Upstream project node selector until #17097 is more general #17151

Closed
@smarterclayton

Description

Origin project node selector allows an admin to:

  • guarantee non cluster-admin pods can NOT land on a subset of nodes unless the admin wishes it
  • ensure a namespace is forced to land pods on a default set of nodes

Until initializers are possible, or LimitRange is more flexible #17097, admins cannot isolate pods away from infra by default.

Add an optional admission controller that uses a cluster default node selector, or looks for a namespace specific annotation, as the base node selector, and appends (or fails when conflicting) the pod's selector onto that set. Allows Origin to run on Kube.

Example:

  • admin wants to run cluster infra on the cluster. They set cluster default to infra: false
  • all namespaces now append infra: false to any pod node selector, or fail if the user sets infra: true
  • admin sets annotation infra: true on default namespace, and creates pods that target infra: true automatically
  • regular users still cannot target infra: true

Other examples include dev node labels, prod node labels, etc.

@derekwaynecarr discussed as a tactical path before initializers.
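
The merge rule the issue describes (base selector from the cluster default or a namespace annotation, pod selector appended, conflicts rejected), as an added Go sketch that is not code from the issue or from Kubernetes/Origin. The annotation key `example.invalid/node-selector`, the `k=v,k=v` selector string format, and the function names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Hypothetical annotation key; the issue does not name one.
const nsSelectorKey = "example.invalid/node-selector"

// parseSelector turns "k1=v1,k2=v2" (assumed format) into a label map.
func parseSelector(s string) (map[string]string, error) {
	out := map[string]string{}
	for _, pair := range strings.Split(s, ",") {
		if pair = strings.TrimSpace(pair); pair == "" {
			continue
		}
		kv := strings.SplitN(pair, "=", 2)
		if len(kv) != 2 || kv[0] == "" {
			return nil, fmt.Errorf("malformed selector term %q", pair)
		}
		out[kv[0]] = kv[1]
	}
	return out, nil
}

// admit returns the node selector a pod is admitted with, or an error on conflict.
func admit(clusterDefault string, nsAnnotations, podSelector map[string]string) (map[string]string, error) {
	raw := clusterDefault
	if v, ok := nsAnnotations[nsSelectorKey]; ok {
		raw = v // a namespace annotation replaces the cluster default as the base
	}
	base, err := parseSelector(raw)
	if err != nil {
		return nil, err
	}
	for k, v := range podSelector {
		if want, ok := base[k]; ok && want != v {
			return nil, fmt.Errorf("pod selector %s=%s conflicts with required %s=%s", k, v, k, want)
		}
		base[k] = v // non-conflicting pod terms are appended to the base
	}
	return base, nil
}

func main() { // constructed inputs mirroring the issue's infra example
	fmt.Println(admit("infra=false", nil, map[string]string{"disk": "ssd"}))
	fmt.Println(admit("infra=false", nil, map[string]string{"infra": "true"}))
	fmt.Println(admit("infra=false", map[string]string{nsSelectorKey: "infra=true"}, nil))
}
```

Only an admin who can set the namespace annotation changes the base; a regular user's `infra: true` in a pod spec is rejected rather than silently overridden.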

Metadata

Labels

  • area/admin: Indicates an issue on admin area.
  • kind/feature: Categorizes issue or PR as related to a new feature.
  • priority/backlog: Higher priority than priority/awaiting-more-evidence.
  • sig/scheduling: Categorizes an issue or PR as relevant to SIG Scheduling.
