Taint

Control which Conflux nodes can talk to each other using taints. Set them at registration or at runtime via the CLI, with Docker and Kubernetes examples.

Introduction

Taints are labels you attach to a VeilNet Conflux node. They control which nodes can talk to each other: two Conflux nodes can communicate only if they share the same registration context and their taints are compatible (one node’s taints are a superset or subset of the other’s).

Taints are simple labels only; you cannot use = in a taint. Typical uses:

  • Environment: prod, staging — restrict traffic to nodes in the same environment.
  • Role: web, api, database — align with application roles.
  • Region or mesh: us-east, mesh-prod — multi-host or multi-region groupings.

Setting taints at registration

When you register a Conflux (CLI, system service, Docker, or Kubernetes), you can set initial taints so the node is created with the right affinity.

CLI (system service)

Use the repeatable --taints flag or the VEILNET_CONFLUX_TAINTS environment variable.

Flags (repeatable):

sudo veilnet-conflux register \
  -t "$VEILNET_REGISTRATION_TOKEN" \
  --tag "edge-1" \
  --taints "prod" \
  --taints "us-east"

Environment variable:

VEILNET_CONFLUX_TAINTS is a single string. The CLI accepts a comma-separated list of taint values:

export VEILNET_REGISTRATION_TOKEN="..."
export VEILNET_CONFLUX_TAINTS="prod,us-east"

sudo -E veilnet-conflux register

Reference: System Service — register.

Docker

Set VEILNET_CONFLUX_TAINTS in your env file (comma-separated). The Conflux container uses this when it registers or starts:

# .env
VEILNET_REGISTRATION_TOKEN=...
VEILNET_GUARDIAN=https://guardian.veilnet.app
VEILNET_CONFLUX_TAG=host-a
VEILNET_CONFLUX_IP=10.128.0.5
VEILNET_CONFLUX_TAINTS=mesh-prod,prod

For multi-host setups, ensure all hosts that must talk to each other share at least one taint (e.g. mesh-prod). See Docker — multi-host service mesh.
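
A pre-deployment check for a multi-host plan, as an added example that is not part of the VeilNet documentation or code: it parses VEILNET_CONFLUX_TAINTS-style strings and applies the rule as stated in the Introduction (one node's taints are a subset or superset of the other's), assuming all nodes share one registration context. The host names, the trimming of whitespace and the skipping of empty entries are assumptions of this example.

```python
from itertools import combinations


def parse_taints(value):
    """Parse a VEILNET_CONFLUX_TAINTS-style comma-separated string into a set."""
    taints = set()
    for raw in value.split(","):
        taint = raw.strip()  # assumption: surrounding whitespace is not significant
        if not taint:
            continue  # assumption: empty entries such as "a,,b" are ignored
        if "=" in taint:
            # The page states that '=' cannot be used in a taint.
            raise ValueError(f"taint {taint!r} contains '=', which is not allowed")
        taints.add(taint)
    return frozenset(taints)


def compatible(a, b):
    """Rule from the Introduction: one set is a subset or superset of the other."""
    # Set semantics taken literally; the page does not say how a node
    # with no taints at all is treated.
    return a <= b or a >= b


def incompatible_pairs(plan):
    """Return sorted (host, host) pairs whose taint sets fail the rule."""
    parsed = {host: parse_taints(value) for host, value in plan.items()}
    return [
        (h1, h2)
        for h1, h2 in combinations(sorted(parsed), 2)
        if not compatible(parsed[h1], parsed[h2])
    ]


# Constructed plan: hypothetical host tags mapped to VEILNET_CONFLUX_TAINTS values.
PLAN = {
    "host-a": "mesh-prod,prod",
    "host-b": "mesh-prod",
    "host-c": "mesh-prod,staging",
}

if __name__ == "__main__":
    for h1, h2 in incompatible_pairs(PLAN):
        print(f"{h1} and {h2}: neither taint set contains the other")
```

In the constructed plan, host-a and host-c both carry mesh-prod, yet neither set contains the other, so the check reports that pair under the Introduction's rule.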

Kubernetes

Put taints in the same Secret you use for Conflux (e.g. sidecar or DaemonSet). Use VEILNET_CONFLUX_TAINTS as a comma-separated string:

apiVersion: v1
kind: Secret
metadata:
  name: veilnet-conflux-secret
  namespace: default
type: Opaque
stringData:
  VEILNET_REGISTRATION_TOKEN: "<YOUR_REGISTRATION_TOKEN>"
  VEILNET_GUARDIAN: "https://guardian.veilnet.app"
  VEILNET_CONFLUX_TAG: "pod-mesh-1"
  VEILNET_CONFLUX_IP: "10.128.0.10"
  VEILNET_CONFLUX_TAINTS: "prod,k8s-mesh"
  # Optional: VEILNET_CONFLUX_PORTAL, etc.

Containers that use envFrom (or env) with this Secret will pass these taints to the Conflux process at startup/registration.

Managing taints at runtime (CLI)

After the Conflux (and Anchor) are running, you can add or remove taints live. The CLI updates the running node via gRPC and persists the change to conflux.json, so it survives restarts.

Add a taint:

sudo veilnet-conflux taint add prod

Remove a taint:

sudo veilnet-conflux taint remove prod

VeilNet • © 2026 All rights reserved