Remove self-deletion permissions from kubelets #71021
What type of PR is this?
What this PR does / why we need it:
Removes the ability of kubelets to delete their own Node API objects. Kubelets stopped doing this in 1.11, which means a 1.13 API server no longer needs to grant them this permission.
This closes a method by which a kubelet on a compromised node could delete and recreate its Node object, effectively removing any taints the cluster administrator had added to the Node object.
Which issue(s) this PR fixes (optional, in
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: liggitt
The full list of commands accepted by this bot can be found here.
The pull request process is described here.
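A detection sketch for the behaviour the PR description covers, added here as an example and not part of the PR or the Kubernetes code base: it scans API server audit log lines for a kubelet identity (`system:node:<name>`) deleting the Node object of the same name and reports whether each request was allowed or denied. The log lines are constructed samples, and the names `auditEvent` and `selfDeletes` are hypothetical.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// auditEvent is the subset of an audit.k8s.io/v1 Event this check reads
// (encoding/json matches the lowerCamel JSON keys case-insensitively).
type auditEvent struct {
	Stage, Verb    string
	User           struct{ Username string }
	ObjectRef      struct{ Resource, Name string }
	ResponseStatus struct{ Code int }
}

// Constructed sample audit lines, not taken from a real cluster.
const sampleLog = `{"stage":"RequestReceived","verb":"delete","user":{"username":"system:node:worker-1"},"objectRef":{"resource":"nodes","name":"worker-1"}}
{"stage":"ResponseComplete","verb":"delete","user":{"username":"system:node:worker-1"},"objectRef":{"resource":"nodes","name":"worker-1"},"responseStatus":{"code":200}}
{"stage":"ResponseComplete","verb":"delete","user":{"username":"system:node:worker-2"},"objectRef":{"resource":"nodes","name":"worker-2"},"responseStatus":{"code":403}}
{"stage":"ResponseComplete","verb":"delete","user":{"username":"admin"},"objectRef":{"resource":"nodes","name":"worker-3"},"responseStatus":{"code":200}}`

// selfDeletes returns "<node>:allowed" or "<node>:denied" for every completed
// request in which a kubelet identity tried to delete its own Node object.
func selfDeletes(log string) []string {
	var hits []string
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		var ev auditEvent
		if json.Unmarshal(sc.Bytes(), &ev) != nil || ev.Stage != "ResponseComplete" {
			continue
		}
		node := strings.TrimPrefix(ev.User.Username, "system:node:")
		if node == ev.User.Username || ev.Verb != "delete" ||
			ev.ObjectRef.Resource != "nodes" || ev.ObjectRef.Name != node {
			continue // not a kubelet, or not a delete of its own Node
		}
		outcome := "denied"
		if c := ev.ResponseStatus.Code; c >= 200 && c < 300 {
			outcome = "allowed"
		}
		hits = append(hits, node+":"+outcome)
	}
	return hits
}

func main() { fmt.Println(selfDeletes(sampleLog)) }
```

An `allowed` result means the API server still grants the permission this PR removes; a `denied` result is still worth triage, since the description notes kubelets stopped issuing this request in 1.11.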