Purpose: learned it once, writing it down again so it sticks longer? xD
- The content comes from: https://killercoda.com/killer-shell-cks . When I get too bored, I need to do something useful rather than play games all day...
- Question: Ok, don't tell shit, what is NodeRestriction?
- Answer: Sure, it is an Admission Plugin in K8s.
- Question: What is the Admission Plugin? Tell everything about it, don't make me type a question again!
- Answer: An admission plugin is code inside the kube-apiserver that intercepts an API request after it has been authenticated and authorized, but before the object is persisted to etcd. A validating plugin can reject the request, a mutating plugin can change it. Read more about it in this link: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/
- Question: Okay, but what do you want to write here?
- Answer: Just a little knowledge that I want to save for myself in case I forget it in the near future >.>
Ok, no more tasteless jokes... I was trying to close the gap in my knowledge of K8s
What is NodeRestriction?
NodeRestriction is a Kubernetes admission controller that limits which Node and Pod objects a kubelet can modify: a kubelet may only change its own Node object and the Pods bound to its node. That stops a compromised node from relabeling itself into a trusted pool or tampering with other nodes, i.e. it prevents privilege escalation from a single kubelet credential.
Security Problem
In Kubernetes 1.33 the kube-apiserver binary does NOT enable NodeRestriction by default (it is not in the default admission plugin list; kubeadm-built clusters add it to the generated manifest, so check your own rather than assume), creating a security gap where...
How it works
- Ref: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#noderestriction
- Prevents kubelets from adding, removing or updating labels with the node-restriction.kubernetes.io/ prefix. That prefix is reserved for administrators to label Node objects for workload isolation, so a kubelet can never give its own node a label that a nodeSelector or affinity rule trusts. The plugin also limits a kubelet to modifying only its own Node object and the Pods bound to it, and blocks kubelet changes to most kubernetes.io/ and k8s.io/ labels (kubernetes.io/hostname, kubernetes.io/os, the topology labels and a few others are on an allowlist). That is the important point; the rest is in the Kubernetes document linked above.
- Enable it by adding NodeRestriction to the --enable-admission-plugins flag in the kube-apiserver static Pod manifest. The plugin recognises a kubelet by its identity (username system:node:<nodeName>, group system:nodes), so pair it with the Node authorizer (--authorization-mode includes Node), which relies on the same identity (Ref: https://kubernetes.io/docs/reference/access-authn-authz/node/)
# /etc/kubernetes/manifests/kube-apiserver.yaml
spec:
  containers:
  - command:
    - kube-apiserver
    - --authorization-mode=Node,....
    - --enable-admission-plugins=NodeRestriction,....,....
- Test it by running kubectl with the kubelet's own credentials, because NodeRestriction only judges requests made with a kubelet identity; the same commands from an admin kubeconfig are not affected (that is the point of the reserved prefix). On a kubeadm node the kubelet kubeconfig is /etc/kubernetes/kubelet.conf:
export KUBECONFIG=/etc/kubernetes/kubelet.conf   # run this on worker01 itself
# This will be BLOCKED after enabling NodeRestriction (reserved prefix):
kubectl label node worker01 node-restriction.kubernetes.io/sensitive=true
# This will be BLOCKED too (a kubelet may only modify its own Node object; worker02 stands for any other node):
kubectl label node worker02 team=blue
# This will be ALLOWED (kubernetes.io/hostname is on the kubelet allowlist; an unprefixed label on its own node would be allowed as well):
kubectl label node worker01 kubernetes.io/hostname=custom-name
What am I missing?
- Probably something with the kubelet's system:nodes group and system:node:<nodeName> username, but at this time I don't understand it enough to write it down here.
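A model of the admission decision, added here as an example (it is not code from the Kubernetes project or from the KillerCoda scenario), covering the label rules from "How it works" and the kubelet identity from "What am I missing?": it takes the request's user (username and groups), the target node, and the old and new label sets, and answers allow or deny the way NodeRestriction would. The node and user names (worker01, worker02, kubernetes-admin) are made up, the allowlist is copied from the documentation, and only Node labels are modelled, not the plugin's Pod, Secret or ConfigMap checks.

```python
"""Model of the NodeRestriction admission decision for Node label changes.

Added illustration, not code from the Kubernetes project: it reimplements in
simplified form the label rules NodeRestriction applies to a request made with
a kubelet identity (username system:node:<nodeName>, group system:nodes).
Node and user names below are constructed for the example.
"""
from dataclasses import dataclass

# Prefix reserved for administrators: a kubelet may not add, change or remove it.
RESTRICTED_PREFIX = "node-restriction.kubernetes.io/"

# kubernetes.io/ and k8s.io/ labels a kubelet may still set on its own node
# (the allowlist from the NodeRestriction documentation).
ALLOWED_KUBERNETES_LABELS = {
    "kubernetes.io/hostname",
    "kubernetes.io/arch",
    "kubernetes.io/os",
    "beta.kubernetes.io/instance-type",
    "node.kubernetes.io/instance-type",
    "failure-domain.beta.kubernetes.io/region",
    "failure-domain.beta.kubernetes.io/zone",
    "topology.kubernetes.io/region",
    "topology.kubernetes.io/zone",
}
# Any label under [*.]kubelet.kubernetes.io/ or [*.]node.kubernetes.io/ is also allowed.
ALLOWED_KUBERNETES_DOMAINS = ("kubelet.kubernetes.io", "node.kubernetes.io")


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset


def kubelet_node_name(user):
    """Return the node a kubelet identity speaks for, or None for any other user."""
    if "system:nodes" in user.groups and user.name.startswith("system:node:"):
        return user.name[len("system:node:"):]
    return None


def _in_kubernetes_namespace(prefix):
    return prefix in ("kubernetes.io", "k8s.io") or prefix.endswith((".kubernetes.io", ".k8s.io"))


def kubelet_may_set_label(key):
    """Decide whether a kubelet may add, change or remove label `key` on its own node."""
    if key.startswith(RESTRICTED_PREFIX):
        return False
    prefix = key.split("/", 1)[0] if "/" in key else ""
    if not _in_kubernetes_namespace(prefix):
        return True  # unprefixed and third-party labels are not restricted
    if key in ALLOWED_KUBERNETES_LABELS:
        return True
    return any(prefix == d or prefix.endswith("." + d) for d in ALLOWED_KUBERNETES_DOMAINS)


def admit_node_labels(user, node_name, old_labels, new_labels, plugin_enabled=True):
    """Return (allowed, reason) for a request that changes a Node's labels.

    Only requests carrying a kubelet identity are judged; anyone else (for
    example an admin running kubectl) is left to RBAC, which is why an admin
    can still set node-restriction.kubernetes.io/ labels.
    """
    kubelet_node = kubelet_node_name(user)
    if kubelet_node is None:
        return True, "not a kubelet identity; NodeRestriction does not apply"
    if not plugin_enabled:
        return True, "NodeRestriction disabled: kubelet request passes admission unchecked"
    if node_name != kubelet_node:
        return False, f"{user.name} may only modify Node {kubelet_node}, not {node_name}"
    changed = {k for k in set(old_labels) | set(new_labels) if old_labels.get(k) != new_labels.get(k)}
    for key in sorted(changed):
        if not kubelet_may_set_label(key):
            return False, f"kubelet may not add, change or remove label {key}"
    return True, "allowed"


# Constructed identities: an admin kubeconfig user and the kubelet of worker01.
ADMIN = User("kubernetes-admin", frozenset({"system:masters", "system:authenticated"}))
KUBELET_WORKER01 = User("system:node:worker01", frozenset({"system:nodes", "system:authenticated"}))
BASE_LABELS = {"kubernetes.io/hostname": "worker01", "kubernetes.io/os": "linux"}


def with_label(labels, key, value):
    """Copy `labels` with one label added or changed."""
    out = dict(labels)
    out[key] = value
    return out


if __name__ == "__main__":
    sensitive = with_label(BASE_LABELS, "node-restriction.kubernetes.io/sensitive", "true")
    for who, node, new in [
        (ADMIN, "worker01", sensitive),
        (KUBELET_WORKER01, "worker01", sensitive),
        (KUBELET_WORKER01, "worker01", with_label(BASE_LABELS, "kubernetes.io/hostname", "custom-name")),
        (KUBELET_WORKER01, "worker02", with_label(BASE_LABELS, "team", "blue")),
        (KUBELET_WORKER01, "worker01", with_label(BASE_LABELS, "node-role.kubernetes.io/control-plane", "")),
    ]:
        print(who.name, node, admit_node_labels(who, node, BASE_LABELS, new))
```

Running it prints the decision for the same label change made once with the admin identity and once with the kubelet identity, which is the part the kubectl test above hides: the plugin never looks at what kubectl is, only at who the API server thinks is calling. Calling admit_node_labels with plugin_enabled=False shows the gap from the "Security Problem" section: the kubelet's reserved-prefix label then goes straight through admission.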
How to practice?
- Go to: KillerCoda --> Killer Shell CKS --> Apiserver NodeRestriction
- Perfect place to learn from real scenarios without installing anything, just from your browser!