Restrict control plane scheduling
Scheduling non-system Pods to control plane nodes (which run kubelet) is often undesirable because it takes away resources from the control plane components and can represent a possible security threat vector. This policy prevents users from setting a toleration in a Pod spec which allows running on control plane nodes with the taint key `node-role.kubernetes.io/master`.
Policy Definition
/other/restrict-controlplane-scheduling/restrict-controlplane-scheduling.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-controlplane-scheduling
  annotations:
    policies.kyverno.io/title: Restrict control plane scheduling
    policies.kyverno.io/category: Sample
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/description: >-
      Scheduling non-system Pods to control plane nodes (which run kubelet) is often undesirable
      because it takes away resources from the control plane components and can represent
      a possible security threat vector. This policy prevents users from setting a toleration
      in a Pod spec which allows running on control plane nodes
      with the taint key `node-role.kubernetes.io/master`.
spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: restrict-controlplane-scheduling-master
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: Pods may not use tolerations which schedule on control plane nodes.
      pattern:
        spec:
          =(tolerations):
          - key: "!node-role.kubernetes.io/master"
  - name: restrict-controlplane-scheduling-control-plane
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: Pods may not use tolerations which schedule on control plane nodes.
      pattern:
        spec:
          =(tolerations):
          - key: "!node-role.kubernetes.io/control-plane"
```
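To see what the two rules accept and reject, here is an added checker (example code, not part of the policy or of Kyverno) that mirrors their intent offline over constructed Pod manifests: a Pod with no `tolerations` passes, as the `=(tolerations)` conditional anchor implies, and any toleration carrying either control plane taint key fails the corresponding rule. The handling of a key-less `operator: Exists` toleration is this example's own stricter choice, since in Kubernetes such a toleration matches every taint.

```python
# Added example, not the policy page's or Kyverno's own code. Assumption: every
# toleration in spec.tolerations is checked against both taint keys; a Pod with
# no tolerations passes (the =(tolerations) anchor applies only when present).

CONTROL_PLANE_KEYS = {
    "restrict-controlplane-scheduling-master": "node-role.kubernetes.io/master",
    "restrict-controlplane-scheduling-control-plane": "node-role.kubernetes.io/control-plane",
}
MESSAGE = "Pods may not use tolerations which schedule on control plane nodes."


def violated_rules(pod: dict) -> list[str]:
    """Return the names of the rules this Pod manifest violates (empty = pass)."""
    tolerations = pod.get("spec", {}).get("tolerations")
    if tolerations is None:
        return []  # conditional anchor: nothing to validate without tolerations
    failed = []
    for rule, taint_key in CONTROL_PLANE_KEYS.items():
        for tol in tolerations:
            # Example's own stricter choice: a toleration with no key and
            # operator Exists tolerates every taint, control plane ones included.
            wildcard = "key" not in tol and tol.get("operator") == "Exists"
            if tol.get("key") == taint_key or wildcard:
                failed.append(rule)
                break
    return failed


def audit(pods: list[dict]) -> dict:
    """Map Pod name -> violated rules, like an Audit-mode report would list."""
    return {p["metadata"]["name"]: violated_rules(p) for p in pods}


def pod(name: str, tolerations=None) -> dict:
    """Build a constructed sample Pod manifest (not a real workload)."""
    spec = {"containers": [{"name": "app", "image": "busybox"}]}
    if tolerations is not None:
        spec["tolerations"] = tolerations
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name}, "spec": spec}


SAMPLE_PODS = [  # constructed inputs covering the pass and fail cases
    pod("no-tolerations"),
    pod("tolerates-master", [{"key": "node-role.kubernetes.io/master", "operator": "Exists"}]),
    pod("tolerates-control-plane", [{"key": "node-role.kubernetes.io/control-plane", "operator": "Exists"}]),
    pod("tolerates-everything", [{"operator": "Exists"}]),
    pod("tolerates-other-taint", [{"key": "dedicated", "operator": "Equal", "value": "gpu"}]),
]

if __name__ == "__main__":
    for name, rules in audit(SAMPLE_PODS).items():
        print(f"{name}: {'PASS' if not rules else MESSAGE + ' ' + str(rules)}")
```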