Restrict control plane scheduling

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata:
 4  name: restrict-controlplane-scheduling
 5  annotations:
 6    policies.kyverno.io/title: Restrict control plane scheduling
 7    policies.kyverno.io/category: Sample
 8    policies.kyverno.io/subject: Pod
 9    policies.kyverno.io/minversion: 1.6.0
10    policies.kyverno.io/description: >-
11      Scheduling non-system Pods to control plane nodes (which run kubelet) is often undesirable
12      because it takes away resources from the control plane components and can represent
13      a possible security threat vector. This policy prevents users from setting a toleration
14      in a Pod spec which allows running on control plane nodes
15      with the taint key `node-role.kubernetes.io/master`.
16spec:
17  validationFailureAction: Audit
18  background: true
19  rules:
20  - name: restrict-controlplane-scheduling-master
21    match:
22      any:
23      - resources:
24          kinds:
25          - Pod
26    validate:
27      message: Pods may not use tolerations which schedule on control plane nodes.
28      pattern:
29        spec:
30          =(tolerations):
31            - key: "!node-role.kubernetes.io/master"
32  - name: restrict-controlplane-scheduling-control-plane
33    match:
34      any:
35      - resources:
36          kinds:
37          - Pod
38    validate:
39      message: Pods may not use tolerations which schedule on control plane nodes.
40      pattern:
41        spec:
42          =(tolerations):
43            - key: "!node-role.kubernetes.io/control-plane"