This repository has been archived by the owner on Jan 12, 2023. It is now read-only.
[Question] Is there a way to enforce only matching resources on a set of nodes? #85
Comments
|
I've thought about deploying OPA Gatekeeper and scribing up some rego, but I'd like to extend k-rail where it makes sense to do so and contribute back to the community that uses it :) |
|
This does not currently exist but would be a welcome feature addition. Here are a few things to look at to enable it:
|
|
👋 The k-rail project has been deprecated and is no longer under active development. We recommend taking a look at OPA Gatekeeper to see if it might meet your needs going forward. Thanks for your contribution(s) to the project! |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
OK, the question isn't the greatest 😬 - I'll try to explain a bit more:
We have a separate set of "build" nodes for CI/CD, but this could be applied to any scenario where you have a separate set of tainted nodes.
These nodes are typically short-lived and are used to allow docker-in-docker reducing the risk that a malicious app or user could run containers that potentially compromise or cause issues for other containers running on the host's Docker daemon.
We use
nodeSelector,taintsandtolerationsto ensure that build agents run on build nodes and no other workloads get scheduled there.It'd be nice if we could specifically deny (or allow) resources to run on these nodes with k-rail, and allow docker socket mounts on these nodes only based on label or taint. I'm not sure if this ability exists already or if it's a feature that others. would be interested in?
I can write a policy up for this and submit a PR?
The text was updated successfully, but these errors were encountered: