PodNodeSelector / PodTolerationRestriction

Jan 1, 0001

Definition

PodNodeSelector and PodTolerationRestriction are Kubernetes admission controllers that help manage pod scheduling constraints. PodNodeSelector enforces default node selectors for pods in a namespace, ensuring they are scheduled on appropriate nodes. PodTolerationRestriction controls which tolerations can be added to pods, preventing them from being scheduled on nodes with specific taints unless explicitly allowed.

Secure Settings Example

apiVersion: v1
kind: ConfigMap
metadata:
  name: pod-node-selector
  namespace: kube-system
data:
  clusterDefaultNodeSelector: "environment=production"

apiVersion: v1
kind: PodTolerationRestriction
metadata:
  name: restrict-tolerations
  namespace: kube-system
spec:
  tolerations:
    - key: "dedicated"
      operator: "Equal"
      value: "production"
      effect: "NoSchedule"

Insecure Settings Example

apiVersion: v1
kind: ConfigMap
metadata:
  name: pod-node-selector
  namespace: kube-system
data:
  clusterDefaultNodeSelector: ""

apiVersion: v1
kind: PodTolerationRestriction
metadata:
  name: allow-all-tolerations
  namespace: kube-system
spec:
  tolerations:
    - operator: "Exists"

PodNodeSelector / PodTolerationRestriction

Definition

Secure Settings Example

Insecure Settings Example

Ask AppSec: free security newsletter

Ask AppSec: free security newsletter