1", Kind: "ValidatingAdmissionPolicyList"}:        {},
 		{Group: "admissionregistration.k8s.io", Version: "v1alpha1", Kind: "ValidatingAdmissionPolicyBinding"}:     {},
diff --git a/pkg/apis/resource/fuzzer/fuzzer.go b/pkg/apis/resource/fuzzer/fuzzer.go
index 33bfb5bbb95..34f12e9847d 100644
--- a/pkg/apis/resource/fuzzer/fuzzer.go
+++ b/pkg/apis/resource/fuzzer/fuzzer.go
@@ -17,6 +17,9 @@ limitations under the License.
 package fuzzer
 
 import (
+	"time"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	runtimeserializer "k8s.io/apimachinery/pkg/runtime/serializer"
 	"k8s.io/kubernetes/pkg/apis/resource"
@@ -57,6 +60,24 @@ var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} {
 				}[c.Int31n(2)]
 			}
 		},
+		func(r *resource.DeviceToleration, c randfill.Continue) {
+			c.FillNoCustom(r)
+			if r.Operator == "" {
+				r.Operator = []resource.DeviceTolerationOperator{
+					resource.DeviceTolerationOpEqual,
+					resource.DeviceTolerationOpExists,
+				}[c.Int31n(2)]
+			}
+		},
+		func(r *resource.DeviceTaint, c randfill.Continue) {
+			c.FillNoCustom(r)
+			if r.TimeAdded == nil {
+				// Current time is more or less random.
+				// Truncate to seconds because sub-second resolution
+				// does not survive round-tripping.
+				r.TimeAdded = &metav1.Time{Time: time.Now().Truncate(time.Second)}
+			}
+		},
 		func(r *resource.OpaqueDeviceConfiguration, c randfill.Continue) {
 			c.FillNoCustom(r)
 			// Match the fuzzer default content for runtime.Object.
diff --git a/pkg/apis/resource/register.go b/pkg/apis/resource/register.go
index 986dc2168be..3bf3a33bf5a 100644
--- a/pkg/apis/resource/register.go
+++ b/pkg/apis/resource/register.go
@@ -54,6 +54,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&DeviceClass{},
 		&DeviceClassList{},
+		&DeviceTaintRule{},
+		&DeviceTaintRuleList{},
 		&ResourceClaim{},
 		&ResourceClaimList{},
 		&ResourceClaimTemplate{},
diff --git a/pkg/apis/resource/types.go b/pkg/apis/resource/types.go
index c2cb135a36d..c4cc591b34c 100644
--- a/pkg/apis/resource/types.go
+++ b/pkg/apis/resource/types.go
@@ -219,6 +219,18 @@ type BasicDevice struct {
 	//
 	// +optional
 	Capacity map[QualifiedName]DeviceCapacity
+
+	// If specified, these are the driver-defined taints.
+	//
+	// The maximum number of taints is 8.
+	//
+	// This is an alpha field and requires enabling the DRADeviceTaints
+	// feature gate.
+	//
+	// +optional
+	// +listType=atomic
+	// +featureGate=DRADeviceTaints
+	Taints []DeviceTaint
 }
 
 // DeviceCapacity describes a quantity associated with a device.
@@ -297,6 +309,64 @@ type DeviceAttribute struct {
 // DeviceAttributeMaxValueLength is the maximum length of a string or version attribute value.
 const DeviceAttributeMaxValueLength = 64
 
+// DeviceTaintsMaxLength is the maximum number of taints per device.
+const DeviceTaintsMaxLength = 8
+
+// The device this taint is attached to has the "effect" on
+// any claim which does not tolerate the taint and, through the claim,
+// to pods using the claim.
+type DeviceTaint struct {
+	// The taint key to be applied to a device.
+	// Must be a label name.
+	//
+	// +required
+	Key string
+
+	// The taint value corresponding to the taint key.
+	// Must be a label value.
+	//
+	// +optional
+	Value string
+
+	// The effect of the taint on claims that do not tolerate the taint
+	// and through such claims on the pods using them.
+	// Valid effects are NoSchedule and NoExecute. PreferNoSchedule as used for
+	// nodes is not valid here.
+	//
+	// +required
+	Effect DeviceTaintEffect
+
+	// ^^^^
+	//
+	// Implementing PreferNoSchedule would depend on a scoring solution for DRA.
+	// It might get added as part of that.
+
+	// TimeAdded represents the time at which the taint was added.
+	// Added automatically during create or update if not set.
+	//
+	// +optional
+	TimeAdded *metav1.Time
+
+	// ^^^
+	//
+	// This field was defined as "It is only written for NoExecute taints." for node taints.
+	// But in practice, Kubernetes never did anything with it (no validation, no defaulting,
+	// ignored during pod eviction in pkg/controller/tainteviction).
+}
+
+// +enum
+type DeviceTaintEffect string
+
+const (
+	// Do not allow new pods to schedule which use a tainted device unless they tolerate the taint,
+	// but allow all pods submitted to Kubelet without going through the scheduler
+	// to start, and allow all already-running pods to continue running.
+	DeviceTaintEffectNoSchedule DeviceTaintEffect = "NoSchedule"
+
+	// Evict any already-running pods that do not tolerate the device taint.
+	DeviceTaintEffectNoExecute DeviceTaintEffect = "NoExecute"
+)
+
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
 // ResourceSliceList is a collection of ResourceSlices.
@@ -502,6 +572,32 @@ type DeviceRequest struct {
 	// +listType=atomic
 	// +featureGate=DRAPrioritizedList
 	FirstAvailable []DeviceSubRequest
+
+	// If specified, the request's tolerations.
+	//
+	// Tolerations for NoSchedule are required to allocate a
+	// device which has a taint with that effect. The same applies
+	// to NoExecute.
+	//
+	// In addition, should any of the allocated devices get tainted
+	// with NoExecute after allocation and that effect is not tolerated,
+	// then all pods consuming the ResourceClaim get deleted to evict
+	// them. The scheduler will not let new pods reserve the claim while
+	// it has these tainted devices. Once all pods are evicted, the
+	// claim will get deallocated.
+	//
+	// The maximum number of tolerations is 16.
+	//
+	// This field can only be set when deviceClassName is set and no subrequests
+	// are specified in the firstAvailable list.
+	//
+	// This is an alpha field and requires enabling the DRADeviceTaints
+	// feature gate.
+	//
+	// +optional
+	// +listType=atomic
+	// +featureGate=DRADeviceTaints
+	Tolerations []DeviceToleration
 }
 
 // DeviceSubRequest describes a request for device provided in the
@@ -574,11 +670,35 @@ type DeviceSubRequest struct {
 	// +optional
 	// +oneOf=AllocationMode
 	Count int64
+
+	// If specified, the request's tolerations.
+	//
+	// Tolerations for NoSchedule are required to allocate a
+	// device which has a taint with that effect. The same applies
+	// to NoExecute.
+	//
+	// In addition, should any of the allocated devices get tainted
+	// with NoExecute after allocation and that effect is not tolerated,
+	// then all pods consuming the ResourceClaim get deleted to evict
+	// them. The scheduler will not let new pods reserve the claim while
+	// it has these tainted devices. Once all pods are evicted, the
+	// claim will get deallocated.
+	//
+	// The maximum number of tolerations is 16.
+	//
+	// This is an alpha field and requires enabling the DRADeviceTaints
+	// feature gate.
+	//
+	// +optional
+	// +listType=atomic
+	// +featureGate=DRADeviceTaints
+	Tolerations []DeviceToleration
 }
 
 const (
 	DeviceSelectorsMaxSize             = 32
 	FirstAvailableDeviceRequestMaxSize = 8
+	DeviceTolerationsMaxLength         = 16
 )
 
 type DeviceAllocationMode string
@@ -784,6 +904,59 @@ type OpaqueDeviceConfiguration struct {
 // [OpaqueDeviceConfiguration.Parameters] field.
 const OpaqueParametersMaxLength = 10 * 1024
 
+// The ResourceClaim this DeviceToleration is attached to tolerates any taint that matches
+// the triple <key,value,effect> using the matching operator <operator>.
+type DeviceToleration struct {
+	// Key is the taint key that the toleration applies to. Empty means match all taint keys.
+	// If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+	// Must be a label name.
+	//
+	// +optional
+	Key string
+
+	// Operator represents a key's relationship to the value.
+	// Valid operators are Exists and Equal. Defaults to Equal.
+	// Exists is equivalent to wildcard for value, so that a ResourceClaim can
+	// tolerate all taints of a particular category.
+	//
+	// +optional
+	// +default="Equal"
+	Operator DeviceTolerationOperator
+
+	// Value is the taint value the toleration matches to.
+	// If the operator is Exists, the value must be empty, otherwise just a regular string.
+	// Must be a label value.
+	//
+	// +optional
+	Value string
+
+	// Effect indicates the taint effect to match. Empty means match all taint effects.
+	// When specified, allowed values are NoSchedule and NoExecute.
+	//
+	// +optional
+	Effect DeviceTaintEffect
+
+	// TolerationSeconds represents the period of time the toleration (which must be
+	// of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+	// it is not set, which means tolerate the taint forever (do not evict). Zero and
+	// negative values will be treated as 0 (evict immediately) by the system.
+	// If larger than zero, the time when the pod needs to be evicted is calculated as <time when
+	// taint was adedd> + <toleration seconds>.
+	//
+	// +optional
+	TolerationSeconds *int64
+}
+
+// A toleration operator is the set of operators that can be used in a toleration.
+//
+// +enum
+type DeviceTolerationOperator string
+
+const (
+	DeviceTolerationOpExists DeviceTolerationOperator = "Exists"
+	DeviceTolerationOpEqual  DeviceTolerationOperator = "Equal"
+)
+
 // ResourceClaimStatus tracks whether the resource has been allocated and what
 // the result of that was.
 type ResourceClaimStatus struct {
@@ -954,6 +1127,19 @@ type DeviceRequestAllocationResult struct {
 	// +optional
 	// +featureGate=DRAAdminAccess
 	AdminAccess *bool
+
+	// A copy of all tolerations specified in the request at the time
+	// when the device got allocated.
+	//
+	// The maximum number of tolerations is 16.
+	//
+	// This is an alpha field and requires enabling the DRADeviceTaints
+	// feature gate.
+	//
+	// +optional
+	// +listType=atomic
+	// +featureGate=DRADeviceTaints
+	Tolerations []DeviceToleration
 }
 
 // DeviceAllocationConfiguration gets embedded in an AllocationResult.
@@ -1218,3 +1404,103 @@ type NetworkDeviceData struct {
 	// +optional
 	HardwareAddress string
 }
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// DeviceTaintRule adds one taint to all devices which match the selector.
+// This has the same effect as if the taint was specified directly
+// in the ResourceSlice by the DRA driver.
+type DeviceTaintRule struct {
+	metav1.TypeMeta
+	// Standard object metadata
+	// +optional
+	metav1.ObjectMeta
+
+	// Spec specifies the selector and one taint.
+	//
+	// Changing the spec automatically increments the metadata.generation number.
+	Spec DeviceTaintRuleSpec
+
+	// ^^^
+	// A spec gets added because adding a status seems likely.
+	// Such a status could provide feedback on applying the
+	// eviction and/or statistics (number of matching devices,
+	// affected allocated claims, pods remaining to be evicted,
+	// etc.).
+}
+
+// DeviceTaintRuleSpec specifies the selector and one taint.
+type DeviceTaintRuleSpec struct {
+	// DeviceSelector defines which device(s) the taint is applied to.
+	// All selector criteria must be satified for a device to
+	// match. The empty selector matches all devices. Without
+	// a selector, no devices are matches.
+	//
+	// +optional
+	DeviceSelector *DeviceTaintSelector
+
+	// The taint that gets applied to matching devices.
+	//
+	// +required
+	Taint DeviceTaint
+}
+
+// DeviceTaintSelector defines which device(s) a DeviceTaintRule applies to.
+// The empty selector matches all devices. Without a selector, no devices
+// are matched.
+type DeviceTaintSelector struct {
+	// If DeviceClassName is set, the selectors defined there must be
+	// satisfied by a device to be selected. This field corresponds
+	// to class.metadata.name.
+	//
+	// +optional
+	DeviceClassName *string
+
+	// If driver is set, only devices from that driver are selected.
+	// This fields corresponds to slice.spec.driver.
+	//
+	// +optional
+	Driver *string
+
+	// If pool is set, only devices in that pool are selected.
+	//
+	// Also setting the driver name may be useful to avoid
+	// ambiguity when different drivers use the same pool name,
+	// but this is not required because selecting pools from
+	// different drivers may also be useful, for example when
+	// drivers with node-local devices use the node name as
+	// their pool name.
+	//
+	// +optional
+	Pool *string
+
+	// If device is set, only devices with that name are selected.
+	// This field corresponds to slice.spec.devices[].name.
+	//
+	// Setting also driver and pool may be required to avoid ambiguity,
+	// but is not required.
+	//
+	// +optional
+	Device *string
+
+	// Selectors contains the same selection criteria as a ResourceClaim.
+	// Currently, CEL expressions are supported. All of these selectors
+	// must be satisfied.
+	//
+	// +optional
+	// +listType=atomic
+	Selectors []DeviceSelector
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// DeviceTaintRuleList is a collection of DeviceTaintRules.
+type DeviceTaintRuleList struct {
+	metav1.TypeMeta
+	// Standard list metadata
+	// +optional
+	metav1.ListMeta
+
+	// Items is the list of DeviceTaintRules.
+	Items []DeviceTaintRule
+}
diff --git a/pkg/apis/resource/v1alpha3/defaults.go b/pkg/apis/resource/v1alpha3/defaults.go
index 2d93bc28354..3e53f40a166 100644
--- a/pkg/apis/resource/v1alpha3/defaults.go
+++ b/pkg/apis/resource/v1alpha3/defaults.go
@@ -17,7 +17,10 @@ limitations under the License.
 package v1alpha3
 
 import (
+	"time"
+
 	resourceapi "k8s.io/api/resource/v1alpha3"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 )
 
@@ -50,3 +53,9 @@ func SetDefaults_DeviceSubRequest(obj *resourceapi.DeviceSubRequest) {
 		obj.Count = 1
 	}
 }
+
+func SetDefaults_DeviceTaint(obj *resourceapi.DeviceTaint) {
+	if obj.TimeAdded == nil {
+		obj.TimeAdded = &metav1.Time{Time: time.Now().Truncate(time.Second)}
+	}
+}
diff --git a/pkg/apis/resource/v1alpha3/defaults_test.go b/pkg/apis/resource/v1alpha3/defaults_test.go
index 4d19747a2b0..69c4d584a02 100644
--- a/pkg/apis/resource/v1alpha3/defaults_test.go
+++ b/pkg/apis/resource/v1alpha3/defaults_test.go
@@ -19,11 +19,14 @@ package v1alpha3_test
 import (
 	"reflect"
 	"testing"
+	"time"
 
 	"github.com/stretchr/testify/assert"
 
 	v1alpha3 "k8s.io/api/resource/v1alpha3"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/utils/ptr"
 
 	// ensure types are installed
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
@@ -134,6 +137,29 @@ func TestSetDefaultAllocationModeWithSubRequests(t *testing.T) {
 	assert.Equal(t, nonDefaultCount, output.Spec.Devices.Requests[0].FirstAvailable[1].Count)
 }
 
+func TestSetDefaultDeviceTaint(t *testing.T) {
+	slice := &v1alpha3.ResourceSlice{
+		Spec: v1alpha3.ResourceSliceSpec{
+			Devices: []v1alpha3.Device{{
+				Name: "device-0",
+				Basic: &v1alpha3.BasicDevice{
+					Taints: []v1alpha3.DeviceTaint{{}},
+				},
+			}},
+		},
+	}
+
+	// fields should be defaulted
+	output := roundTrip(t, slice).(*v1alpha3.ResourceSlice)
+	assert.WithinDuration(t, time.Now(), ptr.Deref(output.Spec.Devices[0].Basic.Taints[0].TimeAdded, metav1.Time{}).Time, time.Minute /* allow for some processing delay */, "time added default")
+
+	// field should not change
+	timeAdded, _ := time.ParseInLocation(time.RFC3339, "2006-01-02T15:04:05Z", time.UTC)
+	slice.Spec.Devices[0].Basic.Taints[0].TimeAdded = &metav1.Time{Time: timeAdded}
+	output = roundTrip(t, slice).(*v1alpha3.ResourceSlice)
+	assert.WithinDuration(t, timeAdded, ptr.Deref(output.Spec.Devices[0].Basic.Taints[0].TimeAdded, metav1.Time{}).Time, 0 /* semantically the same, different time zone allowed */, "time added fixed")
+}
+
 func roundTrip(t *testing.T, obj runtime.Object) runtime.Object {
 	codec := legacyscheme.Codecs.LegacyCodec(v1alpha3.SchemeGroupVersion)
 	data, err := runtime.Encode(codec, obj)
diff --git a/pkg/apis/resource/v1beta1/defaults.go b/pkg/apis/resource/v1beta1/defaults.go
index 6ce9b1de26a..4e959c7d768 100644
--- a/pkg/apis/resource/v1beta1/defaults.go
+++ b/pkg/apis/resource/v1beta1/defaults.go
@@ -17,7 +17,10 @@ limitations under the License.
 package v1beta1
 
 import (
+	"time"
+
 	resourceapi "k8s.io/api/resource/v1beta1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 )
 
@@ -50,3 +53,9 @@ func SetDefaults_DeviceSubRequest(obj *resourceapi.DeviceSubRequest) {
 		obj.Count = 1
 	}
 }
+
+func SetDefaults_DeviceTaint(obj *resourceapi.DeviceTaint) {
+	if obj.TimeAdded == nil {
+		obj.TimeAdded = &metav1.Time{Time: time.Now().Truncate(time.Second)}
+	}
+}
diff --git a/pkg/apis/resource/v1beta1/defaults_test.go b/pkg/apis/resource/v1beta1/defaults_test.go
index 9b00b0732a1..153a1bb47ee 100644
--- a/pkg/apis/resource/v1beta1/defaults_test.go
+++ b/pkg/apis/resource/v1beta1/defaults_test.go
@@ -19,11 +19,14 @@ package v1beta1_test
 import (
 	"reflect"
 	"testing"
+	"time"
 
 	"github.com/stretchr/testify/assert"
 
 	v1beta1 "k8s.io/api/resource/v1beta1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/utils/ptr"
 
 	// ensure types are installed
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
@@ -134,6 +137,29 @@ func TestSetDefaultAllocationModeWithSubRequests(t *testing.T) {
 	assert.Equal(t, nonDefaultCount, output.Spec.Devices.Requests[0].FirstAvailable[1].Count)
 }
 
+func TestSetDefaultDeviceTaint(t *testing.T) {
+	slice := &v1beta1.ResourceSlice{
+		Spec: v1beta1.ResourceSliceSpec{
+			Devices: []v1beta1.Device{{
+				Name: "device-0",
+				Basic: &v1beta1.BasicDevice{
+					Taints: []v1beta1.DeviceTaint{{}},
+				},
+			}},
+		},
+	}
+
+	// fields should be defaulted
+	output := roundTrip(t, slice).(*v1beta1.ResourceSlice)
+	assert.WithinDuration(t, time.Now(), ptr.Deref(output.Spec.Devices[0].Basic.Taints[0].TimeAdded, metav1.Time{}).Time, time.Minute /* allow for some processing delay */, "time added default")
+
+	// field should not change
+	timeAdded, _ := time.ParseInLocation(time.RFC3339, "2006-01-02T15:04:05Z", time.UTC)
+	slice.Spec.Devices[0].Basic.Taints[0].TimeAdded = &metav1.Time{Time: timeAdded}
+	output = roundTrip(t, slice).(*v1beta1.ResourceSlice)
+	assert.WithinDuration(t, timeAdded, ptr.Deref(output.Spec.Devices[0].Basic.Taints[0].TimeAdded, metav1.Time{}).Time, 0 /* semantically the same, different time zone allowed */, "time added fixed")
+}
+
 func roundTrip(t *testing.T, obj runtime.Object) runtime.Object {
 	codec := legacyscheme.Codecs.LegacyCodec(v1beta1.SchemeGroupVersion)
 	data, err := runtime.Encode(codec, obj)
diff --git a/pkg/apis/resource/validation/validation.go b/pkg/apis/resource/validation/validation.go
index 0a1b1ce429f..2148455964c 100644
--- a/pkg/apis/resource/validation/validation.go
+++ b/pkg/apis/resource/validation/validation.go
@@ -199,6 +199,10 @@ func validateDeviceRequest(request resource.DeviceRequest, fldPath *field.Path,
 			},
 			fldPath.Child("firstAvailable"))...)
 	}
+	for i, toleration := range request.Tolerations {
+		allErrs = append(allErrs, validateDeviceToleration(toleration, fldPath.Child("tolerations").Index(i))...)
+	}
+
 	return allErrs
 }
 
@@ -207,6 +211,9 @@ func validateDeviceSubRequest(subRequest resource.DeviceSubRequest, fldPath *fie
 	allErrs = append(allErrs, validateDeviceClass(subRequest.DeviceClassName, fldPath.Child("deviceClassName"))...)
 	allErrs = append(allErrs, validateSelectorSlice(subRequest.Selectors, fldPath.Child("selectors"), stored)...)
 	allErrs = append(allErrs, validateDeviceAllocationMode(subRequest.AllocationMode, subRequest.Count, fldPath.Child("allocationMode"), fldPath.Child("count"))...)
+	for i, toleration := range subRequest.Tolerations {
+		allErrs = append(allErrs, validateDeviceToleration(toleration, fldPath.Child("tolerations").Index(i))...)
+	}
 	return allErrs
 }
 
@@ -642,6 +649,9 @@ func validateBasicDevice(device resource.BasicDevice, fldPath *field.Path) field
 	if combinedLen, max := len(device.Attributes)+len(device.Capacity), resource.ResourceSliceMaxAttributesAndCapacitiesPerDevice; combinedLen > max {
 		allErrs = append(allErrs, field.Invalid(fldPath, combinedLen, fmt.Sprintf("the total number of attributes and capacities must not exceed %d", max)))
 	}
+	for i, taint := range device.Taints {
+		allErrs = append(allErrs, validateDeviceTaint(taint, fldPath.Child("taints").Index(i))...)
+	}
 	return allErrs
 }
 
@@ -675,19 +685,12 @@ func validateDeviceAttribute(attribute resource.DeviceAttribute, fldPath *field.
 		numFields++
 	}
 	if attribute.StringValue != nil {
-		if len(*attribute.StringValue) > resource.DeviceAttributeMaxValueLength {
-			allErrs = append(allErrs, field.TooLong(fldPath.Child("string"), "" /*unused*/, resource.DeviceAttributeMaxValueLength))
-		}
 		numFields++
+		allErrs = append(allErrs, validateDeviceAttributeStringValue(attribute.StringValue, fldPath.Child("string"))...)
 	}
 	if attribute.VersionValue != nil {
 		numFields++
-		if !semverRe.MatchString(*attribute.VersionValue) {
-			allErrs = append(allErrs, field.Invalid(fldPath.Child("version"), *attribute.VersionValue, "must be a string compatible with semver.org spec 2.0.0"))
-		}
-		if len(*attribute.VersionValue) > resource.DeviceAttributeMaxValueLength {
-			allErrs = append(allErrs, field.TooLong(fldPath.Child("version"), "" /*unused*/, resource.DeviceAttributeMaxValueLength))
-		}
+		allErrs = append(allErrs, validateDeviceAttributeVersionValue(attribute.VersionValue, fldPath.Child("version"))...)
 	}
 
 	switch numFields {
@@ -701,6 +704,25 @@ func validateDeviceAttribute(attribute resource.DeviceAttribute, fldPath *field.
 	return allErrs
 }
 
+func validateDeviceAttributeStringValue(value *string, fldPath *field.Path) field.ErrorList {
+	var allErrs field.ErrorList
+	if len(*value) > resource.DeviceAttributeMaxValueLength {
+		allErrs = append(allErrs, field.TooLong(fldPath, "" /*unused*/, resource.DeviceAttributeMaxValueLength))
+	}
+	return allErrs
+}
+
+func validateDeviceAttributeVersionValue(value *string, fldPath *field.Path) field.ErrorList {
+	var allErrs field.ErrorList
+	if !semverRe.MatchString(*value) {
+		allErrs = append(allErrs, field.Invalid(fldPath, *value, "must be a string compatible with semver.org spec 2.0.0"))
+	}
+	if len(*value) > resource.DeviceAttributeMaxValueLength {
+		allErrs = append(allErrs, field.TooLong(fldPath, "" /*unused*/, resource.DeviceAttributeMaxValueLength))
+	}
+	return allErrs
+}
+
 func validateDeviceCapacity(capacity resource.DeviceCapacity, fldPath *field.Path) field.ErrorList {
 	// Any parsed quantity is valid.
 	return nil
@@ -893,3 +915,123 @@ func validateNetworkDeviceData(networkDeviceData *resource.NetworkDeviceData, fl
 		}, stringKey, fldPath.Child("ips"))...)
 	return allErrs
 }
+
+// ValidateDeviceTaintRule tests if a DeviceTaintRule object is valid.
+func ValidateDeviceTaintRule(deviceTaint *resource.DeviceTaintRule) field.ErrorList {
+	allErrs := corevalidation.ValidateObjectMeta(&deviceTaint.ObjectMeta, false, apimachineryvalidation.NameIsDNSSubdomain, field.NewPath("metadata"))
+	allErrs = append(allErrs, validateDeviceTaintRuleSpec(&deviceTaint.Spec, nil, field.NewPath("spec"))...)
+	return allErrs
+}
+
+// ValidateDeviceTaintRuleUpdate tests if a DeviceTaintRule update is valid.
+func ValidateDeviceTaintRuleUpdate(deviceTaint, oldDeviceTaint *resource.DeviceTaintRule) field.ErrorList {
+	allErrs := corevalidation.ValidateObjectMetaUpdate(&deviceTaint.ObjectMeta, &oldDeviceTaint.ObjectMeta, field.NewPath("metadata"))
+	allErrs = append(allErrs, validateDeviceTaintRuleSpec(&deviceTaint.Spec, &oldDeviceTaint.Spec, field.NewPath("spec"))...)
+	return allErrs
+}
+
+func validateDeviceTaintRuleSpec(spec, oldSpec *resource.DeviceTaintRuleSpec, fldPath *field.Path) field.ErrorList {
+	var allErrs field.ErrorList
+
+	var oldFilter *resource.DeviceTaintSelector
+	if oldSpec != nil {
+		oldFilter = oldSpec.DeviceSelector // +k8s:verify-mutation:reason=clone
+	}
+	allErrs = append(allErrs, validateDeviceTaintSelector(spec.DeviceSelector, oldFilter, fldPath.Child("deviceSelector"))...)
+	allErrs = append(allErrs, validateDeviceTaint(spec.Taint, fldPath.Child("taint"))...)
+	return allErrs
+}
+
+func validateDeviceTaintSelector(filter, oldFilter *resource.DeviceTaintSelector, fldPath *field.Path) field.ErrorList {
+	var allErrs field.ErrorList
+
+	if filter == nil {
+		return allErrs
+	}
+	if filter.DeviceClassName != nil {
+		allErrs = append(allErrs, validateDeviceClassName(*filter.DeviceClassName, fldPath.Child("deviceClassName"))...)
+	}
+	if filter.Driver != nil {
+		allErrs = append(allErrs, validateDriverName(*filter.Driver, fldPath.Child("driver"))...)
+	}
+	if filter.Pool != nil {
+		allErrs = append(allErrs, validatePoolName(*filter.Pool, fldPath.Child("pool"))...)
+	}
+	if filter.Device != nil {
+		allErrs = append(allErrs, validateDeviceName(*filter.Device, fldPath.Child("device"))...)
+	}
+
+	// If the selectors are exactly as before, we treat the CEL expressions as "stored".
+	// Any change, including merely reordering selectors, triggers validation as new
+	// expressions.
+	stored := false
+	if oldFilter != nil {
+		stored = apiequality.Semantic.DeepEqual(filter.Selectors, oldFilter.Selectors)
+	}
+	allErrs = append(allErrs, validateSlice(filter.Selectors, resource.DeviceSelectorsMaxSize,
+		func(selector resource.DeviceSelector, fldPath *field.Path) field.ErrorList {
+			return validateSelector(selector, fldPath, stored)
+		},
+		fldPath.Child("selectors"))...)
+
+	return allErrs
+}
+
+var validDeviceTolerationOperators = []resource.DeviceTolerationOperator{resource.DeviceTolerationOpEqual, resource.DeviceTolerationOpExists}
+var validDeviceTaintEffects = sets.New(resource.DeviceTaintEffectNoSchedule, resource.DeviceTaintEffectNoExecute)
+
+func validateDeviceTaint(taint resource.DeviceTaint, fldPath *field.Path) field.ErrorList {
+	var allErrs field.ErrorList
+
+	allErrs = append(allErrs, metav1validation.ValidateLabelName(taint.Key, fldPath.Child("key"))...) // Includes checking for non-empty.
+	if taint.Value != "" {
+		allErrs = append(allErrs, validateLabelValue(taint.Value, fldPath.Child("value"))...)
+	}
+	switch {
+	case taint.Effect == "":
+		allErrs = append(allErrs, field.Required(fldPath.Child("effect"), "")) // Required in a taint.
+	case !validDeviceTaintEffects.Has(taint.Effect):
+		allErrs = append(allErrs, field.NotSupported(fldPath.Child("effect"), taint.Effect, sets.List(validDeviceTaintEffects)))
+	}
+
+	return allErrs
+}
+
+func validateDeviceToleration(toleration resource.DeviceToleration, fldPath *field.Path) field.ErrorList {
+	var allErrs field.ErrorList
+
+	if toleration.Key != "" {
+		allErrs = append(allErrs, metav1validation.ValidateLabelName(toleration.Key, fldPath.Child("key"))...)
+	}
+	switch toleration.Operator {
+	case resource.DeviceTolerationOpExists:
+		if toleration.Value != "" {
+			allErrs = append(allErrs, field.Invalid(fldPath.Child("value"), toleration.Value, "must be empty for operator `Exists`"))
+		}
+	case resource.DeviceTolerationOpEqual:
+		allErrs = append(allErrs, validateLabelValue(toleration.Value, fldPath.Child("value"))...)
+	case "":
+		allErrs = append(allErrs, field.Required(fldPath.Child("operator"), ""))
+	default:
+		allErrs = append(allErrs, field.NotSupported(fldPath.Child("operator"), toleration.Operator, validDeviceTolerationOperators))
+	}
+	switch {
+	case toleration.Effect == "":
+		// Optional in a toleration.
+	case !validDeviceTaintEffects.Has(toleration.Effect):
+		allErrs = append(allErrs, field.NotSupported(fldPath.Child("effect"), toleration.Effect, sets.List(validDeviceTaintEffects)))
+	}
+
+	return allErrs
+}
+
+func validateLabelValue(value string, fldPath *field.Path) field.ErrorList {
+	var allErrs field.ErrorList
+
+	// There's no metav1validation.ValidateLabelValue.
+	for _, msg := range validation.IsValidLabelValue(value) {
+		allErrs = append(allErrs, field.Invalid(fldPath, value, msg))
+	}
+
+	return allErrs
+}
diff --git a/pkg/apis/resource/validation/validation_devicetaintrule_test.go b/pkg/apis/resource/validation/validation_devicetaintrule_test.go
new file mode 100644
index 00000000000..9851c272bbc
--- /dev/null
+++ b/pkg/apis/resource/validation/validation_devicetaintrule_test.go
@@ -0,0 +1,351 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package validation
+
+import (
+	"strings"
+	"testing"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	resourceapi "k8s.io/kubernetes/pkg/apis/resource"
+	"k8s.io/utils/ptr"
+)
+
+func testDeviceTaintRule(name string, spec resourceapi.DeviceTaintRuleSpec) *resourceapi.DeviceTaintRule {
+	return &resourceapi.DeviceTaintRule{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: name,
+		},
+		Spec: *spec.DeepCopy(),
+	}
+}
+
+var validDeviceTaintRuleSpec = resourceapi.DeviceTaintRuleSpec{
+	DeviceSelector: &resourceapi.DeviceTaintSelector{
+		DeviceClassName: ptr.To(goodName),
+		Driver:          ptr.To("test.example.com"),
+		Pool:            ptr.To(goodName),
+		Device:          ptr.To(goodName),
+	},
+	Taint: resourceapi.DeviceTaint{
+		Key:    "example.com/taint",
+		Value:  "tainted",
+		Effect: resourceapi.DeviceTaintEffectNoSchedule,
+	},
+}
+
+func TestValidateDeviceTaint(t *testing.T) {
+	goodName := "foo"
+	now := metav1.Now()
+	badName := "!@#$%^"
+	badValue := "spaces not allowed"
+
+	scenarios := map[string]struct {
+		taintRule    *resourceapi.DeviceTaintRule
+		wantFailures field.ErrorList
+	}{
+		"good": {
+			taintRule: testDeviceTaintRule(goodName, validDeviceTaintRuleSpec),
+		},
+		"missing-name": {
+			wantFailures: field.ErrorList{field.Required(field.NewPath("metadata", "name"), "name or generateName is required")},
+			taintRule:    testDeviceTaintRule("", validDeviceTaintRuleSpec),
+		},
+		"bad-name": {
+			wantFailures: field.ErrorList{field.Invalid(field.NewPath("metadata", "name"), badName, "a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')")},
+			taintRule:    testDeviceTaintRule(badName, validDeviceTaintRuleSpec),
+		},
+		"generate-name": {
+			taintRule: func() *resourceapi.DeviceTaintRule {
+				taintRule := testDeviceTaintRule(goodName, validDeviceTaintRuleSpec)
+				taintRule.GenerateName = "pvc-"
+				return taintRule
+			}(),
+		},
+		"uid": {
+			taintRule: func() *resourceapi.DeviceTaintRule {
+				taintRule := testDeviceTaintRule(goodName, validDeviceTaintRuleSpec)
+				taintRule.UID = "ac051fac-2ead-46d9-b8b4-4e0fbeb7455d"
+				return taintRule
+			}(),
+		},
+		"resource-version": {
+			taintRule: func() *resourceapi.DeviceTaintRule {
+				taintRule := testDeviceTaintRule(goodName, validDeviceTaintRuleSpec)
+				taintRule.ResourceVersion = "1"
+				return taintRule
+			}(),
+		},
+		"generation": {
+			taintRule: func() *resourceapi.DeviceTaintRule {
+				taintRule := testDeviceTaintRule(goodName, validDeviceTaintRuleSpec)
+				taintRule.Generation = 100
+				return taintRule
+			}(),
+		},
+		"creation-timestamp": {
+			taintRule: func() *resourceapi.DeviceTaintRule {
+				taintRule := testDeviceTaintRule(goodName, validDeviceTaintRuleSpec)
+				taintRule.CreationTimestamp = now
+				return taintRule
+			}(),
+		},
+		"deletion-grace-period-seconds": {
+			taintRule: func() *resourceapi.DeviceTaintRule {
+				taintRule := testDeviceTaintRule(goodName, validDeviceTaintRuleSpec)
+				taintRule.DeletionGracePeriodSeconds = ptr.To(int64(10))
+				return taintRule
+			}(),
+		},
+		"owner-references": {
+			taintRule: func() *resourceapi.DeviceTaintRule {
+				taintRule := testDeviceTaintRule(goodName, validDeviceTaintRuleSpec)
+				taintRule.OwnerReferences = []metav1.OwnerReference{
+					{
+						APIVersion: "v1",
+						Kind:       "pod",
+						Name:       "foo",
+						UID:        "ac051fac-2ead-46d9-b8b4-4e0fbeb7455d",
+					},
+				}
+				return taintRule
+			}(),
+		},
+		"finalizers": {
+			taintRule: func() *resourceapi.DeviceTaintRule {
+				taintRule := testDeviceTaintRule(goodName, validDeviceTaintRuleSpec)
+				taintRule.Finalizers = []string{
+					"example.com/foo",
+				}
+				return taintRule
+			}(),
+		},
+		"managed-fields": {
+			taintRule: func() *resourceapi.DeviceTaintRule {
+				taintRule := testDeviceTaintRule(goodName, validDeviceTaintRuleSpec)
+				taintRule.ManagedFields = []metav1.ManagedFieldsEntry{
+					{
+						FieldsType: "FieldsV1",
+						Operation:  "Apply",
+						APIVersion: "apps/v1",
+						Manager:    "foo",
+					},
+				}
+				return taintRule
+			}(),
+		},
+		"good-labels": {
+			taintRule: func() *resourceapi.DeviceTaintRule {
+				taintRule := testDeviceTaintRule(goodName, validDeviceTaintRuleSpec)
+				taintRule.Labels = map[string]string{
+					"apps.kubernetes.io/name": "test",
+				}
+				return taintRule
+			}(),
+		},
+		"bad-labels": {
+			wantFailures: field.ErrorList{field.Invalid(field.NewPath("metadata", "labels"), badValue, "a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue',  or 'my_value',  or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')")},
+			taintRule: func() *resourceapi.DeviceTaintRule {
+				taintRule := testDeviceTaintRule(goodName, validDeviceTaintRuleSpec)
+				taintRule.Labels = map[string]string{
+					"hello-world": badValue,
+				}
+				return taintRule
+			}(),
+		},
+		"good-annotations": {
+			taintRule: func() *resourceapi.DeviceTaintRule {
+				taintRule := testDeviceTaintRule(goodName, validDeviceTaintRuleSpec)
+				taintRule.Annotations = map[string]string{
+					"foo": "bar",
+				}
+				return taintRule
+			}(),
+		},
+		"bad-annotations": {
+			wantFailures: field.ErrorList{field.Invalid(field.NewPath("metadata", "annotations"), badName, "name part must consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')")},
+			taintRule: func() *resourceapi.DeviceTaintRule {
+				taintRule := testDeviceTaintRule(goodName, validDeviceTaintRuleSpec)
+				taintRule.Annotations = map[string]string{
+					badName: "hello world",
+				}
+				return taintRule
+			}(),
+		},
+		"bad-class": {
+			wantFailures: field.ErrorList{field.Invalid(field.NewPath("spec", "deviceSelector", "deviceClassName"), badName, "a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')")},
+			taintRule: func() *resourceapi.DeviceTaintRule {
+				taintRule := testDeviceTaintRule(goodName, validDeviceTaintRuleSpec)
+				taintRule.Spec.DeviceSelector.DeviceClassName = ptr.To(badName)
+				return taintRule
+			}(),
+		},
+		"bad-driver": {
+			wantFailures: field.ErrorList{field.Invalid(field.NewPath("spec", "deviceSelector", "driver"), badName, "a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')")},
+			taintRule: func() *resourceapi.DeviceTaintRule {
+				taintRule := testDeviceTaintRule(goodName, validDeviceTaintRuleSpec)
+				taintRule.Spec.DeviceSelector.Driver = ptr.To(badName)
+				return taintRule
+			}(),
+		},
+		"bad-pool": {
+			wantFailures: field.ErrorList{field.Invalid(field.NewPath("spec", "deviceSelector", "pool"), badName, "a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')")},
+			taintRule: func() *resourceapi.DeviceTaintRule {
+				taintRule := testDeviceTaintRule(goodName, validDeviceTaintRuleSpec)
+				taintRule.Spec.DeviceSelector.Pool = ptr.To(badName)
+				return taintRule
+			}(),
+		},
+		"bad-device": {
+			wantFailures: field.ErrorList{field.Invalid(field.NewPath("spec", "deviceSelector", "device"), badName, "a lowercase RFC 1123 label must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character (e.g. 'my-name',  or '123-abc', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?')")},
+			taintRule: func() *resourceapi.DeviceTaintRule {
+				taintRule := testDeviceTaintRule(goodName, validDeviceTaintRuleSpec)
+				taintRule.Spec.DeviceSelector.Device = ptr.To(badName)
+				return taintRule
+			}(),
+		},
+		"CEL-compile-errors": {
+			wantFailures: field.ErrorList{
+				field.Invalid(field.NewPath("spec", "deviceSelector", "selectors").Index(1).Child("cel", "expression"), `device.attributes[true].someBoolean`, "compilation failed: ERROR: <input>:1:18: found no matching overload for '_[_]' applied to '(map(string, map(string, any)), bool)'\n | device.attributes[true].someBoolean\n | .................^"),
+			},
+			taintRule: func() *resourceapi.DeviceTaintRule {
+				taintRule := testDeviceTaintRule(goodName, validDeviceTaintRuleSpec)
+				taintRule.Spec.DeviceSelector.Selectors = []resourceapi.DeviceSelector{
+					{
+						// Good selector.
+						CEL: &resourceapi.CELDeviceSelector{
+							Expression: `device.driver == "dra.example.com"`,
+						},
+					},
+					{
+						// Bad selector.
+						CEL: &resourceapi.CELDeviceSelector{
+							Expression: `device.attributes[true].someBoolean`,
+						},
+					},
+				}
+				return taintRule
+			}(),
+		},
+		"CEL-length": {
+			wantFailures: field.ErrorList{
+				field.TooLong(field.NewPath("spec", "deviceSelector", "selectors").Index(1).Child("cel", "expression"), "" /*unused*/, resourceapi.CELSelectorExpressionMaxLength),
+			},
+			taintRule: func() *resourceapi.DeviceTaintRule {
+				taintRule := testDeviceTaintRule(goodName, validDeviceTaintRuleSpec)
+				expression := `device.driver == ""`
+				taintRule.Spec.DeviceSelector.Selectors = []resourceapi.DeviceSelector{
+					{
+						// Good selector.
+						CEL: &resourceapi.CELDeviceSelector{
+							Expression: strings.ReplaceAll(expression, `""`, `"`+strings.Repeat("x", resourceapi.CELSelectorExpressionMaxLength-len(expression))+`"`),
+						},
+					},
+					{
+						// Too long by one selector.
+						CEL: &resourceapi.CELDeviceSelector{
+							Expression: strings.ReplaceAll(expression, `""`, `"`+strings.Repeat("x", resourceapi.CELSelectorExpressionMaxLength-len(expression)+1)+`"`),
+						},
+					},
+				}
+				return taintRule
+			}(),
+		},
+		"CEL-cost": {
+			wantFailures: field.ErrorList{
+				field.Forbidden(field.NewPath("spec", "deviceSelector", "selectors").Index(0).Child("cel", "expression"), "too complex, exceeds cost limit"),
+			},
+			taintRule: func() *resourceapi.DeviceTaintRule {
+				claim := testDeviceTaintRule(goodName, validDeviceTaintRuleSpec)
+				claim.Spec.DeviceSelector.Selectors = []resourceapi.DeviceSelector{
+					{
+						CEL: &resourceapi.CELDeviceSelector{
+							// From https://github.com/kubernetes/kubernetes/blob/50fc400f178d2078d0ca46aee955ee26375fc437/test/integration/apiserver/cel/validatingadmissionpolicy_test.go#L2150.
+							Expression: `[1, 2, 3, 4, 5, 6, 7, 8, 9, 10].all(x, [1, 2, 3, 4, 5, 6, 7, 8, 9, 10].all(y, [1, 2, 3, 4, 5, 6, 7, 8, 9, 10].all(z, [1, 2, 3, 4, 5, 6, 7, 8, 9, 10].all(z2, [1, 2, 3, 4, 5, 6, 7, 8, 9, 10].all(z3, [1, 2, 3, 4, 5, 6, 7, 8, 9, 10].all(z4, [1, 2, 3, 4, 5, 6, 7, 8, 9, 10].all(z5, int('1'.find('[0-9]*')) < 100)))))))`,
+						},
+					},
+				}
+				return claim
+			}(),
+		},
+		"valid-taint": {
+			taintRule: func() *resourceapi.DeviceTaintRule {
+				claim := testDeviceTaintRule(goodName, validDeviceTaintRuleSpec)
+				claim.Spec.Taint = resourceapi.DeviceTaint{
+					Key:    goodName,
+					Value:  goodName,
+					Effect: resourceapi.DeviceTaintEffectNoExecute,
+				}
+				return claim
+			}(),
+		},
+		"invalid-taint": {
+			wantFailures: field.ErrorList{
+				field.Required(field.NewPath("spec", "taint", "effect"), ""),
+			},
+			taintRule: func() *resourceapi.DeviceTaintRule {
+				claim := testDeviceTaintRule(goodName, validDeviceTaintRuleSpec)
+				claim.Spec.Taint = resourceapi.DeviceTaint{
+					// Minimal test. Full coverage of validateDeviceTaint is in ResourceSlice test.
+					Key:   goodName,
+					Value: goodName,
+				}
+				return claim
+			}(),
+		},
+	}
+
+	for name, scenario := range scenarios {
+		t.Run(name, func(t *testing.T) {
+			errs := ValidateDeviceTaintRule(scenario.taintRule)
+			assertFailures(t, scenario.wantFailures, errs)
+		})
+	}
+}
+
+func TestValidateDeviceTaintUpdate(t *testing.T) {
+	name := "valid"
+	validTaintRule := testDeviceTaintRule(name, validDeviceTaintRuleSpec)
+
+	scenarios := map[string]struct {
+		old          *resourceapi.DeviceTaintRule
+		update       func(patch *resourceapi.DeviceTaintRule) *resourceapi.DeviceTaintRule
+		wantFailures field.ErrorList
+	}{
+		"valid-no-op-update": {
+			old:    validTaintRule,
+			update: func(taintRule *resourceapi.DeviceTaintRule) *resourceapi.DeviceTaintRule { return taintRule },
+		},
+		"invalid-name-update": {
+			wantFailures: field.ErrorList{field.Invalid(field.NewPath("metadata", "name"), name+"-update", "field is immutable")},
+			old:          validTaintRule,
+			update: func(taintRule *resourceapi.DeviceTaintRule) *resourceapi.DeviceTaintRule {
+				taintRule.Name += "-update"
+				return taintRule
+			},
+		},
+	}
+
+	for name, scenario := range scenarios {
+		t.Run(name, func(t *testing.T) {
+			scenario.old.ResourceVersion = "1"
+			errs := ValidateDeviceTaintRuleUpdate(scenario.update(scenario.old.DeepCopy()), scenario.old)
+			assertFailures(t, scenario.wantFailures, errs)
+		})
+	}
+}
diff --git a/pkg/apis/resource/validation/validation_resourceclaim_test.go b/pkg/apis/resource/validation/validation_resourceclaim_test.go
index 7224fc82f1f..69745829b08 100644
--- a/pkg/apis/resource/validation/validation_resourceclaim_test.go
+++ b/pkg/apis/resource/validation/validation_resourceclaim_test.go
@@ -735,6 +735,70 @@ func TestValidateClaim(t *testing.T) {
 				return claim
 			}(),
 		},
+		"tolerations": {
+			wantFailures: func() field.ErrorList {
+				var allErrs field.ErrorList
+				fldPath := field.NewPath("spec", "devices", "requests").Index(0).Child("firstAvailable").Index(0).Child("tolerations")
+				allErrs = append(allErrs,
+					field.Required(fldPath.Index(0).Child("operator"), ""),
+				)
+				fldPath = field.NewPath("spec", "devices", "requests").Index(1).Child("tolerations")
+				allErrs = append(allErrs,
+					field.Required(fldPath.Index(3).Child("operator"), ""),
+
+					field.NotSupported(fldPath.Index(4).Child("operator"), resource.DeviceTolerationOperator("some-other-op"), []resource.DeviceTolerationOperator{resource.DeviceTolerationOpEqual, resource.DeviceTolerationOpExists}),
+
+					field.Invalid(fldPath.Index(5).Child("key"), badName, "name part must consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')"),
+					field.Invalid(fldPath.Index(5).Child("value"), badName, "a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue',  or 'my_value',  or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')"),
+					field.NotSupported(fldPath.Index(5).Child("effect"), resource.DeviceTaintEffect("some-other-effect"), []resource.DeviceTaintEffect{resource.DeviceTaintEffectNoExecute, resource.DeviceTaintEffectNoSchedule}),
+				)
+				return allErrs
+			}(),
+			claim: func() *resource.ResourceClaim {
+				claim := testClaim(goodName, goodNS, validClaimSpecWithFirstAvailable)
+				claim.Spec.Devices.Requests[0].FirstAvailable[0].Tolerations = []resource.DeviceToleration{
+					{
+						// One invalid case to verify the field path.
+						// Full test for validateDeviceToleration is below.
+						Operator: "",
+					},
+				}
+				claim.Spec.Devices.Requests = append(claim.Spec.Devices.Requests, *validClaimSpec.Devices.Requests[0].DeepCopy())
+				claim.Spec.Devices.Requests[1].Name += "-other"
+				claim.Spec.Devices.Requests[1].Tolerations = []resource.DeviceToleration{
+					{
+						// Minimal valid toleration: match all taints.
+						Operator: resource.DeviceTolerationOpExists,
+					},
+					{
+						Key:      "example.com/taint",
+						Operator: resource.DeviceTolerationOpExists,
+						Effect:   resource.DeviceTaintEffectNoExecute,
+					},
+					{
+						Key:      "example.com/taint",
+						Operator: resource.DeviceTolerationOpEqual,
+						Value:    "tainted",
+						Effect:   resource.DeviceTaintEffectNoSchedule,
+					},
+					{
+						// Invalid, operator is required.
+						Operator: "",
+					},
+					{
+						Key:      goodName,
+						Operator: "some-other-op",
+					},
+					{
+						Key:      badName,
+						Operator: resource.DeviceTolerationOpEqual,
+						Value:    badName,
+						Effect:   "some-other-effect",
+					},
+				}
+				return claim
+			}(),
+		},
 	}
 
 	for name, scenario := range scenarios {
@@ -1645,11 +1709,6 @@ func TestValidateClaimStatusUpdate(t *testing.T) {
 
 			scenario.oldClaim.ResourceVersion = "1"
 			errs := ValidateResourceClaimStatusUpdate(scenario.update(scenario.oldClaim.DeepCopy()), scenario.oldClaim)
-
-			if name == "invalid-data-device-status-limits-feature-gate" {
-				fmt.Println(errs)
-				fmt.Println(scenario.wantFailures)
-			}
 			assertFailures(t, scenario.wantFailures, errs)
 		})
 	}
diff --git a/pkg/apis/resource/validation/validation_resourceslice_test.go b/pkg/apis/resource/validation/validation_resourceslice_test.go
index 5eb141e84a6..34be623bc6c 100644
--- a/pkg/apis/resource/validation/validation_resourceslice_test.go
+++ b/pkg/apis/resource/validation/validation_resourceslice_test.go
@@ -447,6 +447,47 @@ func TestValidateResourceSlice(t *testing.T) {
 				return slice
 			}(),
 		},
+		"taints": {
+			wantFailures: func() field.ErrorList {
+				fldPath := field.NewPath("spec", "devices").Index(0).Child("basic", "taints")
+				return field.ErrorList{
+					field.Invalid(fldPath.Index(2).Child("key"), "", "name part must be non-empty"),
+					field.Invalid(fldPath.Index(2).Child("key"), "", "name part must consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')"),
+					field.Required(fldPath.Index(2).Child("effect"), ""),
+
+					field.Invalid(fldPath.Index(3).Child("key"), badName, "name part must consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')"),
+					field.Invalid(fldPath.Index(3).Child("value"), badName, "a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue',  or 'my_value',  or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')"),
+					field.NotSupported(fldPath.Index(3).Child("effect"), resourceapi.DeviceTaintEffect("some-other-op"), []resourceapi.DeviceTaintEffect{resourceapi.DeviceTaintEffectNoExecute, resourceapi.DeviceTaintEffectNoSchedule}),
+				}
+			}(),
+			slice: func() *resourceapi.ResourceSlice {
+				slice := testResourceSlice(goodName, goodName, goodName, 3)
+				slice.Spec.Devices[0].Basic.Taints = []resourceapi.DeviceTaint{
+					{
+						// Minimal valid taint.
+						Key:    "example.com/taint",
+						Effect: resourceapi.DeviceTaintEffectNoExecute,
+					},
+					{
+						// Full valid taint, other key and effect.
+						Key:       "taint",
+						Value:     "tainted",
+						Effect:    resourceapi.DeviceTaintEffectNoSchedule,
+						TimeAdded: ptr.To(metav1.Now()),
+					},
+					{
+						// Invalid, all empty!
+					},
+					{
+						// Invalid strings.
+						Key:    badName,
+						Value:  badName,
+						Effect: "some-other-op",
+					},
+				}
+				return slice
+			}(),
+		},
 	}
 
 	for name, scenario := range scenarios {
diff --git a/pkg/kubeapiserver/default_storage_factory_builder.go b/pkg/kubeapiserver/default_storage_factory_builder.go
index f012ce11e08..c19b4b17662 100644
--- a/pkg/kubeapiserver/default_storage_factory_builder.go
+++ b/pkg/kubeapiserver/default_storage_factory_builder.go
@@ -37,6 +37,7 @@ import (
 	"k8s.io/kubernetes/pkg/apis/extensions"
 	"k8s.io/kubernetes/pkg/apis/networking"
 	"k8s.io/kubernetes/pkg/apis/policy"
+	"k8s.io/kubernetes/pkg/apis/resource"
 	"k8s.io/kubernetes/pkg/apis/storage"
 	"k8s.io/kubernetes/pkg/apis/storagemigration"
 )
@@ -89,6 +90,7 @@ func NewStorageFactoryConfigEffectiveVersion(effectiveVersion basecompatibility.
 		certificates.Resource("clustertrustbundles").WithVersion("v1beta1"),
 		storage.Resource("volumeattributesclasses").WithVersion("v1beta1"),
 		storagemigration.Resource("storagemigrations").WithVersion("v1alpha1"),
+		resource.Resource("devicetaintrules").WithVersion("v1alpha3"),
 	}
 
 	return &StorageFactoryConfig{
diff --git a/pkg/printers/internalversion/printers.go b/pkg/printers/internalversion/printers.go
index b0d7e421dd1..71ffb3acfa5 100644
--- a/pkg/printers/internalversion/printers.go
+++ b/pkg/printers/internalversion/printers.go
@@ -687,6 +687,22 @@ func AddHandlers(h printers.PrintHandler) {
 	_ = h.TableHandler(nodeResourceSliceColumnDefinitions, printResourceSlice)
 	_ = h.TableHandler(nodeResourceSliceColumnDefinitions, printResourceSliceList)
 
+	deviceTaintColumnDefinitions := []metav1.TableColumnDefinition{
+		{Name: "Name", Type: "string", Format: "name", Description: metav1.ObjectMeta{}.SwaggerDoc()["name"]},
+		// The filter criteria are not printed. They could be lengthy (CEL!) and in practice many of them
+		// will be empty. Instead, the admin could pick a descriptive name.
+		//
+		// The taint is more useful.
+		{Name: "Key", Type: "string", Description: resourceapi.DeviceTaint{}.SwaggerDoc()["key"]},
+		{Name: "Value", Type: "string", Description: resourceapi.DeviceTaint{}.SwaggerDoc()["value"]},
+		{Name: "Effect", Type: "string", Description: resourceapi.DeviceTaint{}.SwaggerDoc()["effect"]},
+		// TimeAdded and Age are often the same, but not necessarily.
+		{Name: "TimeAdded", Type: "string", Description: resourceapi.DeviceTaint{}.SwaggerDoc()["timeAdded"]},
+		{Name: "Age", Type: "string", Description: metav1.ObjectMeta{}.SwaggerDoc()["creationTimestamp"]},
+	}
+	_ = h.TableHandler(deviceTaintColumnDefinitions, printDeviceTaint)
+	_ = h.TableHandler(deviceTaintColumnDefinitions, printDeviceTaintRuleList)
+
 	serviceCIDRColumnDefinitions := []metav1.TableColumnDefinition{
 		{Name: "Name", Type: "string", Format: "name", Description: metav1.ObjectMeta{}.SwaggerDoc()["name"]},
 		{Name: "CIDRs", Type: "string", Description: networkingv1beta1.ServiceCIDRSpec{}.SwaggerDoc()["cidrs"]},
@@ -3172,6 +3188,32 @@ func printResourceSliceList(list *resource.ResourceSliceList, options printers.G
 	return rows, nil
 }
 
+func printDeviceTaint(obj *resource.DeviceTaintRule, options printers.GenerateOptions) ([]metav1.TableRow, error) {
+	row := metav1.TableRow{
+		Object: runtime.RawExtension{Object: obj},
+	}
+
+	timeAdded := ""
+	if added := obj.Spec.Taint.TimeAdded; added != nil {
+		timeAdded = translateTimestampSince(*added)
+	}
+	row.Cells = append(row.Cells, obj.Name, string(obj.Spec.Taint.Key), obj.Spec.Taint.Value, string(obj.Spec.Taint.Effect), timeAdded, translateTimestampSince(obj.CreationTimestamp))
+
+	return []metav1.TableRow{row}, nil
+}
+
+func printDeviceTaintRuleList(list *resource.DeviceTaintRuleList, options printers.GenerateOptions) ([]metav1.TableRow, error) {
+	rows := make([]metav1.TableRow, 0, len(list.Items))
+	for i := range list.Items {
+		r, err := printDeviceTaint(&list.Items[i], options)
+		if err != nil {
+			return nil, err
+		}
+		rows = append(rows, r...)
+	}
+	return rows, nil
+}
+
 func printStorageVersionMigration(obj *svmv1alpha1.StorageVersionMigration, options printers.GenerateOptions) ([]metav1.TableRow, error) {
 	row := metav1.TableRow{
 		Object: runtime.RawExtension{Object: obj},
diff --git a/pkg/registry/resource/devicetaintrule/storage/storage.go b/pkg/registry/resource/devicetaintrule/storage/storage.go
new file mode 100644
index 00000000000..64ff2fb3972
--- /dev/null
+++ b/pkg/registry/resource/devicetaintrule/storage/storage.go
@@ -0,0 +1,56 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package storage
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apiserver/pkg/registry/generic"
+	genericregistry "k8s.io/apiserver/pkg/registry/generic/registry"
+	"k8s.io/kubernetes/pkg/apis/resource"
+	"k8s.io/kubernetes/pkg/printers"
+	printersinternal "k8s.io/kubernetes/pkg/printers/internalversion"
+	printerstorage "k8s.io/kubernetes/pkg/printers/storage"
+	"k8s.io/kubernetes/pkg/registry/resource/devicetaintrule"
+)
+
+// REST implements a RESTStorage for DeviceTaintRule.
+type REST struct {
+	*genericregistry.Store
+}
+
+// NewREST returns a RESTStorage object that will work against DeviceTaintRule.
+func NewREST(optsGetter generic.RESTOptionsGetter) (*REST, error) {
+	store := &genericregistry.Store{
+		NewFunc:                   func() runtime.Object { return &resource.DeviceTaintRule{} },
+		NewListFunc:               func() runtime.Object { return &resource.DeviceTaintRuleList{} },
+		DefaultQualifiedResource:  resource.Resource("devicetaintrules"),
+		SingularQualifiedResource: resource.Resource("devicetaintrule"),
+
+		CreateStrategy:      devicetaintrule.Strategy,
+		UpdateStrategy:      devicetaintrule.Strategy,
+		DeleteStrategy:      devicetaintrule.Strategy,
+		ReturnDeletedObject: true,
+
+		TableConvertor: printerstorage.TableConvertor{TableGenerator: printers.NewTableGenerator().With(printersinternal.AddHandlers)},
+	}
+	options := &generic.StoreOptions{RESTOptions: optsGetter}
+	if err := store.CompleteWithOptions(options); err != nil {
+		return nil, err
+	}
+
+	return &REST{store}, nil
+}
diff --git a/pkg/registry/resource/devicetaintrule/storage/storage_test.go b/pkg/registry/resource/devicetaintrule/storage/storage_test.go
new file mode 100644
index 00000000000..767727e4003
--- /dev/null
+++ b/pkg/registry/resource/devicetaintrule/storage/storage_test.go
@@ -0,0 +1,144 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package storage
+
+import (
+	"testing"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/fields"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apiserver/pkg/registry/generic"
+	genericregistrytest "k8s.io/apiserver/pkg/registry/generic/testing"
+	etcd3testing "k8s.io/apiserver/pkg/storage/etcd3/testing"
+	"k8s.io/kubernetes/pkg/apis/resource"
+	_ "k8s.io/kubernetes/pkg/apis/resource/install"
+	"k8s.io/kubernetes/pkg/registry/registrytest"
+)
+
+func newStorage(t *testing.T) (*REST, *etcd3testing.EtcdTestServer) {
+	etcdStorage, server := registrytest.NewEtcdStorageForResource(t, resource.Resource("devicetaintrules"))
+	restOptions := generic.RESTOptions{
+		StorageConfig:           etcdStorage,
+		Decorator:               generic.UndecoratedStorage,
+		DeleteCollectionWorkers: 1,
+		ResourcePrefix:          "devicetaintrules",
+	}
+	deviceTaintStorage, err := NewREST(restOptions)
+	if err != nil {
+		t.Fatalf("unexpected error from REST storage: %v", err)
+	}
+	return deviceTaintStorage, server
+}
+
+func validNewDeviceTaint(name string) *resource.DeviceTaintRule {
+	return &resource.DeviceTaintRule{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: name,
+		},
+		Spec: resource.DeviceTaintRuleSpec{
+			Taint: resource.DeviceTaint{
+				Key:    "example.com/taint",
+				Effect: resource.DeviceTaintEffectNoExecute,
+			},
+		},
+	}
+}
+
+func TestCreate(t *testing.T) {
+	storage, server := newStorage(t)
+	defer server.Terminate(t)
+	defer storage.Store.DestroyFunc()
+	test := genericregistrytest.New(t, storage.Store).ClusterScope()
+	patch := validNewDeviceTaint("foo")
+	patch.ObjectMeta = metav1.ObjectMeta{GenerateName: "foo"}
+	test.TestCreate(
+		// valid
+		patch,
+		// invalid
+		&resource.DeviceTaintRule{
+			ObjectMeta: metav1.ObjectMeta{Name: "*BadName!"},
+		},
+	)
+}
+
+func TestUpdate(t *testing.T) {
+	storage, server := newStorage(t)
+	defer server.Terminate(t)
+	defer storage.Store.DestroyFunc()
+	test := genericregistrytest.New(t, storage.Store).ClusterScope()
+	test.TestUpdate(
+		// valid
+		validNewDeviceTaint("foo"),
+		// updateFunc
+		func(obj runtime.Object) runtime.Object {
+			object := obj.(*resource.DeviceTaintRule)
+			object.Labels = map[string]string{"foo": "bar"}
+			return object
+		},
+	)
+
+}
+
+func TestDelete(t *testing.T) {
+	storage, server := newStorage(t)
+	defer server.Terminate(t)
+	defer storage.Store.DestroyFunc()
+	test := genericregistrytest.New(t, storage.Store).ClusterScope().ReturnDeletedObject()
+	test.TestDelete(validNewDeviceTaint("foo"))
+}
+
+func TestGet(t *testing.T) {
+	storage, server := newStorage(t)
+	defer server.Terminate(t)
+	defer storage.Store.DestroyFunc()
+	test := genericregistrytest.New(t, storage.Store).ClusterScope()
+	test.TestGet(validNewDeviceTaint("foo"))
+}
+
+func TestList(t *testing.T) {
+	storage, server := newStorage(t)
+	defer server.Terminate(t)
+	defer storage.Store.DestroyFunc()
+	test := genericregistrytest.New(t, storage.Store).ClusterScope()
+	test.TestList(validNewDeviceTaint("foo"))
+}
+
+func TestWatch(t *testing.T) {
+	storage, server := newStorage(t)
+	defer server.Terminate(t)
+	defer storage.Store.DestroyFunc()
+	test := genericregistrytest.New(t, storage.Store).ClusterScope()
+	test.TestWatch(
+		validNewDeviceTaint("foo"),
+		// matching labels
+		[]labels.Set{},
+		// not matching labels
+		[]labels.Set{
+			{"foo": "bar"},
+		},
+		// matching fields
+		[]fields.Set{
+			{"metadata.name": "foo"},
+		},
+		// not matching fields
+		[]fields.Set{
+			{"metadata.name": "bar"},
+		},
+	)
+}
diff --git a/pkg/registry/resource/devicetaintrule/strategy.go b/pkg/registry/resource/devicetaintrule/strategy.go
new file mode 100644
index 00000000000..d458fc7d538
--- /dev/null
+++ b/pkg/registry/resource/devicetaintrule/strategy.go
@@ -0,0 +1,84 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package devicetaintrule
+
+import (
+	"context"
+
+	apiequality "k8s.io/apimachinery/pkg/api/equality"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	"k8s.io/apiserver/pkg/storage/names"
+	"k8s.io/kubernetes/pkg/api/legacyscheme"
+	"k8s.io/kubernetes/pkg/apis/resource"
+	"k8s.io/kubernetes/pkg/apis/resource/validation"
+)
+
+// deviceTaintRuleStrategy implements behavior for DeviceTaintRule objects
+type deviceTaintRuleStrategy struct {
+	runtime.ObjectTyper
+	names.NameGenerator
+}
+
+var Strategy = deviceTaintRuleStrategy{legacyscheme.Scheme, names.SimpleNameGenerator}
+
+func (deviceTaintRuleStrategy) NamespaceScoped() bool {
+	return false
+}
+
+func (deviceTaintRuleStrategy) PrepareForCreate(ctx context.Context, obj runtime.Object) {
+	patch := obj.(*resource.DeviceTaintRule)
+	patch.Generation = 1
+}
+
+func (deviceTaintRuleStrategy) Validate(ctx context.Context, obj runtime.Object) field.ErrorList {
+	patch := obj.(*resource.DeviceTaintRule)
+	return validation.ValidateDeviceTaintRule(patch)
+}
+
+func (deviceTaintRuleStrategy) WarningsOnCreate(ctx context.Context, obj runtime.Object) []string {
+	return nil
+}
+
+func (deviceTaintRuleStrategy) Canonicalize(obj runtime.Object) {
+}
+
+func (deviceTaintRuleStrategy) AllowCreateOnUpdate() bool {
+	return false
+}
+
+func (deviceTaintRuleStrategy) PrepareForUpdate(ctx context.Context, obj, old runtime.Object) {
+	patch := obj.(*resource.DeviceTaintRule)
+	oldPatch := old.(*resource.DeviceTaintRule)
+
+	// Any changes to the spec increment the generation number.
+	if !apiequality.Semantic.DeepEqual(oldPatch.Spec, patch.Spec) {
+		patch.Generation = oldPatch.Generation + 1
+	}
+}
+
+func (deviceTaintRuleStrategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object) field.ErrorList {
+	return validation.ValidateDeviceTaintRuleUpdate(obj.(*resource.DeviceTaintRule), old.(*resource.DeviceTaintRule))
+}
+
+func (deviceTaintRuleStrategy) WarningsOnUpdate(ctx context.Context, obj, old runtime.Object) []string {
+	return nil
+}
+
+func (deviceTaintRuleStrategy) AllowUnconditionalUpdate() bool {
+	return true
+}
diff --git a/pkg/registry/resource/devicetaintrule/strategy_test.go b/pkg/registry/resource/devicetaintrule/strategy_test.go
new file mode 100644
index 00000000000..7923a8e981c
--- /dev/null
+++ b/pkg/registry/resource/devicetaintrule/strategy_test.go
@@ -0,0 +1,86 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package devicetaintrule
+
+import (
+	"testing"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
+	"k8s.io/kubernetes/pkg/apis/resource"
+)
+
+var patch = &resource.DeviceTaintRule{
+	ObjectMeta: metav1.ObjectMeta{
+		Name: "valid-patch",
+	},
+	Spec: resource.DeviceTaintRuleSpec{
+		Taint: resource.DeviceTaint{
+			Key:    "example.com/tainted",
+			Effect: resource.DeviceTaintEffectNoExecute,
+		},
+	},
+}
+
+func TestDeviceTaintRuleStrategy(t *testing.T) {
+	if Strategy.NamespaceScoped() {
+		t.Errorf("DeviceTaintRule must not be namespace scoped")
+	}
+	if Strategy.AllowCreateOnUpdate() {
+		t.Errorf("DeviceTaintRule should not allow create on update")
+	}
+}
+
+func TestDeviceTaintRuleStrategyCreate(t *testing.T) {
+	ctx := genericapirequest.NewDefaultContext()
+	patch := patch.DeepCopy()
+
+	Strategy.PrepareForCreate(ctx, patch)
+	errs := Strategy.Validate(ctx, patch)
+	if len(errs) != 0 {
+		t.Errorf("unexpected error validating for create %v", errs)
+	}
+}
+
+func TestDeviceTaintRuleStrategyUpdate(t *testing.T) {
+	t.Run("no-changes-okay", func(t *testing.T) {
+		ctx := genericapirequest.NewDefaultContext()
+		patch := patch.DeepCopy()
+		newPatch := patch.DeepCopy()
+		newPatch.ResourceVersion = "4"
+
+		Strategy.PrepareForUpdate(ctx, newPatch, patch)
+		errs := Strategy.ValidateUpdate(ctx, newPatch, patch)
+		if len(errs) != 0 {
+			t.Errorf("unexpected validation errors: %v", errs)
+		}
+	})
+
+	t.Run("name-change-not-allowed", func(t *testing.T) {
+		ctx := genericapirequest.NewDefaultContext()
+		patch := patch.DeepCopy()
+		newPatch := patch.DeepCopy()
+		newPatch.Name = "valid-patch-2"
+		newPatch.ResourceVersion = "4"
+
+		Strategy.PrepareForUpdate(ctx, newPatch, patch)
+		errs := Strategy.ValidateUpdate(ctx, newPatch, patch)
+		if len(errs) == 0 {
+			t.Errorf("expected a validation error")
+		}
+	})
+}
diff --git a/pkg/registry/resource/resourceclaim/strategy.go b/pkg/registry/resource/resourceclaim/strategy.go
index cb770b2a6e1..d494965820e 100644
--- a/pkg/registry/resource/resourceclaim/strategy.go
+++ b/pkg/registry/resource/resourceclaim/strategy.go
@@ -313,3 +313,5 @@ func dropDeallocatedStatusDevices(newClaim, oldClaim *resource.ResourceClaim) {
 		newClaim.Status.Devices = nil
 	}
 }
+
+// TODO: add tests after partitionable devices is merged (code conflict!)
diff --git a/pkg/registry/resource/resourceslice/strategy.go b/pkg/registry/resource/resourceslice/strategy.go
index 336de305c2f..6170aaac6bf 100644
--- a/pkg/registry/resource/resourceslice/strategy.go
+++ b/pkg/registry/resource/resourceslice/strategy.go
@@ -28,10 +28,12 @@ import (
 	"k8s.io/apiserver/pkg/registry/generic"
 	"k8s.io/apiserver/pkg/storage"
 	"k8s.io/apiserver/pkg/storage/names"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
 	"k8s.io/kubernetes/pkg/apis/resource"
 	"k8s.io/kubernetes/pkg/apis/resource/validation"
+	"k8s.io/kubernetes/pkg/features"
 )
 
 // resourceSliceStrategy implements behavior for ResourceSlice objects
@@ -49,6 +51,8 @@ func (resourceSliceStrategy) NamespaceScoped() bool {
 func (resourceSliceStrategy) PrepareForCreate(ctx context.Context, obj runtime.Object) {
 	slice := obj.(*resource.ResourceSlice)
 	slice.Generation = 1
+
+	dropDisabledFields(slice, nil)
 }
 
 func (resourceSliceStrategy) Validate(ctx context.Context, obj runtime.Object) field.ErrorList {
@@ -75,6 +79,8 @@ func (resourceSliceStrategy) PrepareForUpdate(ctx context.Context, obj, old runt
 	if !apiequality.Semantic.DeepEqual(oldSlice.Spec, slice.Spec) {
 		slice.Generation = oldSlice.Generation + 1
 	}
+
+	dropDisabledFields(slice, oldSlice)
 }
 
 func (resourceSliceStrategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object) field.ErrorList {
@@ -147,3 +153,33 @@ func toSelectableFields(slice *resource.ResourceSlice) fields.Set {
 	// Adds one field.
 	return generic.AddObjectMetaFieldsSet(fields, &slice.ObjectMeta, false)
 }
+
+// dropDisabledFields removes fields which are covered by a feature gate.
+func dropDisabledFields(newSlice, oldSlice *resource.ResourceSlice) {
+	dropDisabledDRADeviceTaintsFields(newSlice, oldSlice)
+}
+
+func dropDisabledDRADeviceTaintsFields(newSlice, oldSlice *resource.ResourceSlice) {
+	if utilfeature.DefaultFeatureGate.Enabled(features.DRADeviceTaints) || draDeviceTaintsFeatureInUse(oldSlice) {
+		return
+	}
+
+	for _, device := range newSlice.Spec.Devices {
+		if device.Basic != nil {
+			device.Basic.Taints = nil
+		}
+	}
+}
+
+func draDeviceTaintsFeatureInUse(slice *resource.ResourceSlice) bool {
+	if slice == nil {
+		return false
+	}
+
+	for _, device := range slice.Spec.Devices {
+		if device.Basic != nil && len(device.Basic.Taints) > 0 {
+			return true
+		}
+	}
+	return false
+}
diff --git a/pkg/registry/resource/resourceslice/strategy_test.go b/pkg/registry/resource/resourceslice/strategy_test.go
index 0ee366655b0..4424f9fdeed 100644
--- a/pkg/registry/resource/resourceslice/strategy_test.go
+++ b/pkg/registry/resource/resourceslice/strategy_test.go
@@ -19,9 +19,14 @@ package resourceslice
 import (
 	"testing"
 
+	"github.com/stretchr/testify/assert"
+
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	"k8s.io/kubernetes/pkg/apis/resource"
+	"k8s.io/kubernetes/pkg/features"
 )
 
 var slice = &resource.ResourceSlice{
@@ -35,9 +40,22 @@ var slice = &resource.ResourceSlice{
 			Name:               "valid-pool-name",
 			ResourceSliceCount: 1,
 		},
+		Devices: []resource.Device{{
+			Name:  "device-0",
+			Basic: &resource.BasicDevice{},
+		}},
 	},
 }
 
+var sliceWithDeviceTaints = func() *resource.ResourceSlice {
+	slice := slice.DeepCopy()
+	slice.Spec.Devices[0].Basic.Taints = []resource.DeviceTaint{{
+		Key:    "example.com/tainted",
+		Effect: resource.DeviceTaintEffectNoSchedule,
+	}}
+	return slice
+}()
+
 func TestResourceSliceStrategy(t *testing.T) {
 	if Strategy.NamespaceScoped() {
 		t.Errorf("ResourceSlice must not be namespace scoped")
@@ -49,40 +67,186 @@ func TestResourceSliceStrategy(t *testing.T) {
 
 func TestResourceSliceStrategyCreate(t *testing.T) {
 	ctx := genericapirequest.NewDefaultContext()
-	slice := slice.DeepCopy()
+	testCases := map[string]struct {
+		obj                     *resource.ResourceSlice
+		deviceTaints            bool
+		expectedValidationError bool
+		expectObj               *resource.ResourceSlice
+	}{
+		"simple": {
+			obj: slice,
+			expectObj: func() *resource.ResourceSlice {
+				obj := slice.DeepCopy()
+				obj.ObjectMeta.Generation = 1
+				return obj
+			}(),
+		},
+		"validation error": {
+			obj: func() *resource.ResourceSlice {
+				obj := slice.DeepCopy()
+				obj.Name = "%#@$%$"
+				return obj
+			}(),
+			expectedValidationError: true,
+		},
+		"drop-fields-device-taints": {
+			obj:          sliceWithDeviceTaints,
+			deviceTaints: false,
+			expectObj: func() *resource.ResourceSlice {
+				obj := slice.DeepCopy()
+				obj.Generation = 1
+				return obj
+			}(),
+		},
+		"keep-fields-device-taints": {
+			obj:          sliceWithDeviceTaints,
+			deviceTaints: true,
+			expectObj: func() *resource.ResourceSlice {
+				obj := sliceWithDeviceTaints.DeepCopy()
+				obj.ObjectMeta.Generation = 1
+				return obj
+			}(),
+		},
+	}
 
-	Strategy.PrepareForCreate(ctx, slice)
-	errs := Strategy.Validate(ctx, slice)
-	if len(errs) != 0 {
-		t.Errorf("unexpected error validating for create %v", errs)
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRADeviceTaints, tc.deviceTaints)
+
+			obj := tc.obj.DeepCopy()
+
+			Strategy.PrepareForCreate(ctx, obj)
+			if errs := Strategy.Validate(ctx, obj); len(errs) != 0 {
+				if !tc.expectedValidationError {
+					t.Fatalf("unexpected validation errors: %q", errs)
+				}
+				return
+			}
+			if warnings := Strategy.WarningsOnCreate(ctx, obj); len(warnings) != 0 {
+				t.Fatalf("unexpected warnings: %q", warnings)
+			}
+			Strategy.Canonicalize(obj)
+			assert.Equal(t, tc.expectObj, obj)
+		})
 	}
 }
 
 func TestResourceSliceStrategyUpdate(t *testing.T) {
-	t.Run("no-changes-okay", func(t *testing.T) {
-		ctx := genericapirequest.NewDefaultContext()
-		slice := slice.DeepCopy()
-		newSlice := slice.DeepCopy()
-		newSlice.ResourceVersion = "4"
+	ctx := genericapirequest.NewDefaultContext()
 
-		Strategy.PrepareForUpdate(ctx, newSlice, slice)
-		errs := Strategy.ValidateUpdate(ctx, newSlice, slice)
-		if len(errs) != 0 {
-			t.Errorf("unexpected validation errors: %v", errs)
-		}
-	})
+	testcases := map[string]struct {
+		oldObj                *resource.ResourceSlice
+		newObj                *resource.ResourceSlice
+		deviceTaints          bool
+		expectValidationError bool
+		expectObj             *resource.ResourceSlice
+	}{
+		"no-changes-okay": {
+			oldObj: slice,
+			newObj: func() *resource.ResourceSlice {
+				obj := slice.DeepCopy()
+				obj.ResourceVersion = "4"
+				return obj
+			}(),
+			expectObj: func() *resource.ResourceSlice {
+				obj := slice.DeepCopy()
+				obj.ResourceVersion = "4"
+				return obj
+			}(),
+		},
+		"name-change-not-allowed": {
+			oldObj: slice,
+			newObj: func() *resource.ResourceSlice {
+				obj := slice.DeepCopy()
+				obj.Name = "valid-slice-2"
+				obj.ResourceVersion = "4"
+				return obj
+			}(),
+			expectValidationError: true,
+		},
+		"drop-fields-device-taints": {
+			oldObj: slice,
+			newObj: func() *resource.ResourceSlice {
+				obj := slice.DeepCopy()
+				obj.ResourceVersion = "4"
+				return obj
+			}(),
+			deviceTaints: false,
+			expectObj: func() *resource.ResourceSlice {
+				obj := slice.DeepCopy()
+				obj.ResourceVersion = "4"
+				return obj
+			}(),
+		},
+		"keep-fields-device-taints": {
+			oldObj: slice,
+			newObj: func() *resource.ResourceSlice {
+				obj := sliceWithDeviceTaints.DeepCopy()
+				obj.ResourceVersion = "4"
+				return obj
+			}(),
+			deviceTaints: true,
+			expectObj: func() *resource.ResourceSlice {
+				obj := sliceWithDeviceTaints.DeepCopy()
+				obj.ResourceVersion = "4"
+				obj.Generation = 1
+				return obj
+			}(),
+		},
+		"keep-existing-fields-device-taints": {
+			oldObj: sliceWithDeviceTaints,
+			newObj: func() *resource.ResourceSlice {
+				obj := sliceWithDeviceTaints.DeepCopy()
+				obj.ResourceVersion = "4"
+				return obj
+			}(),
+			deviceTaints: true,
+			expectObj: func() *resource.ResourceSlice {
+				obj := sliceWithDeviceTaints.DeepCopy()
+				obj.ResourceVersion = "4"
+				return obj
+			}(),
+		},
+		"keep-existing-fields-device-taints-disabled-feature": {
+			oldObj: sliceWithDeviceTaints,
+			newObj: func() *resource.ResourceSlice {
+				obj := sliceWithDeviceTaints.DeepCopy()
+				obj.ResourceVersion = "4"
+				return obj
+			}(),
+			deviceTaints: false,
+			expectObj: func() *resource.ResourceSlice {
+				obj := sliceWithDeviceTaints.DeepCopy()
+				obj.ResourceVersion = "4"
+				return obj
+			}(),
+		},
+	}
 
-	t.Run("name-change-not-allowed", func(t *testing.T) {
-		ctx := genericapirequest.NewDefaultContext()
-		slice := slice.DeepCopy()
-		newSlice := slice.DeepCopy()
-		newSlice.Name = "valid-slice-2"
-		newSlice.ResourceVersion = "4"
+	for name, tc := range testcases {
+		t.Run(name, func(t *testing.T) {
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRADeviceTaints, tc.deviceTaints)
 
-		Strategy.PrepareForUpdate(ctx, newSlice, slice)
-		errs := Strategy.ValidateUpdate(ctx, newSlice, slice)
-		if len(errs) == 0 {
-			t.Errorf("expected a validation error")
-		}
-	})
+			oldObj := tc.oldObj.DeepCopy()
+			newObj := tc.newObj.DeepCopy()
+
+			Strategy.PrepareForUpdate(ctx, newObj, oldObj)
+			if errs := Strategy.ValidateUpdate(ctx, newObj, oldObj); len(errs) != 0 {
+				if !tc.expectValidationError {
+					t.Fatalf("unexpected validation errors: %q", errs)
+				}
+				return
+			} else if tc.expectValidationError {
+				t.Fatal("expected validation error(s), got none")
+			}
+			if warnings := Strategy.WarningsOnUpdate(ctx, newObj, oldObj); len(warnings) != 0 {
+				t.Fatalf("unexpected warnings: %q", warnings)
+			}
+			Strategy.Canonicalize(newObj)
+
+			expectObj := tc.expectObj.DeepCopy()
+			assert.Equal(t, expectObj, newObj)
+
+		})
+	}
 }
diff --git a/pkg/registry/resource/rest/storage_resource.go b/pkg/registry/resource/rest/storage_resource.go
index 18c18d95601..0ce68cfa5f1 100644
--- a/pkg/registry/resource/rest/storage_resource.go
+++ b/pkg/registry/resource/rest/storage_resource.go
@@ -26,6 +26,7 @@ import (
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
 	"k8s.io/kubernetes/pkg/apis/resource"
 	deviceclassstore "k8s.io/kubernetes/pkg/registry/resource/deviceclass/storage"
+	devicetaintrulestore "k8s.io/kubernetes/pkg/registry/resource/devicetaintrule/storage"
 	resourceclaimstore "k8s.io/kubernetes/pkg/registry/resource/resourceclaim/storage"
 	resourceclaimtemplatestore "k8s.io/kubernetes/pkg/registry/resource/resourceclaimtemplate/storage"
 	resourceslicestore "k8s.io/kubernetes/pkg/registry/resource/resourceslice/storage"
@@ -93,6 +94,14 @@ func (p RESTStorageProvider) v1alpha3Storage(apiResourceConfigSource serverstora
 		storage[resource] = resourceSliceStorage
 	}
 
+	if resource := "devicetaintrules"; apiResourceConfigSource.ResourceEnabled(resourcev1alpha3.SchemeGroupVersion.WithResource(resource)) {
+		deviceTaintStorage, err := devicetaintrulestore.NewREST(restOptionsGetter)
+		if err != nil {
+			return nil, err
+		}
+		storage[resource] = deviceTaintStorage
+	}
+
 	return storage, nil
 }
 
diff --git a/staging/src/k8s.io/api/resource/v1alpha3/register.go b/staging/src/k8s.io/api/resource/v1alpha3/register.go
index 8573758e319..b02ba0e28ba 100644
--- a/staging/src/k8s.io/api/resource/v1alpha3/register.go
+++ b/staging/src/k8s.io/api/resource/v1alpha3/register.go
@@ -52,6 +52,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 		&ResourceClaimTemplateList{},
 		&ResourceSlice{},
 		&ResourceSliceList{},
+		&DeviceTaintRule{},
+		&DeviceTaintRuleList{},
 	)
 
 	// Add the watch version that applies
diff --git a/staging/src/k8s.io/api/resource/v1alpha3/types.go b/staging/src/k8s.io/api/resource/v1alpha3/types.go
index b6c6c31840e..8d8337abf97 100644
--- a/staging/src/k8s.io/api/resource/v1alpha3/types.go
+++ b/staging/src/k8s.io/api/resource/v1alpha3/types.go
@@ -223,6 +223,18 @@ type BasicDevice struct {
 	//
 	// +optional
 	Capacity map[QualifiedName]resource.Quantity `json:"capacity,omitempty" protobuf:"bytes,2,rep,name=capacity"`
+
+	// If specified, these are the driver-defined taints.
+	//
+	// The maximum number of taints is 8.
+	//
+	// This is an alpha field and requires enabling the DRADeviceTaints
+	// feature gate.
+	//
+	// +optional
+	// +listType=atomic
+	// +featureGate=DRADeviceTaints
+	Taints []DeviceTaint `json:"taints,omitempty" protobuf:"bytes,3,rep,name=taints"`
 }
 
 // Limit for the sum of the number of entries in both attributes and capacity.
@@ -290,6 +302,64 @@ type DeviceAttribute struct {
 // DeviceAttributeMaxValueLength is the maximum length of a string or version attribute value.
 const DeviceAttributeMaxValueLength = 64
 
+// DeviceTaintsMaxLength is the maximum number of taints per device.
+const DeviceTaintsMaxLength = 8
+
+// The device this taint is attached to has the "effect" on
+// any claim which does not tolerate the taint and, through the claim,
+// to pods using the claim.
+type DeviceTaint struct {
+	// The taint key to be applied to a device.
+	// Must be a label name.
+	//
+	// +required
+	Key string `json:"key" protobuf:"bytes,1,name=key"`
+
+	// The taint value corresponding to the taint key.
+	// Must be a label value.
+	//
+	// +optional
+	Value string `json:"value,omitempty" protobuf:"bytes,2,opt,name=value"`
+
+	// The effect of the taint on claims that do not tolerate the taint
+	// and through such claims on the pods using them.
+	// Valid effects are NoSchedule and NoExecute. PreferNoSchedule as used for
+	// nodes is not valid here.
+	//
+	// +required
+	Effect DeviceTaintEffect `json:"effect" protobuf:"bytes,3,name=effect,casttype=DeviceTaintEffect"`
+
+	// ^^^^
+	//
+	// Implementing PreferNoSchedule would depend on a scoring solution for DRA.
+	// It might get added as part of that.
+
+	// TimeAdded represents the time at which the taint was added.
+	// Added automatically during create or update if not set.
+	//
+	// +optional
+	TimeAdded *metav1.Time `json:"timeAdded,omitempty" protobuf:"bytes,4,opt,name=timeAdded"`
+
+	// ^^^
+	//
+	// This field was defined as "It is only written for NoExecute taints." for node taints.
+	// But in practice, Kubernetes never did anything with it (no validation, no defaulting,
+	// ignored during pod eviction in pkg/controller/tainteviction).
+}
+
+// +enum
+type DeviceTaintEffect string
+
+const (
+	// Do not allow new pods to schedule which use a tainted device unless they tolerate the taint,
+	// but allow all pods submitted to Kubelet without going through the scheduler
+	// to start, and allow all already-running pods to continue running.
+	DeviceTaintEffectNoSchedule DeviceTaintEffect = "NoSchedule"
+
+	// Evict any already-running pods that do not tolerate the device taint.
+	DeviceTaintEffectNoExecute DeviceTaintEffect = "NoExecute"
+)
+
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +k8s:prerelease-lifecycle-gen:introduced=1.31
 // +k8s:prerelease-lifecycle-gen:replacement=resource.k8s.io,v1beta1,ResourceSliceList
@@ -499,6 +569,32 @@ type DeviceRequest struct {
 	// +listType=atomic
 	// +featureGate=DRAPrioritizedList
 	FirstAvailable []DeviceSubRequest `json:"firstAvailable,omitempty" protobuf:"bytes,7,name=firstAvailable"`
+
+	// If specified, the request's tolerations.
+	//
+	// Tolerations for NoSchedule are required to allocate a
+	// device which has a taint with that effect. The same applies
+	// to NoExecute.
+	//
+	// In addition, should any of the allocated devices get tainted
+	// with NoExecute after allocation and that effect is not tolerated,
+	// then all pods consuming the ResourceClaim get deleted to evict
+	// them. The scheduler will not let new pods reserve the claim while
+	// it has these tainted devices. Once all pods are evicted, the
+	// claim will get deallocated.
+	//
+	// The maximum number of tolerations is 16.
+	//
+	// This field can only be set when deviceClassName is set and no subrequests
+	// are specified in the firstAvailable list.
+	//
+	// This is an alpha field and requires enabling the DRADeviceTaints
+	// feature gate.
+	//
+	// +optional
+	// +listType=atomic
+	// +featureGate=DRADeviceTaints
+	Tolerations []DeviceToleration `json:"tolerations,omitempty" protobuf:"bytes,8,opt,name=tolerations"`
 }
 
 // DeviceSubRequest describes a request for device provided in the
@@ -571,11 +667,35 @@ type DeviceSubRequest struct {
 	// +optional
 	// +oneOf=AllocationMode
 	Count int64 `json:"count,omitempty" protobuf:"bytes,5,opt,name=count"`
+
+	// If specified, the request's tolerations.
+	//
+	// Tolerations for NoSchedule are required to allocate a
+	// device which has a taint with that effect. The same applies
+	// to NoExecute.
+	//
+	// In addition, should any of the allocated devices get tainted
+	// with NoExecute after allocation and that effect is not tolerated,
+	// then all pods consuming the ResourceClaim get deleted to evict
+	// them. The scheduler will not let new pods reserve the claim while
+	// it has these tainted devices. Once all pods are evicted, the
+	// claim will get deallocated.
+	//
+	// The maximum number of tolerations is 16.
+	//
+	// This is an alpha field and requires enabling the DRADeviceTaints
+	// feature gate.
+	//
+	// +optional
+	// +listType=atomic
+	// +featureGate=DRADeviceTaints
+	Tolerations []DeviceToleration `json:"tolerations,omitempty" protobuf:"bytes,7,opt,name=tolerations"`
 }
 
 const (
 	DeviceSelectorsMaxSize             = 32
 	FirstAvailableDeviceRequestMaxSize = 8
+	DeviceTolerationsMaxLength         = 16
 )
 
 type DeviceAllocationMode string
@@ -781,6 +901,59 @@ type OpaqueDeviceConfiguration struct {
 // [OpaqueDeviceConfiguration.Parameters] field.
 const OpaqueParametersMaxLength = 10 * 1024
 
+// The ResourceClaim this DeviceToleration is attached to tolerates any taint that matches
+// the triple <key,value,effect> using the matching operator <operator>.
+type DeviceToleration struct {
+	// Key is the taint key that the toleration applies to. Empty means match all taint keys.
+	// If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+	// Must be a label name.
+	//
+	// +optional
+	Key string `json:"key,omitempty" protobuf:"bytes,1,opt,name=key"`
+
+	// Operator represents a key's relationship to the value.
+	// Valid operators are Exists and Equal. Defaults to Equal.
+	// Exists is equivalent to wildcard for value, so that a ResourceClaim can
+	// tolerate all taints of a particular category.
+	//
+	// +optional
+	// +default="Equal"
+	Operator DeviceTolerationOperator `json:"operator,omitempty" protobuf:"bytes,2,opt,name=operator,casttype=DeviceTolerationOperator"`
+
+	// Value is the taint value the toleration matches to.
+	// If the operator is Exists, the value must be empty, otherwise just a regular string.
+	// Must be a label value.
+	//
+	// +optional
+	Value string `json:"value,omitempty" protobuf:"bytes,3,opt,name=value"`
+
+	// Effect indicates the taint effect to match. Empty means match all taint effects.
+	// When specified, allowed values are NoSchedule and NoExecute.
+	//
+	// +optional
+	Effect DeviceTaintEffect `json:"effect,omitempty" protobuf:"bytes,4,opt,name=effect,casttype=DeviceTaintEffect"`
+
+	// TolerationSeconds represents the period of time the toleration (which must be
+	// of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+	// it is not set, which means tolerate the taint forever (do not evict). Zero and
+	// negative values will be treated as 0 (evict immediately) by the system.
+	// If larger than zero, the time when the pod needs to be evicted is calculated as <time when
+	// taint was adedd> + <toleration seconds>.
+	//
+	// +optional
+	TolerationSeconds *int64 `json:"tolerationSeconds,omitempty" protobuf:"varint,5,opt,name=tolerationSeconds"`
+}
+
+// A toleration operator is the set of operators that can be used in a toleration.
+//
+// +enum
+type DeviceTolerationOperator string
+
+const (
+	DeviceTolerationOpExists DeviceTolerationOperator = "Exists"
+	DeviceTolerationOpEqual  DeviceTolerationOperator = "Equal"
+)
+
 // ResourceClaimStatus tracks whether the resource has been allocated and what
 // the result of that was.
 type ResourceClaimStatus struct {
@@ -951,6 +1124,19 @@ type DeviceRequestAllocationResult struct {
 	// +optional
 	// +featureGate=DRAAdminAccess
 	AdminAccess *bool `json:"adminAccess" protobuf:"bytes,5,name=adminAccess"`
+
+	// A copy of all tolerations specified in the request at the time
+	// when the device got allocated.
+	//
+	// The maximum number of tolerations is 16.
+	//
+	// This is an alpha field and requires enabling the DRADeviceTaints
+	// feature gate.
+	//
+	// +optional
+	// +listType=atomic
+	// +featureGate=DRADeviceTaints
+	Tolerations []DeviceToleration `json:"tolerations,omitempty" protobuf:"bytes,6,opt,name=tolerations"`
 }
 
 // DeviceAllocationConfiguration gets embedded in an AllocationResult.
@@ -1228,3 +1414,107 @@ type NetworkDeviceData struct {
 	// +optional
 	HardwareAddress string `json:"hardwareAddress,omitempty" protobuf:"bytes,3,opt,name=hardwareAddress"`
 }
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +k8s:prerelease-lifecycle-gen:introduced=1.33
+
+// DeviceTaintRule adds one taint to all devices which match the selector.
+// This has the same effect as if the taint was specified directly
+// in the ResourceSlice by the DRA driver.
+type DeviceTaintRule struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Spec specifies the selector and one taint.
+	//
+	// Changing the spec automatically increments the metadata.generation number.
+	Spec DeviceTaintRuleSpec `json:"spec" protobuf:"bytes,2,name=spec"`
+
+	// ^^^
+	// A spec gets added because adding a status seems likely.
+	// Such a status could provide feedback on applying the
+	// eviction and/or statistics (number of matching devices,
+	// affected allocated claims, pods remaining to be evicted,
+	// etc.).
+}
+
+// DeviceTaintRuleSpec specifies the selector and one taint.
+type DeviceTaintRuleSpec struct {
+	// DeviceSelector defines which device(s) the taint is applied to.
+	// All selector criteria must be satified for a device to
+	// match. The empty selector matches all devices. Without
+	// a selector, no devices are matches.
+	//
+	// +optional
+	DeviceSelector *DeviceTaintSelector `json:"deviceSelector,omitempty" protobuf:"bytes,1,opt,name=deviceSelector"`
+
+	// The taint that gets applied to matching devices.
+	//
+	// +required
+	Taint DeviceTaint `json:"taint,omitempty" protobuf:"bytes,2,rep,name=taint"`
+}
+
+// DeviceTaintSelector defines which device(s) a DeviceTaintRule applies to.
+// The empty selector matches all devices. Without a selector, no devices
+// are matched.
+type DeviceTaintSelector struct {
+	// If DeviceClassName is set, the selectors defined there must be
+	// satisfied by a device to be selected. This field corresponds
+	// to class.metadata.name.
+	//
+	// +optional
+	DeviceClassName *string `json:"deviceClassName,omitempty" protobuf:"bytes,1,opt,name=deviceClassName"`
+
+	// If driver is set, only devices from that driver are selected.
+	// This fields corresponds to slice.spec.driver.
+	//
+	// +optional
+	Driver *string `json:"driver,omitempty" protobuf:"bytes,2,opt,name=driver"`
+
+	// If pool is set, only devices in that pool are selected.
+	//
+	// Also setting the driver name may be useful to avoid
+	// ambiguity when different drivers use the same pool name,
+	// but this is not required because selecting pools from
+	// different drivers may also be useful, for example when
+	// drivers with node-local devices use the node name as
+	// their pool name.
+	//
+	// +optional
+	Pool *string `json:"pool,omitempty" protobuf:"bytes,3,opt,name=pool"`
+
+	// If device is set, only devices with that name are selected.
+	// This field corresponds to slice.spec.devices[].name.
+	//
+	// Setting also driver and pool may be required to avoid ambiguity,
+	// but is not required.
+	//
+	// +optional
+	Device *string `json:"device,omitempty" protobuf:"bytes,4,opt,name=device"`
+
+	// Selectors contains the same selection criteria as a ResourceClaim.
+	// Currently, CEL expressions are supported. All of these selectors
+	// must be satisfied.
+	//
+	// +optional
+	// +listType=atomic
+	Selectors []DeviceSelector `json:"selectors,omitempty" protobuf:"bytes,5,rep,name=selectors"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +k8s:prerelease-lifecycle-gen:introduced=1.33
+
+// DeviceTaintRuleList is a collection of DeviceTaintRules.
+type DeviceTaintRuleList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard list metadata
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Items is the list of DeviceTaintRules.
+	Items []DeviceTaintRule `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
diff --git a/staging/src/k8s.io/api/resource/v1beta1/devicetaint.go b/staging/src/k8s.io/api/resource/v1beta1/devicetaint.go
new file mode 100644
index 00000000000..a2587eae929
--- /dev/null
+++ b/staging/src/k8s.io/api/resource/v1beta1/devicetaint.go
@@ -0,0 +1,35 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import "fmt"
+
+var _ fmt.Stringer = DeviceTaint{}
+
+// String converts to a string in the format '<key>=<value>:<effect>', '<key>=<value>:', '<key>:<effect>', or '<key>'.
+func (t DeviceTaint) String() string {
+	if len(t.Effect) == 0 {
+		if len(t.Value) == 0 {
+			return fmt.Sprintf("%v", t.Key)
+		}
+		return fmt.Sprintf("%v=%v:", t.Key, t.Value)
+	}
+	if len(t.Value) == 0 {
+		return fmt.Sprintf("%v:%v", t.Key, t.Effect)
+	}
+	return fmt.Sprintf("%v=%v:%v", t.Key, t.Value, t.Effect)
+}
diff --git a/staging/src/k8s.io/api/resource/v1beta1/types.go b/staging/src/k8s.io/api/resource/v1beta1/types.go
index cc1f02161f5..04b8f89575e 100644
--- a/staging/src/k8s.io/api/resource/v1beta1/types.go
+++ b/staging/src/k8s.io/api/resource/v1beta1/types.go
@@ -222,6 +222,18 @@ type BasicDevice struct {
 	//
 	// +optional
 	Capacity map[QualifiedName]DeviceCapacity `json:"capacity,omitempty" protobuf:"bytes,2,rep,name=capacity"`
+
+	// If specified, these are the driver-defined taints.
+	//
+	// The maximum number of taints is 8.
+	//
+	// This is an alpha field and requires enabling the DRADeviceTaints
+	// feature gate.
+	//
+	// +optional
+	// +listType=atomic
+	// +featureGate=DRADeviceTaints
+	Taints []DeviceTaint `json:"taints,omitempty" protobuf:"bytes,3,rep,name=taints"`
 }
 
 // DeviceCapacity describes a quantity associated with a device.
@@ -300,6 +312,66 @@ type DeviceAttribute struct {
 // DeviceAttributeMaxValueLength is the maximum length of a string or version attribute value.
 const DeviceAttributeMaxValueLength = 64
 
+// DeviceTaintsMaxLength is the maximum number of taints per device.
+const DeviceTaintsMaxLength = 8
+
+// The device this taint is attached to has the "effect" on
+// any claim which does not tolerate the taint and, through the claim,
+// to pods using the claim.
+//
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+type DeviceTaint struct {
+	// The taint key to be applied to a device.
+	// Must be a label name.
+	//
+	// +required
+	Key string `json:"key" protobuf:"bytes,1,name=key"`
+
+	// The taint value corresponding to the taint key.
+	// Must be a label value.
+	//
+	// +optional
+	Value string `json:"value,omitempty" protobuf:"bytes,2,opt,name=value"`
+
+	// The effect of the taint on claims that do not tolerate the taint
+	// and through such claims on the pods using them.
+	// Valid effects are NoSchedule and NoExecute. PreferNoSchedule as used for
+	// nodes is not valid here.
+	//
+	// +required
+	Effect DeviceTaintEffect `json:"effect" protobuf:"bytes,3,name=effect,casttype=DeviceTaintEffect"`
+
+	// ^^^^
+	//
+	// Implementing PreferNoSchedule would depend on a scoring solution for DRA.
+	// It might get added as part of that.
+
+	// TimeAdded represents the time at which the taint was added.
+	// Added automatically during create or update if not set.
+	//
+	// +optional
+	TimeAdded *metav1.Time `json:"timeAdded,omitempty" protobuf:"bytes,4,opt,name=timeAdded"`
+
+	// ^^^
+	//
+	// This field was defined as "It is only written for NoExecute taints." for node taints.
+	// But in practice, Kubernetes never did anything with it (no validation, no defaulting,
+	// ignored during pod eviction in pkg/controller/tainteviction).
+}
+
+// +enum
+type DeviceTaintEffect string
+
+const (
+	// Do not allow new pods to schedule which use a tainted device unless they tolerate the taint,
+	// but allow all pods submitted to Kubelet without going through the scheduler
+	// to start, and allow all already-running pods to continue running.
+	DeviceTaintEffectNoSchedule DeviceTaintEffect = "NoSchedule"
+
+	// Evict any already-running pods that do not tolerate the device taint.
+	DeviceTaintEffectNoExecute DeviceTaintEffect = "NoExecute"
+)
+
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +k8s:prerelease-lifecycle-gen:introduced=1.32
 
@@ -508,6 +580,32 @@ type DeviceRequest struct {
 	// +listType=atomic
 	// +featureGate=DRAPrioritizedList
 	FirstAvailable []DeviceSubRequest `json:"firstAvailable,omitempty" protobuf:"bytes,7,name=firstAvailable"`
+
+	// If specified, the request's tolerations.
+	//
+	// Tolerations for NoSchedule are required to allocate a
+	// device which has a taint with that effect. The same applies
+	// to NoExecute.
+	//
+	// In addition, should any of the allocated devices get tainted
+	// with NoExecute after allocation and that effect is not tolerated,
+	// then all pods consuming the ResourceClaim get deleted to evict
+	// them. The scheduler will not let new pods reserve the claim while
+	// it has these tainted devices. Once all pods are evicted, the
+	// claim will get deallocated.
+	//
+	// The maximum number of tolerations is 16.
+	//
+	// This field can only be set when deviceClassName is set and no subrequests
+	// are specified in the firstAvailable list.
+	//
+	// This is an alpha field and requires enabling the DRADeviceTaints
+	// feature gate.
+	//
+	// +optional
+	// +listType=atomic
+	// +featureGate=DRADeviceTaints
+	Tolerations []DeviceToleration `json:"tolerations,omitempty" protobuf:"bytes,8,opt,name=tolerations"`
 }
 
 // DeviceSubRequest describes a request for device provided in the
@@ -580,10 +678,35 @@ type DeviceSubRequest struct {
 	// +optional
 	// +oneOf=AllocationMode
 	Count int64 `json:"count,omitempty" protobuf:"bytes,5,opt,name=count"`
+
+	// If specified, the request's tolerations.
+	//
+	// Tolerations for NoSchedule are required to allocate a
+	// device which has a taint with that effect. The same applies
+	// to NoExecute.
+	//
+	// In addition, should any of the allocated devices get tainted
+	// with NoExecute after allocation and that effect is not tolerated,
+	// then all pods consuming the ResourceClaim get deleted to evict
+	// them. The scheduler will not let new pods reserve the claim while
+	// it has these tainted devices. Once all pods are evicted, the
+	// claim will get deallocated.
+	//
+	// The maximum number of tolerations is 16.
+	//
+	// This is an alpha field and requires enabling the DRADeviceTaints
+	// feature gate.
+	//
+	// +optional
+	// +listType=atomic
+	// +featureGate=DRADeviceTaints
+	Tolerations []DeviceToleration `json:"tolerations,omitempty" protobuf:"bytes,7,opt,name=tolerations"`
 }
 
 const (
-	DeviceSelectorsMaxSize = 32
+	DeviceSelectorsMaxSize             = 32
+	FirstAvailableDeviceRequestMaxSize = 8
+	DeviceTolerationsMaxLength         = 16
 )
 
 type DeviceAllocationMode string
@@ -789,6 +912,59 @@ type OpaqueDeviceConfiguration struct {
 // [OpaqueDeviceConfiguration.Parameters] field.
 const OpaqueParametersMaxLength = 10 * 1024
 
+// The ResourceClaim this DeviceToleration is attached to tolerates any taint that matches
+// the triple <key,value,effect> using the matching operator <operator>.
+type DeviceToleration struct {
+	// Key is the taint key that the toleration applies to. Empty means match all taint keys.
+	// If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+	// Must be a label name.
+	//
+	// +optional
+	Key string `json:"key,omitempty" protobuf:"bytes,1,opt,name=key"`
+
+	// Operator represents a key's relationship to the value.
+	// Valid operators are Exists and Equal. Defaults to Equal.
+	// Exists is equivalent to wildcard for value, so that a ResourceClaim can
+	// tolerate all taints of a particular category.
+	//
+	// +optional
+	// +default="Equal"
+	Operator DeviceTolerationOperator `json:"operator,omitempty" protobuf:"bytes,2,opt,name=operator,casttype=DeviceTolerationOperator"`
+
+	// Value is the taint value the toleration matches to.
+	// If the operator is Exists, the value must be empty, otherwise just a regular string.
+	// Must be a label value.
+	//
+	// +optional
+	Value string `json:"value,omitempty" protobuf:"bytes,3,opt,name=value"`
+
+	// Effect indicates the taint effect to match. Empty means match all taint effects.
+	// When specified, allowed values are NoSchedule and NoExecute.
+	//
+	// +optional
+	Effect DeviceTaintEffect `json:"effect,omitempty" protobuf:"bytes,4,opt,name=effect,casttype=DeviceTaintEffect"`
+
+	// TolerationSeconds represents the period of time the toleration (which must be
+	// of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+	// it is not set, which means tolerate the taint forever (do not evict). Zero and
+	// negative values will be treated as 0 (evict immediately) by the system.
+	// If larger than zero, the time when the pod needs to be evicted is calculated as <time when
+	// taint was adedd> + <toleration seconds>.
+	//
+	// +optional
+	TolerationSeconds *int64 `json:"tolerationSeconds,omitempty" protobuf:"varint,5,opt,name=tolerationSeconds"`
+}
+
+// A toleration operator is the set of operators that can be used in a toleration.
+//
+// +enum
+type DeviceTolerationOperator string
+
+const (
+	DeviceTolerationOpExists DeviceTolerationOperator = "Exists"
+	DeviceTolerationOpEqual  DeviceTolerationOperator = "Equal"
+)
+
 // ResourceClaimStatus tracks whether the resource has been allocated and what
 // the result of that was.
 type ResourceClaimStatus struct {
@@ -959,6 +1135,19 @@ type DeviceRequestAllocationResult struct {
 	// +optional
 	// +featureGate=DRAAdminAccess
 	AdminAccess *bool `json:"adminAccess" protobuf:"bytes,5,name=adminAccess"`
+
+	// A copy of all tolerations specified in the request at the time
+	// when the device got allocated.
+	//
+	// The maximum number of tolerations is 16.
+	//
+	// This is an alpha field and requires enabling the DRADeviceTaints
+	// feature gate.
+	//
+	// +optional
+	// +listType=atomic
+	// +featureGate=DRADeviceTaints
+	Tolerations []DeviceToleration `json:"tolerations,omitempty" protobuf:"bytes,6,opt,name=tolerations"`
 }
 
 // DeviceAllocationConfiguration gets embedded in an AllocationResult.
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/api/types.go b/staging/src/k8s.io/dynamic-resource-allocation/api/types.go
index 16682ff57e4..c07d683691d 100644
--- a/staging/src/k8s.io/dynamic-resource-allocation/api/types.go
+++ b/staging/src/k8s.io/dynamic-resource-allocation/api/types.go
@@ -18,6 +18,7 @@ package api
 
 import (
 	v1 "k8s.io/api/core/v1"
+	resourceapi "k8s.io/api/resource/v1beta1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -50,6 +51,7 @@ type Device struct {
 type BasicDevice struct {
 	Attributes map[QualifiedName]DeviceAttribute
 	Capacity   map[QualifiedName]DeviceCapacity
+	Taints     []resourceapi.DeviceTaint
 }
 
 type QualifiedName string
@@ -66,3 +68,18 @@ type DeviceAttribute struct {
 type DeviceCapacity struct {
 	Value resource.Quantity
 }
+
+type DeviceTaint struct {
+	Key       string
+	Value     string
+	Effect    DeviceTaintEffect
+	TimeAdded *metav1.Time
+}
+
+type DeviceTaintEffect string
+
+const (
+	DeviceTaintEffectNoSchedule DeviceTaintEffect = "NoSchedule"
+
+	DeviceTaintEffectNoExecute DeviceTaintEffect = "NoExecute"
+)
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/resourceclaim/devicetoleration.go b/staging/src/k8s.io/dynamic-resource-allocation/resourceclaim/devicetoleration.go
new file mode 100644
index 00000000000..4e14f8772b6
--- /dev/null
+++ b/staging/src/k8s.io/dynamic-resource-allocation/resourceclaim/devicetoleration.go
@@ -0,0 +1,53 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resourceclaim
+
+import (
+	resourceapi "k8s.io/api/resource/v1beta1"
+)
+
+// ToleratesTaint checks if the toleration tolerates the taint.
+// The matching follows the rules below:
+//
+//  1. Empty toleration.effect means to match all taint effects,
+//     otherwise taint effect must equal to toleration.effect.
+//  2. If toleration.operator is 'Exists', it means to match all taint values.
+//  3. Empty toleration.key means to match all taint keys.
+//     If toleration.key is empty, toleration.operator must be 'Exists';
+//     this combination means to match all taint values and all taint keys.
+func ToleratesTaint(toleration resourceapi.DeviceToleration, taint resourceapi.DeviceTaint) bool {
+	// This code was copied from https://github.com/kubernetes/kubernetes/blob/f007012f5fe49e40ae0596cf463a8e7b247b3357/staging/src/k8s.io/api/core/v1/toleration.go#L39-L56.
+	// It wasn't placed in the resourceapi package because code related to logic
+	// doesn't belong there.
+	if toleration.Effect != "" && toleration.Effect != taint.Effect {
+		return false
+	}
+
+	if toleration.Key != "" && toleration.Key != taint.Key {
+		return false
+	}
+
+	switch toleration.Operator {
+	// Empty operator means Equal, should be set because of defaulting.
+	case "", resourceapi.DeviceTolerationOpEqual:
+		return toleration.Value == taint.Value
+	case resourceapi.DeviceTolerationOpExists:
+		return true
+	default:
+		return false
+	}
+}
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/resourceclaim/devicetoleration_test.go b/staging/src/k8s.io/dynamic-resource-allocation/resourceclaim/devicetoleration_test.go
new file mode 100644
index 00000000000..6d346f7d114
--- /dev/null
+++ b/staging/src/k8s.io/dynamic-resource-allocation/resourceclaim/devicetoleration_test.go
@@ -0,0 +1,127 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package resourceclaim
+
+import (
+	"testing"
+
+	resourceapi "k8s.io/api/resource/v1beta1"
+)
+
+func TestTolerationToleratesTaint(t *testing.T) {
+
+	testCases := []struct {
+		description     string
+		toleration      resourceapi.DeviceToleration
+		taint           resourceapi.DeviceTaint
+		expectTolerated bool
+	}{
+		{
+			description: "toleration and taint have the same key and effect, and operator is Exists, and taint has no value, expect tolerated",
+			toleration: resourceapi.DeviceToleration{
+				Key:      "foo",
+				Operator: resourceapi.DeviceTolerationOpExists,
+				Effect:   resourceapi.DeviceTaintEffectNoSchedule,
+			},
+			taint: resourceapi.DeviceTaint{
+				Key:    "foo",
+				Effect: resourceapi.DeviceTaintEffectNoSchedule,
+			},
+			expectTolerated: true,
+		},
+		{
+			description: "toleration and taint have the same key and effect, and operator is Exists, and taint has some value, expect tolerated",
+			toleration: resourceapi.DeviceToleration{
+				Key:      "foo",
+				Operator: resourceapi.DeviceTolerationOpExists,
+				Effect:   resourceapi.DeviceTaintEffectNoSchedule,
+			},
+			taint: resourceapi.DeviceTaint{
+				Key:    "foo",
+				Value:  "bar",
+				Effect: resourceapi.DeviceTaintEffectNoSchedule,
+			},
+			expectTolerated: true,
+		},
+		{
+			description: "toleration and taint have the same effect, toleration has empty key and operator is Exists, means match all taints, expect tolerated",
+			toleration: resourceapi.DeviceToleration{
+				Key:      "",
+				Operator: resourceapi.DeviceTolerationOpExists,
+				Effect:   resourceapi.DeviceTaintEffectNoSchedule,
+			},
+			taint: resourceapi.DeviceTaint{
+				Key:    "foo",
+				Value:  "bar",
+				Effect: resourceapi.DeviceTaintEffectNoSchedule,
+			},
+			expectTolerated: true,
+		},
+		{
+			description: "toleration and taint have the same key, effect and value, and operator is Equal, expect tolerated",
+			toleration: resourceapi.DeviceToleration{
+				Key:      "foo",
+				Operator: resourceapi.DeviceTolerationOpEqual,
+				Value:    "bar",
+				Effect:   resourceapi.DeviceTaintEffectNoSchedule,
+			},
+			taint: resourceapi.DeviceTaint{
+				Key:    "foo",
+				Value:  "bar",
+				Effect: resourceapi.DeviceTaintEffectNoSchedule,
+			},
+			expectTolerated: true,
+		},
+		{
+			description: "toleration and taint have the same key and effect, but different values, and operator is Equal, expect not tolerated",
+			toleration: resourceapi.DeviceToleration{
+				Key:      "foo",
+				Operator: resourceapi.DeviceTolerationOpEqual,
+				Value:    "value1",
+				Effect:   resourceapi.DeviceTaintEffectNoSchedule,
+			},
+			taint: resourceapi.DeviceTaint{
+				Key:    "foo",
+				Value:  "value2",
+				Effect: resourceapi.DeviceTaintEffectNoSchedule,
+			},
+			expectTolerated: false,
+		},
+		{
+			description: "toleration and taint have the same key and value, but different effects, and operator is Equal, expect not tolerated",
+			toleration: resourceapi.DeviceToleration{
+				Key:      "foo",
+				Operator: resourceapi.DeviceTolerationOpEqual,
+				Value:    "bar",
+				Effect:   resourceapi.DeviceTaintEffectNoSchedule,
+			},
+			taint: resourceapi.DeviceTaint{
+				Key:    "foo",
+				Value:  "bar",
+				Effect: resourceapi.DeviceTaintEffectNoExecute,
+			},
+			expectTolerated: false,
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.description, func(t *testing.T) {
+			if tolerated := ToleratesTaint(tc.toleration, tc.taint); tc.expectTolerated != tolerated {
+				t.Errorf("expect %v, got %v: toleration %+v, taint %s", tc.expectTolerated, tolerated, tc.toleration, tc.taint)
+			}
+		})
+	}
+}
diff --git a/test/e2e/dra/test-driver/deploy/example/devicetaintpolicy.yaml b/test/e2e/dra/test-driver/deploy/example/devicetaintpolicy.yaml
new file mode 100644
index 00000000000..c1e007c7607
--- /dev/null
+++ b/test/e2e/dra/test-driver/deploy/example/devicetaintpolicy.yaml
@@ -0,0 +1,13 @@
+apiVersion: resource.k8s.io/v1alpha3
+kind: DeviceTaintRule
+metadata:
+  name: example
+spec:
+  # The entire hardware installation is broken.
+  # Evict all pods and don't schedule new ones.
+  selector:
+    driver: dra.example.com
+  taint:
+    key: dra.example.com/health
+    value: "Down"
+    effect: NoExecute
diff --git a/test/integration/apiserver/apply/reset_fields_test.go b/test/integration/apiserver/apply/reset_fields_test.go
index b703e9de9b9..ff8116fe0fc 100644
--- a/test/integration/apiserver/apply/reset_fields_test.go
+++ b/test/integration/apiserver/apply/reset_fields_test.go
@@ -153,6 +153,7 @@ var resetFieldsSpecData = map[schema.GroupVersionResource]string{
 	gvr("resource.k8s.io", "v1alpha3", "deviceclasses"):                            `{"metadata": {"labels":{"a":"c"}}}`,
 	gvr("resource.k8s.io", "v1alpha3", "resourceclaims"):                           `{"spec": {"devices": {"requests": [{"name": "req-0", "deviceClassName": "other-class"}]}}}`, // spec is immutable, but that doesn't matter for the test.
 	gvr("resource.k8s.io", "v1alpha3", "resourceclaimtemplates"):                   `{"spec": {"spec": {"resourceClassName": "class2name"}}}`,
+	gvr("resource.k8s.io", "v1alpha3", "devicetaintrules"):                         `{"metadata": {"labels":{"a":"c"}}}`,
 	gvr("resource.k8s.io", "v1beta1", "deviceclasses"):                             `{"metadata": {"labels":{"a":"c"}}}`,
 	gvr("resource.k8s.io", "v1beta1", "resourceclaims"):                            `{"spec": {"devices": {"requests": [{"name": "req-0", "deviceClassName": "other-class"}]}}}`, // spec is immutable, but that doesn't matter for the test.
 	gvr("resource.k8s.io", "v1beta1", "resourceclaimtemplates"):                    `{"spec": {"spec": {"resourceClassName": "class2name"}}}`,
diff --git a/test/integration/etcd/data.go b/test/integration/etcd/data.go
index 3ec1763305b..85848ec79ec 100644
--- a/test/integration/etcd/data.go
+++ b/test/integration/etcd/data.go
@@ -590,6 +590,12 @@ func GetEtcdStorageDataForNamespaceServedAt(namespace string, v string, removeAl
 			IntroducedVersion: "1.31",
 			RemovedVersion:    "1.37",
 		},
+		gvr("resource.k8s.io", "v1alpha3", "devicetaintrules"): {
+			Stub:              `{"metadata": {"name": "taint1name"}, "spec": {"taint": {"key": "example.com/taintkey", "value": "taintvalue", "effect": "NoSchedule"}}}`,
+			ExpectedEtcdPath:  "/registry/devicetaintrules/taint1name",
+			IntroducedVersion: "1.33",
+			RemovedVersion:    "1.39",
+		},
 		// --
 
 		// k8s.io/kubernetes/pkg/apis/resource/v1beta1

From 99dbd85c45f77a4fd719ff9271128e8a4ed46082 Mon Sep 17 00:00:00 2001
From: Patrick Ohly <patrick.ohly@intel.com>
Date: Fri, 7 Mar 2025 14:59:08 +0100
Subject: [PATCH 03/11] DRA: generated files for device taints API

