Restrict node selection

The Kubernetes scheduler uses complex logic to determine the optimal placement for new Pods. Users who have access to set certain fields in a Pod spec may sidestep this logic, which in many cases is undesirable. This policy prevents users from targeting specific Nodes for scheduling of Pods by prohibiting the use of the `nodeSelector` and `nodeName` fields.

Policy Definition

/other/restrict_node_selection.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-node-selection
  annotations:
    policies.kyverno.io/title: Restrict node selection
    policies.kyverno.io/category: Sample
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      The Kubernetes scheduler uses complex logic to determine the optimal placement
      for new Pods. Users who have access to set certain fields in a Pod spec
      may sidestep this logic which in many cases is undesirable. This policy
      prevents users from targeting specific Nodes for scheduling of Pods by
      prohibiting the use of the `nodeSelector` and `nodeName` fields.
spec:
  validationFailureAction: audit
  background: false
  rules:
  - name: restrict-nodeselector
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: Setting the nodeSelector field is prohibited.
      pattern:
        spec:
          X(nodeSelector): "null"
  - name: restrict-nodename
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: Setting the nodeName field is prohibited.
      pattern:
        spec:
          X(nodeName): "null"
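As an added example, not code from the Kyverno policy page, the following Python re-implements the one pattern construct this policy relies on, the `X()` negation anchor (the anchored field must be absent from the resource), and runs both rules against two constructed Pod manifests, one pinned with `nodeName` and `nodeSelector` and one left to the scheduler. The rule and Pod dicts are constructed to mirror the YAML above, and the evaluator covers only this subset of Kyverno's pattern semantics.

```python
import re

# The two validate rules from the policy above, as Python dicts (constructed
# to mirror the page's YAML so the example runs without a YAML parser).
RULES = [
    {"name": "restrict-nodeselector",
     "message": "Setting the nodeSelector field is prohibited.",
     "pattern": {"spec": {"X(nodeSelector)": "null"}}},
    {"name": "restrict-nodename",
     "message": "Setting the nodeName field is prohibited.",
     "pattern": {"spec": {"X(nodeName)": "null"}}},
]

# Kyverno negation anchor: a key written as X(field) in a pattern.
ANCHOR = re.compile(r"^X\((?P<field>[^)]+)\)$")


def matches_pattern(pattern, obj):
    """Return True if obj satisfies pattern (subset of Kyverno semantics).

    - X(field): "null"  -> field must be absent from obj
    - plain key, dict value -> recurse; a key missing from obj fails
    - plain key, scalar value -> exact equality
    """
    if not isinstance(obj, dict):
        return False
    for key, expected in pattern.items():
        m = ANCHOR.match(key)
        if m:
            if m.group("field") in obj:  # presence of the field is the violation
                return False
            continue
        if key not in obj:
            return False
        if isinstance(expected, dict):
            if not matches_pattern(expected, obj[key]):
                return False
        elif obj[key] != expected:
            return False
    return True


def validate(resource, rules=RULES):
    """Return the messages of every rule the resource violates ([] = allowed)."""
    if resource.get("kind") != "Pod":  # both rules match only kind: Pod
        return []
    return [r["message"] for r in rules
            if not matches_pattern(r["pattern"], resource)]


# Constructed sample Pods (not from the page): one pinned, one schedulable.
PINNED_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "pinned"},
              "spec": {"nodeName": "worker-1", "nodeSelector": {"disktype": "ssd"},
                       "containers": [{"name": "app", "image": "nginx"}]}}
FREE_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "free"},
            "spec": {"containers": [{"name": "app", "image": "nginx"}]}}

if __name__ == "__main__":
    for pod in (PINNED_POD, FREE_POD):
        print(pod["metadata"]["name"], validate(pod) or "allowed")
```

With `validationFailureAction: audit` as shown, Kyverno only records violations in a PolicyReport rather than rejecting the Pod; set it to `enforce` to block the admission request.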