
Explanation:
The question requires ensuring that PCI-compliant Pods run only on designated 'in-scope' Nodes AND that these Nodes cannot run any non-compliant Pods. Option C (using taints and tolerations) is optimal because applying a taint with NoSchedule effect on 'in-scope' Nodes repels all Pods without a matching toleration, while adding the toleration to 'in-scope' Pods allows only them to be scheduled. This enforces bidirectional isolation. Option A (nodeSelector) only ensures 'in-scope' Pods target the Nodes but doesn't prevent other Pods from being scheduled there, violating the requirement. Option B uses deprecated Pod Security Policies and doesn't guarantee node exclusivity. Option D (namespaces) provides logical separation but no node-level enforcement. The community discussion shows strong consensus for C, with high upvotes on comments explaining that taints/tolerations provide the necessary exclusivity, while nodeSelector fails to prevent other Pods from using the Nodes.
An organization must ensure that Kubernetes Pods subject to PCI compliance are scheduled only on designated in-scope Nodes, and that these in-scope Nodes cannot run any Pods that are not in-scope. How can this be implemented?
A
Add a nodeSelector field to the pod configuration to only use the Nodes labeled inscope: true.
B
Create a node pool with the label inscope: true and a Pod Security Policy that only allows the Pods to run on Nodes with that label.
C
Place a taint on the Nodes with the label inscope: true and effect NoSchedule and a toleration to match in the Pod configuration.
D
Run all in-scope Pods in the namespace "in-scope-pci".
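As an added example that is not part of the original question page, the following Python models the kube-scheduler's taint/toleration and nodeSelector predicates on constructed node and Pod specs for options A and C. It goes slightly beyond the answer key: it also shows that a toleration only permits placement on the tainted Node, so pinning in-scope Pods to those Nodes still needs a nodeSelector alongside the toleration.

```python
# Added example (constructed specs, not from the page): a minimal model of the
# scheduler checks behind this question, so options A and C can be compared.

NODE_TAINT = {"key": "inscope", "value": "true", "effect": "NoSchedule"}
IN_SCOPE_TOLERATION = {"key": "inscope", "operator": "Equal",
                       "value": "true", "effect": "NoSchedule"}

def tolerates(taint, toleration):
    """Kubernetes matching rules: an empty effect matches any effect;
    operator Exists ignores value (and an empty key matches any taint)."""
    if toleration.get("effect") and toleration["effect"] != taint["effect"]:
        return False
    if toleration.get("operator", "Equal") == "Exists":
        return not toleration.get("key") or toleration["key"] == taint["key"]
    return (toleration.get("key") == taint["key"]
            and toleration.get("value") == taint.get("value"))

def can_schedule(pod, node):
    """Hard predicates only: every NoSchedule/NoExecute taint must be
    tolerated and every nodeSelector label must be present on the node."""
    for taint in node.get("taints", []):
        if taint["effect"] == "PreferNoSchedule":  # soft preference, not a block
            continue
        if not any(tolerates(taint, t) for t in pod.get("tolerations", [])):
            return False
    labels = node.get("labels", {})
    return all(labels.get(k) == v for k, v in pod.get("nodeSelector", {}).items())

def placements(pod, nodes):
    """Names of the nodes the scheduler would consider for this pod."""
    return [n["name"] for n in nodes if can_schedule(pod, n)]

# Constructed clusters: option A leaves the PCI node untainted, option C taints it.
GENERAL_NODE = {"name": "gen-node", "labels": {}, "taints": []}
NODES_A = [{"name": "pci-node", "labels": {"inscope": "true"}, "taints": []},
           GENERAL_NODE]
NODES_C = [{"name": "pci-node", "labels": {"inscope": "true"}, "taints": [NODE_TAINT]},
           GENERAL_NODE]

OTHER_POD = {}  # ordinary workload: no selector, no toleration
PCI_POD_A = {"nodeSelector": {"inscope": "true"}}              # option A
PCI_POD_C = {"tolerations": [IN_SCOPE_TOLERATION]}             # option C as written
PCI_POD_C_PINNED = {"tolerations": [IN_SCOPE_TOLERATION],      # option C + selector
                    "nodeSelector": {"inscope": "true"}}
```

Running `placements(OTHER_POD, NODES_A)` shows the nodeSelector-only design lets an ordinary Pod land on pci-node, while under NODES_C the taint repels it; `PCI_POD_C_PINNED` is the combination that both excludes other Pods and keeps in-scope Pods off the general Node.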