
NodeRestriction Admission Controller Plugin: Update and Patch Pod Permissions #124094

Open
valafon opened this issue Mar 28, 2024 · 5 comments
Labels
sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/node Categorizes an issue or PR as relevant to SIG Node. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments


valafon commented Mar 28, 2024

Hello, community! We've encountered the following issue: in our Kubernetes cluster, there was a need to grant a certain plugin the same rights as kubelet to add specific annotations to a pod, depending on which node it has been scheduled to. The plugin works if we create a cluster role and a service account with rights to update/patch a pod. However, the problem is that, in such a case, it has the ability to modify pods across the entire cluster, which is unsafe. To solve this problem, so that annotations could be changed only on the node where it is running, we decided to use the NodeRestriction plugin, just as it works out of the box for kubelet (using a certificate in the system:nodes group and common name system:node:node_name). The issue is that, out of the box, system:node only has rights to create/delete pods. But even if I add the system:nodes group rights on the update/patch verbs, the NodeRestriction admission controller still intervenes and forbids pod updates, with this error:
Failed due to pods "pod-name" is forbidden: unexpected operation "UPDATE", node "node123" can only create and delete mirror pods.
I looked into the documentation and also studied the source code, and it seems that NodeRestriction lacks ways to add additional allowed verbs for pod modifications. Dear community, has anyone solved this problem? Is there a way to deal with this issue out of the box, without rewriting the NodeRestriction code?

@k8s-ci-robot k8s-ci-robot added needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Mar 28, 2024
valafon (Author) commented Mar 28, 2024

/sig auth
/sig node

@k8s-ci-robot k8s-ci-robot added sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/node Categorizes an issue or PR as relevant to SIG Node. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Mar 28, 2024
aramase (Member) commented Apr 1, 2024

/assign

(comment on using VAP)

enj (Member) commented Apr 2, 2024

xref: openshift/origin#28673

enj (Member) commented Apr 3, 2024

@valafon the approach described in kubevirt/kubevirt#9109 (comment) should handle your use case.
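As an added illustration (not code from this thread, from the kubevirt comment, or from any project), here is one way a ValidatingAdmissionPolicy can scope a plugin's pod update/patch rights to its own node, which is the restriction the original post wants from NodeRestriction. It assumes a Kubernetes release whose pod-bound service account tokens populate `authentication.kubernetes.io/node-name` in `request.userInfo.extra` (the ServiceAccountTokenPodNodeInfo feature), a plugin that runs as a per-node pod, and the placeholder service account `kube-system:node-annotator`; PATCH requests reach admission as the UPDATE operation, which is why only UPDATE is matched.

```yaml
# Added example: deny pod updates from the per-node plugin unless the target pod
# is scheduled to the node the caller's service account token is bound to.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: node-scoped-pod-patch
spec:
  # Fail closed: if the policy cannot be evaluated, the update is rejected.
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["UPDATE"]   # PATCH is presented to admission as UPDATE
        resources: ["pods"]
  # Only evaluate requests from the plugin's service account (placeholder name);
  # kubelet, controllers and humans are left to NodeRestriction and RBAC.
  matchConditions:
    - name: from-node-plugin
      expression: >-
        request.userInfo.username == 'system:serviceaccount:kube-system:node-annotator'
  validations:
    # The caller's token must carry a node name (assumed extra key), and the pod
    # being modified (taken from the pre-update object) must live on that node.
    - expression: >-
        has(request.userInfo.extra) &&
        'authentication.kubernetes.io/node-name' in request.userInfo.extra &&
        oldObject.spec.nodeName in request.userInfo.extra['authentication.kubernetes.io/node-name']
      message: "node-scoped plugin may only update pods scheduled to its own node"
---
# The policy is inert until it is bound; Deny makes violations hard failures.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: node-scoped-pod-patch
spec:
  policyName: node-scoped-pod-patch
  validationActions: [Deny]
```

The RBAC grant to the service account still has to cover update/patch on pods cluster-wide, so the policy is what narrows the blast radius; it does not by itself limit which fields the plugin may change, so a further validation would be needed if only annotations should be writable.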

stlaz (Member) commented Apr 8, 2024

/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Apr 8, 2024
Projects
Status: Backlog
5 participants