mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-12-26 13:22:55 +00:00
a9fbeef694
Automatic merge from submit-queue (batch tested with PRs 41535, 45985, 45929, 45948, 46056) NodeRestriction admission plugin Adds an optional `NodeRestriction` admission plugin that limits identifiable kubelets to mutating their own Node object, and Pod objects bound to their node. This is the admission portion of https://github.com/kubernetes/community/blob/master/contributors/design-proposals/kubelet-authorizer.md and kubernetes/features#279 ```release-note The `NodeRestriction` admission plugin limits the `Node` and `Pod` objects a kubelet can modify. In order to be limited by this admission plugin, kubelets must use credentials in the `system:nodes` group, with a username in the form `system:node:<nodeName>`. Such kubelets will only be allowed to modify their own `Node` API object, and only modify `Pod` API objects that are bound to their node. ```