---
 api/discovery/aggregated_v2.json              |   20 +
 .../apis__resource.k8s.io__v1alpha3.json      |   17 +
 api/openapi-spec/swagger.json                 |  938 +++++++
 ...is__resource.k8s.io__v1alpha3_openapi.json | 1491 +++++++++++
 ...pis__resource.k8s.io__v1beta1_openapi.json |  112 +
 .../v1alpha3/zz_generated.conversion.go       |  224 ++
 .../v1alpha3/zz_generated.defaults.go         |   71 +
 .../v1beta1/zz_generated.conversion.go        |   82 +
 .../resource/v1beta1/zz_generated.defaults.go |   56 +
 pkg/apis/resource/zz_generated.deepcopy.go    |  194 ++
 pkg/generated/openapi/zz_generated.openapi.go |  554 ++++-
 .../api/resource/v1alpha3/generated.pb.go     | 2173 +++++++++++++++--
 .../api/resource/v1alpha3/generated.proto     |  235 ++
 .../v1alpha3/types_swagger_doc_generated.go   |   72 +
 .../v1alpha3/zz_generated.deepcopy.go         |  194 ++
 .../zz_generated.prerelease-lifecycle.go      |   36 +
 .../api/resource/v1beta1/generated.pb.go      | 1137 +++++++--
 .../api/resource/v1beta1/generated.proto      |  150 ++
 .../v1beta1/types_swagger_doc_generated.go    |   29 +
 .../resource/v1beta1/zz_generated.deepcopy.go |   69 +
 ...ource.k8s.io.v1alpha3.DeviceTaintRule.json |   67 +
 ...esource.k8s.io.v1alpha3.DeviceTaintRule.pb |  Bin 0 -> 543 bytes
 ...ource.k8s.io.v1alpha3.DeviceTaintRule.yaml |   48 +
 ...esource.k8s.io.v1alpha3.ResourceClaim.json |   31 +-
 .../resource.k8s.io.v1alpha3.ResourceClaim.pb |  Bin 1363 -> 1526 bytes
 ...esource.k8s.io.v1alpha3.ResourceClaim.yaml |   18 +
 ...k8s.io.v1alpha3.ResourceClaimTemplate.json |   20 +-
 ...e.k8s.io.v1alpha3.ResourceClaimTemplate.pb |  Bin 1117 -> 1226 bytes
 ...k8s.io.v1alpha3.ResourceClaimTemplate.yaml |   12 +
 ...esource.k8s.io.v1alpha3.ResourceSlice.json |   10 +-
 .../resource.k8s.io.v1alpha3.ResourceSlice.pb |  Bin 628 -> 676 bytes
 ...esource.k8s.io.v1alpha3.ResourceSlice.yaml |    5 +
 ...resource.k8s.io.v1beta1.ResourceClaim.json |   31 +-
 .../resource.k8s.io.v1beta1.ResourceClaim.pb  |  Bin 1362 -> 1525 bytes
 ...resource.k8s.io.v1beta1.ResourceClaim.yaml |   18 +
 ....k8s.io.v1beta1.ResourceClaimTemplate.json |   20 +-
 ...ce.k8s.io.v1beta1.ResourceClaimTemplate.pb |  Bin 1116 -> 1225 bytes
 ....k8s.io.v1beta1.ResourceClaimTemplate.yaml |   12 +
 ...resource.k8s.io.v1beta1.ResourceSlice.json |   10 +-
 .../resource.k8s.io.v1beta1.ResourceSlice.pb  |  Bin 629 -> 677 bytes
 ...resource.k8s.io.v1beta1.ResourceSlice.yaml |    5 +
 .../applyconfigurations/internal/internal.go  |  168 ++
 .../resource/v1alpha3/basicdevice.go          |   14 +
 .../resource/v1alpha3/devicerequest.go        |   14 +
 .../v1alpha3/devicerequestallocationresult.go |   24 +-
 .../resource/v1alpha3/devicesubrequest.go     |   14 +
 .../resource/v1alpha3/devicetaint.go          |   71 +
 .../resource/v1alpha3/devicetaintrule.go      |  253 ++
 .../resource/v1alpha3/devicetaintrulespec.go  |   48 +
 .../resource/v1alpha3/devicetaintselector.go  |   80 +
 .../resource/v1alpha3/devicetoleration.go     |   79 +
 .../resource/v1beta1/basicdevice.go           |   14 +
 .../resource/v1beta1/devicerequest.go         |   14 +
 .../v1beta1/devicerequestallocationresult.go  |   24 +-
 .../resource/v1beta1/devicesubrequest.go      |   14 +
 .../resource/v1beta1/devicetaint.go           |   71 +
 .../resource/v1beta1/devicetoleration.go      |   79 +
 .../client-go/applyconfigurations/utils.go    |   14 +
 .../src/k8s.io/client-go/informers/generic.go |    2 +
 .../resource/v1alpha3/devicetaintrule.go      |  101 +
 .../informers/resource/v1alpha3/interface.go  |    7 +
 .../resource/v1alpha3/devicetaintrule.go      |   71 +
 .../v1alpha3/fake/fake_devicetaintrule.go     |   53 +
 .../v1alpha3/fake/fake_resource_client.go     |    4 +
 .../resource/v1alpha3/generated_expansion.go  |    2 +
 .../resource/v1alpha3/resource_client.go      |    5 +
 .../resource/v1alpha3/devicetaintrule.go      |   48 +
 .../resource/v1alpha3/expansion_generated.go  |    4 +
 .../api/zz_generated.conversion.go            |   45 +-
 69 files changed, 9179 insertions(+), 319 deletions(-)
 create mode 100644 staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.DeviceTaintRule.json
 create mode 100644 staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.DeviceTaintRule.pb
 create mode 100644 staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.DeviceTaintRule.yaml
 create mode 100644 staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicetaint.go
 create mode 100644 staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicetaintrule.go
 create mode 100644 staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicetaintrulespec.go
 create mode 100644 staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicetaintselector.go
 create mode 100644 staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicetoleration.go
 create mode 100644 staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicetaint.go
 create mode 100644 staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicetoleration.go
 create mode 100644 staging/src/k8s.io/client-go/informers/resource/v1alpha3/devicetaintrule.go
 create mode 100644 staging/src/k8s.io/client-go/kubernetes/typed/resource/v1alpha3/devicetaintrule.go
 create mode 100644 staging/src/k8s.io/client-go/kubernetes/typed/resource/v1alpha3/fake/fake_devicetaintrule.go
 create mode 100644 staging/src/k8s.io/client-go/listers/resource/v1alpha3/devicetaintrule.go

diff --git a/api/discovery/aggregated_v2.json b/api/discovery/aggregated_v2.json
index d38e89db052..e9e9482ed1b 100644
--- a/api/discovery/aggregated_v2.json
+++ b/api/discovery/aggregated_v2.json
@@ -1915,6 +1915,26 @@
                 "watch"
               ]
             },
+            {
+              "resource": "devicetaintrules",
+              "responseKind": {
+                "group": "",
+                "kind": "DeviceTaintRule",
+                "version": ""
+              },
+              "scope": "Cluster",
+              "singularResource": "devicetaintrule",
+              "verbs": [
+                "create",
+                "delete",
+                "deletecollection",
+                "get",
+                "list",
+                "patch",
+                "update",
+                "watch"
+              ]
+            },
             {
               "resource": "resourceclaims",
               "responseKind": {
diff --git a/api/discovery/apis__resource.k8s.io__v1alpha3.json b/api/discovery/apis__resource.k8s.io__v1alpha3.json
index d331ccbb808..2073026e04f 100644
--- a/api/discovery/apis__resource.k8s.io__v1alpha3.json
+++ b/api/discovery/apis__resource.k8s.io__v1alpha3.json
@@ -20,6 +20,23 @@
         "watch"
       ]
     },
+    {
+      "kind": "DeviceTaintRule",
+      "name": "devicetaintrules",
+      "namespaced": false,
+      "singularName": "devicetaintrule",
+      "storageVersionHash": "DJ3UJ0fj8MI=",
+      "verbs": [
+        "create",
+        "delete",
+        "deletecollection",
+        "get",
+        "list",
+        "patch",
+        "update",
+        "watch"
+      ]
+    },
     {
       "kind": "ResourceClaim",
       "name": "resourceclaims",
diff --git a/api/openapi-spec/swagger.json b/api/openapi-spec/swagger.json
index e07367312f2..f29888d0472 100644
--- a/api/openapi-spec/swagger.json
+++ b/api/openapi-spec/swagger.json
@@ -14971,6 +14971,14 @@
           },
           "description": "Capacity defines the set of capacities for this device. The name of each capacity must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.",
           "type": "object"
+        },
+        "taints": {
+          "description": "If specified, these are the driver-defined taints.\n\nThe maximum number of taints is 8.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
+          "items": {
+            "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceTaint"
+          },
+          "type": "array",
+          "x-kubernetes-list-type": "atomic"
         }
       },
       "type": "object"
@@ -15279,6 +15287,14 @@
           },
           "type": "array",
           "x-kubernetes-list-type": "atomic"
+        },
+        "tolerations": {
+          "description": "If specified, the request's tolerations.\n\nTolerations for NoSchedule are required to allocate a device which has a taint with that effect. The same applies to NoExecute.\n\nIn addition, should any of the allocated devices get tainted with NoExecute after allocation and that effect is not tolerated, then all pods consuming the ResourceClaim get deleted to evict them. The scheduler will not let new pods reserve the claim while it has these tainted devices. Once all pods are evicted, the claim will get deallocated.\n\nThe maximum number of tolerations is 16.\n\nThis field can only be set when deviceClassName is set and no subrequests are specified in the firstAvailable list.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
+          "items": {
+            "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceToleration"
+          },
+          "type": "array",
+          "x-kubernetes-list-type": "atomic"
         }
       },
       "required": [
@@ -15308,6 +15324,14 @@
         "request": {
           "description": "Request is the name of the request in the claim which caused this device to be allocated. If it references a subrequest in the firstAvailable list on a DeviceRequest, this field must include both the name of the main request and the subrequest using the format <main request>/<subrequest>.\n\nMultiple devices may have been allocated per request.",
           "type": "string"
+        },
+        "tolerations": {
+          "description": "A copy of all tolerations specified in the request at the time when the device got allocated.\n\nThe maximum number of tolerations is 16.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
+          "items": {
+            "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceToleration"
+          },
+          "type": "array",
+          "x-kubernetes-list-type": "atomic"
         }
       },
       "required": [
@@ -15355,6 +15379,14 @@
           },
           "type": "array",
           "x-kubernetes-list-type": "atomic"
+        },
+        "tolerations": {
+          "description": "If specified, the request's tolerations.\n\nTolerations for NoSchedule are required to allocate a device which has a taint with that effect. The same applies to NoExecute.\n\nIn addition, should any of the allocated devices get tainted with NoExecute after allocation and that effect is not tolerated, then all pods consuming the ResourceClaim get deleted to evict them. The scheduler will not let new pods reserve the claim while it has these tainted devices. Once all pods are evicted, the claim will get deallocated.\n\nThe maximum number of tolerations is 16.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
+          "items": {
+            "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceToleration"
+          },
+          "type": "array",
+          "x-kubernetes-list-type": "atomic"
         }
       },
       "required": [
@@ -15363,6 +15395,173 @@
       ],
       "type": "object"
     },
+    "io.k8s.api.resource.v1alpha3.DeviceTaint": {
+      "description": "The device this taint is attached to has the \"effect\" on any claim which does not tolerate the taint and, through the claim, to pods using the claim.",
+      "properties": {
+        "effect": {
+          "description": "The effect of the taint on claims that do not tolerate the taint and through such claims on the pods using them. Valid effects are NoSchedule and NoExecute. PreferNoSchedule as used for nodes is not valid here.",
+          "type": "string"
+        },
+        "key": {
+          "description": "The taint key to be applied to a device. Must be a label name.",
+          "type": "string"
+        },
+        "timeAdded": {
+          "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time",
+          "description": "TimeAdded represents the time at which the taint was added. Added automatically during create or update if not set."
+        },
+        "value": {
+          "description": "The taint value corresponding to the taint key. Must be a label value.",
+          "type": "string"
+        }
+      },
+      "required": [
+        "key",
+        "effect"
+      ],
+      "type": "object"
+    },
+    "io.k8s.api.resource.v1alpha3.DeviceTaintRule": {
+      "description": "DeviceTaintRule adds one taint to all devices which match the selector. This has the same effect as if the taint was specified directly in the ResourceSlice by the DRA driver.",
+      "properties": {
+        "apiVersion": {
+          "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+          "type": "string"
+        },
+        "kind": {
+          "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+          "type": "string"
+        },
+        "metadata": {
+          "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta",
+          "description": "Standard object metadata"
+        },
+        "spec": {
+          "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceTaintRuleSpec",
+          "description": "Spec specifies the selector and one taint.\n\nChanging the spec automatically increments the metadata.generation number."
+        }
+      },
+      "required": [
+        "spec"
+      ],
+      "type": "object",
+      "x-kubernetes-group-version-kind": [
+        {
+          "group": "resource.k8s.io",
+          "kind": "DeviceTaintRule",
+          "version": "v1alpha3"
+        }
+      ]
+    },
+    "io.k8s.api.resource.v1alpha3.DeviceTaintRuleList": {
+      "description": "DeviceTaintRuleList is a collection of DeviceTaintRules.",
+      "properties": {
+        "apiVersion": {
+          "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+          "type": "string"
+        },
+        "items": {
+          "description": "Items is the list of DeviceTaintRules.",
+          "items": {
+            "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+          },
+          "type": "array"
+        },
+        "kind": {
+          "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+          "type": "string"
+        },
+        "metadata": {
+          "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta",
+          "description": "Standard list metadata"
+        }
+      },
+      "required": [
+        "items"
+      ],
+      "type": "object",
+      "x-kubernetes-group-version-kind": [
+        {
+          "group": "resource.k8s.io",
+          "kind": "DeviceTaintRuleList",
+          "version": "v1alpha3"
+        }
+      ]
+    },
+    "io.k8s.api.resource.v1alpha3.DeviceTaintRuleSpec": {
+      "description": "DeviceTaintRuleSpec specifies the selector and one taint.",
+      "properties": {
+        "deviceSelector": {
+          "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceTaintSelector",
+          "description": "DeviceSelector defines which device(s) the taint is applied to. All selector criteria must be satified for a device to match. The empty selector matches all devices. Without a selector, no devices are matches."
+        },
+        "taint": {
+          "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceTaint",
+          "description": "The taint that gets applied to matching devices."
+        }
+      },
+      "required": [
+        "taint"
+      ],
+      "type": "object"
+    },
+    "io.k8s.api.resource.v1alpha3.DeviceTaintSelector": {
+      "description": "DeviceTaintSelector defines which device(s) a DeviceTaintRule applies to. The empty selector matches all devices. Without a selector, no devices are matched.",
+      "properties": {
+        "device": {
+          "description": "If device is set, only devices with that name are selected. This field corresponds to slice.spec.devices[].name.\n\nSetting also driver and pool may be required to avoid ambiguity, but is not required.",
+          "type": "string"
+        },
+        "deviceClassName": {
+          "description": "If DeviceClassName is set, the selectors defined there must be satisfied by a device to be selected. This field corresponds to class.metadata.name.",
+          "type": "string"
+        },
+        "driver": {
+          "description": "If driver is set, only devices from that driver are selected. This fields corresponds to slice.spec.driver.",
+          "type": "string"
+        },
+        "pool": {
+          "description": "If pool is set, only devices in that pool are selected.\n\nAlso setting the driver name may be useful to avoid ambiguity when different drivers use the same pool name, but this is not required because selecting pools from different drivers may also be useful, for example when drivers with node-local devices use the node name as their pool name.",
+          "type": "string"
+        },
+        "selectors": {
+          "description": "Selectors contains the same selection criteria as a ResourceClaim. Currently, CEL expressions are supported. All of these selectors must be satisfied.",
+          "items": {
+            "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceSelector"
+          },
+          "type": "array",
+          "x-kubernetes-list-type": "atomic"
+        }
+      },
+      "type": "object"
+    },
+    "io.k8s.api.resource.v1alpha3.DeviceToleration": {
+      "description": "The ResourceClaim this DeviceToleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.",
+      "properties": {
+        "effect": {
+          "description": "Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule and NoExecute.",
+          "type": "string"
+        },
+        "key": {
+          "description": "Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. Must be a label name.",
+          "type": "string"
+        },
+        "operator": {
+          "description": "Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a ResourceClaim can tolerate all taints of a particular category.",
+          "type": "string"
+        },
+        "tolerationSeconds": {
+          "description": "TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. If larger than zero, the time when the pod needs to be evicted is calculated as <time when taint was adedd> + <toleration seconds>.",
+          "format": "int64",
+          "type": "integer"
+        },
+        "value": {
+          "description": "Value is the taint value the toleration matches to. If the operator is Exists, the value must be empty, otherwise just a regular string. Must be a label value.",
+          "type": "string"
+        }
+      },
+      "type": "object"
+    },
     "io.k8s.api.resource.v1alpha3.NetworkDeviceData": {
       "description": "NetworkDeviceData provides network-related details for the allocated device. This information may be filled by drivers or other components to configure or identify the device within a network context.",
       "properties": {
@@ -15833,6 +16032,14 @@
           },
           "description": "Capacity defines the set of capacities for this device. The name of each capacity must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.",
           "type": "object"
+        },
+        "taints": {
+          "description": "If specified, these are the driver-defined taints.\n\nThe maximum number of taints is 8.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
+          "items": {
+            "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceTaint"
+          },
+          "type": "array",
+          "x-kubernetes-list-type": "atomic"
         }
       },
       "type": "object"
@@ -16154,6 +16361,14 @@
           },
           "type": "array",
           "x-kubernetes-list-type": "atomic"
+        },
+        "tolerations": {
+          "description": "If specified, the request's tolerations.\n\nTolerations for NoSchedule are required to allocate a device which has a taint with that effect. The same applies to NoExecute.\n\nIn addition, should any of the allocated devices get tainted with NoExecute after allocation and that effect is not tolerated, then all pods consuming the ResourceClaim get deleted to evict them. The scheduler will not let new pods reserve the claim while it has these tainted devices. Once all pods are evicted, the claim will get deallocated.\n\nThe maximum number of tolerations is 16.\n\nThis field can only be set when deviceClassName is set and no subrequests are specified in the firstAvailable list.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
+          "items": {
+            "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceToleration"
+          },
+          "type": "array",
+          "x-kubernetes-list-type": "atomic"
         }
       },
       "required": [
@@ -16183,6 +16398,14 @@
         "request": {
           "description": "Request is the name of the request in the claim which caused this device to be allocated. If it references a subrequest in the firstAvailable list on a DeviceRequest, this field must include both the name of the main request and the subrequest using the format <main request>/<subrequest>.\n\nMultiple devices may have been allocated per request.",
           "type": "string"
+        },
+        "tolerations": {
+          "description": "A copy of all tolerations specified in the request at the time when the device got allocated.\n\nThe maximum number of tolerations is 16.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
+          "items": {
+            "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceToleration"
+          },
+          "type": "array",
+          "x-kubernetes-list-type": "atomic"
         }
       },
       "required": [
@@ -16230,6 +16453,14 @@
           },
           "type": "array",
           "x-kubernetes-list-type": "atomic"
+        },
+        "tolerations": {
+          "description": "If specified, the request's tolerations.\n\nTolerations for NoSchedule are required to allocate a device which has a taint with that effect. The same applies to NoExecute.\n\nIn addition, should any of the allocated devices get tainted with NoExecute after allocation and that effect is not tolerated, then all pods consuming the ResourceClaim get deleted to evict them. The scheduler will not let new pods reserve the claim while it has these tainted devices. Once all pods are evicted, the claim will get deallocated.\n\nThe maximum number of tolerations is 16.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
+          "items": {
+            "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceToleration"
+          },
+          "type": "array",
+          "x-kubernetes-list-type": "atomic"
         }
       },
       "required": [
@@ -16238,6 +16469,59 @@
       ],
       "type": "object"
     },
+    "io.k8s.api.resource.v1beta1.DeviceTaint": {
+      "description": "The device this taint is attached to has the \"effect\" on any claim which does not tolerate the taint and, through the claim, to pods using the claim.",
+      "properties": {
+        "effect": {
+          "description": "The effect of the taint on claims that do not tolerate the taint and through such claims on the pods using them. Valid effects are NoSchedule and NoExecute. PreferNoSchedule as used for nodes is not valid here.",
+          "type": "string"
+        },
+        "key": {
+          "description": "The taint key to be applied to a device. Must be a label name.",
+          "type": "string"
+        },
+        "timeAdded": {
+          "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time",
+          "description": "TimeAdded represents the time at which the taint was added. Added automatically during create or update if not set."
+        },
+        "value": {
+          "description": "The taint value corresponding to the taint key. Must be a label value.",
+          "type": "string"
+        }
+      },
+      "required": [
+        "key",
+        "effect"
+      ],
+      "type": "object"
+    },
+    "io.k8s.api.resource.v1beta1.DeviceToleration": {
+      "description": "The ResourceClaim this DeviceToleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.",
+      "properties": {
+        "effect": {
+          "description": "Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule and NoExecute.",
+          "type": "string"
+        },
+        "key": {
+          "description": "Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. Must be a label name.",
+          "type": "string"
+        },
+        "operator": {
+          "description": "Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a ResourceClaim can tolerate all taints of a particular category.",
+          "type": "string"
+        },
+        "tolerationSeconds": {
+          "description": "TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. If larger than zero, the time when the pod needs to be evicted is calculated as <time when taint was adedd> + <toleration seconds>.",
+          "format": "int64",
+          "type": "integer"
+        },
+        "value": {
+          "description": "Value is the taint value the toleration matches to. If the operator is Exists, the value must be empty, otherwise just a regular string. Must be a label value.",
+          "type": "string"
+        }
+      },
+      "type": "object"
+    },
     "io.k8s.api.resource.v1beta1.NetworkDeviceData": {
       "description": "NetworkDeviceData provides network-related details for the allocated device. This information may be filled by drivers or other components to configure or identify the device within a network context.",
       "properties": {
@@ -75084,6 +75368,500 @@
         }
       }
     },
+    "/apis/resource.k8s.io/v1alpha3/devicetaintrules": {
+      "delete": {
+        "consumes": [
+          "*/*"
+        ],
+        "description": "delete collection of DeviceTaintRule",
+        "operationId": "deleteResourceV1alpha3CollectionDeviceTaintRule",
+        "parameters": [
+          {
+            "$ref": "#/parameters/body-2Y1dVQaQ"
+          },
+          {
+            "$ref": "#/parameters/continue-QfD61s0i"
+          },
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "$ref": "#/parameters/fieldSelector-xIcQKXFG"
+          },
+          {
+            "$ref": "#/parameters/gracePeriodSeconds--K5HaBOS"
+          },
+          {
+            "$ref": "#/parameters/ignoreStoreReadErrorWithClusterBreakingPotential-QbNkfIqj"
+          },
+          {
+            "$ref": "#/parameters/labelSelector-5Zw57w4C"
+          },
+          {
+            "$ref": "#/parameters/limit-1NfNmdNH"
+          },
+          {
+            "$ref": "#/parameters/orphanDependents-uRB25kX5"
+          },
+          {
+            "$ref": "#/parameters/propagationPolicy-6jk3prlO"
+          },
+          {
+            "$ref": "#/parameters/resourceVersion-5WAnf1kx"
+          },
+          {
+            "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
+          },
+          {
+            "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
+          },
+          {
+            "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
+          }
+        ],
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf",
+          "application/cbor"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "resource_v1alpha3"
+        ],
+        "x-kubernetes-action": "deletecollection",
+        "x-kubernetes-group-version-kind": {
+          "group": "resource.k8s.io",
+          "kind": "DeviceTaintRule",
+          "version": "v1alpha3"
+        }
+      },
+      "get": {
+        "consumes": [
+          "*/*"
+        ],
+        "description": "list or watch objects of kind DeviceTaintRule",
+        "operationId": "listResourceV1alpha3DeviceTaintRule",
+        "parameters": [
+          {
+            "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
+          },
+          {
+            "$ref": "#/parameters/continue-QfD61s0i"
+          },
+          {
+            "$ref": "#/parameters/fieldSelector-xIcQKXFG"
+          },
+          {
+            "$ref": "#/parameters/labelSelector-5Zw57w4C"
+          },
+          {
+            "$ref": "#/parameters/limit-1NfNmdNH"
+          },
+          {
+            "$ref": "#/parameters/resourceVersion-5WAnf1kx"
+          },
+          {
+            "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
+          },
+          {
+            "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
+          },
+          {
+            "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
+          },
+          {
+            "$ref": "#/parameters/watch-XNNPZGbK"
+          }
+        ],
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf",
+          "application/cbor",
+          "application/json;stream=watch",
+          "application/vnd.kubernetes.protobuf;stream=watch",
+          "application/cbor-seq"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceTaintRuleList"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "resource_v1alpha3"
+        ],
+        "x-kubernetes-action": "list",
+        "x-kubernetes-group-version-kind": {
+          "group": "resource.k8s.io",
+          "kind": "DeviceTaintRule",
+          "version": "v1alpha3"
+        }
+      },
+      "parameters": [
+        {
+          "$ref": "#/parameters/pretty-tJGM1-ng"
+        }
+      ],
+      "post": {
+        "consumes": [
+          "*/*"
+        ],
+        "description": "create a DeviceTaintRule",
+        "operationId": "createResourceV1alpha3DeviceTaintRule",
+        "parameters": [
+          {
+            "in": "body",
+            "name": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+            }
+          },
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "$ref": "#/parameters/fieldManager-Qy4HdaTW"
+          },
+          {
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "in": "query",
+            "name": "fieldValidation",
+            "type": "string",
+            "uniqueItems": true
+          }
+        ],
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf",
+          "application/cbor"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+            }
+          },
+          "201": {
+            "description": "Created",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+            }
+          },
+          "202": {
+            "description": "Accepted",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "resource_v1alpha3"
+        ],
+        "x-kubernetes-action": "post",
+        "x-kubernetes-group-version-kind": {
+          "group": "resource.k8s.io",
+          "kind": "DeviceTaintRule",
+          "version": "v1alpha3"
+        }
+      }
+    },
+    "/apis/resource.k8s.io/v1alpha3/devicetaintrules/{name}": {
+      "delete": {
+        "consumes": [
+          "*/*"
+        ],
+        "description": "delete a DeviceTaintRule",
+        "operationId": "deleteResourceV1alpha3DeviceTaintRule",
+        "parameters": [
+          {
+            "$ref": "#/parameters/body-2Y1dVQaQ"
+          },
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "$ref": "#/parameters/gracePeriodSeconds--K5HaBOS"
+          },
+          {
+            "$ref": "#/parameters/ignoreStoreReadErrorWithClusterBreakingPotential-QbNkfIqj"
+          },
+          {
+            "$ref": "#/parameters/orphanDependents-uRB25kX5"
+          },
+          {
+            "$ref": "#/parameters/propagationPolicy-6jk3prlO"
+          }
+        ],
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf",
+          "application/cbor"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+            }
+          },
+          "202": {
+            "description": "Accepted",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "resource_v1alpha3"
+        ],
+        "x-kubernetes-action": "delete",
+        "x-kubernetes-group-version-kind": {
+          "group": "resource.k8s.io",
+          "kind": "DeviceTaintRule",
+          "version": "v1alpha3"
+        }
+      },
+      "get": {
+        "consumes": [
+          "*/*"
+        ],
+        "description": "read the specified DeviceTaintRule",
+        "operationId": "readResourceV1alpha3DeviceTaintRule",
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf",
+          "application/cbor"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "resource_v1alpha3"
+        ],
+        "x-kubernetes-action": "get",
+        "x-kubernetes-group-version-kind": {
+          "group": "resource.k8s.io",
+          "kind": "DeviceTaintRule",
+          "version": "v1alpha3"
+        }
+      },
+      "parameters": [
+        {
+          "description": "name of the DeviceTaintRule",
+          "in": "path",
+          "name": "name",
+          "required": true,
+          "type": "string",
+          "uniqueItems": true
+        },
+        {
+          "$ref": "#/parameters/pretty-tJGM1-ng"
+        }
+      ],
+      "patch": {
+        "consumes": [
+          "application/json-patch+json",
+          "application/merge-patch+json",
+          "application/strategic-merge-patch+json",
+          "application/apply-patch+yaml",
+          "application/apply-patch+cbor"
+        ],
+        "description": "partially update the specified DeviceTaintRule",
+        "operationId": "patchResourceV1alpha3DeviceTaintRule",
+        "parameters": [
+          {
+            "$ref": "#/parameters/body-78PwaGsr"
+          },
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "$ref": "#/parameters/fieldManager-7c6nTn1T"
+          },
+          {
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "in": "query",
+            "name": "fieldValidation",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "$ref": "#/parameters/force-tOGGb0Yi"
+          }
+        ],
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf",
+          "application/cbor"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+            }
+          },
+          "201": {
+            "description": "Created",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "resource_v1alpha3"
+        ],
+        "x-kubernetes-action": "patch",
+        "x-kubernetes-group-version-kind": {
+          "group": "resource.k8s.io",
+          "kind": "DeviceTaintRule",
+          "version": "v1alpha3"
+        }
+      },
+      "put": {
+        "consumes": [
+          "*/*"
+        ],
+        "description": "replace the specified DeviceTaintRule",
+        "operationId": "replaceResourceV1alpha3DeviceTaintRule",
+        "parameters": [
+          {
+            "in": "body",
+            "name": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+            }
+          },
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "type": "string",
+            "uniqueItems": true
+          },
+          {
+            "$ref": "#/parameters/fieldManager-Qy4HdaTW"
+          },
+          {
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "in": "query",
+            "name": "fieldValidation",
+            "type": "string",
+            "uniqueItems": true
+          }
+        ],
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf",
+          "application/cbor"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+            }
+          },
+          "201": {
+            "description": "Created",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "resource_v1alpha3"
+        ],
+        "x-kubernetes-action": "put",
+        "x-kubernetes-group-version-kind": {
+          "group": "resource.k8s.io",
+          "kind": "DeviceTaintRule",
+          "version": "v1alpha3"
+        }
+      }
+    },
     "/apis/resource.k8s.io/v1alpha3/namespaces/{namespace}/resourceclaims": {
       "delete": {
         "consumes": [
@@ -77084,6 +77862,166 @@
         }
       ]
     },
+    "/apis/resource.k8s.io/v1alpha3/watch/devicetaintrules": {
+      "get": {
+        "consumes": [
+          "*/*"
+        ],
+        "description": "watch individual changes to a list of DeviceTaintRule. deprecated: use the 'watch' parameter with a list operation instead.",
+        "operationId": "watchResourceV1alpha3DeviceTaintRuleList",
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf",
+          "application/cbor",
+          "application/json;stream=watch",
+          "application/vnd.kubernetes.protobuf;stream=watch",
+          "application/cbor-seq"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "resource_v1alpha3"
+        ],
+        "x-kubernetes-action": "watchlist",
+        "x-kubernetes-group-version-kind": {
+          "group": "resource.k8s.io",
+          "kind": "DeviceTaintRule",
+          "version": "v1alpha3"
+        }
+      },
+      "parameters": [
+        {
+          "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
+        },
+        {
+          "$ref": "#/parameters/continue-QfD61s0i"
+        },
+        {
+          "$ref": "#/parameters/fieldSelector-xIcQKXFG"
+        },
+        {
+          "$ref": "#/parameters/labelSelector-5Zw57w4C"
+        },
+        {
+          "$ref": "#/parameters/limit-1NfNmdNH"
+        },
+        {
+          "$ref": "#/parameters/pretty-tJGM1-ng"
+        },
+        {
+          "$ref": "#/parameters/resourceVersion-5WAnf1kx"
+        },
+        {
+          "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
+        },
+        {
+          "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
+        },
+        {
+          "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
+        },
+        {
+          "$ref": "#/parameters/watch-XNNPZGbK"
+        }
+      ]
+    },
+    "/apis/resource.k8s.io/v1alpha3/watch/devicetaintrules/{name}": {
+      "get": {
+        "consumes": [
+          "*/*"
+        ],
+        "description": "watch changes to an object of kind DeviceTaintRule. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.",
+        "operationId": "watchResourceV1alpha3DeviceTaintRule",
+        "produces": [
+          "application/json",
+          "application/yaml",
+          "application/vnd.kubernetes.protobuf",
+          "application/cbor",
+          "application/json;stream=watch",
+          "application/vnd.kubernetes.protobuf;stream=watch",
+          "application/cbor-seq"
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "schemes": [
+          "https"
+        ],
+        "tags": [
+          "resource_v1alpha3"
+        ],
+        "x-kubernetes-action": "watch",
+        "x-kubernetes-group-version-kind": {
+          "group": "resource.k8s.io",
+          "kind": "DeviceTaintRule",
+          "version": "v1alpha3"
+        }
+      },
+      "parameters": [
+        {
+          "$ref": "#/parameters/allowWatchBookmarks-HC2hJt-J"
+        },
+        {
+          "$ref": "#/parameters/continue-QfD61s0i"
+        },
+        {
+          "$ref": "#/parameters/fieldSelector-xIcQKXFG"
+        },
+        {
+          "$ref": "#/parameters/labelSelector-5Zw57w4C"
+        },
+        {
+          "$ref": "#/parameters/limit-1NfNmdNH"
+        },
+        {
+          "description": "name of the DeviceTaintRule",
+          "in": "path",
+          "name": "name",
+          "required": true,
+          "type": "string",
+          "uniqueItems": true
+        },
+        {
+          "$ref": "#/parameters/pretty-tJGM1-ng"
+        },
+        {
+          "$ref": "#/parameters/resourceVersion-5WAnf1kx"
+        },
+        {
+          "$ref": "#/parameters/resourceVersionMatch-t8XhRHeC"
+        },
+        {
+          "$ref": "#/parameters/sendInitialEvents-rLXlEK_k"
+        },
+        {
+          "$ref": "#/parameters/timeoutSeconds-yvYezaOC"
+        },
+        {
+          "$ref": "#/parameters/watch-XNNPZGbK"
+        }
+      ]
+    },
     "/apis/resource.k8s.io/v1alpha3/watch/namespaces/{namespace}/resourceclaims": {
       "get": {
         "consumes": [
diff --git a/api/openapi-spec/v3/apis__resource.k8s.io__v1alpha3_openapi.json b/api/openapi-spec/v3/apis__resource.k8s.io__v1alpha3_openapi.json
index b3c40a8bd92..3e8a981eb41 100644
--- a/api/openapi-spec/v3/apis__resource.k8s.io__v1alpha3_openapi.json
+++ b/api/openapi-spec/v3/apis__resource.k8s.io__v1alpha3_openapi.json
@@ -188,6 +188,19 @@
             },
             "description": "Capacity defines the set of capacities for this device. The name of each capacity must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.",
             "type": "object"
+          },
+          "taints": {
+            "description": "If specified, these are the driver-defined taints.\n\nThe maximum number of taints is 8.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
+            "items": {
+              "allOf": [
+                {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaint"
+                }
+              ],
+              "default": {}
+            },
+            "type": "array",
+            "x-kubernetes-list-type": "atomic"
           }
         },
         "type": "object"
@@ -585,6 +598,19 @@
             },
             "type": "array",
             "x-kubernetes-list-type": "atomic"
+          },
+          "tolerations": {
+            "description": "If specified, the request's tolerations.\n\nTolerations for NoSchedule are required to allocate a device which has a taint with that effect. The same applies to NoExecute.\n\nIn addition, should any of the allocated devices get tainted with NoExecute after allocation and that effect is not tolerated, then all pods consuming the ResourceClaim get deleted to evict them. The scheduler will not let new pods reserve the claim while it has these tainted devices. Once all pods are evicted, the claim will get deallocated.\n\nThe maximum number of tolerations is 16.\n\nThis field can only be set when deviceClassName is set and no subrequests are specified in the firstAvailable list.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
+            "items": {
+              "allOf": [
+                {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceToleration"
+                }
+              ],
+              "default": {}
+            },
+            "type": "array",
+            "x-kubernetes-list-type": "atomic"
           }
         },
         "required": [
@@ -618,6 +644,19 @@
             "default": "",
             "description": "Request is the name of the request in the claim which caused this device to be allocated. If it references a subrequest in the firstAvailable list on a DeviceRequest, this field must include both the name of the main request and the subrequest using the format <main request>/<subrequest>.\n\nMultiple devices may have been allocated per request.",
             "type": "string"
+          },
+          "tolerations": {
+            "description": "A copy of all tolerations specified in the request at the time when the device got allocated.\n\nThe maximum number of tolerations is 16.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
+            "items": {
+              "allOf": [
+                {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceToleration"
+                }
+              ],
+              "default": {}
+            },
+            "type": "array",
+            "x-kubernetes-list-type": "atomic"
           }
         },
         "required": [
@@ -676,6 +715,19 @@
             },
             "type": "array",
             "x-kubernetes-list-type": "atomic"
+          },
+          "tolerations": {
+            "description": "If specified, the request's tolerations.\n\nTolerations for NoSchedule are required to allocate a device which has a taint with that effect. The same applies to NoExecute.\n\nIn addition, should any of the allocated devices get tainted with NoExecute after allocation and that effect is not tolerated, then all pods consuming the ResourceClaim get deleted to evict them. The scheduler will not let new pods reserve the claim while it has these tainted devices. Once all pods are evicted, the claim will get deallocated.\n\nThe maximum number of tolerations is 16.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
+            "items": {
+              "allOf": [
+                {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceToleration"
+                }
+              ],
+              "default": {}
+            },
+            "type": "array",
+            "x-kubernetes-list-type": "atomic"
           }
         },
         "required": [
@@ -684,6 +736,214 @@
         ],
         "type": "object"
       },
+      "io.k8s.api.resource.v1alpha3.DeviceTaint": {
+        "description": "The device this taint is attached to has the \"effect\" on any claim which does not tolerate the taint and, through the claim, to pods using the claim.",
+        "properties": {
+          "effect": {
+            "default": "",
+            "description": "The effect of the taint on claims that do not tolerate the taint and through such claims on the pods using them. Valid effects are NoSchedule and NoExecute. PreferNoSchedule as used for nodes is not valid here.",
+            "type": "string"
+          },
+          "key": {
+            "default": "",
+            "description": "The taint key to be applied to a device. Must be a label name.",
+            "type": "string"
+          },
+          "timeAdded": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Time"
+              }
+            ],
+            "description": "TimeAdded represents the time at which the taint was added. Added automatically during create or update if not set."
+          },
+          "value": {
+            "description": "The taint value corresponding to the taint key. Must be a label value.",
+            "type": "string"
+          }
+        },
+        "required": [
+          "key",
+          "effect"
+        ],
+        "type": "object"
+      },
+      "io.k8s.api.resource.v1alpha3.DeviceTaintRule": {
+        "description": "DeviceTaintRule adds one taint to all devices which match the selector. This has the same effect as if the taint was specified directly in the ResourceSlice by the DRA driver.",
+        "properties": {
+          "apiVersion": {
+            "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+            "type": "string"
+          },
+          "kind": {
+            "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+            "type": "string"
+          },
+          "metadata": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"
+              }
+            ],
+            "default": {},
+            "description": "Standard object metadata"
+          },
+          "spec": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRuleSpec"
+              }
+            ],
+            "default": {},
+            "description": "Spec specifies the selector and one taint.\n\nChanging the spec automatically increments the metadata.generation number."
+          }
+        },
+        "required": [
+          "spec"
+        ],
+        "type": "object",
+        "x-kubernetes-group-version-kind": [
+          {
+            "group": "resource.k8s.io",
+            "kind": "DeviceTaintRule",
+            "version": "v1alpha3"
+          }
+        ]
+      },
+      "io.k8s.api.resource.v1alpha3.DeviceTaintRuleList": {
+        "description": "DeviceTaintRuleList is a collection of DeviceTaintRules.",
+        "properties": {
+          "apiVersion": {
+            "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+            "type": "string"
+          },
+          "items": {
+            "description": "Items is the list of DeviceTaintRules.",
+            "items": {
+              "allOf": [
+                {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              ],
+              "default": {}
+            },
+            "type": "array"
+          },
+          "kind": {
+            "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+            "type": "string"
+          },
+          "metadata": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"
+              }
+            ],
+            "default": {},
+            "description": "Standard list metadata"
+          }
+        },
+        "required": [
+          "items"
+        ],
+        "type": "object",
+        "x-kubernetes-group-version-kind": [
+          {
+            "group": "resource.k8s.io",
+            "kind": "DeviceTaintRuleList",
+            "version": "v1alpha3"
+          }
+        ]
+      },
+      "io.k8s.api.resource.v1alpha3.DeviceTaintRuleSpec": {
+        "description": "DeviceTaintRuleSpec specifies the selector and one taint.",
+        "properties": {
+          "deviceSelector": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintSelector"
+              }
+            ],
+            "description": "DeviceSelector defines which device(s) the taint is applied to. All selector criteria must be satified for a device to match. The empty selector matches all devices. Without a selector, no devices are matches."
+          },
+          "taint": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaint"
+              }
+            ],
+            "default": {},
+            "description": "The taint that gets applied to matching devices."
+          }
+        },
+        "required": [
+          "taint"
+        ],
+        "type": "object"
+      },
+      "io.k8s.api.resource.v1alpha3.DeviceTaintSelector": {
+        "description": "DeviceTaintSelector defines which device(s) a DeviceTaintRule applies to. The empty selector matches all devices. Without a selector, no devices are matched.",
+        "properties": {
+          "device": {
+            "description": "If device is set, only devices with that name are selected. This field corresponds to slice.spec.devices[].name.\n\nSetting also driver and pool may be required to avoid ambiguity, but is not required.",
+            "type": "string"
+          },
+          "deviceClassName": {
+            "description": "If DeviceClassName is set, the selectors defined there must be satisfied by a device to be selected. This field corresponds to class.metadata.name.",
+            "type": "string"
+          },
+          "driver": {
+            "description": "If driver is set, only devices from that driver are selected. This fields corresponds to slice.spec.driver.",
+            "type": "string"
+          },
+          "pool": {
+            "description": "If pool is set, only devices in that pool are selected.\n\nAlso setting the driver name may be useful to avoid ambiguity when different drivers use the same pool name, but this is not required because selecting pools from different drivers may also be useful, for example when drivers with node-local devices use the node name as their pool name.",
+            "type": "string"
+          },
+          "selectors": {
+            "description": "Selectors contains the same selection criteria as a ResourceClaim. Currently, CEL expressions are supported. All of these selectors must be satisfied.",
+            "items": {
+              "allOf": [
+                {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceSelector"
+                }
+              ],
+              "default": {}
+            },
+            "type": "array",
+            "x-kubernetes-list-type": "atomic"
+          }
+        },
+        "type": "object"
+      },
+      "io.k8s.api.resource.v1alpha3.DeviceToleration": {
+        "description": "The ResourceClaim this DeviceToleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.",
+        "properties": {
+          "effect": {
+            "description": "Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule and NoExecute.",
+            "type": "string"
+          },
+          "key": {
+            "description": "Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. Must be a label name.",
+            "type": "string"
+          },
+          "operator": {
+            "default": "Equal",
+            "description": "Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a ResourceClaim can tolerate all taints of a particular category.",
+            "type": "string"
+          },
+          "tolerationSeconds": {
+            "description": "TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. If larger than zero, the time when the pod needs to be evicted is calculated as <time when taint was adedd> + <toleration seconds>.",
+            "format": "int64",
+            "type": "integer"
+          },
+          "value": {
+            "description": "Value is the taint value the toleration matches to. If the operator is Exists, the value must be empty, otherwise just a regular string. Must be a label value.",
+            "type": "string"
+          }
+        },
+        "type": "object"
+      },
       "io.k8s.api.resource.v1alpha3.NetworkDeviceData": {
         "description": "NetworkDeviceData provides network-related details for the allocated device. This information may be filled by drivers or other components to configure or identify the device within a network context.",
         "properties": {
@@ -3376,6 +3636,905 @@
         }
       }
     },
+    "/apis/resource.k8s.io/v1alpha3/devicetaintrules": {
+      "delete": {
+        "description": "delete collection of DeviceTaintRule",
+        "operationId": "deleteResourceV1alpha3CollectionDeviceTaintRule",
+        "parameters": [
+          {
+            "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
+            "in": "query",
+            "name": "continue",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
+            "in": "query",
+            "name": "fieldSelector",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately.",
+            "in": "query",
+            "name": "gracePeriodSeconds",
+            "schema": {
+              "type": "integer",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "if set to true, it will trigger an unsafe deletion of the resource in case the normal deletion flow fails with a corrupt object error. A resource is considered corrupt if it can not be retrieved from the underlying storage successfully because of a) its data can not be transformed e.g. decryption failure, or b) it fails to decode into an object. NOTE: unsafe deletion ignores finalizer constraints, skips precondition checks, and removes the object from the storage. WARNING: This may potentially break the cluster if the workload associated with the resource being unsafe-deleted relies on normal deletion flow. Use only if you REALLY know what you are doing. The default value is false, and the user must opt in to enable it",
+            "in": "query",
+            "name": "ignoreStoreReadErrorWithClusterBreakingPotential",
+            "schema": {
+              "type": "boolean",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
+            "in": "query",
+            "name": "labelSelector",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
+            "in": "query",
+            "name": "limit",
+            "schema": {
+              "type": "integer",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the \"orphan\" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both.",
+            "in": "query",
+            "name": "orphanDependents",
+            "schema": {
+              "type": "boolean",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground.",
+            "in": "query",
+            "name": "propagationPolicy",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+            "in": "query",
+            "name": "resourceVersion",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+            "in": "query",
+            "name": "resourceVersionMatch",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "schema": {
+              "type": "boolean",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
+            "in": "query",
+            "name": "timeoutSeconds",
+            "schema": {
+              "type": "integer",
+              "uniqueItems": true
+            }
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "*/*": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions"
+              }
+            }
+          }
+        },
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Status"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "resource_v1alpha3"
+        ],
+        "x-kubernetes-action": "deletecollection",
+        "x-kubernetes-group-version-kind": {
+          "group": "resource.k8s.io",
+          "kind": "DeviceTaintRule",
+          "version": "v1alpha3"
+        }
+      },
+      "get": {
+        "description": "list or watch objects of kind DeviceTaintRule",
+        "operationId": "listResourceV1alpha3DeviceTaintRule",
+        "parameters": [
+          {
+            "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored.",
+            "in": "query",
+            "name": "allowWatchBookmarks",
+            "schema": {
+              "type": "boolean",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
+            "in": "query",
+            "name": "continue",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
+            "in": "query",
+            "name": "fieldSelector",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
+            "in": "query",
+            "name": "labelSelector",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
+            "in": "query",
+            "name": "limit",
+            "schema": {
+              "type": "integer",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+            "in": "query",
+            "name": "resourceVersion",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+            "in": "query",
+            "name": "resourceVersionMatch",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+            "in": "query",
+            "name": "sendInitialEvents",
+            "schema": {
+              "type": "boolean",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
+            "in": "query",
+            "name": "timeoutSeconds",
+            "schema": {
+              "type": "integer",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.",
+            "in": "query",
+            "name": "watch",
+            "schema": {
+              "type": "boolean",
+              "uniqueItems": true
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRuleList"
+                }
+              },
+              "application/cbor-seq": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRuleList"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRuleList"
+                }
+              },
+              "application/json;stream=watch": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRuleList"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRuleList"
+                }
+              },
+              "application/vnd.kubernetes.protobuf;stream=watch": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRuleList"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRuleList"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "resource_v1alpha3"
+        ],
+        "x-kubernetes-action": "list",
+        "x-kubernetes-group-version-kind": {
+          "group": "resource.k8s.io",
+          "kind": "DeviceTaintRule",
+          "version": "v1alpha3"
+        }
+      },
+      "parameters": [
+        {
+          "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).",
+          "in": "query",
+          "name": "pretty",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        }
+      ],
+      "post": {
+        "description": "create a DeviceTaintRule",
+        "operationId": "createResourceV1alpha3DeviceTaintRule",
+        "parameters": [
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint.",
+            "in": "query",
+            "name": "fieldManager",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "in": "query",
+            "name": "fieldValidation",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "*/*": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "201": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              }
+            },
+            "description": "Created"
+          },
+          "202": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              }
+            },
+            "description": "Accepted"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "resource_v1alpha3"
+        ],
+        "x-kubernetes-action": "post",
+        "x-kubernetes-group-version-kind": {
+          "group": "resource.k8s.io",
+          "kind": "DeviceTaintRule",
+          "version": "v1alpha3"
+        }
+      }
+    },
+    "/apis/resource.k8s.io/v1alpha3/devicetaintrules/{name}": {
+      "delete": {
+        "description": "delete a DeviceTaintRule",
+        "operationId": "deleteResourceV1alpha3DeviceTaintRule",
+        "parameters": [
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately.",
+            "in": "query",
+            "name": "gracePeriodSeconds",
+            "schema": {
+              "type": "integer",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "if set to true, it will trigger an unsafe deletion of the resource in case the normal deletion flow fails with a corrupt object error. A resource is considered corrupt if it can not be retrieved from the underlying storage successfully because of a) its data can not be transformed e.g. decryption failure, or b) it fails to decode into an object. NOTE: unsafe deletion ignores finalizer constraints, skips precondition checks, and removes the object from the storage. WARNING: This may potentially break the cluster if the workload associated with the resource being unsafe-deleted relies on normal deletion flow. Use only if you REALLY know what you are doing. The default value is false, and the user must opt in to enable it",
+            "in": "query",
+            "name": "ignoreStoreReadErrorWithClusterBreakingPotential",
+            "schema": {
+              "type": "boolean",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the \"orphan\" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both.",
+            "in": "query",
+            "name": "orphanDependents",
+            "schema": {
+              "type": "boolean",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground.",
+            "in": "query",
+            "name": "propagationPolicy",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "*/*": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions"
+              }
+            }
+          }
+        },
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "202": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              }
+            },
+            "description": "Accepted"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "resource_v1alpha3"
+        ],
+        "x-kubernetes-action": "delete",
+        "x-kubernetes-group-version-kind": {
+          "group": "resource.k8s.io",
+          "kind": "DeviceTaintRule",
+          "version": "v1alpha3"
+        }
+      },
+      "get": {
+        "description": "read the specified DeviceTaintRule",
+        "operationId": "readResourceV1alpha3DeviceTaintRule",
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "resource_v1alpha3"
+        ],
+        "x-kubernetes-action": "get",
+        "x-kubernetes-group-version-kind": {
+          "group": "resource.k8s.io",
+          "kind": "DeviceTaintRule",
+          "version": "v1alpha3"
+        }
+      },
+      "parameters": [
+        {
+          "description": "name of the DeviceTaintRule",
+          "in": "path",
+          "name": "name",
+          "required": true,
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).",
+          "in": "query",
+          "name": "pretty",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        }
+      ],
+      "patch": {
+        "description": "partially update the specified DeviceTaintRule",
+        "operationId": "patchResourceV1alpha3DeviceTaintRule",
+        "parameters": [
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch).",
+            "in": "query",
+            "name": "fieldManager",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "in": "query",
+            "name": "fieldValidation",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "Force is going to \"force\" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests.",
+            "in": "query",
+            "name": "force",
+            "schema": {
+              "type": "boolean",
+              "uniqueItems": true
+            }
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "application/apply-patch+cbor": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
+              }
+            },
+            "application/apply-patch+yaml": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
+              }
+            },
+            "application/json-patch+json": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
+              }
+            },
+            "application/merge-patch+json": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
+              }
+            },
+            "application/strategic-merge-patch+json": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "201": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              }
+            },
+            "description": "Created"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "resource_v1alpha3"
+        ],
+        "x-kubernetes-action": "patch",
+        "x-kubernetes-group-version-kind": {
+          "group": "resource.k8s.io",
+          "kind": "DeviceTaintRule",
+          "version": "v1alpha3"
+        }
+      },
+      "put": {
+        "description": "replace the specified DeviceTaintRule",
+        "operationId": "replaceResourceV1alpha3DeviceTaintRule",
+        "parameters": [
+          {
+            "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
+            "in": "query",
+            "name": "dryRun",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint.",
+            "in": "query",
+            "name": "fieldManager",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          },
+          {
+            "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
+            "in": "query",
+            "name": "fieldValidation",
+            "schema": {
+              "type": "string",
+              "uniqueItems": true
+            }
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "*/*": {
+              "schema": {
+                "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "201": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1alpha3.DeviceTaintRule"
+                }
+              }
+            },
+            "description": "Created"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "resource_v1alpha3"
+        ],
+        "x-kubernetes-action": "put",
+        "x-kubernetes-group-version-kind": {
+          "group": "resource.k8s.io",
+          "kind": "DeviceTaintRule",
+          "version": "v1alpha3"
+        }
+      }
+    },
     "/apis/resource.k8s.io/v1alpha3/namespaces/{namespace}/resourceclaims": {
       "delete": {
         "description": "delete collection of ResourceClaim",
@@ -7086,6 +8245,338 @@
         }
       ]
     },
+    "/apis/resource.k8s.io/v1alpha3/watch/devicetaintrules": {
+      "get": {
+        "description": "watch individual changes to a list of DeviceTaintRule. deprecated: use the 'watch' parameter with a list operation instead.",
+        "operationId": "watchResourceV1alpha3DeviceTaintRuleList",
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/cbor-seq": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/json;stream=watch": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/vnd.kubernetes.protobuf;stream=watch": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "resource_v1alpha3"
+        ],
+        "x-kubernetes-action": "watchlist",
+        "x-kubernetes-group-version-kind": {
+          "group": "resource.k8s.io",
+          "kind": "DeviceTaintRule",
+          "version": "v1alpha3"
+        }
+      },
+      "parameters": [
+        {
+          "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored.",
+          "in": "query",
+          "name": "allowWatchBookmarks",
+          "schema": {
+            "type": "boolean",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
+          "in": "query",
+          "name": "continue",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
+          "in": "query",
+          "name": "fieldSelector",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
+          "in": "query",
+          "name": "labelSelector",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
+          "in": "query",
+          "name": "limit",
+          "schema": {
+            "type": "integer",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).",
+          "in": "query",
+          "name": "pretty",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+          "in": "query",
+          "name": "resourceVersion",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+          "in": "query",
+          "name": "resourceVersionMatch",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "schema": {
+            "type": "boolean",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
+          "in": "query",
+          "name": "timeoutSeconds",
+          "schema": {
+            "type": "integer",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.",
+          "in": "query",
+          "name": "watch",
+          "schema": {
+            "type": "boolean",
+            "uniqueItems": true
+          }
+        }
+      ]
+    },
+    "/apis/resource.k8s.io/v1alpha3/watch/devicetaintrules/{name}": {
+      "get": {
+        "description": "watch changes to an object of kind DeviceTaintRule. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.",
+        "operationId": "watchResourceV1alpha3DeviceTaintRule",
+        "responses": {
+          "200": {
+            "content": {
+              "application/cbor": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/cbor-seq": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/json;stream=watch": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/vnd.kubernetes.protobuf": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/vnd.kubernetes.protobuf;stream=watch": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              },
+              "application/yaml": {
+                "schema": {
+                  "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"
+                }
+              }
+            },
+            "description": "OK"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        },
+        "tags": [
+          "resource_v1alpha3"
+        ],
+        "x-kubernetes-action": "watch",
+        "x-kubernetes-group-version-kind": {
+          "group": "resource.k8s.io",
+          "kind": "DeviceTaintRule",
+          "version": "v1alpha3"
+        }
+      },
+      "parameters": [
+        {
+          "description": "allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored.",
+          "in": "query",
+          "name": "allowWatchBookmarks",
+          "schema": {
+            "type": "boolean",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.",
+          "in": "query",
+          "name": "continue",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "A selector to restrict the list of returned objects by their fields. Defaults to everything.",
+          "in": "query",
+          "name": "fieldSelector",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "A selector to restrict the list of returned objects by their labels. Defaults to everything.",
+          "in": "query",
+          "name": "labelSelector",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.",
+          "in": "query",
+          "name": "limit",
+          "schema": {
+            "type": "integer",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "name of the DeviceTaintRule",
+          "in": "path",
+          "name": "name",
+          "required": true,
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).",
+          "in": "query",
+          "name": "pretty",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+          "in": "query",
+          "name": "resourceVersion",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset",
+          "in": "query",
+          "name": "resourceVersionMatch",
+          "schema": {
+            "type": "string",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event  will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n  is interpreted as \"data at least as new as the provided `resourceVersion`\"\n  and the bookmark event is send when the state is synced\n  to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n  If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n  bookmark event is send when the state is synced at least to the moment\n  when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n  Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.",
+          "in": "query",
+          "name": "sendInitialEvents",
+          "schema": {
+            "type": "boolean",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.",
+          "in": "query",
+          "name": "timeoutSeconds",
+          "schema": {
+            "type": "integer",
+            "uniqueItems": true
+          }
+        },
+        {
+          "description": "Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.",
+          "in": "query",
+          "name": "watch",
+          "schema": {
+            "type": "boolean",
+            "uniqueItems": true
+          }
+        }
+      ]
+    },
     "/apis/resource.k8s.io/v1alpha3/watch/namespaces/{namespace}/resourceclaims": {
       "get": {
         "description": "watch individual changes to a list of ResourceClaim. deprecated: use the 'watch' parameter with a list operation instead.",
diff --git a/api/openapi-spec/v3/apis__resource.k8s.io__v1beta1_openapi.json b/api/openapi-spec/v3/apis__resource.k8s.io__v1beta1_openapi.json
index 49d9d960dc3..031a1c8bb33 100644
--- a/api/openapi-spec/v3/apis__resource.k8s.io__v1beta1_openapi.json
+++ b/api/openapi-spec/v3/apis__resource.k8s.io__v1beta1_openapi.json
@@ -193,6 +193,19 @@
             },
             "description": "Capacity defines the set of capacities for this device. The name of each capacity must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.",
             "type": "object"
+          },
+          "taints": {
+            "description": "If specified, these are the driver-defined taints.\n\nThe maximum number of taints is 8.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
+            "items": {
+              "allOf": [
+                {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1beta1.DeviceTaint"
+                }
+              ],
+              "default": {}
+            },
+            "type": "array",
+            "x-kubernetes-list-type": "atomic"
           }
         },
         "type": "object"
@@ -607,6 +620,19 @@
             },
             "type": "array",
             "x-kubernetes-list-type": "atomic"
+          },
+          "tolerations": {
+            "description": "If specified, the request's tolerations.\n\nTolerations for NoSchedule are required to allocate a device which has a taint with that effect. The same applies to NoExecute.\n\nIn addition, should any of the allocated devices get tainted with NoExecute after allocation and that effect is not tolerated, then all pods consuming the ResourceClaim get deleted to evict them. The scheduler will not let new pods reserve the claim while it has these tainted devices. Once all pods are evicted, the claim will get deallocated.\n\nThe maximum number of tolerations is 16.\n\nThis field can only be set when deviceClassName is set and no subrequests are specified in the firstAvailable list.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
+            "items": {
+              "allOf": [
+                {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1beta1.DeviceToleration"
+                }
+              ],
+              "default": {}
+            },
+            "type": "array",
+            "x-kubernetes-list-type": "atomic"
           }
         },
         "required": [
@@ -640,6 +666,19 @@
             "default": "",
             "description": "Request is the name of the request in the claim which caused this device to be allocated. If it references a subrequest in the firstAvailable list on a DeviceRequest, this field must include both the name of the main request and the subrequest using the format <main request>/<subrequest>.\n\nMultiple devices may have been allocated per request.",
             "type": "string"
+          },
+          "tolerations": {
+            "description": "A copy of all tolerations specified in the request at the time when the device got allocated.\n\nThe maximum number of tolerations is 16.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
+            "items": {
+              "allOf": [
+                {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1beta1.DeviceToleration"
+                }
+              ],
+              "default": {}
+            },
+            "type": "array",
+            "x-kubernetes-list-type": "atomic"
           }
         },
         "required": [
@@ -698,6 +737,19 @@
             },
             "type": "array",
             "x-kubernetes-list-type": "atomic"
+          },
+          "tolerations": {
+            "description": "If specified, the request's tolerations.\n\nTolerations for NoSchedule are required to allocate a device which has a taint with that effect. The same applies to NoExecute.\n\nIn addition, should any of the allocated devices get tainted with NoExecute after allocation and that effect is not tolerated, then all pods consuming the ResourceClaim get deleted to evict them. The scheduler will not let new pods reserve the claim while it has these tainted devices. Once all pods are evicted, the claim will get deallocated.\n\nThe maximum number of tolerations is 16.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
+            "items": {
+              "allOf": [
+                {
+                  "$ref": "#/components/schemas/io.k8s.api.resource.v1beta1.DeviceToleration"
+                }
+              ],
+              "default": {}
+            },
+            "type": "array",
+            "x-kubernetes-list-type": "atomic"
           }
         },
         "required": [
@@ -706,6 +758,66 @@
         ],
         "type": "object"
       },
+      "io.k8s.api.resource.v1beta1.DeviceTaint": {
+        "description": "The device this taint is attached to has the \"effect\" on any claim which does not tolerate the taint and, through the claim, to pods using the claim.",
+        "properties": {
+          "effect": {
+            "default": "",
+            "description": "The effect of the taint on claims that do not tolerate the taint and through such claims on the pods using them. Valid effects are NoSchedule and NoExecute. PreferNoSchedule as used for nodes is not valid here.",
+            "type": "string"
+          },
+          "key": {
+            "default": "",
+            "description": "The taint key to be applied to a device. Must be a label name.",
+            "type": "string"
+          },
+          "timeAdded": {
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Time"
+              }
+            ],
+            "description": "TimeAdded represents the time at which the taint was added. Added automatically during create or update if not set."
+          },
+          "value": {
+            "description": "The taint value corresponding to the taint key. Must be a label value.",
+            "type": "string"
+          }
+        },
+        "required": [
+          "key",
+          "effect"
+        ],
+        "type": "object"
+      },
+      "io.k8s.api.resource.v1beta1.DeviceToleration": {
+        "description": "The ResourceClaim this DeviceToleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.",
+        "properties": {
+          "effect": {
+            "description": "Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule and NoExecute.",
+            "type": "string"
+          },
+          "key": {
+            "description": "Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. Must be a label name.",
+            "type": "string"
+          },
+          "operator": {
+            "default": "Equal",
+            "description": "Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a ResourceClaim can tolerate all taints of a particular category.",
+            "type": "string"
+          },
+          "tolerationSeconds": {
+            "description": "TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. If larger than zero, the time when the pod needs to be evicted is calculated as <time when taint was adedd> + <toleration seconds>.",
+            "format": "int64",
+            "type": "integer"
+          },
+          "value": {
+            "description": "Value is the taint value the toleration matches to. If the operator is Exists, the value must be empty, otherwise just a regular string. Must be a label value.",
+            "type": "string"
+          }
+        },
+        "type": "object"
+      },
       "io.k8s.api.resource.v1beta1.NetworkDeviceData": {
         "description": "NetworkDeviceData provides network-related details for the allocated device. This information may be filled by drivers or other components to configure or identify the device within a network context.",
         "properties": {
diff --git a/pkg/apis/resource/v1alpha3/zz_generated.conversion.go b/pkg/apis/resource/v1alpha3/zz_generated.conversion.go
index 21d069e4f75..c2389524dff 100644
--- a/pkg/apis/resource/v1alpha3/zz_generated.conversion.go
+++ b/pkg/apis/resource/v1alpha3/zz_generated.conversion.go
@@ -242,6 +242,66 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddGeneratedConversionFunc((*resourcev1alpha3.DeviceTaint)(nil), (*resource.DeviceTaint)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha3_DeviceTaint_To_resource_DeviceTaint(a.(*resourcev1alpha3.DeviceTaint), b.(*resource.DeviceTaint), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*resource.DeviceTaint)(nil), (*resourcev1alpha3.DeviceTaint)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_resource_DeviceTaint_To_v1alpha3_DeviceTaint(a.(*resource.DeviceTaint), b.(*resourcev1alpha3.DeviceTaint), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*resourcev1alpha3.DeviceTaintRule)(nil), (*resource.DeviceTaintRule)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha3_DeviceTaintRule_To_resource_DeviceTaintRule(a.(*resourcev1alpha3.DeviceTaintRule), b.(*resource.DeviceTaintRule), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*resource.DeviceTaintRule)(nil), (*resourcev1alpha3.DeviceTaintRule)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_resource_DeviceTaintRule_To_v1alpha3_DeviceTaintRule(a.(*resource.DeviceTaintRule), b.(*resourcev1alpha3.DeviceTaintRule), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*resourcev1alpha3.DeviceTaintRuleList)(nil), (*resource.DeviceTaintRuleList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha3_DeviceTaintRuleList_To_resource_DeviceTaintRuleList(a.(*resourcev1alpha3.DeviceTaintRuleList), b.(*resource.DeviceTaintRuleList), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*resource.DeviceTaintRuleList)(nil), (*resourcev1alpha3.DeviceTaintRuleList)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_resource_DeviceTaintRuleList_To_v1alpha3_DeviceTaintRuleList(a.(*resource.DeviceTaintRuleList), b.(*resourcev1alpha3.DeviceTaintRuleList), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*resourcev1alpha3.DeviceTaintRuleSpec)(nil), (*resource.DeviceTaintRuleSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha3_DeviceTaintRuleSpec_To_resource_DeviceTaintRuleSpec(a.(*resourcev1alpha3.DeviceTaintRuleSpec), b.(*resource.DeviceTaintRuleSpec), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*resource.DeviceTaintRuleSpec)(nil), (*resourcev1alpha3.DeviceTaintRuleSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_resource_DeviceTaintRuleSpec_To_v1alpha3_DeviceTaintRuleSpec(a.(*resource.DeviceTaintRuleSpec), b.(*resourcev1alpha3.DeviceTaintRuleSpec), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*resourcev1alpha3.DeviceTaintSelector)(nil), (*resource.DeviceTaintSelector)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha3_DeviceTaintSelector_To_resource_DeviceTaintSelector(a.(*resourcev1alpha3.DeviceTaintSelector), b.(*resource.DeviceTaintSelector), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*resource.DeviceTaintSelector)(nil), (*resourcev1alpha3.DeviceTaintSelector)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_resource_DeviceTaintSelector_To_v1alpha3_DeviceTaintSelector(a.(*resource.DeviceTaintSelector), b.(*resourcev1alpha3.DeviceTaintSelector), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*resourcev1alpha3.DeviceToleration)(nil), (*resource.DeviceToleration)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha3_DeviceToleration_To_resource_DeviceToleration(a.(*resourcev1alpha3.DeviceToleration), b.(*resource.DeviceToleration), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*resource.DeviceToleration)(nil), (*resourcev1alpha3.DeviceToleration)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_resource_DeviceToleration_To_v1alpha3_DeviceToleration(a.(*resource.DeviceToleration), b.(*resourcev1alpha3.DeviceToleration), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddGeneratedConversionFunc((*resourcev1alpha3.NetworkDeviceData)(nil), (*resource.NetworkDeviceData)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1alpha3_NetworkDeviceData_To_resource_NetworkDeviceData(a.(*resourcev1alpha3.NetworkDeviceData), b.(*resource.NetworkDeviceData), scope)
 	}); err != nil {
@@ -466,6 +526,7 @@ func autoConvert_v1alpha3_BasicDevice_To_resource_BasicDevice(in *resourcev1alph
 	} else {
 		out.Capacity = nil
 	}
+	out.Taints = *(*[]resource.DeviceTaint)(unsafe.Pointer(&in.Taints))
 	return nil
 }
 
@@ -489,6 +550,7 @@ func autoConvert_resource_BasicDevice_To_v1alpha3_BasicDevice(in *resource.Basic
 	} else {
 		out.Capacity = nil
 	}
+	out.Taints = *(*[]resourcev1alpha3.DeviceTaint)(unsafe.Pointer(&in.Taints))
 	return nil
 }
 
@@ -825,6 +887,7 @@ func autoConvert_v1alpha3_DeviceRequest_To_resource_DeviceRequest(in *resourcev1
 	out.Count = in.Count
 	out.AdminAccess = (*bool)(unsafe.Pointer(in.AdminAccess))
 	out.FirstAvailable = *(*[]resource.DeviceSubRequest)(unsafe.Pointer(&in.FirstAvailable))
+	out.Tolerations = *(*[]resource.DeviceToleration)(unsafe.Pointer(&in.Tolerations))
 	return nil
 }
 
@@ -841,6 +904,7 @@ func autoConvert_resource_DeviceRequest_To_v1alpha3_DeviceRequest(in *resource.D
 	out.Count = in.Count
 	out.AdminAccess = (*bool)(unsafe.Pointer(in.AdminAccess))
 	out.FirstAvailable = *(*[]resourcev1alpha3.DeviceSubRequest)(unsafe.Pointer(&in.FirstAvailable))
+	out.Tolerations = *(*[]resourcev1alpha3.DeviceToleration)(unsafe.Pointer(&in.Tolerations))
 	return nil
 }
 
@@ -855,6 +919,7 @@ func autoConvert_v1alpha3_DeviceRequestAllocationResult_To_resource_DeviceReques
 	out.Pool = in.Pool
 	out.Device = in.Device
 	out.AdminAccess = (*bool)(unsafe.Pointer(in.AdminAccess))
+	out.Tolerations = *(*[]resource.DeviceToleration)(unsafe.Pointer(&in.Tolerations))
 	return nil
 }
 
@@ -869,6 +934,7 @@ func autoConvert_resource_DeviceRequestAllocationResult_To_v1alpha3_DeviceReques
 	out.Pool = in.Pool
 	out.Device = in.Device
 	out.AdminAccess = (*bool)(unsafe.Pointer(in.AdminAccess))
+	out.Tolerations = *(*[]resourcev1alpha3.DeviceToleration)(unsafe.Pointer(&in.Tolerations))
 	return nil
 }
 
@@ -903,6 +969,7 @@ func autoConvert_v1alpha3_DeviceSubRequest_To_resource_DeviceSubRequest(in *reso
 	out.Selectors = *(*[]resource.DeviceSelector)(unsafe.Pointer(&in.Selectors))
 	out.AllocationMode = resource.DeviceAllocationMode(in.AllocationMode)
 	out.Count = in.Count
+	out.Tolerations = *(*[]resource.DeviceToleration)(unsafe.Pointer(&in.Tolerations))
 	return nil
 }
 
@@ -917,6 +984,7 @@ func autoConvert_resource_DeviceSubRequest_To_v1alpha3_DeviceSubRequest(in *reso
 	out.Selectors = *(*[]resourcev1alpha3.DeviceSelector)(unsafe.Pointer(&in.Selectors))
 	out.AllocationMode = resourcev1alpha3.DeviceAllocationMode(in.AllocationMode)
 	out.Count = in.Count
+	out.Tolerations = *(*[]resourcev1alpha3.DeviceToleration)(unsafe.Pointer(&in.Tolerations))
 	return nil
 }
 
@@ -925,6 +993,162 @@ func Convert_resource_DeviceSubRequest_To_v1alpha3_DeviceSubRequest(in *resource
 	return autoConvert_resource_DeviceSubRequest_To_v1alpha3_DeviceSubRequest(in, out, s)
 }
 
+func autoConvert_v1alpha3_DeviceTaint_To_resource_DeviceTaint(in *resourcev1alpha3.DeviceTaint, out *resource.DeviceTaint, s conversion.Scope) error {
+	out.Key = in.Key
+	out.Value = in.Value
+	out.Effect = resource.DeviceTaintEffect(in.Effect)
+	out.TimeAdded = (*v1.Time)(unsafe.Pointer(in.TimeAdded))
+	return nil
+}
+
+// Convert_v1alpha3_DeviceTaint_To_resource_DeviceTaint is an autogenerated conversion function.
+func Convert_v1alpha3_DeviceTaint_To_resource_DeviceTaint(in *resourcev1alpha3.DeviceTaint, out *resource.DeviceTaint, s conversion.Scope) error {
+	return autoConvert_v1alpha3_DeviceTaint_To_resource_DeviceTaint(in, out, s)
+}
+
+func autoConvert_resource_DeviceTaint_To_v1alpha3_DeviceTaint(in *resource.DeviceTaint, out *resourcev1alpha3.DeviceTaint, s conversion.Scope) error {
+	out.Key = in.Key
+	out.Value = in.Value
+	out.Effect = resourcev1alpha3.DeviceTaintEffect(in.Effect)
+	out.TimeAdded = (*v1.Time)(unsafe.Pointer(in.TimeAdded))
+	return nil
+}
+
+// Convert_resource_DeviceTaint_To_v1alpha3_DeviceTaint is an autogenerated conversion function.
+func Convert_resource_DeviceTaint_To_v1alpha3_DeviceTaint(in *resource.DeviceTaint, out *resourcev1alpha3.DeviceTaint, s conversion.Scope) error {
+	return autoConvert_resource_DeviceTaint_To_v1alpha3_DeviceTaint(in, out, s)
+}
+
+func autoConvert_v1alpha3_DeviceTaintRule_To_resource_DeviceTaintRule(in *resourcev1alpha3.DeviceTaintRule, out *resource.DeviceTaintRule, s conversion.Scope) error {
+	out.ObjectMeta = in.ObjectMeta
+	if err := Convert_v1alpha3_DeviceTaintRuleSpec_To_resource_DeviceTaintRuleSpec(&in.Spec, &out.Spec, s); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Convert_v1alpha3_DeviceTaintRule_To_resource_DeviceTaintRule is an autogenerated conversion function.
+func Convert_v1alpha3_DeviceTaintRule_To_resource_DeviceTaintRule(in *resourcev1alpha3.DeviceTaintRule, out *resource.DeviceTaintRule, s conversion.Scope) error {
+	return autoConvert_v1alpha3_DeviceTaintRule_To_resource_DeviceTaintRule(in, out, s)
+}
+
+func autoConvert_resource_DeviceTaintRule_To_v1alpha3_DeviceTaintRule(in *resource.DeviceTaintRule, out *resourcev1alpha3.DeviceTaintRule, s conversion.Scope) error {
+	out.ObjectMeta = in.ObjectMeta
+	if err := Convert_resource_DeviceTaintRuleSpec_To_v1alpha3_DeviceTaintRuleSpec(&in.Spec, &out.Spec, s); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Convert_resource_DeviceTaintRule_To_v1alpha3_DeviceTaintRule is an autogenerated conversion function.
+func Convert_resource_DeviceTaintRule_To_v1alpha3_DeviceTaintRule(in *resource.DeviceTaintRule, out *resourcev1alpha3.DeviceTaintRule, s conversion.Scope) error {
+	return autoConvert_resource_DeviceTaintRule_To_v1alpha3_DeviceTaintRule(in, out, s)
+}
+
+func autoConvert_v1alpha3_DeviceTaintRuleList_To_resource_DeviceTaintRuleList(in *resourcev1alpha3.DeviceTaintRuleList, out *resource.DeviceTaintRuleList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]resource.DeviceTaintRule)(unsafe.Pointer(&in.Items))
+	return nil
+}
+
+// Convert_v1alpha3_DeviceTaintRuleList_To_resource_DeviceTaintRuleList is an autogenerated conversion function.
+func Convert_v1alpha3_DeviceTaintRuleList_To_resource_DeviceTaintRuleList(in *resourcev1alpha3.DeviceTaintRuleList, out *resource.DeviceTaintRuleList, s conversion.Scope) error {
+	return autoConvert_v1alpha3_DeviceTaintRuleList_To_resource_DeviceTaintRuleList(in, out, s)
+}
+
+func autoConvert_resource_DeviceTaintRuleList_To_v1alpha3_DeviceTaintRuleList(in *resource.DeviceTaintRuleList, out *resourcev1alpha3.DeviceTaintRuleList, s conversion.Scope) error {
+	out.ListMeta = in.ListMeta
+	out.Items = *(*[]resourcev1alpha3.DeviceTaintRule)(unsafe.Pointer(&in.Items))
+	return nil
+}
+
+// Convert_resource_DeviceTaintRuleList_To_v1alpha3_DeviceTaintRuleList is an autogenerated conversion function.
+func Convert_resource_DeviceTaintRuleList_To_v1alpha3_DeviceTaintRuleList(in *resource.DeviceTaintRuleList, out *resourcev1alpha3.DeviceTaintRuleList, s conversion.Scope) error {
+	return autoConvert_resource_DeviceTaintRuleList_To_v1alpha3_DeviceTaintRuleList(in, out, s)
+}
+
+func autoConvert_v1alpha3_DeviceTaintRuleSpec_To_resource_DeviceTaintRuleSpec(in *resourcev1alpha3.DeviceTaintRuleSpec, out *resource.DeviceTaintRuleSpec, s conversion.Scope) error {
+	out.DeviceSelector = (*resource.DeviceTaintSelector)(unsafe.Pointer(in.DeviceSelector))
+	if err := Convert_v1alpha3_DeviceTaint_To_resource_DeviceTaint(&in.Taint, &out.Taint, s); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Convert_v1alpha3_DeviceTaintRuleSpec_To_resource_DeviceTaintRuleSpec is an autogenerated conversion function.
+func Convert_v1alpha3_DeviceTaintRuleSpec_To_resource_DeviceTaintRuleSpec(in *resourcev1alpha3.DeviceTaintRuleSpec, out *resource.DeviceTaintRuleSpec, s conversion.Scope) error {
+	return autoConvert_v1alpha3_DeviceTaintRuleSpec_To_resource_DeviceTaintRuleSpec(in, out, s)
+}
+
+func autoConvert_resource_DeviceTaintRuleSpec_To_v1alpha3_DeviceTaintRuleSpec(in *resource.DeviceTaintRuleSpec, out *resourcev1alpha3.DeviceTaintRuleSpec, s conversion.Scope) error {
+	out.DeviceSelector = (*resourcev1alpha3.DeviceTaintSelector)(unsafe.Pointer(in.DeviceSelector))
+	if err := Convert_resource_DeviceTaint_To_v1alpha3_DeviceTaint(&in.Taint, &out.Taint, s); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Convert_resource_DeviceTaintRuleSpec_To_v1alpha3_DeviceTaintRuleSpec is an autogenerated conversion function.
+func Convert_resource_DeviceTaintRuleSpec_To_v1alpha3_DeviceTaintRuleSpec(in *resource.DeviceTaintRuleSpec, out *resourcev1alpha3.DeviceTaintRuleSpec, s conversion.Scope) error {
+	return autoConvert_resource_DeviceTaintRuleSpec_To_v1alpha3_DeviceTaintRuleSpec(in, out, s)
+}
+
+func autoConvert_v1alpha3_DeviceTaintSelector_To_resource_DeviceTaintSelector(in *resourcev1alpha3.DeviceTaintSelector, out *resource.DeviceTaintSelector, s conversion.Scope) error {
+	out.DeviceClassName = (*string)(unsafe.Pointer(in.DeviceClassName))
+	out.Driver = (*string)(unsafe.Pointer(in.Driver))
+	out.Pool = (*string)(unsafe.Pointer(in.Pool))
+	out.Device = (*string)(unsafe.Pointer(in.Device))
+	out.Selectors = *(*[]resource.DeviceSelector)(unsafe.Pointer(&in.Selectors))
+	return nil
+}
+
+// Convert_v1alpha3_DeviceTaintSelector_To_resource_DeviceTaintSelector is an autogenerated conversion function.
+func Convert_v1alpha3_DeviceTaintSelector_To_resource_DeviceTaintSelector(in *resourcev1alpha3.DeviceTaintSelector, out *resource.DeviceTaintSelector, s conversion.Scope) error {
+	return autoConvert_v1alpha3_DeviceTaintSelector_To_resource_DeviceTaintSelector(in, out, s)
+}
+
+func autoConvert_resource_DeviceTaintSelector_To_v1alpha3_DeviceTaintSelector(in *resource.DeviceTaintSelector, out *resourcev1alpha3.DeviceTaintSelector, s conversion.Scope) error {
+	out.DeviceClassName = (*string)(unsafe.Pointer(in.DeviceClassName))
+	out.Driver = (*string)(unsafe.Pointer(in.Driver))
+	out.Pool = (*string)(unsafe.Pointer(in.Pool))
+	out.Device = (*string)(unsafe.Pointer(in.Device))
+	out.Selectors = *(*[]resourcev1alpha3.DeviceSelector)(unsafe.Pointer(&in.Selectors))
+	return nil
+}
+
+// Convert_resource_DeviceTaintSelector_To_v1alpha3_DeviceTaintSelector is an autogenerated conversion function.
+func Convert_resource_DeviceTaintSelector_To_v1alpha3_DeviceTaintSelector(in *resource.DeviceTaintSelector, out *resourcev1alpha3.DeviceTaintSelector, s conversion.Scope) error {
+	return autoConvert_resource_DeviceTaintSelector_To_v1alpha3_DeviceTaintSelector(in, out, s)
+}
+
+func autoConvert_v1alpha3_DeviceToleration_To_resource_DeviceToleration(in *resourcev1alpha3.DeviceToleration, out *resource.DeviceToleration, s conversion.Scope) error {
+	out.Key = in.Key
+	out.Operator = resource.DeviceTolerationOperator(in.Operator)
+	out.Value = in.Value
+	out.Effect = resource.DeviceTaintEffect(in.Effect)
+	out.TolerationSeconds = (*int64)(unsafe.Pointer(in.TolerationSeconds))
+	return nil
+}
+
+// Convert_v1alpha3_DeviceToleration_To_resource_DeviceToleration is an autogenerated conversion function.
+func Convert_v1alpha3_DeviceToleration_To_resource_DeviceToleration(in *resourcev1alpha3.DeviceToleration, out *resource.DeviceToleration, s conversion.Scope) error {
+	return autoConvert_v1alpha3_DeviceToleration_To_resource_DeviceToleration(in, out, s)
+}
+
+func autoConvert_resource_DeviceToleration_To_v1alpha3_DeviceToleration(in *resource.DeviceToleration, out *resourcev1alpha3.DeviceToleration, s conversion.Scope) error {
+	out.Key = in.Key
+	out.Operator = resourcev1alpha3.DeviceTolerationOperator(in.Operator)
+	out.Value = in.Value
+	out.Effect = resourcev1alpha3.DeviceTaintEffect(in.Effect)
+	out.TolerationSeconds = (*int64)(unsafe.Pointer(in.TolerationSeconds))
+	return nil
+}
+
+// Convert_resource_DeviceToleration_To_v1alpha3_DeviceToleration is an autogenerated conversion function.
+func Convert_resource_DeviceToleration_To_v1alpha3_DeviceToleration(in *resource.DeviceToleration, out *resourcev1alpha3.DeviceToleration, s conversion.Scope) error {
+	return autoConvert_resource_DeviceToleration_To_v1alpha3_DeviceToleration(in, out, s)
+}
+
 func autoConvert_v1alpha3_NetworkDeviceData_To_resource_NetworkDeviceData(in *resourcev1alpha3.NetworkDeviceData, out *resource.NetworkDeviceData, s conversion.Scope) error {
 	out.InterfaceName = in.InterfaceName
 	out.IPs = *(*[]string)(unsafe.Pointer(&in.IPs))
diff --git a/pkg/apis/resource/v1alpha3/zz_generated.defaults.go b/pkg/apis/resource/v1alpha3/zz_generated.defaults.go
index 67ba496b84f..9fae98af0ba 100644
--- a/pkg/apis/resource/v1alpha3/zz_generated.defaults.go
+++ b/pkg/apis/resource/v1alpha3/zz_generated.defaults.go
@@ -30,6 +30,10 @@ import (
 // Public to allow building arbitrary schemes.
 // All generated defaulters are covering - they call all nested defaulters.
 func RegisterDefaults(scheme *runtime.Scheme) error {
+	scheme.AddTypeDefaultingFunc(&resourcev1alpha3.DeviceTaintRule{}, func(obj interface{}) { SetObjectDefaults_DeviceTaintRule(obj.(*resourcev1alpha3.DeviceTaintRule)) })
+	scheme.AddTypeDefaultingFunc(&resourcev1alpha3.DeviceTaintRuleList{}, func(obj interface{}) {
+		SetObjectDefaults_DeviceTaintRuleList(obj.(*resourcev1alpha3.DeviceTaintRuleList))
+	})
 	scheme.AddTypeDefaultingFunc(&resourcev1alpha3.ResourceClaim{}, func(obj interface{}) { SetObjectDefaults_ResourceClaim(obj.(*resourcev1alpha3.ResourceClaim)) })
 	scheme.AddTypeDefaultingFunc(&resourcev1alpha3.ResourceClaimList{}, func(obj interface{}) { SetObjectDefaults_ResourceClaimList(obj.(*resourcev1alpha3.ResourceClaimList)) })
 	scheme.AddTypeDefaultingFunc(&resourcev1alpha3.ResourceClaimTemplate{}, func(obj interface{}) {
@@ -38,9 +42,22 @@ func RegisterDefaults(scheme *runtime.Scheme) error {
 	scheme.AddTypeDefaultingFunc(&resourcev1alpha3.ResourceClaimTemplateList{}, func(obj interface{}) {
 		SetObjectDefaults_ResourceClaimTemplateList(obj.(*resourcev1alpha3.ResourceClaimTemplateList))
 	})
+	scheme.AddTypeDefaultingFunc(&resourcev1alpha3.ResourceSlice{}, func(obj interface{}) { SetObjectDefaults_ResourceSlice(obj.(*resourcev1alpha3.ResourceSlice)) })
+	scheme.AddTypeDefaultingFunc(&resourcev1alpha3.ResourceSliceList{}, func(obj interface{}) { SetObjectDefaults_ResourceSliceList(obj.(*resourcev1alpha3.ResourceSliceList)) })
 	return nil
 }
 
+func SetObjectDefaults_DeviceTaintRule(in *resourcev1alpha3.DeviceTaintRule) {
+	SetDefaults_DeviceTaint(&in.Spec.Taint)
+}
+
+func SetObjectDefaults_DeviceTaintRuleList(in *resourcev1alpha3.DeviceTaintRuleList) {
+	for i := range in.Items {
+		a := &in.Items[i]
+		SetObjectDefaults_DeviceTaintRule(a)
+	}
+}
+
 func SetObjectDefaults_ResourceClaim(in *resourcev1alpha3.ResourceClaim) {
 	for i := range in.Spec.Devices.Requests {
 		a := &in.Spec.Devices.Requests[i]
@@ -48,6 +65,29 @@ func SetObjectDefaults_ResourceClaim(in *resourcev1alpha3.ResourceClaim) {
 		for j := range a.FirstAvailable {
 			b := &a.FirstAvailable[j]
 			SetDefaults_DeviceSubRequest(b)
+			for k := range b.Tolerations {
+				c := &b.Tolerations[k]
+				if c.Operator == "" {
+					c.Operator = "Equal"
+				}
+			}
+		}
+		for j := range a.Tolerations {
+			b := &a.Tolerations[j]
+			if b.Operator == "" {
+				b.Operator = "Equal"
+			}
+		}
+	}
+	if in.Status.Allocation != nil {
+		for i := range in.Status.Allocation.Devices.Results {
+			a := &in.Status.Allocation.Devices.Results[i]
+			for j := range a.Tolerations {
+				b := &a.Tolerations[j]
+				if b.Operator == "" {
+					b.Operator = "Equal"
+				}
+			}
 		}
 	}
 }
@@ -66,6 +106,18 @@ func SetObjectDefaults_ResourceClaimTemplate(in *resourcev1alpha3.ResourceClaimT
 		for j := range a.FirstAvailable {
 			b := &a.FirstAvailable[j]
 			SetDefaults_DeviceSubRequest(b)
+			for k := range b.Tolerations {
+				c := &b.Tolerations[k]
+				if c.Operator == "" {
+					c.Operator = "Equal"
+				}
+			}
+		}
+		for j := range a.Tolerations {
+			b := &a.Tolerations[j]
+			if b.Operator == "" {
+				b.Operator = "Equal"
+			}
 		}
 	}
 }
@@ -76,3 +128,22 @@ func SetObjectDefaults_ResourceClaimTemplateList(in *resourcev1alpha3.ResourceCl
 		SetObjectDefaults_ResourceClaimTemplate(a)
 	}
 }
+
+func SetObjectDefaults_ResourceSlice(in *resourcev1alpha3.ResourceSlice) {
+	for i := range in.Spec.Devices {
+		a := &in.Spec.Devices[i]
+		if a.Basic != nil {
+			for j := range a.Basic.Taints {
+				b := &a.Basic.Taints[j]
+				SetDefaults_DeviceTaint(b)
+			}
+		}
+	}
+}
+
+func SetObjectDefaults_ResourceSliceList(in *resourcev1alpha3.ResourceSliceList) {
+	for i := range in.Items {
+		a := &in.Items[i]
+		SetObjectDefaults_ResourceSlice(a)
+	}
+}
diff --git a/pkg/apis/resource/v1beta1/zz_generated.conversion.go b/pkg/apis/resource/v1beta1/zz_generated.conversion.go
index e74a848827f..ecafebddddc 100644
--- a/pkg/apis/resource/v1beta1/zz_generated.conversion.go
+++ b/pkg/apis/resource/v1beta1/zz_generated.conversion.go
@@ -251,6 +251,26 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddGeneratedConversionFunc((*resourcev1beta1.DeviceTaint)(nil), (*resource.DeviceTaint)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1beta1_DeviceTaint_To_resource_DeviceTaint(a.(*resourcev1beta1.DeviceTaint), b.(*resource.DeviceTaint), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*resource.DeviceTaint)(nil), (*resourcev1beta1.DeviceTaint)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_resource_DeviceTaint_To_v1beta1_DeviceTaint(a.(*resource.DeviceTaint), b.(*resourcev1beta1.DeviceTaint), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*resourcev1beta1.DeviceToleration)(nil), (*resource.DeviceToleration)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1beta1_DeviceToleration_To_resource_DeviceToleration(a.(*resourcev1beta1.DeviceToleration), b.(*resource.DeviceToleration), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*resource.DeviceToleration)(nil), (*resourcev1beta1.DeviceToleration)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_resource_DeviceToleration_To_v1beta1_DeviceToleration(a.(*resource.DeviceToleration), b.(*resourcev1beta1.DeviceToleration), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddGeneratedConversionFunc((*resourcev1beta1.NetworkDeviceData)(nil), (*resource.NetworkDeviceData)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1beta1_NetworkDeviceData_To_resource_NetworkDeviceData(a.(*resourcev1beta1.NetworkDeviceData), b.(*resource.NetworkDeviceData), scope)
 	}); err != nil {
@@ -453,6 +473,7 @@ func Convert_resource_AllocationResult_To_v1beta1_AllocationResult(in *resource.
 func autoConvert_v1beta1_BasicDevice_To_resource_BasicDevice(in *resourcev1beta1.BasicDevice, out *resource.BasicDevice, s conversion.Scope) error {
 	out.Attributes = *(*map[resource.QualifiedName]resource.DeviceAttribute)(unsafe.Pointer(&in.Attributes))
 	out.Capacity = *(*map[resource.QualifiedName]resource.DeviceCapacity)(unsafe.Pointer(&in.Capacity))
+	out.Taints = *(*[]resource.DeviceTaint)(unsafe.Pointer(&in.Taints))
 	return nil
 }
 
@@ -464,6 +485,7 @@ func Convert_v1beta1_BasicDevice_To_resource_BasicDevice(in *resourcev1beta1.Bas
 func autoConvert_resource_BasicDevice_To_v1beta1_BasicDevice(in *resource.BasicDevice, out *resourcev1beta1.BasicDevice, s conversion.Scope) error {
 	out.Attributes = *(*map[resourcev1beta1.QualifiedName]resourcev1beta1.DeviceAttribute)(unsafe.Pointer(&in.Attributes))
 	out.Capacity = *(*map[resourcev1beta1.QualifiedName]resourcev1beta1.DeviceCapacity)(unsafe.Pointer(&in.Capacity))
+	out.Taints = *(*[]resourcev1beta1.DeviceTaint)(unsafe.Pointer(&in.Taints))
 	return nil
 }
 
@@ -804,6 +826,7 @@ func autoConvert_v1beta1_DeviceRequest_To_resource_DeviceRequest(in *resourcev1b
 	out.Count = in.Count
 	out.AdminAccess = (*bool)(unsafe.Pointer(in.AdminAccess))
 	out.FirstAvailable = *(*[]resource.DeviceSubRequest)(unsafe.Pointer(&in.FirstAvailable))
+	out.Tolerations = *(*[]resource.DeviceToleration)(unsafe.Pointer(&in.Tolerations))
 	return nil
 }
 
@@ -820,6 +843,7 @@ func autoConvert_resource_DeviceRequest_To_v1beta1_DeviceRequest(in *resource.De
 	out.Count = in.Count
 	out.AdminAccess = (*bool)(unsafe.Pointer(in.AdminAccess))
 	out.FirstAvailable = *(*[]resourcev1beta1.DeviceSubRequest)(unsafe.Pointer(&in.FirstAvailable))
+	out.Tolerations = *(*[]resourcev1beta1.DeviceToleration)(unsafe.Pointer(&in.Tolerations))
 	return nil
 }
 
@@ -834,6 +858,7 @@ func autoConvert_v1beta1_DeviceRequestAllocationResult_To_resource_DeviceRequest
 	out.Pool = in.Pool
 	out.Device = in.Device
 	out.AdminAccess = (*bool)(unsafe.Pointer(in.AdminAccess))
+	out.Tolerations = *(*[]resource.DeviceToleration)(unsafe.Pointer(&in.Tolerations))
 	return nil
 }
 
@@ -848,6 +873,7 @@ func autoConvert_resource_DeviceRequestAllocationResult_To_v1beta1_DeviceRequest
 	out.Pool = in.Pool
 	out.Device = in.Device
 	out.AdminAccess = (*bool)(unsafe.Pointer(in.AdminAccess))
+	out.Tolerations = *(*[]resourcev1beta1.DeviceToleration)(unsafe.Pointer(&in.Tolerations))
 	return nil
 }
 
@@ -882,6 +908,7 @@ func autoConvert_v1beta1_DeviceSubRequest_To_resource_DeviceSubRequest(in *resou
 	out.Selectors = *(*[]resource.DeviceSelector)(unsafe.Pointer(&in.Selectors))
 	out.AllocationMode = resource.DeviceAllocationMode(in.AllocationMode)
 	out.Count = in.Count
+	out.Tolerations = *(*[]resource.DeviceToleration)(unsafe.Pointer(&in.Tolerations))
 	return nil
 }
 
@@ -896,6 +923,7 @@ func autoConvert_resource_DeviceSubRequest_To_v1beta1_DeviceSubRequest(in *resou
 	out.Selectors = *(*[]resourcev1beta1.DeviceSelector)(unsafe.Pointer(&in.Selectors))
 	out.AllocationMode = resourcev1beta1.DeviceAllocationMode(in.AllocationMode)
 	out.Count = in.Count
+	out.Tolerations = *(*[]resourcev1beta1.DeviceToleration)(unsafe.Pointer(&in.Tolerations))
 	return nil
 }
 
@@ -904,6 +932,60 @@ func Convert_resource_DeviceSubRequest_To_v1beta1_DeviceSubRequest(in *resource.
 	return autoConvert_resource_DeviceSubRequest_To_v1beta1_DeviceSubRequest(in, out, s)
 }
 
+func autoConvert_v1beta1_DeviceTaint_To_resource_DeviceTaint(in *resourcev1beta1.DeviceTaint, out *resource.DeviceTaint, s conversion.Scope) error {
+	out.Key = in.Key
+	out.Value = in.Value
+	out.Effect = resource.DeviceTaintEffect(in.Effect)
+	out.TimeAdded = (*v1.Time)(unsafe.Pointer(in.TimeAdded))
+	return nil
+}
+
+// Convert_v1beta1_DeviceTaint_To_resource_DeviceTaint is an autogenerated conversion function.
+func Convert_v1beta1_DeviceTaint_To_resource_DeviceTaint(in *resourcev1beta1.DeviceTaint, out *resource.DeviceTaint, s conversion.Scope) error {
+	return autoConvert_v1beta1_DeviceTaint_To_resource_DeviceTaint(in, out, s)
+}
+
+func autoConvert_resource_DeviceTaint_To_v1beta1_DeviceTaint(in *resource.DeviceTaint, out *resourcev1beta1.DeviceTaint, s conversion.Scope) error {
+	out.Key = in.Key
+	out.Value = in.Value
+	out.Effect = resourcev1beta1.DeviceTaintEffect(in.Effect)
+	out.TimeAdded = (*v1.Time)(unsafe.Pointer(in.TimeAdded))
+	return nil
+}
+
+// Convert_resource_DeviceTaint_To_v1beta1_DeviceTaint is an autogenerated conversion function.
+func Convert_resource_DeviceTaint_To_v1beta1_DeviceTaint(in *resource.DeviceTaint, out *resourcev1beta1.DeviceTaint, s conversion.Scope) error {
+	return autoConvert_resource_DeviceTaint_To_v1beta1_DeviceTaint(in, out, s)
+}
+
+func autoConvert_v1beta1_DeviceToleration_To_resource_DeviceToleration(in *resourcev1beta1.DeviceToleration, out *resource.DeviceToleration, s conversion.Scope) error {
+	out.Key = in.Key
+	out.Operator = resource.DeviceTolerationOperator(in.Operator)
+	out.Value = in.Value
+	out.Effect = resource.DeviceTaintEffect(in.Effect)
+	out.TolerationSeconds = (*int64)(unsafe.Pointer(in.TolerationSeconds))
+	return nil
+}
+
+// Convert_v1beta1_DeviceToleration_To_resource_DeviceToleration is an autogenerated conversion function.
+func Convert_v1beta1_DeviceToleration_To_resource_DeviceToleration(in *resourcev1beta1.DeviceToleration, out *resource.DeviceToleration, s conversion.Scope) error {
+	return autoConvert_v1beta1_DeviceToleration_To_resource_DeviceToleration(in, out, s)
+}
+
+func autoConvert_resource_DeviceToleration_To_v1beta1_DeviceToleration(in *resource.DeviceToleration, out *resourcev1beta1.DeviceToleration, s conversion.Scope) error {
+	out.Key = in.Key
+	out.Operator = resourcev1beta1.DeviceTolerationOperator(in.Operator)
+	out.Value = in.Value
+	out.Effect = resourcev1beta1.DeviceTaintEffect(in.Effect)
+	out.TolerationSeconds = (*int64)(unsafe.Pointer(in.TolerationSeconds))
+	return nil
+}
+
+// Convert_resource_DeviceToleration_To_v1beta1_DeviceToleration is an autogenerated conversion function.
+func Convert_resource_DeviceToleration_To_v1beta1_DeviceToleration(in *resource.DeviceToleration, out *resourcev1beta1.DeviceToleration, s conversion.Scope) error {
+	return autoConvert_resource_DeviceToleration_To_v1beta1_DeviceToleration(in, out, s)
+}
+
 func autoConvert_v1beta1_NetworkDeviceData_To_resource_NetworkDeviceData(in *resourcev1beta1.NetworkDeviceData, out *resource.NetworkDeviceData, s conversion.Scope) error {
 	out.InterfaceName = in.InterfaceName
 	out.IPs = *(*[]string)(unsafe.Pointer(&in.IPs))
diff --git a/pkg/apis/resource/v1beta1/zz_generated.defaults.go b/pkg/apis/resource/v1beta1/zz_generated.defaults.go
index 2335929c404..3323ca47a2b 100644
--- a/pkg/apis/resource/v1beta1/zz_generated.defaults.go
+++ b/pkg/apis/resource/v1beta1/zz_generated.defaults.go
@@ -38,6 +38,8 @@ func RegisterDefaults(scheme *runtime.Scheme) error {
 	scheme.AddTypeDefaultingFunc(&resourcev1beta1.ResourceClaimTemplateList{}, func(obj interface{}) {
 		SetObjectDefaults_ResourceClaimTemplateList(obj.(*resourcev1beta1.ResourceClaimTemplateList))
 	})
+	scheme.AddTypeDefaultingFunc(&resourcev1beta1.ResourceSlice{}, func(obj interface{}) { SetObjectDefaults_ResourceSlice(obj.(*resourcev1beta1.ResourceSlice)) })
+	scheme.AddTypeDefaultingFunc(&resourcev1beta1.ResourceSliceList{}, func(obj interface{}) { SetObjectDefaults_ResourceSliceList(obj.(*resourcev1beta1.ResourceSliceList)) })
 	return nil
 }
 
@@ -48,6 +50,29 @@ func SetObjectDefaults_ResourceClaim(in *resourcev1beta1.ResourceClaim) {
 		for j := range a.FirstAvailable {
 			b := &a.FirstAvailable[j]
 			SetDefaults_DeviceSubRequest(b)
+			for k := range b.Tolerations {
+				c := &b.Tolerations[k]
+				if c.Operator == "" {
+					c.Operator = "Equal"
+				}
+			}
+		}
+		for j := range a.Tolerations {
+			b := &a.Tolerations[j]
+			if b.Operator == "" {
+				b.Operator = "Equal"
+			}
+		}
+	}
+	if in.Status.Allocation != nil {
+		for i := range in.Status.Allocation.Devices.Results {
+			a := &in.Status.Allocation.Devices.Results[i]
+			for j := range a.Tolerations {
+				b := &a.Tolerations[j]
+				if b.Operator == "" {
+					b.Operator = "Equal"
+				}
+			}
 		}
 	}
 }
@@ -66,6 +91,18 @@ func SetObjectDefaults_ResourceClaimTemplate(in *resourcev1beta1.ResourceClaimTe
 		for j := range a.FirstAvailable {
 			b := &a.FirstAvailable[j]
 			SetDefaults_DeviceSubRequest(b)
+			for k := range b.Tolerations {
+				c := &b.Tolerations[k]
+				if c.Operator == "" {
+					c.Operator = "Equal"
+				}
+			}
+		}
+		for j := range a.Tolerations {
+			b := &a.Tolerations[j]
+			if b.Operator == "" {
+				b.Operator = "Equal"
+			}
 		}
 	}
 }
@@ -76,3 +113,22 @@ func SetObjectDefaults_ResourceClaimTemplateList(in *resourcev1beta1.ResourceCla
 		SetObjectDefaults_ResourceClaimTemplate(a)
 	}
 }
+
+func SetObjectDefaults_ResourceSlice(in *resourcev1beta1.ResourceSlice) {
+	for i := range in.Spec.Devices {
+		a := &in.Spec.Devices[i]
+		if a.Basic != nil {
+			for j := range a.Basic.Taints {
+				b := &a.Basic.Taints[j]
+				SetDefaults_DeviceTaint(b)
+			}
+		}
+	}
+}
+
+func SetObjectDefaults_ResourceSliceList(in *resourcev1beta1.ResourceSliceList) {
+	for i := range in.Items {
+		a := &in.Items[i]
+		SetObjectDefaults_ResourceSlice(a)
+	}
+}
diff --git a/pkg/apis/resource/zz_generated.deepcopy.go b/pkg/apis/resource/zz_generated.deepcopy.go
index fb893b8528e..f227e27381d 100644
--- a/pkg/apis/resource/zz_generated.deepcopy.go
+++ b/pkg/apis/resource/zz_generated.deepcopy.go
@@ -99,6 +99,13 @@ func (in *BasicDevice) DeepCopyInto(out *BasicDevice) {
 			(*out)[key] = *val.DeepCopy()
 		}
 	}
+	if in.Taints != nil {
+		in, out := &in.Taints, &out.Taints
+		*out = make([]DeviceTaint, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	return
 }
 
@@ -489,6 +496,13 @@ func (in *DeviceRequest) DeepCopyInto(out *DeviceRequest) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.Tolerations != nil {
+		in, out := &in.Tolerations, &out.Tolerations
+		*out = make([]DeviceToleration, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	return
 }
 
@@ -510,6 +524,13 @@ func (in *DeviceRequestAllocationResult) DeepCopyInto(out *DeviceRequestAllocati
 		*out = new(bool)
 		**out = **in
 	}
+	if in.Tolerations != nil {
+		in, out := &in.Tolerations, &out.Tolerations
+		*out = make([]DeviceToleration, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	return
 }
 
@@ -554,6 +575,13 @@ func (in *DeviceSubRequest) DeepCopyInto(out *DeviceSubRequest) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.Tolerations != nil {
+		in, out := &in.Tolerations, &out.Tolerations
+		*out = make([]DeviceToleration, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	return
 }
 
@@ -567,6 +595,172 @@ func (in *DeviceSubRequest) DeepCopy() *DeviceSubRequest {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DeviceTaint) DeepCopyInto(out *DeviceTaint) {
+	*out = *in
+	if in.TimeAdded != nil {
+		in, out := &in.TimeAdded, &out.TimeAdded
+		*out = (*in).DeepCopy()
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeviceTaint.
+func (in *DeviceTaint) DeepCopy() *DeviceTaint {
+	if in == nil {
+		return nil
+	}
+	out := new(DeviceTaint)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DeviceTaintRule) DeepCopyInto(out *DeviceTaintRule) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeviceTaintRule.
+func (in *DeviceTaintRule) DeepCopy() *DeviceTaintRule {
+	if in == nil {
+		return nil
+	}
+	out := new(DeviceTaintRule)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *DeviceTaintRule) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DeviceTaintRuleList) DeepCopyInto(out *DeviceTaintRuleList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]DeviceTaintRule, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeviceTaintRuleList.
+func (in *DeviceTaintRuleList) DeepCopy() *DeviceTaintRuleList {
+	if in == nil {
+		return nil
+	}
+	out := new(DeviceTaintRuleList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *DeviceTaintRuleList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DeviceTaintRuleSpec) DeepCopyInto(out *DeviceTaintRuleSpec) {
+	*out = *in
+	if in.DeviceSelector != nil {
+		in, out := &in.DeviceSelector, &out.DeviceSelector
+		*out = new(DeviceTaintSelector)
+		(*in).DeepCopyInto(*out)
+	}
+	in.Taint.DeepCopyInto(&out.Taint)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeviceTaintRuleSpec.
+func (in *DeviceTaintRuleSpec) DeepCopy() *DeviceTaintRuleSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(DeviceTaintRuleSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DeviceTaintSelector) DeepCopyInto(out *DeviceTaintSelector) {
+	*out = *in
+	if in.DeviceClassName != nil {
+		in, out := &in.DeviceClassName, &out.DeviceClassName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Driver != nil {
+		in, out := &in.Driver, &out.Driver
+		*out = new(string)
+		**out = **in
+	}
+	if in.Pool != nil {
+		in, out := &in.Pool, &out.Pool
+		*out = new(string)
+		**out = **in
+	}
+	if in.Device != nil {
+		in, out := &in.Device, &out.Device
+		*out = new(string)
+		**out = **in
+	}
+	if in.Selectors != nil {
+		in, out := &in.Selectors, &out.Selectors
+		*out = make([]DeviceSelector, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeviceTaintSelector.
+func (in *DeviceTaintSelector) DeepCopy() *DeviceTaintSelector {
+	if in == nil {
+		return nil
+	}
+	out := new(DeviceTaintSelector)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DeviceToleration) DeepCopyInto(out *DeviceToleration) {
+	*out = *in
+	if in.TolerationSeconds != nil {
+		in, out := &in.TolerationSeconds, &out.TolerationSeconds
+		*out = new(int64)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeviceToleration.
+func (in *DeviceToleration) DeepCopy() *DeviceToleration {
+	if in == nil {
+		return nil
+	}
+	out := new(DeviceToleration)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NetworkDeviceData) DeepCopyInto(out *NetworkDeviceData) {
 	*out = *in
diff --git a/pkg/generated/openapi/zz_generated.openapi.go b/pkg/generated/openapi/zz_generated.openapi.go
index 560ea0d573d..70373f4dda4 100644
--- a/pkg/generated/openapi/zz_generated.openapi.go
+++ b/pkg/generated/openapi/zz_generated.openapi.go
@@ -934,6 +934,12 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA
 		"k8s.io/api/resource/v1alpha3.DeviceRequestAllocationResult":                                            schema_k8sio_api_resource_v1alpha3_DeviceRequestAllocationResult(ref),
 		"k8s.io/api/resource/v1alpha3.DeviceSelector":                                                           schema_k8sio_api_resource_v1alpha3_DeviceSelector(ref),
 		"k8s.io/api/resource/v1alpha3.DeviceSubRequest":                                                         schema_k8sio_api_resource_v1alpha3_DeviceSubRequest(ref),
+		"k8s.io/api/resource/v1alpha3.DeviceTaint":                                                              schema_k8sio_api_resource_v1alpha3_DeviceTaint(ref),
+		"k8s.io/api/resource/v1alpha3.DeviceTaintRule":                                                          schema_k8sio_api_resource_v1alpha3_DeviceTaintRule(ref),
+		"k8s.io/api/resource/v1alpha3.DeviceTaintRuleList":                                                      schema_k8sio_api_resource_v1alpha3_DeviceTaintRuleList(ref),
+		"k8s.io/api/resource/v1alpha3.DeviceTaintRuleSpec":                                                      schema_k8sio_api_resource_v1alpha3_DeviceTaintRuleSpec(ref),
+		"k8s.io/api/resource/v1alpha3.DeviceTaintSelector":                                                      schema_k8sio_api_resource_v1alpha3_DeviceTaintSelector(ref),
+		"k8s.io/api/resource/v1alpha3.DeviceToleration":                                                         schema_k8sio_api_resource_v1alpha3_DeviceToleration(ref),
 		"k8s.io/api/resource/v1alpha3.NetworkDeviceData":                                                        schema_k8sio_api_resource_v1alpha3_NetworkDeviceData(ref),
 		"k8s.io/api/resource/v1alpha3.OpaqueDeviceConfiguration":                                                schema_k8sio_api_resource_v1alpha3_OpaqueDeviceConfiguration(ref),
 		"k8s.io/api/resource/v1alpha3.ResourceClaim":                                                            schema_k8sio_api_resource_v1alpha3_ResourceClaim(ref),
@@ -969,6 +975,8 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA
 		"k8s.io/api/resource/v1beta1.DeviceRequestAllocationResult":                                             schema_k8sio_api_resource_v1beta1_DeviceRequestAllocationResult(ref),
 		"k8s.io/api/resource/v1beta1.DeviceSelector":                                                            schema_k8sio_api_resource_v1beta1_DeviceSelector(ref),
 		"k8s.io/api/resource/v1beta1.DeviceSubRequest":                                                          schema_k8sio_api_resource_v1beta1_DeviceSubRequest(ref),
+		"k8s.io/api/resource/v1beta1.DeviceTaint":                                                               schema_k8sio_api_resource_v1beta1_DeviceTaint(ref),
+		"k8s.io/api/resource/v1beta1.DeviceToleration":                                                          schema_k8sio_api_resource_v1beta1_DeviceToleration(ref),
 		"k8s.io/api/resource/v1beta1.NetworkDeviceData":                                                         schema_k8sio_api_resource_v1beta1_NetworkDeviceData(ref),
 		"k8s.io/api/resource/v1beta1.OpaqueDeviceConfiguration":                                                 schema_k8sio_api_resource_v1beta1_OpaqueDeviceConfiguration(ref),
 		"k8s.io/api/resource/v1beta1.ResourceClaim":                                                             schema_k8sio_api_resource_v1beta1_ResourceClaim(ref),
@@ -47134,11 +47142,30 @@ func schema_k8sio_api_resource_v1alpha3_BasicDevice(ref common.ReferenceCallback
 							},
 						},
 					},
+					"taints": {
+						VendorExtensible: spec.VendorExtensible{
+							Extensions: spec.Extensions{
+								"x-kubernetes-list-type": "atomic",
+							},
+						},
+						SchemaProps: spec.SchemaProps{
+							Description: "If specified, these are the driver-defined taints.\n\nThe maximum number of taints is 8.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
+							Type:        []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Default: map[string]interface{}{},
+										Ref:     ref("k8s.io/api/resource/v1alpha3.DeviceTaint"),
+									},
+								},
+							},
+						},
+					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1alpha3.DeviceAttribute", "k8s.io/apimachinery/pkg/api/resource.Quantity"},
+			"k8s.io/api/resource/v1alpha3.DeviceAttribute", "k8s.io/api/resource/v1alpha3.DeviceTaint", "k8s.io/apimachinery/pkg/api/resource.Quantity"},
 	}
 }
 
@@ -47763,12 +47790,31 @@ func schema_k8sio_api_resource_v1alpha3_DeviceRequest(ref common.ReferenceCallba
 							},
 						},
 					},
+					"tolerations": {
+						VendorExtensible: spec.VendorExtensible{
+							Extensions: spec.Extensions{
+								"x-kubernetes-list-type": "atomic",
+							},
+						},
+						SchemaProps: spec.SchemaProps{
+							Description: "If specified, the request's tolerations.\n\nTolerations for NoSchedule are required to allocate a device which has a taint with that effect. The same applies to NoExecute.\n\nIn addition, should any of the allocated devices get tainted with NoExecute after allocation and that effect is not tolerated, then all pods consuming the ResourceClaim get deleted to evict them. The scheduler will not let new pods reserve the claim while it has these tainted devices. Once all pods are evicted, the claim will get deallocated.\n\nThe maximum number of tolerations is 16.\n\nThis field can only be set when deviceClassName is set and no subrequests are specified in the firstAvailable list.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
+							Type:        []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Default: map[string]interface{}{},
+										Ref:     ref("k8s.io/api/resource/v1alpha3.DeviceToleration"),
+									},
+								},
+							},
+						},
+					},
 				},
 				Required: []string{"name"},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1alpha3.DeviceSelector", "k8s.io/api/resource/v1alpha3.DeviceSubRequest"},
+			"k8s.io/api/resource/v1alpha3.DeviceSelector", "k8s.io/api/resource/v1alpha3.DeviceSubRequest", "k8s.io/api/resource/v1alpha3.DeviceToleration"},
 	}
 }
 
@@ -47818,10 +47864,31 @@ func schema_k8sio_api_resource_v1alpha3_DeviceRequestAllocationResult(ref common
 							Format:      "",
 						},
 					},
+					"tolerations": {
+						VendorExtensible: spec.VendorExtensible{
+							Extensions: spec.Extensions{
+								"x-kubernetes-list-type": "atomic",
+							},
+						},
+						SchemaProps: spec.SchemaProps{
+							Description: "A copy of all tolerations specified in the request at the time when the device got allocated.\n\nThe maximum number of tolerations is 16.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
+							Type:        []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Default: map[string]interface{}{},
+										Ref:     ref("k8s.io/api/resource/v1alpha3.DeviceToleration"),
+									},
+								},
+							},
+						},
+					},
 				},
 				Required: []string{"request", "driver", "pool", "device"},
 			},
 		},
+		Dependencies: []string{
+			"k8s.io/api/resource/v1alpha3.DeviceToleration"},
 	}
 }
 
@@ -47902,15 +47969,317 @@ func schema_k8sio_api_resource_v1alpha3_DeviceSubRequest(ref common.ReferenceCal
 							Format:      "int64",
 						},
 					},
+					"tolerations": {
+						VendorExtensible: spec.VendorExtensible{
+							Extensions: spec.Extensions{
+								"x-kubernetes-list-type": "atomic",
+							},
+						},
+						SchemaProps: spec.SchemaProps{
+							Description: "If specified, the request's tolerations.\n\nTolerations for NoSchedule are required to allocate a device which has a taint with that effect. The same applies to NoExecute.\n\nIn addition, should any of the allocated devices get tainted with NoExecute after allocation and that effect is not tolerated, then all pods consuming the ResourceClaim get deleted to evict them. The scheduler will not let new pods reserve the claim while it has these tainted devices. Once all pods are evicted, the claim will get deallocated.\n\nThe maximum number of tolerations is 16.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
+							Type:        []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Default: map[string]interface{}{},
+										Ref:     ref("k8s.io/api/resource/v1alpha3.DeviceToleration"),
+									},
+								},
+							},
+						},
+					},
 				},
 				Required: []string{"name", "deviceClassName"},
 			},
 		},
+		Dependencies: []string{
+			"k8s.io/api/resource/v1alpha3.DeviceSelector", "k8s.io/api/resource/v1alpha3.DeviceToleration"},
+	}
+}
+
+func schema_k8sio_api_resource_v1alpha3_DeviceTaint(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "The device this taint is attached to has the \"effect\" on any claim which does not tolerate the taint and, through the claim, to pods using the claim.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"key": {
+						SchemaProps: spec.SchemaProps{
+							Description: "The taint key to be applied to a device. Must be a label name.",
+							Default:     "",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"value": {
+						SchemaProps: spec.SchemaProps{
+							Description: "The taint value corresponding to the taint key. Must be a label value.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"effect": {
+						SchemaProps: spec.SchemaProps{
+							Description: "The effect of the taint on claims that do not tolerate the taint and through such claims on the pods using them. Valid effects are NoSchedule and NoExecute. PreferNoSchedule as used for nodes is not valid here.\n\n\nPossible enum values:\n - `\"NoExecute\"` Evict any already-running pods that do not tolerate the device taint.\n - `\"NoSchedule\"` Do not allow new pods to schedule which use a tainted device unless they tolerate the taint, but allow all pods submitted to Kubelet without going through the scheduler to start, and allow all already-running pods to continue running.",
+							Default:     "",
+							Type:        []string{"string"},
+							Format:      "",
+							Enum:        []interface{}{"NoExecute", "NoSchedule"},
+						},
+					},
+					"timeAdded": {
+						SchemaProps: spec.SchemaProps{
+							Description: "TimeAdded represents the time at which the taint was added. Added automatically during create or update if not set.",
+							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+						},
+					},
+				},
+				Required: []string{"key", "effect"},
+			},
+		},
+		Dependencies: []string{
+			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+	}
+}
+
+func schema_k8sio_api_resource_v1alpha3_DeviceTaintRule(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "DeviceTaintRule adds one taint to all devices which match the selector. This has the same effect as if the taint was specified directly in the ResourceSlice by the DRA driver.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"apiVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"metadata": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Standard object metadata",
+							Default:     map[string]interface{}{},
+							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+						},
+					},
+					"spec": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Spec specifies the selector and one taint.\n\nChanging the spec automatically increments the metadata.generation number.",
+							Default:     map[string]interface{}{},
+							Ref:         ref("k8s.io/api/resource/v1alpha3.DeviceTaintRuleSpec"),
+						},
+					},
+				},
+				Required: []string{"spec"},
+			},
+		},
+		Dependencies: []string{
+			"k8s.io/api/resource/v1alpha3.DeviceTaintRuleSpec", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+	}
+}
+
+func schema_k8sio_api_resource_v1alpha3_DeviceTaintRuleList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "DeviceTaintRuleList is a collection of DeviceTaintRules.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"apiVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"metadata": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Standard list metadata",
+							Default:     map[string]interface{}{},
+							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+						},
+					},
+					"items": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Items is the list of DeviceTaintRules.",
+							Type:        []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Default: map[string]interface{}{},
+										Ref:     ref("k8s.io/api/resource/v1alpha3.DeviceTaintRule"),
+									},
+								},
+							},
+						},
+					},
+				},
+				Required: []string{"items"},
+			},
+		},
+		Dependencies: []string{
+			"k8s.io/api/resource/v1alpha3.DeviceTaintRule", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+	}
+}
+
+func schema_k8sio_api_resource_v1alpha3_DeviceTaintRuleSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "DeviceTaintRuleSpec specifies the selector and one taint.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"deviceSelector": {
+						SchemaProps: spec.SchemaProps{
+							Description: "DeviceSelector defines which device(s) the taint is applied to. All selector criteria must be satified for a device to match. The empty selector matches all devices. Without a selector, no devices are matches.",
+							Ref:         ref("k8s.io/api/resource/v1alpha3.DeviceTaintSelector"),
+						},
+					},
+					"taint": {
+						SchemaProps: spec.SchemaProps{
+							Description: "The taint that gets applied to matching devices.",
+							Default:     map[string]interface{}{},
+							Ref:         ref("k8s.io/api/resource/v1alpha3.DeviceTaint"),
+						},
+					},
+				},
+				Required: []string{"taint"},
+			},
+		},
+		Dependencies: []string{
+			"k8s.io/api/resource/v1alpha3.DeviceTaint", "k8s.io/api/resource/v1alpha3.DeviceTaintSelector"},
+	}
+}
+
+func schema_k8sio_api_resource_v1alpha3_DeviceTaintSelector(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "DeviceTaintSelector defines which device(s) a DeviceTaintRule applies to. The empty selector matches all devices. Without a selector, no devices are matched.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"deviceClassName": {
+						SchemaProps: spec.SchemaProps{
+							Description: "If DeviceClassName is set, the selectors defined there must be satisfied by a device to be selected. This field corresponds to class.metadata.name.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"driver": {
+						SchemaProps: spec.SchemaProps{
+							Description: "If driver is set, only devices from that driver are selected. This fields corresponds to slice.spec.driver.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"pool": {
+						SchemaProps: spec.SchemaProps{
+							Description: "If pool is set, only devices in that pool are selected.\n\nAlso setting the driver name may be useful to avoid ambiguity when different drivers use the same pool name, but this is not required because selecting pools from different drivers may also be useful, for example when drivers with node-local devices use the node name as their pool name.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"device": {
+						SchemaProps: spec.SchemaProps{
+							Description: "If device is set, only devices with that name are selected. This field corresponds to slice.spec.devices[].name.\n\nSetting also driver and pool may be required to avoid ambiguity, but is not required.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"selectors": {
+						VendorExtensible: spec.VendorExtensible{
+							Extensions: spec.Extensions{
+								"x-kubernetes-list-type": "atomic",
+							},
+						},
+						SchemaProps: spec.SchemaProps{
+							Description: "Selectors contains the same selection criteria as a ResourceClaim. Currently, CEL expressions are supported. All of these selectors must be satisfied.",
+							Type:        []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Default: map[string]interface{}{},
+										Ref:     ref("k8s.io/api/resource/v1alpha3.DeviceSelector"),
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
 		Dependencies: []string{
 			"k8s.io/api/resource/v1alpha3.DeviceSelector"},
 	}
 }
 
+func schema_k8sio_api_resource_v1alpha3_DeviceToleration(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "The ResourceClaim this DeviceToleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"key": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. Must be a label name.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"operator": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a ResourceClaim can tolerate all taints of a particular category.\n\n\nPossible enum values:\n - `\"Equal\"`\n - `\"Exists\"`",
+							Default:     "Equal",
+							Type:        []string{"string"},
+							Format:      "",
+							Enum:        []interface{}{"Equal", "Exists"},
+						},
+					},
+					"value": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Value is the taint value the toleration matches to. If the operator is Exists, the value must be empty, otherwise just a regular string. Must be a label value.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"effect": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule and NoExecute.\n\n\nPossible enum values:\n - `\"NoExecute\"` Evict any already-running pods that do not tolerate the device taint.\n - `\"NoSchedule\"` Do not allow new pods to schedule which use a tainted device unless they tolerate the taint, but allow all pods submitted to Kubelet without going through the scheduler to start, and allow all already-running pods to continue running.",
+							Type:        []string{"string"},
+							Format:      "",
+							Enum:        []interface{}{"NoExecute", "NoSchedule"},
+						},
+					},
+					"tolerationSeconds": {
+						SchemaProps: spec.SchemaProps{
+							Description: "TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. If larger than zero, the time when the pod needs to be evicted is calculated as <time when taint was adedd> + <toleration seconds>.",
+							Type:        []string{"integer"},
+							Format:      "int64",
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
 func schema_k8sio_api_resource_v1alpha3_NetworkDeviceData(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
@@ -48693,11 +49062,30 @@ func schema_k8sio_api_resource_v1beta1_BasicDevice(ref common.ReferenceCallback)
 							},
 						},
 					},
+					"taints": {
+						VendorExtensible: spec.VendorExtensible{
+							Extensions: spec.Extensions{
+								"x-kubernetes-list-type": "atomic",
+							},
+						},
+						SchemaProps: spec.SchemaProps{
+							Description: "If specified, these are the driver-defined taints.\n\nThe maximum number of taints is 8.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
+							Type:        []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Default: map[string]interface{}{},
+										Ref:     ref("k8s.io/api/resource/v1beta1.DeviceTaint"),
+									},
+								},
+							},
+						},
+					},
 				},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta1.DeviceAttribute", "k8s.io/api/resource/v1beta1.DeviceCapacity"},
+			"k8s.io/api/resource/v1beta1.DeviceAttribute", "k8s.io/api/resource/v1beta1.DeviceCapacity", "k8s.io/api/resource/v1beta1.DeviceTaint"},
 	}
 }
 
@@ -49344,12 +49732,31 @@ func schema_k8sio_api_resource_v1beta1_DeviceRequest(ref common.ReferenceCallbac
 							},
 						},
 					},
+					"tolerations": {
+						VendorExtensible: spec.VendorExtensible{
+							Extensions: spec.Extensions{
+								"x-kubernetes-list-type": "atomic",
+							},
+						},
+						SchemaProps: spec.SchemaProps{
+							Description: "If specified, the request's tolerations.\n\nTolerations for NoSchedule are required to allocate a device which has a taint with that effect. The same applies to NoExecute.\n\nIn addition, should any of the allocated devices get tainted with NoExecute after allocation and that effect is not tolerated, then all pods consuming the ResourceClaim get deleted to evict them. The scheduler will not let new pods reserve the claim while it has these tainted devices. Once all pods are evicted, the claim will get deallocated.\n\nThe maximum number of tolerations is 16.\n\nThis field can only be set when deviceClassName is set and no subrequests are specified in the firstAvailable list.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
+							Type:        []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Default: map[string]interface{}{},
+										Ref:     ref("k8s.io/api/resource/v1beta1.DeviceToleration"),
+									},
+								},
+							},
+						},
+					},
 				},
 				Required: []string{"name"},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta1.DeviceSelector", "k8s.io/api/resource/v1beta1.DeviceSubRequest"},
+			"k8s.io/api/resource/v1beta1.DeviceSelector", "k8s.io/api/resource/v1beta1.DeviceSubRequest", "k8s.io/api/resource/v1beta1.DeviceToleration"},
 	}
 }
 
@@ -49399,10 +49806,31 @@ func schema_k8sio_api_resource_v1beta1_DeviceRequestAllocationResult(ref common.
 							Format:      "",
 						},
 					},
+					"tolerations": {
+						VendorExtensible: spec.VendorExtensible{
+							Extensions: spec.Extensions{
+								"x-kubernetes-list-type": "atomic",
+							},
+						},
+						SchemaProps: spec.SchemaProps{
+							Description: "A copy of all tolerations specified in the request at the time when the device got allocated.\n\nThe maximum number of tolerations is 16.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
+							Type:        []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Default: map[string]interface{}{},
+										Ref:     ref("k8s.io/api/resource/v1beta1.DeviceToleration"),
+									},
+								},
+							},
+						},
+					},
 				},
 				Required: []string{"request", "driver", "pool", "device"},
 			},
 		},
+		Dependencies: []string{
+			"k8s.io/api/resource/v1beta1.DeviceToleration"},
 	}
 }
 
