For compliance reasons, an organization needs to ensure that in-scope PCI Kubernetes Pods reside on `in-scope` Nodes only. These Nodes can only contain the `in-scope` Pods. How should the organization achieve this objective?
A.
Add a nodeSelector field to the pod configuration to only use the Nodes labeled inscope: true.
B.
Create a node pool with the label inscope: true and a Pod Security Policy that only allows the Pods to run on Nodes with that label.
C.
Place a taint on the Nodes with the label inscope: true and effect NoSchedule and a toleration to match in the Pod configuration.
D.
Run all in-scope Pods in the namespace "in-scope-pci".
[A] Correct answer. This is a typical use case for node selector.
https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
[B] The Pod Security Policy is designed to block the creation of misconfigured pods on certain clusters. This does not meet the requirements.
[C] Taint will no longer place pods without the "inscope" label on that node, but it does not guarantee that pods with the "inscope" label will be placed on that node.
[D] Placing the "in scope" node in the namespace "in-scope-pci" may meet the requirement, but [A] takes precedence.
Using a node selector does not prevent other pods from being scheduled in the pci-scope nodes. However, a taint and toleration would ensure that only the pods with the toleration can be scheduled in the pci-scope nodes.
Why the other options are less suitable:
A. nodeSelector: While nodeSelector can help target pods to specific nodes, it doesn't prevent other pods from being scheduled on those nodes if they fit the node's resources.
B. Node pool and Pod Security Policy: Pod Security Policies are deprecated in newer Kubernetes versions, and node pools alone won't guarantee the required isolation.
D. Namespace: Namespaces provide logical separation but don't inherently enforce node-level restrictions.
C. Place a taint on the Nodes with the label inscope: true and effect NoSchedule and a toleration to match in the Pod configuration: This is the best solution. Taints and tolerations work together to ensure that Pods are not scheduled onto inappropriate nodes. By placing a taint on the Nodes, you are essentially marking them so that they repel all Pods that don't have a matching toleration. With this method, only Pods with the correct toleration can be scheduled on in-scope Nodes, ensuring compliance.
A nodeSelector configuration is from a pod template perspective. This question asks to PRESERVE some nodes for specific pods, so this is the main utilization for TAINT. This is a conceptual question and the answer is C.
nodeSelector is the simplest recommended form of node selection constraint. You can add the nodeSelector field to your Pod specification and specify the node labels you want the target node to have. Kubernetes only schedules the Pod onto nodes that have each of the labels you specify. => https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
Tolerations are applied to pods. Tolerations allow the scheduler to schedule pods with matching taints. Tolerations allow scheduling but don't guarantee scheduling: the scheduler also evaluates other parameters as part of its function. => https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
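The two points raised in the comments above (a nodeSelector alone does not keep other pods off the in-scope nodes, and a toleration alone does not guarantee a pod lands on them) can be checked with a small model of the scheduler's filters. This is an added example, not code from the page or from Kubernetes; the node and pod specs are constructed, and only the nodeSelector and NoSchedule taint checks are modelled.

```python
# Added example: a minimal model of two kube-scheduler filters, nodeSelector
# matching and NoSchedule taint/toleration checks, run over constructed Node and
# Pod specs. It shows why the PCI requirement needs BOTH a nodeSelector (pods
# only go to in-scope nodes) and a taint (in-scope nodes repel everything else).

def tolerates(toleration, taint):
    """Toleration matching as documented: empty key matches every key, operator
    Exists ignores the value, empty effect matches every effect."""
    if toleration.get("key") and toleration["key"] != taint["key"]:
        return False
    if toleration.get("effect") and toleration["effect"] != taint["effect"]:
        return False
    if toleration.get("operator", "Equal") == "Equal" and \
            toleration.get("value") != taint.get("value"):
        return False
    return True

def schedulable(pod, node):
    """True if the pod passes the nodeSelector and NoSchedule-taint filters."""
    selector = pod.get("nodeSelector", {})
    if any(node["labels"].get(k) != v for k, v in selector.items()):
        return False
    for taint in node.get("taints", []):
        if taint["effect"] != "NoSchedule":
            continue  # PreferNoSchedule/NoExecute are not modelled here
        if not any(tolerates(t, taint) for t in pod.get("tolerations", [])):
            return False
    return True

def feasible_nodes(pod, nodes):
    """Sorted names of the nodes the pod could be placed on."""
    return sorted(n["name"] for n in nodes if schedulable(pod, n))

# Constructed cluster: one labelled AND tainted in-scope node, one general node.
PCI_TAINT = {"key": "inscope", "value": "true", "effect": "NoSchedule"}
NODES = [
    {"name": "pci-node", "labels": {"inscope": "true"}, "taints": [PCI_TAINT]},
    {"name": "general-node", "labels": {}, "taints": []},
]
# Constructed pods: the compliant one carries both a nodeSelector and a toleration.
PCI_TOLERATION = {"key": "inscope", "operator": "Equal", "value": "true",
                  "effect": "NoSchedule"}
PCI_POD = {"name": "pci-app", "nodeSelector": {"inscope": "true"},
           "tolerations": [PCI_TOLERATION]}
TOLERATION_ONLY_POD = {"name": "pci-app-no-selector", "tolerations": [PCI_TOLERATION]}
OTHER_POD = {"name": "web"}

if __name__ == "__main__":
    for pod in (PCI_POD, TOLERATION_ONLY_POD, OTHER_POD):
        print(pod["name"], "->", feasible_nodes(pod, NODES))
```

Dropping the taint from `pci-node` lets the `web` pod land there, and dropping the nodeSelector from the PCI pod lets it land on `general-node`; only the combination satisfies both halves of the requirement.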
https://redhat-scholars.github.io/kubernetes-tutorial/kubernetes-tutorial/taints-affinity.html
A Taint is applied to a Kubernetes Node that signals the scheduler to avoid or not schedule certain Pods.
A Toleration is applied to a Pod definition and provides an exception to the taint.
https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
Node affinity is a property of Pods that attracts them to a set of nodes (either as a preference or a **hard requirement**).
Taints are the opposite -- they allow a node to repel a set of pods.
Answer should be C. "These Nodes can only contain the "in-scope" Pods." - this can only be achieved by taints and tolerations.