openshift-docs/modules/nodes-scheduler-node-projects-about.adoc

// Module included in the following assemblies:
//
// * nodes/nodes-scheduler-node-projects.adoc

[id="nodes-scheduler-node-projects-about_{context}"]
= Understanding how to constrain pods by project name

The Pod Node Selector admission controller determines where a pod can be placed using labels on projects and node selectors specified in pods. A new pod will be placed on a node associated with a project only if the node selectors in the pod match the labels in the project.

After the pod is created, the node selectors are merged into the pod so that the pod specification includes the labels originally included in the specification and any new labels from the node selectors. The example below illustrates the merging effect.

The Pod Node Selector admission controller also allows you to create a list of labels that are permitted in a specific project. This list acts as a whitelist that lets developers know what labels are acceptable to use in a project and gives administrators greater control over labeling in a cluster.

The Pod Node Selector uses the annotation key `scheduler.alpha.kubernetes.io/node-selector` to assign node selectors to namespaces.

[source,yaml]
----
apiVersion: v1
kind: Namespace
metadata:
  annotations:
    scheduler.alpha.kubernetes.io/node-selector: name-of-node-selector
  name: namespace3
----

This admission controller has the following behavior:

. If the Namespace has an annotation with a key scheduler.alpha.kubernetes.io/node-selector, use its value as the node selector.
. If the namespace lacks such an annotation, use the clusterDefaultNodeSelector defined in the PodNodeSelector plugin configuration file as the node selector.
. Evaluate the pod’s node selector against the namespace node selector for conflicts. Conflicts result in rejection.
. Evaluate the pod’s node selector against the namespace-specific whitelist defined the plugin configuration file. Conflicts result in rejection.