@@ -49483,12 +49911,128 @@ func schema_k8sio_api_resource_v1beta1_DeviceSubRequest(ref common.ReferenceCall
 							Format:      "int64",
 						},
 					},
+					"tolerations": {
+						VendorExtensible: spec.VendorExtensible{
+							Extensions: spec.Extensions{
+								"x-kubernetes-list-type": "atomic",
+							},
+						},
+						SchemaProps: spec.SchemaProps{
+							Description: "If specified, the request's tolerations.\n\nTolerations for NoSchedule are required to allocate a device which has a taint with that effect. The same applies to NoExecute.\n\nIn addition, should any of the allocated devices get tainted with NoExecute after allocation and that effect is not tolerated, then all pods consuming the ResourceClaim get deleted to evict them. The scheduler will not let new pods reserve the claim while it has these tainted devices. Once all pods are evicted, the claim will get deallocated.\n\nThe maximum number of tolerations is 16.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
+							Type:        []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Default: map[string]interface{}{},
+										Ref:     ref("k8s.io/api/resource/v1beta1.DeviceToleration"),
+									},
+								},
+							},
+						},
+					},
 				},
 				Required: []string{"name", "deviceClassName"},
 			},
 		},
 		Dependencies: []string{
-			"k8s.io/api/resource/v1beta1.DeviceSelector"},
+			"k8s.io/api/resource/v1beta1.DeviceSelector", "k8s.io/api/resource/v1beta1.DeviceToleration"},
+	}
+}
+
+func schema_k8sio_api_resource_v1beta1_DeviceTaint(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "The device this taint is attached to has the \"effect\" on any claim which does not tolerate the taint and, through the claim, to pods using the claim.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"key": {
+						SchemaProps: spec.SchemaProps{
+							Description: "The taint key to be applied to a device. Must be a label name.",
+							Default:     "",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"value": {
+						SchemaProps: spec.SchemaProps{
+							Description: "The taint value corresponding to the taint key. Must be a label value.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"effect": {
+						SchemaProps: spec.SchemaProps{
+							Description: "The effect of the taint on claims that do not tolerate the taint and through such claims on the pods using them. Valid effects are NoSchedule and NoExecute. PreferNoSchedule as used for nodes is not valid here.\n\n\nPossible enum values:\n - `\"NoExecute\"` Evict any already-running pods that do not tolerate the device taint.\n - `\"NoSchedule\"` Do not allow new pods to schedule which use a tainted device unless they tolerate the taint, but allow all pods submitted to Kubelet without going through the scheduler to start, and allow all already-running pods to continue running.",
+							Default:     "",
+							Type:        []string{"string"},
+							Format:      "",
+							Enum:        []interface{}{"NoExecute", "NoSchedule"},
+						},
+					},
+					"timeAdded": {
+						SchemaProps: spec.SchemaProps{
+							Description: "TimeAdded represents the time at which the taint was added. Added automatically during create or update if not set.",
+							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+						},
+					},
+				},
+				Required: []string{"key", "effect"},
+			},
+		},
+		Dependencies: []string{
+			"k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+	}
+}
+
+func schema_k8sio_api_resource_v1beta1_DeviceToleration(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "The ResourceClaim this DeviceToleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"key": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. Must be a label name.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"operator": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a ResourceClaim can tolerate all taints of a particular category.\n\n\nPossible enum values:\n - `\"Equal\"`\n - `\"Exists\"`",
+							Default:     "Equal",
+							Type:        []string{"string"},
+							Format:      "",
+							Enum:        []interface{}{"Equal", "Exists"},
+						},
+					},
+					"value": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Value is the taint value the toleration matches to. If the operator is Exists, the value must be empty, otherwise just a regular string. Must be a label value.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"effect": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule and NoExecute.\n\n\nPossible enum values:\n - `\"NoExecute\"` Evict any already-running pods that do not tolerate the device taint.\n - `\"NoSchedule\"` Do not allow new pods to schedule which use a tainted device unless they tolerate the taint, but allow all pods submitted to Kubelet without going through the scheduler to start, and allow all already-running pods to continue running.",
+							Type:        []string{"string"},
+							Format:      "",
+							Enum:        []interface{}{"NoExecute", "NoSchedule"},
+						},
+					},
+					"tolerationSeconds": {
+						SchemaProps: spec.SchemaProps{
+							Description: "TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. If larger than zero, the time when the pod needs to be evicted is calculated as <time when taint was adedd> + <toleration seconds>.",
+							Type:        []string{"integer"},
+							Format:      "int64",
+						},
+					},
+				},
+			},
+		},
 	}
 }
 
diff --git a/staging/src/k8s.io/api/resource/v1alpha3/generated.pb.go b/staging/src/k8s.io/api/resource/v1alpha3/generated.pb.go
index ec3586e55e9..008f5ba8e14 100644
--- a/staging/src/k8s.io/api/resource/v1alpha3/generated.pb.go
+++ b/staging/src/k8s.io/api/resource/v1alpha3/generated.pb.go
@@ -610,10 +610,178 @@ func (m *DeviceSubRequest) XXX_DiscardUnknown() {
 
 var xxx_messageInfo_DeviceSubRequest proto.InternalMessageInfo
 
+func (m *DeviceTaint) Reset()      { *m = DeviceTaint{} }
+func (*DeviceTaint) ProtoMessage() {}
+func (*DeviceTaint) Descriptor() ([]byte, []int) {
+	return fileDescriptor_66649ee9bbcd89d2, []int{20}
+}
+func (m *DeviceTaint) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *DeviceTaint) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	b = b[:cap(b)]
+	n, err := m.MarshalToSizedBuffer(b)
+	if err != nil {
+		return nil, err
+	}
+	return b[:n], nil
+}
+func (m *DeviceTaint) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_DeviceTaint.Merge(m, src)
+}
+func (m *DeviceTaint) XXX_Size() int {
+	return m.Size()
+}
+func (m *DeviceTaint) XXX_DiscardUnknown() {
+	xxx_messageInfo_DeviceTaint.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_DeviceTaint proto.InternalMessageInfo
+
+func (m *DeviceTaintRule) Reset()      { *m = DeviceTaintRule{} }
+func (*DeviceTaintRule) ProtoMessage() {}
+func (*DeviceTaintRule) Descriptor() ([]byte, []int) {
+	return fileDescriptor_66649ee9bbcd89d2, []int{21}
+}
+func (m *DeviceTaintRule) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *DeviceTaintRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	b = b[:cap(b)]
+	n, err := m.MarshalToSizedBuffer(b)
+	if err != nil {
+		return nil, err
+	}
+	return b[:n], nil
+}
+func (m *DeviceTaintRule) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_DeviceTaintRule.Merge(m, src)
+}
+func (m *DeviceTaintRule) XXX_Size() int {
+	return m.Size()
+}
+func (m *DeviceTaintRule) XXX_DiscardUnknown() {
+	xxx_messageInfo_DeviceTaintRule.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_DeviceTaintRule proto.InternalMessageInfo
+
+func (m *DeviceTaintRuleList) Reset()      { *m = DeviceTaintRuleList{} }
+func (*DeviceTaintRuleList) ProtoMessage() {}
+func (*DeviceTaintRuleList) Descriptor() ([]byte, []int) {
+	return fileDescriptor_66649ee9bbcd89d2, []int{22}
+}
+func (m *DeviceTaintRuleList) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *DeviceTaintRuleList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	b = b[:cap(b)]
+	n, err := m.MarshalToSizedBuffer(b)
+	if err != nil {
+		return nil, err
+	}
+	return b[:n], nil
+}
+func (m *DeviceTaintRuleList) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_DeviceTaintRuleList.Merge(m, src)
+}
+func (m *DeviceTaintRuleList) XXX_Size() int {
+	return m.Size()
+}
+func (m *DeviceTaintRuleList) XXX_DiscardUnknown() {
+	xxx_messageInfo_DeviceTaintRuleList.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_DeviceTaintRuleList proto.InternalMessageInfo
+
+func (m *DeviceTaintRuleSpec) Reset()      { *m = DeviceTaintRuleSpec{} }
+func (*DeviceTaintRuleSpec) ProtoMessage() {}
+func (*DeviceTaintRuleSpec) Descriptor() ([]byte, []int) {
+	return fileDescriptor_66649ee9bbcd89d2, []int{23}
+}
+func (m *DeviceTaintRuleSpec) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *DeviceTaintRuleSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	b = b[:cap(b)]
+	n, err := m.MarshalToSizedBuffer(b)
+	if err != nil {
+		return nil, err
+	}
+	return b[:n], nil
+}
+func (m *DeviceTaintRuleSpec) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_DeviceTaintRuleSpec.Merge(m, src)
+}
+func (m *DeviceTaintRuleSpec) XXX_Size() int {
+	return m.Size()
+}
+func (m *DeviceTaintRuleSpec) XXX_DiscardUnknown() {
+	xxx_messageInfo_DeviceTaintRuleSpec.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_DeviceTaintRuleSpec proto.InternalMessageInfo
+
+func (m *DeviceTaintSelector) Reset()      { *m = DeviceTaintSelector{} }
+func (*DeviceTaintSelector) ProtoMessage() {}
+func (*DeviceTaintSelector) Descriptor() ([]byte, []int) {
+	return fileDescriptor_66649ee9bbcd89d2, []int{24}
+}
+func (m *DeviceTaintSelector) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *DeviceTaintSelector) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	b = b[:cap(b)]
+	n, err := m.MarshalToSizedBuffer(b)
+	if err != nil {
+		return nil, err
+	}
+	return b[:n], nil
+}
+func (m *DeviceTaintSelector) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_DeviceTaintSelector.Merge(m, src)
+}
+func (m *DeviceTaintSelector) XXX_Size() int {
+	return m.Size()
+}
+func (m *DeviceTaintSelector) XXX_DiscardUnknown() {
+	xxx_messageInfo_DeviceTaintSelector.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_DeviceTaintSelector proto.InternalMessageInfo
+
+func (m *DeviceToleration) Reset()      { *m = DeviceToleration{} }
+func (*DeviceToleration) ProtoMessage() {}
+func (*DeviceToleration) Descriptor() ([]byte, []int) {
+	return fileDescriptor_66649ee9bbcd89d2, []int{25}
+}
+func (m *DeviceToleration) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *DeviceToleration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	b = b[:cap(b)]
+	n, err := m.MarshalToSizedBuffer(b)
+	if err != nil {
+		return nil, err
+	}
+	return b[:n], nil
+}
+func (m *DeviceToleration) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_DeviceToleration.Merge(m, src)
+}
+func (m *DeviceToleration) XXX_Size() int {
+	return m.Size()
+}
+func (m *DeviceToleration) XXX_DiscardUnknown() {
+	xxx_messageInfo_DeviceToleration.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_DeviceToleration proto.InternalMessageInfo
+
 func (m *NetworkDeviceData) Reset()      { *m = NetworkDeviceData{} }
 func (*NetworkDeviceData) ProtoMessage() {}
 func (*NetworkDeviceData) Descriptor() ([]byte, []int) {
-	return fileDescriptor_66649ee9bbcd89d2, []int{20}
+	return fileDescriptor_66649ee9bbcd89d2, []int{26}
 }
 func (m *NetworkDeviceData) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -641,7 +809,7 @@ var xxx_messageInfo_NetworkDeviceData proto.InternalMessageInfo
 func (m *OpaqueDeviceConfiguration) Reset()      { *m = OpaqueDeviceConfiguration{} }
 func (*OpaqueDeviceConfiguration) ProtoMessage() {}
 func (*OpaqueDeviceConfiguration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_66649ee9bbcd89d2, []int{21}
+	return fileDescriptor_66649ee9bbcd89d2, []int{27}
 }
 func (m *OpaqueDeviceConfiguration) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -669,7 +837,7 @@ var xxx_messageInfo_OpaqueDeviceConfiguration proto.InternalMessageInfo
 func (m *ResourceClaim) Reset()      { *m = ResourceClaim{} }
 func (*ResourceClaim) ProtoMessage() {}
 func (*ResourceClaim) Descriptor() ([]byte, []int) {
-	return fileDescriptor_66649ee9bbcd89d2, []int{22}
+	return fileDescriptor_66649ee9bbcd89d2, []int{28}
 }
 func (m *ResourceClaim) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -697,7 +865,7 @@ var xxx_messageInfo_ResourceClaim proto.InternalMessageInfo
 func (m *ResourceClaimConsumerReference) Reset()      { *m = ResourceClaimConsumerReference{} }
 func (*ResourceClaimConsumerReference) ProtoMessage() {}
 func (*ResourceClaimConsumerReference) Descriptor() ([]byte, []int) {
-	return fileDescriptor_66649ee9bbcd89d2, []int{23}
+	return fileDescriptor_66649ee9bbcd89d2, []int{29}
 }
 func (m *ResourceClaimConsumerReference) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -725,7 +893,7 @@ var xxx_messageInfo_ResourceClaimConsumerReference proto.InternalMessageInfo
 func (m *ResourceClaimList) Reset()      { *m = ResourceClaimList{} }
 func (*ResourceClaimList) ProtoMessage() {}
 func (*ResourceClaimList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_66649ee9bbcd89d2, []int{24}
+	return fileDescriptor_66649ee9bbcd89d2, []int{30}
 }
 func (m *ResourceClaimList) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -753,7 +921,7 @@ var xxx_messageInfo_ResourceClaimList proto.InternalMessageInfo
 func (m *ResourceClaimSpec) Reset()      { *m = ResourceClaimSpec{} }
 func (*ResourceClaimSpec) ProtoMessage() {}
 func (*ResourceClaimSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_66649ee9bbcd89d2, []int{25}
+	return fileDescriptor_66649ee9bbcd89d2, []int{31}
 }
 func (m *ResourceClaimSpec) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -781,7 +949,7 @@ var xxx_messageInfo_ResourceClaimSpec proto.InternalMessageInfo
 func (m *ResourceClaimStatus) Reset()      { *m = ResourceClaimStatus{} }
 func (*ResourceClaimStatus) ProtoMessage() {}
 func (*ResourceClaimStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_66649ee9bbcd89d2, []int{26}
+	return fileDescriptor_66649ee9bbcd89d2, []int{32}
 }
 func (m *ResourceClaimStatus) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -809,7 +977,7 @@ var xxx_messageInfo_ResourceClaimStatus proto.InternalMessageInfo
 func (m *ResourceClaimTemplate) Reset()      { *m = ResourceClaimTemplate{} }
 func (*ResourceClaimTemplate) ProtoMessage() {}
 func (*ResourceClaimTemplate) Descriptor() ([]byte, []int) {
-	return fileDescriptor_66649ee9bbcd89d2, []int{27}
+	return fileDescriptor_66649ee9bbcd89d2, []int{33}
 }
 func (m *ResourceClaimTemplate) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -837,7 +1005,7 @@ var xxx_messageInfo_ResourceClaimTemplate proto.InternalMessageInfo
 func (m *ResourceClaimTemplateList) Reset()      { *m = ResourceClaimTemplateList{} }
 func (*ResourceClaimTemplateList) ProtoMessage() {}
 func (*ResourceClaimTemplateList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_66649ee9bbcd89d2, []int{28}
+	return fileDescriptor_66649ee9bbcd89d2, []int{34}
 }
 func (m *ResourceClaimTemplateList) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -865,7 +1033,7 @@ var xxx_messageInfo_ResourceClaimTemplateList proto.InternalMessageInfo
 func (m *ResourceClaimTemplateSpec) Reset()      { *m = ResourceClaimTemplateSpec{} }
 func (*ResourceClaimTemplateSpec) ProtoMessage() {}
 func (*ResourceClaimTemplateSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_66649ee9bbcd89d2, []int{29}
+	return fileDescriptor_66649ee9bbcd89d2, []int{35}
 }
 func (m *ResourceClaimTemplateSpec) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -893,7 +1061,7 @@ var xxx_messageInfo_ResourceClaimTemplateSpec proto.InternalMessageInfo
 func (m *ResourcePool) Reset()      { *m = ResourcePool{} }
 func (*ResourcePool) ProtoMessage() {}
 func (*ResourcePool) Descriptor() ([]byte, []int) {
-	return fileDescriptor_66649ee9bbcd89d2, []int{30}
+	return fileDescriptor_66649ee9bbcd89d2, []int{36}
 }
 func (m *ResourcePool) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -921,7 +1089,7 @@ var xxx_messageInfo_ResourcePool proto.InternalMessageInfo
 func (m *ResourceSlice) Reset()      { *m = ResourceSlice{} }
 func (*ResourceSlice) ProtoMessage() {}
 func (*ResourceSlice) Descriptor() ([]byte, []int) {
-	return fileDescriptor_66649ee9bbcd89d2, []int{31}
+	return fileDescriptor_66649ee9bbcd89d2, []int{37}
 }
 func (m *ResourceSlice) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -949,7 +1117,7 @@ var xxx_messageInfo_ResourceSlice proto.InternalMessageInfo
 func (m *ResourceSliceList) Reset()      { *m = ResourceSliceList{} }
 func (*ResourceSliceList) ProtoMessage() {}
 func (*ResourceSliceList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_66649ee9bbcd89d2, []int{32}
+	return fileDescriptor_66649ee9bbcd89d2, []int{38}
 }
 func (m *ResourceSliceList) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -977,7 +1145,7 @@ var xxx_messageInfo_ResourceSliceList proto.InternalMessageInfo
 func (m *ResourceSliceSpec) Reset()      { *m = ResourceSliceSpec{} }
 func (*ResourceSliceSpec) ProtoMessage() {}
 func (*ResourceSliceSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_66649ee9bbcd89d2, []int{33}
+	return fileDescriptor_66649ee9bbcd89d2, []int{39}
 }
 func (m *ResourceSliceSpec) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -1025,6 +1193,12 @@ func init() {
 	proto.RegisterType((*DeviceRequestAllocationResult)(nil), "k8s.io.api.resource.v1alpha3.DeviceRequestAllocationResult")
 	proto.RegisterType((*DeviceSelector)(nil), "k8s.io.api.resource.v1alpha3.DeviceSelector")
 	proto.RegisterType((*DeviceSubRequest)(nil), "k8s.io.api.resource.v1alpha3.DeviceSubRequest")
+	proto.RegisterType((*DeviceTaint)(nil), "k8s.io.api.resource.v1alpha3.DeviceTaint")
+	proto.RegisterType((*DeviceTaintRule)(nil), "k8s.io.api.resource.v1alpha3.DeviceTaintRule")
+	proto.RegisterType((*DeviceTaintRuleList)(nil), "k8s.io.api.resource.v1alpha3.DeviceTaintRuleList")
+	proto.RegisterType((*DeviceTaintRuleSpec)(nil), "k8s.io.api.resource.v1alpha3.DeviceTaintRuleSpec")
+	proto.RegisterType((*DeviceTaintSelector)(nil), "k8s.io.api.resource.v1alpha3.DeviceTaintSelector")
+	proto.RegisterType((*DeviceToleration)(nil), "k8s.io.api.resource.v1alpha3.DeviceToleration")
 	proto.RegisterType((*NetworkDeviceData)(nil), "k8s.io.api.resource.v1alpha3.NetworkDeviceData")
 	proto.RegisterType((*OpaqueDeviceConfiguration)(nil), "k8s.io.api.resource.v1alpha3.OpaqueDeviceConfiguration")
 	proto.RegisterType((*ResourceClaim)(nil), "k8s.io.api.resource.v1alpha3.ResourceClaim")
@@ -1046,138 +1220,160 @@ func init() {
 }
 
 var fileDescriptor_66649ee9bbcd89d2 = []byte{
-	// 2087 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x3a, 0xcb, 0x73, 0x1c, 0x47,
-	0xf9, 0x9a, 0x9d, 0xd5, 0xeb, 0x5b, 0xbd, 0xdc, 0xfe, 0xd9, 0xbf, 0xb5, 0x08, 0xbb, 0xf2, 0x84,
-	0x02, 0x39, 0x71, 0x76, 0x63, 0x39, 0x95, 0x04, 0xcc, 0x01, 0xad, 0x24, 0x1b, 0x19, 0x5b, 0x96,
-	0x5b, 0x89, 0x0b, 0x43, 0x30, 0xb4, 0x66, 0x5b, 0xd2, 0xa0, 0xd9, 0x99, 0xcd, 0x74, 0xcf, 0x3a,
-	0xba, 0x50, 0x29, 0xfe, 0x00, 0x17, 0xff, 0x00, 0x95, 0x1b, 0x55, 0x5c, 0x80, 0xff, 0x00, 0xaa,
-	0xa0, 0x0a, 0x17, 0x5c, 0x5c, 0x15, 0x0e, 0x39, 0x2d, 0xf1, 0x52, 0x9c, 0x39, 0x70, 0xf3, 0x89,
-	0xea, 0x9e, 0x9e, 0xe7, 0xee, 0x48, 0xa3, 0x10, 0x54, 0xa1, 0x8a, 0x9b, 0xe6, 0x7b, 0xf7, 0xf7,
-	0xea, 0xef, 0xeb, 0x15, 0x5c, 0x3d, 0x7c, 0x9b, 0x35, 0x2c, 0xb7, 0x49, 0xba, 0x56, 0xd3, 0xa3,
-	0xcc, 0xf5, 0x3d, 0x93, 0x36, 0x7b, 0xd7, 0x88, 0xdd, 0x3d, 0x20, 0xd7, 0x9b, 0xfb, 0xd4, 0xa1,
-	0x1e, 0xe1, 0xb4, 0xdd, 0xe8, 0x7a, 0x2e, 0x77, 0xd1, 0x4b, 0x01, 0x75, 0x83, 0x74, 0xad, 0x46,
-	0x48, 0xdd, 0x08, 0xa9, 0x17, 0x5f, 0xdb, 0xb7, 0xf8, 0x81, 0xbf, 0xdb, 0x30, 0xdd, 0x4e, 0x73,
-	0xdf, 0xdd, 0x77, 0x9b, 0x92, 0x69, 0xd7, 0xdf, 0x93, 0x5f, 0xf2, 0x43, 0xfe, 0x15, 0x08, 0x5b,
-	0x34, 0x12, 0xaa, 0x4d, 0xd7, 0x13, 0x6a, 0xb3, 0x0a, 0x17, 0xdf, 0x88, 0x69, 0x3a, 0xc4, 0x3c,
-	0xb0, 0x1c, 0xea, 0x1d, 0x35, 0xbb, 0x87, 0xfb, 0x69, 0x7b, 0x4f, 0xc3, 0xc5, 0x9a, 0x1d, 0xca,
-	0xc9, 0x28, 0x5d, 0xcd, 0x3c, 0x2e, 0xcf, 0x77, 0xb8, 0xd5, 0x19, 0x56, 0xf3, 0xe6, 0x49, 0x0c,
-	0xcc, 0x3c, 0xa0, 0x1d, 0x92, 0xe5, 0x33, 0x3e, 0xd2, 0xe1, 0xc2, 0xaa, 0x6d, 0xbb, 0xa6, 0x80,
-	0xad, 0xd3, 0x9e, 0x65, 0xd2, 0x1d, 0x4e, 0xb8, 0xcf, 0xd0, 0x57, 0x61, 0xa2, 0xed, 0x59, 0x3d,
-	0xea, 0x55, 0xb5, 0x25, 0x6d, 0x79, 0xba, 0x35, 0xf7, 0xb4, 0x5f, 0x1f, 0x1b, 0xf4, 0xeb, 0x13,
-	0xeb, 0x12, 0x8a, 0x15, 0x16, 0x2d, 0x41, 0xb9, 0xeb, 0xba, 0x76, 0xb5, 0x24, 0xa9, 0x66, 0x14,
-	0x55, 0x79, 0xdb, 0x75, 0x6d, 0x2c, 0x31, 0x52, 0x92, 0x94, 0x5c, 0xd5, 0x33, 0x92, 0x24, 0x14,
-	0x2b, 0x2c, 0x32, 0x01, 0x4c, 0xd7, 0x69, 0x5b, 0xdc, 0x72, 0x1d, 0x56, 0x2d, 0x2f, 0xe9, 0xcb,
-	0x95, 0x95, 0x66, 0x23, 0x0e, 0x73, 0x74, 0xb0, 0x46, 0xf7, 0x70, 0x5f, 0x00, 0x58, 0x43, 0xf8,
-	0xaf, 0xd1, 0xbb, 0xd6, 0x58, 0x0b, 0xf9, 0x5a, 0x48, 0x09, 0x87, 0x08, 0xc4, 0x70, 0x42, 0x2c,
-	0xfa, 0x0e, 0x94, 0xdb, 0x84, 0x93, 0xea, 0xf8, 0x92, 0xb6, 0x5c, 0x59, 0x79, 0x2d, 0x57, 0xbc,
-	0xf2, 0x5b, 0x03, 0x93, 0xc7, 0x1b, 0x1f, 0x70, 0xea, 0x30, 0x21, 0x7c, 0x4a, 0x9c, 0x6c, 0x9d,
-	0x70, 0x82, 0xa5, 0x10, 0xb4, 0x0b, 0x15, 0x87, 0xf2, 0xc7, 0xae, 0x77, 0x28, 0x80, 0xd5, 0x09,
-	0x29, 0x33, 0x69, 0xf2, 0x70, 0x66, 0x36, 0xb6, 0x14, 0x83, 0x3c, 0xb3, 0x60, 0x6b, 0xcd, 0x0f,
-	0xfa, 0xf5, 0xca, 0x56, 0x2c, 0x07, 0x27, 0x85, 0x1a, 0x7f, 0xd6, 0x60, 0x41, 0x45, 0xc8, 0x72,
-	0x1d, 0x4c, 0x99, 0x6f, 0x73, 0xf4, 0x43, 0x98, 0x0c, 0x9c, 0xc6, 0x64, 0x74, 0x2a, 0x2b, 0x6f,
-	0x1c, 0xaf, 0x34, 0xd0, 0x96, 0x15, 0xd3, 0x9a, 0x57, 0xce, 0x9a, 0x0c, 0xf0, 0x0c, 0x87, 0x52,
-	0xd1, 0x03, 0x98, 0x71, 0xdc, 0x36, 0xdd, 0xa1, 0x36, 0x35, 0xb9, 0xeb, 0xc9, 0xc8, 0x55, 0x56,
-	0x96, 0x92, 0x5a, 0x44, 0x9d, 0x08, 0xdf, 0x6f, 0x25, 0xe8, 0x5a, 0x0b, 0x83, 0x7e, 0x7d, 0x26,
-	0x09, 0xc1, 0x29, 0x39, 0xc6, 0xa7, 0x3a, 0x54, 0x5a, 0x84, 0x59, 0x66, 0xa0, 0x11, 0xfd, 0x04,
-	0x80, 0x70, 0xee, 0x59, 0xbb, 0x3e, 0x97, 0x67, 0x11, 0x31, 0xff, 0xfa, 0xf1, 0x67, 0x49, 0xb0,
-	0x37, 0x56, 0x23, 0xde, 0x0d, 0x87, 0x7b, 0x47, 0xad, 0x97, 0xc3, 0xe8, 0xc7, 0x88, 0x9f, 0xfe,
-	0xb5, 0x3e, 0x7b, 0xdf, 0x27, 0xb6, 0xb5, 0x67, 0xd1, 0xf6, 0x16, 0xe9, 0x50, 0x9c, 0xd0, 0x88,
-	0x7a, 0x30, 0x65, 0x92, 0x2e, 0x31, 0x2d, 0x7e, 0x54, 0x2d, 0x49, 0xed, 0x6f, 0x15, 0xd7, 0xbe,
-	0xa6, 0x38, 0x03, 0xdd, 0x97, 0x95, 0xee, 0xa9, 0x10, 0x3c, 0xac, 0x39, 0xd2, 0xb5, 0x68, 0xc3,
-	0x7c, 0xc6, 0x76, 0xb4, 0x00, 0xfa, 0x21, 0x3d, 0x0a, 0xaa, 0x0d, 0x8b, 0x3f, 0xd1, 0x1a, 0x8c,
-	0xf7, 0x88, 0xed, 0x53, 0x59, 0x5b, 0xe9, 0x64, 0xcd, 0x8f, 0x71, 0x28, 0x15, 0x07, 0xbc, 0xdf,
-	0x28, 0xbd, 0xad, 0x2d, 0x1e, 0xc2, 0x6c, 0xca, 0xd6, 0x11, 0xba, 0xd6, 0xd3, 0xba, 0x1a, 0xc7,
-	0xd5, 0x5d, 0xac, 0xfc, 0xbe, 0x4f, 0x1c, 0x6e, 0xf1, 0xa3, 0x84, 0x32, 0xe3, 0x16, 0x9c, 0x5b,
-	0xdb, 0xb8, 0xa3, 0x7a, 0x89, 0x8a, 0x3b, 0x5a, 0x01, 0xa0, 0x1f, 0x74, 0x3d, 0xca, 0x44, 0x1d,
-	0xa9, 0x8e, 0x12, 0x95, 0xea, 0x46, 0x84, 0xc1, 0x09, 0x2a, 0xa3, 0x07, 0xaa, 0x43, 0x88, 0x1e,
-	0xe3, 0x90, 0x0e, 0x55, 0x7c, 0x51, 0x8f, 0x91, 0x3e, 0x95, 0x18, 0x74, 0x1b, 0xc6, 0x77, 0x45,
-	0x64, 0x94, 0xf9, 0x57, 0x0a, 0x07, 0xb1, 0x35, 0x3d, 0xe8, 0xd7, 0xc7, 0x25, 0x00, 0x07, 0x22,
-	0x8c, 0x27, 0x25, 0xf8, 0x72, 0xb6, 0x60, 0xd6, 0x5c, 0x67, 0xcf, 0xda, 0xf7, 0x3d, 0xf9, 0x81,
-	0xbe, 0x05, 0x13, 0x81, 0x48, 0x65, 0xd1, 0x72, 0xd8, 0xd1, 0x76, 0x24, 0xf4, 0x45, 0xbf, 0x7e,
-	0x31, 0xcb, 0x1a, 0x60, 0xb0, 0xe2, 0x43, 0xcb, 0x30, 0xe5, 0xd1, 0xf7, 0x7d, 0xca, 0x38, 0x93,
-	0x79, 0x37, 0xdd, 0x9a, 0x11, 0xa9, 0x83, 0x15, 0x0c, 0x47, 0x58, 0xf4, 0xa1, 0x06, 0xe7, 0x83,
-	0xaa, 0x4c, 0xd9, 0xa0, 0x2a, 0xf2, 0x5a, 0x91, 0x9c, 0x48, 0x31, 0xb6, 0xbe, 0xa4, 0x8c, 0x3d,
-	0x3f, 0x02, 0x89, 0x47, 0xa9, 0x32, 0xfe, 0xae, 0xc1, 0xc5, 0xd1, 0x1d, 0x04, 0xed, 0xc1, 0xa4,
-	0x27, 0xff, 0x0a, 0x8b, 0xf7, 0x46, 0x11, 0x83, 0xd4, 0x31, 0xf3, 0xfb, 0x51, 0xf0, 0xcd, 0x70,
-	0x28, 0x1c, 0x99, 0x30, 0x61, 0x4a, 0x9b, 0x54, 0x95, 0xde, 0x38, 0x5d, 0xbf, 0x4b, 0x7b, 0x20,
-	0xba, 0x80, 0x02, 0x30, 0x56, 0xa2, 0x8d, 0x5f, 0x6a, 0x30, 0x9f, 0xa9, 0x22, 0x54, 0x03, 0xdd,
-	0x72, 0xb8, 0x4c, 0x2b, 0x3d, 0x88, 0xd1, 0xa6, 0xc3, 0x1f, 0x88, 0x64, 0xc7, 0x02, 0x81, 0x2e,
-	0x43, 0x79, 0x57, 0x5c, 0x7f, 0x22, 0x1c, 0x53, 0xad, 0xd9, 0x41, 0xbf, 0x3e, 0xdd, 0x72, 0x5d,
-	0x3b, 0xa0, 0x90, 0x28, 0xf4, 0x35, 0x98, 0x60, 0xdc, 0xb3, 0x9c, 0xfd, 0x6a, 0x59, 0x66, 0x8b,
-	0xec, 0xf7, 0x3b, 0x12, 0x12, 0x90, 0x29, 0x34, 0x7a, 0x05, 0x26, 0x7b, 0xd4, 0x93, 0x15, 0x32,
-	0x2e, 0x29, 0x65, 0x37, 0x7d, 0x10, 0x80, 0x02, 0xd2, 0x90, 0xc0, 0xf8, 0x75, 0x09, 0x2a, 0x2a,
-	0x80, 0x36, 0xb1, 0x3a, 0xe8, 0x61, 0x22, 0xa1, 0x82, 0x48, 0xbc, 0x7a, 0x8a, 0x48, 0xb4, 0x16,
-	0xc2, 0xe6, 0x35, 0x22, 0x03, 0x29, 0x54, 0x4c, 0xd7, 0x61, 0xdc, 0x23, 0x96, 0xa3, 0xd2, 0x35,
-	0xdd, 0x20, 0x8e, 0x4b, 0x3c, 0xc5, 0xd6, 0x3a, 0xaf, 0x14, 0x54, 0x62, 0x18, 0xc3, 0x49, 0xb9,
-	0xe8, 0x51, 0x14, 0x62, 0x5d, 0x6a, 0x78, 0xb3, 0x90, 0x06, 0x71, 0xf8, 0x62, 0xd1, 0xfd, 0xa3,
-	0x06, 0xd5, 0x3c, 0xa6, 0x54, 0x3d, 0x6a, 0x9f, 0xa9, 0x1e, 0x4b, 0x67, 0x57, 0x8f, 0xbf, 0xd3,
-	0x12, 0xb1, 0x67, 0x0c, 0xfd, 0x08, 0xa6, 0xc4, 0x20, 0x24, 0xe7, 0x9a, 0x60, 0x1c, 0x78, 0xbd,
-	0xd8, 0xd8, 0x74, 0x6f, 0xf7, 0xc7, 0xd4, 0xe4, 0x77, 0x29, 0x27, 0x71, 0x33, 0x8e, 0x61, 0x38,
-	0x92, 0x8a, 0xee, 0x41, 0x99, 0x75, 0xa9, 0x79, 0x9a, 0x8b, 0x48, 0x9a, 0xb6, 0xd3, 0xa5, 0x66,
-	0xdc, 0xaf, 0xc5, 0x17, 0x96, 0x82, 0x8c, 0x9f, 0x27, 0x83, 0xc1, 0x58, 0x3a, 0x18, 0x79, 0x2e,
-	0xd6, 0xce, 0xce, 0xc5, 0xbf, 0x8d, 0x5a, 0x81, 0xb4, 0xef, 0x8e, 0xc5, 0x38, 0x7a, 0x6f, 0xc8,
-	0xcd, 0x8d, 0x62, 0x6e, 0x16, 0xdc, 0xd2, 0xc9, 0x51, 0x95, 0x85, 0x90, 0x84, 0x8b, 0xb7, 0x60,
-	0xdc, 0xe2, 0xb4, 0x13, 0xd6, 0xd7, 0x95, 0xc2, 0x3e, 0x6e, 0xcd, 0x2a, 0xa9, 0xe3, 0x9b, 0x82,
-	0x1f, 0x07, 0x62, 0x8c, 0x67, 0xe9, 0x13, 0x08, 0xdf, 0xa3, 0x1f, 0xc0, 0x34, 0x53, 0x37, 0x72,
-	0xd8, 0x25, 0xae, 0x16, 0xd1, 0x13, 0x8d, 0x77, 0xe7, 0x94, 0xaa, 0xe9, 0x10, 0xc2, 0x70, 0x2c,
-	0x31, 0x51, 0xc1, 0xa5, 0x53, 0x55, 0x70, 0x26, 0xfe, 0xb9, 0x15, 0xec, 0xc1, 0xa8, 0x00, 0xa2,
-	0xef, 0xc3, 0x84, 0xdb, 0x25, 0xef, 0xfb, 0x54, 0x45, 0xe5, 0x84, 0x09, 0xee, 0x9e, 0xa4, 0x1d,
-	0x95, 0x26, 0x20, 0x74, 0x06, 0x68, 0xac, 0x44, 0x1a, 0x4f, 0x34, 0x58, 0xc8, 0x36, 0xb3, 0x53,
-	0x74, 0x8b, 0x6d, 0x98, 0xeb, 0x10, 0x6e, 0x1e, 0x44, 0x17, 0x8a, 0xda, 0x93, 0x96, 0x07, 0xfd,
-	0xfa, 0xdc, 0xdd, 0x14, 0xe6, 0x45, 0xbf, 0x8e, 0x6e, 0xfa, 0xb6, 0x7d, 0x94, 0x9e, 0x19, 0x33,
-	0xfc, 0xc6, 0x3f, 0x75, 0x98, 0x4d, 0xf5, 0xee, 0x02, 0xd3, 0xd1, 0x2a, 0xcc, 0xb7, 0x63, 0x67,
-	0x0b, 0x84, 0x32, 0xe3, 0xff, 0x15, 0x71, 0x32, 0x53, 0x24, 0x5f, 0x96, 0x3e, 0x9d, 0x3a, 0xfa,
-	0xe7, 0x9e, 0x3a, 0x0f, 0x60, 0x8e, 0x44, 0xb7, 0xf5, 0x5d, 0xb7, 0x4d, 0xd5, 0x5d, 0xd9, 0x50,
-	0x5c, 0x73, 0xab, 0x29, 0xec, 0x8b, 0x7e, 0xfd, 0xff, 0xb2, 0x77, 0xbc, 0x80, 0xe3, 0x8c, 0x14,
-	0xf4, 0x32, 0x8c, 0x9b, 0xae, 0xef, 0x70, 0x79, 0xa1, 0xea, 0x71, 0xa9, 0xac, 0x09, 0x20, 0x0e,
-	0x70, 0xe8, 0x1a, 0x54, 0x48, 0xbb, 0x63, 0x39, 0xab, 0xa6, 0x49, 0x19, 0x93, 0x6b, 0xdc, 0x54,
-	0x70, 0x4b, 0xaf, 0xc6, 0x60, 0x9c, 0xa4, 0x41, 0x0e, 0xcc, 0xed, 0x59, 0x1e, 0xe3, 0xab, 0x3d,
-	0x62, 0xd9, 0x64, 0xd7, 0xa6, 0xd5, 0xc9, 0xe2, 0xd7, 0xe2, 0x8e, 0xbf, 0x1b, 0xde, 0xbb, 0x17,
-	0xc3, 0xf3, 0xdd, 0x4c, 0x49, 0xc3, 0x19, 0xe9, 0xc6, 0x3f, 0xb4, 0x70, 0x26, 0xcd, 0x99, 0x9d,
-	0xd0, 0x15, 0x31, 0x89, 0x49, 0x94, 0x4a, 0x84, 0xc4, 0x30, 0x25, 0xc1, 0x38, 0xc4, 0x27, 0x56,
-	0xfb, 0x52, 0xa1, 0xd5, 0x5e, 0x2f, 0xb0, 0xda, 0x97, 0x8f, 0x5d, 0xed, 0x33, 0x1e, 0x1e, 0x3f,
-	0xd9, 0xc3, 0xc6, 0x7b, 0x30, 0x97, 0xd9, 0x21, 0x6e, 0x83, 0x6e, 0x52, 0x5b, 0x15, 0xf9, 0x09,
-	0x5b, 0xf6, 0xd0, 0x06, 0xd2, 0x9a, 0x1c, 0xf4, 0xeb, 0xfa, 0xda, 0xc6, 0x1d, 0x2c, 0x84, 0x18,
-	0x1f, 0x97, 0xc2, 0xb2, 0x8e, 0x83, 0xf1, 0xbf, 0x42, 0xfa, 0x37, 0x0b, 0xc9, 0xf8, 0x95, 0x06,
-	0xe7, 0x86, 0xde, 0x37, 0xd0, 0x0d, 0x98, 0xb5, 0x1c, 0x4e, 0xbd, 0x3d, 0x62, 0xd2, 0xad, 0xd8,
-	0xbf, 0x17, 0x94, 0x88, 0xd9, 0xcd, 0x24, 0x12, 0xa7, 0x69, 0xd1, 0x25, 0xd0, 0xad, 0x6e, 0xb8,
-	0x23, 0xc9, 0x18, 0x6e, 0x6e, 0x33, 0x2c, 0x60, 0x22, 0x18, 0x07, 0xc4, 0x6b, 0x3f, 0x26, 0x1e,
-	0x5d, 0x6d, 0xb7, 0xc5, 0xd6, 0xa8, 0x32, 0x35, 0x0a, 0xc6, 0xb7, 0xd3, 0x68, 0x9c, 0xa5, 0x37,
-	0x7e, 0xa1, 0xc1, 0xa5, 0xdc, 0xfb, 0xa0, 0xf0, 0x13, 0x18, 0x01, 0xe8, 0x12, 0x8f, 0x74, 0x28,
-	0xa7, 0x1e, 0x1b, 0x31, 0x23, 0x15, 0x78, 0x59, 0x8a, 0xc6, 0xaf, 0xed, 0x48, 0x10, 0x4e, 0x08,
-	0x35, 0x3e, 0x2a, 0xc1, 0x2c, 0x56, 0x99, 0x11, 0x0c, 0xfc, 0xff, 0xf9, 0xa1, 0xef, 0x7e, 0x6a,
-	0xe8, 0x3b, 0xa1, 0xe0, 0x52, 0xc6, 0xe5, 0x8d, 0x7d, 0xe8, 0xa1, 0x58, 0x85, 0x08, 0xf7, 0x59,
-	0xb1, 0xf5, 0x35, 0x2d, 0x54, 0x32, 0xc6, 0x41, 0x08, 0xbe, 0xb1, 0x12, 0x68, 0x0c, 0x34, 0xa8,
-	0xa5, 0xe8, 0xc5, 0x7d, 0xed, 0x77, 0xa8, 0x87, 0xe9, 0x1e, 0xf5, 0xa8, 0x63, 0x52, 0x74, 0x15,
-	0xa6, 0x48, 0xd7, 0xba, 0xe5, 0xb9, 0x7e, 0x57, 0x45, 0x34, 0x1a, 0xc8, 0x56, 0xb7, 0x37, 0x25,
-	0x1c, 0x47, 0x14, 0x82, 0x3a, 0xb4, 0x48, 0xe5, 0x55, 0x62, 0x49, 0x0a, 0xe0, 0x38, 0xa2, 0x88,
-	0x7a, 0x47, 0x39, 0xb7, 0x77, 0xb4, 0x40, 0xf7, 0xad, 0xb6, 0xda, 0xec, 0x5e, 0x57, 0x04, 0xfa,
-	0xbb, 0x9b, 0xeb, 0x2f, 0xfa, 0xf5, 0xcb, 0x79, 0xcf, 0xb7, 0xfc, 0xa8, 0x4b, 0x59, 0xe3, 0xdd,
-	0xcd, 0x75, 0x2c, 0x98, 0x8d, 0xdf, 0x6b, 0x70, 0x2e, 0x75, 0xc8, 0x33, 0x18, 0x4c, 0xb7, 0xd3,
-	0x83, 0xe9, 0xab, 0xa7, 0x08, 0x59, 0xce, 0x68, 0x6a, 0x65, 0x0e, 0x21, 0x67, 0xd3, 0x77, 0xb2,
-	0x4f, 0x9a, 0x57, 0x0a, 0xef, 0x7f, 0xf9, 0xef, 0x98, 0xc6, 0x9f, 0x4a, 0x70, 0x7e, 0x44, 0x16,
-	0xa1, 0x47, 0x00, 0x71, 0x83, 0x1b, 0xe1, 0xb4, 0x11, 0x0a, 0x87, 0x5e, 0x2b, 0xe6, 0xe4, 0x43,
-	0x63, 0x0c, 0x4d, 0x48, 0x44, 0x0c, 0x2a, 0x1e, 0x65, 0xd4, 0xeb, 0xd1, 0xf6, 0x4d, 0xd7, 0x53,
-	0xae, 0xfb, 0xe6, 0x29, 0x5c, 0x37, 0x94, 0xbd, 0xf1, 0x06, 0x8d, 0x63, 0xc1, 0x38, 0xa9, 0x05,
-	0x3d, 0x8a, 0x5d, 0x18, 0xbc, 0x9e, 0x5f, 0x2f, 0x74, 0xa2, 0xf4, 0xc3, 0xff, 0x31, 0xce, 0xfc,
-	0x8b, 0x06, 0x17, 0x52, 0x46, 0xbe, 0x43, 0x3b, 0x5d, 0x9b, 0x70, 0x7a, 0x06, 0xcd, 0xe8, 0x61,
-	0xaa, 0x19, 0xbd, 0x75, 0x0a, 0x4f, 0x86, 0x46, 0xe6, 0xee, 0xa2, 0x1f, 0x6b, 0x70, 0x69, 0x24,
-	0xc7, 0x19, 0x14, 0xd7, 0x77, 0xd3, 0xc5, 0x75, 0xfd, 0x33, 0x9c, 0x2b, 0x7f, 0xff, 0xbb, 0x94,
-	0xeb, 0x87, 0xff, 0xca, 0xdb, 0xc3, 0xf8, 0x8d, 0x06, 0x33, 0x21, 0xa5, 0x18, 0x42, 0x0b, 0x0c,
-	0x6c, 0x2b, 0x00, 0xea, 0x27, 0xaf, 0xf0, 0x8d, 0x46, 0x8f, 0xed, 0xbe, 0x15, 0x61, 0x70, 0x82,
-	0x0a, 0xdd, 0x06, 0x14, 0x5a, 0xb8, 0x63, 0xcb, 0xa1, 0x40, 0xcc, 0x3d, 0xba, 0xe4, 0x5d, 0x54,
-	0xbc, 0x08, 0x0f, 0x51, 0xe0, 0x11, 0x5c, 0xc6, 0x1f, 0xb4, 0xf8, 0xde, 0x96, 0xe0, 0x2f, 0xaa,
-	0xe7, 0xa5, 0x71, 0xb9, 0x9e, 0x4f, 0xde, 0x3b, 0x92, 0xf2, 0x0b, 0x7b, 0xef, 0x48, 0xeb, 0x72,
-	0x4a, 0xe2, 0x89, 0x9e, 0x39, 0x85, 0x2c, 0x85, 0xa2, 0x53, 0xde, 0x9d, 0xc4, 0x0f, 0x9d, 0x95,
-	0x95, 0x57, 0x8a, 0x99, 0x23, 0xd2, 0x74, 0xe4, 0xe6, 0x74, 0x15, 0xa6, 0x1c, 0xb7, 0x1d, 0xcc,
-	0xc3, 0x99, 0xe9, 0x62, 0x4b, 0xc1, 0x71, 0x44, 0x31, 0xf4, 0x73, 0x5c, 0xf9, 0xf3, 0xf9, 0x39,
-	0x4e, 0x4e, 0x44, 0xb6, 0x2d, 0x08, 0xc2, 0xa5, 0x2c, 0x9e, 0x88, 0x14, 0x1c, 0x47, 0x14, 0xe8,
-	0x5e, 0x7c, 0xbf, 0x4c, 0xc8, 0x98, 0x7c, 0xa5, 0xc8, 0x15, 0x9d, 0x7f, 0xa1, 0xb4, 0x5a, 0x4f,
-	0x9f, 0xd7, 0xc6, 0x9e, 0x3d, 0xaf, 0x8d, 0x7d, 0xf2, 0xbc, 0x36, 0xf6, 0xe1, 0xa0, 0xa6, 0x3d,
-	0x1d, 0xd4, 0xb4, 0x67, 0x83, 0x9a, 0xf6, 0xc9, 0xa0, 0xa6, 0x7d, 0x3a, 0xa8, 0x69, 0x3f, 0xfb,
-	0x5b, 0x6d, 0xec, 0x7b, 0x2f, 0x1d, 0xf7, 0x7f, 0x01, 0xff, 0x0a, 0x00, 0x00, 0xff, 0xff, 0xc2,
-	0x62, 0xe6, 0x4b, 0x36, 0x20, 0x00, 0x00,
+	// 2435 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x1a, 0xcd, 0x6f, 0x1c, 0x57,
+	0x3d, 0xb3, 0xb3, 0x5e, 0xaf, 0x7f, 0x1b, 0x3b, 0xf1, 0x0b, 0x29, 0x1b, 0xd3, 0xee, 0x26, 0x13,
+	0x04, 0x4e, 0x9b, 0xac, 0x1b, 0xa7, 0x6a, 0x0b, 0x01, 0x09, 0xaf, 0xed, 0xa4, 0x4e, 0x13, 0xc7,
+	0x79, 0x76, 0x03, 0x81, 0x12, 0x18, 0xcf, 0x3e, 0xdb, 0x83, 0x67, 0x67, 0xb6, 0xf3, 0xde, 0x3a,
+	0xf5, 0x05, 0x55, 0xfc, 0x01, 0x11, 0x57, 0x0e, 0xa8, 0x12, 0x07, 0x24, 0x2e, 0x80, 0xc4, 0x8d,
+	0x0b, 0x48, 0x20, 0x35, 0x82, 0x4b, 0x24, 0x2a, 0x54, 0x71, 0x58, 0xc8, 0x22, 0xc4, 0xff, 0xe0,
+	0x13, 0x7a, 0x1f, 0xf3, 0xb9, 0x3b, 0xce, 0x6c, 0x49, 0xac, 0x22, 0x71, 0xdb, 0xf9, 0x7d, 0xbe,
+	0xf7, 0xfb, 0x7e, 0xef, 0x2d, 0x5c, 0xdc, 0x7d, 0x93, 0x36, 0x6c, 0x6f, 0xce, 0xec, 0xd8, 0x73,
+	0x3e, 0xa1, 0x5e, 0xd7, 0xb7, 0xc8, 0xdc, 0xde, 0x65, 0xd3, 0xe9, 0xec, 0x98, 0x57, 0xe6, 0xb6,
+	0x89, 0x4b, 0x7c, 0x93, 0x91, 0x56, 0xa3, 0xe3, 0x7b, 0xcc, 0x43, 0x2f, 0x4a, 0xea, 0x86, 0xd9,
+	0xb1, 0x1b, 0x01, 0x75, 0x23, 0xa0, 0x9e, 0xb9, 0xb4, 0x6d, 0xb3, 0x9d, 0xee, 0x66, 0xc3, 0xf2,
+	0xda, 0x73, 0xdb, 0xde, 0xb6, 0x37, 0x27, 0x98, 0x36, 0xbb, 0x5b, 0xe2, 0x4b, 0x7c, 0x88, 0x5f,
+	0x52, 0xd8, 0x8c, 0x11, 0x53, 0x6d, 0x79, 0x3e, 0x57, 0x9b, 0x56, 0x38, 0xf3, 0x5a, 0x44, 0xd3,
+	0x36, 0xad, 0x1d, 0xdb, 0x25, 0xfe, 0xfe, 0x5c, 0x67, 0x77, 0x3b, 0xb9, 0xde, 0x51, 0xb8, 0xe8,
+	0x5c, 0x9b, 0x30, 0x73, 0x98, 0xae, 0xb9, 0x2c, 0x2e, 0xbf, 0xeb, 0x32, 0xbb, 0x3d, 0xa8, 0xe6,
+	0xf5, 0xa7, 0x31, 0x50, 0x6b, 0x87, 0xb4, 0xcd, 0x34, 0x9f, 0xf1, 0xa1, 0x0e, 0xa7, 0x17, 0x1c,
+	0xc7, 0xb3, 0x38, 0x6c, 0x89, 0xec, 0xd9, 0x16, 0x59, 0x67, 0x26, 0xeb, 0x52, 0xf4, 0x25, 0x28,
+	0xb5, 0x7c, 0x7b, 0x8f, 0xf8, 0x55, 0xed, 0xac, 0x36, 0x3b, 0xd1, 0x9c, 0x7a, 0xd4, 0xab, 0x1f,
+	0xeb, 0xf7, 0xea, 0xa5, 0x25, 0x01, 0xc5, 0x0a, 0x8b, 0xce, 0x42, 0xb1, 0xe3, 0x79, 0x4e, 0xb5,
+	0x20, 0xa8, 0x8e, 0x2b, 0xaa, 0xe2, 0x9a, 0xe7, 0x39, 0x58, 0x60, 0x84, 0x24, 0x21, 0xb9, 0xaa,
+	0xa7, 0x24, 0x09, 0x28, 0x56, 0x58, 0x64, 0x01, 0x58, 0x9e, 0xdb, 0xb2, 0x99, 0xed, 0xb9, 0xb4,
+	0x5a, 0x3c, 0xab, 0xcf, 0x56, 0xe6, 0xe7, 0x1a, 0x91, 0x9b, 0xc3, 0x8d, 0x35, 0x3a, 0xbb, 0xdb,
+	0x1c, 0x40, 0x1b, 0xdc, 0x7e, 0x8d, 0xbd, 0xcb, 0x8d, 0xc5, 0x80, 0xaf, 0x89, 0x94, 0x70, 0x08,
+	0x41, 0x14, 0xc7, 0xc4, 0xa2, 0xb7, 0xa1, 0xd8, 0x32, 0x99, 0x59, 0x1d, 0x3b, 0xab, 0xcd, 0x56,
+	0xe6, 0x2f, 0x65, 0x8a, 0x57, 0x76, 0x6b, 0x60, 0xf3, 0xc1, 0xf2, 0xfb, 0x8c, 0xb8, 0x94, 0x0b,
+	0x2f, 0xf3, 0x9d, 0x2d, 0x99, 0xcc, 0xc4, 0x42, 0x08, 0xda, 0x84, 0x8a, 0x4b, 0xd8, 0x03, 0xcf,
+	0xdf, 0xe5, 0xc0, 0x6a, 0x49, 0xc8, 0x8c, 0x2f, 0x79, 0x30, 0x32, 0x1b, 0xab, 0x8a, 0x41, 0xec,
+	0x99, 0xb3, 0x35, 0x4f, 0xf4, 0x7b, 0xf5, 0xca, 0x6a, 0x24, 0x07, 0xc7, 0x85, 0x1a, 0x7f, 0xd6,
+	0xe0, 0xa4, 0xf2, 0x90, 0xed, 0xb9, 0x98, 0xd0, 0xae, 0xc3, 0xd0, 0xf7, 0x60, 0x5c, 0x1a, 0x8d,
+	0x0a, 0xef, 0x54, 0xe6, 0x5f, 0x3b, 0x5c, 0xa9, 0xd4, 0x96, 0x16, 0xd3, 0x3c, 0xa1, 0x8c, 0x35,
+	0x2e, 0xf1, 0x14, 0x07, 0x52, 0xd1, 0x5d, 0x38, 0xee, 0x7a, 0x2d, 0xb2, 0x4e, 0x1c, 0x62, 0x31,
+	0xcf, 0x17, 0x9e, 0xab, 0xcc, 0x9f, 0x8d, 0x6b, 0xe1, 0x79, 0xc2, 0x6d, 0xbf, 0x1a, 0xa3, 0x6b,
+	0x9e, 0xec, 0xf7, 0xea, 0xc7, 0xe3, 0x10, 0x9c, 0x90, 0x63, 0xfc, 0xa6, 0x08, 0x95, 0xa6, 0x49,
+	0x6d, 0x4b, 0x6a, 0x44, 0x3f, 0x04, 0x30, 0x19, 0xf3, 0xed, 0xcd, 0x2e, 0x13, 0x7b, 0xe1, 0x3e,
+	0xff, 0xca, 0xe1, 0x7b, 0x89, 0xb1, 0x37, 0x16, 0x42, 0xde, 0x65, 0x97, 0xf9, 0xfb, 0xcd, 0xf3,
+	0x81, 0xf7, 0x23, 0xc4, 0x8f, 0xfe, 0x5e, 0x9f, 0xbc, 0xd3, 0x35, 0x1d, 0x7b, 0xcb, 0x26, 0xad,
+	0x55, 0xb3, 0x4d, 0x70, 0x4c, 0x23, 0xda, 0x83, 0xb2, 0x65, 0x76, 0x4c, 0xcb, 0x66, 0xfb, 0xd5,
+	0x82, 0xd0, 0xfe, 0x46, 0x7e, 0xed, 0x8b, 0x8a, 0x53, 0xea, 0x3e, 0xa7, 0x74, 0x97, 0x03, 0xf0,
+	0xa0, 0xe6, 0x50, 0x17, 0xba, 0x03, 0x25, 0x66, 0xda, 0x2e, 0xa3, 0x55, 0x5d, 0x68, 0xbd, 0x90,
+	0xc7, 0x7f, 0x1b, 0x9c, 0x23, 0x4a, 0x1f, 0xf1, 0x49, 0xb1, 0x12, 0x34, 0xe3, 0xc0, 0x89, 0x94,
+	0x39, 0xd0, 0x49, 0xd0, 0x77, 0xc9, 0xbe, 0x4c, 0x60, 0xcc, 0x7f, 0xa2, 0x45, 0x18, 0xdb, 0x33,
+	0x9d, 0x2e, 0x11, 0xe9, 0x9a, 0x8c, 0xff, 0xec, 0xb0, 0x09, 0xa4, 0x62, 0xc9, 0xfb, 0xd5, 0xc2,
+	0x9b, 0xda, 0xcc, 0x2e, 0x4c, 0x26, 0xb6, 0x3f, 0x44, 0xd7, 0x52, 0x52, 0x57, 0xe3, 0xb0, 0x54,
+	0x8e, 0x94, 0xdf, 0xe9, 0x9a, 0x2e, 0xb3, 0xd9, 0x7e, 0x4c, 0x99, 0x71, 0x1d, 0xa6, 0x17, 0x97,
+	0x6f, 0xaa, 0xf2, 0xa4, 0x42, 0x09, 0xcd, 0x03, 0x90, 0xf7, 0x3b, 0x3e, 0xa1, 0x3c, 0x35, 0x55,
+	0x91, 0x0a, 0xb3, 0x7f, 0x39, 0xc4, 0xe0, 0x18, 0x95, 0xb1, 0x07, 0xaa, 0xe8, 0xf0, 0xb2, 0xe5,
+	0x9a, 0x6d, 0xa2, 0xf8, 0xc2, 0xb2, 0x25, 0xdc, 0x24, 0x30, 0xe8, 0x06, 0x8c, 0x6d, 0x72, 0x67,
+	0xab, 0xe5, 0x5f, 0xc8, 0x1d, 0x17, 0xcd, 0x89, 0x7e, 0xaf, 0x3e, 0x26, 0x00, 0x58, 0x8a, 0x30,
+	0x1e, 0x16, 0xe0, 0xa5, 0x74, 0x0e, 0x2e, 0x7a, 0xee, 0x96, 0xbd, 0xdd, 0xf5, 0xc5, 0x07, 0xfa,
+	0x06, 0x94, 0xa4, 0x48, 0xb5, 0xa2, 0xd9, 0xc0, 0xcb, 0xeb, 0x02, 0x7a, 0xd0, 0xab, 0xbf, 0x90,
+	0x66, 0x95, 0x18, 0xac, 0xf8, 0xd0, 0x2c, 0x94, 0x7d, 0xf2, 0x5e, 0x97, 0x50, 0x46, 0x45, 0x28,
+	0x4f, 0x34, 0x8f, 0xf3, 0x68, 0xc4, 0x0a, 0x86, 0x43, 0x2c, 0xfa, 0x40, 0x83, 0x53, 0x32, 0xd1,
+	0x13, 0x6b, 0x50, 0x49, 0x7e, 0x39, 0x4f, 0x4c, 0x24, 0x18, 0x9b, 0x5f, 0x50, 0x8b, 0x3d, 0x35,
+	0x04, 0x89, 0x87, 0xa9, 0x32, 0xfe, 0xa5, 0xc1, 0x0b, 0xc3, 0x8b, 0x12, 0xda, 0x82, 0x71, 0x5f,
+	0xfc, 0x0a, 0xea, 0xc1, 0xd5, 0x3c, 0x0b, 0x52, 0xdb, 0xcc, 0x2e, 0x71, 0xf2, 0x9b, 0xe2, 0x40,
+	0x38, 0xb2, 0xa0, 0x64, 0x89, 0x35, 0xa9, 0xc4, 0xbf, 0x3a, 0x5a, 0x09, 0x4d, 0x5a, 0x20, 0x4c,
+	0x4a, 0x09, 0xc6, 0x4a, 0xb4, 0xf1, 0x0b, 0x0d, 0x4e, 0xa4, 0xb2, 0x08, 0xd5, 0x40, 0xb7, 0x5d,
+	0x26, 0xc2, 0x4a, 0x97, 0x3e, 0x5a, 0x71, 0xd9, 0x5d, 0x1e, 0xec, 0x98, 0x23, 0xd0, 0x39, 0x28,
+	0x6e, 0xf2, 0x8e, 0xca, 0xdd, 0x51, 0x6e, 0x4e, 0xf6, 0x7b, 0xf5, 0x89, 0xa6, 0xe7, 0x39, 0x92,
+	0x42, 0xa0, 0xd0, 0x97, 0xa1, 0x44, 0x99, 0x6f, 0xbb, 0xdb, 0xd5, 0xa2, 0x88, 0x16, 0xd1, 0x42,
+	0xd6, 0x05, 0x44, 0x92, 0x29, 0x34, 0x7a, 0x19, 0xc6, 0xf7, 0x88, 0x2f, 0x32, 0x64, 0x4c, 0x50,
+	0x8a, 0x02, 0x7d, 0x57, 0x82, 0x24, 0x69, 0x40, 0x60, 0xfc, 0xaa, 0x00, 0x15, 0xe5, 0x40, 0xc7,
+	0xb4, 0xdb, 0xe8, 0x5e, 0x2c, 0xa0, 0xa4, 0x27, 0x5e, 0x19, 0xc1, 0x13, 0xcd, 0x93, 0x41, 0x3d,
+	0x1c, 0x12, 0x81, 0x04, 0x2a, 0x96, 0xe7, 0x52, 0xe6, 0xcb, 0x1a, 0x28, 0x1d, 0xd0, 0xc8, 0x19,
+	0x78, 0x8a, 0xad, 0x79, 0x4a, 0x29, 0xa8, 0x44, 0x30, 0x8a, 0xe3, 0x72, 0xd1, 0xfd, 0xd0, 0xc5,
+	0xb2, 0xca, 0xbe, 0x9e, 0x4b, 0x03, 0xdf, 0x7c, 0x3e, 0xef, 0x7e, 0xa4, 0x41, 0x35, 0x8b, 0x29,
+	0x91, 0x8f, 0xda, 0xa7, 0xca, 0xc7, 0xc2, 0xd1, 0xe5, 0xe3, 0xef, 0xb5, 0x98, 0xef, 0x29, 0x45,
+	0xdf, 0x87, 0x32, 0x9f, 0xad, 0xc4, 0xa8, 0x24, 0x27, 0x8c, 0x57, 0xf3, 0x4d, 0x62, 0xb7, 0x37,
+	0x7f, 0x40, 0x2c, 0x76, 0x8b, 0x30, 0x33, 0x2a, 0xc6, 0x11, 0x0c, 0x87, 0x52, 0xd1, 0x6d, 0x28,
+	0xd2, 0x0e, 0xb1, 0x46, 0x69, 0x44, 0x62, 0x69, 0xeb, 0x1d, 0x62, 0x45, 0xf5, 0x9a, 0x7f, 0x61,
+	0x21, 0xc8, 0xf8, 0x69, 0xdc, 0x19, 0x94, 0x26, 0x9d, 0x91, 0x65, 0x62, 0xed, 0xe8, 0x4c, 0xfc,
+	0xbb, 0xb0, 0x14, 0x88, 0xf5, 0xdd, 0xb4, 0x29, 0x43, 0xef, 0x0e, 0x98, 0xb9, 0x91, 0xcf, 0xcc,
+	0x9c, 0x5b, 0x18, 0x39, 0xcc, 0xb2, 0x00, 0x12, 0x33, 0xf1, 0x2a, 0x8c, 0xd9, 0x8c, 0xb4, 0x83,
+	0xfc, 0xba, 0x90, 0xdb, 0xc6, 0xcd, 0x49, 0x25, 0x75, 0x6c, 0x85, 0xf3, 0x63, 0x29, 0xc6, 0x78,
+	0x9c, 0xdc, 0x01, 0xb7, 0x3d, 0xfa, 0x2e, 0x4c, 0x50, 0xd5, 0x91, 0x83, 0x2a, 0x71, 0x31, 0x8f,
+	0x9e, 0x70, 0x62, 0x9c, 0x56, 0xaa, 0x26, 0x02, 0x08, 0xc5, 0x91, 0xc4, 0x58, 0x06, 0x17, 0x46,
+	0xca, 0xe0, 0x94, 0xff, 0x33, 0x33, 0xd8, 0x87, 0x61, 0x0e, 0x44, 0xdf, 0x81, 0x92, 0xd7, 0x31,
+	0xdf, 0xeb, 0x12, 0xe5, 0x95, 0xa7, 0x0c, 0x85, 0xb7, 0x05, 0xed, 0xb0, 0x30, 0x01, 0xae, 0x53,
+	0xa2, 0xb1, 0x12, 0x69, 0x3c, 0xd4, 0xe0, 0x64, 0xba, 0x98, 0x8d, 0x50, 0x2d, 0xd6, 0x60, 0xaa,
+	0x6d, 0x32, 0x6b, 0x27, 0x6c, 0x28, 0xea, 0xe8, 0x35, 0xdb, 0xef, 0xd5, 0xa7, 0x6e, 0x25, 0x30,
+	0x07, 0xbd, 0x3a, 0xba, 0xd6, 0x75, 0x9c, 0xfd, 0xe4, 0x18, 0x9a, 0xe2, 0x37, 0xfe, 0x56, 0x84,
+	0xc9, 0x44, 0xed, 0xce, 0x31, 0x1d, 0x2d, 0xc0, 0x89, 0x56, 0x64, 0x6c, 0x8e, 0x50, 0xcb, 0xf8,
+	0xbc, 0x22, 0x8e, 0x47, 0x8a, 0xe0, 0x4b, 0xd3, 0x27, 0x43, 0x47, 0x7f, 0xe6, 0xa1, 0x73, 0x17,
+	0xa6, 0xcc, 0xb0, 0x5b, 0xdf, 0xf2, 0x5a, 0x44, 0xf5, 0xca, 0x86, 0xe2, 0x9a, 0x5a, 0x48, 0x60,
+	0x0f, 0x7a, 0xf5, 0xcf, 0xa5, 0x7b, 0x3c, 0x87, 0xe3, 0x94, 0x14, 0x74, 0x1e, 0xc6, 0x2c, 0xaf,
+	0xeb, 0x32, 0xd1, 0x50, 0xf5, 0x28, 0x55, 0x16, 0x39, 0x10, 0x4b, 0x1c, 0xba, 0x0c, 0x15, 0xb3,
+	0xd5, 0xb6, 0xdd, 0x05, 0xcb, 0x22, 0x94, 0x8a, 0x93, 0x61, 0x59, 0x76, 0xe9, 0x85, 0x08, 0x8c,
+	0xe3, 0x34, 0xc8, 0x85, 0xa9, 0x2d, 0xdb, 0xa7, 0x6c, 0x61, 0xcf, 0xb4, 0x1d, 0x73, 0xd3, 0x21,
+	0xd5, 0xf1, 0xfc, 0x6d, 0x71, 0xbd, 0xbb, 0x19, 0xf4, 0xdd, 0x17, 0x82, 0xfd, 0x5d, 0x4b, 0x48,
+	0xc3, 0x29, 0xe9, 0xbc, 0x07, 0x33, 0xcf, 0x21, 0x32, 0x50, 0x69, 0xb5, 0x9c, 0x5f, 0xd9, 0x46,
+	0xc8, 0x16, 0xf5, 0xe0, 0x08, 0x46, 0x71, 0x5c, 0xae, 0xf1, 0xd7, 0x70, 0xf4, 0xcd, 0x18, 0xd1,
+	0xd0, 0x05, 0x3e, 0xf0, 0x09, 0x94, 0x8a, 0xb7, 0xd8, 0xcc, 0x26, 0xc0, 0x38, 0xc0, 0xc7, 0x2e,
+	0x25, 0x0a, 0xb9, 0x2e, 0x25, 0xf4, 0x1c, 0x97, 0x12, 0xc5, 0x43, 0x2f, 0x25, 0x52, 0x8e, 0x1c,
+	0xcb, 0xe1, 0xc8, 0x94, 0x61, 0x4b, 0xcf, 0xc9, 0xb0, 0xef, 0xc2, 0x54, 0xea, 0x44, 0x74, 0x03,
+	0x74, 0x8b, 0x38, 0xaa, 0x64, 0x3d, 0xe5, 0x1a, 0x62, 0xe0, 0x3c, 0xd5, 0x1c, 0xef, 0xf7, 0xea,
+	0xfa, 0xe2, 0xf2, 0x4d, 0xcc, 0x85, 0x18, 0xbf, 0xd5, 0x83, 0x22, 0x15, 0x85, 0xd6, 0xff, 0xcb,
+	0xc2, 0x7f, 0x5b, 0x16, 0x52, 0xa1, 0x31, 0xfe, 0x9c, 0x42, 0xe3, 0xdf, 0xe1, 0x34, 0x27, 0xee,
+	0x08, 0xd0, 0x4b, 0xb1, 0xb3, 0x79, 0xb3, 0xa2, 0xd8, 0xf5, 0xb7, 0xc9, 0xbe, 0x3c, 0xa8, 0x9f,
+	0x8f, 0x1f, 0xd4, 0x27, 0xa2, 0xa5, 0xcb, 0xf3, 0x81, 0xc4, 0xa1, 0xab, 0x50, 0x22, 0x5b, 0x5b,
+	0xc4, 0x62, 0x2a, 0xa9, 0x82, 0xab, 0x96, 0xd2, 0xb2, 0x80, 0x1e, 0xf4, 0xea, 0xd3, 0x31, 0x95,
+	0x12, 0x88, 0x15, 0x0b, 0xfa, 0x26, 0x4c, 0x30, 0xbb, 0x4d, 0x16, 0x5a, 0x2d, 0xd2, 0x12, 0xf6,
+	0xae, 0xcc, 0xbf, 0x9c, 0x6f, 0xd0, 0xd9, 0xb0, 0xdb, 0x44, 0x9e, 0x81, 0x36, 0x02, 0x01, 0x38,
+	0x92, 0x65, 0x3c, 0x0a, 0x47, 0x12, 0xa1, 0x16, 0x77, 0x1d, 0x72, 0x04, 0xb3, 0xeb, 0x7a, 0x62,
+	0x76, 0xbd, 0x9c, 0xfb, 0xee, 0x86, 0x2f, 0x2f, 0x73, 0x7e, 0xfd, 0x48, 0x0b, 0x66, 0x91, 0x90,
+	0xf6, 0x08, 0x66, 0x44, 0x9c, 0x9c, 0x11, 0x2f, 0x8d, 0xb4, 0x97, 0x8c, 0x39, 0xf1, 0xe3, 0xc1,
+	0x9d, 0x88, 0x59, 0xb1, 0x0d, 0x53, 0xad, 0x44, 0xaa, 0x8e, 0x32, 0x7e, 0x0b, 0x51, 0x61, 0x8e,
+	0x23, 0x9e, 0xa9, 0xc9, 0xbc, 0xc7, 0x29, 0xe1, 0x7c, 0xfc, 0x15, 0x57, 0x63, 0xf9, 0x2e, 0x70,
+	0xe2, 0x57, 0x6c, 0xe1, 0xb6, 0xe4, 0xfa, 0xa5, 0x18, 0xe3, 0x27, 0x85, 0xc4, 0xb6, 0x42, 0x3d,
+	0x5f, 0x1f, 0xac, 0x79, 0x32, 0xd3, 0x4e, 0xe5, 0xaa, 0x77, 0x46, 0xaa, 0xa7, 0xc1, 0x90, 0x7e,
+	0xf6, 0x62, 0xa2, 0x9f, 0x95, 0x53, 0xbd, 0xcc, 0x48, 0xf5, 0x32, 0x18, 0xd2, 0xc7, 0x12, 0x55,
+	0x75, 0xec, 0x59, 0x57, 0x55, 0xe3, 0x67, 0x85, 0xa0, 0x5d, 0x44, 0x45, 0xe9, 0x69, 0x65, 0xe7,
+	0x2d, 0x28, 0x7b, 0x1d, 0x4e, 0xeb, 0x05, 0x5b, 0xbf, 0x18, 0x04, 0xea, 0x6d, 0x05, 0x3f, 0xe8,
+	0xd5, 0xab, 0x69, 0xb1, 0x01, 0x0e, 0x87, 0xdc, 0x51, 0x01, 0xd3, 0x73, 0x15, 0xb0, 0xe2, 0xe8,
+	0x05, 0x6c, 0x11, 0xa6, 0xa3, 0x02, 0xbb, 0x4e, 0x2c, 0xcf, 0x6d, 0x51, 0x55, 0xe9, 0x4f, 0xf7,
+	0x7b, 0xf5, 0xe9, 0x8d, 0x34, 0x12, 0x0f, 0xd2, 0x1b, 0xbf, 0xd4, 0x60, 0x7a, 0xe0, 0xfa, 0x1f,
+	0x5d, 0x85, 0x49, 0xdb, 0x65, 0xc4, 0xdf, 0x32, 0x2d, 0x12, 0x0b, 0x9e, 0xd3, 0x6a, 0x79, 0x93,
+	0x2b, 0x71, 0x24, 0x4e, 0xd2, 0xa2, 0x33, 0xa0, 0xdb, 0x9d, 0xe0, 0xbe, 0x4f, 0x74, 0xf0, 0x95,
+	0x35, 0x8a, 0x39, 0x8c, 0xb7, 0xe2, 0x1d, 0xd3, 0x6f, 0x3d, 0x30, 0x7d, 0x5e, 0x2b, 0x7d, 0x3e,
+	0xbd, 0xe8, 0xc9, 0x56, 0xfc, 0x56, 0x12, 0x8d, 0xd3, 0xf4, 0xc6, 0xcf, 0x35, 0x38, 0x93, 0x79,
+	0xb6, 0xc9, 0xfd, 0x42, 0x64, 0x02, 0x74, 0x4c, 0xdf, 0x6c, 0x13, 0x46, 0x7c, 0x3a, 0xe4, 0xbc,
+	0x9f, 0xe3, 0xe1, 0x25, 0x2c, 0xc7, 0x6b, 0xa1, 0x20, 0x1c, 0x13, 0x6a, 0x7c, 0x58, 0x80, 0x49,
+	0xac, 0x22, 0x58, 0x5e, 0x5e, 0x3d, 0xff, 0x26, 0x70, 0x27, 0xd1, 0x04, 0x9e, 0x32, 0x6e, 0x25,
+	0x16, 0x97, 0xd5, 0x02, 0xd0, 0x3d, 0x28, 0x51, 0xf1, 0xfa, 0x96, 0xef, 0x2a, 0x36, 0x29, 0x54,
+	0x30, 0x46, 0x4e, 0x90, 0xdf, 0x58, 0x09, 0x34, 0xfa, 0x1a, 0xd4, 0x12, 0xf4, 0xfc, 0xec, 0xd9,
+	0x6d, 0x13, 0x1f, 0x93, 0x2d, 0xe2, 0x13, 0xd7, 0x22, 0xe8, 0x22, 0x94, 0xcd, 0x8e, 0x7d, 0xdd,
+	0xf7, 0xba, 0x1d, 0xe5, 0xd1, 0xb0, 0x71, 0x2c, 0xac, 0xad, 0x08, 0x38, 0x0e, 0x29, 0x38, 0x75,
+	0xb0, 0x22, 0x15, 0x57, 0xb1, 0x0b, 0x3f, 0x09, 0xc7, 0x21, 0x45, 0x38, 0x39, 0x16, 0x33, 0x27,
+	0xc7, 0x26, 0xe8, 0x5d, 0xbb, 0xa5, 0x6e, 0x29, 0x5f, 0x0d, 0x8a, 0xc5, 0x3b, 0x2b, 0x4b, 0x07,
+	0xbd, 0xfa, 0xb9, 0xac, 0xd7, 0x4d, 0xb6, 0xdf, 0x21, 0xb4, 0xf1, 0xce, 0xca, 0x12, 0xe6, 0xcc,
+	0xc6, 0x1f, 0x34, 0x98, 0x4e, 0x6c, 0xf2, 0x08, 0x1a, 0xe8, 0x5a, 0xb2, 0x81, 0xbe, 0x32, 0x82,
+	0xcb, 0x32, 0xda, 0xa7, 0x9d, 0xda, 0x84, 0xe8, 0x9d, 0x1b, 0xe9, 0x17, 0xbf, 0x0b, 0xb9, 0xef,
+	0x32, 0xb3, 0x9f, 0xf9, 0x8c, 0x3f, 0x15, 0xe0, 0xd4, 0x90, 0x28, 0x42, 0xf7, 0x01, 0xa2, 0xf1,
+	0x76, 0x88, 0xd1, 0x86, 0x28, 0x1c, 0xb8, 0x79, 0x9f, 0x12, 0xef, 0x70, 0x11, 0x34, 0x26, 0x11,
+	0x51, 0xa8, 0xf8, 0x84, 0x12, 0x7f, 0x8f, 0xb4, 0xae, 0x89, 0xea, 0xcf, 0x4d, 0xf7, 0xb5, 0x11,
+	0x4c, 0x37, 0x10, 0xbd, 0xd1, 0x54, 0x8c, 0x23, 0xc1, 0x38, 0xae, 0x05, 0xdd, 0x8f, 0x4c, 0x28,
+	0x1f, 0x97, 0xaf, 0xe4, 0xda, 0x51, 0xf2, 0x5d, 0xfc, 0x10, 0x63, 0x7e, 0xac, 0xc1, 0xe9, 0xc4,
+	0x22, 0x37, 0x48, 0xbb, 0xe3, 0x98, 0xec, 0x28, 0x26, 0xd2, 0x7b, 0x89, 0x62, 0xf4, 0xc6, 0x08,
+	0x96, 0x0c, 0x16, 0x99, 0x39, 0x97, 0xfe, 0x45, 0x83, 0x33, 0x43, 0x39, 0x8e, 0x20, 0xb9, 0xbe,
+	0x95, 0x4c, 0xae, 0x2b, 0x9f, 0x62, 0x5f, 0xd9, 0x77, 0x99, 0x67, 0x32, 0xed, 0xf0, 0x3f, 0xd9,
+	0x3d, 0x8c, 0x5f, 0x6b, 0x70, 0x3c, 0xa0, 0xe4, 0xd3, 0x61, 0x8e, 0xe3, 0xfa, 0x3c, 0x80, 0xfa,
+	0x47, 0x48, 0xf0, 0xde, 0xa0, 0x47, 0xeb, 0xbe, 0x1e, 0x62, 0x70, 0x8c, 0x0a, 0xdd, 0x00, 0x14,
+	0xac, 0x70, 0xdd, 0x11, 0x43, 0x01, 0x3f, 0xf5, 0xea, 0x82, 0x77, 0x46, 0xf1, 0x22, 0x3c, 0x40,
+	0x81, 0x87, 0x70, 0x19, 0x7f, 0xd4, 0xa2, 0xbe, 0x2d, 0xc0, 0x9f, 0x55, 0xcb, 0x8b, 0xc5, 0x65,
+	0x5a, 0x3e, 0xde, 0x77, 0x04, 0xe5, 0x67, 0xb6, 0xef, 0x88, 0xd5, 0x65, 0xa4, 0xc4, 0x43, 0x3d,
+	0xb5, 0x0b, 0x91, 0x0a, 0x79, 0xa7, 0xbc, 0x9b, 0xb1, 0xff, 0x01, 0x25, 0x4f, 0xf7, 0x87, 0x2c,
+	0x87, 0x87, 0xe9, 0xd0, 0xeb, 0xb9, 0x8b, 0x50, 0x76, 0xbd, 0x96, 0x9c, 0x87, 0x53, 0xd3, 0xc5,
+	0xaa, 0x82, 0xe3, 0x90, 0x62, 0xe0, 0xdf, 0x2a, 0xc5, 0x67, 0xf3, 0x6f, 0x15, 0x31, 0x11, 0x39,
+	0x0e, 0x27, 0x08, 0x6e, 0xfe, 0xa2, 0x89, 0x48, 0xc1, 0x71, 0x48, 0x81, 0x6e, 0x47, 0xfd, 0x45,
+	0xde, 0xf9, 0x7d, 0x31, 0x4f, 0x8b, 0xce, 0x6e, 0x28, 0xcd, 0xe6, 0xa3, 0x27, 0xb5, 0x63, 0x8f,
+	0x9f, 0xd4, 0x8e, 0x7d, 0xf2, 0xa4, 0x76, 0xec, 0x83, 0x7e, 0x4d, 0x7b, 0xd4, 0xaf, 0x69, 0x8f,
+	0xfb, 0x35, 0xed, 0x93, 0x7e, 0x4d, 0xfb, 0x47, 0xbf, 0xa6, 0xfd, 0xf8, 0x9f, 0xb5, 0x63, 0xdf,
+	0x7e, 0xf1, 0xb0, 0xbf, 0xcd, 0xfd, 0x27, 0x00, 0x00, 0xff, 0xff, 0xf8, 0xa8, 0x47, 0x3e, 0x55,
+	0x27, 0x00, 0x00,
 }
 
 func (m *AllocatedDeviceStatus) Marshal() (dAtA []byte, err error) {
@@ -1321,6 +1517,20 @@ func (m *BasicDevice) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 	_ = i
 	var l int
 	_ = l
+	if len(m.Taints) > 0 {
+		for iNdEx := len(m.Taints) - 1; iNdEx >= 0; iNdEx-- {
+			{
+				size, err := m.Taints[iNdEx].MarshalToSizedBuffer(dAtA[:i])
+				if err != nil {
+					return 0, err
+				}
+				i -= size
+				i = encodeVarintGenerated(dAtA, i, uint64(size))
+			}
+			i--
+			dAtA[i] = 0x1a
+		}
+	}
 	if len(m.Capacity) > 0 {
 		keysForCapacity := make([]string, 0, len(m.Capacity))
 		for k := range m.Capacity {
@@ -1975,6 +2185,20 @@ func (m *DeviceRequest) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 	_ = i
 	var l int
 	_ = l
+	if len(m.Tolerations) > 0 {
+		for iNdEx := len(m.Tolerations) - 1; iNdEx >= 0; iNdEx-- {
+			{
+				size, err := m.Tolerations[iNdEx].MarshalToSizedBuffer(dAtA[:i])
+				if err != nil {
+					return 0, err
+				}
+				i -= size
+				i = encodeVarintGenerated(dAtA, i, uint64(size))
+			}
+			i--
+			dAtA[i] = 0x42
+		}
+	}
 	if len(m.FirstAvailable) > 0 {
 		for iNdEx := len(m.FirstAvailable) - 1; iNdEx >= 0; iNdEx-- {
 			{
@@ -2054,6 +2278,20 @@ func (m *DeviceRequestAllocationResult) MarshalToSizedBuffer(dAtA []byte) (int,
 	_ = i
 	var l int
 	_ = l
+	if len(m.Tolerations) > 0 {
+		for iNdEx := len(m.Tolerations) - 1; iNdEx >= 0; iNdEx-- {
+			{
+				size, err := m.Tolerations[iNdEx].MarshalToSizedBuffer(dAtA[:i])
+				if err != nil {
+					return 0, err
+				}
+				i -= size
+				i = encodeVarintGenerated(dAtA, i, uint64(size))
+			}
+			i--
+			dAtA[i] = 0x32
+		}
+	}
 	if m.AdminAccess != nil {
 		i--
 		if *m.AdminAccess {
@@ -2142,6 +2380,20 @@ func (m *DeviceSubRequest) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 	_ = i
 	var l int
 	_ = l
+	if len(m.Tolerations) > 0 {
+		for iNdEx := len(m.Tolerations) - 1; iNdEx >= 0; iNdEx-- {
+			{
+				size, err := m.Tolerations[iNdEx].MarshalToSizedBuffer(dAtA[:i])
+				if err != nil {
+					return 0, err
+				}
+				i -= size
+				i = encodeVarintGenerated(dAtA, i, uint64(size))
+			}
+			i--
+			dAtA[i] = 0x3a
+		}
+	}
 	i = encodeVarintGenerated(dAtA, i, uint64(m.Count))
 	i--
 	dAtA[i] = 0x28
@@ -2177,6 +2429,304 @@ func (m *DeviceSubRequest) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 	return len(dAtA) - i, nil
 }
 
+func (m *DeviceTaint) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DeviceTaint) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *DeviceTaint) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	if m.TimeAdded != nil {
+		{
+			size, err := m.TimeAdded.MarshalToSizedBuffer(dAtA[:i])
+			if err != nil {
+				return 0, err
+			}
+			i -= size
+			i = encodeVarintGenerated(dAtA, i, uint64(size))
+		}
+		i--
+		dAtA[i] = 0x22
+	}
+	i -= len(m.Effect)
+	copy(dAtA[i:], m.Effect)
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Effect)))
+	i--
+	dAtA[i] = 0x1a
+	i -= len(m.Value)
+	copy(dAtA[i:], m.Value)
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Value)))
+	i--
+	dAtA[i] = 0x12
+	i -= len(m.Key)
+	copy(dAtA[i:], m.Key)
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Key)))
+	i--
+	dAtA[i] = 0xa
+	return len(dAtA) - i, nil
+}
+
+func (m *DeviceTaintRule) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DeviceTaintRule) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *DeviceTaintRule) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	{
+		size, err := m.Spec.MarshalToSizedBuffer(dAtA[:i])
+		if err != nil {
+			return 0, err
+		}
+		i -= size
+		i = encodeVarintGenerated(dAtA, i, uint64(size))
+	}
+	i--
+	dAtA[i] = 0x12
+	{
+		size, err := m.ObjectMeta.MarshalToSizedBuffer(dAtA[:i])
+		if err != nil {
+			return 0, err
+		}
+		i -= size
+		i = encodeVarintGenerated(dAtA, i, uint64(size))
+	}
+	i--
+	dAtA[i] = 0xa
+	return len(dAtA) - i, nil
+}
+
+func (m *DeviceTaintRuleList) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DeviceTaintRuleList) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *DeviceTaintRuleList) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	if len(m.Items) > 0 {
+		for iNdEx := len(m.Items) - 1; iNdEx >= 0; iNdEx-- {
+			{
+				size, err := m.Items[iNdEx].MarshalToSizedBuffer(dAtA[:i])
+				if err != nil {
+					return 0, err
+				}
+				i -= size
+				i = encodeVarintGenerated(dAtA, i, uint64(size))
+			}
+			i--
+			dAtA[i] = 0x12
+		}
+	}
+	{
+		size, err := m.ListMeta.MarshalToSizedBuffer(dAtA[:i])
+		if err != nil {
+			return 0, err
+		}
+		i -= size
+		i = encodeVarintGenerated(dAtA, i, uint64(size))
+	}
+	i--
+	dAtA[i] = 0xa
+	return len(dAtA) - i, nil
+}
+
+func (m *DeviceTaintRuleSpec) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DeviceTaintRuleSpec) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *DeviceTaintRuleSpec) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	{
+		size, err := m.Taint.MarshalToSizedBuffer(dAtA[:i])
+		if err != nil {
+			return 0, err
+		}
+		i -= size
+		i = encodeVarintGenerated(dAtA, i, uint64(size))
+	}
+	i--
+	dAtA[i] = 0x12
+	if m.DeviceSelector != nil {
+		{
+			size, err := m.DeviceSelector.MarshalToSizedBuffer(dAtA[:i])
+			if err != nil {
+				return 0, err
+			}
+			i -= size
+			i = encodeVarintGenerated(dAtA, i, uint64(size))
+		}
+		i--
+		dAtA[i] = 0xa
+	}
+	return len(dAtA) - i, nil
+}
+
+func (m *DeviceTaintSelector) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DeviceTaintSelector) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *DeviceTaintSelector) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	if len(m.Selectors) > 0 {
+		for iNdEx := len(m.Selectors) - 1; iNdEx >= 0; iNdEx-- {
+			{
+				size, err := m.Selectors[iNdEx].MarshalToSizedBuffer(dAtA[:i])
+				if err != nil {
+					return 0, err
+				}
+				i -= size
+				i = encodeVarintGenerated(dAtA, i, uint64(size))
+			}
+			i--
+			dAtA[i] = 0x2a
+		}
+	}
+	if m.Device != nil {
+		i -= len(*m.Device)
+		copy(dAtA[i:], *m.Device)
+		i = encodeVarintGenerated(dAtA, i, uint64(len(*m.Device)))
+		i--
+		dAtA[i] = 0x22
+	}
+	if m.Pool != nil {
+		i -= len(*m.Pool)
+		copy(dAtA[i:], *m.Pool)
+		i = encodeVarintGenerated(dAtA, i, uint64(len(*m.Pool)))
+		i--
+		dAtA[i] = 0x1a
+	}
+	if m.Driver != nil {
+		i -= len(*m.Driver)
+		copy(dAtA[i:], *m.Driver)
+		i = encodeVarintGenerated(dAtA, i, uint64(len(*m.Driver)))
+		i--
+		dAtA[i] = 0x12
+	}
+	if m.DeviceClassName != nil {
+		i -= len(*m.DeviceClassName)
+		copy(dAtA[i:], *m.DeviceClassName)
+		i = encodeVarintGenerated(dAtA, i, uint64(len(*m.DeviceClassName)))
+		i--
+		dAtA[i] = 0xa
+	}
+	return len(dAtA) - i, nil
+}
+
+func (m *DeviceToleration) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DeviceToleration) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *DeviceToleration) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	if m.TolerationSeconds != nil {
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.TolerationSeconds))
+		i--
+		dAtA[i] = 0x28
+	}
+	i -= len(m.Effect)
+	copy(dAtA[i:], m.Effect)
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Effect)))
+	i--
+	dAtA[i] = 0x22
+	i -= len(m.Value)
+	copy(dAtA[i:], m.Value)
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Value)))
+	i--
+	dAtA[i] = 0x1a
+	i -= len(m.Operator)
+	copy(dAtA[i:], m.Operator)
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Operator)))
+	i--
+	dAtA[i] = 0x12
+	i -= len(m.Key)
+	copy(dAtA[i:], m.Key)
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Key)))
+	i--
+	dAtA[i] = 0xa
+	return len(dAtA) - i, nil
+}
+
 func (m *NetworkDeviceData) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
 	dAtA = make([]byte, size)
@@ -2909,6 +3459,12 @@ func (m *BasicDevice) Size() (n int) {
 			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
 		}
 	}
+	if len(m.Taints) > 0 {
+		for _, e := range m.Taints {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
 	return n
 }
 
@@ -3167,6 +3723,12 @@ func (m *DeviceRequest) Size() (n int) {
 			n += 1 + l + sovGenerated(uint64(l))
 		}
 	}
+	if len(m.Tolerations) > 0 {
+		for _, e := range m.Tolerations {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
 	return n
 }
 
@@ -3187,6 +3749,12 @@ func (m *DeviceRequestAllocationResult) Size() (n int) {
 	if m.AdminAccess != nil {
 		n += 2
 	}
+	if len(m.Tolerations) > 0 {
+		for _, e := range m.Tolerations {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
 	return n
 }
 
@@ -3222,6 +3790,127 @@ func (m *DeviceSubRequest) Size() (n int) {
 	l = len(m.AllocationMode)
 	n += 1 + l + sovGenerated(uint64(l))
 	n += 1 + sovGenerated(uint64(m.Count))
+	if len(m.Tolerations) > 0 {
+		for _, e := range m.Tolerations {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *DeviceTaint) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = len(m.Key)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Value)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Effect)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.TimeAdded != nil {
+		l = m.TimeAdded.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *DeviceTaintRule) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = m.ObjectMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	l = m.Spec.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *DeviceTaintRuleList) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = m.ListMeta.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	if len(m.Items) > 0 {
+		for _, e := range m.Items {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *DeviceTaintRuleSpec) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	if m.DeviceSelector != nil {
+		l = m.DeviceSelector.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	l = m.Taint.Size()
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
+func (m *DeviceTaintSelector) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	if m.DeviceClassName != nil {
+		l = len(*m.DeviceClassName)
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.Driver != nil {
+		l = len(*m.Driver)
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.Pool != nil {
+		l = len(*m.Pool)
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if m.Device != nil {
+		l = len(*m.Device)
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	if len(m.Selectors) > 0 {
+		for _, e := range m.Selectors {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *DeviceToleration) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = len(m.Key)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Operator)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Value)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Effect)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.TolerationSeconds != nil {
+		n += 1 + sovGenerated(uint64(*m.TolerationSeconds))
+	}
 	return n
 }
 
@@ -3495,6 +4184,11 @@ func (this *BasicDevice) String() string {
 	if this == nil {
 		return "nil"
 	}
+	repeatedStringForTaints := "[]DeviceTaint{"
+	for _, f := range this.Taints {
+		repeatedStringForTaints += strings.Replace(strings.Replace(f.String(), "DeviceTaint", "DeviceTaint", 1), `&`, ``, 1) + ","
+	}
+	repeatedStringForTaints += "}"
 	keysForAttributes := make([]string, 0, len(this.Attributes))
 	for k := range this.Attributes {
 		keysForAttributes = append(keysForAttributes, string(k))
@@ -3518,6 +4212,7 @@ func (this *BasicDevice) String() string {
 	s := strings.Join([]string{`&BasicDevice{`,
 		`Attributes:` + mapStringForAttributes + `,`,
 		`Capacity:` + mapStringForCapacity + `,`,
+		`Taints:` + repeatedStringForTaints + `,`,
 		`}`,
 	}, "")
 	return s
@@ -3720,6 +4415,11 @@ func (this *DeviceRequest) String() string {
 		repeatedStringForFirstAvailable += strings.Replace(strings.Replace(f.String(), "DeviceSubRequest", "DeviceSubRequest", 1), `&`, ``, 1) + ","
 	}
 	repeatedStringForFirstAvailable += "}"
+	repeatedStringForTolerations := "[]DeviceToleration{"
+	for _, f := range this.Tolerations {
+		repeatedStringForTolerations += strings.Replace(strings.Replace(f.String(), "DeviceToleration", "DeviceToleration", 1), `&`, ``, 1) + ","
+	}
+	repeatedStringForTolerations += "}"
 	s := strings.Join([]string{`&DeviceRequest{`,
 		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
 		`DeviceClassName:` + fmt.Sprintf("%v", this.DeviceClassName) + `,`,
@@ -3728,6 +4428,7 @@ func (this *DeviceRequest) String() string {
 		`Count:` + fmt.Sprintf("%v", this.Count) + `,`,
 		`AdminAccess:` + valueToStringGenerated(this.AdminAccess) + `,`,
 		`FirstAvailable:` + repeatedStringForFirstAvailable + `,`,
+		`Tolerations:` + repeatedStringForTolerations + `,`,
 		`}`,
 	}, "")
 	return s
@@ -3736,12 +4437,18 @@ func (this *DeviceRequestAllocationResult) String() string {
 	if this == nil {
 		return "nil"
 	}
+	repeatedStringForTolerations := "[]DeviceToleration{"
+	for _, f := range this.Tolerations {
+		repeatedStringForTolerations += strings.Replace(strings.Replace(f.String(), "DeviceToleration", "DeviceToleration", 1), `&`, ``, 1) + ","
+	}
+	repeatedStringForTolerations += "}"
 	s := strings.Join([]string{`&DeviceRequestAllocationResult{`,
 		`Request:` + fmt.Sprintf("%v", this.Request) + `,`,
 		`Driver:` + fmt.Sprintf("%v", this.Driver) + `,`,
 		`Pool:` + fmt.Sprintf("%v", this.Pool) + `,`,
 		`Device:` + fmt.Sprintf("%v", this.Device) + `,`,
 		`AdminAccess:` + valueToStringGenerated(this.AdminAccess) + `,`,
+		`Tolerations:` + repeatedStringForTolerations + `,`,
 		`}`,
 	}, "")
 	return s
@@ -3765,12 +4472,102 @@ func (this *DeviceSubRequest) String() string {
 		repeatedStringForSelectors += strings.Replace(strings.Replace(f.String(), "DeviceSelector", "DeviceSelector", 1), `&`, ``, 1) + ","
 	}
 	repeatedStringForSelectors += "}"
+	repeatedStringForTolerations := "[]DeviceToleration{"
+	for _, f := range this.Tolerations {
+		repeatedStringForTolerations += strings.Replace(strings.Replace(f.String(), "DeviceToleration", "DeviceToleration", 1), `&`, ``, 1) + ","
+	}
+	repeatedStringForTolerations += "}"
 	s := strings.Join([]string{`&DeviceSubRequest{`,
 		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
 		`DeviceClassName:` + fmt.Sprintf("%v", this.DeviceClassName) + `,`,
 		`Selectors:` + repeatedStringForSelectors + `,`,
 		`AllocationMode:` + fmt.Sprintf("%v", this.AllocationMode) + `,`,
 		`Count:` + fmt.Sprintf("%v", this.Count) + `,`,
+		`Tolerations:` + repeatedStringForTolerations + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *DeviceTaint) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&DeviceTaint{`,
+		`Key:` + fmt.Sprintf("%v", this.Key) + `,`,
+		`Value:` + fmt.Sprintf("%v", this.Value) + `,`,
+		`Effect:` + fmt.Sprintf("%v", this.Effect) + `,`,
+		`TimeAdded:` + strings.Replace(fmt.Sprintf("%v", this.TimeAdded), "Time", "v1.Time", 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *DeviceTaintRule) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&DeviceTaintRule{`,
+		`ObjectMeta:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ObjectMeta), "ObjectMeta", "v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
+		`Spec:` + strings.Replace(strings.Replace(this.Spec.String(), "DeviceTaintRuleSpec", "DeviceTaintRuleSpec", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *DeviceTaintRuleList) String() string {
+	if this == nil {
+		return "nil"
+	}
+	repeatedStringForItems := "[]DeviceTaintRule{"
+	for _, f := range this.Items {
+		repeatedStringForItems += strings.Replace(strings.Replace(f.String(), "DeviceTaintRule", "DeviceTaintRule", 1), `&`, ``, 1) + ","
+	}
+	repeatedStringForItems += "}"
+	s := strings.Join([]string{`&DeviceTaintRuleList{`,
+		`ListMeta:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ListMeta), "ListMeta", "v1.ListMeta", 1), `&`, ``, 1) + `,`,
+		`Items:` + repeatedStringForItems + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *DeviceTaintRuleSpec) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&DeviceTaintRuleSpec{`,
+		`DeviceSelector:` + strings.Replace(this.DeviceSelector.String(), "DeviceTaintSelector", "DeviceTaintSelector", 1) + `,`,
+		`Taint:` + strings.Replace(strings.Replace(this.Taint.String(), "DeviceTaint", "DeviceTaint", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *DeviceTaintSelector) String() string {
+	if this == nil {
+		return "nil"
+	}
+	repeatedStringForSelectors := "[]DeviceSelector{"
+	for _, f := range this.Selectors {
+		repeatedStringForSelectors += strings.Replace(strings.Replace(f.String(), "DeviceSelector", "DeviceSelector", 1), `&`, ``, 1) + ","
+	}
+	repeatedStringForSelectors += "}"
+	s := strings.Join([]string{`&DeviceTaintSelector{`,
+		`DeviceClassName:` + valueToStringGenerated(this.DeviceClassName) + `,`,
+		`Driver:` + valueToStringGenerated(this.Driver) + `,`,
+		`Pool:` + valueToStringGenerated(this.Pool) + `,`,
+		`Device:` + valueToStringGenerated(this.Device) + `,`,
+		`Selectors:` + repeatedStringForSelectors + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *DeviceToleration) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&DeviceToleration{`,
+		`Key:` + fmt.Sprintf("%v", this.Key) + `,`,
+		`Operator:` + fmt.Sprintf("%v", this.Operator) + `,`,
+		`Value:` + fmt.Sprintf("%v", this.Value) + `,`,
+		`Effect:` + fmt.Sprintf("%v", this.Effect) + `,`,
+		`TolerationSeconds:` + valueToStringGenerated(this.TolerationSeconds) + `,`,
 		`}`,
 	}, "")
 	return s
@@ -4634,6 +5431,40 @@ func (m *BasicDevice) Unmarshal(dAtA []byte) error {
 			}
 			m.Capacity[QualifiedName(mapkey)] = *mapvalue
 			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Taints", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Taints = append(m.Taints, DeviceTaint{})
+			if err := m.Taints[len(m.Taints)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipGenerated(dAtA[iNdEx:])
@@ -6412,6 +7243,40 @@ func (m *DeviceRequest) Unmarshal(dAtA []byte) error {
 				return err
 			}
 			iNdEx = postIndex
+		case 8:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Tolerations", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Tolerations = append(m.Tolerations, DeviceToleration{})
+			if err := m.Tolerations[len(m.Tolerations)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipGenerated(dAtA[iNdEx:])
@@ -6611,6 +7476,40 @@ func (m *DeviceRequestAllocationResult) Unmarshal(dAtA []byte) error {
 			}
 			b := bool(v != 0)
 			m.AdminAccess = &b
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Tolerations", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Tolerations = append(m.Tolerations, DeviceToleration{})
+			if err := m.Tolerations[len(m.Tolerations)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipGenerated(dAtA[iNdEx:])
@@ -6896,6 +7795,988 @@ func (m *DeviceSubRequest) Unmarshal(dAtA []byte) error {
 					break
 				}
 			}
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Tolerations", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Tolerations = append(m.Tolerations, DeviceToleration{})
+			if err := m.Tolerations[len(m.Tolerations)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DeviceTaint) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DeviceTaint: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DeviceTaint: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Key", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Key = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Value", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Value = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Effect", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Effect = DeviceTaintEffect(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TimeAdded", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.TimeAdded == nil {
+				m.TimeAdded = &v1.Time{}
+			}
+			if err := m.TimeAdded.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DeviceTaintRule) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DeviceTaintRule: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DeviceTaintRule: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Spec", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Spec.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DeviceTaintRuleList) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DeviceTaintRuleList: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DeviceTaintRuleList: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field ListMeta", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.ListMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Items", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Items = append(m.Items, DeviceTaintRule{})
+			if err := m.Items[len(m.Items)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DeviceTaintRuleSpec) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DeviceTaintRuleSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DeviceTaintRuleSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field DeviceSelector", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.DeviceSelector == nil {
+				m.DeviceSelector = &DeviceTaintSelector{}
+			}
+			if err := m.DeviceSelector.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Taint", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if err := m.Taint.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DeviceTaintSelector) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DeviceTaintSelector: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DeviceTaintSelector: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field DeviceClassName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			s := string(dAtA[iNdEx:postIndex])
+			m.DeviceClassName = &s
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Driver", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			s := string(dAtA[iNdEx:postIndex])
+			m.Driver = &s
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Pool", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			s := string(dAtA[iNdEx:postIndex])
+			m.Pool = &s
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Device", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			s := string(dAtA[iNdEx:postIndex])
+			m.Device = &s
+			iNdEx = postIndex
+		case 5:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Selectors", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Selectors = append(m.Selectors, DeviceSelector{})
+			if err := m.Selectors[len(m.Selectors)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DeviceToleration) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DeviceToleration: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DeviceToleration: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Key", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Key = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Operator", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Operator = DeviceTolerationOperator(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Value", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Value = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Effect", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Effect = DeviceTaintEffect(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 5:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TolerationSeconds", wireType)
+			}
+			var v int64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= int64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.TolerationSeconds = &v
 		default:
 			iNdEx = preIndex
 			skippy, err := skipGenerated(dAtA[iNdEx:])
diff --git a/staging/src/k8s.io/api/resource/v1alpha3/generated.proto b/staging/src/k8s.io/api/resource/v1alpha3/generated.proto
index 714973183b1..76ff86901b9 100644
--- a/staging/src/k8s.io/api/resource/v1alpha3/generated.proto
+++ b/staging/src/k8s.io/api/resource/v1alpha3/generated.proto
@@ -113,6 +113,18 @@ message BasicDevice {
   //
   // +optional
   map<string, .k8s.io.apimachinery.pkg.api.resource.Quantity> capacity = 2;
+
+  // If specified, these are the driver-defined taints.
+  //
+  // The maximum number of taints is 8.
+  //
+  // This is an alpha field and requires enabling the DRADeviceTaints
+  // feature gate.
+  //
+  // +optional
+  // +listType=atomic
+  // +featureGate=DRADeviceTaints
+  repeated DeviceTaint taints = 3;
 }
 
 // CELDeviceSelector contains a CEL expression for selecting a device.
@@ -520,6 +532,32 @@ message DeviceRequest {
   // +listType=atomic
   // +featureGate=DRAPrioritizedList
   repeated DeviceSubRequest firstAvailable = 7;
+
+  // If specified, the request's tolerations.
+  //
+  // Tolerations for NoSchedule are required to allocate a
+  // device which has a taint with that effect. The same applies
+  // to NoExecute.
+  //
+  // In addition, should any of the allocated devices get tainted
+  // with NoExecute after allocation and that effect is not tolerated,
+  // then all pods consuming the ResourceClaim get deleted to evict
+  // them. The scheduler will not let new pods reserve the claim while
+  // it has these tainted devices. Once all pods are evicted, the
+  // claim will get deallocated.
+  //
+  // The maximum number of tolerations is 16.
+  //
+  // This field can only be set when deviceClassName is set and no subrequests
+  // are specified in the firstAvailable list.
+  //
+  // This is an alpha field and requires enabling the DRADeviceTaints
+  // feature gate.
+  //
+  // +optional
+  // +listType=atomic
+  // +featureGate=DRADeviceTaints
+  repeated DeviceToleration tolerations = 8;
 }
 
 // DeviceRequestAllocationResult contains the allocation result for one request.
@@ -571,6 +609,19 @@ message DeviceRequestAllocationResult {
   // +optional
   // +featureGate=DRAAdminAccess
   optional bool adminAccess = 5;
+
+  // A copy of all tolerations specified in the request at the time
+  // when the device got allocated.
+  //
+  // The maximum number of tolerations is 16.
+  //
+  // This is an alpha field and requires enabling the DRADeviceTaints
+  // feature gate.
+  //
+  // +optional
+  // +listType=atomic
+  // +featureGate=DRADeviceTaints
+  repeated DeviceToleration tolerations = 6;
 }
 
 // DeviceSelector must have exactly one field set.
@@ -652,6 +703,190 @@ message DeviceSubRequest {
   // +optional
   // +oneOf=AllocationMode
   optional int64 count = 5;
+
+  // If specified, the request's tolerations.
+  //
+  // Tolerations for NoSchedule are required to allocate a
+  // device which has a taint with that effect. The same applies
+  // to NoExecute.
+  //
+  // In addition, should any of the allocated devices get tainted
+  // with NoExecute after allocation and that effect is not tolerated,
+  // then all pods consuming the ResourceClaim get deleted to evict
+  // them. The scheduler will not let new pods reserve the claim while
+  // it has these tainted devices. Once all pods are evicted, the
+  // claim will get deallocated.
+  //
+  // The maximum number of tolerations is 16.
+  //
+  // This is an alpha field and requires enabling the DRADeviceTaints
+  // feature gate.
+  //
+  // +optional
+  // +listType=atomic
+  // +featureGate=DRADeviceTaints
+  repeated DeviceToleration tolerations = 7;
+}
+
+// The device this taint is attached to has the "effect" on
+// any claim which does not tolerate the taint and, through the claim,
+// to pods using the claim.
+message DeviceTaint {
+  // The taint key to be applied to a device.
+  // Must be a label name.
+  //
+  // +required
+  optional string key = 1;
+
+  // The taint value corresponding to the taint key.
+  // Must be a label value.
+  //
+  // +optional
+  optional string value = 2;
+
+  // The effect of the taint on claims that do not tolerate the taint
+  // and through such claims on the pods using them.
+  // Valid effects are NoSchedule and NoExecute. PreferNoSchedule as used for
+  // nodes is not valid here.
+  //
+  // +required
+  optional string effect = 3;
+
+  // TimeAdded represents the time at which the taint was added.
+  // Added automatically during create or update if not set.
+  //
+  // +optional
+  optional .k8s.io.apimachinery.pkg.apis.meta.v1.Time timeAdded = 4;
+}
+
+// DeviceTaintRule adds one taint to all devices which match the selector.
+// This has the same effect as if the taint was specified directly
+// in the ResourceSlice by the DRA driver.
+message DeviceTaintRule {
+  // Standard object metadata
+  // +optional
+  optional .k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Spec specifies the selector and one taint.
+  //
+  // Changing the spec automatically increments the metadata.generation number.
+  optional DeviceTaintRuleSpec spec = 2;
+}
+
+// DeviceTaintRuleList is a collection of DeviceTaintRules.
+message DeviceTaintRuleList {
+  // Standard list metadata
+  // +optional
+  optional .k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // Items is the list of DeviceTaintRules.
+  repeated DeviceTaintRule items = 2;
+}
+
+// DeviceTaintRuleSpec specifies the selector and one taint.
+message DeviceTaintRuleSpec {
+  // DeviceSelector defines which device(s) the taint is applied to.
+  // All selector criteria must be satified for a device to
+  // match. The empty selector matches all devices. Without
+  // a selector, no devices are matches.
+  //
+  // +optional
+  optional DeviceTaintSelector deviceSelector = 1;
+
+  // The taint that gets applied to matching devices.
+  //
+  // +required
+  optional DeviceTaint taint = 2;
+}
+
+// DeviceTaintSelector defines which device(s) a DeviceTaintRule applies to.
+// The empty selector matches all devices. Without a selector, no devices
+// are matched.
+message DeviceTaintSelector {
+  // If DeviceClassName is set, the selectors defined there must be
+  // satisfied by a device to be selected. This field corresponds
+  // to class.metadata.name.
+  //
+  // +optional
+  optional string deviceClassName = 1;
+
+  // If driver is set, only devices from that driver are selected.
+  // This fields corresponds to slice.spec.driver.
+  //
+  // +optional
+  optional string driver = 2;
+
+  // If pool is set, only devices in that pool are selected.
+  //
+  // Also setting the driver name may be useful to avoid
+  // ambiguity when different drivers use the same pool name,
+  // but this is not required because selecting pools from
+  // different drivers may also be useful, for example when
+  // drivers with node-local devices use the node name as
+  // their pool name.
+  //
+  // +optional
+  optional string pool = 3;
+
+  // If device is set, only devices with that name are selected.
+  // This field corresponds to slice.spec.devices[].name.
+  //
+  // Setting also driver and pool may be required to avoid ambiguity,
+  // but is not required.
+  //
+  // +optional
+  optional string device = 4;
+
+  // Selectors contains the same selection criteria as a ResourceClaim.
+  // Currently, CEL expressions are supported. All of these selectors
+  // must be satisfied.
+  //
+  // +optional
+  // +listType=atomic
+  repeated DeviceSelector selectors = 5;
+}
+
+// The ResourceClaim this DeviceToleration is attached to tolerates any taint that matches
+// the triple <key,value,effect> using the matching operator <operator>.
+message DeviceToleration {
+  // Key is the taint key that the toleration applies to. Empty means match all taint keys.
+  // If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+  // Must be a label name.
+  //
+  // +optional
+  optional string key = 1;
+
+  // Operator represents a key's relationship to the value.
+  // Valid operators are Exists and Equal. Defaults to Equal.
+  // Exists is equivalent to wildcard for value, so that a ResourceClaim can
+  // tolerate all taints of a particular category.
+  //
+  // +optional
+  // +default="Equal"
+  optional string operator = 2;
+
+  // Value is the taint value the toleration matches to.
+  // If the operator is Exists, the value must be empty, otherwise just a regular string.
+  // Must be a label value.
+  //
+  // +optional
+  optional string value = 3;
+
+  // Effect indicates the taint effect to match. Empty means match all taint effects.
+  // When specified, allowed values are NoSchedule and NoExecute.
+  //
+  // +optional
+  optional string effect = 4;
+
+  // TolerationSeconds represents the period of time the toleration (which must be
+  // of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+  // it is not set, which means tolerate the taint forever (do not evict). Zero and
+  // negative values will be treated as 0 (evict immediately) by the system.
+  // If larger than zero, the time when the pod needs to be evicted is calculated as <time when
+  // taint was adedd> + <toleration seconds>.
+  //
+  // +optional
+  optional int64 tolerationSeconds = 5;
 }
 
 // NetworkDeviceData provides network-related details for the allocated device.
diff --git a/staging/src/k8s.io/api/resource/v1alpha3/types_swagger_doc_generated.go b/staging/src/k8s.io/api/resource/v1alpha3/types_swagger_doc_generated.go
index e7388eef7fe..605c8e0c792 100644
--- a/staging/src/k8s.io/api/resource/v1alpha3/types_swagger_doc_generated.go
+++ b/staging/src/k8s.io/api/resource/v1alpha3/types_swagger_doc_generated.go
@@ -55,6 +55,7 @@ var map_BasicDevice = map[string]string{
 	"":           "BasicDevice defines one device instance.",
 	"attributes": "Attributes defines the set of attributes for this device. The name of each attribute must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.",
 	"capacity":   "Capacity defines the set of capacities for this device. The name of each capacity must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.",
+	"taints":     "If specified, these are the driver-defined taints.\n\nThe maximum number of taints is 8.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
 }
 
 func (BasicDevice) SwaggerDoc() map[string]string {
@@ -198,6 +199,7 @@ var map_DeviceRequest = map[string]string{
 	"count":           "Count is used only when the count mode is \"ExactCount\". Must be greater than zero. If AllocationMode is ExactCount and this field is not specified, the default is one.\n\nThis field can only be set when deviceClassName is set and no subrequests are specified in the firstAvailable list.",
 	"adminAccess":     "AdminAccess indicates that this is a claim for administrative access to the device(s). Claims with AdminAccess are expected to be used for monitoring or other management services for a device.  They ignore all ordinary claims to the device with respect to access modes and any resource allocations.\n\nThis field can only be set when deviceClassName is set and no subrequests are specified in the firstAvailable list.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, otherwise it is enabled.",
 	"firstAvailable":  "FirstAvailable contains subrequests, of which exactly one will be satisfied by the scheduler to satisfy this request. It tries to satisfy them in the order in which they are listed here. So if there are two entries in the list, the scheduler will only check the second one if it determines that the first one cannot be used.\n\nThis field may only be set in the entries of DeviceClaim.Requests.\n\nDRA does not yet implement scoring, so the scheduler will select the first set of devices that satisfies all the requests in the claim. And if the requirements can be satisfied on more than one node, other scheduling features will determine which node is chosen. This means that the set of devices allocated to a claim might not be the optimal set available to the cluster. Scoring will be implemented later.",
+	"tolerations":     "If specified, the request's tolerations.\n\nTolerations for NoSchedule are required to allocate a device which has a taint with that effect. The same applies to NoExecute.\n\nIn addition, should any of the allocated devices get tainted with NoExecute after allocation and that effect is not tolerated, then all pods consuming the ResourceClaim get deleted to evict them. The scheduler will not let new pods reserve the claim while it has these tainted devices. Once all pods are evicted, the claim will get deallocated.\n\nThe maximum number of tolerations is 16.\n\nThis field can only be set when deviceClassName is set and no subrequests are specified in the firstAvailable list.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
 }
 
 func (DeviceRequest) SwaggerDoc() map[string]string {
@@ -211,6 +213,7 @@ var map_DeviceRequestAllocationResult = map[string]string{
 	"pool":        "This name together with the driver name and the device name field identify which device was allocated (`<driver name>/<pool name>/<device name>`).\n\nMust not be longer than 253 characters and may contain one or more DNS sub-domains separated by slashes.",
 	"device":      "Device references one device instance via its name in the driver's resource pool. It must be a DNS label.",
 	"adminAccess": "AdminAccess indicates that this device was allocated for administrative access. See the corresponding request field for a definition of mode.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, otherwise it is enabled.",
+	"tolerations": "A copy of all tolerations specified in the request at the time when the device got allocated.\n\nThe maximum number of tolerations is 16.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
 }
 
 func (DeviceRequestAllocationResult) SwaggerDoc() map[string]string {
@@ -233,12 +236,81 @@ var map_DeviceSubRequest = map[string]string{
 	"selectors":       "Selectors define criteria which must be satisfied by a specific device in order for that device to be considered for this request. All selectors must be satisfied for a device to be considered.",
 	"allocationMode":  "AllocationMode and its related fields define how devices are allocated to satisfy this request. Supported values are:\n\n- ExactCount: This request is for a specific number of devices.\n  This is the default. The exact number is provided in the\n  count field.\n\n- All: This request is for all of the matching devices in a pool.\n  Allocation will fail if some devices are already allocated,\n  unless adminAccess is requested.\n\nIf AlloctionMode is not specified, the default mode is ExactCount. If the mode is ExactCount and count is not specified, the default count is one. Any other requests must specify this field.\n\nMore modes may get added in the future. Clients must refuse to handle requests with unknown modes.",
 	"count":           "Count is used only when the count mode is \"ExactCount\". Must be greater than zero. If AllocationMode is ExactCount and this field is not specified, the default is one.",
+	"tolerations":     "If specified, the request's tolerations.\n\nTolerations for NoSchedule are required to allocate a device which has a taint with that effect. The same applies to NoExecute.\n\nIn addition, should any of the allocated devices get tainted with NoExecute after allocation and that effect is not tolerated, then all pods consuming the ResourceClaim get deleted to evict them. The scheduler will not let new pods reserve the claim while it has these tainted devices. Once all pods are evicted, the claim will get deallocated.\n\nThe maximum number of tolerations is 16.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
 }
 
 func (DeviceSubRequest) SwaggerDoc() map[string]string {
 	return map_DeviceSubRequest
 }
 
+var map_DeviceTaint = map[string]string{
+	"":          "The device this taint is attached to has the \"effect\" on any claim which does not tolerate the taint and, through the claim, to pods using the claim.",
+	"key":       "The taint key to be applied to a device. Must be a label name.",
+	"value":     "The taint value corresponding to the taint key. Must be a label value.",
+	"effect":    "The effect of the taint on claims that do not tolerate the taint and through such claims on the pods using them. Valid effects are NoSchedule and NoExecute. PreferNoSchedule as used for nodes is not valid here.",
+	"timeAdded": "TimeAdded represents the time at which the taint was added. Added automatically during create or update if not set.",
+}
+
+func (DeviceTaint) SwaggerDoc() map[string]string {
+	return map_DeviceTaint
+}
+
+var map_DeviceTaintRule = map[string]string{
+	"":         "DeviceTaintRule adds one taint to all devices which match the selector. This has the same effect as if the taint was specified directly in the ResourceSlice by the DRA driver.",
+	"metadata": "Standard object metadata",
+	"spec":     "Spec specifies the selector and one taint.\n\nChanging the spec automatically increments the metadata.generation number.",
+}
+
+func (DeviceTaintRule) SwaggerDoc() map[string]string {
+	return map_DeviceTaintRule
+}
+
+var map_DeviceTaintRuleList = map[string]string{
+	"":         "DeviceTaintRuleList is a collection of DeviceTaintRules.",
+	"metadata": "Standard list metadata",
+	"items":    "Items is the list of DeviceTaintRules.",
+}
+
+func (DeviceTaintRuleList) SwaggerDoc() map[string]string {
+	return map_DeviceTaintRuleList
+}
+
+var map_DeviceTaintRuleSpec = map[string]string{
+	"":               "DeviceTaintRuleSpec specifies the selector and one taint.",
+	"deviceSelector": "DeviceSelector defines which device(s) the taint is applied to. All selector criteria must be satified for a device to match. The empty selector matches all devices. Without a selector, no devices are matches.",
+	"taint":          "The taint that gets applied to matching devices.",
+}
+
+func (DeviceTaintRuleSpec) SwaggerDoc() map[string]string {
+	return map_DeviceTaintRuleSpec
+}
+
+var map_DeviceTaintSelector = map[string]string{
+	"":                "DeviceTaintSelector defines which device(s) a DeviceTaintRule applies to. The empty selector matches all devices. Without a selector, no devices are matched.",
+	"deviceClassName": "If DeviceClassName is set, the selectors defined there must be satisfied by a device to be selected. This field corresponds to class.metadata.name.",
+	"driver":          "If driver is set, only devices from that driver are selected. This fields corresponds to slice.spec.driver.",
+	"pool":            "If pool is set, only devices in that pool are selected.\n\nAlso setting the driver name may be useful to avoid ambiguity when different drivers use the same pool name, but this is not required because selecting pools from different drivers may also be useful, for example when drivers with node-local devices use the node name as their pool name.",
+	"device":          "If device is set, only devices with that name are selected. This field corresponds to slice.spec.devices[].name.\n\nSetting also driver and pool may be required to avoid ambiguity, but is not required.",
+	"selectors":       "Selectors contains the same selection criteria as a ResourceClaim. Currently, CEL expressions are supported. All of these selectors must be satisfied.",
+}
+
+func (DeviceTaintSelector) SwaggerDoc() map[string]string {
+	return map_DeviceTaintSelector
+}
+
+var map_DeviceToleration = map[string]string{
+	"":                  "The ResourceClaim this DeviceToleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.",
+	"key":               "Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. Must be a label name.",
+	"operator":          "Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a ResourceClaim can tolerate all taints of a particular category.",
+	"value":             "Value is the taint value the toleration matches to. If the operator is Exists, the value must be empty, otherwise just a regular string. Must be a label value.",
+	"effect":            "Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule and NoExecute.",
+	"tolerationSeconds": "TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. If larger than zero, the time when the pod needs to be evicted is calculated as <time when taint was adedd> + <toleration seconds>.",
+}
+
+func (DeviceToleration) SwaggerDoc() map[string]string {
+	return map_DeviceToleration
+}
+
 var map_NetworkDeviceData = map[string]string{
 	"":                "NetworkDeviceData provides network-related details for the allocated device. This information may be filled by drivers or other components to configure or identify the device within a network context.",
 	"interfaceName":   "InterfaceName specifies the name of the network interface associated with the allocated device. This might be the name of a physical or virtual network interface being configured in the pod.\n\nMust not be longer than 256 characters.",
diff --git a/staging/src/k8s.io/api/resource/v1alpha3/zz_generated.deepcopy.go b/staging/src/k8s.io/api/resource/v1alpha3/zz_generated.deepcopy.go
index 6f604acf6c3..a07b25cc892 100644
--- a/staging/src/k8s.io/api/resource/v1alpha3/zz_generated.deepcopy.go
+++ b/staging/src/k8s.io/api/resource/v1alpha3/zz_generated.deepcopy.go
@@ -100,6 +100,13 @@ func (in *BasicDevice) DeepCopyInto(out *BasicDevice) {
 			(*out)[key] = val.DeepCopy()
 		}
 	}
+	if in.Taints != nil {
+		in, out := &in.Taints, &out.Taints
+		*out = make([]DeviceTaint, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	return
 }
 
@@ -473,6 +480,13 @@ func (in *DeviceRequest) DeepCopyInto(out *DeviceRequest) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.Tolerations != nil {
+		in, out := &in.Tolerations, &out.Tolerations
+		*out = make([]DeviceToleration, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	return
 }
 
@@ -494,6 +508,13 @@ func (in *DeviceRequestAllocationResult) DeepCopyInto(out *DeviceRequestAllocati
 		*out = new(bool)
 		**out = **in
 	}
+	if in.Tolerations != nil {
+		in, out := &in.Tolerations, &out.Tolerations
+		*out = make([]DeviceToleration, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	return
 }
 
@@ -538,6 +559,13 @@ func (in *DeviceSubRequest) DeepCopyInto(out *DeviceSubRequest) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.Tolerations != nil {
+		in, out := &in.Tolerations, &out.Tolerations
+		*out = make([]DeviceToleration, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	return
 }
 
@@ -551,6 +579,172 @@ func (in *DeviceSubRequest) DeepCopy() *DeviceSubRequest {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DeviceTaint) DeepCopyInto(out *DeviceTaint) {
+	*out = *in
+	if in.TimeAdded != nil {
+		in, out := &in.TimeAdded, &out.TimeAdded
+		*out = (*in).DeepCopy()
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeviceTaint.
+func (in *DeviceTaint) DeepCopy() *DeviceTaint {
+	if in == nil {
+		return nil
+	}
+	out := new(DeviceTaint)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DeviceTaintRule) DeepCopyInto(out *DeviceTaintRule) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeviceTaintRule.
+func (in *DeviceTaintRule) DeepCopy() *DeviceTaintRule {
+	if in == nil {
+		return nil
+	}
+	out := new(DeviceTaintRule)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *DeviceTaintRule) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DeviceTaintRuleList) DeepCopyInto(out *DeviceTaintRuleList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]DeviceTaintRule, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeviceTaintRuleList.
+func (in *DeviceTaintRuleList) DeepCopy() *DeviceTaintRuleList {
+	if in == nil {
+		return nil
+	}
+	out := new(DeviceTaintRuleList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *DeviceTaintRuleList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DeviceTaintRuleSpec) DeepCopyInto(out *DeviceTaintRuleSpec) {
+	*out = *in
+	if in.DeviceSelector != nil {
+		in, out := &in.DeviceSelector, &out.DeviceSelector
+		*out = new(DeviceTaintSelector)
+		(*in).DeepCopyInto(*out)
+	}
+	in.Taint.DeepCopyInto(&out.Taint)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeviceTaintRuleSpec.
+func (in *DeviceTaintRuleSpec) DeepCopy() *DeviceTaintRuleSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(DeviceTaintRuleSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DeviceTaintSelector) DeepCopyInto(out *DeviceTaintSelector) {
+	*out = *in
+	if in.DeviceClassName != nil {
+		in, out := &in.DeviceClassName, &out.DeviceClassName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Driver != nil {
+		in, out := &in.Driver, &out.Driver
+		*out = new(string)
+		**out = **in
+	}
+	if in.Pool != nil {
+		in, out := &in.Pool, &out.Pool
+		*out = new(string)
+		**out = **in
+	}
+	if in.Device != nil {
+		in, out := &in.Device, &out.Device
+		*out = new(string)
+		**out = **in
+	}
+	if in.Selectors != nil {
+		in, out := &in.Selectors, &out.Selectors
+		*out = make([]DeviceSelector, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeviceTaintSelector.
+func (in *DeviceTaintSelector) DeepCopy() *DeviceTaintSelector {
+	if in == nil {
+		return nil
+	}
+	out := new(DeviceTaintSelector)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DeviceToleration) DeepCopyInto(out *DeviceToleration) {
+	*out = *in
+	if in.TolerationSeconds != nil {
+		in, out := &in.TolerationSeconds, &out.TolerationSeconds
+		*out = new(int64)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeviceToleration.
+func (in *DeviceToleration) DeepCopy() *DeviceToleration {
+	if in == nil {
+		return nil
+	}
+	out := new(DeviceToleration)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NetworkDeviceData) DeepCopyInto(out *NetworkDeviceData) {
 	*out = *in
diff --git a/staging/src/k8s.io/api/resource/v1alpha3/zz_generated.prerelease-lifecycle.go b/staging/src/k8s.io/api/resource/v1alpha3/zz_generated.prerelease-lifecycle.go
index 9f57ab67042..4916aefa6a4 100644
--- a/staging/src/k8s.io/api/resource/v1alpha3/zz_generated.prerelease-lifecycle.go
+++ b/staging/src/k8s.io/api/resource/v1alpha3/zz_generated.prerelease-lifecycle.go
@@ -73,6 +73,42 @@ func (in *DeviceClassList) APILifecycleRemoved() (major, minor int) {
 	return 1, 37
 }
 
