diff --git a/cluster/addons/rbac/kubelet-api-auth/kubelet-api-admin-role.yaml b/cluster/addons/rbac/kubelet-api-auth/kubelet-api-admin-role.yaml
index 4eeb7672871..b19dd0d1e7e 100644
--- a/cluster/addons/rbac/kubelet-api-auth/kubelet-api-admin-role.yaml
+++ b/cluster/addons/rbac/kubelet-api-auth/kubelet-api-admin-role.yaml
@@ -13,6 +13,5 @@ rules:
 - nodes/log
 - nodes/stats
 - nodes/metrics
- - nodes/spec
 verbs:
 - "*"
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index 85ef7b414f0..9302c0182bd 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -384,7 +384,7 @@ func ClusterRoles() []rbacv1.ClusterRole {
 rbacv1helpers.NewRule("get", "list", "watch").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
 // Allow all API calls to the nodes
 rbacv1helpers.NewRule("proxy").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
- rbacv1helpers.NewRule("*").Groups(legacyGroup).Resources("nodes/proxy", "nodes/metrics", "nodes/spec", "nodes/stats", "nodes/log").RuleOrDie(),
+ rbacv1helpers.NewRule("*").Groups(legacyGroup).Resources("nodes/proxy", "nodes/metrics", "nodes/stats", "nodes/log").RuleOrDie(),
 },
 },
 {
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
index e8d002b873b..0de6b3d58e7 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
@@ -914,7 +914,6 @@ items:
 - nodes/log
 - nodes/metrics
 - nodes/proxy
- - nodes/spec
 - nodes/stats
 verbs:
 - '*'
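Review bot: In policy.go, dropping `"nodes/spec"` from the `Resources(...)` list probably narrows the role only on clusters created after this change. As far as I know, the API server's bootstrap-role reconciliation is additive by default: it adds missing rules but does not strip extra ones. If so, a cluster upgraded across this commit would keep `*` on `nodes/spec` in its stored ClusterRole. If the intent is to revoke the permission, I would say so in the release note, so operators know to remove the rule from the existing role themselves. I would also add a comment above the rule, e.g. `// nodes/spec is intentionally not granted; auto-reconciliation does not remove it from roles created by older versions`. The enclosing ClusterRoles() function and the role's name lie outside the hunk, so which role this rule belongs to should be confirmed there.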