1. Proposed title of this feature request

Enforce node scheduling based on user or group membership

3. What is the nature and description of the request?

Customer is running a centralized, multi-tenant oepnshift environment whereby each of their own customers has dedicated nodes within a specific dedicated subnet. 

It should be possible for users to self-provision projects and for these to be only scheduled within their dedicated nodes. As such, it would be useful to be able to specify default node selectors for a project based on a user or group. 

This is not currently possible when using identity providers other than LDAP, for which they have a workaround in place at the moment.

4. Why does the customer need this? (List the business requirements here)

Currently, they are labeling customer nodes with e.g username=allowed for each of that customers users. Then. in the project request template, they add the annotaion for node-selector to be {PROJECT-REQUESTING-USER}=allowed. That way, even as a self-provisioned project, users will always schedule pods on the right nodes. 

While this works for LDAP, when using Azure Active Directory, the usernames contain "@" which is an invalid character for labelling nodes.

Unless the customer restricts themselves to using LDAP, there's no good way for them to enable users to self-provision projects and guarantee that these will be scheduled on the correct nodes. In order to make their service more user friendly they would like to use different identity providers other than LDAP.

5. How would the customer like to achieve this? (List the functional requirements here)

6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?

No

10. List any affected packages or components.

node