+// APILifecycleIntroduced is an autogenerated function, returning the release in which the API struct was introduced as int versions of major and minor for comparison.
+// It is controlled by "k8s:prerelease-lifecycle-gen:introduced" tags in types.go.
+func (in *DeviceTaintRule) APILifecycleIntroduced() (major, minor int) {
+	return 1, 33
+}
+
+// APILifecycleDeprecated is an autogenerated function, returning the release in which the API struct was or will be deprecated as int versions of major and minor for comparison.
+// It is controlled by "k8s:prerelease-lifecycle-gen:deprecated" tags in types.go or  "k8s:prerelease-lifecycle-gen:introduced" plus three minor.
+func (in *DeviceTaintRule) APILifecycleDeprecated() (major, minor int) {
+	return 1, 36
+}
+
+// APILifecycleRemoved is an autogenerated function, returning the release in which the API is no longer served as int versions of major and minor for comparison.
+// It is controlled by "k8s:prerelease-lifecycle-gen:removed" tags in types.go or  "k8s:prerelease-lifecycle-gen:deprecated" plus three minor.
+func (in *DeviceTaintRule) APILifecycleRemoved() (major, minor int) {
+	return 1, 39
+}
+
+// APILifecycleIntroduced is an autogenerated function, returning the release in which the API struct was introduced as int versions of major and minor for comparison.
+// It is controlled by "k8s:prerelease-lifecycle-gen:introduced" tags in types.go.
+func (in *DeviceTaintRuleList) APILifecycleIntroduced() (major, minor int) {
+	return 1, 33
+}
+
+// APILifecycleDeprecated is an autogenerated function, returning the release in which the API struct was or will be deprecated as int versions of major and minor for comparison.
+// It is controlled by "k8s:prerelease-lifecycle-gen:deprecated" tags in types.go or  "k8s:prerelease-lifecycle-gen:introduced" plus three minor.
+func (in *DeviceTaintRuleList) APILifecycleDeprecated() (major, minor int) {
+	return 1, 36
+}
+
+// APILifecycleRemoved is an autogenerated function, returning the release in which the API is no longer served as int versions of major and minor for comparison.
+// It is controlled by "k8s:prerelease-lifecycle-gen:removed" tags in types.go or  "k8s:prerelease-lifecycle-gen:deprecated" plus three minor.
+func (in *DeviceTaintRuleList) APILifecycleRemoved() (major, minor int) {
+	return 1, 39
+}
+
 // APILifecycleIntroduced is an autogenerated function, returning the release in which the API struct was introduced as int versions of major and minor for comparison.
 // It is controlled by "k8s:prerelease-lifecycle-gen:introduced" tags in types.go.
 func (in *ResourceClaim) APILifecycleIntroduced() (major, minor int) {
diff --git a/staging/src/k8s.io/api/resource/v1beta1/generated.pb.go b/staging/src/k8s.io/api/resource/v1beta1/generated.pb.go
index 9d2ecffd67c..4a7cf78afc3 100644
--- a/staging/src/k8s.io/api/resource/v1beta1/generated.pb.go
+++ b/staging/src/k8s.io/api/resource/v1beta1/generated.pb.go
@@ -637,10 +637,66 @@ func (m *DeviceSubRequest) XXX_DiscardUnknown() {
 
 var xxx_messageInfo_DeviceSubRequest proto.InternalMessageInfo
 
+func (m *DeviceTaint) Reset()      { *m = DeviceTaint{} }
+func (*DeviceTaint) ProtoMessage() {}
+func (*DeviceTaint) Descriptor() ([]byte, []int) {
+	return fileDescriptor_ba331e3ec6484c27, []int{21}
+}
+func (m *DeviceTaint) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *DeviceTaint) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	b = b[:cap(b)]
+	n, err := m.MarshalToSizedBuffer(b)
+	if err != nil {
+		return nil, err
+	}
+	return b[:n], nil
+}
+func (m *DeviceTaint) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_DeviceTaint.Merge(m, src)
+}
+func (m *DeviceTaint) XXX_Size() int {
+	return m.Size()
+}
+func (m *DeviceTaint) XXX_DiscardUnknown() {
+	xxx_messageInfo_DeviceTaint.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_DeviceTaint proto.InternalMessageInfo
+
+func (m *DeviceToleration) Reset()      { *m = DeviceToleration{} }
+func (*DeviceToleration) ProtoMessage() {}
+func (*DeviceToleration) Descriptor() ([]byte, []int) {
+	return fileDescriptor_ba331e3ec6484c27, []int{22}
+}
+func (m *DeviceToleration) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *DeviceToleration) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	b = b[:cap(b)]
+	n, err := m.MarshalToSizedBuffer(b)
+	if err != nil {
+		return nil, err
+	}
+	return b[:n], nil
+}
+func (m *DeviceToleration) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_DeviceToleration.Merge(m, src)
+}
+func (m *DeviceToleration) XXX_Size() int {
+	return m.Size()
+}
+func (m *DeviceToleration) XXX_DiscardUnknown() {
+	xxx_messageInfo_DeviceToleration.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_DeviceToleration proto.InternalMessageInfo
+
 func (m *NetworkDeviceData) Reset()      { *m = NetworkDeviceData{} }
 func (*NetworkDeviceData) ProtoMessage() {}
 func (*NetworkDeviceData) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{21}
+	return fileDescriptor_ba331e3ec6484c27, []int{23}
 }
 func (m *NetworkDeviceData) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -668,7 +724,7 @@ var xxx_messageInfo_NetworkDeviceData proto.InternalMessageInfo
 func (m *OpaqueDeviceConfiguration) Reset()      { *m = OpaqueDeviceConfiguration{} }
 func (*OpaqueDeviceConfiguration) ProtoMessage() {}
 func (*OpaqueDeviceConfiguration) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{22}
+	return fileDescriptor_ba331e3ec6484c27, []int{24}
 }
 func (m *OpaqueDeviceConfiguration) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -696,7 +752,7 @@ var xxx_messageInfo_OpaqueDeviceConfiguration proto.InternalMessageInfo
 func (m *ResourceClaim) Reset()      { *m = ResourceClaim{} }
 func (*ResourceClaim) ProtoMessage() {}
 func (*ResourceClaim) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{23}
+	return fileDescriptor_ba331e3ec6484c27, []int{25}
 }
 func (m *ResourceClaim) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -724,7 +780,7 @@ var xxx_messageInfo_ResourceClaim proto.InternalMessageInfo
 func (m *ResourceClaimConsumerReference) Reset()      { *m = ResourceClaimConsumerReference{} }
 func (*ResourceClaimConsumerReference) ProtoMessage() {}
 func (*ResourceClaimConsumerReference) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{24}
+	return fileDescriptor_ba331e3ec6484c27, []int{26}
 }
 func (m *ResourceClaimConsumerReference) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -752,7 +808,7 @@ var xxx_messageInfo_ResourceClaimConsumerReference proto.InternalMessageInfo
 func (m *ResourceClaimList) Reset()      { *m = ResourceClaimList{} }
 func (*ResourceClaimList) ProtoMessage() {}
 func (*ResourceClaimList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{25}
+	return fileDescriptor_ba331e3ec6484c27, []int{27}
 }
 func (m *ResourceClaimList) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -780,7 +836,7 @@ var xxx_messageInfo_ResourceClaimList proto.InternalMessageInfo
 func (m *ResourceClaimSpec) Reset()      { *m = ResourceClaimSpec{} }
 func (*ResourceClaimSpec) ProtoMessage() {}
 func (*ResourceClaimSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{26}
+	return fileDescriptor_ba331e3ec6484c27, []int{28}
 }
 func (m *ResourceClaimSpec) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -808,7 +864,7 @@ var xxx_messageInfo_ResourceClaimSpec proto.InternalMessageInfo
 func (m *ResourceClaimStatus) Reset()      { *m = ResourceClaimStatus{} }
 func (*ResourceClaimStatus) ProtoMessage() {}
 func (*ResourceClaimStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{27}
+	return fileDescriptor_ba331e3ec6484c27, []int{29}
 }
 func (m *ResourceClaimStatus) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -836,7 +892,7 @@ var xxx_messageInfo_ResourceClaimStatus proto.InternalMessageInfo
 func (m *ResourceClaimTemplate) Reset()      { *m = ResourceClaimTemplate{} }
 func (*ResourceClaimTemplate) ProtoMessage() {}
 func (*ResourceClaimTemplate) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{28}
+	return fileDescriptor_ba331e3ec6484c27, []int{30}
 }
 func (m *ResourceClaimTemplate) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -864,7 +920,7 @@ var xxx_messageInfo_ResourceClaimTemplate proto.InternalMessageInfo
 func (m *ResourceClaimTemplateList) Reset()      { *m = ResourceClaimTemplateList{} }
 func (*ResourceClaimTemplateList) ProtoMessage() {}
 func (*ResourceClaimTemplateList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{29}
+	return fileDescriptor_ba331e3ec6484c27, []int{31}
 }
 func (m *ResourceClaimTemplateList) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -892,7 +948,7 @@ var xxx_messageInfo_ResourceClaimTemplateList proto.InternalMessageInfo
 func (m *ResourceClaimTemplateSpec) Reset()      { *m = ResourceClaimTemplateSpec{} }
 func (*ResourceClaimTemplateSpec) ProtoMessage() {}
 func (*ResourceClaimTemplateSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{30}
+	return fileDescriptor_ba331e3ec6484c27, []int{32}
 }
 func (m *ResourceClaimTemplateSpec) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -920,7 +976,7 @@ var xxx_messageInfo_ResourceClaimTemplateSpec proto.InternalMessageInfo
 func (m *ResourcePool) Reset()      { *m = ResourcePool{} }
 func (*ResourcePool) ProtoMessage() {}
 func (*ResourcePool) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{31}
+	return fileDescriptor_ba331e3ec6484c27, []int{33}
 }
 func (m *ResourcePool) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -948,7 +1004,7 @@ var xxx_messageInfo_ResourcePool proto.InternalMessageInfo
 func (m *ResourceSlice) Reset()      { *m = ResourceSlice{} }
 func (*ResourceSlice) ProtoMessage() {}
 func (*ResourceSlice) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{32}
+	return fileDescriptor_ba331e3ec6484c27, []int{34}
 }
 func (m *ResourceSlice) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -976,7 +1032,7 @@ var xxx_messageInfo_ResourceSlice proto.InternalMessageInfo
 func (m *ResourceSliceList) Reset()      { *m = ResourceSliceList{} }
 func (*ResourceSliceList) ProtoMessage() {}
 func (*ResourceSliceList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{33}
+	return fileDescriptor_ba331e3ec6484c27, []int{35}
 }
 func (m *ResourceSliceList) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -1004,7 +1060,7 @@ var xxx_messageInfo_ResourceSliceList proto.InternalMessageInfo
 func (m *ResourceSliceSpec) Reset()      { *m = ResourceSliceSpec{} }
 func (*ResourceSliceSpec) ProtoMessage() {}
 func (*ResourceSliceSpec) Descriptor() ([]byte, []int) {
-	return fileDescriptor_ba331e3ec6484c27, []int{34}
+	return fileDescriptor_ba331e3ec6484c27, []int{36}
 }
 func (m *ResourceSliceSpec) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -1053,6 +1109,8 @@ func init() {
 	proto.RegisterType((*DeviceRequestAllocationResult)(nil), "k8s.io.api.resource.v1beta1.DeviceRequestAllocationResult")
 	proto.RegisterType((*DeviceSelector)(nil), "k8s.io.api.resource.v1beta1.DeviceSelector")
 	proto.RegisterType((*DeviceSubRequest)(nil), "k8s.io.api.resource.v1beta1.DeviceSubRequest")
+	proto.RegisterType((*DeviceTaint)(nil), "k8s.io.api.resource.v1beta1.DeviceTaint")
+	proto.RegisterType((*DeviceToleration)(nil), "k8s.io.api.resource.v1beta1.DeviceToleration")
 	proto.RegisterType((*NetworkDeviceData)(nil), "k8s.io.api.resource.v1beta1.NetworkDeviceData")
 	proto.RegisterType((*OpaqueDeviceConfiguration)(nil), "k8s.io.api.resource.v1beta1.OpaqueDeviceConfiguration")
 	proto.RegisterType((*ResourceClaim)(nil), "k8s.io.api.resource.v1beta1.ResourceClaim")
@@ -1074,139 +1132,153 @@ func init() {
 }
 
 var fileDescriptor_ba331e3ec6484c27 = []byte{
-	// 2103 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x1a, 0x4b, 0x6f, 0x1c, 0x49,
-	0xd9, 0x3d, 0x3d, 0x7e, 0x7d, 0xe3, 0x57, 0x2a, 0x24, 0x4c, 0x1c, 0x31, 0xe3, 0x74, 0x24, 0xf0,
-	0x66, 0xb3, 0x33, 0x9b, 0x01, 0xa2, 0x28, 0x7b, 0x61, 0xda, 0x76, 0x82, 0xd9, 0xc4, 0xf1, 0x96,
-	0xd9, 0x10, 0x2d, 0x1b, 0x44, 0x4d, 0x4f, 0xd9, 0x6e, 0xdc, 0xd3, 0x3d, 0xe9, 0xae, 0x76, 0xd6,
-	0x07, 0x04, 0xe2, 0xbc, 0x42, 0xdc, 0x11, 0x1c, 0x91, 0x90, 0x10, 0xe2, 0x17, 0x80, 0x04, 0x42,
-	0x44, 0x1c, 0x60, 0xb5, 0x5c, 0x56, 0x1c, 0x06, 0x32, 0xfb, 0x03, 0x10, 0xd7, 0x9c, 0x50, 0x55,
-	0x57, 0x3f, 0x67, 0x7a, 0xb6, 0x0d, 0x8b, 0x15, 0x24, 0x6e, 0xee, 0xef, 0x5d, 0xdf, 0xbb, 0x6a,
-	0x0c, 0xaf, 0x1e, 0xdd, 0xf2, 0x1a, 0xa6, 0xd3, 0x24, 0x7d, 0xb3, 0xe9, 0x52, 0xcf, 0xf1, 0x5d,
-	0x83, 0x36, 0x8f, 0x6f, 0x74, 0x28, 0x23, 0x37, 0x9a, 0x07, 0xd4, 0xa6, 0x2e, 0x61, 0xb4, 0xdb,
-	0xe8, 0xbb, 0x0e, 0x73, 0xd0, 0xe5, 0x80, 0xb8, 0x41, 0xfa, 0x66, 0x23, 0x24, 0x6e, 0x48, 0xe2,
-	0xd5, 0xd7, 0x0e, 0x4c, 0x76, 0xe8, 0x77, 0x1a, 0x86, 0xd3, 0x6b, 0x1e, 0x38, 0x07, 0x4e, 0x53,
-	0xf0, 0x74, 0xfc, 0x7d, 0xf1, 0x25, 0x3e, 0xc4, 0x5f, 0x81, 0xac, 0x55, 0x2d, 0xa1, 0xd8, 0x70,
-	0x5c, 0xae, 0x34, 0xab, 0x6f, 0xf5, 0x4b, 0x31, 0x4d, 0x8f, 0x18, 0x87, 0xa6, 0x4d, 0xdd, 0x93,
-	0x66, 0xff, 0xe8, 0x20, 0x6d, 0xed, 0x69, 0xb8, 0xbc, 0x66, 0x8f, 0x32, 0x32, 0x4e, 0x57, 0x33,
-	0x8f, 0xcb, 0xf5, 0x6d, 0x66, 0xf6, 0x46, 0xd5, 0xdc, 0xfc, 0x24, 0x06, 0xcf, 0x38, 0xa4, 0x3d,
-	0x92, 0xe5, 0xd3, 0x7e, 0xaa, 0xc2, 0x85, 0xb6, 0x65, 0x39, 0x06, 0x87, 0x6d, 0xd2, 0x63, 0xd3,
-	0xa0, 0x7b, 0x8c, 0x30, 0xdf, 0x43, 0x9f, 0x87, 0x99, 0xae, 0x6b, 0x1e, 0x53, 0xb7, 0xaa, 0xac,
-	0x29, 0xeb, 0xf3, 0xfa, 0xd2, 0xb3, 0x41, 0x7d, 0x6a, 0x38, 0xa8, 0xcf, 0x6c, 0x0a, 0x28, 0x96,
-	0x58, 0xb4, 0x06, 0xe5, 0xbe, 0xe3, 0x58, 0xd5, 0x92, 0xa0, 0x5a, 0x90, 0x54, 0xe5, 0x5d, 0xc7,
-	0xb1, 0xb0, 0xc0, 0x08, 0x49, 0x42, 0x72, 0x55, 0xcd, 0x48, 0x12, 0x50, 0x2c, 0xb1, 0xc8, 0x00,
-	0x30, 0x1c, 0xbb, 0x6b, 0x32, 0xd3, 0xb1, 0xbd, 0x6a, 0x79, 0x4d, 0x5d, 0xaf, 0xb4, 0x9a, 0x8d,
-	0x38, 0xca, 0xd1, 0xc1, 0x1a, 0xfd, 0xa3, 0x03, 0x0e, 0xf0, 0x1a, 0xdc, 0x7f, 0x8d, 0xe3, 0x1b,
-	0x8d, 0x8d, 0x90, 0x4f, 0x47, 0x52, 0x38, 0x44, 0x20, 0x0f, 0x27, 0xc4, 0xa2, 0x37, 0xa1, 0xdc,
-	0x25, 0x8c, 0x54, 0xa7, 0xd7, 0x94, 0xf5, 0x4a, 0xeb, 0xb5, 0x5c, 0xf1, 0xd2, 0x6f, 0x0d, 0x4c,
-	0x9e, 0x6e, 0xbd, 0xc7, 0xa8, 0xed, 0x71, 0xe1, 0x73, 0xfc, 0x64, 0x9b, 0x84, 0x11, 0x2c, 0x84,
-	0x20, 0x02, 0x15, 0x9b, 0xb2, 0xa7, 0x8e, 0x7b, 0xc4, 0x81, 0xd5, 0x19, 0x21, 0xb3, 0xd1, 0x98,
-	0x90, 0x98, 0x8d, 0x1d, 0x49, 0x2f, 0x8e, 0xcc, 0xb9, 0xf4, 0xe5, 0xe1, 0xa0, 0x5e, 0xd9, 0x89,
-	0xc5, 0xe0, 0xa4, 0x4c, 0xed, 0x8f, 0x0a, 0xac, 0xc8, 0x00, 0x99, 0x8e, 0x8d, 0xa9, 0xe7, 0x5b,
-	0x0c, 0x7d, 0x0b, 0x66, 0x03, 0x9f, 0x79, 0x22, 0x38, 0x95, 0xd6, 0x17, 0x27, 0xea, 0x0c, 0x94,
-	0x65, 0xa5, 0xe8, 0xcb, 0xd2, 0x55, 0xb3, 0x01, 0xde, 0xc3, 0xa1, 0x50, 0xf4, 0x10, 0x16, 0x6c,
-	0xa7, 0x4b, 0xf7, 0xa8, 0x45, 0x0d, 0xe6, 0xb8, 0x22, 0x6e, 0x95, 0xd6, 0x5a, 0x52, 0x09, 0xaf,
-	0x12, 0xee, 0xf9, 0x9d, 0x04, 0x9d, 0xbe, 0x32, 0x1c, 0xd4, 0x17, 0x92, 0x10, 0x9c, 0x92, 0xa3,
-	0xfd, 0x55, 0x85, 0x8a, 0x4e, 0x3c, 0xd3, 0x08, 0x34, 0xa2, 0xef, 0x02, 0x10, 0xc6, 0x5c, 0xb3,
-	0xe3, 0x33, 0x71, 0x14, 0x1e, 0xf1, 0x5b, 0x13, 0x8f, 0x92, 0xe0, 0x6e, 0xb4, 0x23, 0xd6, 0x2d,
-	0x9b, 0xb9, 0x27, 0xfa, 0xd5, 0x30, 0xf4, 0x31, 0xe2, 0x07, 0x7f, 0xab, 0x2f, 0xbe, 0xe5, 0x13,
-	0xcb, 0xdc, 0x37, 0x69, 0x77, 0x87, 0xf4, 0x28, 0x4e, 0x28, 0x44, 0x3e, 0xcc, 0x19, 0xa4, 0x4f,
-	0x0c, 0x93, 0x9d, 0x54, 0x4b, 0x42, 0xf9, 0xcd, 0xc2, 0xca, 0x37, 0x24, 0x63, 0xa0, 0xfa, 0x8a,
-	0x54, 0x3d, 0x17, 0x82, 0x47, 0x15, 0x47, 0xaa, 0x56, 0x8f, 0x60, 0x39, 0x63, 0x3a, 0x5a, 0x01,
-	0xf5, 0x88, 0x9e, 0x04, 0x95, 0x86, 0xf9, 0x9f, 0x48, 0x87, 0xe9, 0x63, 0x62, 0xf9, 0x54, 0xd4,
-	0x55, 0xa5, 0x75, 0xbd, 0x48, 0x80, 0x43, 0xa1, 0x38, 0x60, 0xbd, 0x5d, 0xba, 0xa5, 0xac, 0x1e,
-	0xc2, 0x62, 0xca, 0xd4, 0x31, 0xaa, 0xda, 0x69, 0x55, 0xaf, 0x16, 0x50, 0x15, 0x8a, 0x4c, 0x68,
-	0xd2, 0xee, 0xc2, 0xb9, 0x8d, 0xad, 0x7b, 0xb2, 0x87, 0xc8, 0x88, 0xa3, 0x16, 0x00, 0x7d, 0xaf,
-	0xef, 0x52, 0x8f, 0xd7, 0x8f, 0xec, 0x24, 0x51, 0x89, 0x6e, 0x45, 0x18, 0x9c, 0xa0, 0xd2, 0x7c,
-	0x90, 0x9d, 0x81, 0xf7, 0x16, 0x9b, 0xf4, 0xa8, 0xe4, 0x8b, 0x7a, 0x8b, 0xf0, 0xa7, 0xc0, 0xa0,
-	0x6d, 0x98, 0xee, 0xf0, 0xa8, 0x48, 0xdb, 0xd7, 0x8b, 0xc6, 0x4f, 0x9f, 0x1f, 0x0e, 0xea, 0xd3,
-	0x02, 0x80, 0x03, 0x09, 0xda, 0xfb, 0x25, 0xf8, 0x5c, 0xb6, 0x52, 0x36, 0x1c, 0x7b, 0xdf, 0x3c,
-	0xf0, 0x5d, 0xf1, 0x81, 0xbe, 0x02, 0x33, 0x81, 0x44, 0x69, 0xd0, 0x7a, 0xd8, 0xc8, 0xf6, 0x04,
-	0xf4, 0xc5, 0xa0, 0x7e, 0x31, 0xcb, 0x1a, 0x60, 0xb0, 0xe4, 0x43, 0xeb, 0x30, 0xe7, 0xd2, 0x27,
-	0x3e, 0xf5, 0x98, 0x27, 0x32, 0x6e, 0x5e, 0x5f, 0xe0, 0x59, 0x83, 0x25, 0x0c, 0x47, 0x58, 0xf4,
-	0x3d, 0x38, 0x1f, 0x54, 0x63, 0xca, 0x04, 0x59, 0x89, 0xaf, 0x17, 0x09, 0x51, 0x92, 0x4f, 0xbf,
-	0x2c, 0x4d, 0x3d, 0x3f, 0x06, 0x89, 0xc7, 0x69, 0xd2, 0x3e, 0x56, 0xe0, 0xe2, 0xf8, 0xc6, 0x81,
-	0x28, 0xcc, 0xba, 0xe2, 0xaf, 0xb0, 0x66, 0x6f, 0x17, 0xb0, 0x47, 0x9e, 0x31, 0xbf, 0x0b, 0x05,
-	0xdf, 0x1e, 0x0e, 0x65, 0xa3, 0x0e, 0xcc, 0x18, 0xc2, 0x24, 0x59, 0x9c, 0xb7, 0x4f, 0xd5, 0xe4,
-	0xd2, 0xe7, 0x8f, 0x66, 0x4e, 0x00, 0xc6, 0x52, 0xb2, 0xf6, 0x73, 0x05, 0x96, 0x33, 0xd5, 0x83,
-	0x6a, 0xa0, 0x9a, 0x36, 0x13, 0x19, 0xa5, 0x06, 0xf1, 0xd9, 0xb6, 0xd9, 0x43, 0x9e, 0xe7, 0x98,
-	0x23, 0xd0, 0x15, 0x28, 0x77, 0xf8, 0xc4, 0xe3, 0xb1, 0x98, 0xd3, 0x17, 0x87, 0x83, 0xfa, 0xbc,
-	0xee, 0x38, 0x56, 0x40, 0x21, 0x50, 0xe8, 0x0b, 0x30, 0xe3, 0x31, 0xd7, 0xb4, 0x0f, 0xaa, 0x65,
-	0x91, 0x29, 0xa2, 0xc7, 0xef, 0x09, 0x48, 0x40, 0x26, 0xd1, 0xe8, 0x1a, 0xcc, 0x1e, 0x53, 0x57,
-	0x14, 0xc7, 0xb4, 0xa0, 0x14, 0x2d, 0xf4, 0x61, 0x00, 0x0a, 0x48, 0x43, 0x02, 0x8d, 0xc2, 0x52,
-	0xba, 0xfa, 0xd0, 0x5e, 0x58, 0xb9, 0xca, 0xc8, 0xe4, 0x19, 0x19, 0x96, 0xb1, 0xc7, 0xde, 0xf2,
-	0x89, 0xcd, 0x4c, 0x76, 0xa2, 0x2f, 0x4a, 0xa7, 0x4c, 0x07, 0x8a, 0x02, 0x59, 0xda, 0x2f, 0x4a,
-	0x50, 0x91, 0x7a, 0x2c, 0x62, 0xf6, 0xd0, 0xa3, 0x44, 0xce, 0x06, 0xe1, 0xbe, 0x56, 0x3c, 0xdc,
-	0xfa, 0x4a, 0xd8, 0x19, 0xc7, 0xe4, 0x78, 0x17, 0x2a, 0x86, 0x63, 0x7b, 0xcc, 0x25, 0xa6, 0x2d,
-	0x0b, 0x22, 0x3d, 0x92, 0x27, 0xe4, 0xb6, 0xe4, 0xd2, 0xcf, 0x4b, 0xf9, 0x95, 0x18, 0xe6, 0xe1,
-	0xa4, 0x58, 0xf4, 0x38, 0x4a, 0x23, 0x55, 0x28, 0xf8, 0x72, 0x11, 0x05, 0xfc, 0xe4, 0xc5, 0x32,
-	0xe8, 0xf7, 0x0a, 0x54, 0xf3, 0x98, 0x52, 0xf5, 0xae, 0xfc, 0x3b, 0xf5, 0x5e, 0x3a, 0xb3, 0x7a,
-	0xff, 0x8d, 0x92, 0x08, 0xbb, 0xe7, 0xa1, 0x6f, 0xc3, 0x1c, 0xdf, 0xae, 0xc4, 0xb2, 0xa4, 0x8c,
-	0x58, 0x31, 0x61, 0x17, 0x7b, 0xd0, 0xf9, 0x0e, 0x35, 0xd8, 0x7d, 0xca, 0x48, 0xdc, 0xe9, 0x63,
-	0x18, 0x8e, 0xa4, 0xa2, 0x1d, 0x28, 0x7b, 0x7d, 0x6a, 0x9c, 0x62, 0xc2, 0x09, 0xcb, 0xf6, 0xfa,
-	0xd4, 0x88, 0x67, 0x01, 0xff, 0xc2, 0x42, 0x8e, 0xf6, 0xe3, 0x64, 0x24, 0x3c, 0x2f, 0x1d, 0x89,
-	0x1c, 0xff, 0x2a, 0x67, 0xe6, 0xdf, 0x5f, 0x47, 0x9d, 0x46, 0x58, 0x77, 0xcf, 0xf4, 0x18, 0x7a,
-	0x77, 0xc4, 0xc7, 0x8d, 0x62, 0x3e, 0xe6, 0xdc, 0xc2, 0xc3, 0x51, 0x79, 0x85, 0x90, 0x84, 0x7f,
-	0xef, 0xc3, 0xb4, 0xc9, 0x68, 0x2f, 0x2c, 0xac, 0xf5, 0xa2, 0x0e, 0x8e, 0xfb, 0xc2, 0x36, 0x67,
-	0xc7, 0x81, 0x14, 0xed, 0x4f, 0xe9, 0x03, 0x70, 0xc7, 0xa3, 0x77, 0x61, 0xde, 0x93, 0xa3, 0x3e,
-	0x6c, 0x0e, 0x45, 0xd6, 0x87, 0x68, 0x61, 0x3c, 0x27, 0x35, 0xcd, 0x87, 0x10, 0x0f, 0xc7, 0x02,
-	0x13, 0x95, 0x5b, 0x3a, 0x4d, 0xe5, 0x66, 0x42, 0x9f, 0x5b, 0xb9, 0x4f, 0x60, 0x5c, 0xf4, 0xd0,
-	0x3b, 0x30, 0xe3, 0xf4, 0xc9, 0x93, 0xa8, 0xab, 0x4e, 0xde, 0x09, 0x1f, 0x08, 0xd2, 0x71, 0x29,
-	0x02, 0x5c, 0x65, 0x80, 0xc6, 0x52, 0xa2, 0xf6, 0x43, 0x05, 0x56, 0xb2, 0x2d, 0xec, 0x14, 0x4d,
-	0x62, 0x17, 0x96, 0x7a, 0x84, 0x19, 0x87, 0xd1, 0xac, 0x92, 0xb7, 0xae, 0xf5, 0xe1, 0xa0, 0xbe,
-	0x74, 0x3f, 0x85, 0x79, 0x31, 0xa8, 0xa3, 0x3b, 0xbe, 0x65, 0x9d, 0xa4, 0xb7, 0xd0, 0x0c, 0xbf,
-	0xf6, 0x4f, 0x15, 0x16, 0x53, 0x0d, 0xbb, 0xc0, 0xce, 0xd5, 0x86, 0xe5, 0x6e, 0xec, 0x6b, 0x8e,
-	0x90, 0x66, 0x7c, 0x56, 0x12, 0x27, 0xd3, 0x44, 0xf0, 0x65, 0xe9, 0xd3, 0x79, 0xa3, 0x7e, 0xda,
-	0x79, 0xf3, 0x10, 0x96, 0x48, 0xb4, 0x07, 0xdc, 0x77, 0xba, 0x54, 0x4e, 0xe1, 0x86, 0xe4, 0x5a,
-	0x6a, 0xa7, 0xb0, 0x2f, 0x06, 0xf5, 0xcf, 0x64, 0xb7, 0x07, 0x0e, 0xc7, 0x19, 0x29, 0xe8, 0x2a,
-	0x4c, 0x1b, 0x8e, 0x6f, 0x33, 0x31, 0xaa, 0xd5, 0xb8, 0x4c, 0x36, 0x38, 0x10, 0x07, 0x38, 0x74,
-	0x03, 0x2a, 0xa4, 0xdb, 0x33, 0xed, 0xb6, 0x61, 0x50, 0xcf, 0x13, 0x77, 0xc2, 0xb9, 0x60, 0xfe,
-	0xb7, 0x63, 0x30, 0x4e, 0xd2, 0xa0, 0x1e, 0x2c, 0xed, 0x9b, 0xae, 0xc7, 0xda, 0xc7, 0xc4, 0xb4,
-	0x48, 0xc7, 0xa2, 0xd5, 0xd9, 0xc2, 0xa3, 0x70, 0xcf, 0xef, 0x84, 0xa3, 0xf6, 0x62, 0x78, 0xbc,
-	0x3b, 0x29, 0x61, 0x38, 0x23, 0x5c, 0xfb, 0x87, 0x12, 0x2e, 0xba, 0x39, 0x3b, 0x19, 0x7a, 0x85,
-	0x2f, 0x78, 0x02, 0x25, 0xd3, 0x20, 0xb1, 0xa4, 0x09, 0x30, 0x0e, 0xf1, 0x89, 0x67, 0x82, 0x52,
-	0xa1, 0x67, 0x02, 0xb5, 0xc0, 0x33, 0x41, 0x79, 0xe2, 0x33, 0x41, 0xc6, 0xc1, 0xd3, 0x9f, 0xec,
-	0x60, 0xed, 0x9b, 0xe1, 0xe6, 0x14, 0xdd, 0x4b, 0xb6, 0x41, 0x35, 0xa8, 0x35, 0xa6, 0xe9, 0x8e,
-	0xfa, 0x79, 0xe4, 0x52, 0xa3, 0xcf, 0x0e, 0x07, 0x75, 0x75, 0x63, 0xeb, 0x1e, 0xe6, 0x32, 0xb4,
-	0x0f, 0x4b, 0x61, 0x4d, 0xc7, 0xb1, 0xf8, 0x7f, 0x15, 0xfd, 0x67, 0x55, 0xa4, 0xfd, 0x52, 0x81,
-	0x73, 0x23, 0x4f, 0x25, 0xe8, 0x0d, 0x58, 0x34, 0x6d, 0x46, 0xdd, 0x7d, 0x62, 0xd0, 0x9d, 0xd8,
-	0xbd, 0x17, 0xa4, 0x88, 0xc5, 0xed, 0x24, 0x12, 0xa7, 0x69, 0xd1, 0x25, 0x50, 0xcd, 0x7e, 0x78,
-	0xed, 0x12, 0x21, 0xdc, 0xde, 0xf5, 0x30, 0x87, 0xf1, 0x58, 0x1c, 0x12, 0xb7, 0xfb, 0x94, 0xb8,
-	0xb4, 0xdd, 0xed, 0xf2, 0x7b, 0xa8, 0xcc, 0xd3, 0x28, 0x16, 0x5f, 0x4d, 0xa3, 0x71, 0x96, 0x5e,
-	0xfb, 0x99, 0x02, 0x97, 0x72, 0x67, 0x41, 0xe1, 0xc7, 0x34, 0x02, 0xd0, 0x27, 0x2e, 0xe9, 0x51,
-	0x46, 0x5d, 0x4f, 0x2e, 0x46, 0xa7, 0x7c, 0xa3, 0x8a, 0x76, 0xae, 0xdd, 0x48, 0x10, 0x4e, 0x08,
-	0xd5, 0x7e, 0x52, 0x82, 0x45, 0x2c, 0x13, 0x23, 0x58, 0xf0, 0xff, 0xfb, 0x9b, 0xde, 0x6e, 0x6a,
-	0xd3, 0x9b, 0x5c, 0x6e, 0x29, 0xdb, 0xf2, 0x76, 0x3d, 0xf4, 0x88, 0x5f, 0xb0, 0x08, 0xf3, 0xbd,
-	0x42, 0x37, 0xe2, 0xb4, 0x4c, 0xc1, 0x17, 0x87, 0x20, 0xf8, 0xc6, 0x52, 0x9e, 0x36, 0x54, 0xa0,
-	0x96, 0xa2, 0xe7, 0x93, 0xda, 0xef, 0x51, 0x17, 0xd3, 0x7d, 0xea, 0x52, 0xdb, 0xa0, 0xe8, 0x3a,
-	0xcc, 0x91, 0xbe, 0x79, 0xd7, 0x75, 0xfc, 0xbe, 0x8c, 0x67, 0xb4, 0x86, 0xb5, 0x77, 0xb7, 0x05,
-	0x1c, 0x47, 0x14, 0x9c, 0x3a, 0x34, 0x48, 0x66, 0x55, 0xe2, 0x4e, 0x14, 0xc0, 0x71, 0x44, 0x11,
-	0x35, 0x8e, 0x72, 0x6e, 0xe3, 0xd0, 0x41, 0xf5, 0xcd, 0xae, 0xbc, 0x2e, 0xbe, 0x2e, 0x09, 0xd4,
-	0xb7, 0xb7, 0x37, 0x5f, 0x0c, 0xea, 0x57, 0xf2, 0x9e, 0x81, 0xd9, 0x49, 0x9f, 0x7a, 0x8d, 0xb7,
-	0xb7, 0x37, 0x31, 0x67, 0xd6, 0x7e, 0xab, 0xc0, 0xb9, 0xd4, 0x21, 0xcf, 0x60, 0x1d, 0x7d, 0x90,
-	0x5e, 0x47, 0xaf, 0x15, 0x8f, 0x58, 0xce, 0x42, 0x7a, 0x98, 0x39, 0x83, 0xd8, 0x48, 0xf7, 0xb2,
-	0x4f, 0xa3, 0xeb, 0x45, 0xaf, 0x7b, 0xf9, 0xef, 0xa1, 0xda, 0x1f, 0x4a, 0x70, 0x7e, 0x4c, 0x0e,
-	0xa1, 0xc7, 0x00, 0x71, 0x73, 0x93, 0xfa, 0x26, 0x0f, 0xed, 0x91, 0xe7, 0x8f, 0x25, 0xf1, 0x60,
-	0x19, 0x43, 0x13, 0x02, 0x91, 0x0b, 0x15, 0x97, 0x7a, 0xd4, 0x3d, 0xa6, 0xdd, 0x3b, 0x8e, 0x2b,
-	0xfd, 0xf6, 0x46, 0x71, 0xbf, 0x8d, 0x64, 0x6e, 0x7c, 0x5b, 0xc6, 0xb1, 0x5c, 0x9c, 0x54, 0x82,
-	0x1e, 0xc7, 0xfe, 0x0b, 0x5e, 0xe0, 0x5b, 0x45, 0xce, 0x93, 0xfe, 0xed, 0x60, 0x82, 0x27, 0xff,
-	0xa2, 0xc0, 0x85, 0x94, 0x8d, 0x5f, 0xa7, 0xbd, 0xbe, 0x45, 0x18, 0x3d, 0x83, 0x2e, 0xf4, 0x28,
-	0xd5, 0x85, 0x6e, 0x16, 0xf7, 0x63, 0x68, 0x63, 0xee, 0xcd, 0xf3, 0x43, 0x05, 0x2e, 0x8d, 0xe5,
-	0x38, 0x83, 0xb2, 0xfa, 0x46, 0xba, 0xac, 0x5a, 0xa7, 0x3f, 0x56, 0x4e, 0x79, 0xfd, 0x39, 0xef,
-	0x50, 0xa2, 0xce, 0xfe, 0x07, 0x87, 0x86, 0xf6, 0x2b, 0x05, 0x16, 0x42, 0x4a, 0xbe, 0x78, 0x16,
-	0xd8, 0xd2, 0x5a, 0x00, 0xf2, 0x27, 0xb3, 0xf0, 0x35, 0x46, 0x8d, 0xcd, 0xbe, 0x1b, 0x61, 0x70,
-	0x82, 0x0a, 0x7d, 0x0d, 0x50, 0x68, 0xe0, 0x9e, 0x25, 0x56, 0x01, 0xbe, 0xed, 0xa8, 0x82, 0x77,
-	0x55, 0xf2, 0x22, 0x3c, 0x42, 0x81, 0xc7, 0x70, 0x69, 0xbf, 0x53, 0xe2, 0x69, 0x2d, 0xc0, 0x2f,
-	0xa9, 0xe3, 0x85, 0x6d, 0xb9, 0x8e, 0x4f, 0x8e, 0x1b, 0x41, 0xf9, 0xb2, 0x8e, 0x1b, 0x61, 0x5c,
-	0x4e, 0x3d, 0xbc, 0xaf, 0x66, 0x0e, 0x21, 0xea, 0xa0, 0xe8, 0x66, 0xf7, 0x66, 0xe2, 0x67, 0xd2,
-	0x4a, 0xeb, 0x95, 0x42, 0xd6, 0xf0, 0x1c, 0x1d, 0x7b, 0x55, 0xba, 0x0e, 0x73, 0xb6, 0xd3, 0x0d,
-	0x56, 0xe0, 0xcc, 0x4a, 0xb1, 0x23, 0xe1, 0x38, 0xa2, 0x18, 0xf9, 0x35, 0xaf, 0xfc, 0xe9, 0xfc,
-	0x9a, 0x27, 0xd6, 0x20, 0xcb, 0xe2, 0x04, 0xe1, 0x2d, 0x2c, 0x5e, 0x83, 0x24, 0x1c, 0x47, 0x14,
-	0x68, 0x27, 0x1e, 0x2c, 0x33, 0x22, 0x22, 0x57, 0x0b, 0x0c, 0xe6, 0xfc, 0x49, 0xa2, 0xb7, 0x9f,
-	0x3d, 0xaf, 0x4d, 0x7d, 0xf0, 0xbc, 0x36, 0xf5, 0xd1, 0xf3, 0xda, 0xd4, 0xf7, 0x87, 0x35, 0xe5,
-	0xd9, 0xb0, 0xa6, 0x7c, 0x30, 0xac, 0x29, 0x1f, 0x0d, 0x6b, 0xca, 0xdf, 0x87, 0x35, 0xe5, 0x47,
-	0x1f, 0xd7, 0xa6, 0xde, 0xb9, 0x3c, 0xe1, 0x3f, 0x0a, 0xfe, 0x15, 0x00, 0x00, 0xff, 0xff, 0xa6,
-	0xd4, 0xe9, 0x0d, 0x6f, 0x20, 0x00, 0x00,
+	// 2330 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x1a, 0xcd, 0x6f, 0x1c, 0x57,
+	0xdd, 0xb3, 0xb3, 0x5e, 0xaf, 0x7f, 0x1b, 0x3b, 0xf1, 0x0b, 0x09, 0x1b, 0x47, 0xdd, 0x75, 0x26,
+	0x12, 0xb8, 0x69, 0xb2, 0x6e, 0x0c, 0x44, 0x51, 0x72, 0x61, 0xd7, 0x71, 0x52, 0x93, 0xc4, 0x71,
+	0x9f, 0xdd, 0x34, 0x2a, 0x0d, 0x62, 0x76, 0xf6, 0xd9, 0x1e, 0xbc, 0x3b, 0xb3, 0x99, 0xf7, 0xc6,
+	0xa9, 0x0f, 0x88, 0x8a, 0x73, 0x85, 0x38, 0x22, 0x21, 0x10, 0xe2, 0x80, 0x84, 0x54, 0x21, 0x8e,
+	0x9c, 0x40, 0x02, 0x21, 0x22, 0x0e, 0x50, 0x81, 0x10, 0x3d, 0xa0, 0x85, 0x6c, 0xff, 0x02, 0xae,
+	0x3e, 0xa1, 0xf7, 0x31, 0x9f, 0xfb, 0xd1, 0x31, 0x34, 0x56, 0x91, 0x7a, 0xf3, 0xfe, 0x3e, 0xdf,
+	0xfb, 0x7d, 0xff, 0xde, 0x18, 0x5e, 0xd9, 0xbb, 0x4e, 0x6b, 0xb6, 0xbb, 0x64, 0x76, 0xed, 0x25,
+	0x8f, 0x50, 0xd7, 0xf7, 0x2c, 0xb2, 0xb4, 0x7f, 0xb5, 0x49, 0x98, 0x79, 0x75, 0x69, 0x87, 0x38,
+	0xc4, 0x33, 0x19, 0x69, 0xd5, 0xba, 0x9e, 0xcb, 0x5c, 0x74, 0x5e, 0x12, 0xd7, 0xcc, 0xae, 0x5d,
+	0x0b, 0x88, 0x6b, 0x8a, 0x78, 0xfe, 0xca, 0x8e, 0xcd, 0x76, 0xfd, 0x66, 0xcd, 0x72, 0x3b, 0x4b,
+	0x3b, 0xee, 0x8e, 0xbb, 0x24, 0x78, 0x9a, 0xfe, 0xb6, 0xf8, 0x25, 0x7e, 0x88, 0xbf, 0xa4, 0xac,
+	0x79, 0x23, 0xa6, 0xd8, 0x72, 0x3d, 0xae, 0x34, 0xad, 0x6f, 0xfe, 0xcb, 0x11, 0x4d, 0xc7, 0xb4,
+	0x76, 0x6d, 0x87, 0x78, 0x07, 0x4b, 0xdd, 0xbd, 0x9d, 0xe4, 0x69, 0x8f, 0xc2, 0x45, 0x97, 0x3a,
+	0x84, 0x99, 0xc3, 0x74, 0x2d, 0x8d, 0xe2, 0xf2, 0x7c, 0x87, 0xd9, 0x9d, 0x41, 0x35, 0xd7, 0x3e,
+	0x8e, 0x81, 0x5a, 0xbb, 0xa4, 0x63, 0xa6, 0xf9, 0x8c, 0x1f, 0xeb, 0x70, 0xa6, 0xde, 0x6e, 0xbb,
+	0x16, 0x87, 0xdd, 0x22, 0xfb, 0xb6, 0x45, 0x36, 0x99, 0xc9, 0x7c, 0x8a, 0xbe, 0x00, 0x85, 0x96,
+	0x67, 0xef, 0x13, 0xaf, 0xac, 0x2d, 0x68, 0x8b, 0xd3, 0x8d, 0xd9, 0x67, 0xbd, 0xea, 0x44, 0xbf,
+	0x57, 0x2d, 0xdc, 0x12, 0x50, 0xac, 0xb0, 0x68, 0x01, 0xf2, 0x5d, 0xd7, 0x6d, 0x97, 0x73, 0x82,
+	0xea, 0x84, 0xa2, 0xca, 0x6f, 0xb8, 0x6e, 0x1b, 0x0b, 0x8c, 0x90, 0x24, 0x24, 0x97, 0xf5, 0x94,
+	0x24, 0x01, 0xc5, 0x0a, 0x8b, 0x2c, 0x00, 0xcb, 0x75, 0x5a, 0x36, 0xb3, 0x5d, 0x87, 0x96, 0xf3,
+	0x0b, 0xfa, 0x62, 0x69, 0x79, 0xa9, 0x16, 0x79, 0x39, 0xbc, 0x58, 0xad, 0xbb, 0xb7, 0xc3, 0x01,
+	0xb4, 0xc6, 0xed, 0x57, 0xdb, 0xbf, 0x5a, 0x5b, 0x09, 0xf8, 0x1a, 0x48, 0x09, 0x87, 0x10, 0x44,
+	0x71, 0x4c, 0x2c, 0xba, 0x0b, 0xf9, 0x96, 0xc9, 0xcc, 0xf2, 0xe4, 0x82, 0xb6, 0x58, 0x5a, 0xbe,
+	0x32, 0x52, 0xbc, 0xb2, 0x5b, 0x0d, 0x9b, 0x4f, 0x57, 0xdf, 0x61, 0xc4, 0xa1, 0x5c, 0x78, 0x91,
+	0xdf, 0xec, 0x96, 0xc9, 0x4c, 0x2c, 0x84, 0x20, 0x13, 0x4a, 0x0e, 0x61, 0x4f, 0x5d, 0x6f, 0x8f,
+	0x03, 0xcb, 0x05, 0x21, 0xb3, 0x56, 0x1b, 0x13, 0x98, 0xb5, 0x75, 0x45, 0x2f, 0xae, 0xcc, 0xb9,
+	0x1a, 0x27, 0xfb, 0xbd, 0x6a, 0x69, 0x3d, 0x12, 0x83, 0xe3, 0x32, 0x8d, 0x3f, 0x6a, 0x70, 0x4a,
+	0x39, 0xc8, 0x76, 0x1d, 0x4c, 0xa8, 0xdf, 0x66, 0xe8, 0x1b, 0x30, 0x25, 0x6d, 0x46, 0x85, 0x73,
+	0x4a, 0xcb, 0x5f, 0x1a, 0xab, 0x53, 0x2a, 0x4b, 0x4b, 0x69, 0x9c, 0x54, 0xa6, 0x9a, 0x92, 0x78,
+	0x8a, 0x03, 0xa1, 0xe8, 0x21, 0x9c, 0x70, 0xdc, 0x16, 0xd9, 0x24, 0x6d, 0x62, 0x31, 0xd7, 0x13,
+	0x7e, 0x2b, 0x2d, 0x2f, 0xc4, 0x95, 0xf0, 0x2c, 0xe1, 0x96, 0x5f, 0x8f, 0xd1, 0x35, 0x4e, 0xf5,
+	0x7b, 0xd5, 0x13, 0x71, 0x08, 0x4e, 0xc8, 0x31, 0xde, 0xcf, 0x43, 0xa9, 0x61, 0x52, 0xdb, 0x92,
+	0x1a, 0xd1, 0xb7, 0x01, 0x4c, 0xc6, 0x3c, 0xbb, 0xe9, 0x33, 0x71, 0x15, 0xee, 0xf1, 0xeb, 0x63,
+	0xaf, 0x12, 0xe3, 0xae, 0xd5, 0x43, 0xd6, 0x55, 0x87, 0x79, 0x07, 0x8d, 0x8b, 0x81, 0xeb, 0x23,
+	0xc4, 0x77, 0xff, 0x59, 0x9d, 0x79, 0xdd, 0x37, 0xdb, 0xf6, 0xb6, 0x4d, 0x5a, 0xeb, 0x66, 0x87,
+	0xe0, 0x98, 0x42, 0xe4, 0x43, 0xd1, 0x32, 0xbb, 0xa6, 0x65, 0xb3, 0x83, 0x72, 0x4e, 0x28, 0xbf,
+	0x96, 0x59, 0xf9, 0x8a, 0x62, 0x94, 0xaa, 0x2f, 0x28, 0xd5, 0xc5, 0x00, 0x3c, 0xa8, 0x38, 0x54,
+	0x85, 0x36, 0xa0, 0xc0, 0x4c, 0xdb, 0x61, 0xb4, 0xac, 0x0b, 0xa5, 0x8b, 0x19, 0x9c, 0xb7, 0xc5,
+	0x19, 0xa2, 0xcc, 0x11, 0x3f, 0x29, 0x56, 0x72, 0xe6, 0xf7, 0xe0, 0x64, 0xca, 0x18, 0xe8, 0x14,
+	0xe8, 0x7b, 0xe4, 0x40, 0xe6, 0x2e, 0xe6, 0x7f, 0xa2, 0x06, 0x4c, 0xee, 0x9b, 0x6d, 0x9f, 0x88,
+	0x4c, 0x2d, 0x2d, 0x5f, 0xce, 0x12, 0x32, 0x81, 0x50, 0x2c, 0x59, 0x6f, 0xe4, 0xae, 0x6b, 0xf3,
+	0xbb, 0x30, 0x93, 0xb8, 0xfc, 0x10, 0x55, 0xf5, 0xa4, 0xaa, 0x57, 0x32, 0xa8, 0x0a, 0x44, 0xc6,
+	0x34, 0x19, 0x77, 0x60, 0x6e, 0x65, 0xf5, 0x9e, 0xaa, 0x4a, 0x2a, 0x86, 0xd0, 0x32, 0x00, 0x79,
+	0xa7, 0xeb, 0x11, 0xca, 0x33, 0x52, 0xd5, 0xa6, 0x30, 0xe9, 0x57, 0x43, 0x0c, 0x8e, 0x51, 0x19,
+	0x3e, 0xa8, 0x5a, 0xc3, 0xab, 0x95, 0x63, 0x76, 0x88, 0xe2, 0x0b, 0xab, 0x95, 0xf0, 0x90, 0xc0,
+	0xa0, 0x35, 0x98, 0x6c, 0x72, 0x3f, 0xab, 0xb3, 0x2f, 0x66, 0x8d, 0x88, 0xc6, 0x74, 0xbf, 0x57,
+	0x9d, 0x14, 0x00, 0x2c, 0x25, 0x18, 0xef, 0xe5, 0xe0, 0xa5, 0x74, 0xee, 0xad, 0xb8, 0xce, 0xb6,
+	0xbd, 0xe3, 0x7b, 0xe2, 0x07, 0xfa, 0x2a, 0x14, 0xa4, 0x44, 0x75, 0xa0, 0xc5, 0xc0, 0xc1, 0x9b,
+	0x02, 0x7a, 0xd8, 0xab, 0x9e, 0x4d, 0xb3, 0x4a, 0x0c, 0x56, 0x7c, 0x68, 0x11, 0x8a, 0x1e, 0x79,
+	0xe2, 0x13, 0xca, 0xa8, 0x88, 0xe1, 0xe9, 0xc6, 0x09, 0x1e, 0x87, 0x58, 0xc1, 0x70, 0x88, 0x45,
+	0xdf, 0x81, 0xd3, 0x32, 0xbf, 0x13, 0x47, 0x50, 0xb9, 0xfd, 0x6a, 0x16, 0x17, 0xc5, 0xf9, 0x1a,
+	0xe7, 0xd5, 0x51, 0x4f, 0x0f, 0x41, 0xe2, 0x61, 0x9a, 0x8c, 0x8f, 0x34, 0x38, 0x3b, 0xbc, 0x14,
+	0x21, 0x02, 0x53, 0x9e, 0xf8, 0x2b, 0xa8, 0x02, 0x37, 0x32, 0x9c, 0x47, 0xdd, 0x71, 0x74, 0x5d,
+	0x93, 0xbf, 0x29, 0x0e, 0x64, 0xa3, 0x26, 0x14, 0x2c, 0x71, 0x24, 0x95, 0xee, 0x37, 0x8e, 0x54,
+	0x36, 0x93, 0xf7, 0x0f, 0x73, 0x51, 0x82, 0xb1, 0x92, 0x6c, 0xfc, 0x5c, 0x83, 0x93, 0xa9, 0xec,
+	0x41, 0x15, 0xd0, 0x6d, 0x87, 0x89, 0x88, 0xd2, 0xa5, 0x7f, 0xd6, 0x1c, 0xf6, 0x90, 0xc7, 0x39,
+	0xe6, 0x08, 0x74, 0x01, 0xf2, 0x4d, 0xde, 0x43, 0xb9, 0x2f, 0x8a, 0x8d, 0x99, 0x7e, 0xaf, 0x3a,
+	0xdd, 0x70, 0xdd, 0xb6, 0xa4, 0x10, 0x28, 0xf4, 0x45, 0x28, 0x50, 0xe6, 0xd9, 0xce, 0x4e, 0x39,
+	0x2f, 0x22, 0x45, 0x74, 0x8d, 0x4d, 0x01, 0x91, 0x64, 0x0a, 0x8d, 0x2e, 0xc1, 0xd4, 0x3e, 0xf1,
+	0x44, 0x72, 0x4c, 0x0a, 0x4a, 0x51, 0x94, 0x1f, 0x4a, 0x90, 0x24, 0x0d, 0x08, 0x0c, 0x02, 0xb3,
+	0xc9, 0xec, 0x43, 0x9b, 0x41, 0xe6, 0x6a, 0x03, 0xbd, 0x6c, 0xa0, 0xfd, 0x46, 0x16, 0x7b, 0xdd,
+	0x37, 0x1d, 0x66, 0xb3, 0x83, 0xc6, 0x8c, 0x32, 0xca, 0xa4, 0x54, 0x24, 0x65, 0x19, 0xef, 0xe7,
+	0xa0, 0xa4, 0xf4, 0xb4, 0x4d, 0xbb, 0x83, 0x1e, 0xc5, 0x62, 0x56, 0xba, 0xfb, 0x52, 0x76, 0x77,
+	0x37, 0x4e, 0x05, 0xb5, 0x76, 0x48, 0x8c, 0xb7, 0xa0, 0x64, 0xb9, 0x0e, 0x65, 0x9e, 0xac, 0xaf,
+	0xd2, 0xcb, 0x57, 0xb2, 0xc5, 0xb6, 0xe2, 0x6a, 0x9c, 0x56, 0xf2, 0x4b, 0x11, 0x8c, 0xe2, 0xb8,
+	0x58, 0xf4, 0x38, 0x0c, 0x23, 0x59, 0xc0, 0xbf, 0x92, 0x45, 0x01, 0xbf, 0x79, 0xb6, 0x08, 0xfa,
+	0xbd, 0x06, 0xe5, 0x51, 0x4c, 0x89, 0x7c, 0xd7, 0xfe, 0x9b, 0x7c, 0xcf, 0x1d, 0x5b, 0xbe, 0xff,
+	0x46, 0x8b, 0xb9, 0x9d, 0x52, 0xf4, 0x4d, 0x28, 0xf2, 0x79, 0x4d, 0x8c, 0x5f, 0xda, 0xc0, 0x29,
+	0xc6, 0x4c, 0x77, 0x0f, 0x9a, 0xdf, 0x22, 0x16, 0xbb, 0x4f, 0x98, 0x19, 0x55, 0xfa, 0x08, 0x86,
+	0x43, 0xa9, 0x68, 0x1d, 0xf2, 0xb4, 0x4b, 0xac, 0x23, 0x74, 0x38, 0x71, 0xb2, 0xcd, 0x2e, 0xb1,
+	0xa2, 0x5e, 0xc0, 0x7f, 0x61, 0x21, 0xc7, 0xf8, 0x61, 0xdc, 0x13, 0x94, 0x26, 0x3d, 0x31, 0xc2,
+	0xbe, 0xda, 0xb1, 0xd9, 0xf7, 0xd7, 0x61, 0xa5, 0x11, 0xa7, 0xbb, 0x67, 0x53, 0x86, 0xde, 0x1e,
+	0xb0, 0x71, 0x2d, 0x9b, 0x8d, 0x39, 0xb7, 0xb0, 0x70, 0x98, 0x5e, 0x01, 0x24, 0x66, 0xdf, 0xfb,
+	0x30, 0x69, 0x33, 0xd2, 0x09, 0x12, 0x6b, 0x31, 0xab, 0x81, 0xa3, 0xba, 0xb0, 0xc6, 0xd9, 0xb1,
+	0x94, 0x62, 0xfc, 0x29, 0x79, 0x01, 0x6e, 0x78, 0xf4, 0x36, 0x4c, 0x53, 0xd5, 0xea, 0x83, 0xe2,
+	0x90, 0x65, 0x7c, 0x08, 0x47, 0xd0, 0x39, 0xa5, 0x69, 0x3a, 0x80, 0x50, 0x1c, 0x09, 0x8c, 0x65,
+	0x6e, 0xee, 0x28, 0x99, 0x9b, 0x72, 0xfd, 0xc8, 0xcc, 0x7d, 0x02, 0xc3, 0xbc, 0x87, 0xde, 0x82,
+	0x82, 0xdb, 0x35, 0x9f, 0x84, 0x55, 0x75, 0xfc, 0x94, 0xf9, 0x40, 0x90, 0x0e, 0x0b, 0x11, 0xe0,
+	0x2a, 0x25, 0x1a, 0x2b, 0x89, 0xc6, 0xf7, 0x34, 0x38, 0x95, 0x2e, 0x61, 0x47, 0x28, 0x12, 0x1b,
+	0x30, 0xdb, 0x31, 0x99, 0xb5, 0x1b, 0xf6, 0x2a, 0xb5, 0xc7, 0x2d, 0xf6, 0x7b, 0xd5, 0xd9, 0xfb,
+	0x09, 0xcc, 0x61, 0xaf, 0x8a, 0x6e, 0xfb, 0xed, 0xf6, 0x41, 0x72, 0xae, 0x4d, 0xf1, 0x1b, 0x7f,
+	0xcf, 0xc3, 0x4c, 0xa2, 0x60, 0x67, 0x98, 0xb9, 0xea, 0x70, 0xb2, 0x15, 0xd9, 0x9a, 0x23, 0xd4,
+	0x31, 0x3e, 0xaf, 0x88, 0xe3, 0x61, 0x22, 0xf8, 0xd2, 0xf4, 0xc9, 0xb8, 0xd1, 0x3f, 0xe9, 0xb8,
+	0x79, 0x08, 0xb3, 0x66, 0x38, 0x07, 0xdc, 0x77, 0x5b, 0x44, 0x75, 0xe1, 0x9a, 0xe2, 0x9a, 0xad,
+	0x27, 0xb0, 0x87, 0xbd, 0xea, 0xe7, 0xd2, 0xd3, 0x03, 0x87, 0xe3, 0x94, 0x14, 0x74, 0x11, 0x26,
+	0x2d, 0xd7, 0x77, 0x98, 0x68, 0xd5, 0x7a, 0x94, 0x26, 0x2b, 0x1c, 0x88, 0x25, 0x0e, 0x5d, 0x85,
+	0x92, 0xd9, 0xea, 0xd8, 0x4e, 0xdd, 0xb2, 0x08, 0xa5, 0x62, 0xcb, 0x2c, 0xca, 0xfe, 0x5f, 0x8f,
+	0xc0, 0x38, 0x4e, 0x83, 0x3a, 0x30, 0xbb, 0x6d, 0x7b, 0x94, 0xd5, 0xf7, 0x4d, 0xbb, 0x6d, 0x36,
+	0xdb, 0xa4, 0x3c, 0x95, 0xb9, 0x15, 0x6e, 0xfa, 0xcd, 0xa0, 0xd5, 0x9e, 0x0d, 0xae, 0x77, 0x3b,
+	0x21, 0x0c, 0xa7, 0x84, 0xf3, 0xb6, 0xcb, 0xdc, 0x36, 0x91, 0x61, 0x4a, 0xcb, 0xc5, 0xcc, 0xba,
+	0xb6, 0x42, 0xae, 0xa8, 0xed, 0x46, 0x30, 0x8a, 0xe3, 0x62, 0x8d, 0xbf, 0x85, 0xe3, 0xf4, 0x88,
+	0xc9, 0x0f, 0xbd, 0xcc, 0xc7, 0x48, 0x81, 0x52, 0xc1, 0x16, 0x1b, 0x05, 0x05, 0x18, 0x07, 0xf8,
+	0xd8, 0xf3, 0x46, 0x2e, 0xd3, 0xf3, 0x86, 0x9e, 0xe1, 0x79, 0x23, 0x3f, 0xf6, 0x79, 0x23, 0xe5,
+	0xc6, 0xc9, 0x0c, 0x6e, 0x4c, 0xd9, 0xb5, 0xf0, 0x62, 0xec, 0xfa, 0xf5, 0x60, 0x0a, 0x0c, 0x77,
+	0xac, 0x35, 0xd0, 0x2d, 0xd2, 0x1e, 0xd2, 0x40, 0x06, 0xf5, 0x0d, 0x2c, 0x68, 0x8d, 0xa9, 0x7e,
+	0xaf, 0xaa, 0xaf, 0xac, 0xde, 0xc3, 0x5c, 0x86, 0xf1, 0x2b, 0x3d, 0xa8, 0x4f, 0x51, 0x5c, 0x7d,
+	0x56, 0x11, 0xfe, 0xc7, 0x8a, 0x90, 0x8a, 0x8b, 0xa9, 0x17, 0x13, 0x17, 0xff, 0x0e, 0xe7, 0x37,
+	0xf1, 0xdc, 0x80, 0x5e, 0x8a, 0xed, 0xf9, 0x8d, 0x92, 0x62, 0xd7, 0xef, 0x92, 0x03, 0xb9, 0xf4,
+	0x5f, 0x8c, 0x2f, 0xfd, 0xd3, 0xc3, 0x57, 0x01, 0x74, 0x13, 0x0a, 0x64, 0x7b, 0x9b, 0x58, 0x4c,
+	0x25, 0x54, 0xf0, 0x66, 0x53, 0x58, 0x15, 0xd0, 0xc3, 0x5e, 0x75, 0x2e, 0xa6, 0x52, 0x02, 0xb1,
+	0x62, 0x41, 0x6f, 0xc2, 0x34, 0xb3, 0x3b, 0xa4, 0xde, 0x6a, 0x91, 0x96, 0x30, 0x77, 0x72, 0x71,
+	0x18, 0x33, 0xdd, 0x6c, 0xd9, 0x1d, 0x22, 0xf7, 0xaa, 0xad, 0x40, 0x00, 0x8e, 0x64, 0xdd, 0x28,
+	0xfe, 0xe0, 0x27, 0xd5, 0x89, 0x77, 0xff, 0xb1, 0x30, 0x61, 0xfc, 0x34, 0x17, 0x84, 0x6b, 0x64,
+	0x96, 0x8f, 0xbb, 0xf8, 0x6b, 0x50, 0x74, 0xbb, 0x9c, 0xd6, 0x0d, 0x8a, 0xc9, 0xe5, 0x60, 0x86,
+	0x7a, 0xa0, 0xe0, 0x87, 0xbd, 0x6a, 0x39, 0x2d, 0x36, 0xc0, 0xe1, 0x90, 0x3b, 0x32, 0xa1, 0x9e,
+	0xc9, 0x84, 0xf9, 0xa3, 0x9b, 0x70, 0x05, 0xe6, 0x22, 0x17, 0x6f, 0x12, 0xcb, 0x75, 0x5a, 0x54,
+	0x85, 0xda, 0x99, 0x7e, 0xaf, 0x3a, 0xb7, 0x95, 0x46, 0xe2, 0x41, 0x7a, 0xe3, 0x17, 0x1a, 0xcc,
+	0x0d, 0xbc, 0x63, 0xa2, 0x9b, 0x30, 0x63, 0x3b, 0x8c, 0x78, 0xdb, 0xa6, 0x45, 0xd6, 0xa3, 0xec,
+	0x3e, 0xa3, 0x8e, 0x37, 0xb3, 0x16, 0x47, 0xe2, 0x24, 0x2d, 0x3a, 0x07, 0xba, 0xdd, 0x0d, 0x5e,
+	0x30, 0x44, 0x05, 0x59, 0xdb, 0xa0, 0x98, 0xc3, 0x78, 0x29, 0xd8, 0x35, 0xbd, 0xd6, 0x53, 0xd3,
+	0xe3, 0xde, 0xf2, 0x78, 0xed, 0xd4, 0x93, 0xa5, 0xe0, 0xb5, 0x24, 0x1a, 0xa7, 0xe9, 0x8d, 0x9f,
+	0x69, 0x70, 0x6e, 0xe4, 0x58, 0x95, 0xf9, 0xa5, 0xdb, 0x04, 0xe8, 0x9a, 0x9e, 0xd9, 0x21, 0x8c,
+	0x78, 0x54, 0xed, 0x18, 0x47, 0x7c, 0x40, 0x0e, 0xd7, 0x97, 0x8d, 0x50, 0x10, 0x8e, 0x09, 0x35,
+	0x7e, 0x94, 0x83, 0x19, 0xac, 0x52, 0x57, 0xee, 0xca, 0x2f, 0x7e, 0x69, 0xda, 0x48, 0x2c, 0x4d,
+	0xe3, 0xab, 0x7d, 0xe2, 0x6c, 0xa3, 0xd6, 0x26, 0xf4, 0x08, 0x0a, 0x54, 0x7c, 0x44, 0xc8, 0xf4,
+	0xb8, 0x94, 0x94, 0x29, 0xf8, 0x22, 0x17, 0xc8, 0xdf, 0x58, 0xc9, 0x33, 0xfa, 0x1a, 0x54, 0x12,
+	0xf4, 0x7c, 0xe8, 0xf5, 0x3b, 0xc4, 0xc3, 0x64, 0x9b, 0x78, 0xc4, 0xb1, 0x08, 0xba, 0x0c, 0x45,
+	0xb3, 0x6b, 0xdf, 0xf1, 0x5c, 0xbf, 0xab, 0xfc, 0x19, 0x6e, 0x34, 0xf5, 0x8d, 0x35, 0x01, 0xc7,
+	0x21, 0x05, 0xa7, 0x0e, 0x0e, 0xa4, 0xa2, 0x2a, 0xf6, 0xbc, 0x20, 0xe1, 0x38, 0xa4, 0x08, 0xfb,
+	0x56, 0x7e, 0x64, 0xdf, 0x6a, 0x80, 0xee, 0xdb, 0x2d, 0xf5, 0xf2, 0xf2, 0x6a, 0x50, 0x2a, 0xde,
+	0x58, 0xbb, 0x75, 0xd8, 0xab, 0x5e, 0x18, 0xf5, 0x8d, 0x86, 0x1d, 0x74, 0x09, 0xad, 0xbd, 0xb1,
+	0x76, 0x0b, 0x73, 0x66, 0xe3, 0xb7, 0x1a, 0xcc, 0x25, 0x2e, 0x79, 0x0c, 0x9b, 0xdd, 0x83, 0xe4,
+	0x66, 0x77, 0x29, 0xbb, 0xc7, 0x46, 0xec, 0x76, 0xbb, 0xa9, 0x3b, 0x88, 0xe5, 0x6e, 0x33, 0xfd,
+	0xdd, 0x62, 0x31, 0xeb, 0xcb, 0xc9, 0xe8, 0x8f, 0x15, 0xc6, 0x1f, 0x72, 0x70, 0x7a, 0x48, 0x0c,
+	0xa1, 0xc7, 0x00, 0x51, 0x6f, 0x55, 0xfa, 0xc6, 0xf7, 0xc8, 0x81, 0x97, 0xc4, 0x59, 0xf1, 0x35,
+	0x21, 0x82, 0xc6, 0x04, 0x22, 0x0f, 0x4a, 0x1e, 0xa1, 0xc4, 0xdb, 0x27, 0xad, 0xdb, 0xa2, 0xf0,
+	0x73, 0xbb, 0xdd, 0xcc, 0x6e, 0xb7, 0x81, 0xc8, 0x8d, 0x3a, 0x32, 0x8e, 0xe4, 0xe2, 0xb8, 0x12,
+	0xf4, 0x38, 0xb2, 0x9f, 0xfc, 0x3c, 0xb6, 0x9c, 0xe5, 0x3e, 0xc9, 0x0f, 0x7b, 0x63, 0x2c, 0xf9,
+	0x57, 0x0d, 0xce, 0x24, 0xce, 0xb8, 0x45, 0x3a, 0xdd, 0xb6, 0xc9, 0xc8, 0x31, 0x54, 0xa1, 0x47,
+	0x89, 0x2a, 0x74, 0x2d, 0xbb, 0x1d, 0x83, 0x33, 0x8e, 0x7c, 0xc4, 0xf9, 0x8b, 0x06, 0xe7, 0x86,
+	0x72, 0x1c, 0x43, 0x5a, 0xbd, 0x99, 0x4c, 0xab, 0xe5, 0xa3, 0x5f, 0x6b, 0x44, 0x7a, 0xfd, 0x79,
+	0xd4, 0xa5, 0x44, 0x9e, 0xfd, 0x1f, 0x36, 0x0d, 0xe3, 0x97, 0x1a, 0x9c, 0x08, 0x28, 0xf9, 0x76,
+	0x95, 0x61, 0x49, 0x58, 0x06, 0x50, 0xdf, 0xb3, 0x83, 0x87, 0x4d, 0x3d, 0x3a, 0xf6, 0x9d, 0x10,
+	0x83, 0x63, 0x54, 0xe8, 0x6b, 0x80, 0x82, 0x03, 0x6e, 0xb6, 0xc5, 0x28, 0xc0, 0x87, 0x6d, 0x5d,
+	0xf0, 0xce, 0x2b, 0x5e, 0x84, 0x07, 0x28, 0xf0, 0x10, 0x2e, 0xe3, 0x77, 0x5a, 0xd4, 0xad, 0x05,
+	0xf8, 0x53, 0x6a, 0x78, 0x71, 0xb6, 0x91, 0x86, 0x8f, 0xb7, 0x1b, 0x41, 0xf9, 0x69, 0x6d, 0x37,
+	0xe2, 0x70, 0x23, 0xf2, 0xe1, 0x3d, 0x3d, 0x75, 0x09, 0x91, 0x07, 0x59, 0x27, 0xbb, 0xbb, 0xb1,
+	0xff, 0x61, 0x28, 0x2d, 0xbf, 0x9c, 0xe9, 0x34, 0x3c, 0x46, 0x87, 0xbe, 0x07, 0x5c, 0x86, 0xa2,
+	0xe3, 0xb6, 0xe4, 0x08, 0x9c, 0x1a, 0x29, 0xd6, 0x15, 0x1c, 0x87, 0x14, 0x03, 0x9f, 0xda, 0xf3,
+	0x9f, 0xcc, 0xa7, 0x76, 0x31, 0x06, 0xb5, 0xdb, 0x9c, 0x20, 0x78, 0x6a, 0x88, 0xc6, 0x20, 0x05,
+	0xc7, 0x21, 0x05, 0x5a, 0x8f, 0x1a, 0x8b, 0x7c, 0x64, 0xb8, 0x98, 0xa1, 0x31, 0x8f, 0xee, 0x24,
+	0x8d, 0xfa, 0xb3, 0xe7, 0x95, 0x89, 0x0f, 0x9e, 0x57, 0x26, 0x3e, 0x7c, 0x5e, 0x99, 0x78, 0xb7,
+	0x5f, 0xd1, 0x9e, 0xf5, 0x2b, 0xda, 0x07, 0xfd, 0x8a, 0xf6, 0x61, 0xbf, 0xa2, 0xfd, 0xab, 0x5f,
+	0xd1, 0xbe, 0xff, 0x51, 0x65, 0xe2, 0xad, 0xf3, 0x63, 0xfe, 0xdd, 0xe7, 0x3f, 0x01, 0x00, 0x00,
+	0xff, 0xff, 0x6b, 0x79, 0xbf, 0xbf, 0x0c, 0x24, 0x00, 0x00,
 }
 
 func (m *AllocatedDeviceStatus) Marshal() (dAtA []byte, err error) {
@@ -1350,6 +1422,20 @@ func (m *BasicDevice) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 	_ = i
 	var l int
 	_ = l
+	if len(m.Taints) > 0 {
+		for iNdEx := len(m.Taints) - 1; iNdEx >= 0; iNdEx-- {
+			{
+				size, err := m.Taints[iNdEx].MarshalToSizedBuffer(dAtA[:i])
+				if err != nil {
+					return 0, err
+				}
+				i -= size
+				i = encodeVarintGenerated(dAtA, i, uint64(size))
+			}
+			i--
+			dAtA[i] = 0x1a
+		}
+	}
 	if len(m.Capacity) > 0 {
 		keysForCapacity := make([]string, 0, len(m.Capacity))
 		for k := range m.Capacity {
@@ -2037,6 +2123,20 @@ func (m *DeviceRequest) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 	_ = i
 	var l int
 	_ = l
+	if len(m.Tolerations) > 0 {
+		for iNdEx := len(m.Tolerations) - 1; iNdEx >= 0; iNdEx-- {
+			{
+				size, err := m.Tolerations[iNdEx].MarshalToSizedBuffer(dAtA[:i])
+				if err != nil {
+					return 0, err
+				}
+				i -= size
+				i = encodeVarintGenerated(dAtA, i, uint64(size))
+			}
+			i--
+			dAtA[i] = 0x42
+		}
+	}
 	if len(m.FirstAvailable) > 0 {
 		for iNdEx := len(m.FirstAvailable) - 1; iNdEx >= 0; iNdEx-- {
 			{
@@ -2116,6 +2216,20 @@ func (m *DeviceRequestAllocationResult) MarshalToSizedBuffer(dAtA []byte) (int,
 	_ = i
 	var l int
 	_ = l
+	if len(m.Tolerations) > 0 {
+		for iNdEx := len(m.Tolerations) - 1; iNdEx >= 0; iNdEx-- {
+			{
+				size, err := m.Tolerations[iNdEx].MarshalToSizedBuffer(dAtA[:i])
+				if err != nil {
+					return 0, err
+				}
+				i -= size
+				i = encodeVarintGenerated(dAtA, i, uint64(size))
+			}
+			i--
+			dAtA[i] = 0x32
+		}
+	}
 	if m.AdminAccess != nil {
 		i--
 		if *m.AdminAccess {
@@ -2204,6 +2318,20 @@ func (m *DeviceSubRequest) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 	_ = i
 	var l int
 	_ = l
+	if len(m.Tolerations) > 0 {
+		for iNdEx := len(m.Tolerations) - 1; iNdEx >= 0; iNdEx-- {
+			{
+				size, err := m.Tolerations[iNdEx].MarshalToSizedBuffer(dAtA[:i])
+				if err != nil {
+					return 0, err
+				}
+				i -= size
+				i = encodeVarintGenerated(dAtA, i, uint64(size))
+			}
+			i--
+			dAtA[i] = 0x3a
+		}
+	}
 	i = encodeVarintGenerated(dAtA, i, uint64(m.Count))
 	i--
 	dAtA[i] = 0x28
@@ -2239,6 +2367,104 @@ func (m *DeviceSubRequest) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 	return len(dAtA) - i, nil
 }
 
+func (m *DeviceTaint) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DeviceTaint) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *DeviceTaint) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	if m.TimeAdded != nil {
+		{
+			size, err := m.TimeAdded.MarshalToSizedBuffer(dAtA[:i])
+			if err != nil {
+				return 0, err
+			}
+			i -= size
+			i = encodeVarintGenerated(dAtA, i, uint64(size))
+		}
+		i--
+		dAtA[i] = 0x22
+	}
+	i -= len(m.Effect)
+	copy(dAtA[i:], m.Effect)
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Effect)))
+	i--
+	dAtA[i] = 0x1a
+	i -= len(m.Value)
+	copy(dAtA[i:], m.Value)
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Value)))
+	i--
+	dAtA[i] = 0x12
+	i -= len(m.Key)
+	copy(dAtA[i:], m.Key)
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Key)))
+	i--
+	dAtA[i] = 0xa
+	return len(dAtA) - i, nil
+}
+
+func (m *DeviceToleration) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *DeviceToleration) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *DeviceToleration) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	if m.TolerationSeconds != nil {
+		i = encodeVarintGenerated(dAtA, i, uint64(*m.TolerationSeconds))
+		i--
+		dAtA[i] = 0x28
+	}
+	i -= len(m.Effect)
+	copy(dAtA[i:], m.Effect)
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Effect)))
+	i--
+	dAtA[i] = 0x22
+	i -= len(m.Value)
+	copy(dAtA[i:], m.Value)
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Value)))
+	i--
+	dAtA[i] = 0x1a
+	i -= len(m.Operator)
+	copy(dAtA[i:], m.Operator)
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Operator)))
+	i--
+	dAtA[i] = 0x12
+	i -= len(m.Key)
+	copy(dAtA[i:], m.Key)
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.Key)))
+	i--
+	dAtA[i] = 0xa
+	return len(dAtA) - i, nil
+}
+
 func (m *NetworkDeviceData) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
 	dAtA = make([]byte, size)
@@ -2971,6 +3197,12 @@ func (m *BasicDevice) Size() (n int) {
 			n += mapEntrySize + 1 + sovGenerated(uint64(mapEntrySize))
 		}
 	}
+	if len(m.Taints) > 0 {
+		for _, e := range m.Taints {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
 	return n
 }
 
@@ -3240,6 +3472,12 @@ func (m *DeviceRequest) Size() (n int) {
 			n += 1 + l + sovGenerated(uint64(l))
 		}
 	}
+	if len(m.Tolerations) > 0 {
+		for _, e := range m.Tolerations {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
 	return n
 }
 
@@ -3260,6 +3498,12 @@ func (m *DeviceRequestAllocationResult) Size() (n int) {
 	if m.AdminAccess != nil {
 		n += 2
 	}
+	if len(m.Tolerations) > 0 {
+		for _, e := range m.Tolerations {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
 	return n
 }
 
@@ -3295,6 +3539,51 @@ func (m *DeviceSubRequest) Size() (n int) {
 	l = len(m.AllocationMode)
 	n += 1 + l + sovGenerated(uint64(l))
 	n += 1 + sovGenerated(uint64(m.Count))
+	if len(m.Tolerations) > 0 {
+		for _, e := range m.Tolerations {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
+func (m *DeviceTaint) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = len(m.Key)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Value)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Effect)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.TimeAdded != nil {
+		l = m.TimeAdded.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
+	return n
+}
+
+func (m *DeviceToleration) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = len(m.Key)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Operator)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Value)
+	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Effect)
+	n += 1 + l + sovGenerated(uint64(l))
+	if m.TolerationSeconds != nil {
+		n += 1 + sovGenerated(uint64(*m.TolerationSeconds))
+	}
 	return n
 }
 
@@ -3568,6 +3857,11 @@ func (this *BasicDevice) String() string {
 	if this == nil {
 		return "nil"
 	}
+	repeatedStringForTaints := "[]DeviceTaint{"
+	for _, f := range this.Taints {
+		repeatedStringForTaints += fmt.Sprintf("%v", f) + ","
+	}
+	repeatedStringForTaints += "}"
 	keysForAttributes := make([]string, 0, len(this.Attributes))
 	for k := range this.Attributes {
 		keysForAttributes = append(keysForAttributes, string(k))
@@ -3591,6 +3885,7 @@ func (this *BasicDevice) String() string {
 	s := strings.Join([]string{`&BasicDevice{`,
 		`Attributes:` + mapStringForAttributes + `,`,
 		`Capacity:` + mapStringForCapacity + `,`,
+		`Taints:` + repeatedStringForTaints + `,`,
 		`}`,
 	}, "")
 	return s
@@ -3803,6 +4098,11 @@ func (this *DeviceRequest) String() string {
 		repeatedStringForFirstAvailable += strings.Replace(strings.Replace(f.String(), "DeviceSubRequest", "DeviceSubRequest", 1), `&`, ``, 1) + ","
 	}
 	repeatedStringForFirstAvailable += "}"
+	repeatedStringForTolerations := "[]DeviceToleration{"
+	for _, f := range this.Tolerations {
+		repeatedStringForTolerations += strings.Replace(strings.Replace(f.String(), "DeviceToleration", "DeviceToleration", 1), `&`, ``, 1) + ","
+	}
+	repeatedStringForTolerations += "}"
 	s := strings.Join([]string{`&DeviceRequest{`,
 		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
 		`DeviceClassName:` + fmt.Sprintf("%v", this.DeviceClassName) + `,`,
@@ -3811,6 +4111,7 @@ func (this *DeviceRequest) String() string {
 		`Count:` + fmt.Sprintf("%v", this.Count) + `,`,
 		`AdminAccess:` + valueToStringGenerated(this.AdminAccess) + `,`,
 		`FirstAvailable:` + repeatedStringForFirstAvailable + `,`,
+		`Tolerations:` + repeatedStringForTolerations + `,`,
 		`}`,
 	}, "")
 	return s
@@ -3819,12 +4120,18 @@ func (this *DeviceRequestAllocationResult) String() string {
 	if this == nil {
 		return "nil"
 	}
+	repeatedStringForTolerations := "[]DeviceToleration{"
+	for _, f := range this.Tolerations {
+		repeatedStringForTolerations += strings.Replace(strings.Replace(f.String(), "DeviceToleration", "DeviceToleration", 1), `&`, ``, 1) + ","
+	}
+	repeatedStringForTolerations += "}"
 	s := strings.Join([]string{`&DeviceRequestAllocationResult{`,
 		`Request:` + fmt.Sprintf("%v", this.Request) + `,`,
 		`Driver:` + fmt.Sprintf("%v", this.Driver) + `,`,
 		`Pool:` + fmt.Sprintf("%v", this.Pool) + `,`,
 		`Device:` + fmt.Sprintf("%v", this.Device) + `,`,
 		`AdminAccess:` + valueToStringGenerated(this.AdminAccess) + `,`,
+		`Tolerations:` + repeatedStringForTolerations + `,`,
 		`}`,
 	}, "")
 	return s
@@ -3848,12 +4155,32 @@ func (this *DeviceSubRequest) String() string {
 		repeatedStringForSelectors += strings.Replace(strings.Replace(f.String(), "DeviceSelector", "DeviceSelector", 1), `&`, ``, 1) + ","
 	}
 	repeatedStringForSelectors += "}"
+	repeatedStringForTolerations := "[]DeviceToleration{"
+	for _, f := range this.Tolerations {
+		repeatedStringForTolerations += strings.Replace(strings.Replace(f.String(), "DeviceToleration", "DeviceToleration", 1), `&`, ``, 1) + ","
+	}
+	repeatedStringForTolerations += "}"
 	s := strings.Join([]string{`&DeviceSubRequest{`,
 		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
 		`DeviceClassName:` + fmt.Sprintf("%v", this.DeviceClassName) + `,`,
 		`Selectors:` + repeatedStringForSelectors + `,`,
 		`AllocationMode:` + fmt.Sprintf("%v", this.AllocationMode) + `,`,
 		`Count:` + fmt.Sprintf("%v", this.Count) + `,`,
+		`Tolerations:` + repeatedStringForTolerations + `,`,
+		`}`,
+	}, "")
+	return s
+}
+func (this *DeviceToleration) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&DeviceToleration{`,
+		`Key:` + fmt.Sprintf("%v", this.Key) + `,`,
+		`Operator:` + fmt.Sprintf("%v", this.Operator) + `,`,
+		`Value:` + fmt.Sprintf("%v", this.Value) + `,`,
+		`Effect:` + fmt.Sprintf("%v", this.Effect) + `,`,
+		`TolerationSeconds:` + valueToStringGenerated(this.TolerationSeconds) + `,`,
 		`}`,
 	}, "")
 	return s
@@ -4717,6 +5044,40 @@ func (m *BasicDevice) Unmarshal(dAtA []byte) error {
 			}
 			m.Capacity[QualifiedName(mapkey)] = *mapvalue
 			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Taints", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Taints = append(m.Taints, DeviceTaint{})
+			if err := m.Taints[len(m.Taints)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipGenerated(dAtA[iNdEx:])
@@ -6578,6 +6939,40 @@ func (m *DeviceRequest) Unmarshal(dAtA []byte) error {
 				return err
 			}
 			iNdEx = postIndex
+		case 8:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Tolerations", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Tolerations = append(m.Tolerations, DeviceToleration{})
+			if err := m.Tolerations[len(m.Tolerations)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipGenerated(dAtA[iNdEx:])
@@ -6777,6 +7172,40 @@ func (m *DeviceRequestAllocationResult) Unmarshal(dAtA []byte) error {
 			}
 			b := bool(v != 0)
 			m.AdminAccess = &b
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Tolerations", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Tolerations = append(m.Tolerations, DeviceToleration{})
+			if err := m.Tolerations[len(m.Tolerations)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipGenerated(dAtA[iNdEx:])
@@ -7062,6 +7491,420 @@ func (m *DeviceSubRequest) Unmarshal(dAtA []byte) error {
 					break
 				}
 			}
+		case 7:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Tolerations", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Tolerations = append(m.Tolerations, DeviceToleration{})
+			if err := m.Tolerations[len(m.Tolerations)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DeviceTaint) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DeviceTaint: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DeviceTaint: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Key", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Key = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Value", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Value = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Effect", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Effect = DeviceTaintEffect(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TimeAdded", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.TimeAdded == nil {
+				m.TimeAdded = &v1.Time{}
+			}
+			if err := m.TimeAdded.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
+func (m *DeviceToleration) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: DeviceToleration: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: DeviceToleration: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Key", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Key = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Operator", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Operator = DeviceTolerationOperator(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Value", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Value = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Effect", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Effect = DeviceTaintEffect(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 5:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TolerationSeconds", wireType)
+			}
+			var v int64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= int64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.TolerationSeconds = &v
 		default:
 			iNdEx = preIndex
 			skippy, err := skipGenerated(dAtA[iNdEx:])
diff --git a/staging/src/k8s.io/api/resource/v1beta1/generated.proto b/staging/src/k8s.io/api/resource/v1beta1/generated.proto
index c2afd439050..b8c5a263d30 100644
--- a/staging/src/k8s.io/api/resource/v1beta1/generated.proto
+++ b/staging/src/k8s.io/api/resource/v1beta1/generated.proto
@@ -113,6 +113,18 @@ message BasicDevice {
   //
   // +optional
   map<string, DeviceCapacity> capacity = 2;
+
+  // If specified, these are the driver-defined taints.
+  //
+  // The maximum number of taints is 8.
+  //
+  // This is an alpha field and requires enabling the DRADeviceTaints
+  // feature gate.
+  //
+  // +optional
+  // +listType=atomic
+  // +featureGate=DRADeviceTaints
+  repeated DeviceTaint taints = 3;
 }
 
 // CELDeviceSelector contains a CEL expression for selecting a device.
@@ -529,6 +541,32 @@ message DeviceRequest {
   // +listType=atomic
   // +featureGate=DRAPrioritizedList
   repeated DeviceSubRequest firstAvailable = 7;
+
+  // If specified, the request's tolerations.
+  //
+  // Tolerations for NoSchedule are required to allocate a
+  // device which has a taint with that effect. The same applies
+  // to NoExecute.
+  //
+  // In addition, should any of the allocated devices get tainted
+  // with NoExecute after allocation and that effect is not tolerated,
+  // then all pods consuming the ResourceClaim get deleted to evict
+  // them. The scheduler will not let new pods reserve the claim while
+  // it has these tainted devices. Once all pods are evicted, the
+  // claim will get deallocated.
+  //
+  // The maximum number of tolerations is 16.
+  //
+  // This field can only be set when deviceClassName is set and no subrequests
+  // are specified in the firstAvailable list.
+  //
+  // This is an alpha field and requires enabling the DRADeviceTaints
+  // feature gate.
+  //
+  // +optional
+  // +listType=atomic
+  // +featureGate=DRADeviceTaints
+  repeated DeviceToleration tolerations = 8;
 }
 
 // DeviceRequestAllocationResult contains the allocation result for one request.
@@ -580,6 +618,19 @@ message DeviceRequestAllocationResult {
   // +optional
   // +featureGate=DRAAdminAccess
   optional bool adminAccess = 5;
+
+  // A copy of all tolerations specified in the request at the time
+  // when the device got allocated.
+  //
+  // The maximum number of tolerations is 16.
+  //
+  // This is an alpha field and requires enabling the DRADeviceTaints
+  // feature gate.
+  //
+  // +optional
+  // +listType=atomic
+  // +featureGate=DRADeviceTaints
+  repeated DeviceToleration tolerations = 6;
 }
 
 // DeviceSelector must have exactly one field set.
@@ -661,6 +712,105 @@ message DeviceSubRequest {
   // +optional
   // +oneOf=AllocationMode
   optional int64 count = 5;
+
+  // If specified, the request's tolerations.
+  //
+  // Tolerations for NoSchedule are required to allocate a
+  // device which has a taint with that effect. The same applies
+  // to NoExecute.
+  //
+  // In addition, should any of the allocated devices get tainted
+  // with NoExecute after allocation and that effect is not tolerated,
+  // then all pods consuming the ResourceClaim get deleted to evict
+  // them. The scheduler will not let new pods reserve the claim while
+  // it has these tainted devices. Once all pods are evicted, the
+  // claim will get deallocated.
+  //
+  // The maximum number of tolerations is 16.
+  //
+  // This is an alpha field and requires enabling the DRADeviceTaints
+  // feature gate.
+  //
+  // +optional
+  // +listType=atomic
+  // +featureGate=DRADeviceTaints
+  repeated DeviceToleration tolerations = 7;
+}
+
+// The device this taint is attached to has the "effect" on
+// any claim which does not tolerate the taint and, through the claim,
+// to pods using the claim.
+//
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+message DeviceTaint {
+  // The taint key to be applied to a device.
+  // Must be a label name.
+  //
+  // +required
+  optional string key = 1;
+
+  // The taint value corresponding to the taint key.
+  // Must be a label value.
+  //
+  // +optional
+  optional string value = 2;
+
+  // The effect of the taint on claims that do not tolerate the taint
+  // and through such claims on the pods using them.
+  // Valid effects are NoSchedule and NoExecute. PreferNoSchedule as used for
+  // nodes is not valid here.
+  //
+  // +required
+  optional string effect = 3;
+
+  // TimeAdded represents the time at which the taint was added.
+  // Added automatically during create or update if not set.
+  //
+  // +optional
+  optional .k8s.io.apimachinery.pkg.apis.meta.v1.Time timeAdded = 4;
+}
+
+// The ResourceClaim this DeviceToleration is attached to tolerates any taint that matches
+// the triple <key,value,effect> using the matching operator <operator>.
+message DeviceToleration {
+  // Key is the taint key that the toleration applies to. Empty means match all taint keys.
+  // If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+  // Must be a label name.
+  //
+  // +optional
+  optional string key = 1;
+
+  // Operator represents a key's relationship to the value.
+  // Valid operators are Exists and Equal. Defaults to Equal.
+  // Exists is equivalent to wildcard for value, so that a ResourceClaim can
+  // tolerate all taints of a particular category.
+  //
+  // +optional
+  // +default="Equal"
+  optional string operator = 2;
+
+  // Value is the taint value the toleration matches to.
+  // If the operator is Exists, the value must be empty, otherwise just a regular string.
+  // Must be a label value.
+  //
+  // +optional
+  optional string value = 3;
+
+  // Effect indicates the taint effect to match. Empty means match all taint effects.
+  // When specified, allowed values are NoSchedule and NoExecute.
+  //
+  // +optional
+  optional string effect = 4;
+
+  // TolerationSeconds represents the period of time the toleration (which must be
+  // of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+  // it is not set, which means tolerate the taint forever (do not evict). Zero and
+  // negative values will be treated as 0 (evict immediately) by the system.
+  // If larger than zero, the time when the pod needs to be evicted is calculated as <time when
+  // taint was adedd> + <toleration seconds>.
+  //
+  // +optional
+  optional int64 tolerationSeconds = 5;
 }
 
 // NetworkDeviceData provides network-related details for the allocated device.
diff --git a/staging/src/k8s.io/api/resource/v1beta1/types_swagger_doc_generated.go b/staging/src/k8s.io/api/resource/v1beta1/types_swagger_doc_generated.go
index b9695d69659..4c9a80985f3 100644
--- a/staging/src/k8s.io/api/resource/v1beta1/types_swagger_doc_generated.go
+++ b/staging/src/k8s.io/api/resource/v1beta1/types_swagger_doc_generated.go
@@ -55,6 +55,7 @@ var map_BasicDevice = map[string]string{
 	"":           "BasicDevice defines one device instance.",
 	"attributes": "Attributes defines the set of attributes for this device. The name of each attribute must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.",
 	"capacity":   "Capacity defines the set of capacities for this device. The name of each capacity must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.",
+	"taints":     "If specified, these are the driver-defined taints.\n\nThe maximum number of taints is 8.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
 }
 
 func (BasicDevice) SwaggerDoc() map[string]string {
@@ -207,6 +208,7 @@ var map_DeviceRequest = map[string]string{
 	"count":           "Count is used only when the count mode is \"ExactCount\". Must be greater than zero. If AllocationMode is ExactCount and this field is not specified, the default is one.\n\nThis field can only be set when deviceClassName is set and no subrequests are specified in the firstAvailable list.",
 	"adminAccess":     "AdminAccess indicates that this is a claim for administrative access to the device(s). Claims with AdminAccess are expected to be used for monitoring or other management services for a device.  They ignore all ordinary claims to the device with respect to access modes and any resource allocations.\n\nThis field can only be set when deviceClassName is set and no subrequests are specified in the firstAvailable list.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, otherwise it is enabled.",
 	"firstAvailable":  "FirstAvailable contains subrequests, of which exactly one will be satisfied by the scheduler to satisfy this request. It tries to satisfy them in the order in which they are listed here. So if there are two entries in the list, the scheduler will only check the second one if it determines that the first one cannot be used.\n\nThis field may only be set in the entries of DeviceClaim.Requests.\n\nDRA does not yet implement scoring, so the scheduler will select the first set of devices that satisfies all the requests in the claim. And if the requirements can be satisfied on more than one node, other scheduling features will determine which node is chosen. This means that the set of devices allocated to a claim might not be the optimal set available to the cluster. Scoring will be implemented later.",
+	"tolerations":     "If specified, the request's tolerations.\n\nTolerations for NoSchedule are required to allocate a device which has a taint with that effect. The same applies to NoExecute.\n\nIn addition, should any of the allocated devices get tainted with NoExecute after allocation and that effect is not tolerated, then all pods consuming the ResourceClaim get deleted to evict them. The scheduler will not let new pods reserve the claim while it has these tainted devices. Once all pods are evicted, the claim will get deallocated.\n\nThe maximum number of tolerations is 16.\n\nThis field can only be set when deviceClassName is set and no subrequests are specified in the firstAvailable list.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
 }
 
 func (DeviceRequest) SwaggerDoc() map[string]string {
@@ -220,6 +222,7 @@ var map_DeviceRequestAllocationResult = map[string]string{
 	"pool":        "This name together with the driver name and the device name field identify which device was allocated (`<driver name>/<pool name>/<device name>`).\n\nMust not be longer than 253 characters and may contain one or more DNS sub-domains separated by slashes.",
 	"device":      "Device references one device instance via its name in the driver's resource pool. It must be a DNS label.",
 	"adminAccess": "AdminAccess indicates that this device was allocated for administrative access. See the corresponding request field for a definition of mode.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, otherwise it is enabled.",
+	"tolerations": "A copy of all tolerations specified in the request at the time when the device got allocated.\n\nThe maximum number of tolerations is 16.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
 }
 
 func (DeviceRequestAllocationResult) SwaggerDoc() map[string]string {
@@ -242,12 +245,38 @@ var map_DeviceSubRequest = map[string]string{
 	"selectors":       "Selectors define criteria which must be satisfied by a specific device in order for that device to be considered for this subrequest. All selectors must be satisfied for a device to be considered.",
 	"allocationMode":  "AllocationMode and its related fields define how devices are allocated to satisfy this subrequest. Supported values are:\n\n- ExactCount: This request is for a specific number of devices.\n  This is the default. The exact number is provided in the\n  count field.\n\n- All: This subrequest is for all of the matching devices in a pool.\n  Allocation will fail if some devices are already allocated,\n  unless adminAccess is requested.\n\nIf AlloctionMode is not specified, the default mode is ExactCount. If the mode is ExactCount and count is not specified, the default count is one. Any other subrequests must specify this field.\n\nMore modes may get added in the future. Clients must refuse to handle requests with unknown modes.",
 	"count":           "Count is used only when the count mode is \"ExactCount\". Must be greater than zero. If AllocationMode is ExactCount and this field is not specified, the default is one.",
+	"tolerations":     "If specified, the request's tolerations.\n\nTolerations for NoSchedule are required to allocate a device which has a taint with that effect. The same applies to NoExecute.\n\nIn addition, should any of the allocated devices get tainted with NoExecute after allocation and that effect is not tolerated, then all pods consuming the ResourceClaim get deleted to evict them. The scheduler will not let new pods reserve the claim while it has these tainted devices. Once all pods are evicted, the claim will get deallocated.\n\nThe maximum number of tolerations is 16.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.",
 }
 
 func (DeviceSubRequest) SwaggerDoc() map[string]string {
 	return map_DeviceSubRequest
 }
 
+var map_DeviceTaint = map[string]string{
+	"":          "The device this taint is attached to has the \"effect\" on any claim which does not tolerate the taint and, through the claim, to pods using the claim.",
+	"key":       "The taint key to be applied to a device. Must be a label name.",
+	"value":     "The taint value corresponding to the taint key. Must be a label value.",
+	"effect":    "The effect of the taint on claims that do not tolerate the taint and through such claims on the pods using them. Valid effects are NoSchedule and NoExecute. PreferNoSchedule as used for nodes is not valid here.",
+	"timeAdded": "TimeAdded represents the time at which the taint was added. Added automatically during create or update if not set.",
+}
+
+func (DeviceTaint) SwaggerDoc() map[string]string {
+	return map_DeviceTaint
+}
+
+var map_DeviceToleration = map[string]string{
+	"":                  "The ResourceClaim this DeviceToleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.",
+	"key":               "Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. Must be a label name.",
+	"operator":          "Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a ResourceClaim can tolerate all taints of a particular category.",
+	"value":             "Value is the taint value the toleration matches to. If the operator is Exists, the value must be empty, otherwise just a regular string. Must be a label value.",
+	"effect":            "Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule and NoExecute.",
+	"tolerationSeconds": "TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. If larger than zero, the time when the pod needs to be evicted is calculated as <time when taint was adedd> + <toleration seconds>.",
+}
+
+func (DeviceToleration) SwaggerDoc() map[string]string {
+	return map_DeviceToleration
+}
+
 var map_NetworkDeviceData = map[string]string{
 	"":                "NetworkDeviceData provides network-related details for the allocated device. This information may be filled by drivers or other components to configure or identify the device within a network context.",
 	"interfaceName":   "InterfaceName specifies the name of the network interface associated with the allocated device. This might be the name of a physical or virtual network interface being configured in the pod.\n\nMust not be longer than 256 characters.",
diff --git a/staging/src/k8s.io/api/resource/v1beta1/zz_generated.deepcopy.go b/staging/src/k8s.io/api/resource/v1beta1/zz_generated.deepcopy.go
index f2592e39b39..a4d7be37bb9 100644
--- a/staging/src/k8s.io/api/resource/v1beta1/zz_generated.deepcopy.go
+++ b/staging/src/k8s.io/api/resource/v1beta1/zz_generated.deepcopy.go
@@ -99,6 +99,13 @@ func (in *BasicDevice) DeepCopyInto(out *BasicDevice) {
 			(*out)[key] = *val.DeepCopy()
 		}
 	}
+	if in.Taints != nil {
+		in, out := &in.Taints, &out.Taints
+		*out = make([]DeviceTaint, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	return
 }
 
@@ -489,6 +496,13 @@ func (in *DeviceRequest) DeepCopyInto(out *DeviceRequest) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.Tolerations != nil {
+		in, out := &in.Tolerations, &out.Tolerations
+		*out = make([]DeviceToleration, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	return
 }
 
@@ -510,6 +524,13 @@ func (in *DeviceRequestAllocationResult) DeepCopyInto(out *DeviceRequestAllocati
 		*out = new(bool)
 		**out = **in
 	}
+	if in.Tolerations != nil {
+		in, out := &in.Tolerations, &out.Tolerations
+		*out = make([]DeviceToleration, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	return
 }
 
@@ -554,6 +575,13 @@ func (in *DeviceSubRequest) DeepCopyInto(out *DeviceSubRequest) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.Tolerations != nil {
+		in, out := &in.Tolerations, &out.Tolerations
+		*out = make([]DeviceToleration, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	return
 }
 
@@ -567,6 +595,47 @@ func (in *DeviceSubRequest) DeepCopy() *DeviceSubRequest {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DeviceTaint) DeepCopyInto(out *DeviceTaint) {
+	*out = *in
+	if in.TimeAdded != nil {
+		in, out := &in.TimeAdded, &out.TimeAdded
+		*out = (*in).DeepCopy()
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeviceTaint.
+func (in *DeviceTaint) DeepCopy() *DeviceTaint {
+	if in == nil {
+		return nil
+	}
+	out := new(DeviceTaint)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DeviceToleration) DeepCopyInto(out *DeviceToleration) {
+	*out = *in
+	if in.TolerationSeconds != nil {
+		in, out := &in.TolerationSeconds, &out.TolerationSeconds
+		*out = new(int64)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeviceToleration.
+func (in *DeviceToleration) DeepCopy() *DeviceToleration {
+	if in == nil {
+		return nil
+	}
+	out := new(DeviceToleration)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NetworkDeviceData) DeepCopyInto(out *NetworkDeviceData) {
 	*out = *in
diff --git a/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.DeviceTaintRule.json b/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.DeviceTaintRule.json
new file mode 100644
index 00000000000..84ad1495680
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.DeviceTaintRule.json
@@ -0,0 +1,67 @@
+{
+  "kind": "DeviceTaintRule",
+  "apiVersion": "resource.k8s.io/v1alpha3",
+  "metadata": {
+    "name": "nameValue",
+    "generateName": "generateNameValue",
+    "namespace": "namespaceValue",
+    "selfLink": "selfLinkValue",
+    "uid": "uidValue",
+    "resourceVersion": "resourceVersionValue",
+    "generation": 7,
+    "creationTimestamp": "2008-01-01T01:01:01Z",
+    "deletionTimestamp": "2009-01-01T01:01:01Z",
+    "deletionGracePeriodSeconds": 10,
+    "labels": {
+      "labelsKey": "labelsValue"
+    },
+    "annotations": {
+      "annotationsKey": "annotationsValue"
+    },
+    "ownerReferences": [
+      {
+        "apiVersion": "apiVersionValue",
+        "kind": "kindValue",
+        "name": "nameValue",
+        "uid": "uidValue",
+        "controller": true,
+        "blockOwnerDeletion": true
+      }
+    ],
+    "finalizers": [
+      "finalizersValue"
+    ],
+    "managedFields": [
+      {
+        "manager": "managerValue",
+        "operation": "operationValue",
+        "apiVersion": "apiVersionValue",
+        "time": "2004-01-01T01:01:01Z",
+        "fieldsType": "fieldsTypeValue",
+        "fieldsV1": {},
+        "subresource": "subresourceValue"
+      }
+    ]
+  },
+  "spec": {
+    "deviceSelector": {
+      "deviceClassName": "deviceClassNameValue",
+      "driver": "driverValue",
+      "pool": "poolValue",
+      "device": "deviceValue",
+      "selectors": [
+        {
+          "cel": {
+            "expression": "expressionValue"
+          }
+        }
+      ]
+    },
+    "taint": {
+      "key": "keyValue",
+      "value": "valueValue",
+      "effect": "effectValue",
+      "timeAdded": "2004-01-01T01:01:01Z"
+    }
+  }
+}
\ No newline at end of file
diff --git a/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.DeviceTaintRule.pb b/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.DeviceTaintRule.pb
new file mode 100644
index 0000000000000000000000000000000000000000..60244465bfcc245cd915a3eb004db19e5d4f7ae5
GIT binary patch
literal 543
zcmZ8dy-tHr7=^ZpaM41sL&L~eWBrQ>ajZ^iOk<i3ZWs8dS8gwa3&d(1Tzv~?AHg>;
z={pz)U3~+k7fTzr^ZlK3z7slJLR+Yl0FSc7gI?(H9*K7HJxt?kd|>J)kP{Dvn6UIR
zqhNm3(R&T43{PN$X$EF%3=9&S!o{LxHRn?vW3ODXH#pGXoUl+_bd`+w0`0dKx+6$9
ziJ0g*YkftTJ%7G74C%B$FW+wk8lbBVQYm(U@-vv4S_#F4YojJ+EJ|@&kchFdQj49N
zL!^d;mBQB2zg@ZM>NqB=Ms{UKPV|5<OvzngQ1Cp-E?S>phR2YIhS`kb`Tq<1)_)qi
z_~B#rQ#Yjjf()q7hts%B=BR;c_YZx8XKs~*2=!4$1Jw3K_Qw=+UWIFFenRp;ZA*=#
uhzc9FR&I-;yNOyzhugSdt#UQDkrKkRG>!7Pj=+`%K>%JViltdgvZY^5)VvM=

literal 0
HcmV?d00001

diff --git a/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.DeviceTaintRule.yaml b/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.DeviceTaintRule.yaml
new file mode 100644
index 00000000000..8d06614b992
--- /dev/null
+++ b/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.DeviceTaintRule.yaml
@@ -0,0 +1,48 @@
+apiVersion: resource.k8s.io/v1alpha3
+kind: DeviceTaintRule
+metadata:
+  annotations:
+    annotationsKey: annotationsValue
+  creationTimestamp: "2008-01-01T01:01:01Z"
+  deletionGracePeriodSeconds: 10
+  deletionTimestamp: "2009-01-01T01:01:01Z"
+  finalizers:
+  - finalizersValue
+  generateName: generateNameValue
+  generation: 7
+  labels:
+    labelsKey: labelsValue
+  managedFields:
+  - apiVersion: apiVersionValue
+    fieldsType: fieldsTypeValue
+    fieldsV1: {}
+    manager: managerValue
+    operation: operationValue
+    subresource: subresourceValue
+    time: "2004-01-01T01:01:01Z"
+  name: nameValue
+  namespace: namespaceValue
+  ownerReferences:
+  - apiVersion: apiVersionValue
+    blockOwnerDeletion: true
+    controller: true
+    kind: kindValue
+    name: nameValue
+    uid: uidValue
+  resourceVersion: resourceVersionValue
+  selfLink: selfLinkValue
+  uid: uidValue
+spec:
+  deviceSelector:
+    device: deviceValue
+    deviceClassName: deviceClassNameValue
+    driver: driverValue
+    pool: poolValue
+    selectors:
+    - cel:
+        expression: expressionValue
+  taint:
+    effect: effectValue
+    key: keyValue
+    timeAdded: "2004-01-01T01:01:01Z"
+    value: valueValue
diff --git a/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.ResourceClaim.json b/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.ResourceClaim.json
index b3a610c4b2f..2d53360bc00 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.ResourceClaim.json
+++ b/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.ResourceClaim.json
@@ -71,7 +71,25 @@
                 }
               ],
               "allocationMode": "allocationModeValue",
-              "count": 5
+              "count": 5,
+              "tolerations": [
+                {
+                  "key": "keyValue",
+                  "operator": "operatorValue",
+                  "value": "valueValue",
+                  "effect": "effectValue",
+                  "tolerationSeconds": 5
+                }
+              ]
+            }
+          ],
+          "tolerations": [
+            {
+              "key": "keyValue",
+              "operator": "operatorValue",
+              "value": "valueValue",
+              "effect": "effectValue",
+              "tolerationSeconds": 5
             }
           ]
         }
@@ -115,7 +133,16 @@
             "driver": "driverValue",
             "pool": "poolValue",
             "device": "deviceValue",
-            "adminAccess": true
+            "adminAccess": true,
+            "tolerations": [
+              {
+                "key": "keyValue",
+                "operator": "operatorValue",
+                "value": "valueValue",
+                "effect": "effectValue",
+                "tolerationSeconds": 5
+              }
+            ]
           }
         ],
         "config": [
diff --git a/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.ResourceClaim.pb b/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.ResourceClaim.pb
index e70287ec054f0e6e3be6bfe5f3e82a236fa989fb..041dfae981c46f207120f615834b9a392ce4320f 100644
GIT binary patch
delta 154
zcmcc2^^JRi0n-8QjYcVq90!=W_A+yIGfjTa=*w!rXw}RJVli2nOn%QSCBs#gm{Xb>
z1|pQWQ`6E?lS{xH4OS<x0%0r)CYv&C=bFySb&H9snTacV@;4?^CL^$FDJ-g?#%<PS
H)?fkv6sR#$

delta 58
zcmV-A0LB0I3)2daFan(lu`*-<2h#!y&;kmclkWje1TX<QO_T5eO_QktunOS>3Zw!G
Q%>fEElVbxlv(5u30z<MA&Hw-a

diff --git a/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.ResourceClaim.yaml b/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.ResourceClaim.yaml
index c2c12181b3c..a6dc0514053 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.ResourceClaim.yaml
+++ b/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.ResourceClaim.yaml
@@ -63,10 +63,22 @@ spec:
         selectors:
         - cel:
             expression: expressionValue
+        tolerations:
+        - effect: effectValue
+          key: keyValue
+          operator: operatorValue
+          tolerationSeconds: 5
+          value: valueValue
       name: nameValue
       selectors:
       - cel:
           expression: expressionValue
+      tolerations:
+      - effect: effectValue
+        key: keyValue
+        operator: operatorValue
+        tolerationSeconds: 5
+        value: valueValue
 status:
   allocation:
     devices:
@@ -89,6 +101,12 @@ status:
         driver: driverValue
         pool: poolValue
         request: requestValue
+        tolerations:
+        - effect: effectValue
+          key: keyValue
+          operator: operatorValue
+          tolerationSeconds: 5
+          value: valueValue
     nodeSelector:
       nodeSelectorTerms:
       - matchExpressions:
diff --git a/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.ResourceClaimTemplate.json b/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.ResourceClaimTemplate.json
index 5dabc4458f4..22826de5ec7 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.ResourceClaimTemplate.json
+++ b/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.ResourceClaimTemplate.json
@@ -114,7 +114,25 @@
                   }
                 ],
                 "allocationMode": "allocationModeValue",
-                "count": 5
+                "count": 5,
+                "tolerations": [
+                  {
+                    "key": "keyValue",
+                    "operator": "operatorValue",
+                    "value": "valueValue",
+                    "effect": "effectValue",
+                    "tolerationSeconds": 5
+                  }
+                ]
+              }
+            ],
+            "tolerations": [
+              {
+                "key": "keyValue",
+                "operator": "operatorValue",
+                "value": "valueValue",
+                "effect": "effectValue",
+                "tolerationSeconds": 5
               }
             ]
           }
diff --git a/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.ResourceClaimTemplate.pb b/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.ResourceClaimTemplate.pb
index 832be05eb94529cb012b49fbfd2315d1cf3f7122..a91e9e068aba4420e886f4c858c9c9a44743f7b7 100644
GIT binary patch
delta 177
zcmcc1af)+-1yc{_<^_x?j7-bez%<7JX0E-=T-{8QW0`$f4H&JO89}UiD-$k`?9|Gz
z#GKMpA>RCg)S|?a{30+{imMDH3T7*Dr>3Q)CYOLY8mvxa=@L@m;w?%oEKMygDFz!P
KBs_U9^8x^Yayi`q

delta 47
zcmX@bd6#2?1=D<v%?lV)7@2mmf@${4Ok5Y3xaLicW%gq+V6^g`9LMZCS)64v0B(W~
ATL1t6

diff --git a/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.ResourceClaimTemplate.yaml b/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.ResourceClaimTemplate.yaml
index 13b06c07493..0942c03df69 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.ResourceClaimTemplate.yaml
+++ b/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.ResourceClaimTemplate.yaml
@@ -96,7 +96,19 @@ spec:
           selectors:
           - cel:
               expression: expressionValue
+          tolerations:
+          - effect: effectValue
+            key: keyValue
+            operator: operatorValue
+            tolerationSeconds: 5
+            value: valueValue
         name: nameValue
         selectors:
         - cel:
             expression: expressionValue
+        tolerations:
+        - effect: effectValue
+          key: keyValue
+          operator: operatorValue
+          tolerationSeconds: 5
+          value: valueValue
diff --git a/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.ResourceSlice.json b/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.ResourceSlice.json
index a3a916ae363..d6307670cc5 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.ResourceSlice.json
+++ b/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.ResourceSlice.json
@@ -90,7 +90,15 @@
           },
           "capacity": {
             "capacityKey": "0"
-          }
+          },
+          "taints": [
+            {
+              "key": "keyValue",
+              "value": "valueValue",
+              "effect": "effectValue",
+              "timeAdded": "2004-01-01T01:01:01Z"
+            }
+          ]
         }
       }
     ]
diff --git a/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.ResourceSlice.pb b/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.ResourceSlice.pb
index 9a36629f9a87a81673798852682fa37419c8525e..040fb58c3c19ecc33a334867cdd18a10c6a690b3 100644
GIT binary patch
delta 90
zcmeyuvV?Vl0pq)khN+B99ZZvFFt+eFF>-O{CFZ7vCFYc-3YAXQVsbaq<>JUrt%Qhh
hm4PI{Y$@*4w6xUZ5->-JgX8R@v;Ua|7^E1K7yv&P9UTAw

delta 42
ycmZ3&`h{hJ0pq@nhN+B9Hy9_+U~J(F=Hkpt%uNkT%qdM3a+|Ep<j%~X!~g&?tPF|(

diff --git a/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.ResourceSlice.yaml b/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.ResourceSlice.yaml
index 93d7f2e1170..559bd6c1890 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.ResourceSlice.yaml
+++ b/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1alpha3.ResourceSlice.yaml
@@ -44,6 +44,11 @@ spec:
           version: versionValue
       capacity:
         capacityKey: "0"
+      taints:
+      - effect: effectValue
+        key: keyValue
+        timeAdded: "2004-01-01T01:01:01Z"
+        value: valueValue
     name: nameValue
   driver: driverValue
   nodeName: nodeNameValue
diff --git a/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1beta1.ResourceClaim.json b/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1beta1.ResourceClaim.json
index 7982a35a1c8..5f52f153194 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1beta1.ResourceClaim.json
+++ b/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1beta1.ResourceClaim.json
@@ -71,7 +71,25 @@
                 }
               ],
               "allocationMode": "allocationModeValue",
-              "count": 5
+              "count": 5,
+              "tolerations": [
+                {
+                  "key": "keyValue",
+                  "operator": "operatorValue",
+                  "value": "valueValue",
+                  "effect": "effectValue",
+                  "tolerationSeconds": 5
+                }
+              ]
+            }
+          ],
+          "tolerations": [
+            {
+              "key": "keyValue",
+              "operator": "operatorValue",
+              "value": "valueValue",
+              "effect": "effectValue",
+              "tolerationSeconds": 5
             }
           ]
         }
@@ -115,7 +133,16 @@
             "driver": "driverValue",
             "pool": "poolValue",
             "device": "deviceValue",
-            "adminAccess": true
+            "adminAccess": true,
+            "tolerations": [
+              {
+                "key": "keyValue",
+                "operator": "operatorValue",
+                "value": "valueValue",
+                "effect": "effectValue",
+                "tolerationSeconds": 5
+              }
+            ]
           }
         ],
         "config": [
diff --git a/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1beta1.ResourceClaim.pb b/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1beta1.ResourceClaim.pb
index ed044a4d13ddfadffec03c138630c2341ffde110..889c2db17b3d012cd188e9fcc70ef49bd2d3091a 100644
GIT binary patch
delta 154
zcmcb_^_6>qKGOm2jfN?V90!=W_A+yIGfjTS=*w!rXw}RJVli2nOn%2KCBs#gm{Xb>
z1|pQWQ`6E?lS{xH4OS<x0%0r)CYvyA=bFySb&H9snTacV@>eEPCL^$FDJ-g?#%<PO
H)?fkv5C}0w

delta 58
zcmV-A0LB0H3(^XZF9Mwku`y%;2h#!y&;kmclkNdd1TX<QO_T2dO_QhsunOS>3Zw!G
Q%>fEElVSrkv&{o20z!Eb#Q*>R

diff --git a/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1beta1.ResourceClaim.yaml b/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1beta1.ResourceClaim.yaml
index 5e56d97b587..0e682e0cceb 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1beta1.ResourceClaim.yaml
+++ b/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1beta1.ResourceClaim.yaml
@@ -63,10 +63,22 @@ spec:
         selectors:
         - cel:
             expression: expressionValue
+        tolerations:
+        - effect: effectValue
+          key: keyValue
+          operator: operatorValue
+          tolerationSeconds: 5
+          value: valueValue
       name: nameValue
       selectors:
       - cel:
           expression: expressionValue
+      tolerations:
+      - effect: effectValue
+        key: keyValue
+        operator: operatorValue
+        tolerationSeconds: 5
+        value: valueValue
 status:
   allocation:
     devices:
@@ -89,6 +101,12 @@ status:
         driver: driverValue
         pool: poolValue
         request: requestValue
+        tolerations:
+        - effect: effectValue
+          key: keyValue
+          operator: operatorValue
+          tolerationSeconds: 5
+          value: valueValue
     nodeSelector:
       nodeSelectorTerms:
       - matchExpressions:
diff --git a/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1beta1.ResourceClaimTemplate.json b/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1beta1.ResourceClaimTemplate.json
index bf5f56abe70..f66a56a55e5 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1beta1.ResourceClaimTemplate.json
+++ b/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1beta1.ResourceClaimTemplate.json
@@ -114,7 +114,25 @@
                   }
                 ],
                 "allocationMode": "allocationModeValue",
-                "count": 5
+                "count": 5,
+                "tolerations": [
+                  {
+                    "key": "keyValue",
+                    "operator": "operatorValue",
+                    "value": "valueValue",
+                    "effect": "effectValue",
+                    "tolerationSeconds": 5
+                  }
+                ]
+              }
+            ],
+            "tolerations": [
+              {
+                "key": "keyValue",
+                "operator": "operatorValue",
+                "value": "valueValue",
+                "effect": "effectValue",
+                "tolerationSeconds": 5
               }
             ]
           }
diff --git a/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1beta1.ResourceClaimTemplate.pb b/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1beta1.ResourceClaimTemplate.pb
index 6b6cd72e38c94e9df72cc1c565c813add74d031f..6cbb8e0a648b8d501df993bd417d01a90c8cd5d5 100644
GIT binary patch
delta 177
zcmcb^aguX_Ia3ek=J|{%j7-bez%<7JX0E-=T-{8QW0-we4H&JO89}UiD-$k`?9|Gz
z#GKMpA>RCg)S|?a{30+{imMDH3T7*Dr>3Q)CYOLY8mvxa=@L@m;w?%oEKMygDFz!P
KBs_T!^8x^U1v%9K

delta 47
zcmX@fd52?yIn#WO&GQ*k7@2mmf@${4Ok5Y3xaLicVfJG&V6^g`9LwxGS&U^f0BxWS
AQvd(}

diff --git a/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1beta1.ResourceClaimTemplate.yaml b/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1beta1.ResourceClaimTemplate.yaml
index 6711b1d802d..524a93574b9 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1beta1.ResourceClaimTemplate.yaml
+++ b/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1beta1.ResourceClaimTemplate.yaml
@@ -96,7 +96,19 @@ spec:
           selectors:
           - cel:
               expression: expressionValue
+          tolerations:
+          - effect: effectValue
+            key: keyValue
+            operator: operatorValue
+            tolerationSeconds: 5
+            value: valueValue
         name: nameValue
         selectors:
         - cel:
             expression: expressionValue
+        tolerations:
+        - effect: effectValue
+          key: keyValue
+          operator: operatorValue
+          tolerationSeconds: 5
+          value: valueValue
diff --git a/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1beta1.ResourceSlice.json b/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1beta1.ResourceSlice.json
index 06b650026d8..7e557c07e32 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1beta1.ResourceSlice.json
+++ b/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1beta1.ResourceSlice.json
@@ -92,7 +92,15 @@
             "capacityKey": {
               "value": "0"
             }
-          }
+          },
+          "taints": [
+            {
+              "key": "keyValue",
+              "value": "valueValue",
+              "effect": "effectValue",
+              "timeAdded": "2004-01-01T01:01:01Z"
+            }
+          ]
         }
       }
     ]
diff --git a/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1beta1.ResourceSlice.pb b/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1beta1.ResourceSlice.pb
index 3f467050c4462f729d22edacd73a46f41a9b152c..419e82016d177b34fc2686421402a70a24e90ea4 100644
GIT binary patch
delta 90
zcmey$vXpg#KI4at2C0lpT}+dwGq&)zFmiF`CFZ7vCFYc-3YAaRWb!o9<>JUrt%Qhh
hm4PI{Y$@*4w6xUZ5->-JgX8R@v;Ua|7^E1K7yv;>9VGw&

delta 42
ycmZ3=`jusZKI4In2C0lpw-_f+XKdjM<>Jgs%uNkT%qdM3@|di}<jKsS!~g&@Uks7}

diff --git a/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1beta1.ResourceSlice.yaml b/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1beta1.ResourceSlice.yaml
index f4515c37df6..38417c81f0b 100644
--- a/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1beta1.ResourceSlice.yaml
+++ b/staging/src/k8s.io/api/testdata/HEAD/resource.k8s.io.v1beta1.ResourceSlice.yaml
@@ -45,6 +45,11 @@ spec:
       capacity:
         capacityKey:
           value: "0"
+      taints:
+      - effect: effectValue
+        key: keyValue
+        timeAdded: "2004-01-01T01:01:01Z"
+        value: valueValue
     name: nameValue
   driver: driverValue
   nodeName: nodeNameValue
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/internal/internal.go b/staging/src/k8s.io/client-go/applyconfigurations/internal/internal.go
index f2888de0007..fc4ab5bc2f1 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/internal/internal.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/internal/internal.go
@@ -12581,6 +12581,12 @@ var schemaYAML = typed.YAMLObject(`types:
         map:
           elementType:
             namedType: io.k8s.apimachinery.pkg.api.resource.Quantity
+    - name: taints
+      type:
+        list:
+          elementType:
+            namedType: io.k8s.api.resource.v1alpha3.DeviceTaint
+          elementRelationship: atomic
 - name: io.k8s.api.resource.v1alpha3.CELDeviceSelector
   map:
     fields:
@@ -12759,6 +12765,12 @@ var schemaYAML = typed.YAMLObject(`types:
           elementType:
             namedType: io.k8s.api.resource.v1alpha3.DeviceSelector
           elementRelationship: atomic
+    - name: tolerations
+      type:
+        list:
+          elementType:
+            namedType: io.k8s.api.resource.v1alpha3.DeviceToleration
+          elementRelationship: atomic
 - name: io.k8s.api.resource.v1alpha3.DeviceRequestAllocationResult
   map:
     fields:
@@ -12781,6 +12793,12 @@ var schemaYAML = typed.YAMLObject(`types:
       type:
         scalar: string
       default: ""
+    - name: tolerations
+      type:
+        list:
+          elementType:
+            namedType: io.k8s.api.resource.v1alpha3.DeviceToleration
+          elementRelationship: atomic
 - name: io.k8s.api.resource.v1alpha3.DeviceSelector
   map:
     fields:
@@ -12810,6 +12828,96 @@ var schemaYAML = typed.YAMLObject(`types:
           elementType:
             namedType: io.k8s.api.resource.v1alpha3.DeviceSelector
           elementRelationship: atomic
+    - name: tolerations
+      type:
+        list:
+          elementType:
+            namedType: io.k8s.api.resource.v1alpha3.DeviceToleration
+          elementRelationship: atomic
+- name: io.k8s.api.resource.v1alpha3.DeviceTaint
+  map:
+    fields:
+    - name: effect
+      type:
+        scalar: string
+      default: ""
+    - name: key
+      type:
+        scalar: string
+      default: ""
+    - name: timeAdded
+      type:
+        namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Time
+    - name: value
+      type:
+        scalar: string
+- name: io.k8s.api.resource.v1alpha3.DeviceTaintRule
+  map:
+    fields:
+    - name: apiVersion
+      type:
+        scalar: string
+    - name: kind
+      type:
+        scalar: string
+    - name: metadata
+      type:
+        namedType: io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta
+      default: {}
+    - name: spec
+      type:
+        namedType: io.k8s.api.resource.v1alpha3.DeviceTaintRuleSpec
+      default: {}
+- name: io.k8s.api.resource.v1alpha3.DeviceTaintRuleSpec
+  map:
+    fields:
+    - name: deviceSelector
+      type:
+        namedType: io.k8s.api.resource.v1alpha3.DeviceTaintSelector
+    - name: taint
+      type:
+        namedType: io.k8s.api.resource.v1alpha3.DeviceTaint
+      default: {}
+- name: io.k8s.api.resource.v1alpha3.DeviceTaintSelector
+  map:
+    fields:
+    - name: device
+      type:
+        scalar: string
+    - name: deviceClassName
+      type:
+        scalar: string
+    - name: driver
+      type:
+        scalar: string
+    - name: pool
+      type:
+        scalar: string
+    - name: selectors
+      type:
+        list:
+          elementType:
+            namedType: io.k8s.api.resource.v1alpha3.DeviceSelector
+          elementRelationship: atomic
+- name: io.k8s.api.resource.v1alpha3.DeviceToleration
+  map:
+    fields:
+    - name: effect
+      type:
+        scalar: string
+    - name: key
+      type:
+        scalar: string
+    - name: operator
+      type:
+        scalar: string
+      default: Equal
+    - name: tolerationSeconds
+      type:
+        scalar: numeric
+    - name: value
+      type:
+        scalar: string
 - name: io.k8s.api.resource.v1alpha3.NetworkDeviceData
   map:
     fields:
@@ -13043,6 +13151,12 @@ var schemaYAML = typed.YAMLObject(`types:
         map:
           elementType:
             namedType: io.k8s.api.resource.v1beta1.DeviceCapacity
+    - name: taints
+      type:
+        list:
+          elementType:
+            namedType: io.k8s.api.resource.v1beta1.DeviceTaint
+          elementRelationship: atomic
 - name: io.k8s.api.resource.v1beta1.CELDeviceSelector
   map:
     fields:
@@ -13227,6 +13341,12 @@ var schemaYAML = typed.YAMLObject(`types:
           elementType:
             namedType: io.k8s.api.resource.v1beta1.DeviceSelector
           elementRelationship: atomic
+    - name: tolerations
+      type:
+        list:
+          elementType:
+            namedType: io.k8s.api.resource.v1beta1.DeviceToleration
+          elementRelationship: atomic
 - name: io.k8s.api.resource.v1beta1.DeviceRequestAllocationResult
   map:
     fields:
@@ -13249,6 +13369,12 @@ var schemaYAML = typed.YAMLObject(`types:
       type:
         scalar: string
       default: ""
+    - name: tolerations
+      type:
+        list:
+          elementType:
+            namedType: io.k8s.api.resource.v1beta1.DeviceToleration
+          elementRelationship: atomic
 - name: io.k8s.api.resource.v1beta1.DeviceSelector
   map:
     fields:
@@ -13278,6 +13404,48 @@ var schemaYAML = typed.YAMLObject(`types:
           elementType:
             namedType: io.k8s.api.resource.v1beta1.DeviceSelector
           elementRelationship: atomic
+    - name: tolerations
+      type:
+        list:
+          elementType:
+            namedType: io.k8s.api.resource.v1beta1.DeviceToleration
+          elementRelationship: atomic
+- name: io.k8s.api.resource.v1beta1.DeviceTaint
+  map:
+    fields:
+    - name: effect
+      type:
+        scalar: string
+      default: ""
+    - name: key
+      type:
+        scalar: string
+      default: ""
+    - name: timeAdded
+      type:
+        namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Time
+    - name: value
+      type:
+        scalar: string
+- name: io.k8s.api.resource.v1beta1.DeviceToleration
+  map:
+    fields:
+    - name: effect
+      type:
+        scalar: string
+    - name: key
+      type:
+        scalar: string
+    - name: operator
+      type:
+        scalar: string
+      default: Equal
+    - name: tolerationSeconds
+      type:
+        scalar: numeric
+    - name: value
+      type:
+        scalar: string
 - name: io.k8s.api.resource.v1beta1.NetworkDeviceData
   map:
     fields:
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/basicdevice.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/basicdevice.go
index b58e432947b..3fa06e11fdf 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/basicdevice.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/basicdevice.go
@@ -28,6 +28,7 @@ import (
 type BasicDeviceApplyConfiguration struct {
 	Attributes map[resourcev1alpha3.QualifiedName]DeviceAttributeApplyConfiguration `json:"attributes,omitempty"`
 	Capacity   map[resourcev1alpha3.QualifiedName]resource.Quantity                 `json:"capacity,omitempty"`
+	Taints     []DeviceTaintApplyConfiguration                                      `json:"taints,omitempty"`
 }
 
 // BasicDeviceApplyConfiguration constructs a declarative configuration of the BasicDevice type for use with
@@ -63,3 +64,16 @@ func (b *BasicDeviceApplyConfiguration) WithCapacity(entries map[resourcev1alpha
 	}
 	return b
 }
+
+// WithTaints adds the given value to the Taints field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Taints field.
+func (b *BasicDeviceApplyConfiguration) WithTaints(values ...*DeviceTaintApplyConfiguration) *BasicDeviceApplyConfiguration {
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithTaints")
+		}
+		b.Taints = append(b.Taints, *values[i])
+	}
+	return b
+}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicerequest.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicerequest.go
index f91c8b41b26..bff72a3f599 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicerequest.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicerequest.go
@@ -32,6 +32,7 @@ type DeviceRequestApplyConfiguration struct {
 	Count           *int64                                 `json:"count,omitempty"`
 	AdminAccess     *bool                                  `json:"adminAccess,omitempty"`
 	FirstAvailable  []DeviceSubRequestApplyConfiguration   `json:"firstAvailable,omitempty"`
+	Tolerations     []DeviceTolerationApplyConfiguration   `json:"tolerations,omitempty"`
 }
 
 // DeviceRequestApplyConfiguration constructs a declarative configuration of the DeviceRequest type for use with
@@ -105,3 +106,16 @@ func (b *DeviceRequestApplyConfiguration) WithFirstAvailable(values ...*DeviceSu
 	}
 	return b
 }
+
+// WithTolerations adds the given value to the Tolerations field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Tolerations field.
+func (b *DeviceRequestApplyConfiguration) WithTolerations(values ...*DeviceTolerationApplyConfiguration) *DeviceRequestApplyConfiguration {
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithTolerations")
+		}
+		b.Tolerations = append(b.Tolerations, *values[i])
+	}
+	return b
+}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicerequestallocationresult.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicerequestallocationresult.go
index 4c3cffcf465..ec8c78e2e5b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicerequestallocationresult.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicerequestallocationresult.go
@@ -21,11 +21,12 @@ package v1alpha3
 // DeviceRequestAllocationResultApplyConfiguration represents a declarative configuration of the DeviceRequestAllocationResult type for use
 // with apply.
 type DeviceRequestAllocationResultApplyConfiguration struct {
-	Request     *string `json:"request,omitempty"`
-	Driver      *string `json:"driver,omitempty"`
-	Pool        *string `json:"pool,omitempty"`
-	Device      *string `json:"device,omitempty"`
-	AdminAccess *bool   `json:"adminAccess,omitempty"`
+	Request     *string                              `json:"request,omitempty"`
+	Driver      *string                              `json:"driver,omitempty"`
+	Pool        *string                              `json:"pool,omitempty"`
+	Device      *string                              `json:"device,omitempty"`
+	AdminAccess *bool                                `json:"adminAccess,omitempty"`
+	Tolerations []DeviceTolerationApplyConfiguration `json:"tolerations,omitempty"`
 }
 
