Validating webhook for pods on specific nodes only


I’d like to write a validating webhook (gatekeeper policy) that applies only to pods on specific nodes. To do that, I wanted to use spec.nodeName to filter out the pods that I want to consider. This works if I manually schedule the pod on a node by specifying spec.nodeName in its manifest. When the scheduler schedules the pods though, the request seems to not hit the webhook. I see no UPDATE request coming from the scheduler either in the audit logs.

Is this a valid approach at all? How is the scheduling decision written to the Pod object?

Cluster information:

Kubernetes version: v1.21.0
Cloud being used: aws
Installation method: kops
Host OS: ubuntu
CNI and version: calico
CRI and version: docker
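An added example, not part of the original post or any answer on this page, that illustrates how the scheduling decision reaches the API server: kube-scheduler does not UPDATE the Pod object; it POSTs a v1 Binding to the pods/binding subresource, which is why a webhook that matches only `pods` sees nothing from the scheduler while a pod created with spec.nodeName already set does match. The handler below decodes both request shapes (CREATE on pods/binding, and CREATE on pods with spec.nodeName) and applies a hypothetical policy (restricted nodes may only run pods from an allow-listed namespace); the node names, namespaces and AdmissionReview samples are constructed, and the webhook rule in the docstring is an assumption about the ValidatingWebhookConfiguration you would pair it with.

```python
"""Admission handler for scheduling decisions (added example, not from the post).

kube-scheduler records its decision by creating a v1 Binding on the
pods/binding subresource, not by updating the Pod. A webhook that wants to
see placement therefore needs a rule along these lines (assumed config):

    rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      operations: ["CREATE"]
      resources: ["pods", "pods/binding"]
"""
import json

# Constructed policy data for the example.
RESTRICTED_NODES = {"ip-10-0-1-23.ec2.internal"}
NAMESPACES_ALLOWED_ON_RESTRICTED = {"kube-system"}


def target_node(request):
    """Node the request would place the pod on, or None if it does not say.

    Two shapes reach the webhook:
    * CREATE on pods/binding: request.subResource == "binding" and
      request.object is a Binding whose target names the node (scheduler path).
    * CREATE on pods with spec.nodeName set: the pod bypasses the scheduler.
    """
    obj = request.get("object") or {}
    if request.get("subResource") == "binding" and obj.get("kind") == "Binding":
        return (obj.get("target") or {}).get("name")
    if obj.get("kind") == "Pod":
        return (obj.get("spec") or {}).get("nodeName")
    return None


def evaluate(request):
    """Return (allowed, message) for one AdmissionRequest dict."""
    node = target_node(request)
    if node is None or node not in RESTRICTED_NODES:
        return True, "not placed on a restricted node"
    namespace = request.get("namespace")
    if namespace in NAMESPACES_ALLOWED_ON_RESTRICTED:
        return True, f"namespace {namespace!r} allowed on {node}"
    return False, f"namespace {namespace!r} may not run pods on restricted node {node}"


def admission_response(admission_review):
    """Build the AdmissionReview the API server expects back."""
    request = admission_review["request"]
    allowed, message = evaluate(request)
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "response": {
            "uid": request["uid"],
            "allowed": allowed,
            "status": {"message": message},
        },
    }


# Constructed sample: what the API server sends when kube-scheduler binds a pod.
BINDING_REVIEW = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "0001-constructed",
        "kind": {"group": "", "version": "v1", "kind": "Binding"},
        "resource": {"group": "", "version": "v1", "resource": "pods"},
        "subResource": "binding",
        "name": "web-0",
        "namespace": "default",
        "operation": "CREATE",
        "object": {
            "apiVersion": "v1",
            "kind": "Binding",
            "metadata": {"name": "web-0", "namespace": "default"},
            "target": {"apiVersion": "v1", "kind": "Node", "name": "ip-10-0-1-23.ec2.internal"},
        },
    },
}

# Constructed sample: a pod created with spec.nodeName already set (no scheduler involved).
POD_REVIEW = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "0002-constructed",
        "kind": {"group": "", "version": "v1", "kind": "Pod"},
        "resource": {"group": "", "version": "v1", "resource": "pods"},
        "name": "node-agent",
        "namespace": "kube-system",
        "operation": "CREATE",
        "object": {
            "apiVersion": "v1",
            "kind": "Pod",
            "metadata": {"name": "node-agent", "namespace": "kube-system"},
            "spec": {"nodeName": "ip-10-0-1-23.ec2.internal", "containers": []},
        },
    },
}

if __name__ == "__main__":
    for review in (BINDING_REVIEW, POD_REVIEW):
        print(json.dumps(admission_response(review)["response"], indent=2))
```

Because a Binding carries only the pod's name, namespace and target node, any check that needs the pod's labels or spec on the scheduler path has to fetch the Pod from the API server inside the webhook; the example keeps to fields present in the request itself.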