Skip to content

Commit

Permalink
NodeRestriction admission prevents kubelet taint removal
Browse files Browse the repository at this point in the history
  • Loading branch information
liggitt committed Jun 5, 2018
1 parent ef11602 commit cc7230a
Showing 1 changed file with 1 addition and 0 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -396,6 +396,7 @@ namespace. In order to enforce integrity of that process, we strongly recommend
This admission controller limits the `Node` and `Pod` objects a kubelet can modify. In order to be limited by this admission controller,
kubelets must use credentials in the `system:nodes` group, with a username in the form `system:node:<nodeName>`.
Such kubelets will only be allowed to modify their own `Node` API object, and only modify `Pod` API objects that are bound to their node.
In Kubernetes 1.11+, Kubelets are not allowed to update or remove taints from their `Node` API object.
Future versions may add additional restrictions to ensure kubelets have the minimal set of permissions required to operate correctly.

### OwnerReferencesPermissionEnforcement
Expand Down

0 comments on commit cc7230a

Please sign in to comment.