 // DeviceRequestAllocationResultApplyConfiguration constructs a declarative configuration of the DeviceRequestAllocationResult type for use with
@@ -73,3 +74,16 @@ func (b *DeviceRequestAllocationResultApplyConfiguration) WithAdminAccess(value
 	b.AdminAccess = &value
 	return b
 }
+
+// WithTolerations adds the given value to the Tolerations field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Tolerations field.
+func (b *DeviceRequestAllocationResultApplyConfiguration) WithTolerations(values ...*DeviceTolerationApplyConfiguration) *DeviceRequestAllocationResultApplyConfiguration {
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithTolerations")
+		}
+		b.Tolerations = append(b.Tolerations, *values[i])
+	}
+	return b
+}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicesubrequest.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicesubrequest.go
index 408c0daa55b..249dcd1f27b 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicesubrequest.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicesubrequest.go
@@ -30,6 +30,7 @@ type DeviceSubRequestApplyConfiguration struct {
 	Selectors       []DeviceSelectorApplyConfiguration     `json:"selectors,omitempty"`
 	AllocationMode  *resourcev1alpha3.DeviceAllocationMode `json:"allocationMode,omitempty"`
 	Count           *int64                                 `json:"count,omitempty"`
+	Tolerations     []DeviceTolerationApplyConfiguration   `json:"tolerations,omitempty"`
 }
 
 // DeviceSubRequestApplyConfiguration constructs a declarative configuration of the DeviceSubRequest type for use with
@@ -82,3 +83,16 @@ func (b *DeviceSubRequestApplyConfiguration) WithCount(value int64) *DeviceSubRe
 	b.Count = &value
 	return b
 }
+
+// WithTolerations adds the given value to the Tolerations field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Tolerations field.
+func (b *DeviceSubRequestApplyConfiguration) WithTolerations(values ...*DeviceTolerationApplyConfiguration) *DeviceSubRequestApplyConfiguration {
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithTolerations")
+		}
+		b.Tolerations = append(b.Tolerations, *values[i])
+	}
+	return b
+}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicetaint.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicetaint.go
new file mode 100644
index 00000000000..0dcd9a58c36
--- /dev/null
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicetaint.go
@@ -0,0 +1,71 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha3
+
+import (
+	resourcev1alpha3 "k8s.io/api/resource/v1alpha3"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// DeviceTaintApplyConfiguration represents a declarative configuration of the DeviceTaint type for use
+// with apply.
+type DeviceTaintApplyConfiguration struct {
+	Key       *string                             `json:"key,omitempty"`
+	Value     *string                             `json:"value,omitempty"`
+	Effect    *resourcev1alpha3.DeviceTaintEffect `json:"effect,omitempty"`
+	TimeAdded *v1.Time                            `json:"timeAdded,omitempty"`
+}
+
+// DeviceTaintApplyConfiguration constructs a declarative configuration of the DeviceTaint type for use with
+// apply.
+func DeviceTaint() *DeviceTaintApplyConfiguration {
+	return &DeviceTaintApplyConfiguration{}
+}
+
+// WithKey sets the Key field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Key field is set to the value of the last call.
+func (b *DeviceTaintApplyConfiguration) WithKey(value string) *DeviceTaintApplyConfiguration {
+	b.Key = &value
+	return b
+}
+
+// WithValue sets the Value field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Value field is set to the value of the last call.
+func (b *DeviceTaintApplyConfiguration) WithValue(value string) *DeviceTaintApplyConfiguration {
+	b.Value = &value
+	return b
+}
+
+// WithEffect sets the Effect field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Effect field is set to the value of the last call.
+func (b *DeviceTaintApplyConfiguration) WithEffect(value resourcev1alpha3.DeviceTaintEffect) *DeviceTaintApplyConfiguration {
+	b.Effect = &value
+	return b
+}
+
+// WithTimeAdded sets the TimeAdded field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the TimeAdded field is set to the value of the last call.
+func (b *DeviceTaintApplyConfiguration) WithTimeAdded(value v1.Time) *DeviceTaintApplyConfiguration {
+	b.TimeAdded = &value
+	return b
+}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicetaintrule.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicetaintrule.go
new file mode 100644
index 00000000000..d4f84399a36
--- /dev/null
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicetaintrule.go
@@ -0,0 +1,253 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha3
+
+import (
+	resourcev1alpha3 "k8s.io/api/resource/v1alpha3"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	managedfields "k8s.io/apimachinery/pkg/util/managedfields"
+	internal "k8s.io/client-go/applyconfigurations/internal"
+	v1 "k8s.io/client-go/applyconfigurations/meta/v1"
+)
+
+// DeviceTaintRuleApplyConfiguration represents a declarative configuration of the DeviceTaintRule type for use
+// with apply.
+type DeviceTaintRuleApplyConfiguration struct {
+	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
+	Spec                             *DeviceTaintRuleSpecApplyConfiguration `json:"spec,omitempty"`
+}
+
+// DeviceTaintRule constructs a declarative configuration of the DeviceTaintRule type for use with
+// apply.
+func DeviceTaintRule(name string) *DeviceTaintRuleApplyConfiguration {
+	b := &DeviceTaintRuleApplyConfiguration{}
+	b.WithName(name)
+	b.WithKind("DeviceTaintRule")
+	b.WithAPIVersion("resource.k8s.io/v1alpha3")
+	return b
+}
+
+// ExtractDeviceTaintRule extracts the applied configuration owned by fieldManager from
+// deviceTaintRule. If no managedFields are found in deviceTaintRule for fieldManager, a
+// DeviceTaintRuleApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// deviceTaintRule must be a unmodified DeviceTaintRule API object that was retrieved from the Kubernetes API.
+// ExtractDeviceTaintRule provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+// Experimental!
+func ExtractDeviceTaintRule(deviceTaintRule *resourcev1alpha3.DeviceTaintRule, fieldManager string) (*DeviceTaintRuleApplyConfiguration, error) {
+	return extractDeviceTaintRule(deviceTaintRule, fieldManager, "")
+}
+
+// ExtractDeviceTaintRuleStatus is the same as ExtractDeviceTaintRule except
+// that it extracts the status subresource applied configuration.
+// Experimental!
+func ExtractDeviceTaintRuleStatus(deviceTaintRule *resourcev1alpha3.DeviceTaintRule, fieldManager string) (*DeviceTaintRuleApplyConfiguration, error) {
+	return extractDeviceTaintRule(deviceTaintRule, fieldManager, "status")
+}
+
+func extractDeviceTaintRule(deviceTaintRule *resourcev1alpha3.DeviceTaintRule, fieldManager string, subresource string) (*DeviceTaintRuleApplyConfiguration, error) {
+	b := &DeviceTaintRuleApplyConfiguration{}
+	err := managedfields.ExtractInto(deviceTaintRule, internal.Parser().Type("io.k8s.api.resource.v1alpha3.DeviceTaintRule"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(deviceTaintRule.Name)
+
+	b.WithKind("DeviceTaintRule")
+	b.WithAPIVersion("resource.k8s.io/v1alpha3")
+	return b, nil
+}
+
+// WithKind sets the Kind field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Kind field is set to the value of the last call.
+func (b *DeviceTaintRuleApplyConfiguration) WithKind(value string) *DeviceTaintRuleApplyConfiguration {
+	b.TypeMetaApplyConfiguration.Kind = &value
+	return b
+}
+
+// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the APIVersion field is set to the value of the last call.
+func (b *DeviceTaintRuleApplyConfiguration) WithAPIVersion(value string) *DeviceTaintRuleApplyConfiguration {
+	b.TypeMetaApplyConfiguration.APIVersion = &value
+	return b
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *DeviceTaintRuleApplyConfiguration) WithName(value string) *DeviceTaintRuleApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.Name = &value
+	return b
+}
+
+// WithGenerateName sets the GenerateName field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the GenerateName field is set to the value of the last call.
+func (b *DeviceTaintRuleApplyConfiguration) WithGenerateName(value string) *DeviceTaintRuleApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.GenerateName = &value
+	return b
+}
+
+// WithNamespace sets the Namespace field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Namespace field is set to the value of the last call.
+func (b *DeviceTaintRuleApplyConfiguration) WithNamespace(value string) *DeviceTaintRuleApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.Namespace = &value
+	return b
+}
+
+// WithUID sets the UID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the UID field is set to the value of the last call.
+func (b *DeviceTaintRuleApplyConfiguration) WithUID(value types.UID) *DeviceTaintRuleApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.UID = &value
+	return b
+}
+
+// WithResourceVersion sets the ResourceVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ResourceVersion field is set to the value of the last call.
+func (b *DeviceTaintRuleApplyConfiguration) WithResourceVersion(value string) *DeviceTaintRuleApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.ResourceVersion = &value
+	return b
+}
+
+// WithGeneration sets the Generation field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Generation field is set to the value of the last call.
+func (b *DeviceTaintRuleApplyConfiguration) WithGeneration(value int64) *DeviceTaintRuleApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.Generation = &value
+	return b
+}
+
+// WithCreationTimestamp sets the CreationTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the CreationTimestamp field is set to the value of the last call.
+func (b *DeviceTaintRuleApplyConfiguration) WithCreationTimestamp(value metav1.Time) *DeviceTaintRuleApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.CreationTimestamp = &value
+	return b
+}
+
+// WithDeletionTimestamp sets the DeletionTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionTimestamp field is set to the value of the last call.
+func (b *DeviceTaintRuleApplyConfiguration) WithDeletionTimestamp(value metav1.Time) *DeviceTaintRuleApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.DeletionTimestamp = &value
+	return b
+}
+
+// WithDeletionGracePeriodSeconds sets the DeletionGracePeriodSeconds field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionGracePeriodSeconds field is set to the value of the last call.
+func (b *DeviceTaintRuleApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *DeviceTaintRuleApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.DeletionGracePeriodSeconds = &value
+	return b
+}
+
+// WithLabels puts the entries into the Labels field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Labels field,
+// overwriting an existing map entries in Labels field with the same key.
+func (b *DeviceTaintRuleApplyConfiguration) WithLabels(entries map[string]string) *DeviceTaintRuleApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	if b.ObjectMetaApplyConfiguration.Labels == nil && len(entries) > 0 {
+		b.ObjectMetaApplyConfiguration.Labels = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.ObjectMetaApplyConfiguration.Labels[k] = v
+	}
+	return b
+}
+
+// WithAnnotations puts the entries into the Annotations field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Annotations field,
+// overwriting an existing map entries in Annotations field with the same key.
+func (b *DeviceTaintRuleApplyConfiguration) WithAnnotations(entries map[string]string) *DeviceTaintRuleApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	if b.ObjectMetaApplyConfiguration.Annotations == nil && len(entries) > 0 {
+		b.ObjectMetaApplyConfiguration.Annotations = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.ObjectMetaApplyConfiguration.Annotations[k] = v
+	}
+	return b
+}
+
+// WithOwnerReferences adds the given value to the OwnerReferences field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the OwnerReferences field.
+func (b *DeviceTaintRuleApplyConfiguration) WithOwnerReferences(values ...*v1.OwnerReferenceApplyConfiguration) *DeviceTaintRuleApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithOwnerReferences")
+		}
+		b.ObjectMetaApplyConfiguration.OwnerReferences = append(b.ObjectMetaApplyConfiguration.OwnerReferences, *values[i])
+	}
+	return b
+}
+
+// WithFinalizers adds the given value to the Finalizers field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Finalizers field.
+func (b *DeviceTaintRuleApplyConfiguration) WithFinalizers(values ...string) *DeviceTaintRuleApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	for i := range values {
+		b.ObjectMetaApplyConfiguration.Finalizers = append(b.ObjectMetaApplyConfiguration.Finalizers, values[i])
+	}
+	return b
+}
+
+func (b *DeviceTaintRuleApplyConfiguration) ensureObjectMetaApplyConfigurationExists() {
+	if b.ObjectMetaApplyConfiguration == nil {
+		b.ObjectMetaApplyConfiguration = &v1.ObjectMetaApplyConfiguration{}
+	}
+}
+
+// WithSpec sets the Spec field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Spec field is set to the value of the last call.
+func (b *DeviceTaintRuleApplyConfiguration) WithSpec(value *DeviceTaintRuleSpecApplyConfiguration) *DeviceTaintRuleApplyConfiguration {
+	b.Spec = value
+	return b
+}
+
+// GetName retrieves the value of the Name field in the declarative configuration.
+func (b *DeviceTaintRuleApplyConfiguration) GetName() *string {
+	b.ensureObjectMetaApplyConfigurationExists()
+	return b.ObjectMetaApplyConfiguration.Name
+}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicetaintrulespec.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicetaintrulespec.go
new file mode 100644
index 00000000000..a14ada3d450
--- /dev/null
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicetaintrulespec.go
@@ -0,0 +1,48 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha3
+
+// DeviceTaintRuleSpecApplyConfiguration represents a declarative configuration of the DeviceTaintRuleSpec type for use
+// with apply.
+type DeviceTaintRuleSpecApplyConfiguration struct {
+	DeviceSelector *DeviceTaintSelectorApplyConfiguration `json:"deviceSelector,omitempty"`
+	Taint          *DeviceTaintApplyConfiguration         `json:"taint,omitempty"`
+}
+
+// DeviceTaintRuleSpecApplyConfiguration constructs a declarative configuration of the DeviceTaintRuleSpec type for use with
+// apply.
+func DeviceTaintRuleSpec() *DeviceTaintRuleSpecApplyConfiguration {
+	return &DeviceTaintRuleSpecApplyConfiguration{}
+}
+
+// WithDeviceSelector sets the DeviceSelector field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeviceSelector field is set to the value of the last call.
+func (b *DeviceTaintRuleSpecApplyConfiguration) WithDeviceSelector(value *DeviceTaintSelectorApplyConfiguration) *DeviceTaintRuleSpecApplyConfiguration {
+	b.DeviceSelector = value
+	return b
+}
+
+// WithTaint sets the Taint field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Taint field is set to the value of the last call.
+func (b *DeviceTaintRuleSpecApplyConfiguration) WithTaint(value *DeviceTaintApplyConfiguration) *DeviceTaintRuleSpecApplyConfiguration {
+	b.Taint = value
+	return b
+}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicetaintselector.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicetaintselector.go
new file mode 100644
index 00000000000..aecb2aa2458
--- /dev/null
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicetaintselector.go
@@ -0,0 +1,80 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha3
+
+// DeviceTaintSelectorApplyConfiguration represents a declarative configuration of the DeviceTaintSelector type for use
+// with apply.
+type DeviceTaintSelectorApplyConfiguration struct {
+	DeviceClassName *string                            `json:"deviceClassName,omitempty"`
+	Driver          *string                            `json:"driver,omitempty"`
+	Pool            *string                            `json:"pool,omitempty"`
+	Device          *string                            `json:"device,omitempty"`
+	Selectors       []DeviceSelectorApplyConfiguration `json:"selectors,omitempty"`
+}
+
+// DeviceTaintSelectorApplyConfiguration constructs a declarative configuration of the DeviceTaintSelector type for use with
+// apply.
+func DeviceTaintSelector() *DeviceTaintSelectorApplyConfiguration {
+	return &DeviceTaintSelectorApplyConfiguration{}
+}
+
+// WithDeviceClassName sets the DeviceClassName field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeviceClassName field is set to the value of the last call.
+func (b *DeviceTaintSelectorApplyConfiguration) WithDeviceClassName(value string) *DeviceTaintSelectorApplyConfiguration {
+	b.DeviceClassName = &value
+	return b
+}
+
+// WithDriver sets the Driver field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Driver field is set to the value of the last call.
+func (b *DeviceTaintSelectorApplyConfiguration) WithDriver(value string) *DeviceTaintSelectorApplyConfiguration {
+	b.Driver = &value
+	return b
+}
+
+// WithPool sets the Pool field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Pool field is set to the value of the last call.
+func (b *DeviceTaintSelectorApplyConfiguration) WithPool(value string) *DeviceTaintSelectorApplyConfiguration {
+	b.Pool = &value
+	return b
+}
+
+// WithDevice sets the Device field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Device field is set to the value of the last call.
+func (b *DeviceTaintSelectorApplyConfiguration) WithDevice(value string) *DeviceTaintSelectorApplyConfiguration {
+	b.Device = &value
+	return b
+}
+
+// WithSelectors adds the given value to the Selectors field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Selectors field.
+func (b *DeviceTaintSelectorApplyConfiguration) WithSelectors(values ...*DeviceSelectorApplyConfiguration) *DeviceTaintSelectorApplyConfiguration {
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithSelectors")
+		}
+		b.Selectors = append(b.Selectors, *values[i])
+	}
+	return b
+}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicetoleration.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicetoleration.go
new file mode 100644
index 00000000000..fe4a67419ac
--- /dev/null
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1alpha3/devicetoleration.go
@@ -0,0 +1,79 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha3
+
+import (
+	resourcev1alpha3 "k8s.io/api/resource/v1alpha3"
+)
+
+// DeviceTolerationApplyConfiguration represents a declarative configuration of the DeviceToleration type for use
+// with apply.
+type DeviceTolerationApplyConfiguration struct {
+	Key               *string                                    `json:"key,omitempty"`
+	Operator          *resourcev1alpha3.DeviceTolerationOperator `json:"operator,omitempty"`
+	Value             *string                                    `json:"value,omitempty"`
+	Effect            *resourcev1alpha3.DeviceTaintEffect        `json:"effect,omitempty"`
+	TolerationSeconds *int64                                     `json:"tolerationSeconds,omitempty"`
+}
+
+// DeviceTolerationApplyConfiguration constructs a declarative configuration of the DeviceToleration type for use with
+// apply.
+func DeviceToleration() *DeviceTolerationApplyConfiguration {
+	return &DeviceTolerationApplyConfiguration{}
+}
+
+// WithKey sets the Key field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Key field is set to the value of the last call.
+func (b *DeviceTolerationApplyConfiguration) WithKey(value string) *DeviceTolerationApplyConfiguration {
+	b.Key = &value
+	return b
+}
+
+// WithOperator sets the Operator field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Operator field is set to the value of the last call.
+func (b *DeviceTolerationApplyConfiguration) WithOperator(value resourcev1alpha3.DeviceTolerationOperator) *DeviceTolerationApplyConfiguration {
+	b.Operator = &value
+	return b
+}
+
+// WithValue sets the Value field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Value field is set to the value of the last call.
+func (b *DeviceTolerationApplyConfiguration) WithValue(value string) *DeviceTolerationApplyConfiguration {
+	b.Value = &value
+	return b
+}
+
+// WithEffect sets the Effect field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Effect field is set to the value of the last call.
+func (b *DeviceTolerationApplyConfiguration) WithEffect(value resourcev1alpha3.DeviceTaintEffect) *DeviceTolerationApplyConfiguration {
+	b.Effect = &value
+	return b
+}
+
+// WithTolerationSeconds sets the TolerationSeconds field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the TolerationSeconds field is set to the value of the last call.
+func (b *DeviceTolerationApplyConfiguration) WithTolerationSeconds(value int64) *DeviceTolerationApplyConfiguration {
+	b.TolerationSeconds = &value
+	return b
+}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/basicdevice.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/basicdevice.go
index 691a8f15aab..25f3532bafd 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/basicdevice.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/basicdevice.go
@@ -27,6 +27,7 @@ import (
 type BasicDeviceApplyConfiguration struct {
 	Attributes map[resourcev1beta1.QualifiedName]DeviceAttributeApplyConfiguration `json:"attributes,omitempty"`
 	Capacity   map[resourcev1beta1.QualifiedName]DeviceCapacityApplyConfiguration  `json:"capacity,omitempty"`
+	Taints     []DeviceTaintApplyConfiguration                                     `json:"taints,omitempty"`
 }
 
 // BasicDeviceApplyConfiguration constructs a declarative configuration of the BasicDevice type for use with
@@ -62,3 +63,16 @@ func (b *BasicDeviceApplyConfiguration) WithCapacity(entries map[resourcev1beta1
 	}
 	return b
 }
+
+// WithTaints adds the given value to the Taints field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Taints field.
+func (b *BasicDeviceApplyConfiguration) WithTaints(values ...*DeviceTaintApplyConfiguration) *BasicDeviceApplyConfiguration {
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithTaints")
+		}
+		b.Taints = append(b.Taints, *values[i])
+	}
+	return b
+}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicerequest.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicerequest.go
index 1099b6dd01f..1be114f02a4 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicerequest.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicerequest.go
@@ -32,6 +32,7 @@ type DeviceRequestApplyConfiguration struct {
 	Count           *int64                                `json:"count,omitempty"`
 	AdminAccess     *bool                                 `json:"adminAccess,omitempty"`
 	FirstAvailable  []DeviceSubRequestApplyConfiguration  `json:"firstAvailable,omitempty"`
+	Tolerations     []DeviceTolerationApplyConfiguration  `json:"tolerations,omitempty"`
 }
 
 // DeviceRequestApplyConfiguration constructs a declarative configuration of the DeviceRequest type for use with
@@ -105,3 +106,16 @@ func (b *DeviceRequestApplyConfiguration) WithFirstAvailable(values ...*DeviceSu
 	}
 	return b
 }
+
+// WithTolerations adds the given value to the Tolerations field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Tolerations field.
+func (b *DeviceRequestApplyConfiguration) WithTolerations(values ...*DeviceTolerationApplyConfiguration) *DeviceRequestApplyConfiguration {
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithTolerations")
+		}
+		b.Tolerations = append(b.Tolerations, *values[i])
+	}
+	return b
+}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicerequestallocationresult.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicerequestallocationresult.go
index c28eb26ab63..aa207351db9 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicerequestallocationresult.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicerequestallocationresult.go
@@ -21,11 +21,12 @@ package v1beta1
 // DeviceRequestAllocationResultApplyConfiguration represents a declarative configuration of the DeviceRequestAllocationResult type for use
 // with apply.
 type DeviceRequestAllocationResultApplyConfiguration struct {
-	Request     *string `json:"request,omitempty"`
-	Driver      *string `json:"driver,omitempty"`
-	Pool        *string `json:"pool,omitempty"`
-	Device      *string `json:"device,omitempty"`
-	AdminAccess *bool   `json:"adminAccess,omitempty"`
+	Request     *string                              `json:"request,omitempty"`
+	Driver      *string                              `json:"driver,omitempty"`
+	Pool        *string                              `json:"pool,omitempty"`
+	Device      *string                              `json:"device,omitempty"`
+	AdminAccess *bool                                `json:"adminAccess,omitempty"`
+	Tolerations []DeviceTolerationApplyConfiguration `json:"tolerations,omitempty"`
 }
 
 // DeviceRequestAllocationResultApplyConfiguration constructs a declarative configuration of the DeviceRequestAllocationResult type for use with
@@ -73,3 +74,16 @@ func (b *DeviceRequestAllocationResultApplyConfiguration) WithAdminAccess(value
 	b.AdminAccess = &value
 	return b
 }
+
+// WithTolerations adds the given value to the Tolerations field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Tolerations field.
+func (b *DeviceRequestAllocationResultApplyConfiguration) WithTolerations(values ...*DeviceTolerationApplyConfiguration) *DeviceRequestAllocationResultApplyConfiguration {
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithTolerations")
+		}
+		b.Tolerations = append(b.Tolerations, *values[i])
+	}
+	return b
+}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicesubrequest.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicesubrequest.go
index 0cc96d76990..f2ea8200134 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicesubrequest.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicesubrequest.go
@@ -30,6 +30,7 @@ type DeviceSubRequestApplyConfiguration struct {
 	Selectors       []DeviceSelectorApplyConfiguration    `json:"selectors,omitempty"`
 	AllocationMode  *resourcev1beta1.DeviceAllocationMode `json:"allocationMode,omitempty"`
 	Count           *int64                                `json:"count,omitempty"`
+	Tolerations     []DeviceTolerationApplyConfiguration  `json:"tolerations,omitempty"`
 }
 
 // DeviceSubRequestApplyConfiguration constructs a declarative configuration of the DeviceSubRequest type for use with
@@ -82,3 +83,16 @@ func (b *DeviceSubRequestApplyConfiguration) WithCount(value int64) *DeviceSubRe
 	b.Count = &value
 	return b
 }
+
+// WithTolerations adds the given value to the Tolerations field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Tolerations field.
+func (b *DeviceSubRequestApplyConfiguration) WithTolerations(values ...*DeviceTolerationApplyConfiguration) *DeviceSubRequestApplyConfiguration {
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithTolerations")
+		}
+		b.Tolerations = append(b.Tolerations, *values[i])
+	}
+	return b
+}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicetaint.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicetaint.go
new file mode 100644
index 00000000000..bfa826f063f
--- /dev/null
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicetaint.go
@@ -0,0 +1,71 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1beta1
+
+import (
+	resourcev1beta1 "k8s.io/api/resource/v1beta1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// DeviceTaintApplyConfiguration represents a declarative configuration of the DeviceTaint type for use
+// with apply.
+type DeviceTaintApplyConfiguration struct {
+	Key       *string                            `json:"key,omitempty"`
+	Value     *string                            `json:"value,omitempty"`
+	Effect    *resourcev1beta1.DeviceTaintEffect `json:"effect,omitempty"`
+	TimeAdded *v1.Time                           `json:"timeAdded,omitempty"`
+}
+
+// DeviceTaintApplyConfiguration constructs a declarative configuration of the DeviceTaint type for use with
+// apply.
+func DeviceTaint() *DeviceTaintApplyConfiguration {
+	return &DeviceTaintApplyConfiguration{}
+}
+
+// WithKey sets the Key field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Key field is set to the value of the last call.
+func (b *DeviceTaintApplyConfiguration) WithKey(value string) *DeviceTaintApplyConfiguration {
+	b.Key = &value
+	return b
+}
+
+// WithValue sets the Value field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Value field is set to the value of the last call.
+func (b *DeviceTaintApplyConfiguration) WithValue(value string) *DeviceTaintApplyConfiguration {
+	b.Value = &value
+	return b
+}
+
+// WithEffect sets the Effect field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Effect field is set to the value of the last call.
+func (b *DeviceTaintApplyConfiguration) WithEffect(value resourcev1beta1.DeviceTaintEffect) *DeviceTaintApplyConfiguration {
+	b.Effect = &value
+	return b
+}
+
+// WithTimeAdded sets the TimeAdded field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the TimeAdded field is set to the value of the last call.
+func (b *DeviceTaintApplyConfiguration) WithTimeAdded(value v1.Time) *DeviceTaintApplyConfiguration {
+	b.TimeAdded = &value
+	return b
+}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicetoleration.go b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicetoleration.go
new file mode 100644
index 00000000000..977af67043c
--- /dev/null
+++ b/staging/src/k8s.io/client-go/applyconfigurations/resource/v1beta1/devicetoleration.go
@@ -0,0 +1,79 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1beta1
+
+import (
+	resourcev1beta1 "k8s.io/api/resource/v1beta1"
+)
+
+// DeviceTolerationApplyConfiguration represents a declarative configuration of the DeviceToleration type for use
+// with apply.
+type DeviceTolerationApplyConfiguration struct {
+	Key               *string                                   `json:"key,omitempty"`
+	Operator          *resourcev1beta1.DeviceTolerationOperator `json:"operator,omitempty"`
+	Value             *string                                   `json:"value,omitempty"`
+	Effect            *resourcev1beta1.DeviceTaintEffect        `json:"effect,omitempty"`
+	TolerationSeconds *int64                                    `json:"tolerationSeconds,omitempty"`
+}
+
+// DeviceTolerationApplyConfiguration constructs a declarative configuration of the DeviceToleration type for use with
+// apply.
+func DeviceToleration() *DeviceTolerationApplyConfiguration {
+	return &DeviceTolerationApplyConfiguration{}
+}
+
+// WithKey sets the Key field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Key field is set to the value of the last call.
+func (b *DeviceTolerationApplyConfiguration) WithKey(value string) *DeviceTolerationApplyConfiguration {
+	b.Key = &value
+	return b
+}
+
+// WithOperator sets the Operator field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Operator field is set to the value of the last call.
+func (b *DeviceTolerationApplyConfiguration) WithOperator(value resourcev1beta1.DeviceTolerationOperator) *DeviceTolerationApplyConfiguration {
+	b.Operator = &value
+	return b
+}
+
+// WithValue sets the Value field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Value field is set to the value of the last call.
+func (b *DeviceTolerationApplyConfiguration) WithValue(value string) *DeviceTolerationApplyConfiguration {
+	b.Value = &value
+	return b
+}
+
+// WithEffect sets the Effect field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Effect field is set to the value of the last call.
+func (b *DeviceTolerationApplyConfiguration) WithEffect(value resourcev1beta1.DeviceTaintEffect) *DeviceTolerationApplyConfiguration {
+	b.Effect = &value
+	return b
+}
+
+// WithTolerationSeconds sets the TolerationSeconds field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the TolerationSeconds field is set to the value of the last call.
+func (b *DeviceTolerationApplyConfiguration) WithTolerationSeconds(value int64) *DeviceTolerationApplyConfiguration {
+	b.TolerationSeconds = &value
+	return b
+}
diff --git a/staging/src/k8s.io/client-go/applyconfigurations/utils.go b/staging/src/k8s.io/client-go/applyconfigurations/utils.go
index b21bc1e2443..91259600efa 100644
--- a/staging/src/k8s.io/client-go/applyconfigurations/utils.go
+++ b/staging/src/k8s.io/client-go/applyconfigurations/utils.go
@@ -1640,6 +1640,16 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
 		return &resourcev1alpha3.DeviceSelectorApplyConfiguration{}
 	case v1alpha3.SchemeGroupVersion.WithKind("DeviceSubRequest"):
 		return &resourcev1alpha3.DeviceSubRequestApplyConfiguration{}
+	case v1alpha3.SchemeGroupVersion.WithKind("DeviceTaint"):
+		return &resourcev1alpha3.DeviceTaintApplyConfiguration{}
+	case v1alpha3.SchemeGroupVersion.WithKind("DeviceTaintRule"):
+		return &resourcev1alpha3.DeviceTaintRuleApplyConfiguration{}
+	case v1alpha3.SchemeGroupVersion.WithKind("DeviceTaintRuleSpec"):
+		return &resourcev1alpha3.DeviceTaintRuleSpecApplyConfiguration{}
+	case v1alpha3.SchemeGroupVersion.WithKind("DeviceTaintSelector"):
+		return &resourcev1alpha3.DeviceTaintSelectorApplyConfiguration{}
+	case v1alpha3.SchemeGroupVersion.WithKind("DeviceToleration"):
+		return &resourcev1alpha3.DeviceTolerationApplyConfiguration{}
 	case v1alpha3.SchemeGroupVersion.WithKind("NetworkDeviceData"):
 		return &resourcev1alpha3.NetworkDeviceDataApplyConfiguration{}
 	case v1alpha3.SchemeGroupVersion.WithKind("OpaqueDeviceConfiguration"):
@@ -1704,6 +1714,10 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
 		return &applyconfigurationsresourcev1beta1.DeviceSelectorApplyConfiguration{}
 	case resourcev1beta1.SchemeGroupVersion.WithKind("DeviceSubRequest"):
 		return &applyconfigurationsresourcev1beta1.DeviceSubRequestApplyConfiguration{}
+	case resourcev1beta1.SchemeGroupVersion.WithKind("DeviceTaint"):
+		return &applyconfigurationsresourcev1beta1.DeviceTaintApplyConfiguration{}
+	case resourcev1beta1.SchemeGroupVersion.WithKind("DeviceToleration"):
+		return &applyconfigurationsresourcev1beta1.DeviceTolerationApplyConfiguration{}
 	case resourcev1beta1.SchemeGroupVersion.WithKind("NetworkDeviceData"):
 		return &applyconfigurationsresourcev1beta1.NetworkDeviceDataApplyConfiguration{}
 	case resourcev1beta1.SchemeGroupVersion.WithKind("OpaqueDeviceConfiguration"):
diff --git a/staging/src/k8s.io/client-go/informers/generic.go b/staging/src/k8s.io/client-go/informers/generic.go
index 59da79a13ef..f262e8b67da 100644
--- a/staging/src/k8s.io/client-go/informers/generic.go
+++ b/staging/src/k8s.io/client-go/informers/generic.go
@@ -387,6 +387,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
 		// Group=resource.k8s.io, Version=v1alpha3
 	case v1alpha3.SchemeGroupVersion.WithResource("deviceclasses"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Resource().V1alpha3().DeviceClasses().Informer()}, nil
+	case v1alpha3.SchemeGroupVersion.WithResource("devicetaintrules"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Resource().V1alpha3().DeviceTaintRules().Informer()}, nil
 	case v1alpha3.SchemeGroupVersion.WithResource("resourceclaims"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Resource().V1alpha3().ResourceClaims().Informer()}, nil
 	case v1alpha3.SchemeGroupVersion.WithResource("resourceclaimtemplates"):
diff --git a/staging/src/k8s.io/client-go/informers/resource/v1alpha3/devicetaintrule.go b/staging/src/k8s.io/client-go/informers/resource/v1alpha3/devicetaintrule.go
new file mode 100644
index 00000000000..9a07c8f4e53
--- /dev/null
+++ b/staging/src/k8s.io/client-go/informers/resource/v1alpha3/devicetaintrule.go
@@ -0,0 +1,101 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha3
+
+import (
+	context "context"
+	time "time"
+
+	apiresourcev1alpha3 "k8s.io/api/resource/v1alpha3"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	internalinterfaces "k8s.io/client-go/informers/internalinterfaces"
+	kubernetes "k8s.io/client-go/kubernetes"
+	resourcev1alpha3 "k8s.io/client-go/listers/resource/v1alpha3"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// DeviceTaintRuleInformer provides access to a shared informer and lister for
+// DeviceTaintRules.
+type DeviceTaintRuleInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() resourcev1alpha3.DeviceTaintRuleLister
+}
+
+type deviceTaintRuleInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+}
+
+// NewDeviceTaintRuleInformer constructs a new informer for DeviceTaintRule type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewDeviceTaintRuleInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredDeviceTaintRuleInformer(client, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredDeviceTaintRuleInformer constructs a new informer for DeviceTaintRule type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredDeviceTaintRuleInformer(client kubernetes.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.ResourceV1alpha3().DeviceTaintRules().List(context.Background(), options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.ResourceV1alpha3().DeviceTaintRules().Watch(context.Background(), options)
+			},
+			ListWithContextFunc: func(ctx context.Context, options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.ResourceV1alpha3().DeviceTaintRules().List(ctx, options)
+			},
+			WatchFuncWithContext: func(ctx context.Context, options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.ResourceV1alpha3().DeviceTaintRules().Watch(ctx, options)
+			},
+		},
+		&apiresourcev1alpha3.DeviceTaintRule{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *deviceTaintRuleInformer) defaultInformer(client kubernetes.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredDeviceTaintRuleInformer(client, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *deviceTaintRuleInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&apiresourcev1alpha3.DeviceTaintRule{}, f.defaultInformer)
+}
+
+func (f *deviceTaintRuleInformer) Lister() resourcev1alpha3.DeviceTaintRuleLister {
+	return resourcev1alpha3.NewDeviceTaintRuleLister(f.Informer().GetIndexer())
+}
diff --git a/staging/src/k8s.io/client-go/informers/resource/v1alpha3/interface.go b/staging/src/k8s.io/client-go/informers/resource/v1alpha3/interface.go
index 356c46179df..11c7f849af8 100644
--- a/staging/src/k8s.io/client-go/informers/resource/v1alpha3/interface.go
+++ b/staging/src/k8s.io/client-go/informers/resource/v1alpha3/interface.go
@@ -26,6 +26,8 @@ import (
 type Interface interface {
 	// DeviceClasses returns a DeviceClassInformer.
 	DeviceClasses() DeviceClassInformer
+	// DeviceTaintRules returns a DeviceTaintRuleInformer.
+	DeviceTaintRules() DeviceTaintRuleInformer
 	// ResourceClaims returns a ResourceClaimInformer.
 	ResourceClaims() ResourceClaimInformer
 	// ResourceClaimTemplates returns a ResourceClaimTemplateInformer.
@@ -50,6 +52,11 @@ func (v *version) DeviceClasses() DeviceClassInformer {
 	return &deviceClassInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}
 }
 
+// DeviceTaintRules returns a DeviceTaintRuleInformer.
+func (v *version) DeviceTaintRules() DeviceTaintRuleInformer {
+	return &deviceTaintRuleInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}
+}
+
 // ResourceClaims returns a ResourceClaimInformer.
 func (v *version) ResourceClaims() ResourceClaimInformer {
 	return &resourceClaimInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/resource/v1alpha3/devicetaintrule.go b/staging/src/k8s.io/client-go/kubernetes/typed/resource/v1alpha3/devicetaintrule.go
new file mode 100644
index 00000000000..77e26b6e3a5
--- /dev/null
+++ b/staging/src/k8s.io/client-go/kubernetes/typed/resource/v1alpha3/devicetaintrule.go
@@ -0,0 +1,71 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha3
+
+import (
+	context "context"
+
+	resourcev1alpha3 "k8s.io/api/resource/v1alpha3"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	applyconfigurationsresourcev1alpha3 "k8s.io/client-go/applyconfigurations/resource/v1alpha3"
+	gentype "k8s.io/client-go/gentype"
+	scheme "k8s.io/client-go/kubernetes/scheme"
+)
+
+// DeviceTaintRulesGetter has a method to return a DeviceTaintRuleInterface.
+// A group's client should implement this interface.
+type DeviceTaintRulesGetter interface {
+	DeviceTaintRules() DeviceTaintRuleInterface
+}
+
+// DeviceTaintRuleInterface has methods to work with DeviceTaintRule resources.
+type DeviceTaintRuleInterface interface {
+	Create(ctx context.Context, deviceTaintRule *resourcev1alpha3.DeviceTaintRule, opts v1.CreateOptions) (*resourcev1alpha3.DeviceTaintRule, error)
+	Update(ctx context.Context, deviceTaintRule *resourcev1alpha3.DeviceTaintRule, opts v1.UpdateOptions) (*resourcev1alpha3.DeviceTaintRule, error)
+	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
+	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
+	Get(ctx context.Context, name string, opts v1.GetOptions) (*resourcev1alpha3.DeviceTaintRule, error)
+	List(ctx context.Context, opts v1.ListOptions) (*resourcev1alpha3.DeviceTaintRuleList, error)
+	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
+	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *resourcev1alpha3.DeviceTaintRule, err error)
+	Apply(ctx context.Context, deviceTaintRule *applyconfigurationsresourcev1alpha3.DeviceTaintRuleApplyConfiguration, opts v1.ApplyOptions) (result *resourcev1alpha3.DeviceTaintRule, err error)
+	DeviceTaintRuleExpansion
+}
+
+// deviceTaintRules implements DeviceTaintRuleInterface
+type deviceTaintRules struct {
+	*gentype.ClientWithListAndApply[*resourcev1alpha3.DeviceTaintRule, *resourcev1alpha3.DeviceTaintRuleList, *applyconfigurationsresourcev1alpha3.DeviceTaintRuleApplyConfiguration]
+}
+
+// newDeviceTaintRules returns a DeviceTaintRules
+func newDeviceTaintRules(c *ResourceV1alpha3Client) *deviceTaintRules {
+	return &deviceTaintRules{
+		gentype.NewClientWithListAndApply[*resourcev1alpha3.DeviceTaintRule, *resourcev1alpha3.DeviceTaintRuleList, *applyconfigurationsresourcev1alpha3.DeviceTaintRuleApplyConfiguration](
+			"devicetaintrules",
+			c.RESTClient(),
+			scheme.ParameterCodec,
+			"",
+			func() *resourcev1alpha3.DeviceTaintRule { return &resourcev1alpha3.DeviceTaintRule{} },
+			func() *resourcev1alpha3.DeviceTaintRuleList { return &resourcev1alpha3.DeviceTaintRuleList{} },
+			gentype.PrefersProtobuf[*resourcev1alpha3.DeviceTaintRule](),
+		),
+	}
+}
diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/resource/v1alpha3/fake/fake_devicetaintrule.go b/staging/src/k8s.io/client-go/kubernetes/typed/resource/v1alpha3/fake/fake_devicetaintrule.go
new file mode 100644
index 00000000000..62a55561f34
--- /dev/null
+++ b/staging/src/k8s.io/client-go/kubernetes/typed/resource/v1alpha3/fake/fake_devicetaintrule.go
@@ -0,0 +1,53 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	v1alpha3 "k8s.io/api/resource/v1alpha3"
+	resourcev1alpha3 "k8s.io/client-go/applyconfigurations/resource/v1alpha3"
+	gentype "k8s.io/client-go/gentype"
+	typedresourcev1alpha3 "k8s.io/client-go/kubernetes/typed/resource/v1alpha3"
+)
+
+// fakeDeviceTaintRules implements DeviceTaintRuleInterface
+type fakeDeviceTaintRules struct {
+	*gentype.FakeClientWithListAndApply[*v1alpha3.DeviceTaintRule, *v1alpha3.DeviceTaintRuleList, *resourcev1alpha3.DeviceTaintRuleApplyConfiguration]
+	Fake *FakeResourceV1alpha3
+}
+
+func newFakeDeviceTaintRules(fake *FakeResourceV1alpha3) typedresourcev1alpha3.DeviceTaintRuleInterface {
+	return &fakeDeviceTaintRules{
+		gentype.NewFakeClientWithListAndApply[*v1alpha3.DeviceTaintRule, *v1alpha3.DeviceTaintRuleList, *resourcev1alpha3.DeviceTaintRuleApplyConfiguration](
+			fake.Fake,
+			"",
+			v1alpha3.SchemeGroupVersion.WithResource("devicetaintrules"),
+			v1alpha3.SchemeGroupVersion.WithKind("DeviceTaintRule"),
+			func() *v1alpha3.DeviceTaintRule { return &v1alpha3.DeviceTaintRule{} },
+			func() *v1alpha3.DeviceTaintRuleList { return &v1alpha3.DeviceTaintRuleList{} },
+			func(dst, src *v1alpha3.DeviceTaintRuleList) { dst.ListMeta = src.ListMeta },
+			func(list *v1alpha3.DeviceTaintRuleList) []*v1alpha3.DeviceTaintRule {
+				return gentype.ToPointerSlice(list.Items)
+			},
+			func(list *v1alpha3.DeviceTaintRuleList, items []*v1alpha3.DeviceTaintRule) {
+				list.Items = gentype.FromPointerSlice(items)
+			},
+		),
+		fake,
+	}
+}
diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/resource/v1alpha3/fake/fake_resource_client.go b/staging/src/k8s.io/client-go/kubernetes/typed/resource/v1alpha3/fake/fake_resource_client.go
index 83dfdb2b937..d6d872d85df 100644
--- a/staging/src/k8s.io/client-go/kubernetes/typed/resource/v1alpha3/fake/fake_resource_client.go
+++ b/staging/src/k8s.io/client-go/kubernetes/typed/resource/v1alpha3/fake/fake_resource_client.go
@@ -32,6 +32,10 @@ func (c *FakeResourceV1alpha3) DeviceClasses() v1alpha3.DeviceClassInterface {
 	return newFakeDeviceClasses(c)
 }
 
+func (c *FakeResourceV1alpha3) DeviceTaintRules() v1alpha3.DeviceTaintRuleInterface {
+	return newFakeDeviceTaintRules(c)
+}
+
 func (c *FakeResourceV1alpha3) ResourceClaims(namespace string) v1alpha3.ResourceClaimInterface {
 	return newFakeResourceClaims(c, namespace)
 }
diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/resource/v1alpha3/generated_expansion.go b/staging/src/k8s.io/client-go/kubernetes/typed/resource/v1alpha3/generated_expansion.go
index cd8862ea842..6a7ffeda810 100644
--- a/staging/src/k8s.io/client-go/kubernetes/typed/resource/v1alpha3/generated_expansion.go
+++ b/staging/src/k8s.io/client-go/kubernetes/typed/resource/v1alpha3/generated_expansion.go
@@ -20,6 +20,8 @@ package v1alpha3
 
 type DeviceClassExpansion interface{}
 
+type DeviceTaintRuleExpansion interface{}
+
 type ResourceClaimExpansion interface{}
 
 type ResourceClaimTemplateExpansion interface{}
diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/resource/v1alpha3/resource_client.go b/staging/src/k8s.io/client-go/kubernetes/typed/resource/v1alpha3/resource_client.go
index 9b56b72e16c..7e16ac15409 100644
--- a/staging/src/k8s.io/client-go/kubernetes/typed/resource/v1alpha3/resource_client.go
+++ b/staging/src/k8s.io/client-go/kubernetes/typed/resource/v1alpha3/resource_client.go
@@ -29,6 +29,7 @@ import (
 type ResourceV1alpha3Interface interface {
 	RESTClient() rest.Interface
 	DeviceClassesGetter
+	DeviceTaintRulesGetter
 	ResourceClaimsGetter
 	ResourceClaimTemplatesGetter
 	ResourceSlicesGetter
@@ -43,6 +44,10 @@ func (c *ResourceV1alpha3Client) DeviceClasses() DeviceClassInterface {
 	return newDeviceClasses(c)
 }
 
+func (c *ResourceV1alpha3Client) DeviceTaintRules() DeviceTaintRuleInterface {
+	return newDeviceTaintRules(c)
+}
+
 func (c *ResourceV1alpha3Client) ResourceClaims(namespace string) ResourceClaimInterface {
 	return newResourceClaims(c, namespace)
 }
diff --git a/staging/src/k8s.io/client-go/listers/resource/v1alpha3/devicetaintrule.go b/staging/src/k8s.io/client-go/listers/resource/v1alpha3/devicetaintrule.go
new file mode 100644
index 00000000000..28d94ff2e4c
--- /dev/null
+++ b/staging/src/k8s.io/client-go/listers/resource/v1alpha3/devicetaintrule.go
@@ -0,0 +1,48 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha3
+
+import (
+	resourcev1alpha3 "k8s.io/api/resource/v1alpha3"
+	labels "k8s.io/apimachinery/pkg/labels"
+	listers "k8s.io/client-go/listers"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// DeviceTaintRuleLister helps list DeviceTaintRules.
+// All objects returned here must be treated as read-only.
+type DeviceTaintRuleLister interface {
+	// List lists all DeviceTaintRules in the indexer.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*resourcev1alpha3.DeviceTaintRule, err error)
+	// Get retrieves the DeviceTaintRule from the index for a given name.
+	// Objects returned here must be treated as read-only.
+	Get(name string) (*resourcev1alpha3.DeviceTaintRule, error)
+	DeviceTaintRuleListerExpansion
+}
+
+// deviceTaintRuleLister implements the DeviceTaintRuleLister interface.
+type deviceTaintRuleLister struct {
+	listers.ResourceIndexer[*resourcev1alpha3.DeviceTaintRule]
+}
+
+// NewDeviceTaintRuleLister returns a new DeviceTaintRuleLister.
+func NewDeviceTaintRuleLister(indexer cache.Indexer) DeviceTaintRuleLister {
+	return &deviceTaintRuleLister{listers.New[*resourcev1alpha3.DeviceTaintRule](indexer, resourcev1alpha3.Resource("devicetaintrule"))}
+}
diff --git a/staging/src/k8s.io/client-go/listers/resource/v1alpha3/expansion_generated.go b/staging/src/k8s.io/client-go/listers/resource/v1alpha3/expansion_generated.go
index f626c92837e..ff94d28691c 100644
--- a/staging/src/k8s.io/client-go/listers/resource/v1alpha3/expansion_generated.go
+++ b/staging/src/k8s.io/client-go/listers/resource/v1alpha3/expansion_generated.go
@@ -22,6 +22,10 @@ package v1alpha3
 // DeviceClassLister.
 type DeviceClassListerExpansion interface{}
 
+// DeviceTaintRuleListerExpansion allows custom methods to be added to
+// DeviceTaintRuleLister.
+type DeviceTaintRuleListerExpansion interface{}
+
 // ResourceClaimListerExpansion allows custom methods to be added to
 // ResourceClaimLister.
 type ResourceClaimListerExpansion interface{}
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/api/zz_generated.conversion.go b/staging/src/k8s.io/dynamic-resource-allocation/api/zz_generated.conversion.go
index 36481d9af4e..78febb4cf89 100644
--- a/staging/src/k8s.io/dynamic-resource-allocation/api/zz_generated.conversion.go
+++ b/staging/src/k8s.io/dynamic-resource-allocation/api/zz_generated.conversion.go
@@ -24,8 +24,9 @@ package api
 import (
 	unsafe "unsafe"
 
-	v1 "k8s.io/api/core/v1"
+	corev1 "k8s.io/api/core/v1"
 	v1beta1 "k8s.io/api/resource/v1beta1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	conversion "k8s.io/apimachinery/pkg/conversion"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
@@ -77,6 +78,16 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddGeneratedConversionFunc((*DeviceTaint)(nil), (*v1beta1.DeviceTaint)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_api_DeviceTaint_To_v1beta1_DeviceTaint(a.(*DeviceTaint), b.(*v1beta1.DeviceTaint), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*v1beta1.DeviceTaint)(nil), (*DeviceTaint)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1beta1_DeviceTaint_To_api_DeviceTaint(a.(*v1beta1.DeviceTaint), b.(*DeviceTaint), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddGeneratedConversionFunc((*ResourcePool)(nil), (*v1beta1.ResourcePool)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_api_ResourcePool_To_v1beta1_ResourcePool(a.(*ResourcePool), b.(*v1beta1.ResourcePool), scope)
 	}); err != nil {
@@ -123,6 +134,7 @@ func RegisterConversions(s *runtime.Scheme) error {
 func autoConvert_api_BasicDevice_To_v1beta1_BasicDevice(in *BasicDevice, out *v1beta1.BasicDevice, s conversion.Scope) error {
 	out.Attributes = *(*map[v1beta1.QualifiedName]v1beta1.DeviceAttribute)(unsafe.Pointer(&in.Attributes))
 	out.Capacity = *(*map[v1beta1.QualifiedName]v1beta1.DeviceCapacity)(unsafe.Pointer(&in.Capacity))
+	out.Taints = *(*[]v1beta1.DeviceTaint)(unsafe.Pointer(&in.Taints))
 	return nil
 }
 
@@ -134,6 +146,7 @@ func Convert_api_BasicDevice_To_v1beta1_BasicDevice(in *BasicDevice, out *v1beta
 func autoConvert_v1beta1_BasicDevice_To_api_BasicDevice(in *v1beta1.BasicDevice, out *BasicDevice, s conversion.Scope) error {
 	out.Attributes = *(*map[QualifiedName]DeviceAttribute)(unsafe.Pointer(&in.Attributes))
 	out.Capacity = *(*map[QualifiedName]DeviceCapacity)(unsafe.Pointer(&in.Capacity))
+	out.Taints = *(*[]v1beta1.DeviceTaint)(unsafe.Pointer(&in.Taints))
 	return nil
 }
 
@@ -214,6 +227,32 @@ func Convert_v1beta1_DeviceCapacity_To_api_DeviceCapacity(in *v1beta1.DeviceCapa
 	return autoConvert_v1beta1_DeviceCapacity_To_api_DeviceCapacity(in, out, s)
 }
 
+func autoConvert_api_DeviceTaint_To_v1beta1_DeviceTaint(in *DeviceTaint, out *v1beta1.DeviceTaint, s conversion.Scope) error {
+	out.Key = in.Key
+	out.Value = in.Value
+	out.Effect = v1beta1.DeviceTaintEffect(in.Effect)
+	out.TimeAdded = (*v1.Time)(unsafe.Pointer(in.TimeAdded))
+	return nil
+}
+
+// Convert_api_DeviceTaint_To_v1beta1_DeviceTaint is an autogenerated conversion function.
+func Convert_api_DeviceTaint_To_v1beta1_DeviceTaint(in *DeviceTaint, out *v1beta1.DeviceTaint, s conversion.Scope) error {
+	return autoConvert_api_DeviceTaint_To_v1beta1_DeviceTaint(in, out, s)
+}
+
+func autoConvert_v1beta1_DeviceTaint_To_api_DeviceTaint(in *v1beta1.DeviceTaint, out *DeviceTaint, s conversion.Scope) error {
+	out.Key = in.Key
+	out.Value = in.Value
+	out.Effect = DeviceTaintEffect(in.Effect)
+	out.TimeAdded = (*v1.Time)(unsafe.Pointer(in.TimeAdded))
+	return nil
+}
+
+// Convert_v1beta1_DeviceTaint_To_api_DeviceTaint is an autogenerated conversion function.
+func Convert_v1beta1_DeviceTaint_To_api_DeviceTaint(in *v1beta1.DeviceTaint, out *DeviceTaint, s conversion.Scope) error {
+	return autoConvert_v1beta1_DeviceTaint_To_api_DeviceTaint(in, out, s)
+}
+
 func autoConvert_api_ResourcePool_To_v1beta1_ResourcePool(in *ResourcePool, out *v1beta1.ResourcePool, s conversion.Scope) error {
 	if err := Convert_api_UniqueString_To_string(&in.Name, &out.Name, s); err != nil {
 		return err
@@ -278,7 +317,7 @@ func autoConvert_api_ResourceSliceSpec_To_v1beta1_ResourceSliceSpec(in *Resource
 	if err := Convert_api_UniqueString_To_string(&in.NodeName, &out.NodeName, s); err != nil {
 		return err
 	}
-	out.NodeSelector = (*v1.NodeSelector)(unsafe.Pointer(in.NodeSelector))
+	out.NodeSelector = (*corev1.NodeSelector)(unsafe.Pointer(in.NodeSelector))
 	out.AllNodes = in.AllNodes
 	if in.Devices != nil {
 		in, out := &in.Devices, &out.Devices
@@ -309,7 +348,7 @@ func autoConvert_v1beta1_ResourceSliceSpec_To_api_ResourceSliceSpec(in *v1beta1.
 	if err := Convert_string_To_api_UniqueString(&in.NodeName, &out.NodeName, s); err != nil {
 		return err
 	}
-	out.NodeSelector = (*v1.NodeSelector)(unsafe.Pointer(in.NodeSelector))
+	out.NodeSelector = (*corev1.NodeSelector)(unsafe.Pointer(in.NodeSelector))
 	out.AllNodes = in.AllNodes
 	if in.Devices != nil {
 		in, out := &in.Devices, &out.Devices

From 939c9c0c6baf35816bd19fc4ef4249ef8d740e0d Mon Sep 17 00:00:00 2001
From: Jon Huhn <nojnhuh@users.noreply.github.com>
Date: Mon, 27 Jan 2025 14:34:34 -0600
Subject: [PATCH 04/11] DRA: add ResourceSlice tracker

The purpose of the tracker is to emulate a ResourceSlice informer, including
cache and event handlers. In contrast to that informer, the tracker adds taints
from a DeviceTaint such that they appear in the ResourceSlice device
definition. Code using the tracker doesn't need to care where the taints are
coming from.

The main advantage is that it enables fine-grained reactions to taints that
only affect a few devices, the common case. Without this tracker, the pod
eviction controller would have to sync all pods when any slice or any taint
change.

In the scheduler it avoids re-evaluating the selection criteria repeatedly.
The tracker serves as a cross-pod-scheduling cache.
---
 .../internal/queue/fifo.go                    |  112 ++
 .../internal/queue/fifo_test.go               |  117 ++
 .../resourceslice/tracker/tracker.go          |  798 ++++++++
 .../resourceslice/tracker/tracker_test.go     | 1764 +++++++++++++++++
 4 files changed, 2791 insertions(+)
 create mode 100644 staging/src/k8s.io/dynamic-resource-allocation/internal/queue/fifo.go
 create mode 100644 staging/src/k8s.io/dynamic-resource-allocation/internal/queue/fifo_test.go
 create mode 100644 staging/src/k8s.io/dynamic-resource-allocation/resourceslice/tracker/tracker.go
 create mode 100644 staging/src/k8s.io/dynamic-resource-allocation/resourceslice/tracker/tracker_test.go

diff --git a/staging/src/k8s.io/dynamic-resource-allocation/internal/queue/fifo.go b/staging/src/k8s.io/dynamic-resource-allocation/internal/queue/fifo.go
new file mode 100644
index 00000000000..23d4157d6fd
--- /dev/null
+++ b/staging/src/k8s.io/dynamic-resource-allocation/internal/queue/fifo.go
@@ -0,0 +1,112 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// TODO: This is duplicated from ./pkg/scheduler/util/queue because that
+// package is not allowed to be imported here.
+package queue
+
+const (
+	// normalSize limits the size of the buffer that is kept
+	// for reuse.
+	normalSize = 4
+)
+
+// FIFO implements a first-in-first-out queue with unbounded size.
+// The null FIFO is a valid empty queue.
+//
+// Access must be protected by the caller when used concurrently by
+// different goroutines, the queue itself implements no locking.
+type FIFO[T any] struct {
+	// elements contains a buffer for elements which have been
+	// pushed and not popped yet. Two scenarios are possible:
+	// - one chunk in the middle (start <= end)
+	// - one chunk at the end, followed by one chunk at the
+	//   beginning (end <= start)
+	//
+	// start == end can be either an empty queue or a completely
+	// full one (with two chunks).
+	elements []T
+
+	// len counts the number of elements which have been pushed and
+	// not popped yet.
+	len int
+
+	// start is the index of the first valid element.
+	start int
+
+	// end is the index after the last valid element.
+	end int
+}
+
+func (q *FIFO[T]) Len() int {
+	return q.len
+}
+
+func (q *FIFO[T]) Push(element T) {
+	size := len(q.elements)
+	if q.len == size {
+		// Need larger buffer.
+		newSize := size * 2
+		if newSize == 0 {
+			newSize = normalSize
+		}
+		elements := make([]T, newSize)
+		if q.start == 0 {
+			copy(elements, q.elements)
+		} else {
+			copy(elements, q.elements[q.start:])
+			copy(elements[len(q.elements)-q.start:], q.elements[0:q.end])
+		}
+		q.start = 0
+		q.end = q.len
+		q.elements = elements
+		size = newSize
+	}
+	if q.end == size {
+		// Wrap around.
+		q.elements[0] = element
+		q.end = 1
+		q.len++
+		return
+	}
+	q.elements[q.end] = element
+	q.end++
+	q.len++
+}
+
+func (q *FIFO[T]) Pop() (element T, ok bool) {
+	if q.len == 0 {
+		return
+	}
+	element = q.elements[q.start]
+	q.start++
+	if q.start == len(q.elements) {
+		// Wrap around.
+		q.start = 0
+	}
+	q.len--
+
+	// Once it is empty, shrink down to avoid hanging onto
+	// a large buffer forever.
+	if q.len == 0 && len(q.elements) > normalSize {
+		q.elements = make([]T, normalSize)
+		q.start = 0
+		q.end = 0
+	}
+
+	ok = true
+	return
+}
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/internal/queue/fifo_test.go b/staging/src/k8s.io/dynamic-resource-allocation/internal/queue/fifo_test.go
new file mode 100644
index 00000000000..fd3140ed43c
--- /dev/null
+++ b/staging/src/k8s.io/dynamic-resource-allocation/internal/queue/fifo_test.go
@@ -0,0 +1,117 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package queue
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func verifyPop(t *testing.T, expectedValue int, expectedOk bool, queue *FIFO[int]) {
+	t.Helper()
+	actual, ok := queue.Pop()
+	require.Equal(t, expectedOk, ok)
+	require.Equal(t, expectedValue, actual)
+}
+
+func verifyEmpty(t *testing.T, queue *FIFO[int]) {
+	t.Helper()
+	require.Equal(t, 0, queue.Len())
+	verifyPop(t, 0, false, queue)
+}
+
+func TestNull(t *testing.T) {
+	var queue FIFO[int]
+	verifyEmpty(t, &queue)
+}
+
+func TestOnePushPop(t *testing.T) {
+	var queue FIFO[int]
+
+	expected := 10
+	queue.Push(10)
+	require.Equal(t, 1, queue.Len())
+	verifyPop(t, expected, true, &queue)
+	verifyEmpty(t, &queue)
+}
+
+// Pushes some elements, pops all of them, then the same again.
+func TestWrapAroundEmpty(t *testing.T) {
+	var queue FIFO[int]
+
+	for i := 0; i < 5; i++ {
+		queue.Push(i)
+	}
+	require.Equal(t, 5, queue.Len())
+	for i := 0; i < 5; i++ {
+		verifyPop(t, i, true, &queue)
+	}
+	verifyEmpty(t, &queue)
+
+	for i := 5; i < 10; i++ {
+		queue.Push(i)
+	}
+	for i := 5; i < 10; i++ {
+		verifyPop(t, i, true, &queue)
+	}
+	verifyEmpty(t, &queue)
+}
+
+// Pushes some elements, pops one, adds more, then pops all.
+func TestWrapAroundPartial(t *testing.T) {
+	var queue FIFO[int]
+
+	for i := 0; i < 5; i++ {
+		queue.Push(i)
+	}
+	require.Equal(t, 5, queue.Len())
+	verifyPop(t, 0, true, &queue)
+
+	for i := 5; i < 10; i++ {
+		queue.Push(i)
+	}
+	for i := 1; i < 10; i++ {
+		verifyPop(t, i, true, &queue)
+	}
+	verifyEmpty(t, &queue)
+}
+
+// Push an unusual amount of elements, pop all, and verify that
+// the FIFO shrinks back again.
+func TestShrink(t *testing.T) {
+	var queue FIFO[int]
+
+	for i := 0; i < normalSize*2; i++ {
+		queue.Push(i)
+	}
+	require.Equal(t, normalSize*2, queue.Len())
+	require.LessOrEqual(t, 2*normalSize, len(queue.elements))
+
+	// Pop all, should be shrunken when done.
+	for i := 0; i < normalSize*2; i++ {
+		verifyPop(t, i, true, &queue)
+	}
+	require.Equal(t, 0, queue.Len())
+	require.Len(t, queue.elements, normalSize)
+
+	// Still usable after shrinking?
+	queue.Push(42)
+	verifyPop(t, 42, true, &queue)
+	require.Equal(t, 0, queue.Len())
+	require.Len(t, queue.elements, normalSize)
+}
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/resourceslice/tracker/tracker.go b/staging/src/k8s.io/dynamic-resource-allocation/resourceslice/tracker/tracker.go
new file mode 100644
index 00000000000..2f198b13099
--- /dev/null
+++ b/staging/src/k8s.io/dynamic-resource-allocation/resourceslice/tracker/tracker.go
@@ -0,0 +1,798 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package tracker
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"slices"
+	"sync"
+
+	"github.com/google/go-cmp/cmp" //nolint:depguard
+
+	v1 "k8s.io/api/core/v1"
+	resourcealphaapi "k8s.io/api/resource/v1alpha3"
+	resourceapi "k8s.io/api/resource/v1beta1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/apimachinery/pkg/util/sets"
+	resourcealphainformers "k8s.io/client-go/informers/resource/v1alpha3"
+	resourceinformers "k8s.io/client-go/informers/resource/v1beta1"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/kubernetes/scheme"
+	v1core "k8s.io/client-go/kubernetes/typed/core/v1"
+	resourcelisters "k8s.io/client-go/listers/resource/v1beta1"
+	"k8s.io/client-go/tools/cache"
+	"k8s.io/client-go/tools/record"
+	"k8s.io/dynamic-resource-allocation/cel"
+	"k8s.io/dynamic-resource-allocation/internal/queue"
+	"k8s.io/klog/v2"
+	"k8s.io/utils/ptr"
+)
+
+const (
+	driverPoolDeviceIndexName = "driverPoolDevice"
+
+	anyDriver = "*"
+	anyPool   = "*"
+	anyDevice = "*"
+)
+
+// Tracker maintains a view of ResourceSlice objects with matching
+// DeviceTaintRules applied. It is backed by informers to process
+// potential changes to resolved ResourceSlices asynchronously.
+type Tracker struct {
+	enableDeviceTaints bool
+
+	resourceSliceLister   resourcelisters.ResourceSliceLister
+	resourceSlices        cache.SharedIndexInformer
+	resourceSlicesHandle  cache.ResourceEventHandlerRegistration
+	deviceTaints          cache.SharedIndexInformer
+	deviceTaintsHandle    cache.ResourceEventHandlerRegistration
+	deviceClasses         cache.SharedIndexInformer
+	deviceClassesHandle   cache.ResourceEventHandlerRegistration
+	celCache              *cel.Cache
+	patchedResourceSlices cache.Store
+	broadcaster           record.EventBroadcaster
+	recorder              record.EventRecorder
+	// handleError usually refers to [utilruntime.HandleErrorWithContext] but
+	// may be overridden in tests.
+	handleError func(context.Context, error, string, ...any)
+
+	// Synchronizes updates to these fields related to event handlers.
+	rwMutex sync.RWMutex
+	// All registered event handlers.
+	eventHandlers []cache.ResourceEventHandler
+	// The eventQueue contains functions which deliver an event to one
+	// event handler.
+	//
+	// These functions must be invoked while *not locking* rwMutex because
+	// the event handlers are allowed to access the cache. Holding rwMutex
+	// then would cause a deadlock.
+	//
+	// New functions get added as part of processing a cache update while
+	// the rwMutex is locked. Each function which adds something to the queue
+	// also drains the queue before returning, therefore it is guaranteed
+	// that all event handlers get notified immediately (useful for unit
+	// testing).
+	//
+	// A channel cannot be used here because it cannot have an unbounded
+	// capacity. This could lead to a deadlock (writer holds rwMutex,
+	// gets blocked because capacity is exhausted, reader is in a handler
+	// which tries to lock the rwMutex). Writing into such a channel
+	// while not holding the rwMutex doesn't work because in-order delivery
+	// of events would no longer be guaranteed.
+	eventQueue queue.FIFO[func()]
+}
+
+// Options configure a [Tracker].
+type Options struct {
+	// EnableDeviceTaints controls whether DeviceTaintRules
+	// will be reflected in ResourceSlices reported by the tracker.
+	//
+	// If false, then TaintInformer and ClassInformer
+	// are not needed. The tracker turns into
+	// a thin wrapper around the underlying
+	// SliceInformer, with no processing of its own.
+	EnableDeviceTaints bool
+
+	SliceInformer resourceinformers.ResourceSliceInformer
+	TaintInformer resourcealphainformers.DeviceTaintRuleInformer
+	ClassInformer resourceinformers.DeviceClassInformer
+
+	// KubeClient is used to generate Events when CEL expressions
+	// encounter runtime errors.
+	KubeClient kubernetes.Interface
+}
+
+// StartTracker creates and initializes informers for a new [Tracker].
+func StartTracker(ctx context.Context, opts Options) (finalT *Tracker, finalErr error) {
+	if !opts.EnableDeviceTaints {
+		// Minimal wrapper. All public methods shortcut by calling the underlying informer.
+		return &Tracker{
+			resourceSliceLister: opts.SliceInformer.Lister(),
+			resourceSlices:      opts.SliceInformer.Informer(),
+		}, nil
+	}
+
+	t, err := newTracker(ctx, opts)
+	if err != nil {
+		return nil, err
+	}
+	defer func() {
+		// If we don't return the tracker, stop the partially initialized instance.
+		if finalErr != nil {
+			t.Stop()
+		}
+	}()
+	if err := t.initInformers(ctx); err != nil {
+		return nil, fmt.Errorf("initialize informers: %w", err)
+	}
+	return t, nil
+}
+
+// newTracker is used in testing to construct a tracker without informer event handlers.
+func newTracker(ctx context.Context, opts Options) (finalT *Tracker, finalErr error) {
+	t := &Tracker{
+		enableDeviceTaints:    opts.EnableDeviceTaints,
+		resourceSliceLister:   opts.SliceInformer.Lister(),
+		resourceSlices:        opts.SliceInformer.Informer(),
+		deviceTaints:          opts.TaintInformer.Informer(),
+		deviceClasses:         opts.ClassInformer.Informer(),
+		celCache:              cel.NewCache(10),
+		patchedResourceSlices: cache.NewStore(cache.MetaNamespaceKeyFunc),
+		handleError:           utilruntime.HandleErrorWithContext,
+	}
+	defer func() {
+		// If we don't return the tracker, stop the partially initialized instance.
+		if finalErr != nil {
+			t.Stop()
+		}
+	}()
+	err := t.resourceSlices.AddIndexers(cache.Indexers{driverPoolDeviceIndexName: sliceDriverPoolDeviceIndexFunc})
+	if err != nil {
+		return nil, fmt.Errorf("failed to add %s index to ResourceSlice informer: %w", driverPoolDeviceIndexName, err)
+	}
+	// KubeClient is not always set in unit tests.
+	if opts.KubeClient != nil {
+		t.broadcaster = record.NewBroadcaster(record.WithContext(ctx))
+		t.broadcaster.StartLogging(klog.Infof)
+		t.broadcaster.StartRecordingToSink(&v1core.EventSinkImpl{Interface: opts.KubeClient.CoreV1().Events("")})
+		t.recorder = t.broadcaster.NewRecorder(scheme.Scheme, v1.EventSource{Component: "resource_slice_tracker"})
+	}
+
+	return t, nil
+}
+
+// initInformers adds event handlers to a tracker constructed with newTracker.
+func (t *Tracker) initInformers(ctx context.Context) error {
+	var err error
+
+	sliceHandler := cache.ResourceEventHandlerFuncs{
+		AddFunc:    t.resourceSliceAdd(ctx),
+		UpdateFunc: t.resourceSliceUpdate(ctx),
+		DeleteFunc: t.resourceSliceDelete(ctx),
+	}
+	t.resourceSlicesHandle, err = t.resourceSlices.AddEventHandler(sliceHandler)
+	if err != nil {
+		return fmt.Errorf("add event handler for ResourceSlices: %w", err)
+	}
+
+	taintHandler := cache.ResourceEventHandlerFuncs{
+		AddFunc:    t.deviceTaintAdd(ctx),
+		UpdateFunc: t.deviceTaintUpdate(ctx),
+		DeleteFunc: t.deviceTaintDelete(ctx),
+	}
+	t.deviceTaintsHandle, err = t.deviceTaints.AddEventHandler(taintHandler)
+	if err != nil {
+		return fmt.Errorf("add event handler for DeviceTaintRules: %w", err)
+	}
+
+	classHandler := cache.ResourceEventHandlerFuncs{
+		AddFunc:    t.deviceClassAdd(ctx),
+		UpdateFunc: t.deviceClassUpdate(ctx),
+		DeleteFunc: t.deviceClassDelete(ctx),
+	}
+	t.deviceClassesHandle, err = t.deviceClasses.AddEventHandler(classHandler)
+	if err != nil {
+		return fmt.Errorf("add event handler for DeviceClasses: %w", err)
+	}
+
+	return nil
+}
+
+// HasSynced returns true if the tracker is done with processing all
+// currently existing input objects. Adding a new event handler at that
+// point is possible and will emit events with up-to-date ResourceSlice
+// objects.
+func (t *Tracker) HasSynced() bool {
+	if !t.enableDeviceTaints {
+		return t.resourceSlices.HasSynced()
+	}
+
+	if t.resourceSlicesHandle != nil && !t.resourceSlicesHandle.HasSynced() {
+		return false
+	}
+	if t.deviceTaintsHandle != nil && !t.deviceTaintsHandle.HasSynced() {
+		return false
+	}
+	if t.deviceClassesHandle != nil && !t.deviceClassesHandle.HasSynced() {
+		return false
+	}
+
+	return true
+}
+
+// Stop ends all background activity and blocks until that shutdown is complete.
+func (t *Tracker) Stop() {
+	if !t.enableDeviceTaints {
+		return
+	}
+
+	if t.broadcaster != nil {
+		t.broadcaster.Shutdown()
+	}
+	_ = t.resourceSlices.RemoveEventHandler(t.resourceSlicesHandle)
+	_ = t.deviceTaints.RemoveEventHandler(t.deviceTaintsHandle)
+	_ = t.deviceClasses.RemoveEventHandler(t.deviceClassesHandle)
+}
+
+// ListPatchedResourceSlices returns all ResourceSlices in the cluster with
+// modifications from DeviceTaints applied.
+func (t *Tracker) ListPatchedResourceSlices() ([]*resourceapi.ResourceSlice, error) {
+	if !t.enableDeviceTaints {
+		return t.resourceSliceLister.List(labels.Everything())
+	}
+
+	return typedSlice[*resourceapi.ResourceSlice](t.patchedResourceSlices.List()), nil
+}
+
+// AddEventHandler adds an event handler to the tracker. Events to a
+// single handler are delivered sequentially, but there is no
+// coordination between different handlers. A handler may use the
+// tracker.
+//
+// The return value can be used to wait for cache synchronization.
+// All currently know ResourceSlices get delivered via Add events
+// before this method returns.
+func (t *Tracker) AddEventHandler(handler cache.ResourceEventHandler) (cache.ResourceEventHandlerRegistration, error) {
+	if !t.enableDeviceTaints {
+		return t.resourceSlices.AddEventHandler(handler)
+	}
+
+	defer t.emitEvents()
+	t.rwMutex.Lock()
+	defer t.rwMutex.Unlock()
+
+	t.eventHandlers = append(t.eventHandlers, handler)
+	allObjs, _ := t.ListPatchedResourceSlices()
+	for _, obj := range allObjs {
+		t.eventQueue.Push(func() {
+			handler.OnAdd(obj, true)
+		})
+	}
+
+	// The tracker itself provides HasSynced for all registered event handlers.
+	// We don't support removal, so returning the same handle here for all
+	// of them is fine.
+	return t, nil
+}
+
+// emitEvents delivers all pending events that are in the queue, in the order
+// in which they were stored there (FIFO).
+func (t *Tracker) emitEvents() {
+	for {
+		t.rwMutex.Lock()
+		deliver, ok := t.eventQueue.Pop()
+		t.rwMutex.Unlock()
+
+		if !ok {
+			return
+		}
+		func() {
+			defer utilruntime.HandleCrash()
+			deliver()
+		}()
+	}
+}
+
+// pushEvent ensures that all currently registered event handlers get
+// notified about a change when the caller starts delivering
+// those with emitEvents.
+//
+// For a delete event, newObj is nil. For an add, oldObj is nil.
+// An update has both as non-nil.
+func (t *Tracker) pushEvent(oldObj, newObj any) {
+	t.rwMutex.Lock()
+	defer t.rwMutex.Unlock()
+	for _, handler := range t.eventHandlers {
+		handler := handler
+		if oldObj == nil {
+			t.eventQueue.Push(func() {
+				handler.OnAdd(newObj, false)
+			})
+		} else if newObj == nil {
+			t.eventQueue.Push(func() {
+				handler.OnDelete(oldObj)
+			})
+		} else {
+			t.eventQueue.Push(func() {
+				handler.OnUpdate(oldObj, newObj)
+			})
+		}
+	}
+}
+
+func sliceDriverPoolDeviceIndexFunc(obj any) ([]string, error) {
+	slice := obj.(*resourceapi.ResourceSlice)
+	drivers := []string{
+		anyDriver,
+		slice.Spec.Driver,
+	}
+	pools := []string{
+		anyPool,
+		slice.Spec.Pool.Name,
+	}
+	indexValues := make([]string, 0, len(drivers)*len(pools)*(1+len(slice.Spec.Devices)))
+	for _, driver := range drivers {
+		for _, pool := range pools {
+			indexValues = append(indexValues, deviceID(driver, pool, anyDevice))
+			for _, device := range slice.Spec.Devices {
+				indexValues = append(indexValues, deviceID(driver, pool, device.Name))
+			}
+		}
+	}
+	return indexValues, nil
+}
+
+func driverPoolDeviceIndexPatchKey(patch *resourcealphaapi.DeviceTaintRule) string {
+	deviceSelector := ptr.Deref(patch.Spec.DeviceSelector, resourcealphaapi.DeviceTaintSelector{})
+	driverKey := ptr.Deref(deviceSelector.Driver, anyDriver)
+	poolKey := ptr.Deref(deviceSelector.Pool, anyPool)
+	deviceKey := ptr.Deref(deviceSelector.Device, anyDevice)
+	return deviceID(driverKey, poolKey, deviceKey)
+}
+
+func (t *Tracker) sliceNamesForPatch(ctx context.Context, patch *resourcealphaapi.DeviceTaintRule) []string {
+	patchKey := driverPoolDeviceIndexPatchKey(patch)
+	sliceNames, err := t.resourceSlices.GetIndexer().IndexKeys(driverPoolDeviceIndexName, patchKey)
+	if err != nil {
+		t.handleError(ctx, err, "failed listing ResourceSlices for driver/pool/device key", "key", patchKey)
+		return nil
+	}
+	return sliceNames
+}
+
+func (t *Tracker) resourceSliceAdd(ctx context.Context) func(obj any) {
+	logger := klog.FromContext(ctx)
+	return func(obj any) {
+		slice, ok := obj.(*resourceapi.ResourceSlice)
+		if !ok {
+			return
+		}
+		logger.V(5).Info("ResourceSlice add", "slice", klog.KObj(slice))
+		t.syncSlice(ctx, slice.Name, true)
+	}
+}
+
+func (t *Tracker) resourceSliceUpdate(ctx context.Context) func(oldObj, newObj any) {
+	logger := klog.FromContext(ctx)
+	return func(oldObj, newObj any) {
+		oldSlice, ok := oldObj.(*resourceapi.ResourceSlice)
+		if !ok {
+			return
+		}
+		newSlice, ok := newObj.(*resourceapi.ResourceSlice)
+		if !ok {
+			return
+		}
+		if loggerV := logger.V(6); loggerV.Enabled() {
+			// While debugging, one needs a full dump of the objects for context *and*
+			// a diff because otherwise small changes would be hard to spot.
+			loggerV.Info("ResourceSlice update", "slice", klog.Format(oldSlice), "oldSlice", klog.Format(newSlice), "diff", cmp.Diff(oldSlice, newSlice))
+		} else {
+			logger.V(5).Info("ResourceSlice update", "slice", klog.KObj(newSlice))
+		}
+		t.syncSlice(ctx, newSlice.Name, true)
+	}
+}
+
+func (t *Tracker) resourceSliceDelete(ctx context.Context) func(obj any) {
+	logger := klog.FromContext(ctx)
+	return func(obj any) {
+		if tombstone, ok := obj.(cache.DeletedFinalStateUnknown); ok {
+			obj = tombstone.Obj
+		}
+		slice, ok := obj.(*resourceapi.ResourceSlice)
+		if !ok {
+			return
+		}
+		logger.V(5).Info("ResourceSlice delete", "slice", klog.KObj(slice))
+		t.syncSlice(ctx, slice.Name, true)
+	}
+}
+
+func (t *Tracker) deviceTaintAdd(ctx context.Context) func(obj any) {
+	logger := klog.FromContext(ctx)
+	return func(obj any) {
+		patch, ok := obj.(*resourcealphaapi.DeviceTaintRule)
+		if !ok {
+			return
+		}
+		logger.V(5).Info("DeviceTaintRule add", "patch", klog.KObj(patch))
+		for _, sliceName := range t.sliceNamesForPatch(ctx, patch) {
+			t.syncSlice(ctx, sliceName, false)
+		}
+	}
+}
+
+func (t *Tracker) deviceTaintUpdate(ctx context.Context) func(oldObj, newObj any) {
+	logger := klog.FromContext(ctx)
+	return func(oldObj, newObj any) {
+		oldPatch, ok := oldObj.(*resourcealphaapi.DeviceTaintRule)
+		if !ok {
+			return
+		}
+		newPatch, ok := newObj.(*resourcealphaapi.DeviceTaintRule)
+		if !ok {
+			return
+		}
+		if loggerV := logger.V(6); loggerV.Enabled() {
+			loggerV.Info("DeviceTaintRule update", "patch", klog.KObj(newPatch), "diff", cmp.Diff(oldPatch, newPatch))
+		} else {
+			logger.V(5).Info("DeviceTaintRule update", "patch", klog.KObj(newPatch))
+		}
+
+		// Slices that matched the old patch may need to be updated, in
+		// case they no longer match the new patch and need to have the
+		// patch's changes reverted.
+		slicesToSync := sets.New[string]()
+		slicesToSync.Insert(t.sliceNamesForPatch(ctx, oldPatch)...)
+		slicesToSync.Insert(t.sliceNamesForPatch(ctx, newPatch)...)
+		for _, sliceName := range slicesToSync.UnsortedList() {
+			t.syncSlice(ctx, sliceName, false)
+		}
+	}
+}
+
+func (t *Tracker) deviceTaintDelete(ctx context.Context) func(obj any) {
+	logger := klog.FromContext(ctx)
+	return func(obj any) {
+		if tombstone, ok := obj.(cache.DeletedFinalStateUnknown); ok {
+			obj = tombstone.Obj
+		}
+		patch, ok := obj.(*resourcealphaapi.DeviceTaintRule)
+		if !ok {
+			return
+		}
+		logger.V(5).Info("DeviceTaintRule delete", "patch", klog.KObj(patch))
+		for _, sliceName := range t.sliceNamesForPatch(ctx, patch) {
+			t.syncSlice(ctx, sliceName, false)
+		}
+	}
+}
+
+func (t *Tracker) deviceClassAdd(ctx context.Context) func(obj any) {
+	logger := klog.FromContext(ctx)
+	return func(obj any) {
+		class, ok := obj.(*resourceapi.DeviceClass)
+		if !ok {
+			return
+		}
+		logger.V(5).Info("DeviceClass add", "class", klog.KObj(class))
+		for _, sliceName := range t.resourceSlices.GetIndexer().ListKeys() {
+			t.syncSlice(ctx, sliceName, false)
+		}
+	}
+}
+
+func (t *Tracker) deviceClassUpdate(ctx context.Context) func(oldObj, newObj any) {
+	logger := klog.FromContext(ctx)
+	return func(oldObj, newObj any) {
+		oldClass, ok := oldObj.(*resourceapi.DeviceClass)
+		if !ok {
+			return
+		}
+		newClass, ok := newObj.(*resourceapi.DeviceClass)
+		if !ok {
+			return
+		}
+		if loggerV := logger.V(6); loggerV.Enabled() {
+			loggerV.Info("DeviceClass update", "class", klog.KObj(newClass), "diff", cmp.Diff(oldClass, newClass))
+		} else {
+			logger.V(5).Info("DeviceClass update", "class", klog.KObj(newClass))
+		}
+		for _, sliceName := range t.resourceSlices.GetIndexer().ListKeys() {
+			t.syncSlice(ctx, sliceName, false)
+		}
+	}
+}
+
+func (t *Tracker) deviceClassDelete(ctx context.Context) func(obj any) {
+	logger := klog.FromContext(ctx)
+	return func(obj any) {
+		if tombstone, ok := obj.(cache.DeletedFinalStateUnknown); ok {
+			obj = tombstone.Obj
+		}
+		class, ok := obj.(*resourceapi.ResourceSlice)
+		if !ok {
+			return
+		}
+		logger.V(5).Info("DeviceClass delete", "class", klog.KObj(class))
+		for _, sliceName := range t.resourceSlices.GetIndexer().ListKeys() {
+			t.syncSlice(ctx, sliceName, false)
+		}
+	}
+}
+
+// syncSlice updates the slice with the given name, applying
+// DeviceTaints that match. sendEvent is used to force the Tracker
+// to publish an event for listeners added by [Tracker.AddEventHandler]. It
+// is set when syncSlice is triggered by a ResourceSlice event to avoid
+// doing costly DeepEqual comparisons where possible.
+func (t *Tracker) syncSlice(ctx context.Context, name string, sendEvent bool) {
+	defer t.emitEvents()
+
+	logger := klog.FromContext(ctx)
+	logger = klog.LoggerWithValues(logger, "resourceslice", name)
+	ctx = klog.NewContext(ctx, logger)
+	logger.V(5).Info("syncing ResourceSlice")
+
+	obj, sliceExists, err := t.resourceSlices.GetIndexer().GetByKey(name)
+	if err != nil {
+		t.handleError(ctx, err, "failed to lookup existing resource slice", "resourceslice", name)
+		return
+	}
+	oldPatchedObj, oldSliceExists, err := t.patchedResourceSlices.GetByKey(name)
+	if err != nil {
+		t.handleError(ctx, err, "failed to lookup cached patched resource slice", "resourceslice", name)
+		return
+	}
+	if !sliceExists {
+		err := t.patchedResourceSlices.Delete(oldPatchedObj)
+		if err != nil {
+			t.handleError(ctx, err, "failed to delete cached patched resource slice", "resourceslice", name)
+			return
+		}
+		t.pushEvent(oldPatchedObj, nil)
+		logger.V(5).Info("patched ResourceSlice deleted")
+		return
+	}
+	var oldPatchedSlice *resourceapi.ResourceSlice
+	if oldSliceExists {
+		var ok bool
+		oldPatchedSlice, ok = oldPatchedObj.(*resourceapi.ResourceSlice)
+		if !ok {
+			t.handleError(ctx, errors.New("invalid type in resource slice cache"), "expectedType", fmt.Sprintf("%T", (*resourceapi.ResourceSlice)(nil)), "gotType", fmt.Sprintf("%T", oldPatchedObj))
+			return
+		}
+	}
+	slice, ok := obj.(*resourceapi.ResourceSlice)
+	if !ok {
+		t.handleError(ctx, errors.New("invalid type in resource slice cache"), fmt.Sprintf("expected type to be %T, got %T", (*resourceapi.ResourceSlice)(nil), obj))
+		return
+	}
+
+	patches := typedSlice[*resourcealphaapi.DeviceTaintRule](t.deviceTaints.GetIndexer().List())
+	patchedSlice, err := t.applyPatches(ctx, slice, patches)
+	if err != nil {
+		t.handleError(ctx, err, "failed to apply patches to ResourceSlice", "resourceslice", klog.KObj(slice))
+		return
+	}
+
+	// When syncSlice is triggered by something other than a ResourceSlice
+	// event, only the device attributes and capacity might change. We
+	// deliberately avoid any costly DeepEqual-style comparisons here.
+	if !sendEvent && oldPatchedSlice != nil {
+		for i := range patchedSlice.Spec.Devices {
+			oldDevice := oldPatchedSlice.Spec.Devices[i]
+			newDevice := patchedSlice.Spec.Devices[i]
+			sendEvent = sendEvent ||
+				!slices.EqualFunc(getTaints(oldDevice), getTaints(newDevice), taintsEqual)
+		}
+	}
+
+	err = t.patchedResourceSlices.Add(patchedSlice)
+	if err != nil {
+		t.handleError(ctx, err, "failed to add patched resource slice to cache", "resourceslice", klog.KObj(patchedSlice))
+		return
+	}
+	if sendEvent {
+		t.pushEvent(oldPatchedObj, patchedSlice)
+	}
+
+	if loggerV := logger.V(6); loggerV.Enabled() {
+		loggerV.Info("ResourceSlice synced", "diff", cmp.Diff(oldPatchedObj, patchedSlice))
+	} else {
+		logger.V(5).Info("ResourceSlice synced")
+	}
+}
+
+func (t *Tracker) applyPatches(ctx context.Context, slice *resourceapi.ResourceSlice, taintRules []*resourcealphaapi.DeviceTaintRule) (*resourceapi.ResourceSlice, error) {
+	logger := klog.FromContext(ctx)
+
+	// slice will be DeepCopied just-in-time, only when necessary.
+	patchedSlice := slice
+
+	for _, taintRule := range taintRules {
+		logger := klog.LoggerWithValues(logger, "deviceTaintRule", klog.KObj(taintRule))
+		logger.V(6).Info("processing DeviceTaintRule")
+
+		deviceSelector := taintRule.Spec.DeviceSelector
+		var deviceClassExprs []cel.CompilationResult
+		var selectorExprs []cel.CompilationResult
+		var deviceName *string
+		if deviceSelector != nil {
+			if deviceSelector.Driver != nil && *deviceSelector.Driver != slice.Spec.Driver {
+				logger.V(7).Info("DeviceTaintRule does not apply, mismatched driver", "sliceDriver", slice.Spec.Driver, "taintDriver", *deviceSelector.Driver)
+				continue
+			}
+			if deviceSelector.Pool != nil && *deviceSelector.Pool != slice.Spec.Pool.Name {
+				logger.V(7).Info("DeviceTaintRule does not apply, mismatched pool", "slicePool", slice.Spec.Pool.Name, "taintPool", *deviceSelector.Pool)
+				continue
+			}
+			deviceName = deviceSelector.Device
+			if deviceSelector.DeviceClassName != nil {
+				logger := logger.WithValues("deviceClassName", *deviceSelector.DeviceClassName)
+				classObj, exists, err := t.deviceClasses.GetIndexer().GetByKey(*deviceSelector.DeviceClassName)
+				if err != nil {
+					return nil, fmt.Errorf("failed to get device class %s for DeviceTaintRule %s", *deviceSelector.DeviceClassName, taintRule.Name)
+				}
+				if !exists {
+					logger.V(7).Info("DeviceTaintRule does not apply, DeviceClass does not exist")
+					continue
+				}
+				class := classObj.(*resourceapi.DeviceClass)
+				for _, selector := range class.Spec.Selectors {
+					if selector.CEL != nil {
+						expr := t.celCache.GetOrCompile(selector.CEL.Expression)
+						deviceClassExprs = append(deviceClassExprs, expr)
+					}
+				}
+			}
+			for _, selector := range deviceSelector.Selectors {
+				if selector.CEL != nil {
+					expr := t.celCache.GetOrCompile(selector.CEL.Expression)
+					selectorExprs = append(selectorExprs, expr)
+				}
+			}
+		}
+	devices:
+		for dIndex, device := range slice.Spec.Devices {
+			deviceID := deviceID(slice.Spec.Driver, slice.Spec.Pool.Name, device.Name)
+			logger := logger.WithValues("device", deviceID)
+
+			if deviceName != nil && *deviceName != device.Name {
+				logger.V(7).Info("DeviceTaintRule does not apply, mismatched device", "sliceDevice", device.Name, "taintDevice", *deviceSelector.Device)
+				continue
+			}
+
+			deviceAttributes := getAttributes(device)
+			deviceCapacity := getCapacity(device)
+
+			for i, expr := range deviceClassExprs {
+				if expr.Error != nil {
+					// Could happen if some future apiserver accepted some
+					// future expression and then got downgraded. Normally
+					// the "stored expression" mechanism prevents that, but
+					// this code here might be more than one release older
+					// than the cluster it runs in.
+					return nil, fmt.Errorf("DeviceTaintRule %s: class %s: selector #%d: CEL compile error: %w", taintRule.Name, *deviceSelector.DeviceClassName, i, expr.Error)
+				}
+				matches, details, err := expr.DeviceMatches(ctx, cel.Device{Driver: slice.Spec.Driver, Attributes: deviceAttributes, Capacity: deviceCapacity})
+				logger.V(7).Info("CEL result", "class", *deviceSelector.DeviceClassName, "selector", i, "expression", expr.Expression, "matches", matches, "actualCost", ptr.Deref(details.ActualCost(), 0), "err", err)
+				if err != nil {
+					continue devices
+				}
+				if !matches {
+					continue devices
+				}
+			}
+
+			for i, expr := range selectorExprs {
+				if expr.Error != nil {
+					// Could happen if some future apiserver accepted some
+					// future expression and then got downgraded. Normally
+					// the "stored expression" mechanism prevents that, but
+					// this code here might be more than one release older
+					// than the cluster it runs in.
+					return nil, fmt.Errorf("DeviceTaintRule %s: selector #%d: CEL compile error: %w", taintRule.Name, i, expr.Error)
+				}
+				matches, details, err := expr.DeviceMatches(ctx, cel.Device{Driver: slice.Spec.Driver, Attributes: deviceAttributes, Capacity: deviceCapacity})
+				logger.V(7).Info("CEL result", "selector", i, "expression", expr.Expression, "matches", matches, "actualCost", ptr.Deref(details.ActualCost(), 0), "err", err)
+				if err != nil {
+					if t.recorder != nil {
+						t.recorder.Eventf(taintRule, v1.EventTypeWarning, "CELRuntimeError", "selector #%d: runtime error: %v", i, err)
+					}
+					continue devices
+				}
+				if !matches {
+					continue devices
+				}
+			}
+
+			logger.V(6).Info("applying matching DeviceTaintRule")
+
+			// TODO: remove conversion once taint is already in the right API package.
+			ta := resourceapi.DeviceTaint{
+				Key:       taintRule.Spec.Taint.Key,
+				Value:     taintRule.Spec.Taint.Value,
+				Effect:    resourceapi.DeviceTaintEffect(taintRule.Spec.Taint.Effect),
+				TimeAdded: taintRule.Spec.Taint.TimeAdded,
+			}
+
+			if patchedSlice == slice {
+				patchedSlice = slice.DeepCopy()
+			}
+
+			appendTaint(&patchedSlice.Spec.Devices[dIndex], ta)
+		}
+	}
+
+	return patchedSlice, nil
+}
+
+func getAttributes(device resourceapi.Device) map[resourceapi.QualifiedName]resourceapi.DeviceAttribute {
+	if device.Basic != nil {
+		return device.Basic.Attributes
+	}
+	return nil
+}
+
+func getCapacity(device resourceapi.Device) map[resourceapi.QualifiedName]resourceapi.DeviceCapacity {
+	if device.Basic != nil {
+		return device.Basic.Capacity
+	}
+	return nil
+}
+
+func getTaints(device resourceapi.Device) []resourceapi.DeviceTaint {
+	if device.Basic != nil {
+		return device.Basic.Taints
+	}
+	return nil
+}
+
+func appendTaint(device *resourceapi.Device, taint resourceapi.DeviceTaint) {
+	if device.Basic != nil {
+		device.Basic.Taints = append(device.Basic.Taints, taint)
+		return
+	}
+}
+
+func taintsEqual(a, b resourceapi.DeviceTaint) bool {
+	return a.Key == b.Key &&
+		a.Effect == b.Effect &&
+		a.Value == b.Value &&
+		a.TimeAdded.Equal(b.TimeAdded) // Equal deals with nil.
+}
+
+func deviceID(driver, pool, device string) string {
+	return driver + "/" + pool + "/" + device
+}
+
+func typedSlice[T any](objs []any) []T {
+	if objs == nil {
+		return nil
+	}
+	typed := make([]T, 0, len(objs))
+	for _, obj := range objs {
+		typed = append(typed, obj.(T))
+	}
+	return typed
+}
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/resourceslice/tracker/tracker_test.go b/staging/src/k8s.io/dynamic-resource-allocation/resourceslice/tracker/tracker_test.go
new file mode 100644
index 00000000000..1e5feca7cea
--- /dev/null
+++ b/staging/src/k8s.io/dynamic-resource-allocation/resourceslice/tracker/tracker_test.go
@@ -0,0 +1,1764 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package tracker
+
+import (
+	stdcmp "cmp"
+	"context"
+	"slices"
+	"strconv"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	v1 "k8s.io/api/core/v1"
+	resourcealphaapi "k8s.io/api/resource/v1alpha3"
+	resourceapi "k8s.io/api/resource/v1beta1"
+	apiequality "k8s.io/apimachinery/pkg/api/equality"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/informers"
+	"k8s.io/client-go/kubernetes/fake"
+	"k8s.io/client-go/tools/cache"
+	"k8s.io/klog/v2"
+	"k8s.io/klog/v2/ktesting"
+	_ "k8s.io/klog/v2/ktesting/init"
+	"k8s.io/utils/ptr"
+)
+
+type handlerEventType string
+
+const (
+	handlerEventAdd    handlerEventType = "add"
+	handlerEventUpdate handlerEventType = "update"
+	handlerEventDelete handlerEventType = "delete"
+)
+
+type handlerEvent struct {
+	event  handlerEventType
+	oldObj *resourceapi.ResourceSlice
+	newObj *resourceapi.ResourceSlice
+}
+
+type inputEventGenerator struct {
+	addResourceSlice      func(slice *resourceapi.ResourceSlice)
+	deleteResourceSlice   func(name string)
+	addDeviceTaintRule    func(taintRule *resourcealphaapi.DeviceTaintRule)
+	deleteDeviceTaintRule func(name string)
+	addDeviceClass        func(class *resourceapi.DeviceClass)
+	deleteDeviceClass     func(name string)
+}
+
+func inputEventGeneratorForTest(ctx context.Context, t *testing.T, tracker *Tracker) inputEventGenerator {
+	return inputEventGenerator{
+		addResourceSlice: func(slice *resourceapi.ResourceSlice) {
+			oldObj, exists, err := tracker.resourceSlices.GetIndexer().Get(slice)
+			require.NoError(t, err)
+			err = tracker.resourceSlices.GetIndexer().Add(slice)
+			require.NoError(t, err)
+			if !exists {
+				tracker.resourceSliceAdd(ctx)(slice)
+			} else if !apiequality.Semantic.DeepEqual(oldObj, slice) {
+				tracker.resourceSliceUpdate(ctx)(oldObj, slice)
+			}
+		},
+		deleteResourceSlice: func(name string) {
+			oldObj, exists, err := tracker.resourceSlices.GetIndexer().GetByKey(name)
+			require.NoError(t, err)
+			require.True(t, exists, "deleting resource slice that was never created")
+			err = tracker.resourceSlices.GetIndexer().Delete(oldObj)
+			require.NoError(t, err)
+			tracker.resourceSliceDelete(ctx)(oldObj)
+		},
+		addDeviceTaintRule: func(taintRule *resourcealphaapi.DeviceTaintRule) {
+			oldObj, exists, err := tracker.deviceTaints.GetIndexer().Get(taintRule)
+			require.NoError(t, err)
+			err = tracker.deviceTaints.GetIndexer().Add(taintRule)
+			require.NoError(t, err)
+			if !exists {
+				tracker.deviceTaintAdd(ctx)(taintRule)
+			} else if !apiequality.Semantic.DeepEqual(oldObj, taintRule) {
+				tracker.deviceTaintUpdate(ctx)(oldObj, taintRule)
+			}
+		},
+		deleteDeviceTaintRule: func(name string) {
+			oldObj, exists, err := tracker.deviceTaints.GetIndexer().GetByKey(name)
+			require.NoError(t, err)
+			require.True(t, exists, "deleting DeviceTaintRule that was never created")
+			err = tracker.deviceTaints.GetIndexer().Delete(oldObj)
+			require.NoError(t, err)
+			tracker.deviceTaintDelete(ctx)(oldObj)
+		},
+		addDeviceClass: func(class *resourceapi.DeviceClass) {
+			oldObj, exists, err := tracker.deviceClasses.GetIndexer().Get(class)
+			require.NoError(t, err)
+			err = tracker.deviceClasses.GetIndexer().Add(class)
+			require.NoError(t, err)
+			if !exists {
+				tracker.deviceClassAdd(ctx)(class)
+			} else if !apiequality.Semantic.DeepEqual(oldObj, class) {
+				tracker.deviceClassUpdate(ctx)(oldObj, class)
+			}
+		},
+		deleteDeviceClass: func(name string) {
+			oldObj, exists, err := tracker.deviceClasses.GetIndexer().GetByKey(name)
+			require.NoError(t, err)
+			require.True(t, exists, "deleting device class that was never created")
+			err = tracker.deviceClasses.GetIndexer().Delete(oldObj)
+			require.NoError(t, err)
+			tracker.deviceClassDelete(ctx)(oldObj)
+		},
+	}
+}
+
+func TestListPatchedResourceSlices(t *testing.T) {
+	now, _ := time.Parse(time.RFC3339, "2006-01-02T15:04:05Z")
+
+	tests := map[string]struct {
+		deviceTaintsDisabled  bool
+		inputEvents           func(event inputEventGenerator)
+		expectedPatchedSlices []*resourceapi.ResourceSlice
+		expectHandlerEvents   func(t *testing.T, events []handlerEvent)
+		expectEvents          func(t *assert.CollectT, events *v1.EventList)
+		expectUnhandledErrors func(t *testing.T, errs []error)
+	}{
+		"add-slices-no-patches": {
+			inputEvents: func(event inputEventGenerator) {
+				event.addResourceSlice(&resourceapi.ResourceSlice{ObjectMeta: metav1.ObjectMeta{Name: "s1"}})
+				event.addResourceSlice(&resourceapi.ResourceSlice{ObjectMeta: metav1.ObjectMeta{Name: "s2"}})
+			},
+			expectedPatchedSlices: []*resourceapi.ResourceSlice{
+				{ObjectMeta: metav1.ObjectMeta{Name: "s1"}},
+				{ObjectMeta: metav1.ObjectMeta{Name: "s2"}},
+			},
+			expectHandlerEvents: func(t *testing.T, events []handlerEvent) {
+				if !assert.Len(t, events, 2) {
+					return
+				}
+				assert.Equal(t, handlerEventAdd, events[0].event)
+				assert.Equal(t, "s1", events[0].newObj.Name)
+				assert.Equal(t, handlerEventAdd, events[1].event)
+				assert.Equal(t, "s2", events[1].newObj.Name)
+			},
+		},
+		"update-slices-no-patches": {
+			inputEvents: func(event inputEventGenerator) {
+				event.addResourceSlice(&resourceapi.ResourceSlice{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "s1",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						// no devices
+						Devices: nil,
+					},
+				})
+				event.addResourceSlice(&resourceapi.ResourceSlice{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "s2",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						// no devices
+						Devices: nil,
+					},
+				})
+				event.addResourceSlice(&resourceapi.ResourceSlice{ObjectMeta: metav1.ObjectMeta{Name: "no-change"}})
+
+				event.addResourceSlice(&resourceapi.ResourceSlice{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "s1",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						// devices!
+						Devices: []resourceapi.Device{
+							{Basic: &resourceapi.BasicDevice{}},
+						},
+					},
+				})
+				event.addResourceSlice(&resourceapi.ResourceSlice{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "s2",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						// devices!
+						Devices: []resourceapi.Device{
+							{Basic: &resourceapi.BasicDevice{}},
+						},
+					},
+				})
+				event.addResourceSlice(&resourceapi.ResourceSlice{ObjectMeta: metav1.ObjectMeta{Name: "no-change"}})
+			},
+			expectedPatchedSlices: []*resourceapi.ResourceSlice{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "s1",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						Devices: []resourceapi.Device{
+							{Basic: &resourceapi.BasicDevice{}},
+						},
+					},
+				},
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "s2",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						Devices: []resourceapi.Device{
+							{Basic: &resourceapi.BasicDevice{}},
+						},
+					},
+				},
+				{ObjectMeta: metav1.ObjectMeta{Name: "no-change"}},
+			},
+			expectHandlerEvents: func(t *testing.T, events []handlerEvent) {
+				if !assert.Len(t, events, 5) {
+					return
+				}
+				// The first events are adds.
+				assert.Equal(t, handlerEventUpdate, events[3].event)
+				assert.Equal(t, "s1", events[3].newObj.Name)
+				assert.Equal(t, "s1", events[3].oldObj.Name)
+				assert.Nil(t, events[3].oldObj.Spec.Devices)
+				assert.NotNil(t, events[3].newObj.Spec.Devices)
+				assert.Equal(t, handlerEventUpdate, events[4].event)
+				assert.Equal(t, "s2", events[4].newObj.Name)
+				assert.Equal(t, "s2", events[4].oldObj.Name)
+				assert.Nil(t, events[4].oldObj.Spec.Devices)
+				assert.NotNil(t, events[4].newObj.Spec.Devices)
+			},
+		},
+		"delete-slices": {
+			inputEvents: func(event inputEventGenerator) {
+				event.addResourceSlice(&resourceapi.ResourceSlice{ObjectMeta: metav1.ObjectMeta{Name: "s1"}})
+				event.addResourceSlice(&resourceapi.ResourceSlice{ObjectMeta: metav1.ObjectMeta{Name: "s2"}})
+				event.addResourceSlice(&resourceapi.ResourceSlice{ObjectMeta: metav1.ObjectMeta{Name: "keep-me"}})
+				event.deleteResourceSlice("s1")
+				event.deleteResourceSlice("s2")
+			},
+			expectedPatchedSlices: []*resourceapi.ResourceSlice{
+				{ObjectMeta: metav1.ObjectMeta{Name: "keep-me"}},
+			},
+			expectHandlerEvents: func(t *testing.T, events []handlerEvent) {
+				if !assert.Len(t, events, 5) {
+					return
+				}
+				// The first events are adds.
+				assert.Equal(t, handlerEventDelete, events[3].event)
+				assert.Equal(t, "s1", events[3].oldObj.Name)
+				assert.Equal(t, handlerEventDelete, events[4].event)
+				assert.Equal(t, "s2", events[4].oldObj.Name)
+			},
+		},
+		"patch-all-slices": {
+			inputEvents: func(event inputEventGenerator) {
+				event.addResourceSlice(&resourceapi.ResourceSlice{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "slice",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						Devices: []resourceapi.Device{
+							{
+								Basic: &resourceapi.BasicDevice{},
+							},
+						},
+					},
+				})
+				event.addDeviceTaintRule(&resourcealphaapi.DeviceTaintRule{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "all-slices",
+					},
+					Spec: resourcealphaapi.DeviceTaintRuleSpec{
+						DeviceSelector: nil,
+						Taint: resourcealphaapi.DeviceTaint{
+							Key:       "example.com/taint",
+							Value:     "tainted",
+							Effect:    resourcealphaapi.DeviceTaintEffectNoExecute,
+							TimeAdded: &metav1.Time{Time: now},
+						},
+					},
+				})
+			},
+			expectedPatchedSlices: []*resourceapi.ResourceSlice{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "slice",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						Devices: []resourceapi.Device{
+							{
+								Basic: &resourceapi.BasicDevice{
+									Taints: []resourceapi.DeviceTaint{{
+										Key:       "example.com/taint",
+										Value:     "tainted",
+										Effect:    resourceapi.DeviceTaintEffectNoExecute,
+										TimeAdded: &metav1.Time{Time: now},
+									}},
+								},
+							},
+						},
+					},
+				},
+			},
+			expectHandlerEvents: func(t *testing.T, events []handlerEvent) {
+				if !assert.Len(t, events, 2) {
+					return
+				}
+				assert.Equal(t, handlerEventAdd, events[0].event)
+				assert.Equal(t, "slice", events[0].newObj.Name)
+				assert.Equal(t, handlerEventUpdate, events[1].event)
+				assert.Equal(t, "slice", events[1].newObj.Name)
+			},
+		},
+		"update-patch": {
+			inputEvents: func(event inputEventGenerator) {
+				taintRule := &resourcealphaapi.DeviceTaintRule{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "taintRule",
+					},
+					Spec: resourcealphaapi.DeviceTaintRuleSpec{
+						DeviceSelector: &resourcealphaapi.DeviceTaintSelector{
+							Pool: ptr.To("pool-1"),
+						},
+						Taint: resourcealphaapi.DeviceTaint{
+							Key:       "example.com/taint",
+							Value:     "tainted",
+							Effect:    resourcealphaapi.DeviceTaintEffectNoExecute,
+							TimeAdded: &metav1.Time{Time: now},
+						},
+					},
+				}
+				event.addDeviceTaintRule(taintRule.DeepCopy())
+				event.addResourceSlice(&resourceapi.ResourceSlice{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "slice-1",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						Pool: resourceapi.ResourcePool{
+							Name: "pool-1",
+						},
+						Devices: []resourceapi.Device{
+							{
+								Basic: &resourceapi.BasicDevice{},
+							},
+						},
+					},
+				})
+				event.addResourceSlice(&resourceapi.ResourceSlice{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "slice-2",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						Pool: resourceapi.ResourcePool{
+							Name: "pool-2",
+						},
+						Devices: []resourceapi.Device{
+							{
+								Basic: &resourceapi.BasicDevice{},
+							},
+						},
+					},
+				})
+				taintRule.Spec.DeviceSelector.Pool = ptr.To("pool-2")
+				event.addDeviceTaintRule(taintRule)
+			},
+			expectedPatchedSlices: []*resourceapi.ResourceSlice{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "slice-1",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						Pool: resourceapi.ResourcePool{
+							Name: "pool-1",
+						},
+						Devices: []resourceapi.Device{
+							{
+								Basic: &resourceapi.BasicDevice{},
+							},
+						},
+					},
+				},
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "slice-2",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						Pool: resourceapi.ResourcePool{
+							Name: "pool-2",
+						},
+						Devices: []resourceapi.Device{
+							{
+								Basic: &resourceapi.BasicDevice{
+									Taints: []resourceapi.DeviceTaint{{
+										Key:       "example.com/taint",
+										Value:     "tainted",
+										Effect:    resourceapi.DeviceTaintEffectNoExecute,
+										TimeAdded: &metav1.Time{Time: now},
+									}},
+								},
+							},
+						},
+					},
+				},
+			},
+			expectHandlerEvents: func(t *testing.T, events []handlerEvent) {
+				if !assert.Len(t, events, 4) {
+					return
+				}
+				assert.Equal(t, handlerEventAdd, events[0].event)
+				assert.Equal(t, "slice-1", events[0].newObj.Name)
+				assert.Equal(t, handlerEventAdd, events[1].event)
+				assert.Equal(t, "slice-2", events[1].newObj.Name)
+
+				assert.Equal(t, handlerEventUpdate, events[2].event)
+				assert.Equal(t, handlerEventUpdate, events[3].event)
+				assert.ElementsMatch(t, []string{"slice-1", "slice-2"}, []string{events[2].newObj.Name, events[3].newObj.Name})
+			},
+		},
+		"merge-taints": {
+			inputEvents: func(event inputEventGenerator) {
+				event.addDeviceTaintRule(&resourcealphaapi.DeviceTaintRule{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "merge",
+					},
+					Spec: resourcealphaapi.DeviceTaintRuleSpec{
+						DeviceSelector: nil,
+						Taint: resourcealphaapi.DeviceTaint{
+							Key:       "example.com/taint",
+							Value:     "tainted",
+							Effect:    resourcealphaapi.DeviceTaintEffectNoExecute,
+							TimeAdded: &metav1.Time{Time: now},
+						},
+					},
+				})
+				event.addResourceSlice(&resourceapi.ResourceSlice{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "slice",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						Driver: "test.example.com",
+						Devices: []resourceapi.Device{
+							{
+								Basic: &resourceapi.BasicDevice{
+									Taints: []resourceapi.DeviceTaint{{
+										Key:    "example.com/taint2",
+										Value:  "tainted2",
+										Effect: resourceapi.DeviceTaintEffectNoSchedule,
+									}},
+								},
+							},
+						},
+					},
+				})
+			},
+			expectedPatchedSlices: []*resourceapi.ResourceSlice{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "slice",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						Driver: "test.example.com",
+						Devices: []resourceapi.Device{
+							{
+								Basic: &resourceapi.BasicDevice{
+									Taints: []resourceapi.DeviceTaint{
+										{
+											Key:    "example.com/taint2",
+											Value:  "tainted2",
+											Effect: resourceapi.DeviceTaintEffectNoSchedule,
+										},
+										{
+											Key:       "example.com/taint",
+											Value:     "tainted",
+											Effect:    resourceapi.DeviceTaintEffectNoExecute,
+											TimeAdded: &metav1.Time{Time: now},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			expectHandlerEvents: func(t *testing.T, events []handlerEvent) {
+				if !assert.Len(t, events, 1) {
+					return
+				}
+				assert.Equal(t, handlerEventAdd, events[0].event)
+				assert.Equal(t, "slice", events[0].newObj.Name)
+			},
+		},
+		"add-taint-for-driver": {
+			inputEvents: func(event inputEventGenerator) {
+				event.addDeviceTaintRule(&resourcealphaapi.DeviceTaintRule{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "driver",
+					},
+					Spec: resourcealphaapi.DeviceTaintRuleSpec{
+						DeviceSelector: &resourcealphaapi.DeviceTaintSelector{
+							Driver: ptr.To("test.example.com"),
+						},
+						Taint: resourcealphaapi.DeviceTaint{
+							Key:       "example.com/taint",
+							Value:     "tainted",
+							Effect:    resourcealphaapi.DeviceTaintEffectNoExecute,
+							TimeAdded: &metav1.Time{Time: now},
+						},
+					},
+				})
+				event.addResourceSlice(&resourceapi.ResourceSlice{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "slice",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						Driver: "test.example.com",
+						Devices: []resourceapi.Device{
+							{
+								Basic: &resourceapi.BasicDevice{},
+							},
+						},
+					},
+				})
+				event.addResourceSlice(&resourceapi.ResourceSlice{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "wrong-driver",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						Driver: "wrong.example.com",
+						Devices: []resourceapi.Device{
+							{
+								Basic: &resourceapi.BasicDevice{},
+							},
+						},
+					},
+				})
+			},
+			expectedPatchedSlices: []*resourceapi.ResourceSlice{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "slice",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						Driver: "test.example.com",
+						Devices: []resourceapi.Device{
+							{
+								Basic: &resourceapi.BasicDevice{
+									Taints: []resourceapi.DeviceTaint{{
+										Key:       "example.com/taint",
+										Value:     "tainted",
+										Effect:    resourceapi.DeviceTaintEffectNoExecute,
+										TimeAdded: &metav1.Time{Time: now},
+									}},
+								},
+							},
+						},
+					},
+				},
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "wrong-driver",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						Driver: "wrong.example.com",
+						Devices: []resourceapi.Device{
+							{
+								Basic: &resourceapi.BasicDevice{},
+							},
+						},
+					},
+				},
+			},
+			expectHandlerEvents: func(t *testing.T, events []handlerEvent) {
+				if !assert.Len(t, events, 2) {
+					return
+				}
+				assert.Equal(t, handlerEventAdd, events[0].event)
+				assert.Equal(t, "slice", events[0].newObj.Name)
+				assert.Equal(t, handlerEventAdd, events[1].event)
+				assert.Equal(t, "wrong-driver", events[1].newObj.Name)
+			},
+		},
+		"add-taint-for-pool": {
+			inputEvents: func(event inputEventGenerator) {
+				event.addDeviceTaintRule(&resourcealphaapi.DeviceTaintRule{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "pool",
+					},
+					Spec: resourcealphaapi.DeviceTaintRuleSpec{
+						DeviceSelector: &resourcealphaapi.DeviceTaintSelector{
+							Pool: ptr.To("pool"),
+						},
+						Taint: resourcealphaapi.DeviceTaint{
+							Key:       "example.com/taint",
+							Value:     "tainted",
+							Effect:    resourcealphaapi.DeviceTaintEffectNoExecute,
+							TimeAdded: &metav1.Time{Time: now},
+						},
+					},
+				})
+				event.addResourceSlice(&resourceapi.ResourceSlice{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "slice",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						Pool: resourceapi.ResourcePool{
+							Name: "pool",
+						},
+						Devices: []resourceapi.Device{
+							{
+								Basic: &resourceapi.BasicDevice{},
+							},
+						},
+					},
+				})
+				event.addResourceSlice(&resourceapi.ResourceSlice{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "wrong-pool",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						Pool: resourceapi.ResourcePool{
+							Name: "other",
+						},
+						Devices: []resourceapi.Device{
+							{
+								Basic: &resourceapi.BasicDevice{},
+							},
+						},
+					},
+				})
+			},
+			expectedPatchedSlices: []*resourceapi.ResourceSlice{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "slice",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						Pool: resourceapi.ResourcePool{
+							Name: "pool",
+						},
+						Devices: []resourceapi.Device{
+							{
+								Basic: &resourceapi.BasicDevice{
+									Taints: []resourceapi.DeviceTaint{{
+										Key:       "example.com/taint",
+										Value:     "tainted",
+										Effect:    resourceapi.DeviceTaintEffectNoExecute,
+										TimeAdded: &metav1.Time{Time: now},
+									}},
+								},
+							},
+						},
+					},
+				},
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "wrong-pool",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						Pool: resourceapi.ResourcePool{
+							Name: "other",
+						},
+						Devices: []resourceapi.Device{
+							{
+								Basic: &resourceapi.BasicDevice{},
+							},
+						},
+					},
+				},
+			},
+			expectHandlerEvents: func(t *testing.T, events []handlerEvent) {
+				if !assert.Len(t, events, 2) {
+					return
+				}
+				assert.Equal(t, handlerEventAdd, events[0].event)
+				assert.Equal(t, "slice", events[0].newObj.Name)
+				assert.Equal(t, handlerEventAdd, events[1].event)
+				assert.Equal(t, "wrong-pool", events[1].newObj.Name)
+			},
+		},
+		"add-taint-for-device": {
+			inputEvents: func(event inputEventGenerator) {
+				event.addDeviceTaintRule(&resourcealphaapi.DeviceTaintRule{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "device",
+					},
+					Spec: resourcealphaapi.DeviceTaintRuleSpec{
+						DeviceSelector: &resourcealphaapi.DeviceTaintSelector{
+							Device: ptr.To("device"),
+						},
+						Taint: resourcealphaapi.DeviceTaint{
+							Key:       "example.com/taint",
+							Value:     "tainted",
+							Effect:    resourcealphaapi.DeviceTaintEffectNoExecute,
+							TimeAdded: &metav1.Time{Time: now},
+						},
+					},
+				})
+				event.addResourceSlice(&resourceapi.ResourceSlice{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "slice",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						Pool: resourceapi.ResourcePool{
+							Name: "pool",
+						},
+						Devices: []resourceapi.Device{
+							{
+								Name:  "device",
+								Basic: &resourceapi.BasicDevice{},
+							},
+							{
+								Name:  "wrong-device",
+								Basic: &resourceapi.BasicDevice{},
+							},
+						},
+					},
+				})
+			},
+			expectedPatchedSlices: []*resourceapi.ResourceSlice{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "slice",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						Pool: resourceapi.ResourcePool{
+							Name: "pool",
+						},
+						Devices: []resourceapi.Device{
+							{
+								Name: "device",
+								Basic: &resourceapi.BasicDevice{
+									Taints: []resourceapi.DeviceTaint{{
+										Key:       "example.com/taint",
+										Value:     "tainted",
+										Effect:    resourceapi.DeviceTaintEffectNoExecute,
+										TimeAdded: &metav1.Time{Time: now},
+									}},
+								},
+							},
+							{
+								Name:  "wrong-device",
+								Basic: &resourceapi.BasicDevice{},
+							},
+						},
+					},
+				},
+			},
+			expectHandlerEvents: func(t *testing.T, events []handlerEvent) {
+				if !assert.Len(t, events, 1) {
+					return
+				}
+				assert.Equal(t, handlerEventAdd, events[0].event)
+				assert.Equal(t, "slice", events[0].newObj.Name)
+			},
+		},
+		"add-attribute-for-selector": {
+			inputEvents: func(event inputEventGenerator) {
+				event.addDeviceTaintRule(&resourcealphaapi.DeviceTaintRule{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "selector",
+					},
+					Spec: resourcealphaapi.DeviceTaintRuleSpec{
+						DeviceSelector: &resourcealphaapi.DeviceTaintSelector{
+							Selectors: []resourcealphaapi.DeviceSelector{
+								{
+									CEL: &resourcealphaapi.CELDeviceSelector{
+										Expression: `device.driver == "test.example.com"`,
+									},
+								},
+							},
+						},
+						Taint: resourcealphaapi.DeviceTaint{
+							Key:       "example.com/taint",
+							Value:     "tainted",
+							Effect:    resourcealphaapi.DeviceTaintEffectNoExecute,
+							TimeAdded: &metav1.Time{Time: now},
+						},
+					},
+				})
+				event.addResourceSlice(&resourceapi.ResourceSlice{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "slice",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						Driver: "test.example.com",
+						Devices: []resourceapi.Device{
+							{
+								Basic: &resourceapi.BasicDevice{},
+							},
+						},
+					},
+				})
+				event.addResourceSlice(&resourceapi.ResourceSlice{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "wrong-driver",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						Driver: "wrong.example.com",
+						Devices: []resourceapi.Device{
+							{
+								Basic: &resourceapi.BasicDevice{},
+							},
+						},
+					},
+				})
+			},
+			expectedPatchedSlices: []*resourceapi.ResourceSlice{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "slice",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						Driver: "test.example.com",
+						Devices: []resourceapi.Device{
+							{
+								Basic: &resourceapi.BasicDevice{
+									Taints: []resourceapi.DeviceTaint{{
+										Key:       "example.com/taint",
+										Value:     "tainted",
+										Effect:    resourceapi.DeviceTaintEffectNoExecute,
+										TimeAdded: &metav1.Time{Time: now},
+									}},
+								},
+							},
+						},
+					},
+				},
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "wrong-driver",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						Driver: "wrong.example.com",
+						Devices: []resourceapi.Device{
+							{
+								Basic: &resourceapi.BasicDevice{},
+							},
+						},
+					},
+				},
+			},
+			expectHandlerEvents: func(t *testing.T, events []handlerEvent) {
+				if !assert.Len(t, events, 2) {
+					return
+				}
+				assert.Equal(t, handlerEventAdd, events[0].event)
+				assert.Equal(t, "slice", events[0].newObj.Name)
+				assert.Equal(t, handlerEventAdd, events[1].event)
+				assert.Equal(t, "wrong-driver", events[1].newObj.Name)
+			},
+		},
+		"selector-does-not-match": {
+			inputEvents: func(event inputEventGenerator) {
+				event.addDeviceTaintRule(&resourcealphaapi.DeviceTaintRule{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "selector",
+					},
+					Spec: resourcealphaapi.DeviceTaintRuleSpec{
+						DeviceSelector: &resourcealphaapi.DeviceTaintSelector{
+							Selectors: []resourcealphaapi.DeviceSelector{
+								{
+									CEL: &resourcealphaapi.CELDeviceSelector{
+										Expression: `true`,
+									},
+								},
+								{
+									CEL: &resourcealphaapi.CELDeviceSelector{
+										Expression: `false`,
+									},
+								},
+								{
+									CEL: &resourcealphaapi.CELDeviceSelector{
+										Expression: `true`,
+									},
+								},
+							},
+						},
+						Taint: resourcealphaapi.DeviceTaint{
+							Key:       "example.com/taint",
+							Value:     "tainted",
+							Effect:    resourcealphaapi.DeviceTaintEffectNoExecute,
+							TimeAdded: &metav1.Time{Time: now},
+						},
+					},
+				})
+				event.addResourceSlice(&resourceapi.ResourceSlice{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "slice",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						Driver: "test.example.com",
+						Devices: []resourceapi.Device{
+							{
+								Basic: &resourceapi.BasicDevice{},
+							},
+						},
+					},
+				})
+			},
+			expectedPatchedSlices: []*resourceapi.ResourceSlice{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "slice",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						Driver: "test.example.com",
+						Devices: []resourceapi.Device{
+							{
+								Basic: &resourceapi.BasicDevice{},
+							},
+						},
+					},
+				},
+			},
+			expectHandlerEvents: func(t *testing.T, events []handlerEvent) {
+				if !assert.Len(t, events, 1) {
+					return
+				}
+				assert.Equal(t, handlerEventAdd, events[0].event)
+				assert.Equal(t, "slice", events[0].newObj.Name)
+			},
+		},
+		"runtime-CEL-errors-skip-devices": {
+			inputEvents: func(event inputEventGenerator) {
+				event.addDeviceTaintRule(&resourcealphaapi.DeviceTaintRule{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "selector",
+					},
+					Spec: resourcealphaapi.DeviceTaintRuleSpec{
+						DeviceSelector: &resourcealphaapi.DeviceTaintSelector{
+							Selectors: []resourcealphaapi.DeviceSelector{
+								{
+									CEL: &resourcealphaapi.CELDeviceSelector{
+										Expression: `device.attributes["test.example.com"].deviceAttr`,
+									},
+								},
+							},
+						},
+						Taint: resourcealphaapi.DeviceTaint{
+							Key:       "example.com/taint",
+							Value:     "tainted",
+							Effect:    resourcealphaapi.DeviceTaintEffectNoExecute,
+							TimeAdded: &metav1.Time{Time: now},
+						},
+					},
+				})
+				event.addResourceSlice(&resourceapi.ResourceSlice{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "slice",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						Driver: "test.example.com",
+						Devices: []resourceapi.Device{
+							{
+								Basic: &resourceapi.BasicDevice{},
+							},
+							{
+								Basic: &resourceapi.BasicDevice{
+									Taints: []resourceapi.DeviceTaint{{
+										Key:       "example.com/taint",
+										Value:     "tainted",
+										Effect:    resourceapi.DeviceTaintEffectNoExecute,
+										TimeAdded: &metav1.Time{Time: now},
+									}},
+								},
+							},
+						},
+					},
+				})
+			},
+			expectedPatchedSlices: []*resourceapi.ResourceSlice{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "slice",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						Driver: "test.example.com",
+						Devices: []resourceapi.Device{
+							{
+								Basic: &resourceapi.BasicDevice{},
+							},
+							{
+								Basic: &resourceapi.BasicDevice{
+									Taints: []resourceapi.DeviceTaint{{
+										Key:       "example.com/taint",
+										Value:     "tainted",
+										Effect:    resourceapi.DeviceTaintEffectNoExecute,
+										TimeAdded: &metav1.Time{Time: now},
+									}},
+								},
+							},
+						},
+					},
+				},
+			},
+			expectEvents: func(t *assert.CollectT, events *v1.EventList) {
+				if !assert.Len(t, events.Items, 1) {
+					return
+				}
+				assert.Equal(t, "selector", events.Items[0].InvolvedObject.Name)
+				assert.Equal(t, "CELRuntimeError", events.Items[0].Reason)
+			},
+			expectHandlerEvents: func(t *testing.T, events []handlerEvent) {
+				if !assert.Len(t, events, 1) {
+					return
+				}
+				assert.Equal(t, handlerEventAdd, events[0].event)
+				assert.Equal(t, "slice", events[0].newObj.Name)
+			},
+		},
+		"invalid-CEL-expression-throws-error": {
+			inputEvents: func(event inputEventGenerator) {
+				event.addDeviceTaintRule(&resourcealphaapi.DeviceTaintRule{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "selector",
+					},
+					Spec: resourcealphaapi.DeviceTaintRuleSpec{
+						DeviceSelector: &resourcealphaapi.DeviceTaintSelector{
+							Selectors: []resourcealphaapi.DeviceSelector{
+								{
+									CEL: &resourcealphaapi.CELDeviceSelector{
+										Expression: `invalid`,
+									},
+								},
+							},
+						},
+					},
+				})
+				event.addResourceSlice(&resourceapi.ResourceSlice{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "slice",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						Devices: []resourceapi.Device{
+							{
+								Basic: &resourceapi.BasicDevice{},
+							},
+						},
+					},
+				})
+			},
+			expectedPatchedSlices: []*resourceapi.ResourceSlice{},
+			expectUnhandledErrors: func(t *testing.T, errs []error) {
+				if !assert.Len(t, errs, 1) {
+					return
+				}
+				assert.ErrorContains(t, errs[0], "CEL compile error")
+			},
+		},
+		"add-taint-for-device-class": {
+			inputEvents: func(event inputEventGenerator) {
+				event.addDeviceClass(&resourceapi.DeviceClass{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "class.example.com",
+					},
+					Spec: resourceapi.DeviceClassSpec{
+						Selectors: []resourceapi.DeviceSelector{
+							{
+								CEL: &resourceapi.CELDeviceSelector{
+									Expression: `device.driver == "test.example.com"`,
+								},
+							},
+						},
+					},
+				})
+				event.addDeviceTaintRule(&resourcealphaapi.DeviceTaintRule{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "device-class",
+					},
+					Spec: resourcealphaapi.DeviceTaintRuleSpec{
+						DeviceSelector: &resourcealphaapi.DeviceTaintSelector{
+							DeviceClassName: ptr.To("class.example.com"),
+						},
+						Taint: resourcealphaapi.DeviceTaint{
+							Key:       "example.com/taint",
+							Value:     "tainted",
+							Effect:    resourcealphaapi.DeviceTaintEffectNoExecute,
+							TimeAdded: &metav1.Time{Time: now},
+						},
+					},
+				})
+				event.addResourceSlice(&resourceapi.ResourceSlice{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "slice",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						Driver: "test.example.com",
+						Devices: []resourceapi.Device{
+							{
+								Basic: &resourceapi.BasicDevice{},
+							},
+						},
+					},
+				})
+				event.addResourceSlice(&resourceapi.ResourceSlice{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "wrong-driver",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						Driver: "wrong.example.com",
+						Devices: []resourceapi.Device{
+							{
+								Basic: &resourceapi.BasicDevice{},
+							},
+						},
+					},
+				})
+			},
+			expectedPatchedSlices: []*resourceapi.ResourceSlice{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "slice",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						Driver: "test.example.com",
+						Devices: []resourceapi.Device{
+							{
+								Basic: &resourceapi.BasicDevice{
+									Taints: []resourceapi.DeviceTaint{{
+										Key:       "example.com/taint",
+										Value:     "tainted",
+										Effect:    resourceapi.DeviceTaintEffectNoExecute,
+										TimeAdded: &metav1.Time{Time: now},
+									}},
+								},
+							},
+						},
+					},
+				},
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "wrong-driver",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						Driver: "wrong.example.com",
+						Devices: []resourceapi.Device{
+							{
+								Basic: &resourceapi.BasicDevice{},
+							},
+						},
+					},
+				},
+			},
+			expectHandlerEvents: func(t *testing.T, events []handlerEvent) {
+				if !assert.Len(t, events, 2) {
+					return
+				}
+				assert.Equal(t, handlerEventAdd, events[0].event)
+				assert.Equal(t, "slice", events[0].newObj.Name)
+				assert.Equal(t, handlerEventAdd, events[1].event)
+				assert.Equal(t, "wrong-driver", events[1].newObj.Name)
+			},
+		},
+		"filter-all-criteria": {
+			inputEvents: func(event inputEventGenerator) {
+				event.addDeviceClass(&resourceapi.DeviceClass{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "class.example.com",
+					},
+					Spec: resourceapi.DeviceClassSpec{
+						Selectors: []resourceapi.DeviceSelector{
+							{
+								CEL: &resourceapi.CELDeviceSelector{
+									Expression: `device.driver == "test.example.com"`,
+								},
+							},
+						},
+					},
+				})
+				event.addDeviceTaintRule(&resourcealphaapi.DeviceTaintRule{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "all-criteria",
+					},
+					Spec: resourcealphaapi.DeviceTaintRuleSpec{
+						DeviceSelector: &resourcealphaapi.DeviceTaintSelector{
+							DeviceClassName: ptr.To("class.example.com"),
+							Driver:          ptr.To("test.example.com"),
+							Pool:            ptr.To("pool"),
+							Device:          ptr.To("device"),
+							Selectors: []resourcealphaapi.DeviceSelector{
+								{
+									CEL: &resourcealphaapi.CELDeviceSelector{
+										Expression: `true`,
+									},
+								},
+							},
+						},
+						Taint: resourcealphaapi.DeviceTaint{
+							Key:       "example.com/taint",
+							Value:     "tainted",
+							Effect:    resourcealphaapi.DeviceTaintEffectNoExecute,
+							TimeAdded: &metav1.Time{Time: now},
+						},
+					},
+				})
+				event.addResourceSlice(&resourceapi.ResourceSlice{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "slice",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						Driver: "test.example.com",
+						Pool: resourceapi.ResourcePool{
+							Name: "pool",
+						},
+						Devices: []resourceapi.Device{
+							{
+								Name:  "device",
+								Basic: &resourceapi.BasicDevice{},
+							},
+						},
+					},
+				})
+				event.addResourceSlice(&resourceapi.ResourceSlice{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "wrong-driver",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						Driver: "wrong.example.com",
+						Devices: []resourceapi.Device{
+							{
+								Basic: &resourceapi.BasicDevice{},
+							},
+						},
+					},
+				})
+			},
+			expectedPatchedSlices: []*resourceapi.ResourceSlice{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "slice",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						Driver: "test.example.com",
+						Pool: resourceapi.ResourcePool{
+							Name: "pool",
+						},
+						Devices: []resourceapi.Device{
+							{
+								Name: "device",
+								Basic: &resourceapi.BasicDevice{
+									Taints: []resourceapi.DeviceTaint{{
+										Key:       "example.com/taint",
+										Value:     "tainted",
+										Effect:    resourceapi.DeviceTaintEffectNoExecute,
+										TimeAdded: &metav1.Time{Time: now},
+									}},
+								},
+							},
+						},
+					},
+				},
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "wrong-driver",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						Driver: "wrong.example.com",
+						Devices: []resourceapi.Device{
+							{
+								Basic: &resourceapi.BasicDevice{},
+							},
+						},
+					},
+				},
+			},
+			expectHandlerEvents: func(t *testing.T, events []handlerEvent) {
+				if !assert.Len(t, events, 2) {
+					return
+				}
+				assert.Equal(t, handlerEventAdd, events[0].event)
+				assert.Equal(t, "slice", events[0].newObj.Name)
+				assert.Equal(t, handlerEventAdd, events[1].event)
+				assert.Equal(t, "wrong-driver", events[1].newObj.Name)
+			},
+		},
+		"update-patched-slice": {
+			inputEvents: func(event inputEventGenerator) {
+				event.addDeviceTaintRule(&resourcealphaapi.DeviceTaintRule{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "all-slices",
+					},
+					Spec: resourcealphaapi.DeviceTaintRuleSpec{
+						DeviceSelector: &resourcealphaapi.DeviceTaintSelector{
+							Device: ptr.To("device-1"),
+						},
+						Taint: resourcealphaapi.DeviceTaint{
+							Key:       "example.com/taint",
+							Value:     "tainted",
+							Effect:    resourcealphaapi.DeviceTaintEffectNoExecute,
+							TimeAdded: &metav1.Time{Time: now},
+						},
+					},
+				})
+				oneDevice := []resourceapi.Device{
+					{Name: "device-1", Basic: &resourceapi.BasicDevice{}},
+				}
+				threeDevices := []resourceapi.Device{
+					{Name: "device-0", Basic: &resourceapi.BasicDevice{}},
+					{Name: "device-1", Basic: &resourceapi.BasicDevice{}},
+					{Name: "device-2", Basic: &resourceapi.BasicDevice{}},
+				}
+				devicesAdded := &resourceapi.ResourceSlice{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "devices-added",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						Devices: oneDevice,
+					},
+				}
+				devicesRemoved := &resourceapi.ResourceSlice{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "devices-removed",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						Devices: threeDevices,
+					},
+				}
+				event.addResourceSlice(devicesAdded.DeepCopy())
+				devicesAdded.Spec.Devices = threeDevices
+				event.addResourceSlice(devicesAdded)
+				event.addResourceSlice(devicesRemoved.DeepCopy())
+				devicesRemoved.Spec.Devices = oneDevice
+				event.addResourceSlice(devicesRemoved)
+			},
+			expectedPatchedSlices: []*resourceapi.ResourceSlice{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "devices-added",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						Devices: []resourceapi.Device{
+							{Name: "device-0", Basic: &resourceapi.BasicDevice{}},
+							{
+								Name: "device-1",
+								Basic: &resourceapi.BasicDevice{
+									Taints: []resourceapi.DeviceTaint{{
+										Key:       "example.com/taint",
+										Value:     "tainted",
+										Effect:    resourceapi.DeviceTaintEffectNoExecute,
+										TimeAdded: &metav1.Time{Time: now},
+									}},
+								},
+							},
+							{Name: "device-2", Basic: &resourceapi.BasicDevice{}},
+						},
+					},
+				},
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "devices-removed",
+					},
+					Spec: resourceapi.ResourceSliceSpec{
+						Devices: []resourceapi.Device{
+							{
+								Name: "device-1",
+								Basic: &resourceapi.BasicDevice{
+									Taints: []resourceapi.DeviceTaint{{
+										Key:       "example.com/taint",
+										Value:     "tainted",
+										Effect:    resourceapi.DeviceTaintEffectNoExecute,
+										TimeAdded: &metav1.Time{Time: now},
+									}},
+								},
+							},
+						},
+					},
+				},
+			},
+			expectHandlerEvents: func(t *testing.T, events []handlerEvent) {
+				if !assert.Len(t, events, 4) {
+					return
+				}
+				assert.Equal(t, handlerEventAdd, events[0].event)
+				assert.Equal(t, "devices-added", events[0].newObj.Name)
+				assert.Equal(t, handlerEventUpdate, events[1].event)
+				assert.Equal(t, "devices-added", events[1].newObj.Name)
+				assert.Equal(t, handlerEventAdd, events[2].event)
+				assert.Equal(t, "devices-removed", events[2].newObj.Name)
+				assert.Equal(t, handlerEventUpdate, events[3].event)
+				assert.Equal(t, "devices-removed", events[3].newObj.Name)
+			},
+		},
+	}
+
+	for name, test := range tests {
+		t.Run(name, func(t *testing.T) {
+			_, ctx := ktesting.NewTestContext(t)
+
+			kubeClient := fake.NewSimpleClientset()
+			informerFactory := informers.NewSharedInformerFactoryWithOptions(kubeClient, 10*time.Minute)
+
+			var handlerEvents []handlerEvent
+			handler := cache.ResourceEventHandlerFuncs{
+				AddFunc: func(obj interface{}) {
+					handlerEvents = append(handlerEvents, handlerEvent{event: handlerEventAdd, newObj: obj.(*resourceapi.ResourceSlice)})
+				},
+				UpdateFunc: func(oldObj, newObj interface{}) {
+					handlerEvents = append(handlerEvents, handlerEvent{event: handlerEventUpdate, oldObj: oldObj.(*resourceapi.ResourceSlice), newObj: newObj.(*resourceapi.ResourceSlice)})
+				},
+				DeleteFunc: func(obj interface{}) {
+					handlerEvents = append(handlerEvents, handlerEvent{event: handlerEventDelete, oldObj: obj.(*resourceapi.ResourceSlice)})
+				},
+			}
+
+			opts := Options{
+				EnableDeviceTaints: !test.deviceTaintsDisabled,
+				SliceInformer:      informerFactory.Resource().V1beta1().ResourceSlices(),
+				TaintInformer:      informerFactory.Resource().V1alpha3().DeviceTaintRules(),
+				ClassInformer:      informerFactory.Resource().V1beta1().DeviceClasses(),
+				KubeClient:         kubeClient,
+			}
+			tracker, err := newTracker(ctx, opts)
+			require.NoError(t, err)
+			var unhandledErrors []error
+			tracker.handleError = func(_ context.Context, err error, _ string, _ ...any) {
+				unhandledErrors = append(unhandledErrors, err)
+			}
+			_, _ = tracker.AddEventHandler(handler)
+
+			if test.inputEvents != nil {
+				test.inputEvents(inputEventGeneratorForTest(ctx, t, tracker))
+			}
+
+			expectHandlerEvents := test.expectHandlerEvents
+			if expectHandlerEvents == nil {
+				expectHandlerEvents = func(t *testing.T, events []handlerEvent) {
+					assert.Empty(t, events)
+				}
+			}
+			expectHandlerEvents(t, handlerEvents)
+
+			expectUnhandledErrors := test.expectUnhandledErrors
+			if expectUnhandledErrors == nil {
+				expectUnhandledErrors = func(t *testing.T, errs []error) {
+					assert.Empty(t, errs)
+				}
+			}
+			expectUnhandledErrors(t, unhandledErrors)
+
+			// Check ResourceSlices
+			patchedResourceSlices, err := tracker.ListPatchedResourceSlices()
+			require.NoError(t, err, "list patched resource slices")
+			sortResourceSlicesFunc := func(s1, s2 *resourceapi.ResourceSlice) int {
+				return stdcmp.Compare(s1.Name, s2.Name)
+			}
+			slices.SortFunc(test.expectedPatchedSlices, sortResourceSlicesFunc)
+			slices.SortFunc(patchedResourceSlices, sortResourceSlicesFunc)
+			assert.Equal(t, test.expectedPatchedSlices, patchedResourceSlices)
+			expectEvents := test.expectEvents
+			if expectEvents == nil {
+				expectEvents = func(t *assert.CollectT, events *v1.EventList) {
+					assert.Empty(t, events.Items)
+				}
+			}
+			// Events are generated asynchronously. While shutting down the event recorder will flush all
+			// pending events, it is not possible to determine when exactly that flush is complete.
+			assert.EventuallyWithT(
+				t,
+				func(t *assert.CollectT) {
+					events, err := kubeClient.CoreV1().Events("").List(ctx, metav1.ListOptions{})
+					require.NoError(t, err, "list events")
+					expectEvents(t, events)
+				},
+				1*time.Second,
+				10*time.Millisecond,
+				"did not observe expected events",
+			)
+		})
+	}
+}
+
+func BenchmarkEventHandlers(b *testing.B) {
+	now := time.Now()
+	benchmarks := map[string]struct {
+		resourceSlices []*resourceapi.ResourceSlice
+		taintRules     []*resourcealphaapi.DeviceTaintRule
+		loop           func(ctx context.Context, b *testing.B, tracker *Tracker, resourceSlices []*resourceapi.ResourceSlice, taintRules []*resourcealphaapi.DeviceTaintRule, i int)
+	}{
+		"resource-slice-add-no-taint-rules": {
+			resourceSlices: func() []*resourceapi.ResourceSlice {
+				resourceSlices := make([]*resourceapi.ResourceSlice, 1000)
+				for i := range resourceSlices {
+					resourceSlices[i] = &resourceapi.ResourceSlice{
+						ObjectMeta: metav1.ObjectMeta{
+							Name: "slice-" + strconv.Itoa(i),
+						},
+						Spec: resourceapi.ResourceSliceSpec{
+							Devices: slices.Repeat([]resourceapi.Device{{Basic: &resourceapi.BasicDevice{}}}, 64),
+						},
+					}
+				}
+				return resourceSlices
+			}(),
+			loop: func(ctx context.Context, b *testing.B, tracker *Tracker, resourceSlices []*resourceapi.ResourceSlice, _ []*resourcealphaapi.DeviceTaintRule, i int) {
+				tracker.resourceSliceAdd(ctx)(resourceSlices[i%len(resourceSlices)])
+			},
+		},
+		"one-patch-to-many-slices-add-taint-rule": {
+			resourceSlices: func() []*resourceapi.ResourceSlice {
+				resourceSlices := make([]*resourceapi.ResourceSlice, 500)
+				for i := range resourceSlices {
+					resourceSlices[i] = &resourceapi.ResourceSlice{
+						ObjectMeta: metav1.ObjectMeta{
+							Name: "slice-" + strconv.Itoa(i),
+						},
+						Spec: resourceapi.ResourceSliceSpec{
+							Devices: slices.Repeat([]resourceapi.Device{{Basic: &resourceapi.BasicDevice{}}}, 64),
+						},
+					}
+				}
+				return resourceSlices
+			}(),
+			taintRules: []*resourcealphaapi.DeviceTaintRule{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "taintRule",
+					},
+					Spec: resourcealphaapi.DeviceTaintRuleSpec{
+						DeviceSelector: nil, // all slices
+						Taint: resourcealphaapi.DeviceTaint{
+							Key:       "example.com/taint",
+							Value:     "tainted",
+							Effect:    resourcealphaapi.DeviceTaintEffectNoExecute,
+							TimeAdded: &metav1.Time{Time: now},
+						},
+					},
+				},
+			},
+			loop: func(ctx context.Context, b *testing.B, tracker *Tracker, resourceSlices []*resourceapi.ResourceSlice, taintRules []*resourcealphaapi.DeviceTaintRule, i int) {
+				tracker.deviceTaintAdd(ctx)(taintRules[i%len(taintRules)])
+			},
+		},
+		"one-patch-to-many-slices-add-slice": {
+			resourceSlices: func() []*resourceapi.ResourceSlice {
+				resourceSlices := make([]*resourceapi.ResourceSlice, 500)
+				for i := range resourceSlices {
+					resourceSlices[i] = &resourceapi.ResourceSlice{
+						ObjectMeta: metav1.ObjectMeta{
+							Name: "slice-" + strconv.Itoa(i),
+						},
+						Spec: resourceapi.ResourceSliceSpec{
+							Devices: slices.Repeat([]resourceapi.Device{{Basic: &resourceapi.BasicDevice{}}}, 64),
+						},
+					}
+				}
+				return resourceSlices
+			}(),
+			taintRules: []*resourcealphaapi.DeviceTaintRule{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "taintRule",
+					},
+					Spec: resourcealphaapi.DeviceTaintRuleSpec{
+						DeviceSelector: nil, // all slices
+						Taint: resourcealphaapi.DeviceTaint{
+							Key:       "example.com/taint",
+							Value:     "tainted",
+							Effect:    resourcealphaapi.DeviceTaintEffectNoExecute,
+							TimeAdded: &metav1.Time{Time: now},
+						},
+					},
+				},
+			},
+			loop: func(ctx context.Context, b *testing.B, tracker *Tracker, resourceSlices []*resourceapi.ResourceSlice, _ []*resourcealphaapi.DeviceTaintRule, i int) {
+				tracker.resourceSliceAdd(ctx)(resourceSlices[i%len(resourceSlices)])
+			},
+		},
+		"one-patched-device-among-many-slices-add-taint-rule": {
+			resourceSlices: func() []*resourceapi.ResourceSlice {
+				nSlices := 500
+				nDevices := 64
+				resourceSlices := make([]*resourceapi.ResourceSlice, nSlices)
+				for i := range resourceSlices {
+					resourceSlices[i] = &resourceapi.ResourceSlice{
+						ObjectMeta: metav1.ObjectMeta{
+							Name: "slice-" + strconv.Itoa(i),
+						},
+						Spec: resourceapi.ResourceSliceSpec{
+							Pool: resourceapi.ResourcePool{
+								Name: "pool-" + strconv.Itoa(i),
+							},
+							Devices: func() []resourceapi.Device {
+								devices := make([]resourceapi.Device, nDevices)
+								for j := range devices {
+									devices[j] = resourceapi.Device{
+										Name:  "device-" + strconv.Itoa(j),
+										Basic: &resourceapi.BasicDevice{},
+									}
+								}
+								return devices
+							}(),
+						},
+					}
+				}
+				resourceSlices[nSlices/2].Spec.Devices[nDevices/2].Name = "patchme"
+				return resourceSlices
+			}(),
+			taintRules: []*resourcealphaapi.DeviceTaintRule{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "taintRule",
+					},
+					Spec: resourcealphaapi.DeviceTaintRuleSpec{
+						DeviceSelector: &resourcealphaapi.DeviceTaintSelector{
+							Device: ptr.To("patchme"),
+						},
+						Taint: resourcealphaapi.DeviceTaint{
+							Key:       "example.com/taint",
+							Value:     "tainted",
+							Effect:    resourcealphaapi.DeviceTaintEffectNoExecute,
+							TimeAdded: &metav1.Time{Time: now},
+						},
+					},
+				},
+			},
+			loop: func(ctx context.Context, b *testing.B, tracker *Tracker, resourceSlices []*resourceapi.ResourceSlice, taintRules []*resourcealphaapi.DeviceTaintRule, i int) {
+				tracker.deviceTaintAdd(ctx)(taintRules[i%len(taintRules)])
+			},
+		},
+		"one-patched-device-among-many-slices-add-slice": {
+			resourceSlices: func() []*resourceapi.ResourceSlice {
+				resourceSlices := make([]*resourceapi.ResourceSlice, 500)
+				for i := range resourceSlices {
+					resourceSlices[i] = &resourceapi.ResourceSlice{
+						ObjectMeta: metav1.ObjectMeta{
+							Name: "slice-" + strconv.Itoa(i),
+						},
+						Spec: resourceapi.ResourceSliceSpec{
+							Pool: resourceapi.ResourcePool{
+								Name: "pool-" + strconv.Itoa(i),
+							},
+							Devices: func() []resourceapi.Device {
+								nDevices := 64
+								devices := slices.Repeat([]resourceapi.Device{{Basic: &resourceapi.BasicDevice{}}}, nDevices)
+								devices[nDevices/2].Name = "patchme"
+								return devices
+							}(),
+						},
+					}
+				}
+				return resourceSlices
+			}(),
+			taintRules: []*resourcealphaapi.DeviceTaintRule{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "patch",
+					},
+					Spec: resourcealphaapi.DeviceTaintRuleSpec{
+						DeviceSelector: &resourcealphaapi.DeviceTaintSelector{
+							Pool:   ptr.To("pool-250"),
+							Device: ptr.To("patchme"),
+						},
+						Taint: resourcealphaapi.DeviceTaint{
+							Key:       "example.com/taint",
+							Value:     "tainted",
+							Effect:    resourcealphaapi.DeviceTaintEffectNoExecute,
+							TimeAdded: &metav1.Time{Time: now},
+						},
+					},
+				},
+			},
+			loop: func(ctx context.Context, b *testing.B, tracker *Tracker, resourceSlices []*resourceapi.ResourceSlice, patches []*resourcealphaapi.DeviceTaintRule, i int) {
+				tracker.resourceSliceAdd(ctx)(resourceSlices[250]) // the slice affected by the patch
+			},
+		},
+		"one-patch-for-each-of-many-slices-add-taint-rule": {
+			resourceSlices: func() []*resourceapi.ResourceSlice {
+				resourceSlices := make([]*resourceapi.ResourceSlice, 500)
+				for i := range resourceSlices {
+					resourceSlices[i] = &resourceapi.ResourceSlice{
+						ObjectMeta: metav1.ObjectMeta{
+							Name: "slice-" + strconv.Itoa(i),
+						},
+						Spec: resourceapi.ResourceSliceSpec{
+							Pool: resourceapi.ResourcePool{
+								Name: "pool-" + strconv.Itoa(i),
+							},
+							Devices: slices.Repeat([]resourceapi.Device{{Basic: &resourceapi.BasicDevice{}}}, 64),
+						},
+					}
+				}
+				return resourceSlices
+			}(),
+			taintRules: func() []*resourcealphaapi.DeviceTaintRule {
+				patches := make([]*resourcealphaapi.DeviceTaintRule, 500)
+				for i := range patches {
+					patches[i] = &resourcealphaapi.DeviceTaintRule{
+						ObjectMeta: metav1.ObjectMeta{
+							Name: "taint-rule-" + strconv.Itoa(i),
+						},
+						Spec: resourcealphaapi.DeviceTaintRuleSpec{
+							DeviceSelector: &resourcealphaapi.DeviceTaintSelector{
+								Pool: ptr.To("pool-" + strconv.Itoa(i)),
+							},
+							Taint: resourcealphaapi.DeviceTaint{
+								Key:       "example.com/taint",
+								Value:     "tainted",
+								Effect:    resourcealphaapi.DeviceTaintEffectNoExecute,
+								TimeAdded: &metav1.Time{Time: now},
+							},
+						},
+					}
+				}
+				return patches
+			}(),
+			loop: func(ctx context.Context, b *testing.B, tracker *Tracker, resourceSlices []*resourceapi.ResourceSlice, taintRules []*resourcealphaapi.DeviceTaintRule, i int) {
+				tracker.deviceTaintAdd(ctx)(taintRules[i%len(taintRules)])
+			},
+		},
+	}
+
+	newBenchTracker := func(ctx context.Context) *Tracker {
+		kubeClient := fake.NewSimpleClientset()
+		informerFactory := informers.NewSharedInformerFactoryWithOptions(kubeClient, 10*time.Minute)
+		opts := Options{
+			EnableDeviceTaints: true,
+			SliceInformer:      informerFactory.Resource().V1beta1().ResourceSlices(),
+			TaintInformer:      informerFactory.Resource().V1alpha3().DeviceTaintRules(),
+			ClassInformer:      informerFactory.Resource().V1beta1().DeviceClasses(),
+			KubeClient:         kubeClient,
+		}
+		tracker, err := newTracker(ctx, opts)
+		require.NoError(b, err)
+		tracker.handleError = func(_ context.Context, err error, _ string, _ ...any) {
+			b.Error("unexpected unhandled error:", err)
+		}
+		return tracker
+	}
+
+	for name, benchmark := range benchmarks {
+		b.Run(name, func(b *testing.B) {
+			logger, ctx := ktesting.NewTestContext(b)
+			ctx = klog.NewContext(ctx, logger.V(2))
+			tracker := newBenchTracker(ctx)
+
+			for _, slice := range benchmark.resourceSlices {
+				err := tracker.resourceSlices.GetIndexer().Add(slice)
+				require.NoError(b, err)
+			}
+
+			for _, taintRule := range benchmark.taintRules {
+				err := tracker.deviceTaints.GetIndexer().Add(taintRule)
+				require.NoError(b, err)
+			}
+
+			b.ResetTimer()
+			for i := range b.N {
+				benchmark.loop(ctx, b, tracker, benchmark.resourceSlices, benchmark.taintRules, i)
+			}
+		})
+	}
+}

