Comments (7)
They let you per namespace:
set a default set of tolerations / nodeSelectors to always add to pods if not already there. This lets you easily target pods automatically to pools of nodes. (Mutating webhook style)
Set an allowed set of tolerations / nodeSelectors that can be used. If others are used, they are denied. This prevents a user from using pools of nodes they don't have permissions to. (validating webhook style)
Both are listed here:
https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/
from gatekeeper-library.
What alpha admission controller are you referencing? Can you expand on what PodTolerationRestriction
and PodNodeSelector
do/did?
from gatekeeper-library.
The mutating webhooks in gatekeeper don't seem to have the nice librarization that the validating ones do. So for each pool, you'd need a complicated set of rules to make it work.
Probably need to add some kind of liberalization for mutating webhooks as well.
from gatekeeper-library.
As a workaround, until librarization of mutating webhooks is possible, using a RuntimeClass for that seems to work ok:
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
name: foo
handler: default
scheduling:
nodeSelector:
pool: foo
tolerations:
- key: "pool"
operator: "Equal"
value: "foo"
effect: "NoSchedule"
---
apiVersion: mutations.gatekeeper.sh/v1alpha1
kind: Assign
metadata:
name: foo-pool-assignment
spec:
match:
scope: Namespaced
kinds:
- apiGroups: ["*"]
kinds: ["Pod"]
namespaceSelector:
matchExpressions:
- key: pool
operator: In
values: [foo]
applyTo:
- groups: [""]
kinds: ["Pod"]
versions: ["v1"]
location: "spec.runtimeClassName"
parameters:
assign:
value: userv1
Then you label nodes as pool=foo and namespaces as pool=foo
Still need a way to limit which nodeSelectors and tolerations are valid.
from gatekeeper-library.
We are trying to achieve something that can remove the nodeSelector itself to have more scope for the pod placement based on the existing nodes(resources)
from gatekeeper-library.
Sorry, been a while since I've responded, so this will be in response to a few posts...
Set an allowed set of tolerations / nodeSelectors that can be used. If others are used, they are denied. This prevents a user from using pools of nodes they don't have permissions to. (validating webhook style)
Still need a way to limit which nodeSelectors and tolerations are valid.
Anything where there is a "deny if this happens" behavior should be done via validation/constraints, per:
so a constraint template would need to be written for that.
set a default set of tolerations / nodeSelectors to always add to pods if not already there. This lets you easily target pods automatically to pools of nodes. (Mutating webhook style)
Setting node selectors should be possible. Defaulting can be done via pathTests
to run the check "only apply the nodeSelector mutator if nodeSelector is undefined". Or, you can set individual selectors within the node selector itself.
tolerations
is harder because it is a non-keyed list. The ModifySet
mutator, which is added in open-policy-agent/gatekeeper#1508 should be able to handle the addition/removal of tolerations.
We are trying to achieve something that can remove the nodeSelector itself to have more scope for the pod placement based on the existing nodes(resources)
What happens if you use the Assign
mutator to assign an empty object {}
to spec.nodeSelector
?
from gatekeeper-library.
This issue/PR has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.
from gatekeeper-library.
Related Issues (20)
- Update Privileged Container Policy HOT 3
- Host networking constraint template does not respect exempt images HOT 2
- Refresh the content in Artifact-hub whenever any of the files within the policy are modified HOT 2
- docs: explicitly call out samples are provided as an example
- add cel-based policies HOT 4
- Match everything in a constraint HOT 2
- Docs exclude kind: AdmissionReview
- Problem with creating a mutation for deployments HOT 4
- replicalimits unit tests do not include checks for Scale resources HOT 4
- Consider validating pod generic ephemerals in K8sStorageClass HOT 2
- Consolidating Kubernetes PSP-related ConstraintTemplates into a Single Template for Streamlined Migration HOT 1
- bump mutate assign api version from alpha to v1
- Website generator appears to only retain the final mutation sample per directory HOT 2
- Any interest in policies/constraints that apply to custom resources? HOT 3
- Workflow Upload artifacts: overwrites the matrixed job logs HOT 1
- k8spsphostnetworkingports exemptImages does not allow hostNetwork HOT 4
- automount-serviceaccount-token ConstraintTemplate does not reflect ServiceAccount settings HOT 1
- Not able to create statefulset without storageclass with policy k8sallowedstorageclas is used HOT 1
- Should apparmor always view unconfined as complaint? HOT 3
- The example of disallowed/allowed ingress resources in the unique ingress host example has incorrect hostnames HOT 7
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from gatekeeper-library.