Merge pull request #121767 from mtaufen/noderestriction-comment

Add comment in noderestriction on Node-bound tokens
This commit is contained in:
Kubernetes Prow Robot 2023-12-13 23:54:25 +01:00 committed by GitHub
commit 06d559018c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -577,6 +577,12 @@ func (p *Plugin) admitServiceAccount(nodeName string, a admission.Attributes) er
return admission.NewForbidden(a, fmt.Errorf("node requested token bound to a pod scheduled on a different node"))
}
// Note: A token may only be bound to one object at a time. By requiring
// the Pod binding, noderestriction eliminates the opportunity to spoof
// a Node binding. Instead, kube-apiserver automatically infers and sets
// the Node binding when it receives a Pod binding. See:
// https://github.com/kubernetes/kubernetes/issues/121723 for more info.
return nil
}
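Review bot: The new comment sits on the success path at the end of admitServiceAccount, several checks away from the Pod-binding requirement it explains, so a reader landing on the check itself will not see the rationale; consider placing it (or a one-line pointer) directly above the check that rejects a token request lacking a Pod binding, which lies outside this hunk. The sentence "eliminates the opportunity to spoof a Node binding" would also read more precisely if it named the rejected case, e.g. `// Because the Pod binding is required above, a node cannot request a token carrying only a Node binding (which it could otherwise set to an arbitrary node name).` — assuming that is the check's actual behavior, which this hunk does not show. The rest of admitServiceAccount, including the check being described, starts outside the hunk.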