From 6478ca585944dc59630e92f7b5cacff99d952bf6 Mon Sep 17 00:00:00 2001
From: Patrick Ohly <patrick.ohly@intel.com>
Date: Fri, 7 Mar 2025 15:13:14 +0100
Subject: [PATCH 05/11] ktesting: fix per-test logging in TContext.Run and
 WithTB

WithTB was originally defined as "uses the existing logger". But what we want
there and in the newer TContext.Run is the usual per-test logging, now for the
sub-test.
---
 test/utils/ktesting/tcontext.go | 85 +++++++++++++++++----------------
 1 file changed, 45 insertions(+), 40 deletions(-)

diff --git a/test/utils/ktesting/tcontext.go b/test/utils/ktesting/tcontext.go
index 67b94500a82..02ff9eb609e 100644
--- a/test/utils/ktesting/tcontext.go
+++ b/test/utils/ktesting/tcontext.go
@@ -259,45 +259,8 @@ func Init(tb TB, opts ...InitOption) TContext {
 
 	ctx := interruptCtx
 	if c.PerTestOutput {
-		config := ktesting.NewConfig(
-			ktesting.AnyToString(func(v interface{}) string {
-				// For basic types where the string
-				// representation is "obvious" we use
-				// fmt.Sprintf because format.Object always
-				// adds a <"type"> prefix, which is too long
-				// for simple values.
-				switch v := v.(type) {
-				case int, int32, int64, uint, uint32, uint64, float32, float64, bool:
-					return fmt.Sprintf("%v", v)
-				case string:
-					return v
-				default:
-					return strings.TrimSpace(format.Object(v, 1))
-				}
-			}),
-			ktesting.VerbosityFlagName("v"),
-			ktesting.VModuleFlagName("vmodule"),
-			ktesting.BufferLogs(c.BufferLogs),
-		)
-
-		// Copy klog settings instead of making the ktesting logger
-		// configurable directly.
-		var fs flag.FlagSet
-		config.AddFlags(&fs)
-		for _, name := range []string{"v", "vmodule"} {
-			from := flag.CommandLine.Lookup(name)
-			to := fs.Lookup(name)
-			if err := to.Value.Set(from.Value.String()); err != nil {
-				panic(err)
-			}
-		}
-
-		// Ensure consistent logging: this klog.Logger writes to tb, adding the
-		// date/time header, and our own wrapper emulates that behavior for
-		// Log/Logf/...
-		logger := ktesting.NewLogger(tb, config)
+		logger := newLogger(tb, c.BufferLogs)
 		ctx = klog.NewContext(interruptCtx, logger)
-
 		tb = withKlogHeader(tb)
 	}
 
@@ -317,6 +280,47 @@ func Init(tb TB, opts ...InitOption) TContext {
 	return WithCancel(InitCtx(ctx, tb))
 }
 
+func newLogger(tb TB, bufferLogs bool) klog.Logger {
+	config := ktesting.NewConfig(
+		ktesting.AnyToString(func(v interface{}) string {
+			// For basic types where the string
+			// representation is "obvious" we use
+			// fmt.Sprintf because format.Object always
+			// adds a <"type"> prefix, which is too long
+			// for simple values.
+			switch v := v.(type) {
+			case int, int32, int64, uint, uint32, uint64, float32, float64, bool:
+				return fmt.Sprintf("%v", v)
+			case string:
+				return v
+			default:
+				return strings.TrimSpace(format.Object(v, 1))
+			}
+		}),
+		ktesting.VerbosityFlagName("v"),
+		ktesting.VModuleFlagName("vmodule"),
+		ktesting.BufferLogs(bufferLogs),
+	)
+
+	// Copy klog settings instead of making the ktesting logger
+	// configurable directly.
+	var fs flag.FlagSet
+	config.AddFlags(&fs)
+	for _, name := range []string{"v", "vmodule"} {
+		from := flag.CommandLine.Lookup(name)
+		to := fs.Lookup(name)
+		if err := to.Value.Set(from.Value.String()); err != nil {
+			panic(err)
+		}
+	}
+
+	// Ensure consistent logging: this klog.Logger writes to tb, adding the
+	// date/time header, and our own wrapper emulates that behavior for
+	// Log/Logf/...
+	logger := ktesting.NewLogger(tb, config)
+	return logger
+}
+
 type InitOption = initoption.InitOption
 
 // InitCtx is a variant of [Init] which uses an already existing context and
@@ -345,12 +349,13 @@ func InitCtx(ctx context.Context, tb TB, _ ...InitOption) TContext {
 //	       ...
 //	   })
 //
-// WithTB sets up cancellation for the sub-test.
+// WithTB sets up cancellation for the sub-test and uses per-test output.
 //
 // A simpler API is to use TContext.Run as replacement
 // for [testing.T.Run].
 func WithTB(parentCtx TContext, tb TB) TContext {
-	tCtx := InitCtx(parentCtx, tb)
+	tCtx := InitCtx(klog.NewContext(parentCtx, newLogger(tb, false /* don't buffer log output */)), tb)
+
 	tCtx = WithCancel(tCtx)
 	tCtx = WithClients(tCtx,
 		parentCtx.RESTConfig(),

From 13d04d4a92f3069f366738a28d047c6d5275c96c Mon Sep 17 00:00:00 2001
From: Patrick Ohly <patrick.ohly@intel.com>
Date: Wed, 5 Feb 2025 15:07:58 +0100
Subject: [PATCH 06/11] DRA device taints: copy taintseviction controller

This is a verbatim copy of the current pkg/controller/taintseviction code,
revision fc268ecd09c83c564868dbca1984b9ff2c654482 (v1.33.0 plus one commit),
minus the TimedWorker helper.

The intent is to modify the code such that it enforces eviction of pods which
use tainted devices.
---
 pkg/controller/devicetainteviction/OWNERS     |   8 +
 pkg/controller/devicetainteviction/doc.go     |  19 +
 .../devicetainteviction/metrics/metrics.go    |  60 ++
 .../devicetainteviction/taint_eviction.go     | 614 ++++++++++++
 .../taint_eviction_test.go                    | 941 ++++++++++++++++++
 5 files changed, 1642 insertions(+)
 create mode 100644 pkg/controller/devicetainteviction/OWNERS
 create mode 100644 pkg/controller/devicetainteviction/doc.go
 create mode 100644 pkg/controller/devicetainteviction/metrics/metrics.go
 create mode 100644 pkg/controller/devicetainteviction/taint_eviction.go
 create mode 100644 pkg/controller/devicetainteviction/taint_eviction_test.go

diff --git a/pkg/controller/devicetainteviction/OWNERS b/pkg/controller/devicetainteviction/OWNERS
new file mode 100644
index 00000000000..19c02ee0b10
--- /dev/null
+++ b/pkg/controller/devicetainteviction/OWNERS
@@ -0,0 +1,8 @@
+# See the OWNERS docs at https://go.k8s.io/owners
+
+approvers:
+  - sig-scheduling-maintainers
+reviewers:
+  - sig-scheduling
+labels:
+  - sig/scheduling
diff --git a/pkg/controller/devicetainteviction/doc.go b/pkg/controller/devicetainteviction/doc.go
new file mode 100644
index 00000000000..aac6640aa28
--- /dev/null
+++ b/pkg/controller/devicetainteviction/doc.go
@@ -0,0 +1,19 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package tainteviction contains the logic implementing taint-based eviction
+// for Pods running on Nodes with NoExecute taints.
+package tainteviction
diff --git a/pkg/controller/devicetainteviction/metrics/metrics.go b/pkg/controller/devicetainteviction/metrics/metrics.go
new file mode 100644
index 00000000000..600c22c81e7
--- /dev/null
+++ b/pkg/controller/devicetainteviction/metrics/metrics.go
@@ -0,0 +1,60 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package metrics
+
+import (
+	"sync"
+
+	"k8s.io/component-base/metrics"
+	"k8s.io/component-base/metrics/legacyregistry"
+)
+
+const taintEvictionControllerSubsystem = "taint_eviction_controller"
+
+var (
+	// PodDeletionsTotal counts the number of Pods deleted by TaintEvictionController since its start.
+	PodDeletionsTotal = metrics.NewCounter(
+		&metrics.CounterOpts{
+			Subsystem:      taintEvictionControllerSubsystem,
+			Name:           "pod_deletions_total",
+			Help:           "Total number of Pods deleted by TaintEvictionController since its start.",
+			StabilityLevel: metrics.ALPHA,
+		},
+	)
+
+	// PodDeletionsLatency tracks the latency, in seconds, between the time when a taint effect has been activated
+	// for the Pod and its deletion.
+	PodDeletionsLatency = metrics.NewHistogram(
+		&metrics.HistogramOpts{
+			Subsystem:      taintEvictionControllerSubsystem,
+			Name:           "pod_deletion_duration_seconds",
+			Help:           "Latency, in seconds, between the time when a taint effect has been activated for the Pod and its deletion via TaintEvictionController.",
+			Buckets:        []float64{0.005, 0.025, 0.1, 0.5, 1, 2.5, 10, 30, 60, 120, 180, 240}, // 5ms to 4m
+			StabilityLevel: metrics.ALPHA,
+		},
+	)
+)
+
+var registerMetrics sync.Once
+
+// Register registers TaintEvictionController metrics.
+func Register() {
+	registerMetrics.Do(func() {
+		legacyregistry.MustRegister(PodDeletionsTotal)
+		legacyregistry.MustRegister(PodDeletionsLatency)
+	})
+}
diff --git a/pkg/controller/devicetainteviction/taint_eviction.go b/pkg/controller/devicetainteviction/taint_eviction.go
new file mode 100644
index 00000000000..48ab6f0ec51
--- /dev/null
+++ b/pkg/controller/devicetainteviction/taint_eviction.go
@@ -0,0 +1,614 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package tainteviction
+
+import (
+	"context"
+	"fmt"
+	"hash/fnv"
+	"io"
+	"math"
+	"sync"
+	"time"
+
+	v1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	corev1informers "k8s.io/client-go/informers/core/v1"
+	clientset "k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/kubernetes/scheme"
+	v1core "k8s.io/client-go/kubernetes/typed/core/v1"
+	corelisters "k8s.io/client-go/listers/core/v1"
+	"k8s.io/client-go/tools/cache"
+	"k8s.io/client-go/tools/record"
+	"k8s.io/client-go/util/workqueue"
+	"k8s.io/klog/v2"
+	apipod "k8s.io/kubernetes/pkg/api/v1/pod"
+	"k8s.io/kubernetes/pkg/apis/core/helper"
+	v1helper "k8s.io/kubernetes/pkg/apis/core/v1/helper"
+	"k8s.io/kubernetes/pkg/controller/tainteviction/metrics"
+	controllerutil "k8s.io/kubernetes/pkg/controller/util/node"
+	utilpod "k8s.io/kubernetes/pkg/util/pod"
+)
+
+const (
+	// TODO (k82cn): Figure out a reasonable number of workers/channels and propagate
+	// the number of workers up making it a parameter of Run() function.
+
+	// NodeUpdateChannelSize defines the size of channel for node update events.
+	NodeUpdateChannelSize = 10
+	// UpdateWorkerSize defines the size of workers for node update or/and pod update.
+	UpdateWorkerSize     = 8
+	podUpdateChannelSize = 1
+	retries              = 5
+)
+
+type nodeUpdateItem struct {
+	nodeName string
+}
+
+type podUpdateItem struct {
+	podName      string
+	podNamespace string
+	nodeName     string
+}
+
+func hash(val string, max int) int {
+	hasher := fnv.New32a()
+	io.WriteString(hasher, val)
+	return int(hasher.Sum32() % uint32(max))
+}
+
+// GetPodsByNodeNameFunc returns the list of pods assigned to the specified node.
+type GetPodsByNodeNameFunc func(nodeName string) ([]*v1.Pod, error)
+
+// Controller listens to Taint/Toleration changes and is responsible for removing Pods
+// from Nodes tainted with NoExecute Taints.
+type Controller struct {
+	name string
+
+	client                clientset.Interface
+	broadcaster           record.EventBroadcaster
+	recorder              record.EventRecorder
+	podLister             corelisters.PodLister
+	podListerSynced       cache.InformerSynced
+	nodeLister            corelisters.NodeLister
+	nodeListerSynced      cache.InformerSynced
+	getPodsAssignedToNode GetPodsByNodeNameFunc
+
+	taintEvictionQueue *TimedWorkerQueue
+	// keeps a map from nodeName to all noExecute taints on that Node
+	taintedNodesLock sync.Mutex
+	taintedNodes     map[string][]v1.Taint
+
+	nodeUpdateChannels []chan nodeUpdateItem
+	podUpdateChannels  []chan podUpdateItem
+
+	nodeUpdateQueue workqueue.TypedInterface[nodeUpdateItem]
+	podUpdateQueue  workqueue.TypedInterface[podUpdateItem]
+}
+
+func deletePodHandler(c clientset.Interface, emitEventFunc func(types.NamespacedName), controllerName string) func(ctx context.Context, fireAt time.Time, args *WorkArgs) error {
+	return func(ctx context.Context, fireAt time.Time, args *WorkArgs) error {
+		ns := args.NamespacedName.Namespace
+		name := args.NamespacedName.Name
+		klog.FromContext(ctx).Info("Deleting pod", "controller", controllerName, "pod", args.NamespacedName)
+		if emitEventFunc != nil {
+			emitEventFunc(args.NamespacedName)
+		}
+		var err error
+		for i := 0; i < retries; i++ {
+			err = addConditionAndDeletePod(ctx, c, name, ns)
+			if err == nil {
+				metrics.PodDeletionsTotal.Inc()
+				metrics.PodDeletionsLatency.Observe(float64(time.Since(fireAt) * time.Second))
+				break
+			}
+			time.Sleep(10 * time.Millisecond)
+		}
+		return err
+	}
+}
+
+func addConditionAndDeletePod(ctx context.Context, c clientset.Interface, name, ns string) (err error) {
+	pod, err := c.CoreV1().Pods(ns).Get(ctx, name, metav1.GetOptions{})
+	if err != nil {
+		return err
+	}
+	newStatus := pod.Status.DeepCopy()
+	updated := apipod.UpdatePodCondition(newStatus, &v1.PodCondition{
+		Type:    v1.DisruptionTarget,
+		Status:  v1.ConditionTrue,
+		Reason:  "DeletionByTaintManager",
+		Message: "Taint manager: deleting due to NoExecute taint",
+	})
+	if updated {
+		if _, _, _, err := utilpod.PatchPodStatus(ctx, c, pod.Namespace, pod.Name, pod.UID, pod.Status, *newStatus); err != nil {
+			return err
+		}
+	}
+	return c.CoreV1().Pods(ns).Delete(ctx, name, metav1.DeleteOptions{})
+}
+
+func getNoExecuteTaints(taints []v1.Taint) []v1.Taint {
+	result := []v1.Taint{}
+	for i := range taints {
+		if taints[i].Effect == v1.TaintEffectNoExecute {
+			result = append(result, taints[i])
+		}
+	}
+	return result
+}
+
+// getMinTolerationTime returns minimal toleration time from the given slice, or -1 if it's infinite.
+func getMinTolerationTime(tolerations []v1.Toleration) time.Duration {
+	minTolerationTime := int64(math.MaxInt64)
+	if len(tolerations) == 0 {
+		return 0
+	}
+
+	for i := range tolerations {
+		if tolerations[i].TolerationSeconds != nil {
+			tolerationSeconds := *(tolerations[i].TolerationSeconds)
+			if tolerationSeconds <= 0 {
+				return 0
+			} else if tolerationSeconds < minTolerationTime {
+				minTolerationTime = tolerationSeconds
+			}
+		}
+	}
+
+	if minTolerationTime == int64(math.MaxInt64) {
+		return -1
+	}
+	return time.Duration(minTolerationTime) * time.Second
+}
+
+// New creates a new Controller that will use passed clientset to communicate with the API server.
+func New(ctx context.Context, c clientset.Interface, podInformer corev1informers.PodInformer, nodeInformer corev1informers.NodeInformer, controllerName string) (*Controller, error) {
+	logger := klog.FromContext(ctx)
+	metrics.Register()
+	eventBroadcaster := record.NewBroadcaster(record.WithContext(ctx))
+	recorder := eventBroadcaster.NewRecorder(scheme.Scheme, v1.EventSource{Component: controllerName})
+
+	podIndexer := podInformer.Informer().GetIndexer()
+
+	tm := &Controller{
+		name: controllerName,
+
+		client:           c,
+		broadcaster:      eventBroadcaster,
+		recorder:         recorder,
+		podLister:        podInformer.Lister(),
+		podListerSynced:  podInformer.Informer().HasSynced,
+		nodeLister:       nodeInformer.Lister(),
+		nodeListerSynced: nodeInformer.Informer().HasSynced,
+		getPodsAssignedToNode: func(nodeName string) ([]*v1.Pod, error) {
+			objs, err := podIndexer.ByIndex("spec.nodeName", nodeName)
+			if err != nil {
+				return nil, err
+			}
+			pods := make([]*v1.Pod, 0, len(objs))
+			for _, obj := range objs {
+				pod, ok := obj.(*v1.Pod)
+				if !ok {
+					continue
+				}
+				pods = append(pods, pod)
+			}
+			return pods, nil
+		},
+		taintedNodes: make(map[string][]v1.Taint),
+
+		nodeUpdateQueue: workqueue.NewTypedWithConfig(workqueue.TypedQueueConfig[nodeUpdateItem]{Name: "noexec_taint_node"}),
+		podUpdateQueue:  workqueue.NewTypedWithConfig(workqueue.TypedQueueConfig[podUpdateItem]{Name: "noexec_taint_pod"}),
+	}
+	tm.taintEvictionQueue = CreateWorkerQueue(deletePodHandler(c, tm.emitPodDeletionEvent, tm.name))
+
+	_, err := podInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
+		AddFunc: func(obj interface{}) {
+			pod := obj.(*v1.Pod)
+			tm.PodUpdated(nil, pod)
+		},
+		UpdateFunc: func(prev, obj interface{}) {
+			prevPod := prev.(*v1.Pod)
+			newPod := obj.(*v1.Pod)
+			tm.PodUpdated(prevPod, newPod)
+		},
+		DeleteFunc: func(obj interface{}) {
+			pod, isPod := obj.(*v1.Pod)
+			// We can get DeletedFinalStateUnknown instead of *v1.Pod here and we need to handle that correctly.
+			if !isPod {
+				deletedState, ok := obj.(cache.DeletedFinalStateUnknown)
+				if !ok {
+					logger.Error(nil, "Received unexpected object", "object", obj)
+					return
+				}
+				pod, ok = deletedState.Obj.(*v1.Pod)
+				if !ok {
+					logger.Error(nil, "DeletedFinalStateUnknown contained non-Pod object", "object", deletedState.Obj)
+					return
+				}
+			}
+			tm.PodUpdated(pod, nil)
+		},
+	})
+	if err != nil {
+		return nil, fmt.Errorf("unable to add pod event handler: %w", err)
+	}
+
+	_, err = nodeInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
+		AddFunc: controllerutil.CreateAddNodeHandler(func(node *v1.Node) error {
+			tm.NodeUpdated(nil, node)
+			return nil
+		}),
+		UpdateFunc: controllerutil.CreateUpdateNodeHandler(func(oldNode, newNode *v1.Node) error {
+			tm.NodeUpdated(oldNode, newNode)
+			return nil
+		}),
+		DeleteFunc: controllerutil.CreateDeleteNodeHandler(logger, func(node *v1.Node) error {
+			tm.NodeUpdated(node, nil)
+			return nil
+		}),
+	})
+	if err != nil {
+		return nil, fmt.Errorf("unable to add node event handler: %w", err)
+	}
+
+	return tm, nil
+}
+
+// Run starts the controller which will run in loop until `stopCh` is closed.
+func (tc *Controller) Run(ctx context.Context) {
+	defer utilruntime.HandleCrash()
+	logger := klog.FromContext(ctx)
+	logger.Info("Starting", "controller", tc.name)
+	defer logger.Info("Shutting down controller", "controller", tc.name)
+
+	// Start events processing pipeline.
+	tc.broadcaster.StartStructuredLogging(3)
+	if tc.client != nil {
+		logger.Info("Sending events to api server")
+		tc.broadcaster.StartRecordingToSink(&v1core.EventSinkImpl{Interface: tc.client.CoreV1().Events("")})
+	} else {
+		logger.Error(nil, "kubeClient is nil", "controller", tc.name)
+		klog.FlushAndExit(klog.ExitFlushTimeout, 1)
+	}
+	defer tc.broadcaster.Shutdown()
+	defer tc.nodeUpdateQueue.ShutDown()
+	defer tc.podUpdateQueue.ShutDown()
+
+	// wait for the cache to be synced
+	if !cache.WaitForNamedCacheSync(tc.name, ctx.Done(), tc.podListerSynced, tc.nodeListerSynced) {
+		return
+	}
+
+	for i := 0; i < UpdateWorkerSize; i++ {
+		tc.nodeUpdateChannels = append(tc.nodeUpdateChannels, make(chan nodeUpdateItem, NodeUpdateChannelSize))
+		tc.podUpdateChannels = append(tc.podUpdateChannels, make(chan podUpdateItem, podUpdateChannelSize))
+	}
+
+	// Functions that are responsible for taking work items out of the workqueues and putting them
+	// into channels.
+	go func(stopCh <-chan struct{}) {
+		for {
+			nodeUpdate, shutdown := tc.nodeUpdateQueue.Get()
+			if shutdown {
+				break
+			}
+			hash := hash(nodeUpdate.nodeName, UpdateWorkerSize)
+			select {
+			case <-stopCh:
+				tc.nodeUpdateQueue.Done(nodeUpdate)
+				return
+			case tc.nodeUpdateChannels[hash] <- nodeUpdate:
+				// tc.nodeUpdateQueue.Done is called by the nodeUpdateChannels worker
+			}
+		}
+	}(ctx.Done())
+
+	go func(stopCh <-chan struct{}) {
+		for {
+			podUpdate, shutdown := tc.podUpdateQueue.Get()
+			if shutdown {
+				break
+			}
+			// The fact that pods are processed by the same worker as nodes is used to avoid races
+			// between node worker setting tc.taintedNodes and pod worker reading this to decide
+			// whether to delete pod.
+			// It's possible that even without this assumption this code is still correct.
+			hash := hash(podUpdate.nodeName, UpdateWorkerSize)
+			select {
+			case <-stopCh:
+				tc.podUpdateQueue.Done(podUpdate)
+				return
+			case tc.podUpdateChannels[hash] <- podUpdate:
+				// tc.podUpdateQueue.Done is called by the podUpdateChannels worker
+			}
+		}
+	}(ctx.Done())
+
+	wg := sync.WaitGroup{}
+	wg.Add(UpdateWorkerSize)
+	for i := 0; i < UpdateWorkerSize; i++ {
+		go tc.worker(ctx, i, wg.Done, ctx.Done())
+	}
+	wg.Wait()
+}
+
+func (tc *Controller) worker(ctx context.Context, worker int, done func(), stopCh <-chan struct{}) {
+	defer done()
+
+	// When processing events we want to prioritize Node updates over Pod updates,
+	// as NodeUpdates that interest the controller should be handled as soon as possible -
+	// we don't want user (or system) to wait until PodUpdate queue is drained before it can
+	// start evicting Pods from tainted Nodes.
+	for {
+		select {
+		case <-stopCh:
+			return
+		case nodeUpdate := <-tc.nodeUpdateChannels[worker]:
+			tc.handleNodeUpdate(ctx, nodeUpdate)
+			tc.nodeUpdateQueue.Done(nodeUpdate)
+		case podUpdate := <-tc.podUpdateChannels[worker]:
+			// If we found a Pod update we need to empty Node queue first.
+		priority:
+			for {
+				select {
+				case nodeUpdate := <-tc.nodeUpdateChannels[worker]:
+					tc.handleNodeUpdate(ctx, nodeUpdate)
+					tc.nodeUpdateQueue.Done(nodeUpdate)
+				default:
+					break priority
+				}
+			}
+			// After Node queue is emptied we process podUpdate.
+			tc.handlePodUpdate(ctx, podUpdate)
+			tc.podUpdateQueue.Done(podUpdate)
+		}
+	}
+}
+
+// PodUpdated is used to notify NoExecuteTaintManager about Pod changes.
+func (tc *Controller) PodUpdated(oldPod *v1.Pod, newPod *v1.Pod) {
+	podName := ""
+	podNamespace := ""
+	nodeName := ""
+	oldTolerations := []v1.Toleration{}
+	if oldPod != nil {
+		podName = oldPod.Name
+		podNamespace = oldPod.Namespace
+		nodeName = oldPod.Spec.NodeName
+		oldTolerations = oldPod.Spec.Tolerations
+	}
+	newTolerations := []v1.Toleration{}
+	if newPod != nil {
+		podName = newPod.Name
+		podNamespace = newPod.Namespace
+		nodeName = newPod.Spec.NodeName
+		newTolerations = newPod.Spec.Tolerations
+	}
+
+	if oldPod != nil && newPod != nil && helper.Semantic.DeepEqual(oldTolerations, newTolerations) && oldPod.Spec.NodeName == newPod.Spec.NodeName {
+		return
+	}
+	updateItem := podUpdateItem{
+		podName:      podName,
+		podNamespace: podNamespace,
+		nodeName:     nodeName,
+	}
+
+	tc.podUpdateQueue.Add(updateItem)
+}
+
+// NodeUpdated is used to notify NoExecuteTaintManager about Node changes.
+func (tc *Controller) NodeUpdated(oldNode *v1.Node, newNode *v1.Node) {
+	nodeName := ""
+	oldTaints := []v1.Taint{}
+	if oldNode != nil {
+		nodeName = oldNode.Name
+		oldTaints = getNoExecuteTaints(oldNode.Spec.Taints)
+	}
+
+	newTaints := []v1.Taint{}
+	if newNode != nil {
+		nodeName = newNode.Name
+		newTaints = getNoExecuteTaints(newNode.Spec.Taints)
+	}
+
+	if oldNode != nil && newNode != nil && helper.Semantic.DeepEqual(oldTaints, newTaints) {
+		return
+	}
+	updateItem := nodeUpdateItem{
+		nodeName: nodeName,
+	}
+
+	tc.nodeUpdateQueue.Add(updateItem)
+}
+
+func (tc *Controller) cancelWorkWithEvent(logger klog.Logger, nsName types.NamespacedName) {
+	if tc.taintEvictionQueue.CancelWork(logger, nsName.String()) {
+		tc.emitCancelPodDeletionEvent(nsName)
+	}
+}
+
+func (tc *Controller) processPodOnNode(
+	ctx context.Context,
+	podNamespacedName types.NamespacedName,
+	nodeName string,
+	tolerations []v1.Toleration,
+	taints []v1.Taint,
+	now time.Time,
+) {
+	logger := klog.FromContext(ctx)
+	if len(taints) == 0 {
+		tc.cancelWorkWithEvent(logger, podNamespacedName)
+	}
+	allTolerated, usedTolerations := v1helper.GetMatchingTolerations(taints, tolerations)
+	if !allTolerated {
+		logger.V(2).Info("Not all taints are tolerated after update for pod on node", "pod", podNamespacedName.String(), "node", klog.KRef("", nodeName))
+		// We're canceling scheduled work (if any), as we're going to delete the Pod right away.
+		tc.cancelWorkWithEvent(logger, podNamespacedName)
+		tc.taintEvictionQueue.AddWork(ctx, NewWorkArgs(podNamespacedName.Name, podNamespacedName.Namespace), now, now)
+		return
+	}
+	minTolerationTime := getMinTolerationTime(usedTolerations)
+	// getMinTolerationTime returns negative value to denote infinite toleration.
+	if minTolerationTime < 0 {
+		logger.V(4).Info("Current tolerations for pod tolerate forever, cancelling any scheduled deletion", "pod", podNamespacedName.String())
+		tc.cancelWorkWithEvent(logger, podNamespacedName)
+		return
+	}
+
+	startTime := now
+	triggerTime := startTime.Add(minTolerationTime)
+	scheduledEviction := tc.taintEvictionQueue.GetWorkerUnsafe(podNamespacedName.String())
+	if scheduledEviction != nil {
+		startTime = scheduledEviction.CreatedAt
+		if startTime.Add(minTolerationTime).Before(triggerTime) {
+			return
+		}
+		tc.cancelWorkWithEvent(logger, podNamespacedName)
+	}
+	tc.taintEvictionQueue.AddWork(ctx, NewWorkArgs(podNamespacedName.Name, podNamespacedName.Namespace), startTime, triggerTime)
+}
+
+func (tc *Controller) handlePodUpdate(ctx context.Context, podUpdate podUpdateItem) {
+	pod, err := tc.podLister.Pods(podUpdate.podNamespace).Get(podUpdate.podName)
+	logger := klog.FromContext(ctx)
+	if err != nil {
+		if apierrors.IsNotFound(err) {
+			// Delete
+			podNamespacedName := types.NamespacedName{Namespace: podUpdate.podNamespace, Name: podUpdate.podName}
+			logger.V(4).Info("Noticed pod deletion", "pod", podNamespacedName)
+			tc.cancelWorkWithEvent(logger, podNamespacedName)
+			return
+		}
+		utilruntime.HandleError(fmt.Errorf("could not get pod %s/%s: %v", podUpdate.podName, podUpdate.podNamespace, err))
+		return
+	}
+
+	// We key the workqueue and shard workers by nodeName. If we don't match the current state we should not be the one processing the current object.
+	if pod.Spec.NodeName != podUpdate.nodeName {
+		return
+	}
+
+	// Create or Update
+	podNamespacedName := types.NamespacedName{Namespace: pod.Namespace, Name: pod.Name}
+	logger.V(4).Info("Noticed pod update", "pod", podNamespacedName)
+	nodeName := pod.Spec.NodeName
+	if nodeName == "" {
+		return
+	}
+	taints, ok := func() ([]v1.Taint, bool) {
+		tc.taintedNodesLock.Lock()
+		defer tc.taintedNodesLock.Unlock()
+		taints, ok := tc.taintedNodes[nodeName]
+		return taints, ok
+	}()
+	// It's possible that Node was deleted, or Taints were removed before, which triggered
+	// eviction cancelling if it was needed.
+	if !ok {
+		return
+	}
+	tc.processPodOnNode(ctx, podNamespacedName, nodeName, pod.Spec.Tolerations, taints, time.Now())
+}
+
+func (tc *Controller) handleNodeUpdate(ctx context.Context, nodeUpdate nodeUpdateItem) {
+	node, err := tc.nodeLister.Get(nodeUpdate.nodeName)
+	logger := klog.FromContext(ctx)
+	if err != nil {
+		if apierrors.IsNotFound(err) {
+			// Delete
+			logger.V(4).Info("Noticed node deletion", "node", klog.KRef("", nodeUpdate.nodeName))
+			tc.taintedNodesLock.Lock()
+			defer tc.taintedNodesLock.Unlock()
+			delete(tc.taintedNodes, nodeUpdate.nodeName)
+			return
+		}
+		utilruntime.HandleError(fmt.Errorf("cannot get node %s: %v", nodeUpdate.nodeName, err))
+		return
+	}
+
+	// Create or Update
+	logger.V(4).Info("Noticed node update", "node", klog.KObj(node))
+	taints := getNoExecuteTaints(node.Spec.Taints)
+	func() {
+		tc.taintedNodesLock.Lock()
+		defer tc.taintedNodesLock.Unlock()
+		logger.V(4).Info("Updating known taints on node", "node", klog.KObj(node), "taints", taints)
+		if len(taints) == 0 {
+			delete(tc.taintedNodes, node.Name)
+		} else {
+			tc.taintedNodes[node.Name] = taints
+		}
+	}()
+
+	// This is critical that we update tc.taintedNodes before we call getPodsAssignedToNode:
+	// getPodsAssignedToNode can be delayed as long as all future updates to pods will call
+	// tc.PodUpdated which will use tc.taintedNodes to potentially delete delayed pods.
+	pods, err := tc.getPodsAssignedToNode(node.Name)
+	if err != nil {
+		logger.Error(err, "Failed to get pods assigned to node", "node", klog.KObj(node))
+		return
+	}
+	if len(pods) == 0 {
+		return
+	}
+	// Short circuit, to make this controller a bit faster.
+	if len(taints) == 0 {
+		logger.V(4).Info("All taints were removed from the node. Cancelling all evictions...", "node", klog.KObj(node))
+		for i := range pods {
+			tc.cancelWorkWithEvent(logger, types.NamespacedName{Namespace: pods[i].Namespace, Name: pods[i].Name})
+		}
+		return
+	}
+
+	now := time.Now()
+	for _, pod := range pods {
+		podNamespacedName := types.NamespacedName{Namespace: pod.Namespace, Name: pod.Name}
+		tc.processPodOnNode(ctx, podNamespacedName, node.Name, pod.Spec.Tolerations, taints, now)
+	}
+}
+
+func (tc *Controller) emitPodDeletionEvent(nsName types.NamespacedName) {
+	if tc.recorder == nil {
+		return
+	}
+	ref := &v1.ObjectReference{
+		APIVersion: "v1",
+		Kind:       "Pod",
+		Name:       nsName.Name,
+		Namespace:  nsName.Namespace,
+	}
+	tc.recorder.Eventf(ref, v1.EventTypeNormal, "TaintManagerEviction", "Marking for deletion Pod %s", nsName.String())
+}
+
+func (tc *Controller) emitCancelPodDeletionEvent(nsName types.NamespacedName) {
+	if tc.recorder == nil {
+		return
+	}
+	ref := &v1.ObjectReference{
+		APIVersion: "v1",
+		Kind:       "Pod",
+		Name:       nsName.Name,
+		Namespace:  nsName.Namespace,
+	}
+	tc.recorder.Eventf(ref, v1.EventTypeNormal, "TaintManagerEviction", "Cancelling deletion of Pod %s", nsName.String())
+}
diff --git a/pkg/controller/devicetainteviction/taint_eviction_test.go b/pkg/controller/devicetainteviction/taint_eviction_test.go
new file mode 100644
index 00000000000..6c933d5f23d
--- /dev/null
+++ b/pkg/controller/devicetainteviction/taint_eviction_test.go
@@ -0,0 +1,941 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package tainteviction
+
+import (
+	"context"
+	"fmt"
+	goruntime "runtime"
+	"sort"
+	"testing"
+	"time"
+
+	"github.com/google/go-cmp/cmp"
+
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/fields"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/client-go/informers"
+	"k8s.io/client-go/kubernetes/fake"
+	clienttesting "k8s.io/client-go/testing"
+	"k8s.io/client-go/tools/cache"
+	"k8s.io/kubernetes/pkg/controller/testutil"
+)
+
+var timeForControllerToProgressForSanityCheck = 20 * time.Millisecond
+
+func getPodsAssignedToNode(ctx context.Context, c *fake.Clientset) GetPodsByNodeNameFunc {
+	return func(nodeName string) ([]*corev1.Pod, error) {
+		selector := fields.SelectorFromSet(fields.Set{"spec.nodeName": nodeName})
+		pods, err := c.CoreV1().Pods(corev1.NamespaceAll).List(ctx, metav1.ListOptions{
+			FieldSelector: selector.String(),
+			LabelSelector: labels.Everything().String(),
+		})
+		if err != nil {
+			return []*corev1.Pod{}, fmt.Errorf("failed to get Pods assigned to node %v", nodeName)
+		}
+		rPods := make([]*corev1.Pod, len(pods.Items))
+		for i := range pods.Items {
+			rPods[i] = &pods.Items[i]
+		}
+		return rPods, nil
+	}
+}
+
+func createNoExecuteTaint(index int) corev1.Taint {
+	now := metav1.Now()
+	return corev1.Taint{
+		Key:       "testTaint" + fmt.Sprintf("%v", index),
+		Value:     "test" + fmt.Sprintf("%v", index),
+		Effect:    corev1.TaintEffectNoExecute,
+		TimeAdded: &now,
+	}
+}
+
+func addToleration(pod *corev1.Pod, index int, duration int64) *corev1.Pod {
+	if pod.Annotations == nil {
+		pod.Annotations = map[string]string{}
+	}
+	if duration < 0 {
+		pod.Spec.Tolerations = []corev1.Toleration{{Key: "testTaint" + fmt.Sprintf("%v", index), Value: "test" + fmt.Sprintf("%v", index), Effect: corev1.TaintEffectNoExecute}}
+
+	} else {
+		pod.Spec.Tolerations = []corev1.Toleration{{Key: "testTaint" + fmt.Sprintf("%v", index), Value: "test" + fmt.Sprintf("%v", index), Effect: corev1.TaintEffectNoExecute, TolerationSeconds: &duration}}
+	}
+	return pod
+}
+
+func addTaintsToNode(node *corev1.Node, key, value string, indices []int) *corev1.Node {
+	taints := []corev1.Taint{}
+	for _, index := range indices {
+		taints = append(taints, createNoExecuteTaint(index))
+	}
+	node.Spec.Taints = taints
+	return node
+}
+
+var alwaysReady = func() bool { return true }
+
+func setupNewController(ctx context.Context, fakeClientSet *fake.Clientset) (*Controller, cache.Indexer, cache.Indexer) {
+	informerFactory := informers.NewSharedInformerFactory(fakeClientSet, 0)
+	podIndexer := informerFactory.Core().V1().Pods().Informer().GetIndexer()
+	nodeIndexer := informerFactory.Core().V1().Nodes().Informer().GetIndexer()
+	mgr, _ := New(ctx, fakeClientSet, informerFactory.Core().V1().Pods(), informerFactory.Core().V1().Nodes(), "taint-eviction-controller")
+	mgr.podListerSynced = alwaysReady
+	mgr.nodeListerSynced = alwaysReady
+	mgr.getPodsAssignedToNode = getPodsAssignedToNode(ctx, fakeClientSet)
+	return mgr, podIndexer, nodeIndexer
+}
+
+type timestampedPod struct {
+	names     []string
+	timestamp time.Duration
+}
+
+type durationSlice []timestampedPod
+
+func (a durationSlice) Len() int           { return len(a) }
+func (a durationSlice) Swap(i, j int)      { a[i], a[j] = a[j], a[i] }
+func (a durationSlice) Less(i, j int) bool { return a[i].timestamp < a[j].timestamp }
+
+func TestFilterNoExecuteTaints(t *testing.T) {
+	taints := []corev1.Taint{
+		{
+			Key:    "one",
+			Value:  "one",
+			Effect: corev1.TaintEffectNoExecute,
+		},
+		{
+			Key:    "two",
+			Value:  "two",
+			Effect: corev1.TaintEffectNoSchedule,
+		},
+	}
+	taints = getNoExecuteTaints(taints)
+	if len(taints) != 1 || taints[0].Key != "one" {
+		t.Errorf("Filtering doesn't work. Got %v", taints)
+	}
+}
+
+func TestCreatePod(t *testing.T) {
+	testCases := []struct {
+		description  string
+		pod          *corev1.Pod
+		taintedNodes map[string][]corev1.Taint
+		expectPatch  bool
+		expectDelete bool
+	}{
+		{
+			description:  "not scheduled - ignore",
+			pod:          testutil.NewPod("pod1", ""),
+			taintedNodes: map[string][]corev1.Taint{},
+			expectDelete: false,
+		},
+		{
+			description:  "scheduled on untainted Node",
+			pod:          testutil.NewPod("pod1", "node1"),
+			taintedNodes: map[string][]corev1.Taint{},
+			expectDelete: false,
+		},
+		{
+			description: "schedule on tainted Node",
+			pod:         testutil.NewPod("pod1", "node1"),
+			taintedNodes: map[string][]corev1.Taint{
+				"node1": {createNoExecuteTaint(1)},
+			},
+			expectPatch:  true,
+			expectDelete: true,
+		},
+		{
+			description: "schedule on tainted Node with finite toleration",
+			pod:         addToleration(testutil.NewPod("pod1", "node1"), 1, 100),
+			taintedNodes: map[string][]corev1.Taint{
+				"node1": {createNoExecuteTaint(1)},
+			},
+			expectDelete: false,
+		},
+		{
+			description: "schedule on tainted Node with infinite toleration",
+			pod:         addToleration(testutil.NewPod("pod1", "node1"), 1, -1),
+			taintedNodes: map[string][]corev1.Taint{
+				"node1": {createNoExecuteTaint(1)},
+			},
+			expectDelete: false,
+		},
+		{
+			description: "schedule on tainted Node with infinite invalid toleration",
+			pod:         addToleration(testutil.NewPod("pod1", "node1"), 2, -1),
+			taintedNodes: map[string][]corev1.Taint{
+				"node1": {createNoExecuteTaint(1)},
+			},
+			expectPatch:  true,
+			expectDelete: true,
+		},
+	}
+
+	for _, item := range testCases {
+		t.Run(item.description, func(t *testing.T) {
+			ctx, cancel := context.WithCancel(context.Background())
+			fakeClientset := fake.NewSimpleClientset(&corev1.PodList{Items: []corev1.Pod{*item.pod}})
+			controller, podIndexer, _ := setupNewController(ctx, fakeClientset)
+			controller.recorder = testutil.NewFakeRecorder()
+			go controller.Run(ctx)
+			controller.taintedNodes = item.taintedNodes
+
+			podIndexer.Add(item.pod)
+			controller.PodUpdated(nil, item.pod)
+
+			verifyPodActions(t, item.description, fakeClientset, item.expectPatch, item.expectDelete)
+
+			cancel()
+		})
+	}
+}
+
+func TestDeletePod(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	fakeClientset := fake.NewSimpleClientset()
+	controller, _, _ := setupNewController(ctx, fakeClientset)
+	controller.recorder = testutil.NewFakeRecorder()
+	go controller.Run(ctx)
+	controller.taintedNodes = map[string][]corev1.Taint{
+		"node1": {createNoExecuteTaint(1)},
+	}
+	controller.PodUpdated(testutil.NewPod("pod1", "node1"), nil)
+	// wait a bit to see if nothing will panic
+	time.Sleep(timeForControllerToProgressForSanityCheck)
+}
+
+func TestUpdatePod(t *testing.T) {
+	testCases := []struct {
+		description               string
+		prevPod                   *corev1.Pod
+		awaitForScheduledEviction bool
+		newPod                    *corev1.Pod
+		taintedNodes              map[string][]corev1.Taint
+		expectPatch               bool
+		expectDelete              bool
+		skipOnWindows             bool
+	}{
+		{
+			description: "scheduling onto tainted Node",
+			prevPod:     testutil.NewPod("pod1", ""),
+			newPod:      testutil.NewPod("pod1", "node1"),
+			taintedNodes: map[string][]corev1.Taint{
+				"node1": {createNoExecuteTaint(1)},
+			},
+			expectPatch:  true,
+			expectDelete: true,
+		},
+		{
+			description: "scheduling onto tainted Node with toleration",
+			prevPod:     addToleration(testutil.NewPod("pod1", ""), 1, -1),
+			newPod:      addToleration(testutil.NewPod("pod1", "node1"), 1, -1),
+			taintedNodes: map[string][]corev1.Taint{
+				"node1": {createNoExecuteTaint(1)},
+			},
+			expectDelete: false,
+		},
+		{
+			description:               "removing toleration",
+			prevPod:                   addToleration(testutil.NewPod("pod1", "node1"), 1, 100),
+			newPod:                    testutil.NewPod("pod1", "node1"),
+			awaitForScheduledEviction: true,
+			taintedNodes: map[string][]corev1.Taint{
+				"node1": {createNoExecuteTaint(1)},
+			},
+			expectPatch:  true,
+			expectDelete: true,
+		},
+		{
+			description:               "lengthening toleration shouldn't work",
+			prevPod:                   addToleration(testutil.NewPod("pod1", "node1"), 1, 1),
+			newPod:                    addToleration(testutil.NewPod("pod1", "node1"), 1, 100),
+			awaitForScheduledEviction: true,
+			taintedNodes: map[string][]corev1.Taint{
+				"node1": {createNoExecuteTaint(1)},
+			},
+			expectPatch:   true,
+			expectDelete:  true,
+			skipOnWindows: true,
+		},
+	}
+
+	for _, item := range testCases {
+		t.Run(item.description, func(t *testing.T) {
+			if item.skipOnWindows && goruntime.GOOS == "windows" {
+				// TODO: remove skip once the flaking test has been fixed.
+				t.Skip("Skip flaking test on Windows.")
+			}
+			ctx, cancel := context.WithCancel(context.Background())
+			fakeClientset := fake.NewSimpleClientset(&corev1.PodList{Items: []corev1.Pod{*item.prevPod}})
+			controller, podIndexer, _ := setupNewController(context.TODO(), fakeClientset)
+			controller.recorder = testutil.NewFakeRecorder()
+			controller.taintedNodes = item.taintedNodes
+			go controller.Run(ctx)
+
+			podIndexer.Add(item.prevPod)
+			controller.PodUpdated(nil, item.prevPod)
+
+			if item.awaitForScheduledEviction {
+				nsName := types.NamespacedName{Namespace: item.prevPod.Namespace, Name: item.prevPod.Name}
+				err := wait.PollImmediate(time.Millisecond*10, time.Second, func() (bool, error) {
+					scheduledEviction := controller.taintEvictionQueue.GetWorkerUnsafe(nsName.String())
+					return scheduledEviction != nil, nil
+				})
+				if err != nil {
+					t.Fatalf("Failed to await for scheduled eviction: %q", err)
+				}
+			}
+
+			podIndexer.Update(item.newPod)
+			controller.PodUpdated(item.prevPod, item.newPod)
+
+			verifyPodActions(t, item.description, fakeClientset, item.expectPatch, item.expectDelete)
+			cancel()
+		})
+	}
+}
+
+func TestCreateNode(t *testing.T) {
+	testCases := []struct {
+		description  string
+		pods         []corev1.Pod
+		node         *corev1.Node
+		expectPatch  bool
+		expectDelete bool
+	}{
+		{
+			description: "Creating Node matching already assigned Pod",
+			pods: []corev1.Pod{
+				*testutil.NewPod("pod1", "node1"),
+			},
+			node:         testutil.NewNode("node1"),
+			expectPatch:  false,
+			expectDelete: false,
+		},
+		{
+			description: "Creating tainted Node matching already assigned Pod",
+			pods: []corev1.Pod{
+				*testutil.NewPod("pod1", "node1"),
+			},
+			node:         addTaintsToNode(testutil.NewNode("node1"), "testTaint1", "taint1", []int{1}),
+			expectPatch:  true,
+			expectDelete: true,
+		},
+		{
+			description: "Creating tainted Node matching already assigned tolerating Pod",
+			pods: []corev1.Pod{
+				*addToleration(testutil.NewPod("pod1", "node1"), 1, -1),
+			},
+			node:         addTaintsToNode(testutil.NewNode("node1"), "testTaint1", "taint1", []int{1}),
+			expectPatch:  false,
+			expectDelete: false,
+		},
+	}
+
+	for _, item := range testCases {
+		ctx, cancel := context.WithCancel(context.Background())
+		fakeClientset := fake.NewSimpleClientset(&corev1.PodList{Items: item.pods})
+		controller, _, nodeIndexer := setupNewController(ctx, fakeClientset)
+		nodeIndexer.Add(item.node)
+		controller.recorder = testutil.NewFakeRecorder()
+		go controller.Run(ctx)
+		controller.NodeUpdated(nil, item.node)
+
+		verifyPodActions(t, item.description, fakeClientset, item.expectPatch, item.expectDelete)
+
+		cancel()
+	}
+}
+
+func TestDeleteNode(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	fakeClientset := fake.NewSimpleClientset()
+	controller, _, _ := setupNewController(ctx, fakeClientset)
+	controller.recorder = testutil.NewFakeRecorder()
+	controller.taintedNodes = map[string][]corev1.Taint{
+		"node1": {createNoExecuteTaint(1)},
+	}
+	go controller.Run(ctx)
+	controller.NodeUpdated(testutil.NewNode("node1"), nil)
+
+	// await until controller.taintedNodes is empty
+	err := wait.PollImmediate(10*time.Millisecond, time.Second, func() (bool, error) {
+		controller.taintedNodesLock.Lock()
+		defer controller.taintedNodesLock.Unlock()
+		_, ok := controller.taintedNodes["node1"]
+		return !ok, nil
+	})
+	if err != nil {
+		t.Errorf("Failed to await for processing node deleted: %q", err)
+	}
+	cancel()
+}
+
+func TestUpdateNode(t *testing.T) {
+	testCases := []struct {
+		description     string
+		pods            []corev1.Pod
+		oldNode         *corev1.Node
+		newNode         *corev1.Node
+		expectPatch     bool
+		expectDelete    bool
+		additionalSleep time.Duration
+	}{
+		{
+			description: "Added taint, expect node patched and deleted",
+			pods: []corev1.Pod{
+				*testutil.NewPod("pod1", "node1"),
+			},
+			oldNode:      testutil.NewNode("node1"),
+			newNode:      addTaintsToNode(testutil.NewNode("node1"), "testTaint1", "taint1", []int{1}),
+			expectPatch:  true,
+			expectDelete: true,
+		},
+		{
+			description: "Added tolerated taint",
+			pods: []corev1.Pod{
+				*addToleration(testutil.NewPod("pod1", "node1"), 1, 100),
+			},
+			oldNode:      testutil.NewNode("node1"),
+			newNode:      addTaintsToNode(testutil.NewNode("node1"), "testTaint1", "taint1", []int{1}),
+			expectDelete: false,
+		},
+		{
+			description: "Only one added taint tolerated",
+			pods: []corev1.Pod{
+				*addToleration(testutil.NewPod("pod1", "node1"), 1, 100),
+			},
+			oldNode:      testutil.NewNode("node1"),
+			newNode:      addTaintsToNode(testutil.NewNode("node1"), "testTaint1", "taint1", []int{1, 2}),
+			expectPatch:  true,
+			expectDelete: true,
+		},
+		{
+			description: "Taint removed",
+			pods: []corev1.Pod{
+				*addToleration(testutil.NewPod("pod1", "node1"), 1, 1),
+			},
+			oldNode:         addTaintsToNode(testutil.NewNode("node1"), "testTaint1", "taint1", []int{1}),
+			newNode:         testutil.NewNode("node1"),
+			expectDelete:    false,
+			additionalSleep: 1500 * time.Millisecond,
+		},
+		{
+			description: "Pod with multiple tolerations are evicted when first one runs out",
+			pods: []corev1.Pod{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Namespace: "default",
+						Name:      "pod1",
+					},
+					Spec: corev1.PodSpec{
+						NodeName: "node1",
+						Tolerations: []corev1.Toleration{
+							{Key: "testTaint1", Value: "test1", Effect: corev1.TaintEffectNoExecute, TolerationSeconds: &[]int64{1}[0]},
+							{Key: "testTaint2", Value: "test2", Effect: corev1.TaintEffectNoExecute, TolerationSeconds: &[]int64{100}[0]},
+						},
+					},
+					Status: corev1.PodStatus{
+						Conditions: []corev1.PodCondition{
+							{
+								Type:   corev1.PodReady,
+								Status: corev1.ConditionTrue,
+							},
+						},
+					},
+				},
+			},
+			oldNode:      testutil.NewNode("node1"),
+			newNode:      addTaintsToNode(testutil.NewNode("node1"), "testTaint1", "taint1", []int{1, 2}),
+			expectPatch:  true,
+			expectDelete: true,
+		},
+	}
+
+	for _, item := range testCases {
+		t.Run(item.description, func(t *testing.T) {
+			ctx, cancel := context.WithCancel(context.Background())
+			defer cancel()
+
+			fakeClientset := fake.NewSimpleClientset(&corev1.PodList{Items: item.pods})
+			controller, _, nodeIndexer := setupNewController(ctx, fakeClientset)
+			nodeIndexer.Add(item.newNode)
+			controller.recorder = testutil.NewFakeRecorder()
+			go controller.Run(ctx)
+			controller.NodeUpdated(item.oldNode, item.newNode)
+
+			if item.additionalSleep > 0 {
+				time.Sleep(item.additionalSleep)
+			}
+
+			verifyPodActions(t, item.description, fakeClientset, item.expectPatch, item.expectDelete)
+		})
+	}
+}
+
+func TestUpdateNodeWithMultipleTaints(t *testing.T) {
+	taint1 := createNoExecuteTaint(1)
+	taint2 := createNoExecuteTaint(2)
+
+	minute := int64(60)
+	pod := testutil.NewPod("pod1", "node1")
+	pod.Spec.Tolerations = []corev1.Toleration{
+		{Key: taint1.Key, Operator: corev1.TolerationOpExists, Effect: corev1.TaintEffectNoExecute},
+		{Key: taint2.Key, Operator: corev1.TolerationOpExists, Effect: corev1.TaintEffectNoExecute, TolerationSeconds: &minute},
+	}
+	podNamespacedName := types.NamespacedName{Namespace: pod.Namespace, Name: pod.Name}
+
+	untaintedNode := testutil.NewNode("node1")
+
+	doubleTaintedNode := testutil.NewNode("node1")
+	doubleTaintedNode.Spec.Taints = []corev1.Taint{taint1, taint2}
+
+	singleTaintedNode := testutil.NewNode("node1")
+	singleTaintedNode.Spec.Taints = []corev1.Taint{taint1}
+
+	ctx, cancel := context.WithCancel(context.TODO())
+	fakeClientset := fake.NewSimpleClientset(pod)
+	controller, _, nodeIndexer := setupNewController(ctx, fakeClientset)
+	controller.recorder = testutil.NewFakeRecorder()
+	go controller.Run(ctx)
+
+	// no taint
+	nodeIndexer.Add(untaintedNode)
+	controller.handleNodeUpdate(ctx, nodeUpdateItem{"node1"})
+	// verify pod is not queued for deletion
+	if controller.taintEvictionQueue.GetWorkerUnsafe(podNamespacedName.String()) != nil {
+		t.Fatalf("pod queued for deletion with no taints")
+	}
+
+	// no taint -> infinitely tolerated taint
+	nodeIndexer.Update(singleTaintedNode)
+	controller.handleNodeUpdate(ctx, nodeUpdateItem{"node1"})
+	// verify pod is not queued for deletion
+	if controller.taintEvictionQueue.GetWorkerUnsafe(podNamespacedName.String()) != nil {
+		t.Fatalf("pod queued for deletion with permanently tolerated taint")
+	}
+
+	// infinitely tolerated taint -> temporarily tolerated taint
+	nodeIndexer.Update(doubleTaintedNode)
+	controller.handleNodeUpdate(ctx, nodeUpdateItem{"node1"})
+	// verify pod is queued for deletion
+	if controller.taintEvictionQueue.GetWorkerUnsafe(podNamespacedName.String()) == nil {
+		t.Fatalf("pod not queued for deletion after addition of temporarily tolerated taint")
+	}
+
+	// temporarily tolerated taint -> infinitely tolerated taint
+	nodeIndexer.Update(singleTaintedNode)
+	controller.handleNodeUpdate(ctx, nodeUpdateItem{"node1"})
+	// verify pod is not queued for deletion
+	if controller.taintEvictionQueue.GetWorkerUnsafe(podNamespacedName.String()) != nil {
+		t.Fatalf("pod queued for deletion after removal of temporarily tolerated taint")
+	}
+
+	// verify pod is not deleted
+	for _, action := range fakeClientset.Actions() {
+		if action.GetVerb() == "delete" && action.GetResource().Resource == "pods" {
+			t.Error("Unexpected deletion")
+		}
+	}
+	cancel()
+}
+
+func TestUpdateNodeWithMultiplePods(t *testing.T) {
+	testCases := []struct {
+		description         string
+		pods                []corev1.Pod
+		oldNode             *corev1.Node
+		newNode             *corev1.Node
+		expectedDeleteTimes durationSlice
+	}{
+		{
+			description: "Pods with different toleration times are evicted appropriately",
+			pods: []corev1.Pod{
+				*testutil.NewPod("pod1", "node1"),
+				*addToleration(testutil.NewPod("pod2", "node1"), 1, 1),
+				*addToleration(testutil.NewPod("pod3", "node1"), 1, -1),
+			},
+			oldNode: testutil.NewNode("node1"),
+			newNode: addTaintsToNode(testutil.NewNode("node1"), "testTaint1", "taint1", []int{1}),
+			expectedDeleteTimes: durationSlice{
+				{[]string{"pod1"}, 0},
+				{[]string{"pod2"}, time.Second},
+			},
+		},
+		{
+			description: "Evict all pods not matching all taints instantly",
+			pods: []corev1.Pod{
+				*testutil.NewPod("pod1", "node1"),
+				*addToleration(testutil.NewPod("pod2", "node1"), 1, 1),
+				*addToleration(testutil.NewPod("pod3", "node1"), 1, -1),
+			},
+			oldNode: testutil.NewNode("node1"),
+			newNode: addTaintsToNode(testutil.NewNode("node1"), "testTaint1", "taint1", []int{1, 2}),
+			expectedDeleteTimes: durationSlice{
+				{[]string{"pod1", "pod2", "pod3"}, 0},
+			},
+		},
+	}
+
+	for _, item := range testCases {
+		t.Run(item.description, func(t *testing.T) {
+			t.Logf("Starting testcase %q", item.description)
+			ctx, cancel := context.WithCancel(context.Background())
+			defer cancel()
+
+			fakeClientset := fake.NewSimpleClientset(&corev1.PodList{Items: item.pods})
+			sort.Sort(item.expectedDeleteTimes)
+			controller, _, nodeIndexer := setupNewController(ctx, fakeClientset)
+			nodeIndexer.Add(item.newNode)
+			controller.recorder = testutil.NewFakeRecorder()
+			go controller.Run(ctx)
+			controller.NodeUpdated(item.oldNode, item.newNode)
+
+			startedAt := time.Now()
+			for i := range item.expectedDeleteTimes {
+				if i == 0 || item.expectedDeleteTimes[i-1].timestamp != item.expectedDeleteTimes[i].timestamp {
+					// compute a grace duration to give controller time to process updates. Choose big
+					// enough intervals in the test cases above to avoid flakes.
+					var increment time.Duration
+					if i == len(item.expectedDeleteTimes)-1 || item.expectedDeleteTimes[i+1].timestamp == item.expectedDeleteTimes[i].timestamp {
+						increment = 500 * time.Millisecond
+					} else {
+						increment = ((item.expectedDeleteTimes[i+1].timestamp - item.expectedDeleteTimes[i].timestamp) / time.Duration(2))
+					}
+
+					sleepTime := item.expectedDeleteTimes[i].timestamp - time.Since(startedAt) + increment
+					if sleepTime < 0 {
+						sleepTime = 0
+					}
+					t.Logf("Sleeping for %v", sleepTime)
+					time.Sleep(sleepTime)
+				}
+
+				for delay, podName := range item.expectedDeleteTimes[i].names {
+					deleted := false
+					for _, action := range fakeClientset.Actions() {
+						deleteAction, ok := action.(clienttesting.DeleteActionImpl)
+						if !ok {
+							t.Logf("Found not-delete action with verb %v. Ignoring.", action.GetVerb())
+							continue
+						}
+						if deleteAction.GetResource().Resource != "pods" {
+							continue
+						}
+						if podName == deleteAction.GetName() {
+							deleted = true
+						}
+					}
+					if !deleted {
+						t.Errorf("Failed to deleted pod %v after %v", podName, delay)
+					}
+				}
+				for _, action := range fakeClientset.Actions() {
+					deleteAction, ok := action.(clienttesting.DeleteActionImpl)
+					if !ok {
+						t.Logf("Found not-delete action with verb %v. Ignoring.", action.GetVerb())
+						continue
+					}
+					if deleteAction.GetResource().Resource != "pods" {
+						continue
+					}
+					deletedPodName := deleteAction.GetName()
+					expected := false
+					for _, podName := range item.expectedDeleteTimes[i].names {
+						if podName == deletedPodName {
+							expected = true
+						}
+					}
+					if !expected {
+						t.Errorf("Pod %v was deleted even though it shouldn't have", deletedPodName)
+					}
+				}
+				fakeClientset.ClearActions()
+			}
+		})
+	}
+}
+
+func TestGetMinTolerationTime(t *testing.T) {
+	one := int64(1)
+	two := int64(2)
+	oneSec := 1 * time.Second
+
+	tests := []struct {
+		tolerations []corev1.Toleration
+		expected    time.Duration
+	}{
+		{
+			tolerations: []corev1.Toleration{},
+			expected:    0,
+		},
+		{
+			tolerations: []corev1.Toleration{
+				{
+					TolerationSeconds: nil,
+				},
+			},
+			expected: -1,
+		},
+		{
+			tolerations: []corev1.Toleration{
+				{
+					TolerationSeconds: &one,
+				},
+				{
+					TolerationSeconds: &two,
+				},
+			},
+			expected: oneSec,
+		},
+
+		{
+			tolerations: []corev1.Toleration{
+				{
+					TolerationSeconds: &one,
+				},
+				{
+					TolerationSeconds: nil,
+				},
+			},
+			expected: oneSec,
+		},
+		{
+			tolerations: []corev1.Toleration{
+				{
+					TolerationSeconds: nil,
+				},
+				{
+					TolerationSeconds: &one,
+				},
+			},
+			expected: oneSec,
+		},
+	}
+
+	for _, test := range tests {
+		got := getMinTolerationTime(test.tolerations)
+		if got != test.expected {
+			t.Errorf("Incorrect min toleration time: got %v, expected %v", got, test.expected)
+		}
+	}
+}
+
+// TestEventualConsistency verifies if getPodsAssignedToNode returns incomplete data
+// (e.g. due to watch latency), it will reconcile the remaining pods eventually.
+// This scenario is partially covered by TestUpdatePods, but given this is an important
+// property of TaintManager, it's better to have explicit test for this.
+func TestEventualConsistency(t *testing.T) {
+	testCases := []struct {
+		description  string
+		pods         []corev1.Pod
+		prevPod      *corev1.Pod
+		newPod       *corev1.Pod
+		oldNode      *corev1.Node
+		newNode      *corev1.Node
+		expectPatch  bool
+		expectDelete bool
+	}{
+		{
+			description: "existing pod2 scheduled onto tainted Node",
+			pods: []corev1.Pod{
+				*testutil.NewPod("pod1", "node1"),
+			},
+			prevPod:      testutil.NewPod("pod2", ""),
+			newPod:       testutil.NewPod("pod2", "node1"),
+			oldNode:      testutil.NewNode("node1"),
+			newNode:      addTaintsToNode(testutil.NewNode("node1"), "testTaint1", "taint1", []int{1}),
+			expectPatch:  true,
+			expectDelete: true,
+		},
+		{
+			description: "existing pod2 with taint toleration scheduled onto tainted Node",
+			pods: []corev1.Pod{
+				*testutil.NewPod("pod1", "node1"),
+			},
+			prevPod:      addToleration(testutil.NewPod("pod2", ""), 1, 100),
+			newPod:       addToleration(testutil.NewPod("pod2", "node1"), 1, 100),
+			oldNode:      testutil.NewNode("node1"),
+			newNode:      addTaintsToNode(testutil.NewNode("node1"), "testTaint1", "taint1", []int{1}),
+			expectPatch:  true,
+			expectDelete: true,
+		},
+		{
+			description: "new pod2 created on tainted Node",
+			pods: []corev1.Pod{
+				*testutil.NewPod("pod1", "node1"),
+			},
+			prevPod:      nil,
+			newPod:       testutil.NewPod("pod2", "node1"),
+			oldNode:      testutil.NewNode("node1"),
+			newNode:      addTaintsToNode(testutil.NewNode("node1"), "testTaint1", "taint1", []int{1}),
+			expectPatch:  true,
+			expectDelete: true,
+		},
+		{
+			description: "new pod2 with tait toleration created on tainted Node",
+			pods: []corev1.Pod{
+				*testutil.NewPod("pod1", "node1"),
+			},
+			prevPod:      nil,
+			newPod:       addToleration(testutil.NewPod("pod2", "node1"), 1, 100),
+			oldNode:      testutil.NewNode("node1"),
+			newNode:      addTaintsToNode(testutil.NewNode("node1"), "testTaint1", "taint1", []int{1}),
+			expectPatch:  true,
+			expectDelete: true,
+		},
+	}
+
+	for _, item := range testCases {
+		t.Run(item.description, func(t *testing.T) {
+			ctx, cancel := context.WithCancel(context.Background())
+			defer cancel()
+
+			fakeClientset := fake.NewSimpleClientset(&corev1.PodList{Items: item.pods})
+			controller, podIndexer, nodeIndexer := setupNewController(ctx, fakeClientset)
+			nodeIndexer.Add(item.newNode)
+			controller.recorder = testutil.NewFakeRecorder()
+			go controller.Run(ctx)
+
+			if item.prevPod != nil {
+				podIndexer.Add(item.prevPod)
+				controller.PodUpdated(nil, item.prevPod)
+			}
+
+			// First we simulate NodeUpdate that should delete 'pod1'. It doesn't know about 'pod2' yet.
+			controller.NodeUpdated(item.oldNode, item.newNode)
+
+			verifyPodActions(t, item.description, fakeClientset, item.expectPatch, item.expectDelete)
+			fakeClientset.ClearActions()
+
+			// And now the delayed update of 'pod2' comes to the TaintManager. We should delete it as well.
+			podIndexer.Update(item.newPod)
+			controller.PodUpdated(item.prevPod, item.newPod)
+			// wait a bit
+			time.Sleep(timeForControllerToProgressForSanityCheck)
+		})
+	}
+}
+
+func verifyPodActions(t *testing.T, description string, fakeClientset *fake.Clientset, expectPatch, expectDelete bool) {
+	t.Helper()
+	podPatched := false
+	podDeleted := false
+	// use Poll instead of PollImmediate to give some processing time to the controller that the expected
+	// actions are likely to be already sent
+	err := wait.Poll(10*time.Millisecond, 5*time.Second, func() (bool, error) {
+		for _, action := range fakeClientset.Actions() {
+			if action.GetVerb() == "patch" && action.GetResource().Resource == "pods" {
+				podPatched = true
+			}
+			if action.GetVerb() == "delete" && action.GetResource().Resource == "pods" {
+				podDeleted = true
+			}
+		}
+		return podPatched == expectPatch && podDeleted == expectDelete, nil
+	})
+	if err != nil {
+		t.Errorf("Failed waiting for the expected actions: %q", err)
+	}
+	if podPatched != expectPatch {
+		t.Errorf("[%v]Unexpected test result. Expected patch %v, got %v", description, expectPatch, podPatched)
+	}
+	if podDeleted != expectDelete {
+		t.Errorf("[%v]Unexpected test result. Expected delete %v, got %v", description, expectDelete, podDeleted)
+	}
+}
+
+// TestPodDeletionEvent Verify that the output events are as expected
+func TestPodDeletionEvent(t *testing.T) {
+	f := func(path cmp.Path) bool {
+		switch path.String() {
+		// These fields change at runtime, so ignore it
+		case "LastTimestamp", "FirstTimestamp", "ObjectMeta.Name":
+			return true
+		}
+		return false
+	}
+
+	t.Run("emitPodDeletionEvent", func(t *testing.T) {
+		controller := &Controller{}
+		recorder := testutil.NewFakeRecorder()
+		controller.recorder = recorder
+		controller.emitPodDeletionEvent(types.NamespacedName{
+			Name:      "test",
+			Namespace: "test",
+		})
+		want := []*corev1.Event{
+			{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "test",
+				},
+				InvolvedObject: corev1.ObjectReference{
+					Kind:       "Pod",
+					APIVersion: "v1",
+					Namespace:  "test",
+					Name:       "test",
+				},
+				Reason:  "TaintManagerEviction",
+				Type:    "Normal",
+				Count:   1,
+				Message: "Marking for deletion Pod test/test",
+				Source:  corev1.EventSource{Component: "nodeControllerTest"},
+			},
+		}
+		if diff := cmp.Diff(want, recorder.Events, cmp.FilterPath(f, cmp.Ignore())); len(diff) > 0 {
+			t.Errorf("emitPodDeletionEvent() returned data (-want,+got):\n%s", diff)
+		}
+	})
+
+	t.Run("emitCancelPodDeletionEvent", func(t *testing.T) {
+		controller := &Controller{}
+		recorder := testutil.NewFakeRecorder()
+		controller.recorder = recorder
+		controller.emitCancelPodDeletionEvent(types.NamespacedName{
+			Name:      "test",
+			Namespace: "test",
+		})
+		want := []*corev1.Event{
+			{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "test",
+				},
+				InvolvedObject: corev1.ObjectReference{
+					Kind:       "Pod",
+					APIVersion: "v1",
+					Namespace:  "test",
+					Name:       "test",
+				},
+				Reason:  "TaintManagerEviction",
+				Type:    "Normal",
+				Count:   1,
+				Message: "Cancelling deletion of Pod test/test",
+				Source:  corev1.EventSource{Component: "nodeControllerTest"},
+			},
+		}
+		if diff := cmp.Diff(want, recorder.Events, cmp.FilterPath(f, cmp.Ignore())); len(diff) > 0 {
+			t.Errorf("emitPodDeletionEvent() returned data (-want,+got):\n%s", diff)
+		}
+	})
+}

From a027b439e58cc0ccae23991c8f25674138e97bc8 Mon Sep 17 00:00:00 2001
From: Patrick Ohly <patrick.ohly@intel.com>
Date: Fri, 7 Mar 2025 15:21:52 +0100
Subject: [PATCH 07/11] DRA: add device taint eviction controller

The controller is derived from the node taint eviction controller.
In contrast to that controller it tracks the UID of pods to prevent
deleting the wrong pod when it got replaced.
---
 .../app/controllermanager.go                  |    1 +
 .../app/controllermanager_test.go             |    1 +
 cmd/kube-controller-manager/app/core.go       |   27 +
 .../names/controller_names.go                 |    1 +
 hack/verify-prometheus-imports.sh             |    1 +
 .../device_taint_eviction.go                  |  916 +++++++++
 .../device_taint_eviction_test.go             | 1754 +++++++++++++++++
 pkg/controller/devicetainteviction/doc.go     |    8 +-
 .../devicetainteviction/metrics/metrics.go    |   78 +-
 .../devicetainteviction/taint_eviction.go     |  614 ------
 .../taint_eviction_test.go                    |  941 ---------
 .../tainteviction/namespacedobject.go         |   50 +
 .../tainteviction/taint_eviction.go           |    8 +-
 pkg/controller/tainteviction/timed_workers.go |   47 +-
 .../dynamicresources/dynamicresources_test.go |    2 +-
 pkg/scheduler/testing/wrappers.go             |   20 +-
 .../rbac/bootstrappolicy/controller_policy.go |   18 +
 17 files changed, 2888 insertions(+), 1599 deletions(-)
 create mode 100644 pkg/controller/devicetainteviction/device_taint_eviction.go
 create mode 100644 pkg/controller/devicetainteviction/device_taint_eviction_test.go
 delete mode 100644 pkg/controller/devicetainteviction/taint_eviction.go
 delete mode 100644 pkg/controller/devicetainteviction/taint_eviction_test.go
 create mode 100644 pkg/controller/tainteviction/namespacedobject.go

diff --git a/cmd/kube-controller-manager/app/controllermanager.go b/cmd/kube-controller-manager/app/controllermanager.go
index dc847d66e5d..822f334c94c 100644
--- a/cmd/kube-controller-manager/app/controllermanager.go
+++ b/cmd/kube-controller-manager/app/controllermanager.go
@@ -588,6 +588,7 @@ func NewControllerDescriptors() map[string]*ControllerDescriptor {
 	// feature gated
 	register(newStorageVersionGarbageCollectorControllerDescriptor())
 	register(newResourceClaimControllerDescriptor())
+	register(newDeviceTaintEvictionControllerDescriptor())
 	register(newLegacyServiceAccountTokenCleanerControllerDescriptor())
 	register(newValidatingAdmissionPolicyStatusControllerDescriptor())
 	register(newTaintEvictionControllerDescriptor())
diff --git a/cmd/kube-controller-manager/app/controllermanager_test.go b/cmd/kube-controller-manager/app/controllermanager_test.go
index 88af44ed6d6..dd99d4c8269 100644
--- a/cmd/kube-controller-manager/app/controllermanager_test.go
+++ b/cmd/kube-controller-manager/app/controllermanager_test.go
@@ -93,6 +93,7 @@ func TestControllerNamesDeclaration(t *testing.T) {
 		names.EphemeralVolumeController,
 		names.StorageVersionGarbageCollectorController,
 		names.ResourceClaimController,
+		names.DeviceTaintEvictionController,
 		names.LegacyServiceAccountTokenCleanerController,
 		names.ValidatingAdmissionPolicyStatusController,
 		names.ServiceCIDRController,
diff --git a/cmd/kube-controller-manager/app/core.go b/cmd/kube-controller-manager/app/core.go
index a6b9f5bb6e3..500903de4d0 100644
--- a/cmd/kube-controller-manager/app/core.go
+++ b/cmd/kube-controller-manager/app/core.go
@@ -41,6 +41,7 @@ import (
 	"k8s.io/klog/v2"
 	"k8s.io/kubernetes/cmd/kube-controller-manager/names"
 	pkgcontroller "k8s.io/kubernetes/pkg/controller"
+	"k8s.io/kubernetes/pkg/controller/devicetainteviction"
 	endpointcontroller "k8s.io/kubernetes/pkg/controller/endpoint"
 	"k8s.io/kubernetes/pkg/controller/garbagecollector"
 	namespacecontroller "k8s.io/kubernetes/pkg/controller/namespace"
@@ -231,6 +232,32 @@ func startTaintEvictionController(ctx context.Context, controllerContext Control
 	return nil, true, nil
 }
 
