Topic 1 Question 52
For compliance reasons, an organization needs to ensure that in-scope PCI Kubernetes Pods reside on "in-scope" Nodes only. These Nodes can only contain the "in-scope" Pods. How should the organization achieve this objective?
A. Add a nodeSelector field to the pod configuration to only use the Nodes labeled inscope: true.
B. Create a node pool with the label inscope: true and a Pod Security Policy that only allows the Pods to run on Nodes with that label.
C. Place a taint on the Nodes with the label inscope: true and effect NoSchedule and a toleration to match in the Pod configuration.
D. Run all in-scope Pods in the namespace "in-scope-pci".
Comments (13)

pythonrocks, 2021/07/07 (👍 6):
A (nodeSelector) is hard and stronger than C (Taints, which only repel) for k8s scheduling. So A.

Akku1614, 2020/09/14 (👍 4):
Answer is C, as Taint helps to repel unwanted pods and tolerance on a specific pod helps to schedule a specific pod on a tainted node.

keresh, 2021/05/16 (👍 4):
C seems to be best because you add the control on the node level; this way you make sure that it cannot be overridden by a pod configuration. "Taints and tolerations are a flexible way to steer pods away from nodes or evict pods that shouldn't be running." from https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
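As an added example (not code from the exam page or any of its commenters), the following Python models the two scheduling predicates that options A and C rely on, nodeSelector (attracts a pod to matching nodes) and NoSchedule taint plus toleration (repels pods without a matching toleration), and runs a PCI pod and an unrelated pod against a constructed two-node cluster under each approach and under both combined. It assumes the Equal toleration operator and models only the NoSchedule effect.

```python
# Added example, not code from the exam page or its commenters: a minimal model of
# two Kubernetes scheduling predicates. nodeSelector attracts a pod to nodes whose
# labels match; a NoSchedule taint repels pods that lack a matching toleration.
# Only the Equal operator with an explicit effect is modelled (assumption).
# All nodes and pods below are constructed sample data, not objects from a cluster.

def node_selector_matches(pod, node):
    """The pod's nodeSelector must be a subset of the node's labels."""
    return all(node["labels"].get(k) == v
               for k, v in pod.get("nodeSelector", {}).items())

def tolerates_taints(pod, node):
    """Every NoSchedule taint needs a toleration with the same key, value and effect."""
    tolerated = {(t["key"], t["value"], t["effect"]) for t in pod.get("tolerations", [])}
    return all((t["key"], t["value"], t["effect"]) in tolerated
               for t in node["taints"] if t["effect"] == "NoSchedule")

def schedulable_nodes(pod, nodes):
    """Names of the nodes on which the scheduler could place the pod."""
    return sorted(n["name"] for n in nodes
                  if node_selector_matches(pod, n) and tolerates_taints(pod, n))

INSCOPE_TAINT = {"key": "inscope", "value": "true", "effect": "NoSchedule"}

def simulate(use_node_selector, use_taint):
    """Place a PCI pod and an unconstrained pod on a two-node cluster under one approach.
    Returns {pod name: [node names]} so each approach's isolation gap is visible."""
    pci_node = {"name": "pci-node", "labels": {"inscope": "true"},
                "taints": [INSCOPE_TAINT] if use_taint else []}
    general_node = {"name": "general-node", "labels": {}, "taints": []}
    pci_pod = {"name": "pci-app"}
    if use_node_selector:
        pci_pod["nodeSelector"] = {"inscope": "true"}
    if use_taint:
        pci_pod["tolerations"] = [INSCOPE_TAINT]
    other_pod = {"name": "web-app"}  # ordinary workload with no scheduling constraints
    return {p["name"]: schedulable_nodes(p, [pci_node, general_node])
            for p in (pci_pod, other_pod)}

if __name__ == "__main__":
    for label, ns, taint in (("A: nodeSelector only", True, False),
                             ("C: taint + toleration only", False, True),
                             ("A and C combined", True, True)):
        print(label, simulate(ns, taint))
```

With nodeSelector alone the unrelated pod can still land on the in-scope node, with the taint alone the PCI pod can still land on the general node, and only the combination confines each pod to where the requirement says it belongs.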