Restrict node selection

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata:
 4  name: restrict-node-selection
 5  annotations:
 6    policies.kyverno.io/title: Restrict node selection
 7    policies.kyverno.io/category: Sample
 8    policies.kyverno.io/subject: Pod
 9    policies.kyverno.io/minversion: 1.6.0
10    policies.kyverno.io/description: >-
11      The Kubernetes scheduler uses complex logic to determine the optimal placement
12      for new Pods. Users who have access to set certain fields in a Pod spec
13      may sidestep this logic which in many cases is undesirable. This policy
14      prevents users from targeting specific Nodes for scheduling of Pods by
15      prohibiting the use of the `nodeSelector` and `nodeName` fields. Note that
16      this policy is only designed to work on initial creation and not in background
17      mode.
18spec:
19  validationFailureAction: Audit
20  background: false
21  rules:
22  - name: restrict-nodeselector
23    match:
24      any:
25      - resources:
26          kinds:
27          - Pod
28    preconditions:
29      all:
30      - key: "{{request.operation || 'BACKGROUND'}}"
31        operator: Equals
32        value: CREATE
33    validate:
34      message: Setting the nodeSelector field is prohibited.
35      pattern:
36        spec:
37          X(nodeSelector): "null"
38  - name: restrict-nodename
39    match:
40      any:
41      - resources:
42          kinds:
43          - Pod
44    preconditions:
45      all:
46      - key: "{{request.operation || 'BACKGROUND'}}"
47        operator: Equals
48        value: CREATE
49    validate:
50      message: Setting the nodeName field is prohibited.
51      pattern:
52        spec:
53          X(nodeName): "null"