+func newDeviceTaintEvictionControllerDescriptor() *ControllerDescriptor {
+	return &ControllerDescriptor{
+		name:     names.DeviceTaintEvictionController,
+		initFunc: startDeviceTaintEvictionController,
+		requiredFeatureGates: []featuregate.Feature{
+			// TODO update app.TestFeatureGatedControllersShouldNotDefineAliases when removing these feature gates.
+			features.DynamicResourceAllocation,
+			features.DRADeviceTaints,
+		},
+	}
+}
+
+func startDeviceTaintEvictionController(ctx context.Context, controllerContext ControllerContext, controllerName string) (controller.Interface, bool, error) {
+	deviceTaintEvictionController := devicetainteviction.New(
+		controllerContext.ClientBuilder.ClientOrDie(names.DeviceTaintEvictionController),
+		controllerContext.InformerFactory.Core().V1().Pods(),
+		controllerContext.InformerFactory.Resource().V1beta1().ResourceClaims(),
+		controllerContext.InformerFactory.Resource().V1beta1().ResourceSlices(),
+		controllerContext.InformerFactory.Resource().V1alpha3().DeviceTaintRules(),
+		controllerContext.InformerFactory.Resource().V1beta1().DeviceClasses(),
+		controllerName,
+	)
+	go deviceTaintEvictionController.Run(ctx)
+	return nil, true, nil
+}
+
 func newCloudNodeLifecycleControllerDescriptor() *ControllerDescriptor {
 	return &ControllerDescriptor{
 		name:                      cpnames.CloudNodeLifecycleController,
diff --git a/cmd/kube-controller-manager/names/controller_names.go b/cmd/kube-controller-manager/names/controller_names.go
index db88935c4c7..7aa1b6998c0 100644
--- a/cmd/kube-controller-manager/names/controller_names.go
+++ b/cmd/kube-controller-manager/names/controller_names.go
@@ -69,6 +69,7 @@ const (
 	NodeIpamController                                 = "node-ipam-controller"
 	NodeLifecycleController                            = "node-lifecycle-controller"
 	TaintEvictionController                            = "taint-eviction-controller"
+	DeviceTaintEvictionController                      = "device-taint-eviction-controller"
 	PersistentVolumeBinderController                   = "persistentvolume-binder-controller"
 	PersistentVolumeAttachDetachController             = "persistentvolume-attach-detach-controller"
 	PersistentVolumeExpanderController                 = "persistentvolume-expander-controller"
diff --git a/hack/verify-prometheus-imports.sh b/hack/verify-prometheus-imports.sh
index ba1321e1e41..18a67e77922 100755
--- a/hack/verify-prometheus-imports.sh
+++ b/hack/verify-prometheus-imports.sh
@@ -37,6 +37,7 @@ source "${KUBE_ROOT}/hack/lib/util.sh"
 # See: https://github.com/kubernetes/kubernetes/issues/89267
 allowed_prometheus_importers=(
   ./cluster/images/etcd-version-monitor/etcd-version-monitor.go
+  ./pkg/controller/devicetainteviction/device_taint_eviction_test.go
   ./staging/src/k8s.io/component-base/metrics/prometheusextension/timing_histogram.go
   ./staging/src/k8s.io/component-base/metrics/prometheusextension/timing_histogram_test.go
   ./staging/src/k8s.io/component-base/metrics/prometheusextension/timing_histogram_vec.go
diff --git a/pkg/controller/devicetainteviction/device_taint_eviction.go b/pkg/controller/devicetainteviction/device_taint_eviction.go
new file mode 100644
index 00000000000..a2cc9354a58
--- /dev/null
+++ b/pkg/controller/devicetainteviction/device_taint_eviction.go
@@ -0,0 +1,916 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package devicetainteviction
+
+import (
+	"context"
+	"fmt"
+	"math"
+	"slices"
+	"strings"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	"github.com/google/go-cmp/cmp" //nolint:depguard // Discouraged for production use (https://github.com/kubernetes/kubernetes/issues/104821) but has no good alternative for logging.
+
+	v1 "k8s.io/api/core/v1"
+	resourceapi "k8s.io/api/resource/v1beta1"
+	apiequality "k8s.io/apimachinery/pkg/api/equality"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/apimachinery/pkg/util/sets"
+	coreinformers "k8s.io/client-go/informers/core/v1"
+	resourcealphainformers "k8s.io/client-go/informers/resource/v1alpha3"
+	resourceinformers "k8s.io/client-go/informers/resource/v1beta1"
+	clientset "k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/kubernetes/scheme"
+	v1core "k8s.io/client-go/kubernetes/typed/core/v1"
+	corelisters "k8s.io/client-go/listers/core/v1"
+	"k8s.io/client-go/tools/cache"
+	"k8s.io/client-go/tools/record"
+	"k8s.io/dynamic-resource-allocation/resourceclaim"
+	resourceslicetracker "k8s.io/dynamic-resource-allocation/resourceslice/tracker"
+	"k8s.io/klog/v2"
+	apipod "k8s.io/kubernetes/pkg/api/v1/pod"
+	"k8s.io/kubernetes/pkg/controller/devicetainteviction/metrics"
+	"k8s.io/kubernetes/pkg/controller/tainteviction"
+	utilpod "k8s.io/kubernetes/pkg/util/pod"
+)
+
+const (
+	// retries is the number of times that the controller tries to delete a pod
+	// that needs to be evicted.
+	retries = 5
+)
+
+// Controller listens to Taint changes of DRA devices and Toleration changes of ResourceClaims,
+// then deletes Pods which use ResourceClaims that don't tolerate a NoExecute taint.
+// Pods which have already reached a final state (aka terminated) don't need to be deleted.
+//
+// All of the logic which identifies pods which need to be evicted runs in the
+// handle* event handlers. They don't call any blocking method. All the blocking
+// calls happen in a [tainteviction.TimedWorkerQueue], using the context passed to Run.
+//
+// The [resourceslicetracker] takes care of applying taints defined in DeviceTaintRules
+// to ResourceSlices. This controller here receives modified ResourceSlices with all
+// applicable taints from that tracker and doesn't need to care about where a
+// taint came from, the DRA driver or a DeviceTaintRule.
+type Controller struct {
+	name string
+
+	// logger is the general-purpose logger to be used for background activities.
+	logger klog.Logger
+
+	// handlerLogger is specifically for logging during event handling. It may be nil
+	// if no such logging is desired.
+	eventLogger *klog.Logger
+
+	client        clientset.Interface
+	recorder      record.EventRecorder
+	podInformer   coreinformers.PodInformer
+	podLister     corelisters.PodLister
+	claimInformer resourceinformers.ResourceClaimInformer
+	sliceInformer resourceinformers.ResourceSliceInformer
+	taintInformer resourcealphainformers.DeviceTaintRuleInformer
+	classInformer resourceinformers.DeviceClassInformer
+	haveSynced    []cache.InformerSynced
+	metrics       metrics.Metrics
+
+	// evictPod ensures that the pod gets evicted at the specified time.
+	// It doesn't block.
+	evictPod func(pod tainteviction.NamespacedObject, fireAt time.Time)
+
+	// cancelEvict cancels eviction set up with evictPod earlier.
+	// Idempotent, returns false if there was nothing to cancel.
+	cancelEvict func(pod tainteviction.NamespacedObject) bool
+
+	// allocatedClaims holds all currently known allocated claims.
+	allocatedClaims map[types.NamespacedName]allocatedClaim // A value is slightly more efficient in BenchmarkTaintUntaint (less allocations!).
+
+	// pools indexes all slices by driver and pool name.
+	pools map[poolID]pool
+
+	hasSynced atomic.Int32
+}
+
+type poolID struct {
+	driverName, poolName string
+}
+
+type pool struct {
+	slices        sets.Set[*resourceapi.ResourceSlice]
+	maxGeneration int64
+}
+
+// addSlice adds one slice to the pool.
+func (p *pool) addSlice(slice *resourceapi.ResourceSlice) {
+	if slice == nil {
+		return
+	}
+	if p.slices == nil {
+		p.slices = sets.New[*resourceapi.ResourceSlice]()
+		p.maxGeneration = math.MinInt64
+	}
+	p.slices.Insert(slice)
+
+	// Adding a slice can only increase the generation.
+	if slice.Spec.Pool.Generation > p.maxGeneration {
+		p.maxGeneration = slice.Spec.Pool.Generation
+	}
+}
+
+// removeSlice removes a slice. It must have been added before.
+func (p *pool) removeSlice(slice *resourceapi.ResourceSlice) {
+	if slice == nil {
+		return
+	}
+	p.slices.Delete(slice)
+
+	// Removing a slice might have decreased the generation to
+	// that of some other slice.
+	if slice.Spec.Pool.Generation == p.maxGeneration {
+		maxGeneration := int64(math.MinInt64)
+		for slice := range p.slices {
+			if slice.Spec.Pool.Generation > maxGeneration {
+				maxGeneration = slice.Spec.Pool.Generation
+			}
+		}
+		p.maxGeneration = maxGeneration
+	}
+}
+
+// getTaintedDevices appends all device taints with NoExecute effect.
+// The result is sorted by device name.
+func (p pool) getTaintedDevices() []taintedDevice {
+	var buffer []taintedDevice
+	for slice := range p.slices {
+		if slice.Spec.Pool.Generation != p.maxGeneration {
+			continue
+		}
+		for _, device := range slice.Spec.Devices {
+			if device.Basic == nil {
+				// Unknown device type, not supported.
+				continue
+			}
+			for _, taint := range device.Basic.Taints {
+				if taint.Effect != resourceapi.DeviceTaintEffectNoExecute {
+					continue
+				}
+				buffer = append(buffer, taintedDevice{deviceName: device.Name, taint: taint})
+			}
+		}
+	}
+
+	// slices.SortFunc is more efficient than sort.Slice here.
+	slices.SortFunc(buffer, func(a, b taintedDevice) int {
+		return strings.Compare(a.deviceName, b.deviceName)
+	})
+	return buffer
+}
+
+// getDevice looks up one device by name. Out-dated slices are ignored.
+func (p pool) getDevice(deviceName string) *resourceapi.BasicDevice {
+	for slice := range p.slices {
+		if slice.Spec.Pool.Generation != p.maxGeneration {
+			continue
+		}
+		for _, device := range slice.Spec.Devices {
+			if device.Basic == nil {
+				// Unknown device type, not supported.
+				continue
+			}
+			if device.Name == deviceName {
+				return device.Basic
+			}
+		}
+	}
+
+	return nil
+}
+
+type taintedDevice struct {
+	deviceName string
+	taint      resourceapi.DeviceTaint
+}
+
+// allocatedClaim is a ResourceClaim which has an allocation result. It
+// may or may not be tainted such that pods need to be evicted.
+type allocatedClaim struct {
+	*resourceapi.ResourceClaim
+
+	// evictionTime, if non-nil, is the time at which pods using this claim need to be evicted.
+	// This is the smallest value of all such per-device values.
+	// For each device, the value is calculated as `<time of setting the taint> +
+	// <toleration seconds, 0 if not set>`.
+	evictionTime *metav1.Time
+}
+
+func (tc *Controller) deletePodHandler(c clientset.Interface, emitEventFunc func(tainteviction.NamespacedObject)) func(ctx context.Context, fireAt time.Time, args *tainteviction.WorkArgs) error {
+	return func(ctx context.Context, fireAt time.Time, args *tainteviction.WorkArgs) error {
+		klog.FromContext(ctx).Info("Deleting pod", "pod", args.Object)
+		var err error
+		for i := 0; i < retries; i++ {
+			err = addConditionAndDeletePod(ctx, c, args.Object, &emitEventFunc)
+			if apierrors.IsNotFound(err) {
+				// Not a problem, the work is done.
+				// But we didn't do it, so don't
+				// bump the metric.
+				return nil
+			}
+			if err == nil {
+				tc.metrics.PodDeletionsTotal.Inc()
+				tc.metrics.PodDeletionsLatency.Observe(float64(time.Since(fireAt).Seconds()))
+				return nil
+			}
+			time.Sleep(10 * time.Millisecond)
+		}
+		return err
+	}
+}
+
+func addConditionAndDeletePod(ctx context.Context, c clientset.Interface, podRef tainteviction.NamespacedObject, emitEventFunc *func(tainteviction.NamespacedObject)) (err error) {
+	pod, err := c.CoreV1().Pods(podRef.Namespace).Get(ctx, podRef.Name, metav1.GetOptions{})
+	if err != nil {
+		return err
+	}
+
+	if pod.UID != podRef.UID {
+		// This special error suppresses event logging in our caller and prevents further retries.
+		// We can stop because the pod we were meant to evict is already gone and happens to
+		// be replaced by some other pod which reuses the same name.
+		return apierrors.NewNotFound(v1.SchemeGroupVersion.WithResource("pods").GroupResource(), pod.Name)
+	}
+
+	// Emit the event only once, and only if we are actually doing something.
+	if *emitEventFunc != nil {
+		(*emitEventFunc)(podRef)
+		*emitEventFunc = nil
+	}
+
+	newStatus := pod.Status.DeepCopy()
+	updated := apipod.UpdatePodCondition(newStatus, &v1.PodCondition{
+		Type:    v1.DisruptionTarget,
+		Status:  v1.ConditionTrue,
+		Reason:  "DeletionByDeviceTaintManager",
+		Message: "Device Taint manager: deleting due to NoExecute taint",
+	})
+	if updated {
+		if _, _, _, err := utilpod.PatchPodStatus(ctx, c, pod.Namespace, pod.Name, pod.UID, pod.Status, *newStatus); err != nil {
+			return err
+		}
+	}
+	// Unlikely, but it could happen that the pod we got above got replaced with
+	// another pod using the same name in the meantime. Include a precondition
+	// to prevent that race. This delete attempt then fails and the next one detects
+	// the new pod and stops retrying.
+	return c.CoreV1().Pods(podRef.Namespace).Delete(ctx, podRef.Name, metav1.DeleteOptions{
+		Preconditions: &metav1.Preconditions{
+			UID: &podRef.UID,
+		},
+	})
+}
+
+// New creates a new Controller that will use passed clientset to communicate with the API server.
+// Spawns no goroutines. That happens in Run.
+func New(c clientset.Interface, podInformer coreinformers.PodInformer, claimInformer resourceinformers.ResourceClaimInformer, sliceInformer resourceinformers.ResourceSliceInformer, taintInformer resourcealphainformers.DeviceTaintRuleInformer, classInformer resourceinformers.DeviceClassInformer, controllerName string) *Controller {
+	metrics.Register() // It would be nicer to pass the controller name here, but that probably would break generating https://kubernetes.io/docs/reference/instrumentation/metrics.
+
+	tc := &Controller{
+		name: controllerName,
+
+		client:          c,
+		podInformer:     podInformer,
+		podLister:       podInformer.Lister(),
+		claimInformer:   claimInformer,
+		sliceInformer:   sliceInformer,
+		taintInformer:   taintInformer,
+		classInformer:   classInformer,
+		allocatedClaims: make(map[types.NamespacedName]allocatedClaim),
+		pools:           make(map[poolID]pool),
+		// Instantiate all informers now to ensure that they get started.
+		haveSynced: []cache.InformerSynced{
+			podInformer.Informer().HasSynced,
+			claimInformer.Informer().HasSynced,
+			sliceInformer.Informer().HasSynced,
+			taintInformer.Informer().HasSynced,
+			classInformer.Informer().HasSynced,
+		},
+		metrics: metrics.Global,
+	}
+
+	return tc
+}
+
+// Run starts the controller which will run until the context is done.
+func (tc *Controller) Run(ctx context.Context) {
+	defer utilruntime.HandleCrash()
+	logger := klog.FromContext(ctx)
+	logger.Info("Starting", "controller", tc.name)
+	defer logger.Info("Shutting down controller", "controller", tc.name)
+	tc.logger = logger
+
+	// Doing debug logging?
+	if loggerV := logger.V(6); loggerV.Enabled() {
+		tc.eventLogger = &loggerV
+	}
+
+	// Delayed construction of broadcaster because it spawns goroutines.
+	// tc.recorder.Eventf is a local in-memory operation which never
+	// blocks, so it is safe to call from an event handler. The
+	// actual API calls then happen in those spawned goroutines.
+	eventBroadcaster := record.NewBroadcaster(record.WithContext(ctx))
+	tc.recorder = eventBroadcaster.NewRecorder(scheme.Scheme, v1.EventSource{Component: tc.name}).WithLogger(logger)
+	defer eventBroadcaster.Shutdown()
+
+	taintEvictionQueue := tainteviction.CreateWorkerQueue(tc.deletePodHandler(tc.client, tc.emitPodDeletionEvent))
+	evictPod := tc.evictPod
+	tc.evictPod = func(podRef tainteviction.NamespacedObject, fireAt time.Time) {
+		// Only relevant for testing.
+		if evictPod != nil {
+			evictPod(podRef, fireAt)
+		}
+		taintEvictionQueue.UpdateWork(ctx, &tainteviction.WorkArgs{Object: podRef}, time.Now(), fireAt)
+	}
+	cancelEvict := tc.cancelEvict
+	tc.cancelEvict = func(podRef tainteviction.NamespacedObject) bool {
+		if cancelEvict != nil {
+			cancelEvict(podRef)
+		}
+		return taintEvictionQueue.CancelWork(logger, podRef.NamespacedName.String())
+	}
+
+	// Start events processing pipeline.
+	eventBroadcaster.StartStructuredLogging(3)
+	if tc.client != nil {
+		logger.Info("Sending events to api server")
+		eventBroadcaster.StartRecordingToSink(&v1core.EventSinkImpl{Interface: tc.client.CoreV1().Events("")})
+	} else {
+		logger.Error(nil, "kubeClient is nil", "controller", tc.name)
+		klog.FlushAndExit(klog.ExitFlushTimeout, 1)
+	}
+	defer eventBroadcaster.Shutdown()
+
+	// mutex serializes event processing.
+	var mutex sync.Mutex
+
+	claimHandler, _ := tc.claimInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
+		AddFunc: func(obj any) {
+			claim, ok := obj.(*resourceapi.ResourceClaim)
+			if !ok {
+				logger.Error(nil, "Expected ResourceClaim", "actual", fmt.Sprintf("%T", obj))
+				return
+			}
+			mutex.Lock()
+			defer mutex.Unlock()
+			tc.handleClaimChange(nil, claim)
+		},
+		UpdateFunc: func(oldObj, newObj any) {
+			oldClaim, ok := oldObj.(*resourceapi.ResourceClaim)
+			if !ok {
+				logger.Error(nil, "Expected ResourceClaim", "actual", fmt.Sprintf("%T", oldObj))
+				return
+			}
+			newClaim, ok := newObj.(*resourceapi.ResourceClaim)
+			if !ok {
+				logger.Error(nil, "Expected ResourceClaim", "actual", fmt.Sprintf("%T", newObj))
+			}
+			mutex.Lock()
+			defer mutex.Unlock()
+			tc.handleClaimChange(oldClaim, newClaim)
+		},
+		DeleteFunc: func(obj any) {
+			if tombstone, ok := obj.(cache.DeletedFinalStateUnknown); ok {
+				obj = tombstone.Obj
+			}
+			claim, ok := obj.(*resourceapi.ResourceClaim)
+			if !ok {
+				logger.Error(nil, "Expected ResourceClaim", "actual", fmt.Sprintf("%T", obj))
+				return
+			}
+			mutex.Lock()
+			defer mutex.Unlock()
+			tc.handleClaimChange(claim, nil)
+		},
+	})
+	defer func() {
+		_ = tc.claimInformer.Informer().RemoveEventHandler(claimHandler)
+	}()
+	tc.haveSynced = append(tc.haveSynced, claimHandler.HasSynced)
+
+	podHandler, _ := tc.podInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
+		AddFunc: func(obj any) {
+			pod, ok := obj.(*v1.Pod)
+			if !ok {
+				logger.Error(nil, "Expected ResourcePod", "actual", fmt.Sprintf("%T", obj))
+				return
+			}
+			mutex.Lock()
+			defer mutex.Unlock()
+			tc.handlePodChange(nil, pod)
+		},
+		UpdateFunc: func(oldObj, newObj any) {
+			oldPod, ok := oldObj.(*v1.Pod)
+			if !ok {
+				logger.Error(nil, "Expected Pod", "actual", fmt.Sprintf("%T", oldObj))
+				return
+			}
+			newPod, ok := newObj.(*v1.Pod)
+			if !ok {
+				logger.Error(nil, "Expected Pod", "actual", fmt.Sprintf("%T", newObj))
+			}
+			mutex.Lock()
+			defer mutex.Unlock()
+			tc.handlePodChange(oldPod, newPod)
+		},
+		DeleteFunc: func(obj any) {
+			if tombstone, ok := obj.(cache.DeletedFinalStateUnknown); ok {
+				obj = tombstone.Obj
+			}
+			pod, ok := obj.(*v1.Pod)
+			if !ok {
+				logger.Error(nil, "Expected Pod", "actual", fmt.Sprintf("%T", obj))
+				return
+			}
+			mutex.Lock()
+			defer mutex.Unlock()
+			tc.handlePodChange(pod, nil)
+		},
+	})
+	defer func() {
+		_ = tc.podInformer.Informer().RemoveEventHandler(podHandler)
+	}()
+	tc.haveSynced = append(tc.haveSynced, podHandler.HasSynced)
+
+	opts := resourceslicetracker.Options{
+		EnableDeviceTaints: true,
+		SliceInformer:      tc.sliceInformer,
+		TaintInformer:      tc.taintInformer,
+		ClassInformer:      tc.classInformer,
+		KubeClient:         tc.client,
+	}
+	sliceTracker, err := resourceslicetracker.StartTracker(ctx, opts)
+	if err != nil {
+		logger.Info("Failed to initialize ResourceSlice tracker; device taint processing leading to Pod eviction is now paused", "err", err)
+		return
+	}
+	tc.haveSynced = append(tc.haveSynced, sliceTracker.HasSynced)
+	defer sliceTracker.Stop()
+
+	// Wait for tracker to sync before we react to events.
+	// This doesn't have to be perfect, it merely avoids unnecessary
+	// work which might be done as events get emitted for intermediate
+	// state.
+	if !cache.WaitForNamedCacheSyncWithContext(ctx, tc.haveSynced...) {
+		return
+	}
+	logger.V(1).Info("Underlying informers have synced")
+
+	_, _ = sliceTracker.AddEventHandler(cache.ResourceEventHandlerFuncs{
+		AddFunc: func(obj any) {
+			slice, ok := obj.(*resourceapi.ResourceSlice)
+			if !ok {
+				logger.Error(nil, "Expected ResourceSlice", "actual", fmt.Sprintf("%T", obj))
+				return
+			}
+			mutex.Lock()
+			defer mutex.Unlock()
+			tc.handleSliceChange(nil, slice)
+		},
+		UpdateFunc: func(oldObj, newObj any) {
+			oldSlice, ok := oldObj.(*resourceapi.ResourceSlice)
+			if !ok {
+				logger.Error(nil, "Expected ResourceSlice", "actual", fmt.Sprintf("%T", oldObj))
+				return
+			}
+			newSlice, ok := newObj.(*resourceapi.ResourceSlice)
+			if !ok {
+				logger.Error(nil, "Expected ResourceSlice", "actual", fmt.Sprintf("%T", newObj))
+			}
+			mutex.Lock()
+			defer mutex.Unlock()
+			tc.handleSliceChange(oldSlice, newSlice)
+		},
+		DeleteFunc: func(obj any) {
+			// No need to check for DeletedFinalStateUnknown here, the resourceslicetracker doesn't use that.
+			slice, ok := obj.(*resourceapi.ResourceSlice)
+			if !ok {
+				logger.Error(nil, "Expected ResourceSlice", "actual", fmt.Sprintf("%T", obj))
+				return
+			}
+			mutex.Lock()
+			defer mutex.Unlock()
+			tc.handleSliceChange(slice, nil)
+		},
+	})
+
+	// sliceTracker.AddEventHandler blocked while delivering events for all known
+	// ResourceSlices. Therefore our own state is up-to-date once we get here.
+	tc.hasSynced.Store(1)
+
+	<-ctx.Done()
+}
+
+func (tc *Controller) handleClaimChange(oldClaim, newClaim *resourceapi.ResourceClaim) {
+	claim := newClaim
+	if claim == nil {
+		claim = oldClaim
+	}
+	name := newNamespacedName(claim)
+	if tc.eventLogger != nil {
+		// This is intentionally very verbose for debugging.
+		tc.eventLogger.Info("ResourceClaim changed", "claimObject", name, "oldClaim", klog.Format(oldClaim), "newClaim", klog.Format(newClaim), "diff", cmp.Diff(oldClaim, newClaim))
+	}
+
+	// Deleted?
+	if newClaim == nil {
+		delete(tc.allocatedClaims, name)
+		tc.handlePods(claim)
+		return
+	}
+
+	// Added?
+	if oldClaim == nil {
+		if claim.Status.Allocation == nil {
+			return
+		}
+		tc.allocatedClaims[name] = allocatedClaim{
+			ResourceClaim: claim,
+			evictionTime:  tc.evictionTime(claim.Status.Allocation),
+		}
+		tc.handlePods(claim)
+		return
+	}
+
+	// If we have two claims, the UID might still be different. Unlikely, but not impossible...
+	// Treat this like a remove + add.
+	if oldClaim.UID != newClaim.UID {
+		tc.handleClaimChange(oldClaim, nil)
+		tc.handleClaimChange(nil, newClaim)
+		return
+	}
+
+	syncBothClaims := func() {
+		// ReservedFor may have changed. If it did, sync both old and new lists,
+		// otherwise only once (same list).
+		if !slices.Equal(oldClaim.Status.ReservedFor, newClaim.Status.ReservedFor) {
+			tc.handlePods(oldClaim)
+			tc.handlePods(newClaim)
+		} else {
+			tc.handlePods(claim)
+		}
+	}
+
+	// Allocation added?
+	if oldClaim.Status.Allocation == nil && newClaim.Status.Allocation != nil {
+		tc.allocatedClaims[name] = allocatedClaim{
+			ResourceClaim: claim,
+			evictionTime:  tc.evictionTime(claim.Status.Allocation),
+		}
+		syncBothClaims()
+		return
+	}
+
+	// Allocation removed?
+	if oldClaim.Status.Allocation != nil && newClaim.Status.Allocation == nil {
+		delete(tc.allocatedClaims, name)
+		syncBothClaims()
+		return
+	}
+
+	// Allocated before and after?
+	if claim.Status.Allocation != nil {
+		// The Allocation is immutable, so we don't need to recompute the eviction
+		// time. Storing the newer claim is enough.
+		tc.allocatedClaims[name] = allocatedClaim{
+			ResourceClaim: claim,
+			evictionTime:  tc.allocatedClaims[name].evictionTime,
+		}
+		syncBothClaims()
+		return
+	}
+
+	// If we get here, nothing changed.
+}
+
+// evictionTime returns the earliest TimeAdded of any NoExecute taint in any allocated device
+// unless that taint is tolerated, nil if none.
+func (tc *Controller) evictionTime(allocation *resourceapi.AllocationResult) *metav1.Time {
+	var evictionTime *metav1.Time
+
+	for _, allocatedDevice := range allocation.Devices.Results {
+		device := tc.pools[poolID{driverName: allocatedDevice.Driver, poolName: allocatedDevice.Pool}].getDevice(allocatedDevice.Device)
+		if device == nil {
+			// Unknown device? Can't be tainted...
+			continue
+		}
+
+	nextTaint:
+		for _, taint := range device.Taints {
+			if taint.Effect != resourceapi.DeviceTaintEffectNoExecute {
+				continue
+			}
+
+			newEvictionTime := taint.TimeAdded
+			haveToleration := false
+			tolerationSeconds := int64(math.MaxInt64)
+			for _, toleration := range allocatedDevice.Tolerations {
+				if toleration.Effect == resourceapi.DeviceTaintEffectNoExecute &&
+					resourceclaim.ToleratesTaint(toleration, taint) {
+					if toleration.TolerationSeconds == nil {
+						// Tolerate forever -> ignore taint.
+						continue nextTaint
+					}
+					newTolerationSeconds := *toleration.TolerationSeconds
+					if newTolerationSeconds < 0 {
+						newTolerationSeconds = 0
+					}
+					if newTolerationSeconds < tolerationSeconds {
+						tolerationSeconds = newTolerationSeconds
+					}
+					haveToleration = true
+				}
+			}
+			if haveToleration {
+				newEvictionTime = &metav1.Time{Time: newEvictionTime.Add(time.Duration(tolerationSeconds) * time.Second)}
+			}
+
+			if evictionTime == nil {
+				evictionTime = newEvictionTime
+				continue
+			}
+			if newEvictionTime != nil && newEvictionTime.Before(evictionTime) {
+				evictionTime = newEvictionTime
+			}
+		}
+	}
+
+	return evictionTime
+}
+
+func (tc *Controller) handleSliceChange(oldSlice, newSlice *resourceapi.ResourceSlice) {
+	slice := newSlice
+	if slice == nil {
+		slice = oldSlice
+	}
+	poolID := poolID{
+		driverName: slice.Spec.Driver,
+		poolName:   slice.Spec.Pool.Name,
+	}
+	if tc.eventLogger != nil {
+		// This is intentionally very verbose for debugging.
+		tc.eventLogger.Info("ResourceSlice changed", "pool", poolID, "oldSlice", klog.Format(oldSlice), "newSlice", klog.Format(newSlice), "diff", cmp.Diff(oldSlice, newSlice))
+	}
+
+	// Determine old and new device taints. Only devices
+	// where something changes trigger additional checks for claims
+	// using them.
+	//
+	// The pre-allocated slices are small enough to be allocated on
+	// the stack (https://stackoverflow.com/a/69187698/222305).
+	p := tc.pools[poolID]
+	oldDeviceTaints := p.getTaintedDevices()
+	p.removeSlice(oldSlice)
+	p.addSlice(newSlice)
+	if len(p.slices) == 0 {
+		delete(tc.pools, poolID)
+	} else {
+		tc.pools[poolID] = p
+	}
+	newDeviceTaints := p.getTaintedDevices()
+
+	// Now determine differences. This depends on both slices having been sorted
+	// by device name.
+	if len(oldDeviceTaints) == 0 && len(newDeviceTaints) == 0 {
+		// Both empty, no changes.
+		return
+	}
+	modifiedDevices := sets.New[string]()
+	o, n := 0, 0
+	for o < len(oldDeviceTaints) || n < len(newDeviceTaints) {
+		// Iterate over devices in both slices with the same name.
+		for o < len(oldDeviceTaints) && n < len(newDeviceTaints) && oldDeviceTaints[o].deviceName == newDeviceTaints[n].deviceName {
+			if !apiequality.Semantic.DeepEqual(oldDeviceTaints[o].taint, newDeviceTaints[n].taint) { // TODO: hard-code the comparison?
+				modifiedDevices.Insert(oldDeviceTaints[o].deviceName)
+			}
+			o++
+			n++
+		}
+
+		// Step over old devices which were removed.
+		newDeviceName := ""
+		if n < len(newDeviceTaints) {
+			newDeviceName = newDeviceTaints[n].deviceName
+		}
+		for o < len(oldDeviceTaints) && oldDeviceTaints[o].deviceName != newDeviceName {
+			modifiedDevices.Insert(oldDeviceTaints[o].deviceName)
+			o++
+		}
+
+		// Step over new devices which were added.
+		oldDeviceName := ""
+		if o < len(oldDeviceTaints) {
+			oldDeviceName = oldDeviceTaints[o].deviceName
+		}
+		if n < len(newDeviceTaints) && newDeviceTaints[n].deviceName != oldDeviceName {
+			modifiedDevices.Insert(newDeviceTaints[n].deviceName)
+			n++
+		}
+	}
+
+	// Now find all claims using at least one modified device,
+	// update their eviction time, and handle their consuming pods.
+	for name, claim := range tc.allocatedClaims {
+		if !usesDevice(claim.Status.Allocation, poolID, modifiedDevices) {
+			continue
+		}
+		newEvictionTime := tc.evictionTime(claim.ResourceClaim.Status.Allocation)
+		if newEvictionTime.Equal(claim.evictionTime) {
+			// No change.
+			continue
+		}
+		claim.evictionTime = newEvictionTime
+		tc.allocatedClaims[name] = claim
+		// We could collect pods which depend on claims with changes.
+		// In practice, most pods probably depend on one claim, so
+		// it is probably more efficient to avoid building such a map
+		// to make the common case simple.
+		tc.handlePods(claim.ResourceClaim)
+	}
+}
+
+func usesDevice(allocation *resourceapi.AllocationResult, pool poolID, modifiedDevices sets.Set[string]) bool {
+	for _, device := range allocation.Devices.Results {
+		if device.Driver == pool.driverName &&
+			device.Pool == pool.poolName &&
+			modifiedDevices.Has(device.Device) {
+			return true
+		}
+	}
+	return false
+}
+
+func (tc *Controller) handlePodChange(oldPod, newPod *v1.Pod) {
+	pod := newPod
+	if pod == nil {
+		pod = oldPod
+	}
+	if tc.eventLogger != nil {
+		// This is intentionally very verbose for debugging.
+		tc.eventLogger.Info("Pod changed", "pod", klog.KObj(pod), "oldPod", klog.Format(oldPod), "newPod", klog.Format(newPod), "diff", cmp.Diff(oldPod, newPod))
+	}
+	if newPod == nil {
+		// Nothing left to do for it. No need to emit an event here, it's gone.
+		tc.cancelEvict(newObject(oldPod))
+		return
+	}
+
+	// Pods get updated quite frequently. There's no need
+	// to check them again unless something changed regarding
+	// their claims.
+	//
+	// In particular this prevents adding the pod again
+	// directly after the eviction condition got added
+	// to it.
+	if oldPod != nil &&
+		apiequality.Semantic.DeepEqual(oldPod.Status.ResourceClaimStatuses, newPod.Status.ResourceClaimStatuses) {
+		return
+	}
+
+	tc.handlePod(newPod)
+}
+
+func (tc *Controller) handlePods(claim *resourceapi.ResourceClaim) {
+	for _, consumer := range claim.Status.ReservedFor {
+		if consumer.APIGroup == "" && consumer.Resource == "pods" {
+			pod, err := tc.podInformer.Lister().Pods(claim.Namespace).Get(consumer.Name)
+			if err != nil {
+				if apierrors.IsNotFound(err) {
+					return
+				}
+				// Should not happen.
+				utilruntime.HandleErrorWithLogger(tc.logger, err, "retrieve pod from cache")
+				return
+			}
+			if pod.UID != consumer.UID {
+				// Not the pod we were looking for.
+				return
+			}
+			tc.handlePod(pod)
+		}
+	}
+}
+
+func (tc *Controller) handlePod(pod *v1.Pod) {
+	// Not scheduled yet? No need to evict.
+	if pod.Spec.NodeName == "" {
+		return
+	}
+
+	// If any claim in use by the pod is tainted such that the taint is not tolerated,
+	// the pod needs to be evicted.
+	var evictionTime *metav1.Time
+	for i := range pod.Spec.ResourceClaims {
+		claimName, mustCheckOwner, err := resourceclaim.Name(pod, &pod.Spec.ResourceClaims[i])
+		if err != nil {
+			// Not created yet or unsupported. Definitely not tainted.
+			continue
+		}
+		if claimName == nil {
+			// Claim not needed.
+			continue
+		}
+		allocatedClaim, ok := tc.allocatedClaims[types.NamespacedName{Namespace: pod.Namespace, Name: *claimName}]
+		if !ok {
+			// Referenced, but not found or not allocated. Also not tainted.
+			continue
+		}
+		if mustCheckOwner && resourceclaim.IsForPod(pod, allocatedClaim.ResourceClaim) != nil {
+			// Claim and pod don't match. Ignore the claim.
+			continue
+		}
+		if !resourceclaim.IsReservedForPod(pod, allocatedClaim.ResourceClaim) {
+			// The pod isn't the one which is allowed and/or supposed to use the claim.
+			// Perhaps that pod instance already got deleted and we are looking at its
+			// replacement under the same name. Either way, ignore.
+			continue
+		}
+		if allocatedClaim.evictionTime == nil {
+			continue
+		}
+		if evictionTime == nil || allocatedClaim.evictionTime.Before(evictionTime) {
+			evictionTime = allocatedClaim.evictionTime
+		}
+	}
+
+	podRef := newObject(pod)
+	if evictionTime != nil {
+		tc.evictPod(podRef, evictionTime.Time)
+	} else {
+		tc.cancelWorkWithEvent(podRef)
+	}
+}
+
+func (tc *Controller) cancelWorkWithEvent(podRef tainteviction.NamespacedObject) {
+	if tc.cancelEvict(podRef) {
+		tc.emitCancelPodDeletionEvent(podRef)
+	}
+}
+
+func (tc *Controller) emitPodDeletionEvent(podRef tainteviction.NamespacedObject) {
+	if tc.recorder == nil {
+		return
+	}
+	ref := &v1.ObjectReference{
+		APIVersion: "v1",
+		Kind:       "Pod",
+		Name:       podRef.Name,
+		Namespace:  podRef.Namespace,
+		UID:        podRef.UID,
+	}
+	tc.recorder.Eventf(ref, v1.EventTypeNormal, "DeviceTaintManagerEviction", "Marking for deletion")
+}
+
+func (tc *Controller) emitCancelPodDeletionEvent(podRef tainteviction.NamespacedObject) {
+	if tc.recorder == nil {
+		return
+	}
+	ref := &v1.ObjectReference{
+		APIVersion: "v1",
+		Kind:       "Pod",
+		Name:       podRef.Name,
+		Namespace:  podRef.Namespace,
+		UID:        podRef.UID,
+	}
+	tc.recorder.Eventf(ref, v1.EventTypeNormal, "DeviceTaintManagerEviction", "Cancelling deletion")
+}
+
+func newNamespacedName(obj metav1.Object) types.NamespacedName {
+	return types.NamespacedName{
+		Namespace: obj.GetNamespace(),
+		Name:      obj.GetName(),
+	}
+}
+
+func newObject(obj metav1.Object) tainteviction.NamespacedObject {
+	return tainteviction.NamespacedObject{
+		NamespacedName: newNamespacedName(obj),
+		UID:            obj.GetUID(),
+	}
+}
diff --git a/pkg/controller/devicetainteviction/device_taint_eviction_test.go b/pkg/controller/devicetainteviction/device_taint_eviction_test.go
new file mode 100644
index 00000000000..74afd0e9c66
--- /dev/null
+++ b/pkg/controller/devicetainteviction/device_taint_eviction_test.go
@@ -0,0 +1,1754 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package devicetainteviction
+
+import (
+	"errors"
+	"fmt"
+	"math"
+	"slices"
+	"sort"
+	"strings"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
+	"github.com/onsi/gomega"
+	"github.com/onsi/gomega/gstruct"
+	gomegatypes "github.com/onsi/gomega/types"
+	"github.com/prometheus/client_golang/prometheus"
+	dto "github.com/prometheus/client_model/go"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	v1 "k8s.io/api/core/v1"
+	resourceapi "k8s.io/api/resource/v1beta1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/client-go/informers"
+	"k8s.io/client-go/kubernetes/fake"
+	core "k8s.io/client-go/testing"
+	metricstestutil "k8s.io/component-base/metrics/testutil"
+	"k8s.io/klog/v2"
+	"k8s.io/kubernetes/pkg/controller/devicetainteviction/metrics"
+	"k8s.io/kubernetes/pkg/controller/tainteviction"
+	controllertestutil "k8s.io/kubernetes/pkg/controller/testutil"
+	st "k8s.io/kubernetes/pkg/scheduler/testing"
+	"k8s.io/kubernetes/test/utils/ktesting"
+	"k8s.io/utils/ptr"
+)
+
+// setup creates a controller which is ready to have its handle* methods called.
+func setup(tb testing.TB) *testContext {
+	tCtx := ktesting.Init(tb)
+	fakeClientset := fake.NewSimpleClientset()
+	informerFactory := informers.NewSharedInformerFactory(fakeClientset, 0)
+	controller := New(fakeClientset,
+		informerFactory.Core().V1().Pods(),
+		informerFactory.Resource().V1beta1().ResourceClaims(),
+		informerFactory.Resource().V1beta1().ResourceSlices(),
+		informerFactory.Resource().V1alpha3().DeviceTaintRules(),
+		informerFactory.Resource().V1beta1().DeviceClasses(),
+		"device-taint-eviction",
+	)
+	tContext := &testContext{
+		TContext:        tCtx,
+		Controller:      controller,
+		recorder:        controllertestutil.NewFakeRecorder(),
+		client:          fakeClientset,
+		informerFactory: informerFactory,
+	}
+	tContext.logger = tCtx.Logger()
+	// Always log, not matter what the -v value is.
+	controller.eventLogger = &tContext.logger
+	tContext.evictPod = func(podRef tainteviction.NamespacedObject, fireAt time.Time) {
+		// Always replace an existing entry for the same pod.
+		index := slices.IndexFunc(tContext.evicting, func(e evictAt) bool {
+			return e.podRef == podRef
+		})
+		e := evictAt{podRef, fireAt}
+		if index == -1 {
+			tContext.evicting = append(tContext.evicting, e)
+		} else {
+			tContext.evicting[index] = e
+		}
+		sort.Slice(tContext.evicting, func(i, j int) bool {
+			switch strings.Compare(tContext.evicting[i].podRef.Namespace, tContext.evicting[j].podRef.Namespace) {
+			case 1:
+				return false
+			case -1:
+				return true
+			}
+			return tContext.evicting[i].podRef.Name < tContext.evicting[j].podRef.Name
+		})
+	}
+	tContext.cancelEvict = func(pod tainteviction.NamespacedObject) bool {
+		index := slices.IndexFunc(tContext.evicting, func(e evictAt) bool { return e.podRef == pod })
+		if index >= 0 {
+			tContext.evicting = slices.Delete(tContext.evicting, index, index+1)
+			return true
+		}
+		return false
+	}
+	tContext.Controller.recorder = tContext.recorder
+
+	return tContext
+}
+
+type testContext struct {
+	ktesting.TContext
+	*Controller
+	evicting        []evictAt // sorted by namespace, name
+	recorder        *controllertestutil.FakeRecorder
+	client          *fake.Clientset
+	informerFactory informers.SharedInformerFactory
+}
+
+type evictAt struct {
+	podRef tainteviction.NamespacedObject
+	fireAt time.Time
+}
+
+type state struct {
+	pods            []*v1.Pod
+	allocatedClaims []allocatedClaim
+	slices          []*resourceapi.ResourceSlice
+	evicting        []evictAt
+}
+
+func (s state) allocatedClaimsAsMap() map[types.NamespacedName]allocatedClaim {
+	claims := make(map[types.NamespacedName]allocatedClaim)
+	for _, claim := range s.allocatedClaims {
+		claims[types.NamespacedName{Namespace: claim.Namespace, Name: claim.Name}] = claim
+	}
+	return claims
+}
+
+func (s state) slicesAsMap() map[poolID]pool {
+	pools := make(map[poolID]pool)
+	for _, slice := range s.slices {
+		id := poolID{driverName: slice.Spec.Driver, poolName: slice.Spec.Pool.Name}
+		pool := pools[id]
+		if pool.slices == nil {
+			pool.slices = sets.New[*resourceapi.ResourceSlice]()
+		}
+		pool.slices.Insert(slice)
+		pools[id] = pool
+	}
+	for id, pool := range pools {
+		maxGeneration := int64(math.MinInt64)
+		for slice := range pool.slices {
+			if slice.Spec.Pool.Generation > maxGeneration {
+				maxGeneration = slice.Spec.Pool.Generation
+			}
+		}
+		pool.maxGeneration = maxGeneration
+		pools[id] = pool
+	}
+	return pools
+}
+
+type testCase struct {
+	initialState state
+
+	// events contains pairs of old and new objects which will
+	// be passed to handle* methods.
+	// Objects can be slices, claims, and pods.
+	// [add], [remove], and [update] can be used to produce
+	// such pairs.
+	//
+	// Alternatively, it can also contain a list of such pairs.
+	// Those will be applied in the order in which they appear
+	// in each event entry.
+	events []any
+
+	finalState state
+	wantEvents []*v1.Event
+}
+
+func add[T any](obj *T) [2]*T {
+	return [2]*T{nil, obj}
+}
+
+func remove[T any](obj *T) [2]*T {
+	return [2]*T{obj, nil}
+}
+
+func update[T any](oldObj, newObj *T) [2]*T {
+	return [2]*T{oldObj, newObj}
+}
+
+var (
+	podKind      = v1.SchemeGroupVersion.WithKind("Pod")
+	nodeName     = "worker"
+	nodeName2    = "worker-2"
+	driver       = "some-driver"
+	podName      = "my-pod"
+	podUID       = "1234"
+	className    = "my-resource-class"
+	resourceName = "my-resource"
+	claimName    = podName + "-" + resourceName
+	namespace    = "default"
+	taintTime    = metav1.Now() // This cannot be a fixed value in the past, otherwise the "seconds since taint time" delta overflows.
+	taintKey     = "example.com/taint"
+	taintValue   = "something"
+	simpleSlice  = st.MakeResourceSlice(nodeName, driver).
+			Device("instance").
+			Obj()
+	slice = st.MakeResourceSlice(nodeName, driver).
+		Device("instance").
+		Device("instance-no-schedule", resourceapi.DeviceTaint{Key: taintKey, Effect: resourceapi.DeviceTaintEffectNoSchedule}).
+		Device("instance-no-execute", resourceapi.DeviceTaint{Key: taintKey, Effect: resourceapi.DeviceTaintEffectNoExecute, TimeAdded: &taintTime}).
+		Obj()
+	sliceReplaced = func() *resourceapi.ResourceSlice {
+		slice := slice.DeepCopy()
+		slice.Name += "-updated"
+		slice.Spec.Pool.Generation++
+		return slice
+	}()
+	sliceUnknownDevices = func() *resourceapi.ResourceSlice {
+		slice := slice.DeepCopy()
+		for i := range slice.Spec.Devices {
+			slice.Spec.Devices[i].Basic = nil
+		}
+		return slice
+	}()
+	sliceTainted = func() *resourceapi.ResourceSlice {
+		slice := slice.DeepCopy()
+		slice.Spec.Devices[0].Basic.Taints = []resourceapi.DeviceTaint{{Key: taintKey, Effect: resourceapi.DeviceTaintEffectNoExecute, Value: taintValue, TimeAdded: &taintTime}}
+		return slice
+	}()
+	sliceTaintedExtended = func() *resourceapi.ResourceSlice {
+		slice := sliceTainted.DeepCopy()
+		slice.Spec.Devices = append(slice.Spec.Devices, *slice.Spec.Devices[0].DeepCopy())
+		slice.Spec.Devices[len(slice.Spec.Devices)-1].Name += "-other"
+		return slice
+	}()
+	sliceTaintedNoSchedule = func() *resourceapi.ResourceSlice {
+		slice := sliceTainted.DeepCopy()
+		for i := range slice.Spec.Devices {
+			for j := range slice.Spec.Devices[i].Basic.Taints {
+				slice.Spec.Devices[i].Basic.Taints[j].Effect = resourceapi.DeviceTaintEffectNoSchedule
+			}
+		}
+		return slice
+	}()
+	sliceTaintedValueOther = func() *resourceapi.ResourceSlice {
+		slice := sliceTainted.DeepCopy()
+		for i := range slice.Spec.Devices {
+			for j := range slice.Spec.Devices[i].Basic.Taints {
+				slice.Spec.Devices[i].Basic.Taints[j].Value += "-other"
+			}
+		}
+		return slice
+	}()
+	sliceTaintedTwice = func() *resourceapi.ResourceSlice {
+		slice := slice.DeepCopy()
+		slice.Spec.Devices[0].Basic.Taints = []resourceapi.DeviceTaint{
+			{Key: taintKey, Effect: resourceapi.DeviceTaintEffectNoExecute, TimeAdded: &taintTime},
+			{Key: taintKey + "-other", Effect: resourceapi.DeviceTaintEffectNoExecute, TimeAdded: &taintTime},
+		}
+		return slice
+	}()
+	sliceUntainted = func() *resourceapi.ResourceSlice {
+		slice := slice.DeepCopy()
+		slice.Spec.Devices[1].Basic.Taints = nil
+		slice.Spec.Devices[2].Basic.Taints = nil
+		return slice
+	}()
+	slice2 = func() *resourceapi.ResourceSlice {
+		slice := slice.DeepCopy()
+		slice.Name += "-2"
+		slice.Spec.NodeName = nodeName2
+		slice.Spec.Pool.Name = nodeName2
+		slice.Spec.Pool.Generation++
+		return slice
+	}()
+	claim = st.MakeResourceClaim().
+		Name(claimName).
+		Namespace(namespace).
+		Request(className).
+		Obj()
+	allocationResult = &resourceapi.AllocationResult{
+		Devices: resourceapi.DeviceAllocationResult{
+			Results: []resourceapi.DeviceRequestAllocationResult{{
+				Driver:  driver,
+				Pool:    nodeName,
+				Device:  "instance",
+				Request: "req-1",
+			}},
+		},
+	}
+	inUseClaim = st.FromResourceClaim(claim).
+			OwnerReference(podName, podUID, podKind).
+			Allocation(allocationResult).
+			ReservedForPod(podName, types.UID(podUID)).
+			Obj()
+	// A test may run for an hour without reaching the end of this period.
+	tolerationDuration       = 60 * 60 * time.Second
+	inUseClaimWithToleration = func() *resourceapi.ResourceClaim {
+		claim := inUseClaim.DeepCopy()
+		claim.Status.Allocation.Devices.Results[0].Tolerations = []resourceapi.DeviceToleration{{
+			Key:               taintKey,
+			Operator:          resourceapi.DeviceTolerationOpEqual,
+			Value:             taintValue,
+			Effect:            resourceapi.DeviceTaintEffectNoExecute,
+			TolerationSeconds: ptr.To(int64(tolerationDuration.Seconds())),
+		}}
+		return claim
+	}()
+	inUseClaimOld = st.FromResourceClaim(inUseClaim).
+			OwnerReference(podName, podUID+"-other", podKind).
+			UID("other").
+			Obj()
+	podWithClaimName = st.MakePod().Name(podName).Namespace(namespace).
+				UID(podUID).
+				PodResourceClaims(v1.PodResourceClaim{Name: resourceName, ResourceClaimName: &claimName}).
+				Node(nodeName).
+				Obj()
+	podWithClaimNameOther = st.MakePod().Name(podName).Namespace(namespace).
+				UID(podUID + "-other").
+				PodResourceClaims(v1.PodResourceClaim{Name: resourceName, ResourceClaimName: &claimName}).
+				Node(nodeName).
+				Obj()
+	podWithClaimTemplate = st.MakePod().Name(podName).Namespace(namespace).
+				UID(podUID).
+				PodResourceClaims(v1.PodResourceClaim{Name: resourceName, ResourceClaimTemplateName: &claimName}).
+				Node(nodeName).
+				Obj()
+	podWithClaimTemplateInStatus = func() *v1.Pod {
+		pod := podWithClaimTemplate.DeepCopy()
+		pod.Status.ResourceClaimStatuses = []v1.PodResourceClaimStatus{
+			{
+				Name:              pod.Spec.ResourceClaims[0].Name,
+				ResourceClaimName: &claimName,
+			},
+		}
+		return pod
+	}()
+	podWithClaimTemplateNoClaimInStatus = func() *v1.Pod {
+		pod := podWithClaimTemplate.DeepCopy()
+		pod.Status.ResourceClaimStatuses = []v1.PodResourceClaimStatus{
+			{
+				Name: pod.Spec.ResourceClaims[0].Name,
+				// This is valid: it was decided that the pod should run without
+				// its claim generated for it. Not used in practice.
+				ResourceClaimName: nil,
+			},
+		}
+		return pod
+	}()
+	cancelPodEviction = &v1.Event{
+		InvolvedObject: v1.ObjectReference{
+			Kind:       "Pod",
+			APIVersion: "v1",
+			Namespace:  namespace,
+			Name:       podName,
+			UID:        types.UID(podUID),
+		},
+		Reason:  "DeviceTaintManagerEviction",
+		Message: "Cancelling deletion",
+		Type:    v1.EventTypeNormal,
+		Source: v1.EventSource{
+			Component: "nodeControllerTest",
+		},
+		Count: 1,
+	}
+)
+
+func matchDeletionEvent() gomegatypes.GomegaMatcher {
+	return matchEvent("Marking for deletion")
+}
+
+func matchCancellationEvent() gomegatypes.GomegaMatcher {
+	return matchEvent("Cancelling deletion")
+}
+
+func matchEvent(message string) gomegatypes.GomegaMatcher {
+	return gomega.ConsistOf(gstruct.MatchFields(gstruct.IgnoreExtras, gstruct.Fields{
+		"Source":  gomega.HaveField("Component", gomega.Equal("device-taint-eviction")),
+		"Reason":  gomega.Equal("DeviceTaintManagerEviction"),
+		"Message": gomega.Equal(message),
+		"Count":   gomega.Equal(int32(1)),
+		"InvolvedObject": gomega.Equal(v1.ObjectReference{
+			Kind:       "Pod",
+			APIVersion: "v1",
+			Namespace:  namespace,
+			Name:       podName,
+			UID:        types.UID(podUID),
+		}),
+	}))
+}
+
+func listEvents(tCtx ktesting.TContext) []v1.Event {
+	events, err := tCtx.Client().CoreV1().Events("").List(tCtx, metav1.ListOptions{})
+	tCtx.ExpectNoError(err, "list events")
+	return events.Items
+}
+
+// TestHandlers covers the event handler logic. Each test case starts with
+// some known state, applies a sequence of independent events in all
+// permutations of their order, then checks against the expected final
+// state. The final state must be the same in all permutations. This simulates
+// the random order in which informer updates can be perceived.
+func TestHandlers(t *testing.T) {
+	t.Parallel()
+
+	for name, tc := range map[string]testCase{
+		"empty": {},
+		"populate-pools": {
+			events: []any{
+				add(slice),
+				add(slice2),
+			},
+			finalState: state{
+				slices: []*resourceapi.ResourceSlice{slice, slice2},
+			},
+		},
+		"update-pools": {
+			initialState: state{
+				slices: []*resourceapi.ResourceSlice{slice, slice2},
+			},
+			events: []any{
+				update(slice, sliceUntainted),
+				remove(slice2),
+			},
+			finalState: state{
+				slices: []*resourceapi.ResourceSlice{sliceUntainted},
+			},
+		},
+		"untainted-claim": {
+			events: []any{
+				add(slice),
+				add(slice2),
+				add(inUseClaim),
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{slice, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim}},
+			},
+		},
+		"tainted-claim": {
+			events: []any{
+				add(sliceTainted),
+				add(slice2),
+				add(inUseClaim),
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+			},
+		},
+		"evict-pod-resourceclaim": {
+			events: []any{
+				add(sliceTainted),
+				add(slice2),
+				add(inUseClaim),
+				add(podWithClaimName),
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+				evicting:        []evictAt{{newObject(podWithClaimName), taintTime.Time}},
+			},
+		},
+		"evict-pod-resourceclaim-again": {
+			initialState: state{
+				pods:            []*v1.Pod{podWithClaimName},
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+				evicting:        []evictAt{{newObject(podWithClaimName), taintTime.Time}},
+			},
+			events: []any{
+				[]any{remove(sliceTainted), add(sliceTainted)},
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+				evicting:        []evictAt{{newObject(podWithClaimName), taintTime.Time}},
+			},
+			// It is debatable whether the controller should react
+			// to slice changes (a deletion in this case)
+			// quickly. On the one hand we want to cancel eviction
+			// quickly in case that a taint goes away, on the other
+			// hand it can also restore the previous state and emit
+			// an event, as in this test case.
+			//
+			// At the moment, the code reliably cancels right away.
+			wantEvents: []*v1.Event{cancelPodEviction},
+		},
+		"evict-pod-resourceclaim-unrelated-changes": {
+			initialState: state{
+				pods:            []*v1.Pod{podWithClaimName},
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+				evicting:        []evictAt{{newObject(podWithClaimName), taintTime.Time}},
+			},
+			events: []any{
+				update(sliceTainted, sliceTaintedExtended),
+				update(inUseClaim, inUseClaim),             // No real change here, good enough for testing some code paths.
+				update(podWithClaimName, podWithClaimName), // Same here.
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{sliceTaintedExtended, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+				evicting:        []evictAt{{newObject(podWithClaimName), taintTime.Time}},
+			},
+		},
+		"evict-pod-resourceclaimtemplate": {
+			events: []any{
+				add(sliceTainted),
+				add(slice2),
+				add(inUseClaim),
+				add(podWithClaimTemplateInStatus),
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+				evicting:        []evictAt{{newObject(podWithClaimTemplateInStatus), taintTime.Time}},
+			},
+		},
+		"evict-pod-later": {
+			events: []any{
+				add(sliceTainted),
+				add(slice2),
+				add(inUseClaimWithToleration),
+				add(podWithClaimName),
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaimWithToleration, evictionTime: &metav1.Time{Time: taintTime.Add(tolerationDuration)}}},
+				evicting:        []evictAt{{newObject(podWithClaimName), taintTime.Time.Add(tolerationDuration)}},
+			},
+		},
+		"evict-pod-later-many": {
+			events: []any{
+				add(sliceTainted),
+				add(slice2),
+				add(func() *resourceapi.ResourceClaim {
+					claim := inUseClaim.DeepCopy()
+					claim.Status.Allocation.Devices.Results[0].Tolerations = []resourceapi.DeviceToleration{
+						{
+							Key:               taintKey + "-other",
+							Operator:          resourceapi.DeviceTolerationOpEqual,
+							Value:             taintValue,
+							Effect:            resourceapi.DeviceTaintEffectNoExecute,
+							TolerationSeconds: ptr.To(int64(20)),
+						},
+						{
+							Operator:          resourceapi.DeviceTolerationOpExists,
+							Effect:            resourceapi.DeviceTaintEffectNoExecute,
+							TolerationSeconds: ptr.To(int64(60)),
+						},
+						{
+							Operator:          resourceapi.DeviceTolerationOpExists,
+							Effect:            resourceapi.DeviceTaintEffectNoExecute,
+							TolerationSeconds: ptr.To(int64(30)),
+						},
+					}
+					return claim
+				}()),
+				add(podWithClaimName),
+			},
+			finalState: state{
+				slices: []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: func() *resourceapi.ResourceClaim {
+					claim := inUseClaim.DeepCopy()
+					claim.Status.Allocation.Devices.Results[0].Tolerations = []resourceapi.DeviceToleration{
+						{
+							Key:               taintKey + "-other",
+							Operator:          resourceapi.DeviceTolerationOpEqual,
+							Value:             taintValue,
+							Effect:            resourceapi.DeviceTaintEffectNoExecute,
+							TolerationSeconds: ptr.To(int64(20)),
+						},
+						{
+							Operator:          resourceapi.DeviceTolerationOpExists,
+							Effect:            resourceapi.DeviceTaintEffectNoExecute,
+							TolerationSeconds: ptr.To(int64(60)),
+						},
+						{
+							Operator:          resourceapi.DeviceTolerationOpExists,
+							Effect:            resourceapi.DeviceTaintEffectNoExecute,
+							TolerationSeconds: ptr.To(int64(30)),
+						},
+					}
+					return claim
+				}(), evictionTime: &metav1.Time{Time: taintTime.Add(30 * time.Second)}}},
+				evicting: []evictAt{{newObject(podWithClaimName), taintTime.Time.Add(30 * time.Second)}},
+			},
+		},
+		"evict-pod-toleration-mismatch": {
+			events: []any{
+				add(sliceTainted),
+				add(slice2),
+				add(func() *resourceapi.ResourceClaim {
+					claim := inUseClaim.DeepCopy()
+					claim.Status.Allocation.Devices.Results[0].Tolerations = []resourceapi.DeviceToleration{{
+						Key:               taintKey + "-other",
+						Operator:          resourceapi.DeviceTolerationOpEqual,
+						Value:             taintValue,
+						Effect:            resourceapi.DeviceTaintEffectNoExecute,
+						TolerationSeconds: ptr.To(int64(60)),
+					}}
+					return claim
+				}()),
+				add(podWithClaimName),
+			},
+			finalState: state{
+				slices: []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: func() *resourceapi.ResourceClaim {
+					claim := inUseClaim.DeepCopy()
+					claim.Status.Allocation.Devices.Results[0].Tolerations = []resourceapi.DeviceToleration{{
+						Key:               taintKey + "-other",
+						Operator:          resourceapi.DeviceTolerationOpEqual,
+						Value:             taintValue,
+						Effect:            resourceapi.DeviceTaintEffectNoExecute,
+						TolerationSeconds: ptr.To(int64(60)),
+					}}
+					return claim
+				}(), evictionTime: &metav1.Time{Time: taintTime.Time}}},
+				evicting: []evictAt{{newObject(podWithClaimName), taintTime.Time}},
+			},
+		},
+		"no-evict-pod-toleration-forever": {
+			events: []any{
+				add(sliceTainted),
+				add(slice2),
+				add(func() *resourceapi.ResourceClaim {
+					claim := inUseClaim.DeepCopy()
+					claim.Status.Allocation.Devices.Results[0].Tolerations = []resourceapi.DeviceToleration{{
+						Operator: resourceapi.DeviceTolerationOpExists,
+						Effect:   resourceapi.DeviceTaintEffectNoExecute,
+					}}
+					return claim
+				}()),
+				add(podWithClaimName),
+			},
+			finalState: state{
+				slices: []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: func() *resourceapi.ResourceClaim {
+					claim := inUseClaim.DeepCopy()
+					claim.Status.Allocation.Devices.Results[0].Tolerations = []resourceapi.DeviceToleration{{
+						Operator: resourceapi.DeviceTolerationOpExists,
+						Effect:   resourceapi.DeviceTaintEffectNoExecute,
+					}}
+					return claim
+				}()}},
+			},
+		},
+		"no-evict-pod-toleration-forever-many": {
+			events: []any{
+				add(sliceTainted),
+				add(slice2),
+				add(func() *resourceapi.ResourceClaim {
+					claim := inUseClaim.DeepCopy()
+					claim.Status.Allocation.Devices.Results[0].Tolerations = []resourceapi.DeviceToleration{
+						{
+							Operator:          resourceapi.DeviceTolerationOpExists,
+							Effect:            resourceapi.DeviceTaintEffectNoExecute,
+							TolerationSeconds: ptr.To(int64(60)),
+						},
+						{
+							Operator: resourceapi.DeviceTolerationOpExists,
+							Effect:   resourceapi.DeviceTaintEffectNoExecute,
+						},
+					}
+					return claim
+				}()),
+				add(podWithClaimName),
+			},
+			finalState: state{
+				slices: []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: func() *resourceapi.ResourceClaim {
+					claim := inUseClaim.DeepCopy()
+					claim.Status.Allocation.Devices.Results[0].Tolerations = []resourceapi.DeviceToleration{
+						{
+							Operator:          resourceapi.DeviceTolerationOpExists,
+							Effect:            resourceapi.DeviceTaintEffectNoExecute,
+							TolerationSeconds: ptr.To(int64(60)),
+						},
+						{
+							Operator: resourceapi.DeviceTolerationOpExists,
+							Effect:   resourceapi.DeviceTaintEffectNoExecute,
+						},
+					}
+					return claim
+				}()}},
+			},
+		},
+		"evict-pod-partial-toleration": {
+			events: []any{
+				add(sliceTaintedTwice),
+				add(slice2),
+				add(func() *resourceapi.ResourceClaim {
+					claim := inUseClaim.DeepCopy()
+					claim.Status.Allocation.Devices.Results[0].Tolerations = []resourceapi.DeviceToleration{{
+						Operator: resourceapi.DeviceTolerationOpExists,
+						Key:      taintKey,
+						Effect:   resourceapi.DeviceTaintEffectNoExecute,
+					}}
+					return claim
+				}()),
+				add(podWithClaimName),
+			},
+			finalState: state{
+				slices: []*resourceapi.ResourceSlice{sliceTaintedTwice, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: func() *resourceapi.ResourceClaim {
+					claim := inUseClaim.DeepCopy()
+					claim.Status.Allocation.Devices.Results[0].Tolerations = []resourceapi.DeviceToleration{{
+						Operator: resourceapi.DeviceTolerationOpExists,
+						Key:      taintKey,
+						Effect:   resourceapi.DeviceTaintEffectNoExecute,
+					}}
+					return claim
+				}(), evictionTime: &taintTime}},
+				evicting: []evictAt{{newObject(podWithClaimName), taintTime.Time}},
+			},
+		},
+		"evict-pod-many-taints": {
+			events: []any{
+				add(sliceTaintedTwice),
+				add(slice2),
+				add(func() *resourceapi.ResourceClaim {
+					claim := inUseClaim.DeepCopy()
+					claim.Status.Allocation.Devices.Results[0].Tolerations = []resourceapi.DeviceToleration{
+						{
+							Operator:          resourceapi.DeviceTolerationOpExists,
+							Key:               taintKey,
+							Effect:            resourceapi.DeviceTaintEffectNoExecute,
+							TolerationSeconds: ptr.To(int64(60)),
+						},
+						{
+							Operator:          resourceapi.DeviceTolerationOpExists,
+							Key:               taintKey + "-other",
+							Effect:            resourceapi.DeviceTaintEffectNoExecute,
+							TolerationSeconds: ptr.To(int64(30)),
+						},
+					}
+					return claim
+				}()),
+				add(podWithClaimName),
+			},
+			finalState: state{
+				slices: []*resourceapi.ResourceSlice{sliceTaintedTwice, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: func() *resourceapi.ResourceClaim {
+					claim := inUseClaim.DeepCopy()
+					claim.Status.Allocation.Devices.Results[0].Tolerations = []resourceapi.DeviceToleration{
+						{
+							Operator:          resourceapi.DeviceTolerationOpExists,
+							Key:               taintKey,
+							Effect:            resourceapi.DeviceTaintEffectNoExecute,
+							TolerationSeconds: ptr.To(int64(60)),
+						},
+						{
+							Operator:          resourceapi.DeviceTolerationOpExists,
+							Key:               taintKey + "-other",
+							Effect:            resourceapi.DeviceTaintEffectNoExecute,
+							TolerationSeconds: ptr.To(int64(30)),
+						},
+					}
+					return claim
+				}(), evictionTime: &metav1.Time{Time: taintTime.Add(30 * time.Second)}}},
+				evicting: []evictAt{{newObject(podWithClaimName), taintTime.Time.Add(30 * time.Second)}},
+			},
+		},
+		"no-evict-pod-not-scheduled": {
+			events: []any{
+				add(sliceTainted),
+				add(slice2),
+				add(inUseClaim),
+				add(func() *v1.Pod {
+					pod := podWithClaimName.DeepCopy()
+					pod.Spec.NodeName = ""
+					return pod
+				}()),
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+			},
+		},
+		"no-evict-no-taint": {
+			events: []any{
+				add(simpleSlice),
+				add(inUseClaim),
+				add(podWithClaimName),
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{simpleSlice},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim}},
+			},
+		},
+		"no-evict-no-taint-update": {
+			initialState: state{
+				pods:            []*v1.Pod{podWithClaimName},
+				slices:          []*resourceapi.ResourceSlice{simpleSlice},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim}},
+			},
+			events: []any{
+				update(simpleSlice, simpleSlice),
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{simpleSlice},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim}},
+			},
+		},
+		"no-evict-pod-resourceclaimtemplate-no-status": {
+			events: []any{
+				add(sliceTainted),
+				add(slice2),
+				add(inUseClaim),
+				add(podWithClaimTemplate),
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+			},
+		},
+		"no-evict-pod-resourceclaimtemplate-no-claim": {
+			// It doesn't make sense to have a claim generated for the pod and
+			// then have no claim listed for the pod, but for the sake of completeness...
+			events: []any{
+				add(sliceTainted),
+				add(slice2),
+				add(inUseClaim),
+				add(podWithClaimTemplateNoClaimInStatus),
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+			},
+		},
+		"no-evict-unknown-device": {
+			events: []any{
+				add(sliceUnknownDevices),
+				add(slice2),
+				add(inUseClaim),
+				add(podWithClaimTemplateInStatus),
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{sliceUnknownDevices, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim}},
+			},
+		},
+		"no-evict-wrong-pod": {
+			events: []any{
+				add(sliceTainted),
+				add(slice2),
+				add(inUseClaim),
+				add(podWithClaimNameOther),
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+			},
+		},
+		"evict-wrong-pod-replaced": {
+			initialState: state{
+				pods:            []*v1.Pod{podWithClaimNameOther},
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+			},
+			events: []any{
+				[]any{remove(podWithClaimNameOther), add(podWithClaimName)},
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+				evicting:        []evictAt{{newObject(podWithClaimName), taintTime.Time}},
+			},
+		},
+		"cancel-eviction-remove-taint": {
+			initialState: state{
+				pods:            []*v1.Pod{podWithClaimTemplateInStatus},
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+				evicting:        []evictAt{{newObject(podWithClaimTemplateInStatus), taintTime.Time}},
+			},
+			events: []any{
+				update(sliceTainted, slice),
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{slice, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim}},
+			},
+			wantEvents: []*v1.Event{cancelPodEviction},
+		},
+		"cancel-eviction-reduce-taint": {
+			initialState: state{
+				pods:            []*v1.Pod{podWithClaimTemplateInStatus},
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+				evicting:        []evictAt{{newObject(podWithClaimTemplateInStatus), taintTime.Time}},
+			},
+			events: []any{
+				update(sliceTainted, sliceTaintedNoSchedule),
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{sliceTaintedNoSchedule, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim}},
+			},
+			wantEvents: []*v1.Event{cancelPodEviction},
+		},
+		"eviction-change-taint": {
+			initialState: state{
+				pods:            []*v1.Pod{podWithClaimTemplateInStatus},
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaimWithToleration, evictionTime: &metav1.Time{Time: taintTime.Add(tolerationDuration)}}},
+				evicting:        []evictAt{{newObject(podWithClaimTemplateInStatus), taintTime.Time.Add(tolerationDuration)}},
+			},
+			events: []any{
+				// Going from a taint which is tolerated for 60 seconds to one which isn't.
+				update(sliceTainted, sliceTaintedValueOther),
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{sliceTaintedValueOther, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaimWithToleration, evictionTime: &taintTime}},
+				evicting:        []evictAt{{newObject(podWithClaimTemplateInStatus), taintTime.Time}},
+			},
+		},
+		"cancel-eviction-remove-taint-in-new-slice": {
+			initialState: state{
+				pods:            []*v1.Pod{podWithClaimTemplateInStatus},
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+				evicting:        []evictAt{{newObject(podWithClaimTemplateInStatus), taintTime.Time}},
+			},
+			events: []any{
+				// This moves the in-use device from one slice to another and removes the taint at the same time.
+				remove(sliceTainted),
+				add(sliceReplaced),
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{sliceReplaced, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim}},
+			},
+			wantEvents: []*v1.Event{cancelPodEviction},
+		},
+		"cancel-eviction-remove-slice": {
+			initialState: state{
+				pods:            []*v1.Pod{podWithClaimTemplateInStatus},
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+				evicting:        []evictAt{{newObject(podWithClaimTemplateInStatus), taintTime.Time}},
+			},
+			events: []any{
+				remove(sliceTainted),
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim}},
+			},
+			wantEvents: []*v1.Event{cancelPodEviction},
+		},
+		"cancel-eviction-pod-deletion": {
+			initialState: state{
+				pods:   []*v1.Pod{podWithClaimName},
+				slices: []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: func() *resourceapi.ResourceClaim {
+					claim := inUseClaim.DeepCopy()
+					claim.Status.Allocation.Devices.Results[0].Tolerations = []resourceapi.DeviceToleration{{
+						Operator:          resourceapi.DeviceTolerationOpExists,
+						Effect:            resourceapi.DeviceTaintEffectNoExecute,
+						TolerationSeconds: ptr.To(int64(60)),
+					}}
+					return claim
+				}(), evictionTime: &metav1.Time{Time: taintTime.Add(60 * time.Second)}}},
+				evicting: []evictAt{{newObject(podWithClaimName), taintTime.Time.Add(60 * time.Second)}},
+			},
+			events: []any{
+				remove(podWithClaimName),
+			},
+			finalState: state{
+				slices: []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: func() *resourceapi.ResourceClaim {
+					claim := inUseClaim.DeepCopy()
+					claim.Status.Allocation.Devices.Results[0].Tolerations = []resourceapi.DeviceToleration{{
+						Operator:          resourceapi.DeviceTolerationOpExists,
+						Effect:            resourceapi.DeviceTaintEffectNoExecute,
+						TolerationSeconds: ptr.To(int64(60)),
+					}}
+					return claim
+				}(), evictionTime: &metav1.Time{Time: taintTime.Add(60 * time.Second)}}},
+			},
+		},
+		"no-evict-wrong-resourceclaim": {
+			events: []any{
+				add(sliceTainted),
+				add(slice2),
+				add(inUseClaimOld), // pod not the owner
+				add(podWithClaimTemplateInStatus),
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaimOld, evictionTime: &taintTime}},
+			},
+		},
+		"evict-wrong-resourceclaim-replaced": {
+			initialState: state{
+				pods:            []*v1.Pod{podWithClaimTemplateInStatus},
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaimOld, evictionTime: &taintTime}},
+			},
+			events: []any{
+				update(inUseClaimOld, inUseClaim),
+			},
+			finalState: state{
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+				evicting:        []evictAt{{newObject(podWithClaimTemplateInStatus), taintTime.Time}},
+			},
+		},
+		"no-evict-resourceclaim-deallocated": {
+			initialState: state{
+				pods:            []*v1.Pod{podWithClaimTemplateInStatus},
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+				evicting:        []evictAt{{newObject(podWithClaimTemplateInStatus), taintTime.Time}},
+			},
+			events: []any{
+				// This removes the allocation while the pod is scheduled.
+				// The normal situation for this is when the pod has terminated.
+				// The abnormal one is a forced status update, which is similar
+				// to a forced removal.
+				//
+				// It is debatable whether controller should try to "fix" the
+				// cluster in those abnormal situations by evicting the pod.
+				// Currently it doesn't because that is not it's job and
+				// could cause problems by itself if not done carefully,
+				// like killing a pod that still can run.
+				update(inUseClaim, claim),
+			},
+			finalState: state{
+				slices: []*resourceapi.ResourceSlice{sliceTainted, slice2},
+			},
+			wantEvents: []*v1.Event{cancelPodEviction},
+		},
+		"no-evict-resourceclaim-deleted": {
+			initialState: state{
+				pods:            []*v1.Pod{podWithClaimTemplateInStatus},
+				slices:          []*resourceapi.ResourceSlice{sliceTainted, slice2},
+				allocatedClaims: []allocatedClaim{{ResourceClaim: inUseClaim, evictionTime: &taintTime}},
+				evicting:        []evictAt{{newObject(podWithClaimTemplateInStatus), taintTime.Time}},
+			},
+			events: []any{
+				// Same as for "no-evict-resourceclaim-deallocated" this can be normal
+				// (pod has terminated) and abnormal (force-delete).
+				remove(inUseClaim),
+			},
+			finalState: state{
+				slices: []*resourceapi.ResourceSlice{sliceTainted, slice2},
+			},
+			wantEvents: []*v1.Event{cancelPodEviction},
+		},
+	} {
+		t.Run(name, func(t *testing.T) {
+			numEvents := len(tc.events)
+			if numEvents <= 1 {
+				// No permutations.
+				tContext := setup(t)
+				testHandlers(tContext, tc)
+				return
+			}
+
+			permutation := make([]int, numEvents)
+			var permutate func(depth int)
+			permutate = func(depth int) {
+				if depth >= numEvents {
+					// Define a sub-test which runs the current permutation of events.
+					events := make([]any, numEvents)
+					for i := 0; i < numEvents; i++ {
+						events[i] = tc.events[permutation[i]]
+					}
+					tc := tc
+					tc.events = events
+					name := strings.Trim(fmt.Sprintf("%v", permutation), "[]")
+					t.Run(name, func(t *testing.T) {
+						tContext := setup(t)
+						testHandlers(tContext, tc)
+					})
+					return
+				}
+				for i := 0; i < numEvents; i++ {
+					if slices.Index(permutation[0:depth], i) != -1 {
+						// Already taken.
+						continue
+					}
+					// Pick it for the current position in permutation,
+					// continue with next position.
+					permutation[depth] = i
+					permutate(depth + 1)
+				}
+			}
+			permutate(0)
+		})
+	}
+}
+
+func testHandlers(tContext *testContext, tc testCase) {
+	// Shallow copy of slice and maps is sufficient for now.
+	tContext.evicting = slices.Clone(tc.initialState.evicting)
+	tContext.allocatedClaims = tc.initialState.allocatedClaimsAsMap()
+	tContext.pools = tc.initialState.slicesAsMap()
+
+	// Pods are the only items which get retrieved from the informer cache,
+	// so for those (and only those) we have to keep the store up-to-date.
+	store := tContext.informerFactory.Core().V1().Pods().Informer().GetStore()
+	for _, pod := range tc.initialState.pods {
+		tContext.ExpectNoError(store.Add(pod))
+	}
+
+	for _, event := range tc.events {
+		switch event := event.(type) {
+		case []any:
+			for _, event := range event {
+				applyEventPair(tContext, event)
+			}
+		default:
+			applyEventPair(tContext, event)
+		}
+	}
+
+	// Use nil instead of empty map or slice to avoid nil vs. empty differences.
+	if len(tContext.evicting) == 0 {
+		tContext.evicting = nil
+	}
+	if len(tContext.recorder.Events) == 0 {
+		tContext.recorder.Events = nil
+	}
+	assert.Equal(tContext, tc.finalState.evicting, tContext.evicting, "evicting pods")
+	assert.Equal(tContext, tc.finalState.allocatedClaimsAsMap(), tContext.allocatedClaims, "allocated claims")
+	if !assert.Equal(tContext, tc.finalState.slicesAsMap(), tContext.pools, "pools") {
+		for key := range tContext.pools {
+			assert.Equal(tContext, tc.finalState.slicesAsMap()[key], tContext.pools[key], "pool")
+		}
+	}
+	if diff := cmp.Diff(tc.wantEvents, tContext.recorder.Events, cmpopts.IgnoreTypes(metav1.ObjectMeta{}, metav1.Time{})); diff != "" {
+		tContext.Errorf("unexpected events (-want, +got):\n%s", diff)
+	}
+}
+
+func applyEventPair(tContext *testContext, event any) {
+	store := tContext.informerFactory.Core().V1().Pods().Informer().GetStore()
+
+	switch pair := event.(type) {
+	case [2]*resourceapi.ResourceSlice:
+		tContext.handleSliceChange(pair[0], pair[1])
+	case [2]*resourceapi.ResourceClaim:
+		tContext.handleClaimChange(pair[0], pair[1])
+	case [2]*v1.Pod:
+		switch {
+		case pair[0] != nil && pair[1] != nil:
+			tContext.ExpectNoError(store.Update(pair[1]))
+		case pair[0] != nil:
+			tContext.ExpectNoError(store.Delete(pair[0]))
+		default:
+			tContext.ExpectNoError(store.Add(pair[1]))
+		}
+		tContext.handlePodChange(pair[0], pair[1])
+	default:
+		tContext.Fatalf("unexpected event type %T", event)
+	}
+}
+
+func startTestController(tCtx ktesting.TContext, informerFactory informers.SharedInformerFactory) *Controller {
+	controller := New(tCtx.Client(),
+		informerFactory.Core().V1().Pods(),
+		informerFactory.Resource().V1beta1().ResourceClaims(),
+		informerFactory.Resource().V1beta1().ResourceSlices(),
+		informerFactory.Resource().V1alpha3().DeviceTaintRules(),
+		informerFactory.Resource().V1beta1().DeviceClasses(),
+		"device-taint-eviction",
+	)
+	controller.metrics = metrics.New(300 /* one large initial bucket for testing */)
+	// Always log, not matter what the -v value is.
+	logger := klog.FromContext(tCtx)
+	controller.eventLogger = &logger
+	informerFactory.Start(tCtx.Done())
+	return controller
+}
+
+func testPodDeletionsMetrics(controller *Controller, total int) error {
+	// We cannot predict the sum of the latencies. Therefore we leave it at zero here
+	// and replace expected (>= 0) values when gathering.
+	expectedMetric := fmt.Sprintf(`# HELP device_taint_eviction_controller_pod_deletion_duration_seconds [ALPHA] Latency, in seconds, between the time when a device taint effect has been activated and a Pod's deletion via DeviceTaintEvictionController.
+# TYPE device_taint_eviction_controller_pod_deletion_duration_seconds histogram
+device_taint_eviction_controller_pod_deletion_duration_seconds_bucket{le="300"} %[1]d
+device_taint_eviction_controller_pod_deletion_duration_seconds_bucket{le="+Inf"} %[1]d
+device_taint_eviction_controller_pod_deletion_duration_seconds_sum 0
+device_taint_eviction_controller_pod_deletion_duration_seconds_count %[1]d
+# HELP device_taint_eviction_controller_pod_deletions_total [ALPHA] Total number of Pods deleted by DeviceTaintEvictionController since its start.
+# TYPE device_taint_eviction_controller_pod_deletions_total counter
+device_taint_eviction_controller_pod_deletions_total %[1]d
+`, total)
+	names := []string{
+		controller.metrics.PodDeletionsTotal.FQName(),
+		controller.metrics.PodDeletionsLatency.FQName(),
+	}
+	gather := func() ([]*dto.MetricFamily, error) {
+		got, err := controller.metrics.Gather()
+		for _, mf := range got {
+			for _, m := range mf.Metric {
+				if m.Histogram == nil || m.Histogram.SampleSum == nil || *m.Histogram.SampleSum < 0 {
+					continue
+				}
+				m.Histogram.SampleSum = ptr.To(float64(0))
+			}
+		}
+		return got, err
+	}
+
+	return metricstestutil.GatherAndCompare(prometheus.GathererFunc(gather), strings.NewReader(expectedMetric), names...)
+}
+
+// TestEviction runs through the full flow of starting the controller and evicting one pod.
+// This scenario is the same as "evict-pod-resourceclaim" above. It also covers all
+// event handlers by leading to the same end state through several different combinations
+// of initial objects and add/update/delete calls.
+func TestEviction(t *testing.T) {
+	tCtx := ktesting.Init(t)
+	tCtx.Parallel()
+
+	pod := podWithClaimName.DeepCopy()
+	for name, tt := range map[string]struct {
+		initialObjects []runtime.Object
+		afterSync      func(tCtx ktesting.TContext)
+	}{
+		"initial": {
+			initialObjects: []runtime.Object{
+				sliceTainted,
+				inUseClaim,
+				pod,
+			},
+		},
+		"add": {
+			afterSync: func(tCtx ktesting.TContext) {
+				var err error
+				_, err = tCtx.Client().CoreV1().Pods(pod.Namespace).Create(tCtx, pod, metav1.CreateOptions{})
+				require.NoError(tCtx, err, "create pod")
+				_, err = tCtx.Client().ResourceV1beta1().ResourceSlices().Create(tCtx, sliceTainted, metav1.CreateOptions{})
+				require.NoError(tCtx, err, "create slice")
+				_, err = tCtx.Client().ResourceV1beta1().ResourceClaims(inUseClaim.Namespace).Create(tCtx, inUseClaim, metav1.CreateOptions{})
+				require.NoError(tCtx, err, "create claim")
+			},
+		},
+		"update": {
+			initialObjects: []runtime.Object{
+				slice,
+				claim,
+				func() *v1.Pod {
+					pod := pod.DeepCopy()
+					pod.Spec.NodeName = ""
+					return pod
+				}(),
+			},
+			afterSync: func(tCtx ktesting.TContext) {
+				var err error
+				_, err = tCtx.Client().CoreV1().Pods(pod.Namespace).Update(tCtx, pod, metav1.UpdateOptions{})
+				require.NoError(tCtx, err, "update pod")
+				_, err = tCtx.Client().ResourceV1beta1().ResourceSlices().Update(tCtx, sliceTainted, metav1.UpdateOptions{})
+				require.NoError(tCtx, err, "update slice")
+				_, err = tCtx.Client().ResourceV1beta1().ResourceClaims(inUseClaim.Namespace).UpdateStatus(tCtx, inUseClaim, metav1.UpdateOptions{})
+				require.NoError(tCtx, err, "update claim")
+			},
+		},
+		"delete": {
+			initialObjects: []runtime.Object{
+				sliceTainted,
+				func() *resourceapi.ResourceSlice {
+					// This has a higher generation and thus "shadows" sliceTainted until it gets removed.
+					slice := slice.DeepCopy()
+					slice.Name += "-other"
+					slice.Spec.Pool.Generation += 100
+					return slice
+				}(),
+				claim,
+				pod,
+			},
+			afterSync: func(tCtx ktesting.TContext) {
+				var err error
+
+				err = tCtx.Client().ResourceV1beta1().ResourceSlices().Delete(tCtx, slice.Name+"-other", metav1.DeleteOptions{})
+				require.NoError(tCtx, err, "delete slice")
+				err = tCtx.Client().ResourceV1beta1().ResourceClaims(inUseClaim.Namespace).Delete(tCtx, inUseClaim.Name, metav1.DeleteOptions{})
+				require.NoError(tCtx, err, "delete claim")
+
+				// Re-create after deletion to enabled the normal flow.
+				_, err = tCtx.Client().ResourceV1beta1().ResourceClaims(inUseClaim.Namespace).Create(tCtx, inUseClaim, metav1.CreateOptions{})
+				require.NoError(tCtx, err, "create claim")
+			},
+		},
+	} {
+		tCtx.Run(name, func(tCtx ktesting.TContext) {
+			tCtx.Parallel()
+			fakeClientset := fake.NewSimpleClientset(tt.initialObjects...)
+			tCtx = ktesting.WithClients(tCtx, nil, nil, fakeClientset, nil, nil)
+
+			var mutex sync.Mutex
+			var podUpdates int
+			var updatedPod *v1.Pod
+			var podDeletions int
+
+			fakeClientset.PrependReactor("patch", "pods", func(action core.Action) (handled bool, ret runtime.Object, err error) {
+				mutex.Lock()
+				defer mutex.Unlock()
+				podUpdates++
+				podName := action.(core.PatchAction).GetName()
+				assert.Equal(t, podWithClaimName.Name, podName, "name of patched pod")
+				return false, nil, nil
+			})
+			fakeClientset.PrependReactor("delete", "pods", func(action core.Action) (handled bool, ret runtime.Object, err error) {
+				mutex.Lock()
+				defer mutex.Unlock()
+				podDeletions++
+				podName := action.(core.DeleteAction).GetName()
+				assert.Equal(t, podWithClaimName.Name, podName, "name of deleted pod")
+				obj, err := fakeClientset.Tracker().Get(v1.SchemeGroupVersion.WithResource("pods"), pod.Namespace, pod.Name)
+				require.NoError(tCtx, err)
+				updatedPod = obj.(*v1.Pod)
+				return false, nil, nil
+			})
+			informerFactory := informers.NewSharedInformerFactory(fakeClientset, 0)
+			controller := startTestController(tCtx, informerFactory)
+			defer informerFactory.Shutdown()
+
+			var wg sync.WaitGroup
+			defer func() {
+				tCtx.Log("Waiting for goroutine termination...")
+				tCtx.Cancel("time to stop")
+				wg.Wait()
+			}()
+			wg.Add(1)
+			go func() {
+				defer wg.Done()
+				controller.Run(tCtx)
+			}()
+
+			// Eventually the controller should have synced it's informers.
+			require.Eventually(tCtx, func() bool {
+				return controller.hasSynced.Load() > 0
+			}, 30*time.Second, time.Millisecond, "controller synced")
+			if tt.afterSync != nil {
+				tt.afterSync(tCtx)
+			}
+
+			// Eventually the pod gets deleted (= evicted).
+			assert.Eventually(tCtx, func() bool {
+				_, err := fakeClientset.CoreV1().Pods(pod.Namespace).Get(tCtx, pod.Name, metav1.GetOptions{})
+				return apierrors.IsNotFound(err)
+			}, 30*time.Second, time.Millisecond, "pod evicted")
+
+			pod := pod.DeepCopy()
+			pod.Status.Conditions = []v1.PodCondition{{
+				Type:    v1.DisruptionTarget,
+				Status:  v1.ConditionTrue,
+				Reason:  "DeletionByDeviceTaintManager",
+				Message: "Device Taint manager: deleting due to NoExecute taint",
+			}}
+			if diff := cmp.Diff(pod, updatedPod, cmpopts.IgnoreTypes(metav1.Time{})); diff != "" {
+				tCtx.Errorf("unexpected modified pod (-want, +got):\n%s", diff)
+			}
+
+			// Shortly after deletion we should also see updated metrics.
+			// This is the last thing the controller does for a pod.
+			ktesting.Eventually(tCtx, func(tCtx ktesting.TContext) error {
+				return testPodDeletionsMetrics(controller, 1)
+			}).WithTimeout(30*time.Second).Should(gomega.Succeed(), "pod eviction done")
+
+			// We also don't want any other events, in particular not a cancellation event
+			// because the pod deletion was observed or another occurrence of the same event.
+			ktesting.Consistently(tCtx, func(tCtx ktesting.TContext) error {
+				mutex.Lock()
+				defer mutex.Unlock()
+				assert.Equal(tCtx, 1, podUpdates, "number of pod update calls")
+				assert.Equal(tCtx, 1, podDeletions, "number of pod delete calls")
+				gomega.NewWithT(tCtx).Expect(listEvents(tCtx)).Should(matchDeletionEvent())
+				tCtx.ExpectNoError(testPodDeletionsMetrics(controller, 1))
+				return nil
+			}).WithTimeout(5 * time.Second).Should(gomega.Succeed())
+		})
+	}
+}
+
+// TestCancelEviction deletes the pod before the controller deletes it
+// or removes the slice. Either way, eviction gets cancelled.
+func TestCancelEviction(t *testing.T) {
+	tCtx := ktesting.Init(t)
+	tCtx.Parallel()
+
+	tCtx.Run("pod-deleted", func(tCtx ktesting.TContext) { testCancelEviction(tCtx, true) })
+	tCtx.Run("slice-deleted", func(tCtx ktesting.TContext) { testCancelEviction(tCtx, false) })
+}
+
+func testCancelEviction(tCtx ktesting.TContext, deletePod bool) {
+	// The claim tolerates the taint long enough for us to
+	// do something which cancels eviction.
+	pod := podWithClaimName.DeepCopy()
+	slice := sliceTainted.DeepCopy()
+	slice.Spec.Devices[0].Basic.Taints[0].TimeAdded = &metav1.Time{Time: time.Now()}
+	claim := inUseClaim.DeepCopy()
+	claim.Status.Allocation.Devices.Results[0].Tolerations = []resourceapi.DeviceToleration{{
+		Operator:          resourceapi.DeviceTolerationOpExists,
+		Effect:            resourceapi.DeviceTaintEffectNoExecute,
+		TolerationSeconds: ptr.To(int64(60)),
+	}}
+	fakeClientset := fake.NewSimpleClientset(
+		slice,
+		claim,
+		pod,
+	)
+	tCtx = ktesting.WithClients(tCtx, nil, nil, fakeClientset, nil, nil)
+
+	pod, err := fakeClientset.CoreV1().Pods(pod.Namespace).Get(tCtx, pod.Name, metav1.GetOptions{})
+	require.NoError(tCtx, err, "get pod before eviction")
+	assert.Equal(tCtx, podWithClaimName, pod, "test pod")
+
+	informerFactory := informers.NewSharedInformerFactory(fakeClientset, 0)
+	controller := startTestController(tCtx, informerFactory)
+	defer informerFactory.Shutdown()
+
+	var mutex sync.Mutex
+	podEvicting := false
+	controller.evictPod = func(podRef tainteviction.NamespacedObject, fireAt time.Time) {
+		assert.Equal(tCtx, newObject(pod), podRef)
+		mutex.Lock()
+		defer mutex.Unlock()
+		podEvicting = true
+	}
+	controller.cancelEvict = func(podRef tainteviction.NamespacedObject) bool {
+		assert.Equal(tCtx, newObject(pod), podRef)
+		mutex.Lock()
+		defer mutex.Unlock()
+		podEvicting = false
+		return false
+	}
+
+	var wg sync.WaitGroup
+	defer func() {
+		tCtx.Log("Waiting for goroutine termination...")
+		tCtx.Cancel("time to stop")
+		wg.Wait()
+	}()
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		controller.Run(tCtx)
+	}()
+
+	// Eventually the pod gets scheduled for eviction.
+	ktesting.Eventually(tCtx, func(tCtx ktesting.TContext) bool {
+		mutex.Lock()
+		defer mutex.Unlock()
+		return podEvicting
+	}).WithTimeout(30 * time.Second).Should(gomega.BeTrueBecause("pod pending eviction"))
+
+	// Now we can delete the pod or slice.
+	if deletePod {
+		tCtx.ExpectNoError(fakeClientset.CoreV1().Pods(pod.Namespace).Delete(tCtx, pod.Name, metav1.DeleteOptions{}))
+	} else {
+		tCtx.ExpectNoError(fakeClientset.ResourceV1beta1().ResourceSlices().Delete(tCtx, slice.Name, metav1.DeleteOptions{}))
+	}
+
+	// Shortly after deletion we should also see the cancellation.
+	ktesting.Eventually(tCtx, func(tCtx ktesting.TContext) bool {
+		mutex.Lock()
+		defer mutex.Unlock()
+		return podEvicting
+	}).WithTimeout(30 * time.Second).Should(gomega.BeFalseBecause("pod no longer pending eviction"))
+
+	// Whether we get an event depends on whether the pod still exists.
+	ktesting.Consistently(tCtx, func(tCtx ktesting.TContext) error {
+		matchEvents := matchCancellationEvent()
+		if deletePod {
+			matchEvents = gomega.BeEmpty()
+		}
+		gomega.NewWithT(tCtx).Expect(listEvents(tCtx)).Should(matchEvents)
+		tCtx.ExpectNoError(testPodDeletionsMetrics(controller, 0))
+		return nil
+	}).WithTimeout(5 * time.Second).Should(gomega.Succeed())
+}
+
+// TestParallelPodDeletion covers the scenario that a pod gets deleted right before
+// trying to evict it.
+func TestParallelPodDeletion(t *testing.T) {
+	tCtx := ktesting.Init(t)
+	tCtx.Parallel()
+
+	// This scenario is the same as "evict-pod-resourceclaim" above.
+	pod := podWithClaimName.DeepCopy()
+	fakeClientset := fake.NewSimpleClientset(
+		sliceTainted,
+		slice2,
+		inUseClaim,
+		pod,
+	)
+	tCtx = ktesting.WithClients(tCtx, nil, nil, fakeClientset, nil, nil)
+
+	pod, err := fakeClientset.CoreV1().Pods(pod.Namespace).Get(tCtx, pod.Name, metav1.GetOptions{})
+	require.NoError(tCtx, err, "get pod before eviction")
+	assert.Equal(tCtx, podWithClaimName, pod, "test pod")
+
+	var mutex sync.Mutex
+	var podGets int
+	var podDeletions int
+
+	fakeClientset.PrependReactor("get", "pods", func(action core.Action) (handled bool, ret runtime.Object, err error) {
+		mutex.Lock()
+		defer mutex.Unlock()
+		podGets++
+		podName := action.(core.GetAction).GetName()
+		assert.Equal(t, podWithClaimName.Name, podName, "name of patched pod")
+
+		// This gets called directly before eviction. Pretend that it is deleted.
+		err = fakeClientset.Tracker().Delete(v1.SchemeGroupVersion.WithResource("pods"), pod.Namespace, pod.Name)
+		assert.NoError(tCtx, err, "delete pod") //nolint:testifylint // Here recording an unknown error and continuing is okay.
+		return true, nil, apierrors.NewNotFound(v1.SchemeGroupVersion.WithResource("pods").GroupResource(), pod.Name)
+	})
+	fakeClientset.PrependReactor("delete", "pods", func(action core.Action) (handled bool, ret runtime.Object, err error) {
+		mutex.Lock()
+		defer mutex.Unlock()
+		podDeletions++
+		podName := action.(core.DeleteAction).GetName()
+		assert.Equal(t, podWithClaimName.Name, podName, "name of deleted pod")
+		return false, nil, nil
+	})
+	informerFactory := informers.NewSharedInformerFactory(fakeClientset, 0)
+	controller := startTestController(tCtx, informerFactory)
+	defer informerFactory.Shutdown()
+
+	var wg sync.WaitGroup
+	defer func() {
+		tCtx.Log("Waiting for goroutine termination...")
+		tCtx.Cancel("time to stop")
+		wg.Wait()
+	}()
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		controller.Run(tCtx)
+	}()
+
+	// Eventually the pod gets deleted, in this test by us.
+	assert.Eventually(tCtx, func() bool {
+		mutex.Lock()
+		defer mutex.Unlock()
+		return podGets >= 1
+	}, 30*time.Second, time.Millisecond, "pod eviction started")
+
+	// We don't want any events.
+	ktesting.Consistently(tCtx, func(tCtx ktesting.TContext) error {
+		mutex.Lock()
+		defer mutex.Unlock()
+		assert.Equal(tCtx, 1, podGets, "number of pod get calls")
+		assert.Equal(tCtx, 0, podDeletions, "number of pod delete calls")
+		gomega.NewWithT(tCtx).Expect(listEvents(tCtx)).Should(gomega.BeEmpty())
+		tCtx.ExpectNoError(testPodDeletionsMetrics(controller, 0))
+		return nil
+	}).WithTimeout(5 * time.Second).Should(gomega.Succeed())
+}
+
+// TestRetry covers the scenario that an eviction attempt must be retried.
+func TestRetry(t *testing.T) {
+	tCtx := ktesting.Init(t)
+	tCtx.Parallel()
+
+	// This scenario is the same as "evict-pod-resourceclaim" above.
+	pod := podWithClaimName.DeepCopy()
+	fakeClientset := fake.NewSimpleClientset(
+		sliceTainted,
+		slice2,
+		inUseClaim,
+		pod,
+	)
+	tCtx = ktesting.WithClients(tCtx, nil, nil, fakeClientset, nil, nil)
+
+	pod, err := fakeClientset.CoreV1().Pods(pod.Namespace).Get(tCtx, pod.Name, metav1.GetOptions{})
+	require.NoError(tCtx, err, "get pod before eviction")
+	assert.Equal(tCtx, podWithClaimName, pod, "test pod")
+
+	var mutex sync.Mutex
+	var podGets int
+	var podDeletions int
+
+	fakeClientset.PrependReactor("get", "pods", func(action core.Action) (handled bool, ret runtime.Object, err error) {
+		mutex.Lock()
+		defer mutex.Unlock()
+		podGets++
+		podName := action.(core.GetAction).GetName()
+		assert.Equal(t, podWithClaimName.Name, podName, "name of patched pod")
+
+		// This gets called directly before eviction. Pretend that there is an intermittent error.
+		if podGets == 1 {
+			return true, nil, apierrors.NewInternalError(errors.New("fake error"))
+		}
+		return false, nil, nil
+	})
+	fakeClientset.PrependReactor("delete", "pods", func(action core.Action) (handled bool, ret runtime.Object, err error) {
+		mutex.Lock()
+		defer mutex.Unlock()
+		podDeletions++
+		podName := action.(core.DeleteAction).GetName()
+		assert.Equal(t, podWithClaimName.Name, podName, "name of deleted pod")
+		return false, nil, nil
+	})
+	informerFactory := informers.NewSharedInformerFactory(fakeClientset, 0)
+	controller := startTestController(tCtx, informerFactory)
+	defer informerFactory.Shutdown()
+
+	var wg sync.WaitGroup
+	defer func() {
+		t.Log("Waiting for goroutine termination...")
+		tCtx.Cancel("time to stop")
+		wg.Wait()
+	}()
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		controller.Run(tCtx)
+	}()
+
+	// Eventually the pod gets deleted.
+	ktesting.Eventually(tCtx, func(tCtx ktesting.TContext) error {
+		return testPodDeletionsMetrics(controller, 1)
+	}).WithTimeout(30*time.Second).Should(gomega.Succeed(), "pod eviction done")
+
+	// Now we can check the API calls.
+	ktesting.Consistently(tCtx, func(tCtx ktesting.TContext) error {
+		mutex.Lock()
+		defer mutex.Unlock()
+		assert.Equal(tCtx, 2, podGets, "number of pod get calls")
+		assert.Equal(tCtx, 1, podDeletions, "number of pod delete calls")
+		gomega.NewWithT(tCtx).Expect(listEvents(tCtx)).Should(matchDeletionEvent())
+		tCtx.ExpectNoError(testPodDeletionsMetrics(controller, 1))
+		return nil
+	}).WithTimeout(5 * time.Second).Should(gomega.Succeed())
+}
+
+// TestRetry covers the scenario that an eviction attempt fails.
+func TestEvictionFailure(t *testing.T) {
+	tCtx := ktesting.Init(t)
+	tCtx.Parallel()
+
+	// This scenario is the same as "evict-pod-resourceclaim" above.
+	pod := podWithClaimName.DeepCopy()
+	fakeClientset := fake.NewSimpleClientset(
+		sliceTainted,
+		slice2,
+		inUseClaim,
+		pod,
+	)
+	tCtx = ktesting.WithClients(tCtx, nil, nil, fakeClientset, nil, nil)
+
+	pod, err := fakeClientset.CoreV1().Pods(pod.Namespace).Get(tCtx, pod.Name, metav1.GetOptions{})
+	require.NoError(tCtx, err, "get pod before eviction")
+	assert.Equal(tCtx, podWithClaimName, pod, "test pod")
+
+	var mutex sync.Mutex
+	var podGets int
+	var podDeletions int
+
+	fakeClientset.PrependReactor("get", "pods", func(action core.Action) (handled bool, ret runtime.Object, err error) {
+		mutex.Lock()
+		defer mutex.Unlock()
+		podGets++
+		podName := action.(core.GetAction).GetName()
+		assert.Equal(t, podWithClaimName.Name, podName, "name of patched pod")
+		return false, nil, nil
+	})
+	fakeClientset.PrependReactor("delete", "pods", func(action core.Action) (handled bool, ret runtime.Object, err error) {
+		mutex.Lock()
+		defer mutex.Unlock()
+		podDeletions++
+		podName := action.(core.DeleteAction).GetName()
+		assert.Equal(t, podWithClaimName.Name, podName, "name of deleted pod")
+		return true, nil, apierrors.NewInternalError(errors.New("fake error"))
+	})
+	informerFactory := informers.NewSharedInformerFactory(fakeClientset, 0)
+	controller := startTestController(tCtx, informerFactory)
+	defer informerFactory.Shutdown()
+
+	var wg sync.WaitGroup
+	defer func() {
+		t.Log("Waiting for goroutine termination...")
+		tCtx.Cancel("time to stop")
+		wg.Wait()
+	}()
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		controller.Run(tCtx)
+	}()
+
+	// Eventually deletion is attempted a few times.
+	assert.Eventually(tCtx, func() bool {
+		mutex.Lock()
+		defer mutex.Unlock()
+		return podDeletions >= retries
+	}, 30*time.Second, time.Millisecond, "pod eviction failed")
+
+	// Now we can check the API calls.
+	ktesting.Consistently(tCtx, func(tCtx ktesting.TContext) error {
+		mutex.Lock()
+		defer mutex.Unlock()
+		assert.Equal(tCtx, retries, podGets, "number of pod get calls")
+		assert.Equal(tCtx, retries, podDeletions, "number of pod delete calls")
+		gomega.NewWithT(tCtx).Expect(listEvents(tCtx)).Should(matchDeletionEvent())
+		tCtx.ExpectNoError(testPodDeletionsMetrics(controller, 0))
+		return nil
+	}).WithTimeout(5 * time.Second).Should(gomega.Succeed())
+}
+
+// BenchTaintUntaint checks the full flow of detecting a claim as
+// tainted because of a new DeviceTaintRule, starting to evict its
+// consumer, and then undoing that when the DeviceTaintRule is removed.
+func BenchmarkTaintUntaint(b *testing.B) {
+	tContext := setup(b)
+	podStore := tContext.informerFactory.Core().V1().Pods().Informer().GetStore()
+	// No output, comment out if output is desired.
+	tContext.Controller.eventLogger = nil
+
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		// Add objects...
+		tContext.handleSliceChange(nil, slice)
+		tContext.handleClaimChange(nil, inUseClaimWithToleration)
+		require.NoError(tContext, podStore.Add(podWithClaimName), "add pod")
+		tContext.handlePodChange(nil, podWithClaimName)
+		require.Empty(tContext, tContext.evicting)
+
+		// Now evict.
+		tContext.handleSliceChange(slice, sliceTainted)
+
+		// Because informer event handlers are synchronous, we get the expected result immediately.
+		require.NotEmpty(tContext, tContext.evicting)
+
+		// ... and remove them again.
+		tContext.handleSliceChange(sliceTainted, slice)
+		require.Empty(tContext, tContext.evicting)
+
+		tContext.handlePodChange(podWithClaimName, nil)
+		require.NoError(tContext, podStore.Delete(podWithClaimName), "remove pod")
+		tContext.handleClaimChange(inUseClaimWithToleration, nil)
+		tContext.handleSliceChange(slice, nil)
+	}
+}
diff --git a/pkg/controller/devicetainteviction/doc.go b/pkg/controller/devicetainteviction/doc.go
index aac6640aa28..84157386c6c 100644
--- a/pkg/controller/devicetainteviction/doc.go
+++ b/pkg/controller/devicetainteviction/doc.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2023 The Kubernetes Authors.
+Copyright 2025 The Kubernetes Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -14,6 +14,6 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-// Package tainteviction contains the logic implementing taint-based eviction
-// for Pods running on Nodes with NoExecute taints.
-package tainteviction
+// Package devicetainteviction contains the logic implementing taint-based eviction
+// for Pods using tainted devices (https://github.com/kubernetes/enhancements/issues/5055).
+package devicetainteviction
diff --git a/pkg/controller/devicetainteviction/metrics/metrics.go b/pkg/controller/devicetainteviction/metrics/metrics.go
index 600c22c81e7..977ed70b74b 100644
--- a/pkg/controller/devicetainteviction/metrics/metrics.go
+++ b/pkg/controller/devicetainteviction/metrics/metrics.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2023 The Kubernetes Authors.
+Copyright 2025 The Kubernetes Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -23,30 +23,11 @@ import (
 	"k8s.io/component-base/metrics/legacyregistry"
 )
 
-const taintEvictionControllerSubsystem = "taint_eviction_controller"
+// controllerSubsystem must be kept in sync with the controller name in cmd/kube-controller-manager/names.
+const controllerSubsystem = "device_taint_eviction_controller"
 
 var (
-	// PodDeletionsTotal counts the number of Pods deleted by TaintEvictionController since its start.
-	PodDeletionsTotal = metrics.NewCounter(
-		&metrics.CounterOpts{
-			Subsystem:      taintEvictionControllerSubsystem,
-			Name:           "pod_deletions_total",
-			Help:           "Total number of Pods deleted by TaintEvictionController since its start.",
-			StabilityLevel: metrics.ALPHA,
-		},
-	)
-
-	// PodDeletionsLatency tracks the latency, in seconds, between the time when a taint effect has been activated
-	// for the Pod and its deletion.
-	PodDeletionsLatency = metrics.NewHistogram(
-		&metrics.HistogramOpts{
-			Subsystem:      taintEvictionControllerSubsystem,
-			Name:           "pod_deletion_duration_seconds",
-			Help:           "Latency, in seconds, between the time when a taint effect has been activated for the Pod and its deletion via TaintEvictionController.",
-			Buckets:        []float64{0.005, 0.025, 0.1, 0.5, 1, 2.5, 10, 30, 60, 120, 180, 240}, // 5ms to 4m
-			StabilityLevel: metrics.ALPHA,
-		},
-	)
+	Global = New()
 )
 
 var registerMetrics sync.Once
@@ -54,7 +35,54 @@ var registerMetrics sync.Once
 // Register registers TaintEvictionController metrics.
 func Register() {
 	registerMetrics.Do(func() {
-		legacyregistry.MustRegister(PodDeletionsTotal)
-		legacyregistry.MustRegister(PodDeletionsLatency)
+		legacyregistry.MustRegister(Global.PodDeletionsTotal)
+		legacyregistry.MustRegister(Global.PodDeletionsLatency)
 	})
 }
+
+// New returns new instances of all metrics for testing in parallel.
+// Optionally, buckets for the histograms can be specified.
+func New(buckets ...float64) Metrics {
+	if len(buckets) == 0 {
+		buckets = []float64{0.005, 0.025, 0.1, 0.5, 1, 2.5, 10, 30, 60, 120, 180, 240} // 5ms to 4m
+	}
+	m := Metrics{
+		KubeRegistry: metrics.NewKubeRegistry(),
+		PodDeletionsTotal: metrics.NewCounter(
+			&metrics.CounterOpts{
+				Subsystem:      controllerSubsystem,
+				Name:           "pod_deletions_total",
+				Help:           "Total number of Pods deleted by DeviceTaintEvictionController since its start.",
+				StabilityLevel: metrics.ALPHA,
+			},
+		),
+		PodDeletionsLatency: metrics.NewHistogram(
+			&metrics.HistogramOpts{
+				Subsystem:      controllerSubsystem,
+				Name:           "pod_deletion_duration_seconds",
+				Help:           "Latency, in seconds, between the time when a device taint effect has been activated and a Pod's deletion via DeviceTaintEvictionController.",
+				Buckets:        []float64{0.005, 0.025, 0.1, 0.5, 1, 2.5, 10, 30, 60, 120, 180, 240}, // 5ms to 4m,
+				StabilityLevel: metrics.ALPHA,
+			},
+		),
+	}
+
+	// This has to be done after construction, otherwise ./hack/update-generated-stable-metrics.sh
+	// fails to find the default buckets.
+	if len(buckets) > 0 {
+		m.PodDeletionsLatency.HistogramOpts.Buckets = buckets
+	}
+
+	m.KubeRegistry.MustRegister(m.PodDeletionsTotal, m.PodDeletionsLatency)
+	return m
+}
+
+// Metrics contains all metrics supported by the device taint eviction controller.
+// It implements [metrics.Gatherer].
+type Metrics struct {
+	metrics.KubeRegistry
+	PodDeletionsTotal   *metrics.Counter
+	PodDeletionsLatency *metrics.Histogram
+}
+
+var _ metrics.Gatherer = Metrics{}
diff --git a/pkg/controller/devicetainteviction/taint_eviction.go b/pkg/controller/devicetainteviction/taint_eviction.go
deleted file mode 100644
index 48ab6f0ec51..00000000000
--- a/pkg/controller/devicetainteviction/taint_eviction.go
+++ /dev/null
@@ -1,614 +0,0 @@
-/*
-Copyright 2017 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package tainteviction
-
-import (
-	"context"
-	"fmt"
-	"hash/fnv"
-	"io"
-	"math"
-	"sync"
-	"time"
-
-	v1 "k8s.io/api/core/v1"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/types"
-	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
-	corev1informers "k8s.io/client-go/informers/core/v1"
-	clientset "k8s.io/client-go/kubernetes"
-	"k8s.io/client-go/kubernetes/scheme"
-	v1core "k8s.io/client-go/kubernetes/typed/core/v1"
-	corelisters "k8s.io/client-go/listers/core/v1"
-	"k8s.io/client-go/tools/cache"
-	"k8s.io/client-go/tools/record"
-	"k8s.io/client-go/util/workqueue"
-	"k8s.io/klog/v2"
-	apipod "k8s.io/kubernetes/pkg/api/v1/pod"
-	"k8s.io/kubernetes/pkg/apis/core/helper"
-	v1helper "k8s.io/kubernetes/pkg/apis/core/v1/helper"
-	"k8s.io/kubernetes/pkg/controller/tainteviction/metrics"
-	controllerutil "k8s.io/kubernetes/pkg/controller/util/node"
-	utilpod "k8s.io/kubernetes/pkg/util/pod"
-)
-
-const (
-	// TODO (k82cn): Figure out a reasonable number of workers/channels and propagate
-	// the number of workers up making it a parameter of Run() function.
-
-	// NodeUpdateChannelSize defines the size of channel for node update events.
-	NodeUpdateChannelSize = 10
-	// UpdateWorkerSize defines the size of workers for node update or/and pod update.
-	UpdateWorkerSize     = 8
-	podUpdateChannelSize = 1
-	retries              = 5
-)
-
-type nodeUpdateItem struct {
-	nodeName string
-}
-
-type podUpdateItem struct {
-	podName      string
-	podNamespace string
-	nodeName     string
-}
-
-func hash(val string, max int) int {
-	hasher := fnv.New32a()
-	io.WriteString(hasher, val)
-	return int(hasher.Sum32() % uint32(max))
-}
-
-// GetPodsByNodeNameFunc returns the list of pods assigned to the specified node.
-type GetPodsByNodeNameFunc func(nodeName string) ([]*v1.Pod, error)
-
-// Controller listens to Taint/Toleration changes and is responsible for removing Pods
-// from Nodes tainted with NoExecute Taints.
-type Controller struct {
-	name string
-
-	client                clientset.Interface
-	broadcaster           record.EventBroadcaster
-	recorder              record.EventRecorder
-	podLister             corelisters.PodLister
-	podListerSynced       cache.InformerSynced
-	nodeLister            corelisters.NodeLister
-	nodeListerSynced      cache.InformerSynced
-	getPodsAssignedToNode GetPodsByNodeNameFunc
-
-	taintEvictionQueue *TimedWorkerQueue
-	// keeps a map from nodeName to all noExecute taints on that Node
-	taintedNodesLock sync.Mutex
-	taintedNodes     map[string][]v1.Taint
-
-	nodeUpdateChannels []chan nodeUpdateItem
-	podUpdateChannels  []chan podUpdateItem
-
-	nodeUpdateQueue workqueue.TypedInterface[nodeUpdateItem]
-	podUpdateQueue  workqueue.TypedInterface[podUpdateItem]
-}
-
-func deletePodHandler(c clientset.Interface, emitEventFunc func(types.NamespacedName), controllerName string) func(ctx context.Context, fireAt time.Time, args *WorkArgs) error {
-	return func(ctx context.Context, fireAt time.Time, args *WorkArgs) error {
-		ns := args.NamespacedName.Namespace
-		name := args.NamespacedName.Name
-		klog.FromContext(ctx).Info("Deleting pod", "controller", controllerName, "pod", args.NamespacedName)
-		if emitEventFunc != nil {
-			emitEventFunc(args.NamespacedName)
-		}
-		var err error
-		for i := 0; i < retries; i++ {
-			err = addConditionAndDeletePod(ctx, c, name, ns)
-			if err == nil {
-				metrics.PodDeletionsTotal.Inc()
-				metrics.PodDeletionsLatency.Observe(float64(time.Since(fireAt) * time.Second))
-				break
-			}
-			time.Sleep(10 * time.Millisecond)
-		}
-		return err
-	}
-}
-
-func addConditionAndDeletePod(ctx context.Context, c clientset.Interface, name, ns string) (err error) {
-	pod, err := c.CoreV1().Pods(ns).Get(ctx, name, metav1.GetOptions{})
-	if err != nil {
-		return err
-	}
-	newStatus := pod.Status.DeepCopy()
-	updated := apipod.UpdatePodCondition(newStatus, &v1.PodCondition{
-		Type:    v1.DisruptionTarget,
-		Status:  v1.ConditionTrue,
-		Reason:  "DeletionByTaintManager",
-		Message: "Taint manager: deleting due to NoExecute taint",
-	})
-	if updated {
-		if _, _, _, err := utilpod.PatchPodStatus(ctx, c, pod.Namespace, pod.Name, pod.UID, pod.Status, *newStatus); err != nil {
-			return err
-		}
-	}
-	return c.CoreV1().Pods(ns).Delete(ctx, name, metav1.DeleteOptions{})
-}
-
-func getNoExecuteTaints(taints []v1.Taint) []v1.Taint {
-	result := []v1.Taint{}
-	for i := range taints {
-		if taints[i].Effect == v1.TaintEffectNoExecute {
-			result = append(result, taints[i])
-		}
-	}
-	return result
-}
-
-// getMinTolerationTime returns minimal toleration time from the given slice, or -1 if it's infinite.
-func getMinTolerationTime(tolerations []v1.Toleration) time.Duration {
-	minTolerationTime := int64(math.MaxInt64)
-	if len(tolerations) == 0 {
-		return 0
-	}
-
-	for i := range tolerations {
-		if tolerations[i].TolerationSeconds != nil {
-			tolerationSeconds := *(tolerations[i].TolerationSeconds)
-			if tolerationSeconds <= 0 {
-				return 0
-			} else if tolerationSeconds < minTolerationTime {
-				minTolerationTime = tolerationSeconds
-			}
-		}
-	}
-
-	if minTolerationTime == int64(math.MaxInt64) {
-		return -1
-	}
-	return time.Duration(minTolerationTime) * time.Second
-}
-
-// New creates a new Controller that will use passed clientset to communicate with the API server.
-func New(ctx context.Context, c clientset.Interface, podInformer corev1informers.PodInformer, nodeInformer corev1informers.NodeInformer, controllerName string) (*Controller, error) {
-	logger := klog.FromContext(ctx)
-	metrics.Register()
-	eventBroadcaster := record.NewBroadcaster(record.WithContext(ctx))
-	recorder := eventBroadcaster.NewRecorder(scheme.Scheme, v1.EventSource{Component: controllerName})
-
-	podIndexer := podInformer.Informer().GetIndexer()
-
-	tm := &Controller{
-		name: controllerName,
-
-		client:           c,
-		broadcaster:      eventBroadcaster,
-		recorder:         recorder,
-		podLister:        podInformer.Lister(),
-		podListerSynced:  podInformer.Informer().HasSynced,
-		nodeLister:       nodeInformer.Lister(),
-		nodeListerSynced: nodeInformer.Informer().HasSynced,
-		getPodsAssignedToNode: func(nodeName string) ([]*v1.Pod, error) {
-			objs, err := podIndexer.ByIndex("spec.nodeName", nodeName)
-			if err != nil {
-				return nil, err
-			}
-			pods := make([]*v1.Pod, 0, len(objs))
-			for _, obj := range objs {
-				pod, ok := obj.(*v1.Pod)
-				if !ok {
-					continue
-				}
-				pods = append(pods, pod)
-			}
-			return pods, nil
-		},
-		taintedNodes: make(map[string][]v1.Taint),
-
-		nodeUpdateQueue: workqueue.NewTypedWithConfig(workqueue.TypedQueueConfig[nodeUpdateItem]{Name: "noexec_taint_node"}),
-		podUpdateQueue:  workqueue.NewTypedWithConfig(workqueue.TypedQueueConfig[podUpdateItem]{Name: "noexec_taint_pod"}),
-	}
-	tm.taintEvictionQueue = CreateWorkerQueue(deletePodHandler(c, tm.emitPodDeletionEvent, tm.name))
-
-	_, err := podInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
-		AddFunc: func(obj interface{}) {
-			pod := obj.(*v1.Pod)
-			tm.PodUpdated(nil, pod)
-		},
-		UpdateFunc: func(prev, obj interface{}) {
-			prevPod := prev.(*v1.Pod)
-			newPod := obj.(*v1.Pod)
-			tm.PodUpdated(prevPod, newPod)
-		},
-		DeleteFunc: func(obj interface{}) {
-			pod, isPod := obj.(*v1.Pod)
-			// We can get DeletedFinalStateUnknown instead of *v1.Pod here and we need to handle that correctly.
-			if !isPod {
-				deletedState, ok := obj.(cache.DeletedFinalStateUnknown)
-				if !ok {
-					logger.Error(nil, "Received unexpected object", "object", obj)
-					return
-				}
-				pod, ok = deletedState.Obj.(*v1.Pod)
-				if !ok {
-					logger.Error(nil, "DeletedFinalStateUnknown contained non-Pod object", "object", deletedState.Obj)
-					return
-				}
-			}
-			tm.PodUpdated(pod, nil)
-		},
-	})
-	if err != nil {
-		return nil, fmt.Errorf("unable to add pod event handler: %w", err)
-	}
-
-	_, err = nodeInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
-		AddFunc: controllerutil.CreateAddNodeHandler(func(node *v1.Node) error {
-			tm.NodeUpdated(nil, node)
-			return nil
-		}),
-		UpdateFunc: controllerutil.CreateUpdateNodeHandler(func(oldNode, newNode *v1.Node) error {
-			tm.NodeUpdated(oldNode, newNode)
-			return nil
-		}),
-		DeleteFunc: controllerutil.CreateDeleteNodeHandler(logger, func(node *v1.Node) error {
-			tm.NodeUpdated(node, nil)
-			return nil
-		}),
-	})
-	if err != nil {
-		return nil, fmt.Errorf("unable to add node event handler: %w", err)
-	}
-
-	return tm, nil
-}
-
-// Run starts the controller which will run in loop until `stopCh` is closed.
-func (tc *Controller) Run(ctx context.Context) {
-	defer utilruntime.HandleCrash()
-	logger := klog.FromContext(ctx)
-	logger.Info("Starting", "controller", tc.name)
-	defer logger.Info("Shutting down controller", "controller", tc.name)
-
-	// Start events processing pipeline.
-	tc.broadcaster.StartStructuredLogging(3)
-	if tc.client != nil {
-		logger.Info("Sending events to api server")
-		tc.broadcaster.StartRecordingToSink(&v1core.EventSinkImpl{Interface: tc.client.CoreV1().Events("")})
-	} else {
-		logger.Error(nil, "kubeClient is nil", "controller", tc.name)
-		klog.FlushAndExit(klog.ExitFlushTimeout, 1)
-	}
-	defer tc.broadcaster.Shutdown()
-	defer tc.nodeUpdateQueue.ShutDown()
-	defer tc.podUpdateQueue.ShutDown()
-
-	// wait for the cache to be synced
-	if !cache.WaitForNamedCacheSync(tc.name, ctx.Done(), tc.podListerSynced, tc.nodeListerSynced) {
-		return
-	}
-
-	for i := 0; i < UpdateWorkerSize; i++ {
-		tc.nodeUpdateChannels = append(tc.nodeUpdateChannels, make(chan nodeUpdateItem, NodeUpdateChannelSize))
-		tc.podUpdateChannels = append(tc.podUpdateChannels, make(chan podUpdateItem, podUpdateChannelSize))
-	}
-
-	// Functions that are responsible for taking work items out of the workqueues and putting them
-	// into channels.
-	go func(stopCh <-chan struct{}) {
-		for {
-			nodeUpdate, shutdown := tc.nodeUpdateQueue.Get()
-			if shutdown {
-				break
-			}
-			hash := hash(nodeUpdate.nodeName, UpdateWorkerSize)
-			select {
-			case <-stopCh:
-				tc.nodeUpdateQueue.Done(nodeUpdate)
-				return
-			case tc.nodeUpdateChannels[hash] <- nodeUpdate:
-				// tc.nodeUpdateQueue.Done is called by the nodeUpdateChannels worker
-			}
-		}
-	}(ctx.Done())
-
-	go func(stopCh <-chan struct{}) {
-		for {
-			podUpdate, shutdown := tc.podUpdateQueue.Get()
-			if shutdown {
-				break
-			}
-			// The fact that pods are processed by the same worker as nodes is used to avoid races
-			// between node worker setting tc.taintedNodes and pod worker reading this to decide
-			// whether to delete pod.
-			// It's possible that even without this assumption this code is still correct.
-			hash := hash(podUpdate.nodeName, UpdateWorkerSize)
-			select {
-			case <-stopCh:
-				tc.podUpdateQueue.Done(podUpdate)
-				return
-			case tc.podUpdateChannels[hash] <- podUpdate:
-				// tc.podUpdateQueue.Done is called by the podUpdateChannels worker
-			}
-		}
-	}(ctx.Done())
-
-	wg := sync.WaitGroup{}
-	wg.Add(UpdateWorkerSize)
-	for i := 0; i < UpdateWorkerSize; i++ {
-		go tc.worker(ctx, i, wg.Done, ctx.Done())
-	}
-	wg.Wait()
-}
-
-func (tc *Controller) worker(ctx context.Context, worker int, done func(), stopCh <-chan struct{}) {
-	defer done()
-
-	// When processing events we want to prioritize Node updates over Pod updates,
-	// as NodeUpdates that interest the controller should be handled as soon as possible -
-	// we don't want user (or system) to wait until PodUpdate queue is drained before it can
-	// start evicting Pods from tainted Nodes.
-	for {
-		select {
-		case <-stopCh:
-			return
-		case nodeUpdate := <-tc.nodeUpdateChannels[worker]:
-			tc.handleNodeUpdate(ctx, nodeUpdate)
-			tc.nodeUpdateQueue.Done(nodeUpdate)
-		case podUpdate := <-tc.podUpdateChannels[worker]:
-			// If we found a Pod update we need to empty Node queue first.
-		priority:
-			for {
-				select {
-				case nodeUpdate := <-tc.nodeUpdateChannels[worker]:
-					tc.handleNodeUpdate(ctx, nodeUpdate)
-					tc.nodeUpdateQueue.Done(nodeUpdate)
-				default:
-					break priority
-				}
-			}
-			// After Node queue is emptied we process podUpdate.
-			tc.handlePodUpdate(ctx, podUpdate)
-			tc.podUpdateQueue.Done(podUpdate)
-		}
-	}
-}
-
-// PodUpdated is used to notify NoExecuteTaintManager about Pod changes.
-func (tc *Controller) PodUpdated(oldPod *v1.Pod, newPod *v1.Pod) {
-	podName := ""
-	podNamespace := ""
-	nodeName := ""
-	oldTolerations := []v1.Toleration{}
-	if oldPod != nil {
-		podName = oldPod.Name
-		podNamespace = oldPod.Namespace
-		nodeName = oldPod.Spec.NodeName
-		oldTolerations = oldPod.Spec.Tolerations
-	}
-	newTolerations := []v1.Toleration{}
-	if newPod != nil {
-		podName = newPod.Name
-		podNamespace = newPod.Namespace
-		nodeName = newPod.Spec.NodeName
-		newTolerations = newPod.Spec.Tolerations
-	}
-
-	if oldPod != nil && newPod != nil && helper.Semantic.DeepEqual(oldTolerations, newTolerations) && oldPod.Spec.NodeName == newPod.Spec.NodeName {
-		return
-	}
-	updateItem := podUpdateItem{
-		podName:      podName,
-		podNamespace: podNamespace,
-		nodeName:     nodeName,
-	}
-
-	tc.podUpdateQueue.Add(updateItem)
-}
-
-// NodeUpdated is used to notify NoExecuteTaintManager about Node changes.
-func (tc *Controller) NodeUpdated(oldNode *v1.Node, newNode *v1.Node) {
-	nodeName := ""
-	oldTaints := []v1.Taint{}
-	if oldNode != nil {
-		nodeName = oldNode.Name
-		oldTaints = getNoExecuteTaints(oldNode.Spec.Taints)
-	}
-
-	newTaints := []v1.Taint{}
-	if newNode != nil {
-		nodeName = newNode.Name
-		newTaints = getNoExecuteTaints(newNode.Spec.Taints)
-	}
-
-	if oldNode != nil && newNode != nil && helper.Semantic.DeepEqual(oldTaints, newTaints) {
-		return
-	}
-	updateItem := nodeUpdateItem{
-		nodeName: nodeName,
-	}
-
-	tc.nodeUpdateQueue.Add(updateItem)
-}
-
-func (tc *Controller) cancelWorkWithEvent(logger klog.Logger, nsName types.NamespacedName) {
-	if tc.taintEvictionQueue.CancelWork(logger, nsName.String()) {
-		tc.emitCancelPodDeletionEvent(nsName)
-	}
-}
-
-func (tc *Controller) processPodOnNode(
-	ctx context.Context,
-	podNamespacedName types.NamespacedName,
-	nodeName string,
-	tolerations []v1.Toleration,
-	taints []v1.Taint,
-	now time.Time,
-) {
-	logger := klog.FromContext(ctx)
-	if len(taints) == 0 {
-		tc.cancelWorkWithEvent(logger, podNamespacedName)
-	}
-	allTolerated, usedTolerations := v1helper.GetMatchingTolerations(taints, tolerations)
-	if !allTolerated {
-		logger.V(2).Info("Not all taints are tolerated after update for pod on node", "pod", podNamespacedName.String(), "node", klog.KRef("", nodeName))
-		// We're canceling scheduled work (if any), as we're going to delete the Pod right away.
-		tc.cancelWorkWithEvent(logger, podNamespacedName)
-		tc.taintEvictionQueue.AddWork(ctx, NewWorkArgs(podNamespacedName.Name, podNamespacedName.Namespace), now, now)
-		return
-	}
-	minTolerationTime := getMinTolerationTime(usedTolerations)
-	// getMinTolerationTime returns negative value to denote infinite toleration.
-	if minTolerationTime < 0 {
-		logger.V(4).Info("Current tolerations for pod tolerate forever, cancelling any scheduled deletion", "pod", podNamespacedName.String())
-		tc.cancelWorkWithEvent(logger, podNamespacedName)
-		return
-	}
-
-	startTime := now
-	triggerTime := startTime.Add(minTolerationTime)
-	scheduledEviction := tc.taintEvictionQueue.GetWorkerUnsafe(podNamespacedName.String())
-	if scheduledEviction != nil {
-		startTime = scheduledEviction.CreatedAt
-		if startTime.Add(minTolerationTime).Before(triggerTime) {
-			return
-		}
-		tc.cancelWorkWithEvent(logger, podNamespacedName)
-	}
-	tc.taintEvictionQueue.AddWork(ctx, NewWorkArgs(podNamespacedName.Name, podNamespacedName.Namespace), startTime, triggerTime)
-}
-
-func (tc *Controller) handlePodUpdate(ctx context.Context, podUpdate podUpdateItem) {
-	pod, err := tc.podLister.Pods(podUpdate.podNamespace).Get(podUpdate.podName)
-	logger := klog.FromContext(ctx)
-	if err != nil {
-		if apierrors.IsNotFound(err) {
-			// Delete
-			podNamespacedName := types.NamespacedName{Namespace: podUpdate.podNamespace, Name: podUpdate.podName}
-			logger.V(4).Info("Noticed pod deletion", "pod", podNamespacedName)
-			tc.cancelWorkWithEvent(logger, podNamespacedName)
-			return
-		}
-		utilruntime.HandleError(fmt.Errorf("could not get pod %s/%s: %v", podUpdate.podName, podUpdate.podNamespace, err))
-		return
-	}
-
-	// We key the workqueue and shard workers by nodeName. If we don't match the current state we should not be the one processing the current object.
-	if pod.Spec.NodeName != podUpdate.nodeName {
-		return
-	}
-
-	// Create or Update
-	podNamespacedName := types.NamespacedName{Namespace: pod.Namespace, Name: pod.Name}
-	logger.V(4).Info("Noticed pod update", "pod", podNamespacedName)
-	nodeName := pod.Spec.NodeName
-	if nodeName == "" {
-		return
-	}
-	taints, ok := func() ([]v1.Taint, bool) {
-		tc.taintedNodesLock.Lock()
-		defer tc.taintedNodesLock.Unlock()
-		taints, ok := tc.taintedNodes[nodeName]
-		return taints, ok
-	}()
-	// It's possible that Node was deleted, or Taints were removed before, which triggered
-	// eviction cancelling if it was needed.
-	if !ok {
-		return
-	}
-	tc.processPodOnNode(ctx, podNamespacedName, nodeName, pod.Spec.Tolerations, taints, time.Now())
-}
-
-func (tc *Controller) handleNodeUpdate(ctx context.Context, nodeUpdate nodeUpdateItem) {
-	node, err := tc.nodeLister.Get(nodeUpdate.nodeName)
-	logger := klog.FromContext(ctx)
-	if err != nil {
-		if apierrors.IsNotFound(err) {
-			// Delete
-			logger.V(4).Info("Noticed node deletion", "node", klog.KRef("", nodeUpdate.nodeName))
-			tc.taintedNodesLock.Lock()
-			defer tc.taintedNodesLock.Unlock()
-			delete(tc.taintedNodes, nodeUpdate.nodeName)
-			return
-		}
-		utilruntime.HandleError(fmt.Errorf("cannot get node %s: %v", nodeUpdate.nodeName, err))
-		return
-	}
-
-	// Create or Update
-	logger.V(4).Info("Noticed node update", "node", klog.KObj(node))
-	taints := getNoExecuteTaints(node.Spec.Taints)
-	func() {
-		tc.taintedNodesLock.Lock()
-		defer tc.taintedNodesLock.Unlock()
-		logger.V(4).Info("Updating known taints on node", "node", klog.KObj(node), "taints", taints)
-		if len(taints) == 0 {
-			delete(tc.taintedNodes, node.Name)
-		} else {
-			tc.taintedNodes[node.Name] = taints
-		}
-	}()
-
-	// This is critical that we update tc.taintedNodes before we call getPodsAssignedToNode:
-	// getPodsAssignedToNode can be delayed as long as all future updates to pods will call
-	// tc.PodUpdated which will use tc.taintedNodes to potentially delete delayed pods.
-	pods, err := tc.getPodsAssignedToNode(node.Name)
-	if err != nil {
-		logger.Error(err, "Failed to get pods assigned to node", "node", klog.KObj(node))
-		return
-	}
-	if len(pods) == 0 {
-		return
-	}
-	// Short circuit, to make this controller a bit faster.
-	if len(taints) == 0 {
-		logger.V(4).Info("All taints were removed from the node. Cancelling all evictions...", "node", klog.KObj(node))
-		for i := range pods {
-			tc.cancelWorkWithEvent(logger, types.NamespacedName{Namespace: pods[i].Namespace, Name: pods[i].Name})
-		}
-		return
-	}
-
-	now := time.Now()
-	for _, pod := range pods {
-		podNamespacedName := types.NamespacedName{Namespace: pod.Namespace, Name: pod.Name}
-		tc.processPodOnNode(ctx, podNamespacedName, node.Name, pod.Spec.Tolerations, taints, now)
-	}
-}
-
-func (tc *Controller) emitPodDeletionEvent(nsName types.NamespacedName) {
-	if tc.recorder == nil {
-		return
-	}
-	ref := &v1.ObjectReference{
-		APIVersion: "v1",
-		Kind:       "Pod",
-		Name:       nsName.Name,
-		Namespace:  nsName.Namespace,
-	}
-	tc.recorder.Eventf(ref, v1.EventTypeNormal, "TaintManagerEviction", "Marking for deletion Pod %s", nsName.String())
-}
-
-func (tc *Controller) emitCancelPodDeletionEvent(nsName types.NamespacedName) {
-	if tc.recorder == nil {
-		return
-	}
-	ref := &v1.ObjectReference{
-		APIVersion: "v1",
-		Kind:       "Pod",
-		Name:       nsName.Name,
-		Namespace:  nsName.Namespace,
-	}
-	tc.recorder.Eventf(ref, v1.EventTypeNormal, "TaintManagerEviction", "Cancelling deletion of Pod %s", nsName.String())
-}
diff --git a/pkg/controller/devicetainteviction/taint_eviction_test.go b/pkg/controller/devicetainteviction/taint_eviction_test.go
deleted file mode 100644
index 6c933d5f23d..00000000000
--- a/pkg/controller/devicetainteviction/taint_eviction_test.go
+++ /dev/null
@@ -1,941 +0,0 @@
-/*
-Copyright 2017 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package tainteviction
-
-import (
-	"context"
-	"fmt"
-	goruntime "runtime"
-	"sort"
-	"testing"
-	"time"
-
-	"github.com/google/go-cmp/cmp"
-
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/fields"
-	"k8s.io/apimachinery/pkg/labels"
-	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/apimachinery/pkg/util/wait"
-	"k8s.io/client-go/informers"
-	"k8s.io/client-go/kubernetes/fake"
-	clienttesting "k8s.io/client-go/testing"
-	"k8s.io/client-go/tools/cache"
-	"k8s.io/kubernetes/pkg/controller/testutil"
-)
-
-var timeForControllerToProgressForSanityCheck = 20 * time.Millisecond
-
-func getPodsAssignedToNode(ctx context.Context, c *fake.Clientset) GetPodsByNodeNameFunc {
-	return func(nodeName string) ([]*corev1.Pod, error) {
-		selector := fields.SelectorFromSet(fields.Set{"spec.nodeName": nodeName})
-		pods, err := c.CoreV1().Pods(corev1.NamespaceAll).List(ctx, metav1.ListOptions{
-			FieldSelector: selector.String(),
-			LabelSelector: labels.Everything().String(),
-		})
-		if err != nil {
-			return []*corev1.Pod{}, fmt.Errorf("failed to get Pods assigned to node %v", nodeName)
-		}
-		rPods := make([]*corev1.Pod, len(pods.Items))
-		for i := range pods.Items {
-			rPods[i] = &pods.Items[i]
-		}
-		return rPods, nil
-	}
-}
-
-func createNoExecuteTaint(index int) corev1.Taint {
-	now := metav1.Now()
-	return corev1.Taint{
-		Key:       "testTaint" + fmt.Sprintf("%v", index),
-		Value:     "test" + fmt.Sprintf("%v", index),
-		Effect:    corev1.TaintEffectNoExecute,
-		TimeAdded: &now,
-	}
-}
-
-func addToleration(pod *corev1.Pod, index int, duration int64) *corev1.Pod {
-	if pod.Annotations == nil {
-		pod.Annotations = map[string]string{}
-	}
-	if duration < 0 {
-		pod.Spec.Tolerations = []corev1.Toleration{{Key: "testTaint" + fmt.Sprintf("%v", index), Value: "test" + fmt.Sprintf("%v", index), Effect: corev1.TaintEffectNoExecute}}
-
-	} else {
-		pod.Spec.Tolerations = []corev1.Toleration{{Key: "testTaint" + fmt.Sprintf("%v", index), Value: "test" + fmt.Sprintf("%v", index), Effect: corev1.TaintEffectNoExecute, TolerationSeconds: &duration}}
-	}
-	return pod
-}
-
-func addTaintsToNode(node *corev1.Node, key, value string, indices []int) *corev1.Node {
-	taints := []corev1.Taint{}
-	for _, index := range indices {
-		taints = append(taints, createNoExecuteTaint(index))
-	}
-	node.Spec.Taints = taints
-	return node
-}
-
-var alwaysReady = func() bool { return true }
-
-func setupNewController(ctx context.Context, fakeClientSet *fake.Clientset) (*Controller, cache.Indexer, cache.Indexer) {
-	informerFactory := informers.NewSharedInformerFactory(fakeClientSet, 0)
-	podIndexer := informerFactory.Core().V1().Pods().Informer().GetIndexer()
-	nodeIndexer := informerFactory.Core().V1().Nodes().Informer().GetIndexer()
-	mgr, _ := New(ctx, fakeClientSet, informerFactory.Core().V1().Pods(), informerFactory.Core().V1().Nodes(), "taint-eviction-controller")
-	mgr.podListerSynced = alwaysReady
-	mgr.nodeListerSynced = alwaysReady
-	mgr.getPodsAssignedToNode = getPodsAssignedToNode(ctx, fakeClientSet)
-	return mgr, podIndexer, nodeIndexer
-}
-
-type timestampedPod struct {
-	names     []string
-	timestamp time.Duration
-}
-
-type durationSlice []timestampedPod
-
-func (a durationSlice) Len() int           { return len(a) }
-func (a durationSlice) Swap(i, j int)      { a[i], a[j] = a[j], a[i] }
-func (a durationSlice) Less(i, j int) bool { return a[i].timestamp < a[j].timestamp }
-
-func TestFilterNoExecuteTaints(t *testing.T) {
-	taints := []corev1.Taint{
-		{
-			Key:    "one",
-			Value:  "one",
-			Effect: corev1.TaintEffectNoExecute,
-		},
-		{
-			Key:    "two",
-			Value:  "two",
-			Effect: corev1.TaintEffectNoSchedule,
-		},
-	}
-	taints = getNoExecuteTaints(taints)
-	if len(taints) != 1 || taints[0].Key != "one" {
-		t.Errorf("Filtering doesn't work. Got %v", taints)
-	}
-}
-
-func TestCreatePod(t *testing.T) {
-	testCases := []struct {
-		description  string
-		pod          *corev1.Pod
-		taintedNodes map[string][]corev1.Taint
-		expectPatch  bool
-		expectDelete bool
-	}{
-		{
-			description:  "not scheduled - ignore",
-			pod:          testutil.NewPod("pod1", ""),
-			taintedNodes: map[string][]corev1.Taint{},
-			expectDelete: false,
-		},
-		{
-			description:  "scheduled on untainted Node",
-			pod:          testutil.NewPod("pod1", "node1"),
-			taintedNodes: map[string][]corev1.Taint{},
-			expectDelete: false,
-		},
-		{
-			description: "schedule on tainted Node",
-			pod:         testutil.NewPod("pod1", "node1"),
-			taintedNodes: map[string][]corev1.Taint{
-				"node1": {createNoExecuteTaint(1)},
-			},
-			expectPatch:  true,
-			expectDelete: true,
-		},
-		{
-			description: "schedule on tainted Node with finite toleration",
-			pod:         addToleration(testutil.NewPod("pod1", "node1"), 1, 100),
-			taintedNodes: map[string][]corev1.Taint{
-				"node1": {createNoExecuteTaint(1)},
-			},
-			expectDelete: false,
-		},
-		{
-			description: "schedule on tainted Node with infinite toleration",
-			pod:         addToleration(testutil.NewPod("pod1", "node1"), 1, -1),
-			taintedNodes: map[string][]corev1.Taint{
-				"node1": {createNoExecuteTaint(1)},
-			},
-			expectDelete: false,
-		},
-		{
-			description: "schedule on tainted Node with infinite invalid toleration",
-			pod:         addToleration(testutil.NewPod("pod1", "node1"), 2, -1),
-			taintedNodes: map[string][]corev1.Taint{
-				"node1": {createNoExecuteTaint(1)},
-			},
-			expectPatch:  true,
-			expectDelete: true,
-		},
-	}
-
-	for _, item := range testCases {
-		t.Run(item.description, func(t *testing.T) {
-			ctx, cancel := context.WithCancel(context.Background())
-			fakeClientset := fake.NewSimpleClientset(&corev1.PodList{Items: []corev1.Pod{*item.pod}})
-			controller, podIndexer, _ := setupNewController(ctx, fakeClientset)
-			controller.recorder = testutil.NewFakeRecorder()
-			go controller.Run(ctx)
-			controller.taintedNodes = item.taintedNodes
-
-			podIndexer.Add(item.pod)
-			controller.PodUpdated(nil, item.pod)
-
-			verifyPodActions(t, item.description, fakeClientset, item.expectPatch, item.expectDelete)
-
-			cancel()
-		})
-	}
-}
-
-func TestDeletePod(t *testing.T) {
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-
-	fakeClientset := fake.NewSimpleClientset()
-	controller, _, _ := setupNewController(ctx, fakeClientset)
-	controller.recorder = testutil.NewFakeRecorder()
-	go controller.Run(ctx)
-	controller.taintedNodes = map[string][]corev1.Taint{
-		"node1": {createNoExecuteTaint(1)},
-	}
-	controller.PodUpdated(testutil.NewPod("pod1", "node1"), nil)
-	// wait a bit to see if nothing will panic
-	time.Sleep(timeForControllerToProgressForSanityCheck)
-}
-
-func TestUpdatePod(t *testing.T) {
-	testCases := []struct {
-		description               string
-		prevPod                   *corev1.Pod
-		awaitForScheduledEviction bool
-		newPod                    *corev1.Pod
-		taintedNodes              map[string][]corev1.Taint
-		expectPatch               bool
-		expectDelete              bool
-		skipOnWindows             bool
-	}{
-		{
-			description: "scheduling onto tainted Node",
-			prevPod:     testutil.NewPod("pod1", ""),
-			newPod:      testutil.NewPod("pod1", "node1"),
-			taintedNodes: map[string][]corev1.Taint{
-				"node1": {createNoExecuteTaint(1)},
-			},
-			expectPatch:  true,
-			expectDelete: true,
-		},
-		{
-			description: "scheduling onto tainted Node with toleration",
-			prevPod:     addToleration(testutil.NewPod("pod1", ""), 1, -1),
-			newPod:      addToleration(testutil.NewPod("pod1", "node1"), 1, -1),
-			taintedNodes: map[string][]corev1.Taint{
-				"node1": {createNoExecuteTaint(1)},
-			},
-			expectDelete: false,
-		},
-		{
-			description:               "removing toleration",
-			prevPod:                   addToleration(testutil.NewPod("pod1", "node1"), 1, 100),
-			newPod:                    testutil.NewPod("pod1", "node1"),
-			awaitForScheduledEviction: true,
-			taintedNodes: map[string][]corev1.Taint{
-				"node1": {createNoExecuteTaint(1)},
-			},
-			expectPatch:  true,
-			expectDelete: true,
-		},
-		{
-			description:               "lengthening toleration shouldn't work",
-			prevPod:                   addToleration(testutil.NewPod("pod1", "node1"), 1, 1),
-			newPod:                    addToleration(testutil.NewPod("pod1", "node1"), 1, 100),
-			awaitForScheduledEviction: true,
-			taintedNodes: map[string][]corev1.Taint{
-				"node1": {createNoExecuteTaint(1)},
-			},
-			expectPatch:   true,
-			expectDelete:  true,
-			skipOnWindows: true,
-		},
-	}
-
-	for _, item := range testCases {
-		t.Run(item.description, func(t *testing.T) {
-			if item.skipOnWindows && goruntime.GOOS == "windows" {
-				// TODO: remove skip once the flaking test has been fixed.
-				t.Skip("Skip flaking test on Windows.")
-			}
-			ctx, cancel := context.WithCancel(context.Background())
-			fakeClientset := fake.NewSimpleClientset(&corev1.PodList{Items: []corev1.Pod{*item.prevPod}})
-			controller, podIndexer, _ := setupNewController(context.TODO(), fakeClientset)
-			controller.recorder = testutil.NewFakeRecorder()
-			controller.taintedNodes = item.taintedNodes
-			go controller.Run(ctx)
-
-			podIndexer.Add(item.prevPod)
-			controller.PodUpdated(nil, item.prevPod)
-
-			if item.awaitForScheduledEviction {
-				nsName := types.NamespacedName{Namespace: item.prevPod.Namespace, Name: item.prevPod.Name}
-				err := wait.PollImmediate(time.Millisecond*10, time.Second, func() (bool, error) {
-					scheduledEviction := controller.taintEvictionQueue.GetWorkerUnsafe(nsName.String())
-					return scheduledEviction != nil, nil
-				})
-				if err != nil {
-					t.Fatalf("Failed to await for scheduled eviction: %q", err)
-				}
-			}
-
-			podIndexer.Update(item.newPod)
-			controller.PodUpdated(item.prevPod, item.newPod)
-
-			verifyPodActions(t, item.description, fakeClientset, item.expectPatch, item.expectDelete)
-			cancel()
-		})
-	}
-}
-
-func TestCreateNode(t *testing.T) {
-	testCases := []struct {
-		description  string
-		pods         []corev1.Pod
-		node         *corev1.Node
-		expectPatch  bool
-		expectDelete bool
-	}{
-		{
-			description: "Creating Node matching already assigned Pod",
-			pods: []corev1.Pod{
-				*testutil.NewPod("pod1", "node1"),
-			},
-			node:         testutil.NewNode("node1"),
-			expectPatch:  false,
-			expectDelete: false,
-		},
-		{
-			description: "Creating tainted Node matching already assigned Pod",
-			pods: []corev1.Pod{
-				*testutil.NewPod("pod1", "node1"),
-			},
-			node:         addTaintsToNode(testutil.NewNode("node1"), "testTaint1", "taint1", []int{1}),
-			expectPatch:  true,
-			expectDelete: true,
-		},
-		{
-			description: "Creating tainted Node matching already assigned tolerating Pod",
-			pods: []corev1.Pod{
-				*addToleration(testutil.NewPod("pod1", "node1"), 1, -1),
-			},
-			node:         addTaintsToNode(testutil.NewNode("node1"), "testTaint1", "taint1", []int{1}),
-			expectPatch:  false,
-			expectDelete: false,
-		},
-	}
-
-	for _, item := range testCases {
-		ctx, cancel := context.WithCancel(context.Background())
-		fakeClientset := fake.NewSimpleClientset(&corev1.PodList{Items: item.pods})
-		controller, _, nodeIndexer := setupNewController(ctx, fakeClientset)
-		nodeIndexer.Add(item.node)
-		controller.recorder = testutil.NewFakeRecorder()
-		go controller.Run(ctx)
-		controller.NodeUpdated(nil, item.node)
-
-		verifyPodActions(t, item.description, fakeClientset, item.expectPatch, item.expectDelete)
-
-		cancel()
-	}
-}
-
-func TestDeleteNode(t *testing.T) {
-	ctx, cancel := context.WithCancel(context.Background())
-	fakeClientset := fake.NewSimpleClientset()
-	controller, _, _ := setupNewController(ctx, fakeClientset)
-	controller.recorder = testutil.NewFakeRecorder()
-	controller.taintedNodes = map[string][]corev1.Taint{
-		"node1": {createNoExecuteTaint(1)},
-	}
-	go controller.Run(ctx)
-	controller.NodeUpdated(testutil.NewNode("node1"), nil)
-
-	// await until controller.taintedNodes is empty
-	err := wait.PollImmediate(10*time.Millisecond, time.Second, func() (bool, error) {
-		controller.taintedNodesLock.Lock()
-		defer controller.taintedNodesLock.Unlock()
-		_, ok := controller.taintedNodes["node1"]
-		return !ok, nil
-	})
-	if err != nil {
-		t.Errorf("Failed to await for processing node deleted: %q", err)
-	}
-	cancel()
-}
-
-func TestUpdateNode(t *testing.T) {
-	testCases := []struct {
-		description     string
-		pods            []corev1.Pod
-		oldNode         *corev1.Node
-		newNode         *corev1.Node
-		expectPatch     bool
-		expectDelete    bool
-		additionalSleep time.Duration
-	}{
-		{
-			description: "Added taint, expect node patched and deleted",
-			pods: []corev1.Pod{
-				*testutil.NewPod("pod1", "node1"),
-			},
-			oldNode:      testutil.NewNode("node1"),
-			newNode:      addTaintsToNode(testutil.NewNode("node1"), "testTaint1", "taint1", []int{1}),
-			expectPatch:  true,
-			expectDelete: true,
-		},
-		{
-			description: "Added tolerated taint",
-			pods: []corev1.Pod{
-				*addToleration(testutil.NewPod("pod1", "node1"), 1, 100),
-			},
-			oldNode:      testutil.NewNode("node1"),
-			newNode:      addTaintsToNode(testutil.NewNode("node1"), "testTaint1", "taint1", []int{1}),
-			expectDelete: false,
-		},
-		{
-			description: "Only one added taint tolerated",
-			pods: []corev1.Pod{
-				*addToleration(testutil.NewPod("pod1", "node1"), 1, 100),
-			},
-			oldNode:      testutil.NewNode("node1"),
-			newNode:      addTaintsToNode(testutil.NewNode("node1"), "testTaint1", "taint1", []int{1, 2}),
-			expectPatch:  true,
-			expectDelete: true,
-		},
-		{
-			description: "Taint removed",
-			pods: []corev1.Pod{
-				*addToleration(testutil.NewPod("pod1", "node1"), 1, 1),
-			},
-			oldNode:         addTaintsToNode(testutil.NewNode("node1"), "testTaint1", "taint1", []int{1}),
-			newNode:         testutil.NewNode("node1"),
-			expectDelete:    false,
-			additionalSleep: 1500 * time.Millisecond,
-		},
-		{
-			description: "Pod with multiple tolerations are evicted when first one runs out",
-			pods: []corev1.Pod{
-				{
-					ObjectMeta: metav1.ObjectMeta{
-						Namespace: "default",
-						Name:      "pod1",
-					},
-					Spec: corev1.PodSpec{
-						NodeName: "node1",
-						Tolerations: []corev1.Toleration{
-							{Key: "testTaint1", Value: "test1", Effect: corev1.TaintEffectNoExecute, TolerationSeconds: &[]int64{1}[0]},
-							{Key: "testTaint2", Value: "test2", Effect: corev1.TaintEffectNoExecute, TolerationSeconds: &[]int64{100}[0]},
-						},
-					},
-					Status: corev1.PodStatus{
-						Conditions: []corev1.PodCondition{
-							{
-								Type:   corev1.PodReady,
-								Status: corev1.ConditionTrue,
-							},
-						},
-					},
-				},
-			},
-			oldNode:      testutil.NewNode("node1"),
-			newNode:      addTaintsToNode(testutil.NewNode("node1"), "testTaint1", "taint1", []int{1, 2}),
-			expectPatch:  true,
-			expectDelete: true,
-		},
-	}
-
-	for _, item := range testCases {
-		t.Run(item.description, func(t *testing.T) {
-			ctx, cancel := context.WithCancel(context.Background())
-			defer cancel()
-
-			fakeClientset := fake.NewSimpleClientset(&corev1.PodList{Items: item.pods})
-			controller, _, nodeIndexer := setupNewController(ctx, fakeClientset)
-			nodeIndexer.Add(item.newNode)
-			controller.recorder = testutil.NewFakeRecorder()
-			go controller.Run(ctx)
-			controller.NodeUpdated(item.oldNode, item.newNode)
-
-			if item.additionalSleep > 0 {
-				time.Sleep(item.additionalSleep)
-			}
-
-			verifyPodActions(t, item.description, fakeClientset, item.expectPatch, item.expectDelete)
-		})
-	}
-}
-
-func TestUpdateNodeWithMultipleTaints(t *testing.T) {
-	taint1 := createNoExecuteTaint(1)
-	taint2 := createNoExecuteTaint(2)
-
-	minute := int64(60)
-	pod := testutil.NewPod("pod1", "node1")
-	pod.Spec.Tolerations = []corev1.Toleration{
-		{Key: taint1.Key, Operator: corev1.TolerationOpExists, Effect: corev1.TaintEffectNoExecute},
-		{Key: taint2.Key, Operator: corev1.TolerationOpExists, Effect: corev1.TaintEffectNoExecute, TolerationSeconds: &minute},
-	}
-	podNamespacedName := types.NamespacedName{Namespace: pod.Namespace, Name: pod.Name}
-
-	untaintedNode := testutil.NewNode("node1")
-
-	doubleTaintedNode := testutil.NewNode("node1")
-	doubleTaintedNode.Spec.Taints = []corev1.Taint{taint1, taint2}
-
-	singleTaintedNode := testutil.NewNode("node1")
-	singleTaintedNode.Spec.Taints = []corev1.Taint{taint1}
-
-	ctx, cancel := context.WithCancel(context.TODO())
-	fakeClientset := fake.NewSimpleClientset(pod)
-	controller, _, nodeIndexer := setupNewController(ctx, fakeClientset)
-	controller.recorder = testutil.NewFakeRecorder()
-	go controller.Run(ctx)
-
-	// no taint
-	nodeIndexer.Add(untaintedNode)
-	controller.handleNodeUpdate(ctx, nodeUpdateItem{"node1"})
-	// verify pod is not queued for deletion
-	if controller.taintEvictionQueue.GetWorkerUnsafe(podNamespacedName.String()) != nil {
-		t.Fatalf("pod queued for deletion with no taints")
-	}
-
-	// no taint -> infinitely tolerated taint
-	nodeIndexer.Update(singleTaintedNode)
-	controller.handleNodeUpdate(ctx, nodeUpdateItem{"node1"})
-	// verify pod is not queued for deletion
-	if controller.taintEvictionQueue.GetWorkerUnsafe(podNamespacedName.String()) != nil {
-		t.Fatalf("pod queued for deletion with permanently tolerated taint")
-	}
-
-	// infinitely tolerated taint -> temporarily tolerated taint
-	nodeIndexer.Update(doubleTaintedNode)
-	controller.handleNodeUpdate(ctx, nodeUpdateItem{"node1"})
-	// verify pod is queued for deletion
-	if controller.taintEvictionQueue.GetWorkerUnsafe(podNamespacedName.String()) == nil {
-		t.Fatalf("pod not queued for deletion after addition of temporarily tolerated taint")
-	}
-
-	// temporarily tolerated taint -> infinitely tolerated taint
-	nodeIndexer.Update(singleTaintedNode)
-	controller.handleNodeUpdate(ctx, nodeUpdateItem{"node1"})
-	// verify pod is not queued for deletion
-	if controller.taintEvictionQueue.GetWorkerUnsafe(podNamespacedName.String()) != nil {
-		t.Fatalf("pod queued for deletion after removal of temporarily tolerated taint")
-	}
-
-	// verify pod is not deleted
-	for _, action := range fakeClientset.Actions() {
-		if action.GetVerb() == "delete" && action.GetResource().Resource == "pods" {
-			t.Error("Unexpected deletion")
-		}
-	}
-	cancel()
-}
-
-func TestUpdateNodeWithMultiplePods(t *testing.T) {
-	testCases := []struct {
-		description         string
-		pods                []corev1.Pod
-		oldNode             *corev1.Node
-		newNode             *corev1.Node
-		expectedDeleteTimes durationSlice
-	}{
-		{
-			description: "Pods with different toleration times are evicted appropriately",
-			pods: []corev1.Pod{
-				*testutil.NewPod("pod1", "node1"),
-				*addToleration(testutil.NewPod("pod2", "node1"), 1, 1),
-				*addToleration(testutil.NewPod("pod3", "node1"), 1, -1),
-			},
-			oldNode: testutil.NewNode("node1"),
-			newNode: addTaintsToNode(testutil.NewNode("node1"), "testTaint1", "taint1", []int{1}),
-			expectedDeleteTimes: durationSlice{
-				{[]string{"pod1"}, 0},
-				{[]string{"pod2"}, time.Second},
-			},
-		},
-		{
-			description: "Evict all pods not matching all taints instantly",
-			pods: []corev1.Pod{
-				*testutil.NewPod("pod1", "node1"),
-				*addToleration(testutil.NewPod("pod2", "node1"), 1, 1),
-				*addToleration(testutil.NewPod("pod3", "node1"), 1, -1),
-			},
-			oldNode: testutil.NewNode("node1"),
-			newNode: addTaintsToNode(testutil.NewNode("node1"), "testTaint1", "taint1", []int{1, 2}),
-			expectedDeleteTimes: durationSlice{
-				{[]string{"pod1", "pod2", "pod3"}, 0},
-			},
-		},
-	}
-
-	for _, item := range testCases {
-		t.Run(item.description, func(t *testing.T) {
-			t.Logf("Starting testcase %q", item.description)
-			ctx, cancel := context.WithCancel(context.Background())
-			defer cancel()
-
-			fakeClientset := fake.NewSimpleClientset(&corev1.PodList{Items: item.pods})
-			sort.Sort(item.expectedDeleteTimes)
-			controller, _, nodeIndexer := setupNewController(ctx, fakeClientset)
-			nodeIndexer.Add(item.newNode)
-			controller.recorder = testutil.NewFakeRecorder()
-			go controller.Run(ctx)
-			controller.NodeUpdated(item.oldNode, item.newNode)
-
-			startedAt := time.Now()
-			for i := range item.expectedDeleteTimes {
-				if i == 0 || item.expectedDeleteTimes[i-1].timestamp != item.expectedDeleteTimes[i].timestamp {
-					// compute a grace duration to give controller time to process updates. Choose big
-					// enough intervals in the test cases above to avoid flakes.
-					var increment time.Duration
-					if i == len(item.expectedDeleteTimes)-1 || item.expectedDeleteTimes[i+1].timestamp == item.expectedDeleteTimes[i].timestamp {
-						increment = 500 * time.Millisecond
-					} else {
-						increment = ((item.expectedDeleteTimes[i+1].timestamp - item.expectedDeleteTimes[i].timestamp) / time.Duration(2))
-					}
-
-					sleepTime := item.expectedDeleteTimes[i].timestamp - time.Since(startedAt) + increment
-					if sleepTime < 0 {
-						sleepTime = 0
-					}
-					t.Logf("Sleeping for %v", sleepTime)
-					time.Sleep(sleepTime)
-				}
-
-				for delay, podName := range item.expectedDeleteTimes[i].names {
-					deleted := false
-					for _, action := range fakeClientset.Actions() {
-						deleteAction, ok := action.(clienttesting.DeleteActionImpl)
-						if !ok {
-							t.Logf("Found not-delete action with verb %v. Ignoring.", action.GetVerb())
-							continue
-						}
-						if deleteAction.GetResource().Resource != "pods" {
-							continue
-						}
-						if podName == deleteAction.GetName() {
-							deleted = true
-						}
-					}
-					if !deleted {
-						t.Errorf("Failed to deleted pod %v after %v", podName, delay)
-					}
-				}
-				for _, action := range fakeClientset.Actions() {
-					deleteAction, ok := action.(clienttesting.DeleteActionImpl)
-					if !ok {
-						t.Logf("Found not-delete action with verb %v. Ignoring.", action.GetVerb())
-						continue
-					}
-					if deleteAction.GetResource().Resource != "pods" {
-						continue
-					}
-					deletedPodName := deleteAction.GetName()
-					expected := false
-					for _, podName := range item.expectedDeleteTimes[i].names {
-						if podName == deletedPodName {
-							expected = true
-						}
-					}
-					if !expected {
-						t.Errorf("Pod %v was deleted even though it shouldn't have", deletedPodName)
-					}
-				}
-				fakeClientset.ClearActions()
-			}
-		})
-	}
-}
-
-func TestGetMinTolerationTime(t *testing.T) {
-	one := int64(1)
-	two := int64(2)
-	oneSec := 1 * time.Second
-
-	tests := []struct {
-		tolerations []corev1.Toleration
-		expected    time.Duration
-	}{
-		{
-			tolerations: []corev1.Toleration{},
-			expected:    0,
-		},
-		{
-			tolerations: []corev1.Toleration{
-				{
-					TolerationSeconds: nil,
-				},
-			},
-			expected: -1,
-		},
-		{
-			tolerations: []corev1.Toleration{
-				{
-					TolerationSeconds: &one,
-				},
-				{
-					TolerationSeconds: &two,
-				},
-			},
-			expected: oneSec,
-		},
-
-		{
-			tolerations: []corev1.Toleration{
-				{
-					TolerationSeconds: &one,
-				},
-				{
-					TolerationSeconds: nil,
-				},
-			},
-			expected: oneSec,
-		},
-		{
-			tolerations: []corev1.Toleration{
-				{
-					TolerationSeconds: nil,
-				},
-				{
-					TolerationSeconds: &one,
-				},
-			},
-			expected: oneSec,
-		},
-	}
-
-	for _, test := range tests {
-		got := getMinTolerationTime(test.tolerations)
-		if got != test.expected {
-			t.Errorf("Incorrect min toleration time: got %v, expected %v", got, test.expected)
-		}
-	}
-}
-
-// TestEventualConsistency verifies if getPodsAssignedToNode returns incomplete data
-// (e.g. due to watch latency), it will reconcile the remaining pods eventually.
-// This scenario is partially covered by TestUpdatePods, but given this is an important
-// property of TaintManager, it's better to have explicit test for this.
-func TestEventualConsistency(t *testing.T) {
-	testCases := []struct {
-		description  string
-		pods         []corev1.Pod
-		prevPod      *corev1.Pod
-		newPod       *corev1.Pod
-		oldNode      *corev1.Node
-		newNode      *corev1.Node
-		expectPatch  bool
-		expectDelete bool
-	}{
-		{
-			description: "existing pod2 scheduled onto tainted Node",
-			pods: []corev1.Pod{
-				*testutil.NewPod("pod1", "node1"),
-			},
-			prevPod:      testutil.NewPod("pod2", ""),
-			newPod:       testutil.NewPod("pod2", "node1"),
-			oldNode:      testutil.NewNode("node1"),
-			newNode:      addTaintsToNode(testutil.NewNode("node1"), "testTaint1", "taint1", []int{1}),
-			expectPatch:  true,
-			expectDelete: true,
-		},
-		{
-			description: "existing pod2 with taint toleration scheduled onto tainted Node",
-			pods: []corev1.Pod{
-				*testutil.NewPod("pod1", "node1"),
-			},
-			prevPod:      addToleration(testutil.NewPod("pod2", ""), 1, 100),
-			newPod:       addToleration(testutil.NewPod("pod2", "node1"), 1, 100),
-			oldNode:      testutil.NewNode("node1"),
-			newNode:      addTaintsToNode(testutil.NewNode("node1"), "testTaint1", "taint1", []int{1}),
-			expectPatch:  true,
-			expectDelete: true,
-		},
-		{
-			description: "new pod2 created on tainted Node",
-			pods: []corev1.Pod{
-				*testutil.NewPod("pod1", "node1"),
-			},
-			prevPod:      nil,
-			newPod:       testutil.NewPod("pod2", "node1"),
-			oldNode:      testutil.NewNode("node1"),
-			newNode:      addTaintsToNode(testutil.NewNode("node1"), "testTaint1", "taint1", []int{1}),
-			expectPatch:  true,
-			expectDelete: true,
-		},
-		{
-			description: "new pod2 with tait toleration created on tainted Node",
-			pods: []corev1.Pod{
-				*testutil.NewPod("pod1", "node1"),
-			},
-			prevPod:      nil,
-			newPod:       addToleration(testutil.NewPod("pod2", "node1"), 1, 100),
-			oldNode:      testutil.NewNode("node1"),
-			newNode:      addTaintsToNode(testutil.NewNode("node1"), "testTaint1", "taint1", []int{1}),
-			expectPatch:  true,
-			expectDelete: true,
-		},
-	}
-
-	for _, item := range testCases {
-		t.Run(item.description, func(t *testing.T) {
-			ctx, cancel := context.WithCancel(context.Background())
-			defer cancel()
-
-			fakeClientset := fake.NewSimpleClientset(&corev1.PodList{Items: item.pods})
-			controller, podIndexer, nodeIndexer := setupNewController(ctx, fakeClientset)
-			nodeIndexer.Add(item.newNode)
-			controller.recorder = testutil.NewFakeRecorder()
-			go controller.Run(ctx)
-
-			if item.prevPod != nil {
-				podIndexer.Add(item.prevPod)
-				controller.PodUpdated(nil, item.prevPod)
-			}
-
-			// First we simulate NodeUpdate that should delete 'pod1'. It doesn't know about 'pod2' yet.
-			controller.NodeUpdated(item.oldNode, item.newNode)
-
-			verifyPodActions(t, item.description, fakeClientset, item.expectPatch, item.expectDelete)
-			fakeClientset.ClearActions()
-
-			// And now the delayed update of 'pod2' comes to the TaintManager. We should delete it as well.
-			podIndexer.Update(item.newPod)
-			controller.PodUpdated(item.prevPod, item.newPod)
-			// wait a bit
-			time.Sleep(timeForControllerToProgressForSanityCheck)
-		})
-	}
-}
-
-func verifyPodActions(t *testing.T, description string, fakeClientset *fake.Clientset, expectPatch, expectDelete bool) {
-	t.Helper()
-	podPatched := false
-	podDeleted := false
-	// use Poll instead of PollImmediate to give some processing time to the controller that the expected
-	// actions are likely to be already sent
-	err := wait.Poll(10*time.Millisecond, 5*time.Second, func() (bool, error) {
-		for _, action := range fakeClientset.Actions() {
-			if action.GetVerb() == "patch" && action.GetResource().Resource == "pods" {
-				podPatched = true
-			}
-			if action.GetVerb() == "delete" && action.GetResource().Resource == "pods" {
-				podDeleted = true
-			}
-		}
-		return podPatched == expectPatch && podDeleted == expectDelete, nil
-	})
-	if err != nil {
-		t.Errorf("Failed waiting for the expected actions: %q", err)
-	}
-	if podPatched != expectPatch {
-		t.Errorf("[%v]Unexpected test result. Expected patch %v, got %v", description, expectPatch, podPatched)
-	}
-	if podDeleted != expectDelete {
-		t.Errorf("[%v]Unexpected test result. Expected delete %v, got %v", description, expectDelete, podDeleted)
-	}
-}
-
-// TestPodDeletionEvent Verify that the output events are as expected
-func TestPodDeletionEvent(t *testing.T) {
-	f := func(path cmp.Path) bool {
-		switch path.String() {
-		// These fields change at runtime, so ignore it
-		case "LastTimestamp", "FirstTimestamp", "ObjectMeta.Name":
-			return true
-		}
-		return false
-	}
-
-	t.Run("emitPodDeletionEvent", func(t *testing.T) {
-		controller := &Controller{}
-		recorder := testutil.NewFakeRecorder()
-		controller.recorder = recorder
-		controller.emitPodDeletionEvent(types.NamespacedName{
-			Name:      "test",
-			Namespace: "test",
-		})
-		want := []*corev1.Event{
-			{
-				ObjectMeta: metav1.ObjectMeta{
-					Namespace: "test",
-				},
-				InvolvedObject: corev1.ObjectReference{
-					Kind:       "Pod",
-					APIVersion: "v1",
-					Namespace:  "test",
-					Name:       "test",
-				},
-				Reason:  "TaintManagerEviction",
-				Type:    "Normal",
-				Count:   1,
-				Message: "Marking for deletion Pod test/test",
-				Source:  corev1.EventSource{Component: "nodeControllerTest"},
-			},
-		}
-		if diff := cmp.Diff(want, recorder.Events, cmp.FilterPath(f, cmp.Ignore())); len(diff) > 0 {
-			t.Errorf("emitPodDeletionEvent() returned data (-want,+got):\n%s", diff)
-		}
-	})
-
-	t.Run("emitCancelPodDeletionEvent", func(t *testing.T) {
-		controller := &Controller{}
-		recorder := testutil.NewFakeRecorder()
-		controller.recorder = recorder
-		controller.emitCancelPodDeletionEvent(types.NamespacedName{
-			Name:      "test",
-			Namespace: "test",
-		})
-		want := []*corev1.Event{
-			{
-				ObjectMeta: metav1.ObjectMeta{
-					Namespace: "test",
-				},
-				InvolvedObject: corev1.ObjectReference{
-					Kind:       "Pod",
-					APIVersion: "v1",
-					Namespace:  "test",
-					Name:       "test",
-				},
-				Reason:  "TaintManagerEviction",
-				Type:    "Normal",
-				Count:   1,
-				Message: "Cancelling deletion of Pod test/test",
-				Source:  corev1.EventSource{Component: "nodeControllerTest"},
-			},
-		}
-		if diff := cmp.Diff(want, recorder.Events, cmp.FilterPath(f, cmp.Ignore())); len(diff) > 0 {
-			t.Errorf("emitPodDeletionEvent() returned data (-want,+got):\n%s", diff)
-		}
-	})
-}
diff --git a/pkg/controller/tainteviction/namespacedobject.go b/pkg/controller/tainteviction/namespacedobject.go
new file mode 100644
index 00000000000..f0fee51f225
--- /dev/null
+++ b/pkg/controller/tainteviction/namespacedobject.go
@@ -0,0 +1,50 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package tainteviction
+
+import (
+	"k8s.io/apimachinery/pkg/types"
+)
+
+// NamespacedObject comprises a resource name with a mandatory namespace
+// and optional UID. It gets rendered as "<namespace>/<name>[:<uid>]"
+// (text output) or as an object (JSON output).
+type NamespacedObject struct {
+	types.NamespacedName
+	UID types.UID
+}
+
+// String returns the general purpose string representation
+func (n NamespacedObject) String() string {
+	if n.UID != "" {
+		return n.Namespace + string(types.Separator) + n.Name + ":" + string(n.UID)
+	}
+	return n.Namespace + string(types.Separator) + n.Name
+}
+
+// MarshalLog emits a struct containing required key/value pair
+func (n NamespacedObject) MarshalLog() interface{} {
+	return struct {
+		Name      string    `json:"name"`
+		Namespace string    `json:"namespace,omitempty"`
+		UID       types.UID `json:"uid,omitempty"`
+	}{
+		Name:      n.Name,
+		Namespace: n.Namespace,
+		UID:       n.UID,
+	}
+}
diff --git a/pkg/controller/tainteviction/taint_eviction.go b/pkg/controller/tainteviction/taint_eviction.go
index aeae369534a..14a77c11546 100644
--- a/pkg/controller/tainteviction/taint_eviction.go
+++ b/pkg/controller/tainteviction/taint_eviction.go
@@ -106,11 +106,11 @@ type Controller struct {
 
