Limit node access to API

[saad-ali]

Limit node access to API

• One-line feature description (can be used as a release note):
  • A new Node authorization mode and NodeRestriction admission plugin, when used in combination, limit nodes' access to specific APIs, so that they may only modify their own Node API object, only modify Pod objects bound to themselves, and only retrieve secrets and configmaps referenced by pods bound to themselves.
• Primary contact (assignee):
  • @liggitt, @saad-ali
• Responsible SIGs:
  • sig/auth
• KEP: https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/0000-20170814-bounding-self-labeling-kubelets.md
• Design proposal link (community repo):
  • Scoped Kubelet API Access community#585
  • design: reduce scope of node on node object community#911
• Reviewer(s) - (for LGTM) recommend having 2+ reviewers (at least one from code-area OWNERS file) agreed to review. Reviewers from multiple companies preferred:
  • @deads2k
  • @timstclair
  • @ericchiang
• Approver (likely from SIG/area to which feature belongs):
  • @smarterclayton
• Feature target (which target equals to which milestone):
  • 1.7
    • node authorizer and noderestriction admission beta release
  • 1.13
    • continued beta work
    • restrict node label addition (design: reduce scope of node on node object community#911)
  • 1.14
    • restrict node address self-modification
    • stable release

[liggitt]

c.f. kubernetes/kubernetes#40476

[liggitt]

c.f. kubernetes/community#585