From ad4d8f3e40e83a6c00fecd5bf0c1e7cda1b266b8 Mon Sep 17 00:00:00 2001 From: Jordan Liggitt Date: Mon, 11 Jun 2018 20:35:26 -0400 Subject: [PATCH] NodeRestriction admission prevents kubelet taint removal (#8911) --- .../docs/reference/access-authn-authz/admission-controllers.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/en/docs/reference/access-authn-authz/admission-controllers.md b/content/en/docs/reference/access-authn-authz/admission-controllers.md index 1dd0b6313ea7d..467d7be69c93b 100644 --- a/content/en/docs/reference/access-authn-authz/admission-controllers.md +++ b/content/en/docs/reference/access-authn-authz/admission-controllers.md @@ -396,6 +396,7 @@ namespace. In order to enforce integrity of that process, we strongly recommend This admission controller limits the `Node` and `Pod` objects a kubelet can modify. In order to be limited by this admission controller, kubelets must use credentials in the `system:nodes` group, with a username in the form `system:node:`. Such kubelets will only be allowed to modify their own `Node` API object, and only modify `Pod` API objects that are bound to their node. +In Kubernetes 1.11+, kubelets are not allowed to update or remove taints from their `Node` API object. Future versions may add additional restrictions to ensure kubelets have the minimal set of permissions required to operate correctly. ### OwnerReferencesPermissionEnforcement
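Review bot: the added sentence ("In Kubernetes 1.11+, kubelets are not allowed to update or remove taints from their `Node` API object.") does not say whether adding taints is still permitted, and the commit subject mentions only taint removal while the sentence also says "update"; please state explicitly which taint operations the NodeRestriction admission controller blocks for a kubelet's own `Node` object (add, update, remove) so readers know the exact boundary being enforced. The sentence also sits between "Such kubelets will only be allowed to modify their own `Node` API object ..." and "Future versions may add additional restrictions ...", which reads well, but consider placing the version qualifier in the same form the rest of this page uses for version-specific behaviour, if the page has one, rather than as an inline "1.11+".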