[Question] Is there a way to enforce only matching resources on a set of nodes? #85
Description
OK, the question isn't the greatest 😬 - I'll try to explain a bit more:
We have a separate set of "build" nodes for CI/CD, but this could be applied to any scenario where you have a separate set of tainted nodes.
These nodes are typically short-lived and are used to allow docker-in-docker reducing the risk that a malicious app or user could run containers that potentially compromise or cause issues for other containers running on the host's Docker daemon.
We use nodeSelector, taints and tolerations to ensure that build agents run on build nodes and no other workloads get scheduled there.
It'd be nice if we could specifically deny (or allow) resources to run on these nodes with k-rail, and allow docker socket mounts on these nodes only based on label or taint. I'm not sure if this ability exists already or if it's a feature that others. would be interested in?
I can write a policy up for this and submit a PR?