I’m wondering if there is a way to constrain containers that are executed on a host from the host side.
I know using labels, I can restrict a service to execute on certain hosts, but what I’m looking for is a way to say that a host only accepts containers with a certain label. This would allow me to do some scheduling without having to add a specific label to each and every service definition.
The use case here is that I want to deploy a new host into my cluster, let’s say it’s a machine in AWS that I am providing a specific IAM profile to allow access to certain resources.
I then want to specify a label on this host that would prevent any containers from running on it unless the service had the matching label. This would prevent other services except those explicitly whitelisted from being executed on the host and thus gaining the elevated IAM permissions from the host.
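The scheduling rule described in the question (service-side "run me on a host with label X" plus host-side "only accept services carrying label Y") spelled out as a small admission check. This is an added illustration, not a feature of any orchestrator; the `Host`, `Service`, `require_any` and `host_constraints` names and the sample hosts and services are constructed for the example. The point it makes is the default-deny direction: a host that declares `require_any` rejects every service that does not opt in, so an IAM-privileged host cannot pick up an unlabelled service by accident.

```python
from dataclasses import dataclass, field

@dataclass
class Host:
    name: str
    labels: dict                               # key -> value, as set on the host
    # Host-side gate (hypothetical): "key=value" strings; a service must carry
    # at least one of them or it is refused. Empty set means "accept anything".
    require_any: set = field(default_factory=set)

@dataclass
class Service:
    name: str
    labels: dict                               # key -> value on the service
    # Service-side affinity: host labels the service insists on (key -> value).
    host_constraints: dict = field(default_factory=dict)

def _pairs(items):
    """Split 'key=value' strings into (key, value) tuples."""
    for item in items:
        key, _, value = item.partition("=")
        yield key, value

def host_accepts(host: Host, service: Service) -> bool:
    """Host-side check: does this host allow this service at all?"""
    if not host.require_any:
        return True                            # unrestricted host
    # Default deny: the service must opt in with one of the required labels.
    return any(service.labels.get(k) == v for k, v in _pairs(host.require_any))

def service_fits(host: Host, service: Service) -> bool:
    """Service-side check: does the host satisfy the service's own constraints?"""
    return all(host.labels.get(k) == v for k, v in service.host_constraints.items())

def schedulable_hosts(service: Service, hosts: list) -> list:
    """Names of hosts on which the service may run (both checks must pass)."""
    return [h.name for h in hosts if host_accepts(h, service) and service_fits(h, service)]

# Constructed sample cluster: one ordinary host and one host with an IAM profile
# that only admits services explicitly labelled allow.iam-host=true.
HOSTS = [
    Host("general-1", {"zone": "a"}),
    Host("iam-worker-1", {"zone": "a", "iam.profile": "s3-reader"},
         require_any={"allow.iam-host=true"}),
]

SERVICES = {
    # Unlabelled service: must never land on the IAM host.
    "web": Service("web", {}),
    # Opted-in service that also insists on the IAM-profiled host.
    "ingest": Service("ingest", {"allow.iam-host": "true"},
                      host_constraints={"iam.profile": "s3-reader"}),
    # Opted in but with no affinity: may run on either host.
    "batch": Service("batch", {"allow.iam-host": "true"}),
}

def placement() -> dict:
    """Service name -> list of admissible host names for the sample cluster."""
    return {name: schedulable_hosts(svc, HOSTS) for name, svc in SERVICES.items()}

if __name__ == "__main__":
    for name, hosts in placement().items():
        print(f"{name:>7}: {hosts or 'no admissible host'}")
```

Running it shows `web` confined to `general-1`, `ingest` confined to `iam-worker-1`, and `batch` admissible on both; a service that carries neither the opt-in label nor a satisfiable affinity gets an empty list, which is the outcome a scheduler should treat as "do not place" rather than fall back to any host.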