An organization must ensure that Kubernetes Pods subject to PCI compliance are scheduled only on designated `in-scope` Nodes, and that these `in-scope` Nodes cannot run any Pods that are not `in-scope`. How can this be implemented?

Exam-Like

Add a nodeSelector field to the pod configuration to only use the Nodes labeled inscope: true.

Create a node pool with the label inscope: true and a Pod Security Policy that only allows the Pods to run on Nodes with that label.

Place a taint on the Nodes with the label inscope: true and effect NoSchedule and a toleration to match in the Pod configuration.

Run all in-scope Pods in the namespace ג€in-scope-pciג€.

Google Professional Cloud Security Engineer