use node-restriction.kubernetes.io/ labels #1

Closed
AkihiroSuda opened this issue Sep 6, 2019 · 3 comments
Labels
enhancement New feature or request

Comments

@AkihiroSuda
Owner

https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-isolation-restriction

@AkihiroSuda AkihiroSuda added the enhancement New feature or request label Sep 6, 2019
@AkihiroSuda
Owner Author

Seems not supported by GKE as of writing.

Node pool with node-restriction.kubernetes.io/-prefixed labels can't be added successfully to the cluster.

@AkihiroSuda
Owner Author

Maybe we don't need this, we can just validate requests from system:node in our own webhook.
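
The check proposed in the comment above, sketched as an added example (not the project's own code): it rejects a Node `UPDATE` in which a kubelet identity (username `system:node:<name>`) changes the `ipp` label named later in this thread. The type names, `reviewNodeUpdate`, `sample` and the constructed request bodies are hypothetical; only the AdmissionReview field names are Kubernetes' own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal subset of an admission.k8s.io/v1 AdmissionReview (hypothetical local types).
type node struct {
	Metadata struct {
		Labels map[string]string `json:"labels"`
	} `json:"metadata"`
}

type review struct {
	Request struct {
		Operation string `json:"operation"`
		UserInfo  struct {
			Username string `json:"username"`
		} `json:"userInfo"`
		Object    node `json:"object"`
		OldObject node `json:"oldObject"`
	} `json:"request"`
}

const guardedLabel = "ipp" // label key taken from this thread

// reviewNodeUpdate returns (allowed, reason) for a raw AdmissionReview body.
func reviewNodeUpdate(body []byte) (bool, string) {
	var ar review
	if err := json.Unmarshal(body, &ar); err != nil {
		return false, "malformed AdmissionReview" // fail closed
	}
	r := ar.Request
	fromNode := strings.HasPrefix(r.UserInfo.Username, "system:node:") // kubelet identity
	oldV, oldOK := r.OldObject.Metadata.Labels[guardedLabel]
	newV, newOK := r.Object.Metadata.Labels[guardedLabel]
	if fromNode && r.Operation == "UPDATE" && (oldOK != newOK || oldV != newV) {
		return false, fmt.Sprintf("%s may not change label %q", r.UserInfo.Username, guardedLabel)
	}
	return true, ""
}

// sample builds a constructed Node UPDATE request for the given user and label values.
func sample(user, oldV, newV string) []byte {
	return []byte(fmt.Sprintf(`{"request":{"operation":"UPDATE","userInfo":{"username":%q},"oldObject":{"metadata":{"labels":{"ipp":%q}}},"object":{"metadata":{"labels":{"ipp":%q}}}}}`, user, oldV, newV))
}
func main() { fmt.Println(reviewNodeUpdate(sample("system:node:node-a", "true", "false"))) }
```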

@AkihiroSuda
Owner Author

This is not needed for ipp=true node label (v0.1.1).

Even if a compromised node modifies the label, the node can't get unexpected pods to be scheduled, because the node is still tainted with ipp=true:NoSchedule, and the node can't modify the taint since Kubernetes v1.11.
