From ab1eb8ff244a066ef9827a74cee0693bf34e4702 Mon Sep 17 00:00:00 2001
From: Michael Taufen
Date: Mon, 6 Nov 2023 18:04:10 +0000
Subject: [PATCH] Add comment in noderestriction on Node-bound-tokens

Explains why we don't explicitly prevent cross-node bindings in noderestriction (it's already implicitly enforced).
---
 plugin/pkg/admission/noderestriction/admission.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/plugin/pkg/admission/noderestriction/admission.go b/plugin/pkg/admission/noderestriction/admission.go
index fca23475120..dc8ac71dcde 100644
--- a/plugin/pkg/admission/noderestriction/admission.go
+++ b/plugin/pkg/admission/noderestriction/admission.go
@@ -577,6 +577,12 @@ func (p *Plugin) admitServiceAccount(nodeName string, a admission.Attributes) er
 return admission.NewForbidden(a, fmt.Errorf("node requested token bound to a pod scheduled on a different node"))
 }
+ // Note: A token may only be bound to one object at a time. By requiring
+ // the Pod binding, noderestriction eliminates the opportunity to spoof
+ // a Node binding. Instead, kube-apiserver automatically infers and sets
+ // the Node binding when it receives a Pod binding. See:
+ // https://github.com/kubernetes/kubernetes/issues/121723 for more info.
+
 return nil
 }
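Review bot: The added comment rests on the premise that noderestriction requires a Pod binding on node-issued token requests, but nothing in this hunk shows where that requirement is enforced; the only visible check is the one just above, which rejects a Pod binding for a pod scheduled on a different node. The enforcing check is presumably earlier in admitServiceAccount, whose body starts outside the hunk, so a reader landing at the new comment cannot confirm the invariant it relies on. It would help to anchor the note to that check rather than leaving it implicit, e.g. opening with `// Note: the Pod binding is required by the check earlier in this function.` before the explanation of why a spoofed Node binding is therefore not possible. Keeping the security argument and its enforcing line co-located makes it harder for a later refactor of the earlier check to silently invalidate this comment.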