 func deletePodHandler(c clientset.Interface, emitEventFunc func(types.NamespacedName), controllerName string) func(ctx context.Context, fireAt time.Time, args *WorkArgs) error {
 	return func(ctx context.Context, fireAt time.Time, args *WorkArgs) error {
-		ns := args.NamespacedName.Namespace
-		name := args.NamespacedName.Name
-		klog.FromContext(ctx).Info("Deleting pod", "controller", controllerName, "pod", args.NamespacedName)
+		ns := args.Object.Namespace
+		name := args.Object.Name
+		klog.FromContext(ctx).Info("Deleting pod", "controller", controllerName, "pod", args.Object)
 		if emitEventFunc != nil {
-			emitEventFunc(args.NamespacedName)
+			emitEventFunc(args.Object.NamespacedName)
 		}
 		var err error
 		for i := 0; i < retries; i++ {
diff --git a/pkg/controller/tainteviction/timed_workers.go b/pkg/controller/tainteviction/timed_workers.go
index fa7615d9b9a..732b81bbc79 100644
--- a/pkg/controller/tainteviction/timed_workers.go
+++ b/pkg/controller/tainteviction/timed_workers.go
@@ -28,18 +28,23 @@ import (
 
 // WorkArgs keeps arguments that will be passed to the function executed by the worker.
 type WorkArgs struct {
-	NamespacedName types.NamespacedName
+	// Object is the work item. The UID is only set if it was set when adding the work item.
+	Object NamespacedObject
 }
 
-// KeyFromWorkArgs creates a key for the given `WorkArgs`
+// KeyFromWorkArgs creates a key for the given `WorkArgs`.
+//
+// The key is the same as the NamespacedName of the object in the work item,
+// i.e. the UID is ignored. There cannot be two different
+// work items with the same NamespacedName and different UIDs.
 func (w *WorkArgs) KeyFromWorkArgs() string {
-	return w.NamespacedName.String()
+	return w.Object.NamespacedName.String()
 }
 
-// NewWorkArgs is a helper function to create new `WorkArgs`
+// NewWorkArgs is a helper function to create new `WorkArgs` without a UID.
 func NewWorkArgs(name, namespace string) *WorkArgs {
 	return &WorkArgs{
-		NamespacedName: types.NamespacedName{Namespace: namespace, Name: name},
+		Object: NamespacedObject{NamespacedName: types.NamespacedName{Namespace: namespace, Name: name}},
 	}
 }
 
@@ -102,31 +107,59 @@ func CreateWorkerQueue(f func(ctx context.Context, fireAt time.Time, args *WorkA
 
 func (q *TimedWorkerQueue) getWrappedWorkerFunc(key string) func(ctx context.Context, fireAt time.Time, args *WorkArgs) error {
 	return func(ctx context.Context, fireAt time.Time, args *WorkArgs) error {
+		logger := klog.FromContext(ctx)
+		logger.V(4).Info("Firing worker", "item", key, "firedTime", fireAt)
 		err := q.workFunc(ctx, fireAt, args)
 		q.Lock()
 		defer q.Unlock()
+		logger.V(4).Info("Worker finished, removing", "item", key, "err", err)
 		delete(q.workers, key)
 		return err
 	}
 }
 
 // AddWork adds a work to the WorkerQueue which will be executed not earlier than `fireAt`.
+// If replace is false, an existing work item will not get replaced, otherwise it
+// gets canceled and the new one is added instead.
 func (q *TimedWorkerQueue) AddWork(ctx context.Context, args *WorkArgs, createdAt time.Time, fireAt time.Time) {
 	key := args.KeyFromWorkArgs()
 	logger := klog.FromContext(ctx)
-	logger.V(4).Info("Adding TimedWorkerQueue item and to be fired at firedTime", "item", key, "createTime", createdAt, "firedTime", fireAt)
 
 	q.Lock()
 	defer q.Unlock()
 	if _, exists := q.workers[key]; exists {
-		logger.Info("Trying to add already existing work, skipping", "args", args)
+		logger.V(4).Info("Trying to add already existing work, skipping", "item", key, "createTime", createdAt, "firedTime", fireAt)
 		return
 	}
+	logger.V(4).Info("Adding TimedWorkerQueue item and to be fired at firedTime", "item", key, "createTime", createdAt, "firedTime", fireAt)
+	worker := createWorker(ctx, args, createdAt, fireAt, q.getWrappedWorkerFunc(key), q.clock)
+	q.workers[key] = worker
+}
+
+// UpdateWork adds or replaces a work item such that it will be executed not earlier than `fireAt`.
+// This is a cheap no-op when the old and new fireAt are the same.
+func (q *TimedWorkerQueue) UpdateWork(ctx context.Context, args *WorkArgs, createdAt time.Time, fireAt time.Time) {
+	key := args.KeyFromWorkArgs()
+	logger := klog.FromContext(ctx)
+
+	q.Lock()
+	defer q.Unlock()
+	if worker, exists := q.workers[key]; exists {
+		if worker.FireAt.Compare(fireAt) == 0 {
+			logger.V(4).Info("Keeping existing work, same time", "item", key, "createTime", worker.CreatedAt, "firedTime", worker.FireAt)
+			return
+		}
+		logger.V(4).Info("Replacing existing work", "item", key, "createTime", worker.CreatedAt, "firedTime", worker.FireAt)
+		worker.Cancel()
+	}
+	logger.V(4).Info("Adding TimedWorkerQueue item and to be fired at firedTime", "item", key, "createTime", createdAt, "firedTime", fireAt)
 	worker := createWorker(ctx, args, createdAt, fireAt, q.getWrappedWorkerFunc(key), q.clock)
 	q.workers[key] = worker
 }
 
 // CancelWork removes scheduled function execution from the queue. Returns true if work was cancelled.
+// The key must be the same as the one returned by WorkArgs.KeyFromWorkArgs, i.e.
+// the result of NamespacedName.String.
 func (q *TimedWorkerQueue) CancelWork(logger klog.Logger, key string) bool {
 	q.Lock()
 	defer q.Unlock()
diff --git a/pkg/scheduler/framework/plugins/dynamicresources/dynamicresources_test.go b/pkg/scheduler/framework/plugins/dynamicresources/dynamicresources_test.go
index 0b85ac77aac..50dfbd596ef 100644
--- a/pkg/scheduler/framework/plugins/dynamicresources/dynamicresources_test.go
+++ b/pkg/scheduler/framework/plugins/dynamicresources/dynamicresources_test.go
@@ -95,7 +95,7 @@ var (
 
 	// Node with "instance-1" device and no device attributes.
 	workerNode      = &st.MakeNode().Name(nodeName).Label("kubernetes.io/hostname", nodeName).Node
-	workerNodeSlice = st.MakeResourceSlice(nodeName, driver).Device("instance-1", nil).Obj()
+	workerNodeSlice = st.MakeResourceSlice(nodeName, driver).Device("instance-1").Obj()
 
 	// Node with same device, but now with a "healthy" boolean attribute.
 	workerNode2      = &st.MakeNode().Name(node2Name).Label("kubernetes.io/hostname", node2Name).Node
diff --git a/pkg/scheduler/testing/wrappers.go b/pkg/scheduler/testing/wrappers.go
index dc9daec425f..0c4db3c7685 100644
--- a/pkg/scheduler/testing/wrappers.go
+++ b/pkg/scheduler/testing/wrappers.go
@@ -1188,9 +1188,23 @@ func (wrapper *ResourceSliceWrapper) Devices(names ...string) *ResourceSliceWrap
 	return wrapper
 }
 
-// Device sets the devices field of the inner object.
-func (wrapper *ResourceSliceWrapper) Device(name string, attrs map[resourceapi.QualifiedName]resourceapi.DeviceAttribute) *ResourceSliceWrapper {
-	wrapper.Spec.Devices = append(wrapper.Spec.Devices, resourceapi.Device{Name: name, Basic: &resourceapi.BasicDevice{Attributes: attrs}})
+// Device extends the devices field of the inner object.
+// The device must have a name and may have arbitrary additional fields.
+func (wrapper *ResourceSliceWrapper) Device(name string, otherFields ...any) *ResourceSliceWrapper {
+	device := resourceapi.Device{Name: name, Basic: &resourceapi.BasicDevice{}}
+	for _, field := range otherFields {
+		switch typedField := field.(type) {
+		case map[resourceapi.QualifiedName]resourceapi.DeviceAttribute:
+			device.Basic.Attributes = typedField
+		case map[resourceapi.QualifiedName]resourceapi.DeviceCapacity:
+			device.Basic.Capacity = typedField
+		case resourceapi.DeviceTaint:
+			device.Basic.Taints = append(device.Basic.Taints, typedField)
+		default:
+			panic(fmt.Sprintf("expected a type which matches a field in BasicDevice, got %T", field))
+		}
+	}
+	wrapper.Spec.Devices = append(wrapper.Spec.Devices, device)
 	return wrapper
 }
 
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
index 1f7858b3011..ec9cea0314f 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
@@ -215,6 +215,24 @@ func buildControllerRoles() ([]rbacv1.ClusterRole, []rbacv1.ClusterRoleBinding)
 				eventsRule(),
 			},
 		})
+		if utilfeature.DefaultFeatureGate.Enabled(features.DRADeviceTaints) {
+			addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
+				// Same name as in k8s.io/kubernetes/cmd/kube-controller-manager/names.
+				ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "device-taint-eviction-controller"},
+				Rules: []rbacv1.PolicyRule{
+					// Deletes pods to evict them.
+					rbacv1helpers.NewRule("get", "list", "watch", "delete").Groups(legacyGroup).Resources("pods").RuleOrDie(),
+					// Sets pod conditions.
+					rbacv1helpers.NewRule("update", "patch").Groups(legacyGroup).Resources("pods/status").RuleOrDie(),
+					// The rest is read-only.
+					rbacv1helpers.NewRule("get", "list", "watch").Groups(resourceGroup).Resources("resourceclaims").RuleOrDie(),
+					rbacv1helpers.NewRule("get", "list", "watch").Groups(resourceGroup).Resources("resourceslices").RuleOrDie(),
+					rbacv1helpers.NewRule("get", "list", "watch").Groups(resourceGroup).Resources("deviceclasses").RuleOrDie(),
+					rbacv1helpers.NewRule("get", "list", "watch").Groups(resourceGroup).Resources("devicetaintrules").RuleOrDie(),
+					eventsRule(),
+				},
+			})
+		}
 	}
 
 	addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{

From 5760a4f2820a16c60e226ed9d7b977ca445284ee Mon Sep 17 00:00:00 2001
From: Jon Huhn <nojnhuh@users.noreply.github.com>
Date: Wed, 26 Feb 2025 17:07:23 -0600
Subject: [PATCH 08/11] DRA scheduler: device taints and tolerations

Thanks to the tracker, the plugin sees all taints directly in the device
definition and can compare it against the tolerations of a request while
trying to find a device for the request.

When the feature is turnedd off, taints are ignored during scheduling.
---
 pkg/scheduler/eventhandlers.go                |   4 +-
 pkg/scheduler/eventhandlers_test.go           |  43 ++-
 .../lister_contract_test.go                   |   2 +-
 pkg/scheduler/framework/listers.go            |   9 +-
 .../plugins/dynamicresources/dra_manager.go   |  12 +-
 .../dynamicresources/dynamicresources.go      |   6 +-
 .../dynamicresources/dynamicresources_test.go |  78 ++++-
 .../framework/plugins/feature/feature.go      |   1 +
 pkg/scheduler/framework/plugins/registry.go   |   1 +
 pkg/scheduler/scheduler.go                    |  21 +-
 .../authorizer/rbac/bootstrappolicy/policy.go |   3 +
 .../testdata/cluster-roles-featuregates.yaml  |   8 +
 .../structured/allocator.go                   |  37 +++
 .../structured/allocator_test.go              | 290 ++++++++++++++++--
 test/integration/scheduler_perf/dra.go        |  26 +-
 .../dra/performance-config.yaml               |  63 +++-
 .../dra/templates/devicetaintrule.yaml        |  11 +
 .../resourceclaimtemplate-toleration.yaml     |  13 +
 18 files changed, 577 insertions(+), 51 deletions(-)
 create mode 100644 test/integration/scheduler_perf/dra/templates/devicetaintrule.yaml
 create mode 100644 test/integration/scheduler_perf/dra/templates/resourceclaimtemplate-toleration.yaml

diff --git a/pkg/scheduler/eventhandlers.go b/pkg/scheduler/eventhandlers.go
index a6b1f066c77..09c4200ff3a 100644
--- a/pkg/scheduler/eventhandlers.go
+++ b/pkg/scheduler/eventhandlers.go
@@ -33,6 +33,7 @@ import (
 	"k8s.io/client-go/tools/cache"
 	corev1helpers "k8s.io/component-helpers/scheduling/corev1"
 	corev1nodeaffinity "k8s.io/component-helpers/scheduling/corev1/nodeaffinity"
+	resourceslicetracker "k8s.io/dynamic-resource-allocation/resourceslice/tracker"
 	"k8s.io/klog/v2"
 	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/pkg/scheduler/backend/queue"
@@ -366,6 +367,7 @@ func addAllEventHandlers(
 	informerFactory informers.SharedInformerFactory,
 	dynInformerFactory dynamicinformer.DynamicSharedInformerFactory,
 	resourceClaimCache *assumecache.AssumeCache,
+	resourceSliceTracker *resourceslicetracker.Tracker,
 	gvkMap map[framework.EventResource]framework.ActionType,
 ) error {
 	var (
@@ -555,7 +557,7 @@ func addAllEventHandlers(
 			}
 		case framework.ResourceSlice:
 			if utilfeature.DefaultFeatureGate.Enabled(features.DynamicResourceAllocation) {
-				if handlerRegistration, err = informerFactory.Resource().V1beta1().ResourceSlices().Informer().AddEventHandler(
+				if handlerRegistration, err = resourceSliceTracker.AddEventHandler(
 					buildEvtResHandler(at, framework.ResourceSlice),
 				); err != nil {
 					return err
diff --git a/pkg/scheduler/eventhandlers_test.go b/pkg/scheduler/eventhandlers_test.go
index 935e0005a61..a1bd9321d01 100644
--- a/pkg/scheduler/eventhandlers_test.go
+++ b/pkg/scheduler/eventhandlers_test.go
@@ -28,12 +28,14 @@ import (
 	appsv1 "k8s.io/api/apps/v1"
 	batchv1 "k8s.io/api/batch/v1"
 	v1 "k8s.io/api/core/v1"
+	resourcealphaapi "k8s.io/api/resource/v1alpha3"
 	resourceapi "k8s.io/api/resource/v1beta1"
 	storagev1 "k8s.io/api/storage/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	"k8s.io/apimachinery/pkg/util/sets"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
+	resourceslicetracker "k8s.io/dynamic-resource-allocation/resourceslice/tracker"
 	"k8s.io/klog/v2"
 	"k8s.io/klog/v2/ktesting"
 
@@ -395,6 +397,7 @@ func TestAddAllEventHandlers(t *testing.T) {
 		name                   string
 		gvkMap                 map[framework.EventResource]framework.ActionType
 		enableDRA              bool
+		enableDRADeviceTaints  bool
 		expectStaticInformers  map[reflect.Type]bool
 		expectDynamicInformers map[schema.GroupVersionResource]bool
 	}{
@@ -423,7 +426,7 @@ func TestAddAllEventHandlers(t *testing.T) {
 			expectDynamicInformers: map[schema.GroupVersionResource]bool{},
 		},
 		{
-			name: "all DRA events enabled",
+			name: "core DRA events enabled",
 			gvkMap: map[framework.EventResource]framework.ActionType{
 				framework.ResourceClaim: framework.Add,
 				framework.ResourceSlice: framework.Add,
@@ -440,6 +443,26 @@ func TestAddAllEventHandlers(t *testing.T) {
 			},
 			expectDynamicInformers: map[schema.GroupVersionResource]bool{},
 		},
+		{
+			name: "all DRA events enabled",
+			gvkMap: map[framework.EventResource]framework.ActionType{
+				framework.ResourceClaim: framework.Add,
+				framework.ResourceSlice: framework.Add,
+				framework.DeviceClass:   framework.Add,
+			},
+			enableDRA:             true,
+			enableDRADeviceTaints: true,
+			expectStaticInformers: map[reflect.Type]bool{
+				reflect.TypeOf(&v1.Pod{}):                           true,
+				reflect.TypeOf(&v1.Node{}):                          true,
+				reflect.TypeOf(&v1.Namespace{}):                     true,
+				reflect.TypeOf(&resourceapi.ResourceClaim{}):        true,
+				reflect.TypeOf(&resourceapi.ResourceSlice{}):        true,
+				reflect.TypeOf(&resourcealphaapi.DeviceTaintRule{}): true,
+				reflect.TypeOf(&resourceapi.DeviceClass{}):          true,
+			},
+			expectDynamicInformers: map[schema.GroupVersionResource]bool{},
+		},
 		{
 			name: "add GVKs handlers defined in framework dynamically",
 			gvkMap: map[framework.EventResource]framework.ActionType{
@@ -499,6 +522,7 @@ func TestAddAllEventHandlers(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DynamicResourceAllocation, tt.enableDRA)
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DRADeviceTaints, tt.enableDRADeviceTaints)
 
 			logger, ctx := ktesting.NewTestContext(t)
 			ctx, cancel := context.WithCancel(ctx)
@@ -515,12 +539,27 @@ func TestAddAllEventHandlers(t *testing.T) {
 			dynclient := dyfake.NewSimpleDynamicClient(scheme)
 			dynInformerFactory := dynamicinformer.NewDynamicSharedInformerFactory(dynclient, 0)
 			var resourceClaimCache *assumecache.AssumeCache
+			var resourceSliceTracker *resourceslicetracker.Tracker
 			if utilfeature.DefaultFeatureGate.Enabled(features.DynamicResourceAllocation) {
 				resourceClaimInformer := informerFactory.Resource().V1beta1().ResourceClaims().Informer()
 				resourceClaimCache = assumecache.NewAssumeCache(logger, resourceClaimInformer, "ResourceClaim", "", nil)
+				var err error
+				opts := resourceslicetracker.Options{
+					EnableDeviceTaints: utilfeature.DefaultFeatureGate.Enabled(features.DRADeviceTaints),
+					SliceInformer:      informerFactory.Resource().V1beta1().ResourceSlices(),
+				}
+				if opts.EnableDeviceTaints {
+					opts.TaintInformer = informerFactory.Resource().V1alpha3().DeviceTaintRules()
+					opts.ClassInformer = informerFactory.Resource().V1beta1().DeviceClasses()
+
+				}
+				resourceSliceTracker, err = resourceslicetracker.StartTracker(ctx, opts)
+				if err != nil {
+					t.Fatalf("couldn't start resource slice tracker: %v", err)
+				}
 			}
 
-			if err := addAllEventHandlers(&testSched, informerFactory, dynInformerFactory, resourceClaimCache, tt.gvkMap); err != nil {
+			if err := addAllEventHandlers(&testSched, informerFactory, dynInformerFactory, resourceClaimCache, resourceSliceTracker, tt.gvkMap); err != nil {
 				t.Fatalf("Add event handlers failed, error = %v", err)
 			}
 
diff --git a/pkg/scheduler/framework/autoscaler_contract/lister_contract_test.go b/pkg/scheduler/framework/autoscaler_contract/lister_contract_test.go
index 77528ff001c..23335adf1b8 100644
--- a/pkg/scheduler/framework/autoscaler_contract/lister_contract_test.go
+++ b/pkg/scheduler/framework/autoscaler_contract/lister_contract_test.go
@@ -72,7 +72,7 @@ func (c *shareListerContract) StorageInfos() framework.StorageInfoLister {
 
 type resourceSliceListerContract struct{}
 
-func (c *resourceSliceListerContract) List() ([]*resourceapi.ResourceSlice, error) {
+func (c *resourceSliceListerContract) ListWithDeviceTaintRules() ([]*resourceapi.ResourceSlice, error) {
 	return nil, nil
 }
 
diff --git a/pkg/scheduler/framework/listers.go b/pkg/scheduler/framework/listers.go
index f6e04dfa8f2..e56266ba1c6 100644
--- a/pkg/scheduler/framework/listers.go
+++ b/pkg/scheduler/framework/listers.go
@@ -50,8 +50,13 @@ type SharedLister interface {
 
 // ResourceSliceLister can be used to obtain ResourceSlices.
 type ResourceSliceLister interface {
-	// List returns a list of all ResourceSlices.
-	List() ([]*resourceapi.ResourceSlice, error)
+	// ListWithDeviceTaintRules returns a list of all ResourceSlices with DeviceTaintRules applied
+	// if the DRADeviceTaints feature is enabled, otherwise without them.
+	//
+	// k8s.io/dynamic-resource-allocation/resourceslice/tracker provides an implementation
+	// of the necessary logic. That tracker can be instantiated as a replacement for
+	// a normal ResourceSlice informer and provides a ListPatchedResourceSlices method.
+	ListWithDeviceTaintRules() ([]*resourceapi.ResourceSlice, error)
 }
 
 // DeviceClassLister can be used to obtain DeviceClasses.
diff --git a/pkg/scheduler/framework/plugins/dynamicresources/dra_manager.go b/pkg/scheduler/framework/plugins/dynamicresources/dra_manager.go
index db10e126acf..47d3d5de4ce 100644
--- a/pkg/scheduler/framework/plugins/dynamicresources/dra_manager.go
+++ b/pkg/scheduler/framework/plugins/dynamicresources/dra_manager.go
@@ -27,6 +27,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/client-go/informers"
 	resourcelisters "k8s.io/client-go/listers/resource/v1beta1"
+	resourceslicetracker "k8s.io/dynamic-resource-allocation/resourceslice/tracker"
 	"k8s.io/dynamic-resource-allocation/structured"
 	"k8s.io/klog/v2"
 	"k8s.io/kubernetes/pkg/scheduler/framework"
@@ -44,8 +45,9 @@ type DefaultDRAManager struct {
 	deviceClassLister    *deviceClassLister
 }
 
-func NewDRAManager(ctx context.Context, claimsCache *assumecache.AssumeCache, informerFactory informers.SharedInformerFactory) *DefaultDRAManager {
+func NewDRAManager(ctx context.Context, claimsCache *assumecache.AssumeCache, resourceSliceTracker *resourceslicetracker.Tracker, informerFactory informers.SharedInformerFactory) *DefaultDRAManager {
 	logger := klog.FromContext(ctx)
+
 	manager := &DefaultDRAManager{
 		resourceClaimTracker: &claimTracker{
 			cache:               claimsCache,
@@ -53,7 +55,7 @@ func NewDRAManager(ctx context.Context, claimsCache *assumecache.AssumeCache, in
 			allocatedDevices:    newAllocatedDevices(logger),
 			logger:              logger,
 		},
-		resourceSliceLister: &resourceSliceLister{sliceLister: informerFactory.Resource().V1beta1().ResourceSlices().Lister()},
+		resourceSliceLister: &resourceSliceLister{tracker: resourceSliceTracker},
 		deviceClassLister:   &deviceClassLister{classLister: informerFactory.Resource().V1beta1().DeviceClasses().Lister()},
 	}
 
@@ -79,11 +81,11 @@ func (s *DefaultDRAManager) DeviceClasses() framework.DeviceClassLister {
 var _ framework.ResourceSliceLister = &resourceSliceLister{}
 
 type resourceSliceLister struct {
-	sliceLister resourcelisters.ResourceSliceLister
+	tracker *resourceslicetracker.Tracker
 }
 
-func (l *resourceSliceLister) List() ([]*resourceapi.ResourceSlice, error) {
-	return l.sliceLister.List(labels.Everything())
+func (l *resourceSliceLister) ListWithDeviceTaintRules() ([]*resourceapi.ResourceSlice, error) {
+	return l.tracker.ListPatchedResourceSlices()
 }
 
 var _ framework.DeviceClassLister = &deviceClassLister{}
diff --git a/pkg/scheduler/framework/plugins/dynamicresources/dynamicresources.go b/pkg/scheduler/framework/plugins/dynamicresources/dynamicresources.go
index 3b792d0bd17..5c10516240e 100644
--- a/pkg/scheduler/framework/plugins/dynamicresources/dynamicresources.go
+++ b/pkg/scheduler/framework/plugins/dynamicresources/dynamicresources.go
@@ -106,6 +106,7 @@ type DynamicResources struct {
 	enableAdminAccess         bool
 	enablePrioritizedList     bool
 	enableSchedulingQueueHint bool
+	enableDeviceTaints        bool
 
 	fh         framework.Handle
 	clientset  kubernetes.Interface
@@ -123,6 +124,7 @@ func New(ctx context.Context, plArgs runtime.Object, fh framework.Handle, fts fe
 	pl := &DynamicResources{
 		enabled:                   true,
 		enableAdminAccess:         fts.EnableDRAAdminAccess,
+		enableDeviceTaints:        fts.EnableDRADeviceTaints,
 		enablePrioritizedList:     fts.EnableDRAPrioritizedList,
 		enableSchedulingQueueHint: fts.EnableSchedulingQueueHint,
 
@@ -448,11 +450,11 @@ func (pl *DynamicResources) PreFilter(ctx context.Context, state *framework.Cycl
 		if err != nil {
 			return nil, statusError(logger, err)
 		}
-		slices, err := pl.draManager.ResourceSlices().List()
+		slices, err := pl.draManager.ResourceSlices().ListWithDeviceTaintRules()
 		if err != nil {
 			return nil, statusError(logger, err)
 		}
-		allocator, err := structured.NewAllocator(ctx, pl.enableAdminAccess, pl.enablePrioritizedList, allocateClaims, allAllocatedDevices, pl.draManager.DeviceClasses(), slices, pl.celCache)
+		allocator, err := structured.NewAllocator(ctx, pl.enableAdminAccess, pl.enablePrioritizedList, pl.enableDeviceTaints, allocateClaims, allAllocatedDevices, pl.draManager.DeviceClasses(), slices, pl.celCache)
 		if err != nil {
 			return nil, statusError(logger, err)
 		}
diff --git a/pkg/scheduler/framework/plugins/dynamicresources/dynamicresources_test.go b/pkg/scheduler/framework/plugins/dynamicresources/dynamicresources_test.go
index 50dfbd596ef..09c1515a5d6 100644
--- a/pkg/scheduler/framework/plugins/dynamicresources/dynamicresources_test.go
+++ b/pkg/scheduler/framework/plugins/dynamicresources/dynamicresources_test.go
@@ -38,6 +38,7 @@ import (
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes/fake"
 	cgotesting "k8s.io/client-go/testing"
+	resourceslicetracker "k8s.io/dynamic-resource-allocation/resourceslice/tracker"
 	"k8s.io/kubernetes/pkg/scheduler/framework"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/feature"
 	"k8s.io/kubernetes/pkg/scheduler/framework/runtime"
@@ -183,8 +184,22 @@ var (
 	otherAllocatedClaim = st.FromResourceClaim(otherClaim).
 				Allocation(allocationResult).
 				Obj()
+
+	deviceTaint = resourceapi.DeviceTaint{
+		Key:    "taint-key",
+		Value:  "taint-value",
+		Effect: resourceapi.DeviceTaintEffectNoSchedule,
+	}
 )
 
+func taintDevices(slice *resourceapi.ResourceSlice) *resourceapi.ResourceSlice {
+	slice = slice.DeepCopy()
+	for i := range slice.Spec.Devices {
+		slice.Spec.Devices[i].Basic.Taints = append(slice.Spec.Devices[i].Basic.Taints, deviceTaint)
+	}
+	return slice
+}
+
 func reserve(claim *resourceapi.ResourceClaim, pod *v1.Pod) *resourceapi.ResourceClaim {
 	return st.FromResourceClaim(claim).
 		ReservedForPod(pod.Name, types.UID(pod.UID)).
@@ -343,6 +358,7 @@ func TestPlugin(t *testing.T) {
 		disableDRA bool
 
 		enableDRAPrioritizedList bool
+		enableDRADeviceTaints    bool
 	}{
 		"empty": {
 			pod: st.MakePod().Name("foo").Namespace("default").Obj(),
@@ -604,6 +620,56 @@ func TestPlugin(t *testing.T) {
 			},
 		},
 
+		// The two test cases for device tainting only need to cover
+		// whether the feature gate is passed through to the allocator
+		// correctly. The actual logic around device taints and allocation
+		// is in the allocator.
+		"tainted-device-disabled": {
+			enableDRADeviceTaints: false,
+			pod:                   podWithClaimName,
+			claims:                []*resourceapi.ResourceClaim{pendingClaim},
+			classes:               []*resourceapi.DeviceClass{deviceClass},
+			objs:                  []apiruntime.Object{taintDevices(workerNodeSlice)},
+			want: want{
+				reserve: result{
+					inFlightClaim: allocatedClaim,
+				},
+				prebind: result{
+					assumedClaim: reserve(allocatedClaim, podWithClaimName),
+					changes: change{
+						claim: func(claim *resourceapi.ResourceClaim) *resourceapi.ResourceClaim {
+							if claim.Name == claimName {
+								claim = claim.DeepCopy()
+								claim.Finalizers = allocatedClaim.Finalizers
+								claim.Status = inUseClaim.Status
+							}
+							return claim
+						},
+					},
+				},
+				postbind: result{
+					assumedClaim: reserve(allocatedClaim, podWithClaimName),
+				},
+			},
+		},
+		"tainted-device-enabled": {
+			enableDRADeviceTaints: true,
+			pod:                   podWithClaimName,
+			claims:                []*resourceapi.ResourceClaim{pendingClaim},
+			classes:               []*resourceapi.DeviceClass{deviceClass},
+			objs:                  []apiruntime.Object{taintDevices(workerNodeSlice)},
+			want: want{
+				filter: perNodeResult{
+					workerNode.Name: {
+						status: framework.NewStatus(framework.UnschedulableAndUnresolvable, `cannot allocate all claims`),
+					},
+				},
+				postfilter: result{
+					status: framework.NewStatus(framework.Unschedulable, `still not schedulable`),
+				},
+			},
+		},
+
 		"request-admin-access-with-DRAAdminAccess-featuregate": {
 			// When the DRAAdminAccess feature gate is enabled,
 			// Because the pending claim asks for admin access,
@@ -920,6 +986,7 @@ func TestPlugin(t *testing.T) {
 			}
 			features := feature.Features{
 				EnableDRAAdminAccess:            tc.enableDRAAdminAccess,
+				EnableDRADeviceTaints:           tc.enableDRADeviceTaints,
 				EnableDynamicResourceAllocation: !tc.disableDRA,
 				EnableDRAPrioritizedList:        tc.enableDRAPrioritizedList,
 			}
@@ -1189,7 +1256,16 @@ func setup(t *testing.T, nodes []*v1.Node, claims []*resourceapi.ResourceClaim,
 	tc.client.PrependReactor("*", "*", reactor)
 
 	tc.informerFactory = informers.NewSharedInformerFactory(tc.client, 0)
-	tc.draManager = NewDRAManager(tCtx, assumecache.NewAssumeCache(tCtx.Logger(), tc.informerFactory.Resource().V1beta1().ResourceClaims().Informer(), "resource claim", "", nil), tc.informerFactory)
+	resourceSliceTrackerOpts := resourceslicetracker.Options{
+		EnableDeviceTaints: true,
+		SliceInformer:      tc.informerFactory.Resource().V1beta1().ResourceSlices(),
+		TaintInformer:      tc.informerFactory.Resource().V1alpha3().DeviceTaintRules(),
+		ClassInformer:      tc.informerFactory.Resource().V1beta1().DeviceClasses(),
+		KubeClient:         tc.client,
+	}
+	resourceSliceTracker, err := resourceslicetracker.StartTracker(tCtx, resourceSliceTrackerOpts)
+	require.NoError(t, err, "couldn't start resource slice tracker")
+	tc.draManager = NewDRAManager(tCtx, assumecache.NewAssumeCache(tCtx.Logger(), tc.informerFactory.Resource().V1beta1().ResourceClaims().Informer(), "resource claim", "", nil), resourceSliceTracker, tc.informerFactory)
 	opts := []runtime.Option{
 		runtime.WithClientSet(tc.client),
 		runtime.WithInformerFactory(tc.informerFactory),
diff --git a/pkg/scheduler/framework/plugins/feature/feature.go b/pkg/scheduler/framework/plugins/feature/feature.go
index 0b598525001..34ff221b108 100644
--- a/pkg/scheduler/framework/plugins/feature/feature.go
+++ b/pkg/scheduler/framework/plugins/feature/feature.go
@@ -22,6 +22,7 @@ package feature
 type Features struct {
 	EnableDRAPrioritizedList                     bool
 	EnableDRAAdminAccess                         bool
+	EnableDRADeviceTaints                        bool
 	EnableDynamicResourceAllocation              bool
 	EnableVolumeCapacityPriority                 bool
 	EnableVolumeAttributesClass                  bool
diff --git a/pkg/scheduler/framework/plugins/registry.go b/pkg/scheduler/framework/plugins/registry.go
index 1579ba9b1ec..998f4c5d796 100644
--- a/pkg/scheduler/framework/plugins/registry.go
+++ b/pkg/scheduler/framework/plugins/registry.go
@@ -48,6 +48,7 @@ func NewInTreeRegistry() runtime.Registry {
 	fts := plfeature.Features{
 		EnableDRAPrioritizedList:                     feature.DefaultFeatureGate.Enabled(features.DRAPrioritizedList),
 		EnableDRAAdminAccess:                         feature.DefaultFeatureGate.Enabled(features.DRAAdminAccess),
+		EnableDRADeviceTaints:                        feature.DefaultFeatureGate.Enabled(features.DRADeviceTaints),
 		EnableDynamicResourceAllocation:              feature.DefaultFeatureGate.Enabled(features.DynamicResourceAllocation),
 		EnableVolumeCapacityPriority:                 feature.DefaultFeatureGate.Enabled(features.VolumeCapacityPriority),
 		EnableVolumeAttributesClass:                  feature.DefaultFeatureGate.Enabled(features.VolumeAttributesClass),
diff --git a/pkg/scheduler/scheduler.go b/pkg/scheduler/scheduler.go
index 857fa1af9e8..27cc8b294f6 100644
--- a/pkg/scheduler/scheduler.go
+++ b/pkg/scheduler/scheduler.go
@@ -33,6 +33,7 @@ import (
 	clientset "k8s.io/client-go/kubernetes"
 	restclient "k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/cache"
+	resourceslicetracker "k8s.io/dynamic-resource-allocation/resourceslice/tracker"
 	"k8s.io/klog/v2"
 	configv1 "k8s.io/kube-scheduler/config/v1"
 	"k8s.io/kubernetes/pkg/features"
@@ -307,11 +308,27 @@ func New(ctx context.Context,
 	waitingPods := frameworkruntime.NewWaitingPodsMap()
 
 	var resourceClaimCache *assumecache.AssumeCache
+	var resourceSliceTracker *resourceslicetracker.Tracker
 	var draManager framework.SharedDRAManager
 	if utilfeature.DefaultFeatureGate.Enabled(features.DynamicResourceAllocation) {
 		resourceClaimInformer := informerFactory.Resource().V1beta1().ResourceClaims().Informer()
 		resourceClaimCache = assumecache.NewAssumeCache(logger, resourceClaimInformer, "ResourceClaim", "", nil)
-		draManager = dynamicresources.NewDRAManager(ctx, resourceClaimCache, informerFactory)
+		resourceSliceTrackerOpts := resourceslicetracker.Options{
+			EnableDeviceTaints: utilfeature.DefaultFeatureGate.Enabled(features.DRADeviceTaints),
+			SliceInformer:      informerFactory.Resource().V1beta1().ResourceSlices(),
+			KubeClient:         client,
+		}
+		// If device taints are disabled, the additional informers are not needed and
+		// the tracker turns into a simple wrapper around the slice informer.
+		if resourceSliceTrackerOpts.EnableDeviceTaints {
+			resourceSliceTrackerOpts.TaintInformer = informerFactory.Resource().V1alpha3().DeviceTaintRules()
+			resourceSliceTrackerOpts.ClassInformer = informerFactory.Resource().V1beta1().DeviceClasses()
+		}
+		resourceSliceTracker, err = resourceslicetracker.StartTracker(ctx, resourceSliceTrackerOpts)
+		if err != nil {
+			return nil, fmt.Errorf("couldn't start resource slice tracker: %w", err)
+		}
+		draManager = dynamicresources.NewDRAManager(ctx, resourceClaimCache, resourceSliceTracker, informerFactory)
 	}
 
 	profiles, err := profile.NewMap(ctx, options.profiles, registry, recorderFactory,
@@ -389,7 +406,7 @@ func New(ctx context.Context,
 	sched.NextPod = podQueue.Pop
 	sched.applyDefaultHandlers()
 
-	if err = addAllEventHandlers(sched, informerFactory, dynInformerFactory, resourceClaimCache, unionedGVKs(queueingHintsPerProfile)); err != nil {
+	if err = addAllEventHandlers(sched, informerFactory, dynInformerFactory, resourceClaimCache, resourceSliceTracker, unionedGVKs(queueingHintsPerProfile)); err != nil {
 		return nil, fmt.Errorf("adding event handlers: %w", err)
 	}
 
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index 34a362a2f8e..2ec187937c0 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -628,6 +628,9 @@ func ClusterRoles() []rbacv1.ClusterRole {
 			rbacv1helpers.NewRule(ReadUpdate...).Groups(legacyGroup).Resources("pods/finalizers").RuleOrDie(),
 			rbacv1helpers.NewRule(Read...).Groups(resourceGroup).Resources("resourceslices").RuleOrDie(),
 		)
+		if utilfeature.DefaultFeatureGate.Enabled(features.DynamicResourceAllocation) {
+			kubeSchedulerRules = append(kubeSchedulerRules, rbacv1helpers.NewRule(Read...).Groups(resourceGroup).Resources("devicetaintrules").RuleOrDie())
+		}
 	}
 	roles = append(roles, rbacv1.ClusterRole{
 		// a role to use for the kube-scheduler
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles-featuregates.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles-featuregates.yaml
index 1e707ad9064..894f8c98cd1 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles-featuregates.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles-featuregates.yaml
@@ -968,6 +968,14 @@ items:
     - get
     - list
     - watch
+  - apiGroups:
+    - resource.k8s.io
+    resources:
+    - devicetaintrules
+    verbs:
+    - get
+    - list
+    - watch
 - apiVersion: rbac.authorization.k8s.io/v1
   kind: ClusterRole
   metadata:
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/structured/allocator.go b/staging/src/k8s.io/dynamic-resource-allocation/structured/allocator.go
index 4a4b5add94b..382e4aca06f 100644
--- a/staging/src/k8s.io/dynamic-resource-allocation/structured/allocator.go
+++ b/staging/src/k8s.io/dynamic-resource-allocation/structured/allocator.go
@@ -29,6 +29,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/sets"
 	draapi "k8s.io/dynamic-resource-allocation/api"
 	"k8s.io/dynamic-resource-allocation/cel"
+	"k8s.io/dynamic-resource-allocation/resourceclaim"
 	"k8s.io/klog/v2"
 	"k8s.io/utils/ptr"
 )
@@ -49,6 +50,7 @@ type deviceClassLister interface {
 type Allocator struct {
 	adminAccessEnabled     bool
 	prioritizedListEnabled bool
+	deviceTaintsEnabled    bool
 	claimsToAllocate       []*resourceapi.ResourceClaim
 	allocatedDevices       sets.Set[DeviceID]
 	classLister            deviceClassLister
@@ -63,6 +65,7 @@ type Allocator struct {
 func NewAllocator(ctx context.Context,
 	adminAccessEnabled bool,
 	prioritizedListEnabled bool,
+	deviceTaintsEnabled bool,
 	claimsToAllocate []*resourceapi.ResourceClaim,
 	allocatedDevices sets.Set[DeviceID],
 	classLister deviceClassLister,
@@ -72,6 +75,7 @@ func NewAllocator(ctx context.Context,
 	return &Allocator{
 		adminAccessEnabled:     adminAccessEnabled,
 		prioritizedListEnabled: prioritizedListEnabled,
+		deviceTaintsEnabled:    deviceTaintsEnabled,
 		claimsToAllocate:       claimsToAllocate,
 		allocatedDevices:       allocatedDevices,
 		classLister:            classLister,
@@ -956,6 +960,12 @@ func (alloc *allocator) allocateDevice(r deviceIndices, device deviceWithID, mus
 		subRequestName = requestData.request.name()
 	}
 
+	// Might be tainted, in which case the taint has to be tolerated.
+	// The check is skipped if the feature is disabled.
+	if alloc.deviceTaintsEnabled && !allTaintsTolerated(device.basic, request) {
+		return false, nil, nil
+	}
+
 	// It's available. Now check constraints.
 	for i, constraint := range alloc.constraints[r.claimIndex] {
 		added := constraint.add(baseRequestName, subRequestName, device.basic, device.id)
@@ -1005,6 +1015,24 @@ func (alloc *allocator) allocateDevice(r deviceIndices, device deviceWithID, mus
 	}, nil
 }
 
+func allTaintsTolerated(device *draapi.BasicDevice, request requestAccessor) bool {
+	for _, taint := range device.Taints {
+		if !taintTolerated(taint, request) {
+			return false
+		}
+	}
+	return true
+}
+
+func taintTolerated(taint resourceapi.DeviceTaint, request requestAccessor) bool {
+	for _, toleration := range request.tolerations() {
+		if resourceclaim.ToleratesTaint(toleration, taint) {
+			return true
+		}
+	}
+	return false
+}
+
 // createNodeSelector constructs a node selector for the allocation, if needed,
 // otherwise it returns nil.
 func (alloc *allocator) createNodeSelector(result []internalDeviceResult) (*v1.NodeSelector, error) {
@@ -1065,6 +1093,7 @@ type requestAccessor interface {
 	adminAccess() bool
 	hasAdminAccess() bool
 	selectors() []resourceapi.DeviceSelector
+	tolerations() []resourceapi.DeviceToleration
 }
 
 // deviceRequestAccessor is an implementation of the
@@ -1101,6 +1130,10 @@ func (d *deviceRequestAccessor) selectors() []resourceapi.DeviceSelector {
 	return d.request.Selectors
 }
 
+func (d *deviceRequestAccessor) tolerations() []resourceapi.DeviceToleration {
+	return d.request.Tolerations
+}
+
 // deviceSubRequestAccessor is an implementation of the
 // requestAccessor interface for DeviceSubRequests.
 type deviceSubRequestAccessor struct {
@@ -1135,6 +1168,10 @@ func (d *deviceSubRequestAccessor) selectors() []resourceapi.DeviceSelector {
 	return d.subRequest.Selectors
 }
 
+func (d *deviceSubRequestAccessor) tolerations() []resourceapi.DeviceToleration {
+	return d.subRequest.Tolerations
+}
+
 func addNewNodeSelectorRequirements(from []v1.NodeSelectorRequirement, to *[]v1.NodeSelectorRequirement) {
 	for _, requirement := range from {
 		if !containsNodeSelectorRequirement(*to, requirement) {
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/structured/allocator_test.go b/staging/src/k8s.io/dynamic-resource-allocation/structured/allocator_test.go
index 992bf046906..ce362e0c521 100644
--- a/staging/src/k8s.io/dynamic-resource-allocation/structured/allocator_test.go
+++ b/staging/src/k8s.io/dynamic-resource-allocation/structured/allocator_test.go
@@ -147,8 +147,8 @@ func classWithConfig(name, driver, attribute string) *resourceapi.DeviceClass {
 }
 
 // generate a ResourceClaim object with the given name and device requests.
-func claimWithRequests(name string, constraints []resourceapi.DeviceConstraint, requests ...resourceapi.DeviceRequest) *resourceapi.ResourceClaim {
-	return &resourceapi.ResourceClaim{
+func claimWithRequests(name string, constraints []resourceapi.DeviceConstraint, requests ...resourceapi.DeviceRequest) wrapResourceClaim {
+	return wrapResourceClaim{&resourceapi.ResourceClaim{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: name,
 		},
@@ -158,7 +158,7 @@ func claimWithRequests(name string, constraints []resourceapi.DeviceConstraint,
 				Constraints: constraints,
 			},
 		},
-	}
+	}}
 }
 
 // generate a DeviceRequest object with the given name, class and selectors.
@@ -191,14 +191,28 @@ func requestWithPrioritizedList(name string, prioritizedRequests ...resourceapi.
 }
 
 // generate a ResourceClaim object with the given name, request and class.
-func claim(name, req, class string, constraints ...resourceapi.DeviceConstraint) *resourceapi.ResourceClaim {
+func claim(name, req, class string, constraints ...resourceapi.DeviceConstraint) wrapResourceClaim {
 	claim := claimWithRequests(name, constraints, request(req, class, 1))
 	return claim
 }
 
+type wrapResourceClaim struct{ *resourceapi.ResourceClaim }
+
+func (in wrapResourceClaim) obj() *resourceapi.ResourceClaim {
+	return in.ResourceClaim
+}
+
+func (in wrapResourceClaim) withTolerations(tolerations ...resourceapi.DeviceToleration) wrapResourceClaim {
+	out := in.DeepCopy()
+	for i := range out.Spec.Devices.Requests {
+		out.Spec.Devices.Requests[i].Tolerations = append(out.Spec.Devices.Requests[i].Tolerations, tolerations...)
+	}
+	return wrapResourceClaim{out}
+}
+
 // generate a ResourceClaim object with the given name, request, class, and attribute.
 // attribute is used to generate parameters in a form of JSON {attribute: attributeValue}.
-func claimWithDeviceConfig(name, request, class, driver, attribute string) *resourceapi.ResourceClaim {
+func claimWithDeviceConfig(name, request, class, driver, attribute string) wrapResourceClaim {
 	claim := claim(name, request, class)
 	claim.Spec.Devices.Config = []resourceapi.DeviceClaimConfiguration{
 		{
@@ -208,7 +222,7 @@ func claimWithDeviceConfig(name, request, class, driver, attribute string) *reso
 	return claim
 }
 
-func claimWithAll(name string, requests []resourceapi.DeviceRequest, constraints []resourceapi.DeviceConstraint, configs []resourceapi.DeviceClaimConfiguration) *resourceapi.ResourceClaim {
+func claimWithAll(name string, requests []resourceapi.DeviceRequest, constraints []resourceapi.DeviceConstraint, configs []resourceapi.DeviceClaimConfiguration) wrapResourceClaim {
 	claim := claimWithRequests(name, constraints, requests...)
 	claim.Spec.Devices.Config = configs
 	return claim
@@ -222,7 +236,7 @@ func deviceClaimConfig(requests []string, deviceConfig resourceapi.DeviceConfigu
 }
 
 // generate a Device object with the given name, capacity and attributes.
-func device(name string, capacity map[resourceapi.QualifiedName]resource.Quantity, attributes map[resourceapi.QualifiedName]resourceapi.DeviceAttribute) resourceapi.Device {
+func device(name string, capacity map[resourceapi.QualifiedName]resource.Quantity, attributes map[resourceapi.QualifiedName]resourceapi.DeviceAttribute) wrapDevice {
 	device := resourceapi.Device{
 		Name: name,
 		Basic: &resourceapi.BasicDevice{
@@ -233,14 +247,27 @@ func device(name string, capacity map[resourceapi.QualifiedName]resource.Quantit
 	for name, quantity := range capacity {
 		device.Basic.Capacity[name] = resourceapi.DeviceCapacity{Value: quantity}
 	}
-	return device
+	return wrapDevice(device)
+}
+
+type wrapDevice resourceapi.Device
+
+func (in wrapDevice) obj() resourceapi.Device {
+	return resourceapi.Device(in)
+}
+
+func (in wrapDevice) withTaints(taints ...resourceapi.DeviceTaint) wrapDevice {
+	inDevice := resourceapi.Device(in)
+	device := inDevice.DeepCopy()
+	device.Basic.Taints = append(device.Basic.Taints, taints...)
+	return wrapDevice(*device)
 }
 
 // generate a ResourceSlice object with the given name, node,
 // driver and pool names, generation and a list of devices.
 // The nodeSelection parameter may be a string (= node name),
 // true (= all nodes), or a node selector (= specific nodes).
-func slice(name string, nodeSelection any, pool, driver string, devices ...resourceapi.Device) *resourceapi.ResourceSlice {
+func slice(name string, nodeSelection any, pool, driver string, devices ...wrapDevice) *resourceapi.ResourceSlice {
 	slice := &resourceapi.ResourceSlice{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: name,
@@ -252,10 +279,11 @@ func slice(name string, nodeSelection any, pool, driver string, devices ...resou
 				ResourceSliceCount: 1,
 				Generation:         1,
 			},
-			Devices: devices,
 		},
 	}
-
+	for _, device := range devices {
+		slice.Spec.Devices = append(slice.Spec.Devices, resourceapi.Device(device))
+	}
 	switch nodeSelection := nodeSelection.(type) {
 	case *v1.NodeSelector:
 		slice.Spec.NodeSelector = nodeSelection
@@ -389,6 +417,19 @@ func objects[T any](objs ...T) []T {
 	return objs
 }
 
+// convert a list of wrapper objects to a slice
+func unwrap[T any, O wrapper[T]](objs ...O) []T {
+	out := make([]T, len(objs))
+	for i, obj := range objs {
+		out[i] = obj.obj()
+	}
+	return out
+}
+
+type wrapper[T any] interface {
+	obj() T
+}
+
 // generate a ResourceSlice object with the given parameters and no devices
 func sliceWithNoDevices(name string, nodeSelection any, pool, driver string) *resourceapi.ResourceSlice {
 	return slice(name, nodeSelection, pool, driver)
@@ -401,7 +442,7 @@ func sliceWithOneDevice(name string, nodeSelection any, pool, driver string) *re
 
 // generate a ResourceSclie object with the given parameters and the specified number of devices.
 func sliceWithMultipleDevices(name string, nodeSelection any, pool, driver string, count int) *resourceapi.ResourceSlice {
-	var devices []resourceapi.Device
+	var devices []wrapDevice
 	for i := 0; i < count; i++ {
 		devices = append(devices, device(fmt.Sprintf("device-%d", i), nil, nil))
 	}
@@ -414,11 +455,36 @@ func TestAllocator(t *testing.T) {
 	stringAttribute := resourceapi.FullyQualifiedName(driverA + "/" + "stringAttribute")
 	versionAttribute := resourceapi.FullyQualifiedName(driverA + "/" + "driverVersion")
 	intAttribute := resourceapi.FullyQualifiedName(driverA + "/" + "numa")
+	taintKey := "taint-key"
+	taintValue := "taint-value"
+	taintValue2 := "taint-value-2"
+	taintNoSchedule := resourceapi.DeviceTaint{
+		Key:    taintKey,
+		Value:  taintValue,
+		Effect: resourceapi.DeviceTaintEffectNoSchedule,
+	}
+	taintNoExecute := resourceapi.DeviceTaint{
+		Key:    taintKey,
+		Value:  taintValue2,
+		Effect: resourceapi.DeviceTaintEffectNoExecute,
+	}
+	tolerationNoSchedule := resourceapi.DeviceToleration{
+		Operator: resourceapi.DeviceTolerationOpExists,
+		Key:      taintKey,
+		Effect:   resourceapi.DeviceTaintEffectNoSchedule,
+	}
+	tolerationNoExecute := resourceapi.DeviceToleration{
+		Operator: resourceapi.DeviceTolerationOpEqual,
+		Key:      taintKey,
+		Value:    taintValue2,
+		Effect:   resourceapi.DeviceTaintEffectNoExecute,
+	}
 
 	testcases := map[string]struct {
 		adminAccess      bool
 		prioritizedList  bool
-		claimsToAllocate []*resourceapi.ResourceClaim
+		deviceTaints     bool
+		claimsToAllocate []wrapResourceClaim
 		allocatedDevices []DeviceID
 		classes          []*resourceapi.DeviceClass
 		slices           []*resourceapi.ResourceSlice
@@ -955,11 +1021,11 @@ func TestAllocator(t *testing.T) {
 		},
 		"all-devices-some-allocated-admin-access": {
 			adminAccess: true,
-			claimsToAllocate: func() []*resourceapi.ResourceClaim {
+			claimsToAllocate: func() []wrapResourceClaim {
 				c := claim(claim0, req0, classA)
 				c.Spec.Devices.Requests[0].AdminAccess = ptr.To(true)
 				c.Spec.Devices.Requests[0].AllocationMode = resourceapi.DeviceAllocationModeAll
-				return []*resourceapi.ResourceClaim{c}
+				return []wrapResourceClaim{c}
 			}(),
 			allocatedDevices: []DeviceID{
 				MakeDeviceID(driverA, pool1, device1),
@@ -978,7 +1044,7 @@ func TestAllocator(t *testing.T) {
 		"all-devices-slice-without-devices-prioritized-list": {
 			prioritizedList: true,
 			claimsToAllocate: objects(
-				func() *resourceapi.ResourceClaim {
+				func() wrapResourceClaim {
 					claim := claimWithRequests(claim0, nil,
 						requestWithPrioritizedList(req0,
 							subRequest(subReq0, classA, 1),
@@ -1004,7 +1070,7 @@ func TestAllocator(t *testing.T) {
 		"all-devices-no-slices-prioritized-list": {
 			prioritizedList: true,
 			claimsToAllocate: objects(
-				func() *resourceapi.ResourceClaim {
+				func() wrapResourceClaim {
 					claim := claimWithRequests(claim0, nil,
 						requestWithPrioritizedList(req0,
 							subRequest(subReq0, classA, 1),
@@ -1029,7 +1095,7 @@ func TestAllocator(t *testing.T) {
 		"all-devices-some-allocated-prioritized-list": {
 			prioritizedList: true,
 			claimsToAllocate: objects(
-				func() *resourceapi.ResourceClaim {
+				func() wrapResourceClaim {
 					claim := claimWithRequests(claim0, nil,
 						requestWithPrioritizedList(req0,
 							subRequest(subReq0, classA, 1),
@@ -1152,10 +1218,10 @@ func TestAllocator(t *testing.T) {
 		},
 		"admin-access-disabled": {
 			adminAccess: false,
-			claimsToAllocate: func() []*resourceapi.ResourceClaim {
+			claimsToAllocate: func() []wrapResourceClaim {
 				c := claim(claim0, req0, classA)
 				c.Spec.Devices.Requests[0].AdminAccess = ptr.To(true)
-				return []*resourceapi.ResourceClaim{c}
+				return []wrapResourceClaim{c}
 			}(),
 			classes: objects(class(classA, driverA)),
 			slices:  objects(sliceWithOneDevice(slice1, node1, pool1, driverA)),
@@ -1166,10 +1232,10 @@ func TestAllocator(t *testing.T) {
 		},
 		"admin-access-enabled": {
 			adminAccess: true,
-			claimsToAllocate: func() []*resourceapi.ResourceClaim {
+			claimsToAllocate: func() []wrapResourceClaim {
 				c := claim(claim0, req0, classA)
 				c.Spec.Devices.Requests[0].AdminAccess = ptr.To(true)
-				return []*resourceapi.ResourceClaim{c}
+				return []wrapResourceClaim{c}
 			}(),
 			allocatedDevices: []DeviceID{
 				MakeDeviceID(driverA, pool1, device1),
@@ -1250,7 +1316,7 @@ func TestAllocator(t *testing.T) {
 		},
 		"with-constraint-not-matching-int-attribute-all-devices": {
 			claimsToAllocate: objects(
-				func() *resourceapi.ResourceClaim {
+				func() wrapResourceClaim {
 					claim := claimWithRequests(
 						claim0,
 						[]resourceapi.DeviceConstraint{{MatchAttribute: &intAttribute}},
@@ -1434,7 +1500,7 @@ func TestAllocator(t *testing.T) {
 		},
 		"unknown-selector": {
 			claimsToAllocate: objects(
-				func() *resourceapi.ResourceClaim {
+				func() wrapResourceClaim {
 					claim := claim(claim0, req0, classA)
 					claim.Spec.Devices.Requests[0].Selectors = []resourceapi.DeviceSelector{
 						{ /* empty = unknown future selector */ },
@@ -1450,7 +1516,7 @@ func TestAllocator(t *testing.T) {
 		},
 		"unknown-allocation-mode": {
 			claimsToAllocate: objects(
-				func() *resourceapi.ResourceClaim {
+				func() wrapResourceClaim {
 					claim := claim(claim0, req0, classA)
 					claim.Spec.Devices.Requests[0].AllocationMode = resourceapi.DeviceAllocationMode("future-mode")
 					return claim
@@ -1464,7 +1530,7 @@ func TestAllocator(t *testing.T) {
 		},
 		"unknown-constraint": {
 			claimsToAllocate: objects(
-				func() *resourceapi.ResourceClaim {
+				func() wrapResourceClaim {
 					claim := claim(claim0, req0, classA)
 					claim.Spec.Devices.Constraints = []resourceapi.DeviceConstraint{
 						{ /* empty = unknown */ },
@@ -1492,7 +1558,7 @@ func TestAllocator(t *testing.T) {
 		},
 		"invalid-CEL-one-device": {
 			claimsToAllocate: objects(
-				func() *resourceapi.ResourceClaim {
+				func() wrapResourceClaim {
 					claim := claim(claim0, req0, classA)
 					claim.Spec.Devices.Requests[0].Selectors = []resourceapi.DeviceSelector{
 						{CEL: &resourceapi.CELDeviceSelector{Expression: "noSuchVar"}},
@@ -1522,7 +1588,7 @@ func TestAllocator(t *testing.T) {
 		},
 		"invalid-CEL-all-devices": {
 			claimsToAllocate: objects(
-				func() *resourceapi.ResourceClaim {
+				func() wrapResourceClaim {
 					claim := claim(claim0, req0, classA)
 					claim.Spec.Devices.Requests[0].Selectors = []resourceapi.DeviceSelector{
 						{CEL: &resourceapi.CELDeviceSelector{Expression: "noSuchVar"}},
@@ -1846,7 +1912,7 @@ func TestAllocator(t *testing.T) {
 		"prioritized-list-subrequests-with-allocation-mode-all": {
 			prioritizedList: true,
 			claimsToAllocate: objects(
-				func() *resourceapi.ResourceClaim {
+				func() wrapResourceClaim {
 					claim := claimWithRequests(claim0, nil,
 						requestWithPrioritizedList(req0,
 							subRequest(subReq0, classA, 1),
@@ -1909,7 +1975,7 @@ func TestAllocator(t *testing.T) {
 		"prioritized-list-disabled": {
 			prioritizedList: false,
 			claimsToAllocate: objects(
-				func() *resourceapi.ResourceClaim {
+				func() wrapResourceClaim {
 					claim := claimWithRequests(claim0, nil,
 						requestWithPrioritizedList(req0,
 							subRequest(subReq0, classA, 1),
@@ -2038,6 +2104,168 @@ func TestAllocator(t *testing.T) {
 				deviceAllocationResult(req0SubReq1, driverA, pool1, device1, false),
 			)},
 		},
+		"tainted-two-devices": {
+			deviceTaints:     true,
+			claimsToAllocate: objects(claim(claim0, req0, classA)),
+			classes:          objects(class(classA, driverA)),
+			slices: objects(slice(slice1, node1, pool1, driverA,
+				device(device1, nil, nil).withTaints(taintNoSchedule),
+				device(device2, nil, nil).withTaints(taintNoExecute),
+			)),
+			node: node(node1, region1),
+		},
+		"tainted-one-device-two-taints": {
+			deviceTaints:     true,
+			claimsToAllocate: objects(claim(claim0, req0, classA)),
+			classes:          objects(class(classA, driverA)),
+			slices: objects(slice(slice1, node1, pool1, driverA,
+				device(device1, nil, nil).withTaints(taintNoSchedule, taintNoExecute),
+			)),
+			node: node(node1, region1),
+		},
+		"tainted-two-devices-tolerated": {
+			deviceTaints:     true,
+			claimsToAllocate: objects(claim(claim0, req0, classA).withTolerations(tolerationNoExecute)),
+			classes:          objects(class(classA, driverA)),
+			slices: objects(slice(slice1, node1, pool1, driverA,
+				device(device1, nil, nil).withTaints(taintNoSchedule),
+				device(device2, nil, nil).withTaints(taintNoExecute),
+			)),
+			node: node(node1, region1),
+			expectResults: []any{allocationResult(
+				localNodeSelector(node1),
+				deviceAllocationResult(req0, driverA, pool1, device2, false), // Only second device's taints are tolerated.
+			)},
+		},
+		"tainted-one-device-two-taints-both-tolerated": {
+			deviceTaints:     true,
+			claimsToAllocate: objects(claim(claim0, req0, classA).withTolerations(tolerationNoSchedule, tolerationNoExecute)),
+			classes:          objects(class(classA, driverA)),
+			slices: objects(slice(slice1, node1, pool1, driverA,
+				device(device1, nil, nil).withTaints(taintNoSchedule, taintNoExecute),
+			)),
+			node: node(node1, region1),
+			expectResults: []any{allocationResult(
+				localNodeSelector(node1),
+				deviceAllocationResult(req0, driverA, pool1, device1, false),
+			)},
+		},
+		"tainted-disabled": {
+			deviceTaints:     false,
+			claimsToAllocate: objects(claim(claim0, req0, classA)),
+			classes:          objects(class(classA, driverA)),
+			slices: objects(slice(slice1, node1, pool1, driverA,
+				device(device1, nil, nil).withTaints(taintNoSchedule, taintNoExecute),
+			)),
+			node: node(node1, region1),
+			expectResults: []any{allocationResult(
+				localNodeSelector(node1),
+				deviceAllocationResult(req0, driverA, pool1, device1, false),
+			)},
+		},
+		"tainted-prioritized-list": {
+			deviceTaints:    true,
+			prioritizedList: true,
+			claimsToAllocate: objects(claimWithRequests(claim0, nil, requestWithPrioritizedList(req0,
+				subRequest(subReq0, classB, 1),
+				subRequest(subReq1, classA, 1),
+			))),
+			classes: objects(class(classA, driverA), class(classB, driverB)),
+			slices: objects(slice(slice1, node1, pool1, driverA,
+				device(device1, nil, nil).withTaints(taintNoSchedule),
+			)),
+			node: node(node1, region1),
+		},
+		"tainted-prioritized-list-disabled": {
+			deviceTaints:    false,
+			prioritizedList: true,
+			claimsToAllocate: objects(claimWithRequests(claim0, nil, requestWithPrioritizedList(req0,
+				subRequest(subReq0, classB, 1),
+				subRequest(subReq1, classA, 1),
+			))),
+			classes: objects(class(classA, driverA), class(classB, driverB)),
+			slices: objects(slice(slice1, node1, pool1, driverA,
+				device(device1, nil, nil).withTaints(taintNoSchedule),
+			)),
+			node: node(node1, region1),
+
+			expectResults: []any{allocationResult(
+				localNodeSelector(node1),
+				deviceAllocationResult(req0SubReq1, driverA, pool1, device1, false),
+			)},
+		},
+		"tainted-admin-access": {
+			deviceTaints: true,
+			adminAccess:  true,
+			claimsToAllocate: func() []wrapResourceClaim {
+				c := claim(claim0, req0, classA)
+				c.Spec.Devices.Requests[0].AdminAccess = ptr.To(true)
+				return []wrapResourceClaim{c}
+			}(),
+			allocatedDevices: []DeviceID{
+				MakeDeviceID(driverA, pool1, device1),
+				MakeDeviceID(driverA, pool1, device2),
+			},
+			classes: objects(class(classA, driverA)),
+			slices: objects(slice(slice1, node1, pool1, driverA,
+				device(device1, nil, nil).withTaints(taintNoSchedule),
+			)),
+			node: node(node1, region1),
+		},
+		"tainted-admin-access-disabled": {
+			deviceTaints: false,
+			adminAccess:  true,
+			claimsToAllocate: func() []wrapResourceClaim {
+				c := claim(claim0, req0, classA)
+				c.Spec.Devices.Requests[0].AdminAccess = ptr.To(true)
+				return []wrapResourceClaim{c}
+			}(),
+			allocatedDevices: []DeviceID{
+				MakeDeviceID(driverA, pool1, device1),
+				MakeDeviceID(driverA, pool1, device2),
+			},
+			classes: objects(class(classA, driverA)),
+			slices: objects(slice(slice1, node1, pool1, driverA,
+				device(device1, nil, nil).withTaints(taintNoSchedule),
+			)),
+			node: node(node1, region1),
+
+			expectResults: []any{allocationResult(
+				localNodeSelector(node1),
+				deviceAllocationResult(req0, driverA, pool1, device1, true),
+			)},
+		},
+		"tainted-all-devices-single": {
+			deviceTaints: true,
+			claimsToAllocate: objects(claimWithRequests(claim0, nil, resourceapi.DeviceRequest{
+				Name:            req0,
+				AllocationMode:  resourceapi.DeviceAllocationModeAll,
+				DeviceClassName: classA,
+			})),
+			classes: objects(class(classA, driverA)),
+			slices: objects(slice(slice1, node1, pool1, driverA,
+				device(device1, nil, nil).withTaints(taintNoSchedule),
+			)),
+			node: node(node1, region1),
+		},
+		"tainted-all-devices-single-disabled": {
+			deviceTaints: false,
+			claimsToAllocate: objects(claimWithRequests(claim0, nil, resourceapi.DeviceRequest{
+				Name:            req0,
+				AllocationMode:  resourceapi.DeviceAllocationModeAll,
+				DeviceClassName: classA,
+			})),
+			classes: objects(class(classA, driverA)),
+			slices: objects(slice(slice1, node1, pool1, driverA,
+				device(device1, nil, nil).withTaints(taintNoSchedule),
+			)),
+			node: node(node1, region1),
+
+			expectResults: []any{allocationResult(
+				localNodeSelector(node1),
+				deviceAllocationResult(req0, driverA, pool1, device1, false),
+			)},
+		},
 	}
 
 	for name, tc := range testcases {
@@ -2056,7 +2284,7 @@ func TestAllocator(t *testing.T) {
 			allocatedDevices := slices.Clone(tc.allocatedDevices)
 			slices := slices.Clone(tc.slices)
 
-			allocator, err := NewAllocator(ctx, tc.adminAccess, tc.prioritizedList, claimsToAllocate, sets.New(allocatedDevices...), classLister, slices, cel.NewCache(1))
+			allocator, err := NewAllocator(ctx, tc.adminAccess, tc.prioritizedList, tc.deviceTaints, unwrap(claimsToAllocate...), sets.New(allocatedDevices...), classLister, slices, cel.NewCache(1))
 			g.Expect(err).ToNot(gomega.HaveOccurred())
 
 			results, err := allocator.Allocate(ctx, tc.node)
diff --git a/test/integration/scheduler_perf/dra.go b/test/integration/scheduler_perf/dra.go
index 0090f41ff43..c91fef184b5 100644
--- a/test/integration/scheduler_perf/dra.go
+++ b/test/integration/scheduler_perf/dra.go
@@ -26,6 +26,7 @@ import (
 	"github.com/stretchr/testify/require"
 
 	v1 "k8s.io/api/core/v1"
+	resourcealphaapi "k8s.io/api/resource/v1alpha3"
 	resourceapi "k8s.io/api/resource/v1beta1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -35,6 +36,7 @@ import (
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/util/workqueue"
 	"k8s.io/dynamic-resource-allocation/cel"
+	resourceslicetracker "k8s.io/dynamic-resource-allocation/resourceslice/tracker"
 	"k8s.io/dynamic-resource-allocation/structured"
 	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/pkg/scheduler/framework/plugins/dynamicresources"
@@ -277,7 +279,18 @@ func (op *allocResourceClaimsOp) run(tCtx ktesting.TContext) {
 	informerFactory := informers.NewSharedInformerFactory(tCtx.Client(), 0)
 	claimInformer := informerFactory.Resource().V1beta1().ResourceClaims().Informer()
 	nodeLister := informerFactory.Core().V1().Nodes().Lister()
-	draManager := dynamicresources.NewDRAManager(tCtx, assumecache.NewAssumeCache(tCtx.Logger(), claimInformer, "ResourceClaim", "", nil), informerFactory)
+	resourceSliceTrackerOpts := resourceslicetracker.Options{
+		EnableDeviceTaints: utilfeature.DefaultFeatureGate.Enabled(features.DRADeviceTaints),
+		SliceInformer:      informerFactory.Resource().V1beta1().ResourceSlices(),
+		KubeClient:         tCtx.Client(),
+	}
+	if resourceSliceTrackerOpts.EnableDeviceTaints {
+		resourceSliceTrackerOpts.TaintInformer = informerFactory.Resource().V1alpha3().DeviceTaintRules()
+		resourceSliceTrackerOpts.ClassInformer = informerFactory.Resource().V1beta1().DeviceClasses()
+	}
+	resourceSliceTracker, err := resourceslicetracker.StartTracker(tCtx, resourceSliceTrackerOpts)
+	tCtx.ExpectNoError(err, "start resource slice tracker")
+	draManager := dynamicresources.NewDRAManager(tCtx, assumecache.NewAssumeCache(tCtx.Logger(), claimInformer, "ResourceClaim", "", nil), resourceSliceTracker, informerFactory)
 	informerFactory.Start(tCtx.Done())
 	defer func() {
 		tCtx.Cancel("allocResourceClaimsOp.run is shutting down")
@@ -290,13 +303,17 @@ func (op *allocResourceClaimsOp) run(tCtx ktesting.TContext) {
 		reflect.TypeOf(&resourceapi.ResourceSlice{}): true,
 		reflect.TypeOf(&v1.Node{}):                   true,
 	}
+	if utilfeature.DefaultFeatureGate.Enabled(features.DRADeviceTaints) {
+		expectSyncedInformers[reflect.TypeOf(&resourcealphaapi.DeviceTaintRule{})] = true
+	}
+
 	require.Equal(tCtx, expectSyncedInformers, syncedInformers, "synced informers")
 	celCache := cel.NewCache(10)
 
 	// The set of nodes is assumed to be fixed at this point.
 	nodes, err := nodeLister.List(labels.Everything())
 	tCtx.ExpectNoError(err, "list nodes")
-	slices, err := draManager.ResourceSlices().List()
+	slices, err := draManager.ResourceSlices().ListWithDeviceTaintRules()
 	tCtx.ExpectNoError(err, "list slices")
 
 	// Allocate one claim at a time, picking nodes randomly. Each
@@ -321,7 +338,10 @@ claims:
 			}
 		}
 
-		allocator, err := structured.NewAllocator(tCtx, utilfeature.DefaultFeatureGate.Enabled(features.DRAAdminAccess), utilfeature.DefaultFeatureGate.Enabled(features.DRAPrioritizedList),
+		allocator, err := structured.NewAllocator(tCtx,
+			utilfeature.DefaultFeatureGate.Enabled(features.DRAAdminAccess),
+			utilfeature.DefaultFeatureGate.Enabled(features.DRAPrioritizedList),
+			utilfeature.DefaultFeatureGate.Enabled(features.DRADeviceTaints),
 			[]*resourceapi.ResourceClaim{claim}, allocatedDevices, draManager.DeviceClasses(), slices, celCache)
 		tCtx.ExpectNoError(err, "create allocator")
 
diff --git a/test/integration/scheduler_perf/dra/performance-config.yaml b/test/integration/scheduler_perf/dra/performance-config.yaml
index 77badbaa57f..ed4847ab7bb 100644
--- a/test/integration/scheduler_perf/dra/performance-config.yaml
+++ b/test/integration/scheduler_perf/dra/performance-config.yaml
@@ -353,7 +353,68 @@
       initClaims: 0
       maxClaimsPerNode: 10
       duration: 2s
- 
+
+# SchedulingWithResourceClaimTemplateToleration is a variant of SchedulingWithResourceClaimTemplate
+# with a claim template that tolerates the taint defined in a DeviceTaintRule.
+- name: SchedulingWithResourceClaimTemplateToleration
+  featureGates:
+    DynamicResourceAllocation: true
+    DRADeviceTaints: true
+  workloadTemplate:
+  - opcode: createNodes
+    countParam: $nodesWithoutDRA
+  - opcode: createAny
+    templatePath: templates/devicetaintrule.yaml
+  - opcode: createNodes
+    nodeTemplatePath: templates/node-with-dra-test-driver.yaml
+    countParam: $nodesWithDRA
+  - opcode: createResourceDriver
+    driverName: test-driver.cdi.k8s.io
+    nodes: scheduler-perf-dra-*
+    maxClaimsPerNodeParam: $maxClaimsPerNode
+  - opcode: createAny
+    templatePath: templates/deviceclass.yaml
+  - opcode: createAny
+    templatePath: templates/resourceclaimtemplate-toleration.yaml
+    namespace: init
+  - opcode: createPods
+    namespace: init
+    countParam: $initPods
+    podTemplatePath: templates/pod-with-claim-template.yaml
+  - opcode: createAny
+    templatePath: templates/resourceclaimtemplate-toleration.yaml
+    namespace: test
+  - opcode: createPods
+    namespace: test
+    countParam: $measurePods
+    podTemplatePath: templates/pod-with-claim-template.yaml
+    collectMetrics: true
+  workloads:
+  - name: fast
+    featureGates:
+      SchedulerQueueingHints: false
+    labels: [integration-test, short]
+    params:
+      # This testcase runs through all code paths without
+      # taking too long overall.
+      nodesWithDRA: 1
+      nodesWithoutDRA: 1
+      initPods: 0
+      measurePods: 10
+      maxClaimsPerNode: 10
+  - name: fast_QueueingHintsEnabled
+    featureGates:
+      SchedulerQueueingHints: true
+    labels: [integration-test, short]
+    params:
+      # This testcase runs through all code paths without
+      # taking too long overall.
+      nodesWithDRA: 1
+      nodesWithoutDRA: 1
+      initPods: 0
+      measurePods: 10
+      maxClaimsPerNode: 10
+
 # SchedulingWithResourceClaimTemplate uses ResourceClaims
 # with deterministic names that are shared between pods.
 # There is a fixed ratio of 1:5 between claims and pods.
diff --git a/test/integration/scheduler_perf/dra/templates/devicetaintrule.yaml b/test/integration/scheduler_perf/dra/templates/devicetaintrule.yaml
new file mode 100644
index 00000000000..4e4be2d4624
--- /dev/null
+++ b/test/integration/scheduler_perf/dra/templates/devicetaintrule.yaml
@@ -0,0 +1,11 @@
+apiVersion: resource.k8s.io/v1alpha3
+kind: DeviceTaintRule
+metadata:
+  name: taint-all-devices
+spec:
+  # Empty selector -> all devices!
+  deviceSelector:
+  taint:
+    key: example.com/taint
+    value: tainted
+    effect: NoSchedule
diff --git a/test/integration/scheduler_perf/dra/templates/resourceclaimtemplate-toleration.yaml b/test/integration/scheduler_perf/dra/templates/resourceclaimtemplate-toleration.yaml
new file mode 100644
index 00000000000..9cb7f2d6007
--- /dev/null
+++ b/test/integration/scheduler_perf/dra/templates/resourceclaimtemplate-toleration.yaml
@@ -0,0 +1,13 @@
+apiVersion: resource.k8s.io/v1alpha3
+kind: ResourceClaimTemplate
+metadata:
+  name: test-claim-template
+spec:
+  spec:
+    devices:
+      requests:
+      - name: req-0
+        deviceClassName: test-class
+        tolerations:
+        - key: example.com/taint
+          operator: Exists

From 2499663b84e6a3dc51e8c2f3a9b1010e158febb9 Mon Sep 17 00:00:00 2001
From: Patrick Ohly <patrick.ohly@intel.com>
Date: Sun, 16 Mar 2025 09:48:36 +0100
Subject: [PATCH 09/11] DRA E2E: tests for device taints

---
 test/e2e/dra/deploy.go      | 15 ++++++-
 test/e2e/dra/dra.go         | 89 +++++++++++++++++++++++++++++++++++++
 test/e2e/dra/kind.yaml      |  2 +-
 test/e2e/feature/feature.go | 10 +++++
 4 files changed, 113 insertions(+), 3 deletions(-)

diff --git a/test/e2e/dra/deploy.go b/test/e2e/dra/deploy.go
index 37fc5226e0e..34cbca686ae 100644
--- a/test/e2e/dra/deploy.go
+++ b/test/e2e/dra/deploy.go
@@ -87,6 +87,9 @@ type Resources struct {
 
 	// Number of devices called "device-000", "device-001", ... on each node or in the cluster.
 	MaxAllocations int
+
+	// Tainted causes all devices to be published with a NoExecute taint.
+	Tainted bool
 }
 
 //go:embed test-driver/deploy/example/plugin-permissions.yaml
@@ -299,10 +302,18 @@ func (d *Driver) SetUp(nodes *Nodes, resources Resources, devicesPerNode ...map[
 			maxAllocations = 10
 		}
 		for i := 0; i < maxAllocations; i++ {
-			slice.Spec.Devices = append(slice.Spec.Devices, resourceapi.Device{
+			device := resourceapi.Device{
 				Name:  fmt.Sprintf("device-%d", i),
 				Basic: &resourceapi.BasicDevice{},
-			})
+			}
+			if resources.Tainted {
+				device.Basic.Taints = []resourceapi.DeviceTaint{{
+					Key:    "example.com/taint",
+					Value:  "tainted",
+					Effect: resourceapi.DeviceTaintEffectNoSchedule,
+				}}
+			}
+			slice.Spec.Devices = append(slice.Spec.Devices, device)
 		}
 
 		_, err := d.f.ClientSet.ResourceV1beta1().ResourceSlices().Create(ctx, slice, metav1.CreateOptions{})
diff --git a/test/e2e/dra/dra.go b/test/e2e/dra/dra.go
index b93c44a9b1e..b6fca88e063 100644
--- a/test/e2e/dra/dra.go
+++ b/test/e2e/dra/dra.go
@@ -35,6 +35,7 @@ import (
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	appsv1 "k8s.io/api/apps/v1"
 	v1 "k8s.io/api/core/v1"
+	resourcealphaapi "k8s.io/api/resource/v1alpha3"
 	resourceapi "k8s.io/api/resource/v1beta1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/resource"
@@ -1280,6 +1281,88 @@ var _ = framework.SIGDescribe("node")("DRA", feature.DynamicResourceAllocation,
 		prioritizedListTests()
 	})
 
+	framework.Context("with device taints", feature.DRADeviceTaints, framework.WithFeatureGate(features.DRADeviceTaints), func() {
+		nodes := NewNodes(f, 1, 1)
+		driver := NewDriver(f, nodes, func() Resources {
+			return Resources{
+				Tainted: true,
+			}
+		})
+		b := newBuilder(f, driver)
+
+		f.It("DeviceTaint keeps pod pending", func(ctx context.Context) {
+			pod, template := b.podInline()
+			b.create(ctx, pod, template)
+			framework.ExpectNoError(e2epod.WaitForPodNameUnschedulableInNamespace(ctx, f.ClientSet, pod.Name, f.Namespace.Name))
+		})
+
+		f.It("DeviceToleration enables pod scheduling", func(ctx context.Context) {
+			pod, template := b.podInline()
+			template.Spec.Spec.Devices.Requests[0].Tolerations = []resourceapi.DeviceToleration{{
+				Effect:   resourceapi.DeviceTaintEffectNoSchedule,
+				Operator: resourceapi.DeviceTolerationOpExists,
+				// No key: tolerate *all* taints with this effect.
+			}}
+			b.create(ctx, pod, template)
+			b.testPod(ctx, f, pod)
+		})
+
+		f.It("DeviceTaintRule evicts pod", func(ctx context.Context) {
+			pod, template := b.podInline()
+			template.Spec.Spec.Devices.Requests[0].Tolerations = []resourceapi.DeviceToleration{{
+				Effect:   resourceapi.DeviceTaintEffectNoSchedule,
+				Operator: resourceapi.DeviceTolerationOpExists,
+				// No key: tolerate *all* taints with this effect.
+			}}
+			// Add a finalizer to ensure that we get a chance to test the pod status after eviction (= deletion).
+			pod.Finalizers = []string{"e2e-test/dont-delete-me"}
+			b.create(ctx, pod, template)
+			b.testPod(ctx, f, pod)
+			ginkgo.DeferCleanup(func(ctx context.Context) {
+				// Unblock shutdown by removing the finalizer.
+				pod, err := f.ClientSet.CoreV1().Pods(f.Namespace.Name).Get(ctx, pod.Name, metav1.GetOptions{})
+				framework.ExpectNoError(err, "get pod")
+				pod.Finalizers = nil
+				_, err = f.ClientSet.CoreV1().Pods(f.Namespace.Name).Update(ctx, pod, metav1.UpdateOptions{})
+				framework.ExpectNoError(err, "remove finalizers from pod")
+			})
+
+			// Now evict it.
+			ginkgo.By("Evicting pod...")
+			taint := &resourcealphaapi.DeviceTaintRule{
+				ObjectMeta: metav1.ObjectMeta{
+					GenerateName: "device-taint-rule-" + f.UniqueName + "-",
+				},
+				Spec: resourcealphaapi.DeviceTaintRuleSpec{
+					// All devices of the current driver instance.
+					DeviceSelector: &resourcealphaapi.DeviceTaintSelector{
+						Driver: &driver.Name,
+					},
+					Taint: resourcealphaapi.DeviceTaint{
+						Effect: resourcealphaapi.DeviceTaintEffectNoExecute,
+						Key:    "test.example.com/evict",
+						Value:  "now",
+						// No TimeAdded, gets defaulted.
+					},
+				},
+			}
+			createdTaint := b.create(ctx, taint)
+			taint = createdTaint[0].(*resourcealphaapi.DeviceTaintRule)
+			gomega.Expect(*taint).Should(gomega.HaveField("Spec.Taint.TimeAdded.Time", gomega.BeTemporally("~", time.Now(), time.Minute /* allow for some clock drift and delays */)))
+
+			framework.ExpectNoError(e2epod.WaitForPodTerminatingInNamespaceTimeout(ctx, f.ClientSet, pod.Name, f.Namespace.Name, f.Timeouts.PodStart))
+			pod, err := f.ClientSet.CoreV1().Pods(f.Namespace.Name).Get(ctx, pod.Name, metav1.GetOptions{})
+			framework.ExpectNoError(err, "get pod")
+			gomega.Expect(pod).Should(gomega.HaveField("Status.Conditions", gomega.ContainElement(gstruct.MatchFields(gstruct.IgnoreExtras, gstruct.Fields{
+				// LastTransitionTime is unknown.
+				"Type":    gomega.Equal(v1.DisruptionTarget),
+				"Status":  gomega.Equal(v1.ConditionTrue),
+				"Reason":  gomega.Equal("DeletionByDeviceTaintManager"),
+				"Message": gomega.Equal("Device Taint manager: deleting due to NoExecute taint"),
+			}))))
+		})
+	})
+
 	// TODO (https://github.com/kubernetes/kubernetes/issues/123699): move most of the test below into `testDriver` so that they get
 	// executed with different parameters.
 
@@ -2006,6 +2089,12 @@ func (b *builder) create(ctx context.Context, objs ...klog.KMetadata) []klog.KMe
 				err := b.f.ClientSet.ResourceV1beta1().ResourceSlices().Delete(ctx, createdObj.GetName(), metav1.DeleteOptions{})
 				framework.ExpectNoError(err, "delete node resource slice")
 			})
+		case *resourcealphaapi.DeviceTaintRule:
+			createdObj, err = b.f.ClientSet.ResourceV1alpha3().DeviceTaintRules().Create(ctx, obj, metav1.CreateOptions{})
+			ginkgo.DeferCleanup(func(ctx context.Context) {
+				err := b.f.ClientSet.ResourceV1alpha3().DeviceTaintRules().Delete(ctx, createdObj.GetName(), metav1.DeleteOptions{})
+				framework.ExpectNoError(err, "delete DeviceTaintRule")
+			})
 		case *appsv1.DaemonSet:
 			createdObj, err = b.f.ClientSet.AppsV1().DaemonSets(b.f.Namespace.Name).Create(ctx, obj, metav1.CreateOptions{})
 			// Cleanup not really needed, but speeds up namespace shutdown.
diff --git a/test/e2e/dra/kind.yaml b/test/e2e/dra/kind.yaml
index d96893d144f..4ac92b39a2c 100644
--- a/test/e2e/dra/kind.yaml
+++ b/test/e2e/dra/kind.yaml
@@ -20,7 +20,7 @@ nodes:
           v: "5"
     apiServer:
         extraArgs:
-          runtime-config: "resource.k8s.io/v1beta1=true"
+          runtime-config: "resource.k8s.io/v1alpha3=true,resource.k8s.io/v1beta1=true"
   - |
     kind: InitConfiguration
     nodeRegistration:
diff --git a/test/e2e/feature/feature.go b/test/e2e/feature/feature.go
index 831dd9adc4d..1d910d84213 100644
--- a/test/e2e/feature/feature.go
+++ b/test/e2e/feature/feature.go
@@ -112,6 +112,16 @@ var (
 	//   is enabled such that passing CDI device IDs through CRI fields is supported
 	DRAAdminAccess = framework.WithFeature(framework.ValidFeatures.Add("DRAAdminAccess"))
 
+	// owning-sig: sig-scheduling
+	// kep: https://kep.k8s.io/5055
+	// test-infra jobs:
+	// - "ci-kind-dra-all" in https://testgrid.k8s.io/sig-node-dynamic-resource-allocation
+	//
+	// This label is used for tests which need:
+	// - the DynamicResourceAllocation *and* DRADeviceTaints feature gates
+	// - the resource.k8s.io API group, including version v1alpha3
+	DRADeviceTaints = framework.WithFeature(framework.ValidFeatures.Add("DRADeviceTaints"))
+
 	// TODO: document the feature (owning SIG, when to use this feature for a test)
 	// OWNER: sig-node
 	// Testing downward API huge pages

From 37b47f47244c9306ba9346b3f4e0118a5efa5305 Mon Sep 17 00:00:00 2001
From: Patrick Ohly <patrick.ohly@intel.com>
Date: Sun, 16 Mar 2025 21:21:04 +0100
Subject: [PATCH 10/11] DRA helper: support dropped fields and TimeAdded
 defaults

Both the new DeviceTaint.TimeAdded and dropped fields when
the DRADeviceTaints feature is disabled confused the ResourceSlice
controller because what is stored and sent back can be different
from what the controller wants to store.

It's now more lenient regarding TimeAdded (doesn't need to be exact because of
rounding during serialization, only having a value on the server is okay)
and dropped fields (doesn't try to store them again). It also preserves
a server-side TimeAdded when updating slices.
---
 .../resourceslice/resourceslicecontroller.go  |  98 ++++++++++++++-
 .../resourceslicecontroller_test.go           | 114 ++++++++++++++++++
 test/integration/dra/dra_test.go              |  71 +++++++++++
 3 files changed, 281 insertions(+), 2 deletions(-)

diff --git a/staging/src/k8s.io/dynamic-resource-allocation/resourceslice/resourceslicecontroller.go b/staging/src/k8s.io/dynamic-resource-allocation/resourceslice/resourceslicecontroller.go
index 9d937bca73b..248df0e66eb 100644
--- a/staging/src/k8s.io/dynamic-resource-allocation/resourceslice/resourceslicecontroller.go
+++ b/staging/src/k8s.io/dynamic-resource-allocation/resourceslice/resourceslicecontroller.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"slices"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -31,6 +32,7 @@ import (
 	apiequality "k8s.io/apimachinery/pkg/api/equality"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/conversion"
 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/types"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
@@ -546,7 +548,7 @@ func (c *Controller) syncPool(ctx context.Context, poolName string) error {
 			if !apiequality.Semantic.DeepEqual(&currentSlice.Spec.Pool, &desiredPool) ||
 				!apiequality.Semantic.DeepEqual(currentSlice.Spec.NodeSelector, pool.NodeSelector) ||
 				currentSlice.Spec.AllNodes != desiredAllNodes ||
-				!apiequality.Semantic.DeepEqual(currentSlice.Spec.Devices, pool.Slices[i].Devices) {
+				!DevicesDeepEqual(currentSlice.Spec.Devices, pool.Slices[i].Devices) {
 				changedDesiredSlices.Insert(i)
 				logger.V(5).Info("Need to update slice", "slice", klog.KObj(currentSlice), "matchIndex", i)
 			}
@@ -586,7 +588,8 @@ func (c *Controller) syncPool(ctx context.Context, poolName string) error {
 			// have listed the existing slice.
 			slice.Spec.NodeSelector = pool.NodeSelector
 			slice.Spec.AllNodes = desiredAllNodes
-			slice.Spec.Devices = pool.Slices[i].Devices
+			// Preserve TimeAdded from existing device, if there is a matching device and taint.
+			slice.Spec.Devices = copyTaintTimeAdded(slice.Spec.Devices, pool.Slices[i].Devices)
 
 			logger.V(5).Info("Updating existing resource slice", "slice", klog.KObj(slice))
 			slice, err := c.kubeClient.ResourceV1beta1().ResourceSlices().Update(ctx, slice, metav1.UpdateOptions{})
@@ -595,6 +598,16 @@ func (c *Controller) syncPool(ctx context.Context, poolName string) error {
 			}
 			atomic.AddInt64(&c.numUpdates, 1)
 			c.sliceStore.Mutation(slice)
+
+			// Some fields may have been dropped. When we receive
+			// the updated slice through the informer, the
+			// DeepEqual fails and the controller would try to
+			// update again, etc.  To break that cycle, update our
+			// desired state of the world so that it matches what
+			// we can store.
+			//
+			// TODO (https://github.com/kubernetes/kubernetes/issues/130856): check for dropped fields and report them to the DRA driver.
+			pool.Slices[i].Devices = slice.Spec.Devices
 		}
 
 		// Create new slices.
@@ -652,6 +665,16 @@ func (c *Controller) syncPool(ctx context.Context, poolName string) error {
 			atomic.AddInt64(&c.numCreates, 1)
 			c.sliceStore.Mutation(slice)
 			added = true
+
+			// Some fields may have been dropped. When we receive
+			// the created slice through the informer, the
+			// DeepEqual fails and the controller would try to
+			// update, which again suffers from dropped fields,
+			// etc. To break that cycle, update our desired state
+			// of the world so that it matches what we can store.
+			//
+			// TODO (https://github.com/kubernetes/kubernetes/issues/130856): check for dropped fields and report them to the DRA driver.
+			pool.Slices[i].Devices = slice.Spec.Devices
 		}
 		if added {
 			// Check that the recently added slice(s) really exist even
@@ -713,3 +736,74 @@ func sameSlice(existingSlice *resourceapi.ResourceSlice, desiredSlice *Slice) bo
 	// Same number of devices, names all present -> equal.
 	return true
 }
+
+// copyTaintTimeAdded copies existing TimeAdded values from one slice into
+// the other if the other one doesn't have it for a taint. Both input
+// slices are read-only.
+func copyTaintTimeAdded(from, to []resourceapi.Device) []resourceapi.Device {
+	to = slices.Clone(to)
+	for i, toDevice := range to {
+		index := slices.IndexFunc(from, func(fromDevice resourceapi.Device) bool {
+			return fromDevice.Name == toDevice.Name
+		})
+		if index < 0 {
+			// No matching device.
+			continue
+		}
+		fromDevice := from[index]
+		if fromDevice.Basic == nil || toDevice.Basic == nil {
+			continue
+		}
+		for j, toTaint := range toDevice.Basic.Taints {
+			if toTaint.TimeAdded != nil {
+				// Already set.
+				continue
+			}
+			// Preserve the old TimeAdded if all other fields are the same.
+			index := slices.IndexFunc(fromDevice.Basic.Taints, func(fromTaint resourceapi.DeviceTaint) bool {
+				return toTaint.Key == fromTaint.Key &&
+					toTaint.Value == fromTaint.Value &&
+					toTaint.Effect == fromTaint.Effect
+			})
+			if index < 0 {
+				// No matching old taint.
+				continue
+			}
+			// In practice, devices are unlikely to have many
+			// taints.  Just clone the entire device before we
+			// motify it, it's unlikely that we do this more than once.
+			to[i] = *toDevice.DeepCopy()
+			to[i].Basic.Taints[j].TimeAdded = fromDevice.Basic.Taints[index].TimeAdded
+		}
+	}
+	return to
+}
+
+// DevicesDeepEqual compares two slices of Devices. It behaves like
+// apiequality.Semantic.DeepEqual, with one small difference:
+// a nil DeviceTaint.TimeAdded is equal to a non-nil time.
+// Also, rounding to full seconds (caused by round-tripping) is
+// tolerated.
+func DevicesDeepEqual(a, b []resourceapi.Device) bool {
+	return devicesSemantic.DeepEqual(a, b)
+}
+
+var devicesSemantic = func() conversion.Equalities {
+	semantic := apiequality.Semantic.Copy()
+	if err := semantic.AddFunc(deviceTaintEqual); err != nil {
+		panic(err)
+	}
+	return semantic
+}()
+
+func deviceTaintEqual(a, b resourceapi.DeviceTaint) bool {
+	if a.TimeAdded != nil && b.TimeAdded != nil {
+		delta := b.TimeAdded.Time.Sub(a.TimeAdded.Time)
+		if delta < -time.Second || delta > time.Second {
+			return false
+		}
+	}
+	return a.Key == b.Key &&
+		a.Value == b.Value &&
+		a.Effect == b.Effect
+}
diff --git a/staging/src/k8s.io/dynamic-resource-allocation/resourceslice/resourceslicecontroller_test.go b/staging/src/k8s.io/dynamic-resource-allocation/resourceslice/resourceslicecontroller_test.go
index c8727074065..e65d350554f 100644
--- a/staging/src/k8s.io/dynamic-resource-allocation/resourceslice/resourceslicecontroller_test.go
+++ b/staging/src/k8s.io/dynamic-resource-allocation/resourceslice/resourceslicecontroller_test.go
@@ -85,6 +85,8 @@ func TestControllerSyncPool(t *testing.T) {
 				}},
 			}},
 		}
+		timeAdded      = metav1.Now()
+		timeAddedLater = metav1.Time{Time: timeAdded.Add(time.Minute)}
 	)
 
 	testCases := map[string]struct {
@@ -143,6 +145,118 @@ func TestControllerSyncPool(t *testing.T) {
 					Pool(resourceapi.ResourcePool{Name: poolName, Generation: 1, ResourceSliceCount: 1}).Obj(),
 			},
 		},
+		"keep-taint-unchanged": {
+			nodeUID: nodeUID,
+			initialObjects: []runtime.Object{
+				MakeResourceSlice().Name(generatedName1).GenerateName(generateName).
+					NodeOwnerReferences(ownerName, string(nodeUID)).NodeName(ownerName).
+					Driver(driverName).Devices([]resourceapi.Device{{
+					Name: deviceName,
+					Basic: &resourceapi.BasicDevice{
+						Taints: []resourceapi.DeviceTaint{{
+							Effect:    resourceapi.DeviceTaintEffectNoExecute,
+							TimeAdded: &timeAdded,
+						}},
+					}}}).
+					Pool(resourceapi.ResourcePool{Name: poolName, Generation: 1, ResourceSliceCount: 1}).
+					Obj(),
+			},
+			inputDriverResources: &DriverResources{
+				Pools: map[string]Pool{
+					poolName: {
+						Generation: 1,
+						Slices: []Slice{{Devices: []resourceapi.Device{{
+							Name: deviceName,
+							Basic: &resourceapi.BasicDevice{
+								Taints: []resourceapi.DeviceTaint{{
+									Effect: resourceapi.DeviceTaintEffectNoExecute,
+									// No time added here! No need to update the slice.
+								}},
+							}}},
+						}},
+					},
+				},
+			},
+			expectedResourceSlices: []resourceapi.ResourceSlice{
+				*MakeResourceSlice().Name(generatedName1).GenerateName(generateName).
+					NodeOwnerReferences(ownerName, string(nodeUID)).NodeName(ownerName).
+					Driver(driverName).Devices([]resourceapi.Device{{
+					Name: deviceName,
+					Basic: &resourceapi.BasicDevice{
+						Taints: []resourceapi.DeviceTaint{{
+							Effect:    resourceapi.DeviceTaintEffectNoExecute,
+							TimeAdded: &timeAdded,
+						}},
+					}}}).
+					Pool(resourceapi.ResourcePool{Name: poolName, Generation: 1, ResourceSliceCount: 1}).
+					Obj(),
+			},
+		},
+		"add-taint": {
+			nodeUID: nodeUID,
+			initialObjects: []runtime.Object{
+				MakeResourceSlice().Name(generatedName1).GenerateName(generateName).
+					NodeOwnerReferences(ownerName, string(nodeUID)).NodeName(ownerName).
+					Driver(driverName).Devices([]resourceapi.Device{{
+					Name: deviceName,
+					Basic: &resourceapi.BasicDevice{
+						Taints: []resourceapi.DeviceTaint{{
+							Effect:    resourceapi.DeviceTaintEffectNoExecute,
+							TimeAdded: &timeAdded,
+						}},
+					}}}).
+					Pool(resourceapi.ResourcePool{Name: poolName, Generation: 1, ResourceSliceCount: 1}).
+					Obj(),
+			},
+			inputDriverResources: &DriverResources{
+				Pools: map[string]Pool{
+					poolName: {
+						Generation: 1,
+						Slices: []Slice{{Devices: []resourceapi.Device{{
+							Name: deviceName,
+							Basic: &resourceapi.BasicDevice{
+								Taints: []resourceapi.DeviceTaint{
+									{
+										Effect: resourceapi.DeviceTaintEffectNoExecute,
+										// No time added here! Time from existing slice must get copied during update.
+									},
+									{
+										Key:       "example.com/tainted",
+										Effect:    resourceapi.DeviceTaintEffectNoSchedule,
+										TimeAdded: &timeAddedLater,
+									},
+								},
+							}}},
+						}},
+					},
+				},
+			},
+			expectedStats: Stats{
+				NumUpdates: 1,
+			},
+			expectedResourceSlices: []resourceapi.ResourceSlice{
+				*MakeResourceSlice().Name(generatedName1).GenerateName(generateName).
+					ResourceVersion("1").
+					NodeOwnerReferences(ownerName, string(nodeUID)).NodeName(ownerName).
+					Driver(driverName).Devices([]resourceapi.Device{{
+					Name: deviceName,
+					Basic: &resourceapi.BasicDevice{
+						Taints: []resourceapi.DeviceTaint{
+							{
+								Effect:    resourceapi.DeviceTaintEffectNoExecute,
+								TimeAdded: &timeAdded,
+							},
+							{
+								Key:       "example.com/tainted",
+								Effect:    resourceapi.DeviceTaintEffectNoSchedule,
+								TimeAdded: &timeAddedLater,
+							},
+						},
+					}}}).
+					Pool(resourceapi.ResourcePool{Name: poolName, Generation: 1, ResourceSliceCount: 1}).
+					Obj(),
+			},
+		},
 		"remove-pool": {
 			nodeUID:   nodeUID,
 			syncDelay: ptr.To(time.Duration(0)), // Ensure that the initial object causes an immediate sync of the pool.
diff --git a/test/integration/dra/dra_test.go b/test/integration/dra/dra_test.go
index eea35f5a620..638beb923c9 100644
--- a/test/integration/dra/dra_test.go
+++ b/test/integration/dra/dra_test.go
@@ -40,6 +40,7 @@ import (
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/component-base/featuregate"
 	featuregatetesting "k8s.io/component-base/featuregate/testing"
+	"k8s.io/dynamic-resource-allocation/resourceslice"
 	"k8s.io/klog/v2"
 	kubeschedulerconfigv1 "k8s.io/kube-scheduler/config/v1"
 	kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
@@ -129,6 +130,7 @@ func TestDRA(t *testing.T) {
 				tCtx.Run("AdminAccess", func(tCtx ktesting.TContext) { testAdminAccess(tCtx, false) })
 				tCtx.Run("PrioritizedList", func(tCtx ktesting.TContext) { testPrioritizedList(tCtx, false) })
 				tCtx.Run("Pod", func(tCtx ktesting.TContext) { testPod(tCtx, true) })
+				tCtx.Run("PublishResourceSlices", func(tCtx ktesting.TContext) { testPublishResourceSlices(tCtx) })
 			},
 		},
 		"all": {
@@ -148,6 +150,7 @@ func TestDRA(t *testing.T) {
 				tCtx.Run("AdminAccess", func(tCtx ktesting.TContext) { testAdminAccess(tCtx, true) })
 				tCtx.Run("Convert", testConvert)
 				tCtx.Run("PrioritizedList", func(tCtx ktesting.TContext) { testPrioritizedList(tCtx, true) })
+				tCtx.Run("PublishResourceSlices", func(tCtx ktesting.TContext) { testPublishResourceSlices(tCtx) })
 			},
 		},
 	} {
@@ -308,3 +311,71 @@ func testPrioritizedList(tCtx ktesting.TContext, enabled bool) {
 		}).WithTimeout(time.Minute).WithPolling(time.Second).Should(schedulingAttempted)
 	})
 }
+
+func testPublishResourceSlices(tCtx ktesting.TContext) {
+	tCtx.Parallel()
+
+	driverName := "dra.example.com"
+	poolName := "global"
+	resources := &resourceslice.DriverResources{
+		Pools: map[string]resourceslice.Pool{
+			poolName: {
+				Slices: []resourceslice.Slice{
+					{
+						Devices: []resourceapi.Device{
+							{
+								Name:  "device-simple",
+								Basic: &resourceapi.BasicDevice{},
+							},
+							// TODO: once https://github.com/kubernetes/kubernetes/pull/130764 is merged,
+							// add tests which detect dropped fields related to it.
+						},
+					},
+					{
+						Devices: []resourceapi.Device{
+							{
+								Name: "device-tainted-default",
+								Basic: &resourceapi.BasicDevice{
+									Taints: []resourceapi.DeviceTaint{{
+										Effect: resourceapi.DeviceTaintEffectNoExecute,
+										// TimeAdded is added by apiserver.
+									}},
+								},
+							},
+							{
+								Name: "device-tainted-time-added",
+								Basic: &resourceapi.BasicDevice{
+									Taints: []resourceapi.DeviceTaint{{
+										Effect:    resourceapi.DeviceTaintEffectNoExecute,
+										TimeAdded: ptr.To(metav1.Now()),
+									}},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+	opts := resourceslice.Options{
+		DriverName: driverName,
+		KubeClient: tCtx.Client(),
+		SyncDelay:  ptr.To(0 * time.Second),
+		Resources:  resources,
+	}
+	controller, err := resourceslice.StartController(tCtx, opts)
+	tCtx.ExpectNoError(err, "start controller")
+	defer controller.Stop()
+
+	// Two create calls should be all that are needed.
+	expectedStats := resourceslice.Stats{
+		NumCreates: 2,
+	}
+	getStats := func(tCtx ktesting.TContext) resourceslice.Stats {
+		return controller.GetStats()
+	}
+	ktesting.Eventually(tCtx, getStats).WithTimeout(10 * time.Second).Should(gomega.Equal(expectedStats))
+
+	// No further changes necessary.
+	ktesting.Consistently(tCtx, getStats).WithTimeout(10 * time.Second).Should(gomega.Equal(expectedStats))
+}

From 9f161590bee774e9aefb0ca89442fe9993cbee87 Mon Sep 17 00:00:00 2001
From: Patrick Ohly <patrick.ohly@intel.com>
Date: Tue, 18 Mar 2025 08:56:53 +0100
Subject: [PATCH 11/11] metrics testing: add type aliases to avoid direct
 prometheus imports

In tests it is sometimes unavoidable to use the Prometheus types directly,
for example when writing a custom gatherer which needs to normalize data
before testing it. device_taint_eviction_test.go does this to strip
out unpredictable data in a histogram.

With type aliases in a package that is explicitly meant for tests we
can avoid adding exceptions for such tests to the global exception list.
---
 hack/verify-prometheus-imports.sh                      |  1 -
 .../devicetainteviction/device_taint_eviction_test.go  |  6 ++----
 .../k8s.io/component-base/metrics/testutil/testutil.go | 10 ++++++++++
 3 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/hack/verify-prometheus-imports.sh b/hack/verify-prometheus-imports.sh
index 18a67e77922..ba1321e1e41 100755
--- a/hack/verify-prometheus-imports.sh
+++ b/hack/verify-prometheus-imports.sh
@@ -37,7 +37,6 @@ source "${KUBE_ROOT}/hack/lib/util.sh"
 # See: https://github.com/kubernetes/kubernetes/issues/89267
 allowed_prometheus_importers=(
   ./cluster/images/etcd-version-monitor/etcd-version-monitor.go
-  ./pkg/controller/devicetainteviction/device_taint_eviction_test.go
   ./staging/src/k8s.io/component-base/metrics/prometheusextension/timing_histogram.go
   ./staging/src/k8s.io/component-base/metrics/prometheusextension/timing_histogram_test.go
   ./staging/src/k8s.io/component-base/metrics/prometheusextension/timing_histogram_vec.go
diff --git a/pkg/controller/devicetainteviction/device_taint_eviction_test.go b/pkg/controller/devicetainteviction/device_taint_eviction_test.go
index 74afd0e9c66..ee1b5439fc5 100644
--- a/pkg/controller/devicetainteviction/device_taint_eviction_test.go
+++ b/pkg/controller/devicetainteviction/device_taint_eviction_test.go
@@ -32,8 +32,6 @@ import (
 	"github.com/onsi/gomega"
 	"github.com/onsi/gomega/gstruct"
 	gomegatypes "github.com/onsi/gomega/types"
-	"github.com/prometheus/client_golang/prometheus"
-	dto "github.com/prometheus/client_model/go"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
@@ -1205,7 +1203,7 @@ device_taint_eviction_controller_pod_deletions_total %[1]d
 		controller.metrics.PodDeletionsTotal.FQName(),
 		controller.metrics.PodDeletionsLatency.FQName(),
 	}
-	gather := func() ([]*dto.MetricFamily, error) {
+	gather := func() ([]*metricstestutil.MetricFamily, error) {
 		got, err := controller.metrics.Gather()
 		for _, mf := range got {
 			for _, m := range mf.Metric {
@@ -1218,7 +1216,7 @@ device_taint_eviction_controller_pod_deletions_total %[1]d
 		return got, err
 	}
 
-	return metricstestutil.GatherAndCompare(prometheus.GathererFunc(gather), strings.NewReader(expectedMetric), names...)
+	return metricstestutil.GatherAndCompare(metricstestutil.GathererFunc(gather), strings.NewReader(expectedMetric), names...)
 }
 
 // TestEviction runs through the full flow of starting the controller and evicting one pod.
diff --git a/staging/src/k8s.io/component-base/metrics/testutil/testutil.go b/staging/src/k8s.io/component-base/metrics/testutil/testutil.go
index b00f949c376..d023a0dea8e 100644
--- a/staging/src/k8s.io/component-base/metrics/testutil/testutil.go
+++ b/staging/src/k8s.io/component-base/metrics/testutil/testutil.go
@@ -20,7 +20,9 @@ import (
 	"fmt"
 	"io"
 
+	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/testutil"
+	dto "github.com/prometheus/client_model/go"
 
 	apimachineryversion "k8s.io/apimachinery/pkg/version"
 	"k8s.io/component-base/metrics"
@@ -33,6 +35,14 @@ type TB interface {
 	Fatalf(format string, args ...any)
 }
 
+// MetricFamily is a type alias which enables writing gatherers in tests
+// without importing prometheus directly (https://github.com/kubernetes/kubernetes/issues/99876).
+type MetricFamily = dto.MetricFamily
+
+// GathererFunc is a type alias which enables writing gatherers as a function in tests
+// without importing prometheus directly (https://github.com/kubernetes/kubernetes/issues/99876).
+type GathererFunc = prometheus.GathererFunc
+
 // CollectAndCompare registers the provided Collector with a newly created
 // pedantic Registry. It then does the same as GatherAndCompare, gathering the
 // metrics from the pedantic Registry.