
Answer-first summary for fast verification
Answer: Place a taint on the Nodes with the label inscope: true and effect NoSchedule and a toleration to match in the Pod configuration.
The question requires ensuring that PCI-compliant Pods run only on designated 'in-scope' Nodes AND that these Nodes cannot run any non-compliant Pods. Option C (taints and tolerations) is optimal because a taint with the NoSchedule effect on the 'in-scope' Nodes repels every Pod without a matching toleration, while adding that toleration to the 'in-scope' Pods makes them the only Pods admitted to those Nodes. This enforces bidirectional isolation. Option A (nodeSelector) only steers 'in-scope' Pods toward the Nodes but does nothing to prevent other Pods from being scheduled there, violating the requirement. Option B relies on deprecated Pod Security Policies and does not guarantee node exclusivity. Option D (namespaces) provides logical separation but no node-level enforcement. The community discussion shows strong consensus for C, with high upvotes on comments explaining that taints/tolerations provide the necessary exclusivity, while nodeSelector fails to prevent other Pods from using the Nodes.
Author: LeetQuiz Editorial Team
An organization must ensure that Kubernetes Pods subject to PCI compliance are scheduled only on designated in-scope Nodes, and that these in-scope Nodes cannot run any Pods that are not in-scope. How can this be implemented?
A
Add a nodeSelector field to the pod configuration to only use the Nodes labeled inscope: true.
B
Create a node pool with the label inscope: true and a Pod Security Policy that only allows the Pods to run on Nodes with that label.
C
Place a taint on the Nodes with the label inscope: true and effect NoSchedule and a toleration to match in the Pod configuration.
D
Run all in-scope Pods in the namespace "in-scope-pci".
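Option C written out as manifests, as an added example that is not part of the LeetQuiz page; the node name, Pod name, namespace and image are assumed. It goes one step beyond the answer by also adding a nodeSelector, because a toleration permits placement on the tainted Nodes but does not require it.

```yaml
# Added example (not from the original page). inscope-node-1, pci-payment-api,
# the "pci" namespace and the image reference are assumed placeholder names.

# 1. The in-scope Node carries both the label and the NoSchedule taint.
#    Imperative equivalent:
#      kubectl label node inscope-node-1 inscope=true
#      kubectl taint node inscope-node-1 inscope=true:NoSchedule
apiVersion: v1
kind: Node
metadata:
  name: inscope-node-1
  labels:
    inscope: "true"
spec:
  taints:
    - key: inscope
      value: "true"
      effect: NoSchedule   # repels every new Pod that lacks a matching toleration;
                           # NoExecute would additionally evict Pods already running there
---
# 2. The in-scope Pod tolerates the taint, so it is admitted to the Node.
#    The toleration alone does not force it onto in-scope Nodes (a tolerating Pod
#    may still land on any other Node), so nodeSelector pins it to inscope=true.
apiVersion: v1
kind: Pod
metadata:
  name: pci-payment-api
  namespace: pci
spec:
  nodeSelector:
    inscope: "true"
  tolerations:
    - key: inscope
      operator: Equal
      value: "true"
      effect: NoSchedule
  containers:
    - name: app
      image: registry.example.com/pci/payment-api:1.0   # placeholder image
```

Verify with `kubectl describe node inscope-node-1` (the Taints line) and confirm that a Pod without the toleration stays Pending with a FailedScheduling event citing the untolerated taint.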