UPSTREAM: <carry>: noderestrictions: add node-role.kubernetes.io/* to allowed node labels

sttts · bertinatto · commit 669d3aecec70 · 2025-10-08T11:47:50.000-03:00
Server side validation of node labels was added in kubernetes#90307. We only disabled kubelet-side validation before to make our node role labels work. UPSTREAM: <carry>: add control plane to allow roles OpenShift-Rebase-Source: 38bfed3 OpenShift-Rebase-Source: aff4434 UPSTREAM: <carry>: Do not allow nodes to set forbidden openshift labels Signed-off-by: Harshal Patil <harpatil@redhat.com>
diff --git a/cmd/kubelet/app/options/options.go b/cmd/kubelet/app/options/options.go
@@ -150,6 +150,9 @@ func ValidateKubeletFlags(f *KubeletFlags) error {
 	invalidLabelErrs := make(map[string][]string)
 	for k, v := range f.NodeLabels {
 		if isKubernetesLabel(k) && !kubeletapis.IsKubeletLabel(k) {
+			if kubeletapis.IsForbiddenOpenshiftLabel(k) {
+				continue
+			}
 			unknownLabels.Insert(k)
 		}
 
diff --git a/plugin/pkg/admission/noderestriction/admission.go b/plugin/pkg/admission/noderestriction/admission.go
@@ -520,7 +520,7 @@ func (p *Plugin) admitNode(nodeName string, a admission.Attributes) error {
 		// Don't allow a node to register with labels outside the allowed set.
 		// This would allow a node to add or modify its labels in a way that would let it steer privileged workloads to itself.
 		modifiedLabels := getModifiedLabels(node.Labels, nil)
-		if forbiddenLabels := p.getForbiddenLabels(modifiedLabels); len(forbiddenLabels) > 0 {
+		if forbiddenLabels := p.getForbiddenLabels(modifiedLabels, a.GetOperation()); len(forbiddenLabels) > 0 {
 			return admission.NewForbidden(a, fmt.Errorf("node %q is not allowed to set the following labels: %s", nodeName, strings.Join(forbiddenLabels.List(), ", ")))
 		}
 	}
@@ -556,9 +556,10 @@ func (p *Plugin) admitNode(nodeName string, a admission.Attributes) error {
 		// Don't allow a node to update labels outside the allowed set.
 		// This would allow a node to add or modify its labels in a way that would let it steer privileged workloads to itself.
 		modifiedLabels := getModifiedLabels(node.Labels, oldNode.Labels)
-		if forbiddenUpdateLabels := p.getForbiddenLabels(modifiedLabels); len(forbiddenUpdateLabels) > 0 {
+		if forbiddenUpdateLabels := p.getForbiddenLabels(modifiedLabels, a.GetOperation()); len(forbiddenUpdateLabels) > 0 {
 			return admission.NewForbidden(a, fmt.Errorf("is not allowed to modify labels: %s", strings.Join(forbiddenUpdateLabels.List(), ", ")))
 		}
+
 	}
 
 	return nil
@@ -599,7 +600,7 @@ func getLabelNamespace(key string) string {
 }
 
 // getForbiddenLabels returns the set of labels that may not be added, removed, or modified by the node on create or update.
-func (p *Plugin) getForbiddenLabels(modifiedLabels sets.String) sets.String {
+func (p *Plugin) getForbiddenLabels(modifiedLabels sets.String, admissionOpn admission.Operation) sets.String {
 	if len(modifiedLabels) == 0 {
 		return nil
 	}
@@ -614,6 +615,11 @@ func (p *Plugin) getForbiddenLabels(modifiedLabels sets.String) sets.String {
 		// forbid kubelets from setting unknown kubernetes.io and k8s.io labels on update
 		if isKubernetesLabel(label) && !kubeletapis.IsKubeletLabel(label) {
 			// TODO: defer to label policy once available
+			if admissionOpn == admission.Create {
+				if kubeletapis.IsForbiddenOpenshiftLabel(label) {
+					continue
+				}
+			}
 			forbiddenLabels.Insert(label)
 		}
 	}
diff --git a/staging/src/k8s.io/kubelet/pkg/apis/well_known_openshift_labels.go b/staging/src/k8s.io/kubelet/pkg/apis/well_known_openshift_labels.go
@@ -0,0 +1,43 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package apis
+
+import (
+	"k8s.io/apimachinery/pkg/util/sets"
+)
+
+const (
+	NodeLabelControlPlane = "node-role.kubernetes.io/control-plane"
+	NodeLabelMaster       = "node-role.kubernetes.io/master"
+	NodeLabelWorker       = "node-role.kubernetes.io/worker"
+	NodeLabelEtcd         = "node-role.kubernetes.io/etcd"
+)
+
+var openshiftNodeLabels = sets.NewString(
+	NodeLabelControlPlane,
+	NodeLabelMaster,
+	NodeLabelWorker,
+	NodeLabelEtcd,
+)
+
+func OpenShiftNodeLabels() []string {
+	return openshiftNodeLabels.List()
+}
+
+func IsForbiddenOpenshiftLabel(label string) bool {
+	return openshiftNodeLabels.Has(label)
+}

Original file line number	Diff line number	Diff line change
`@@ -150,6 +150,9 @@ func ValidateKubeletFlags(f *KubeletFlags) error {`
`150`	`150`	`invalidLabelErrs := make(map[string][]string)`
`151`	`151`	`for k, v := range f.NodeLabels {`
`152`	`152`	`if isKubernetesLabel(k) && !kubeletapis.IsKubeletLabel(k) {`
	`153`	`+ if kubeletapis.IsForbiddenOpenshiftLabel(k) {`
	`154`	`+ continue`
	`155`	`+ }`
`153`	`156`	`unknownLabels.Insert(k)`
`154`	`157`	`}`
`155`	`158`
Original file line number	Diff line number	Diff line change
`@@ -520,7 +520,7 @@ func (p *Plugin) admitNode(nodeName string, a admission.Attributes) error {`
`520`	`520`	`// Don't allow a node to register with labels outside the allowed set.`
`521`	`521`	`// This would allow a node to add or modify its labels in a way that would let it steer privileged workloads to itself.`
`522`	`522`	`modifiedLabels := getModifiedLabels(node.Labels, nil)`
`523`		`- if forbiddenLabels := p.getForbiddenLabels(modifiedLabels); len(forbiddenLabels) > 0 {`
	`523`	`+ if forbiddenLabels := p.getForbiddenLabels(modifiedLabels, a.GetOperation()); len(forbiddenLabels) > 0 {`
`524`	`524`	`return admission.NewForbidden(a, fmt.Errorf("node %q is not allowed to set the following labels: %s", nodeName, strings.Join(forbiddenLabels.List(), ", ")))`
`525`	`525`	`}`
`526`	`526`	`}`
`@@ -556,9 +556,10 @@ func (p *Plugin) admitNode(nodeName string, a admission.Attributes) error {`
`556`	`556`	`// Don't allow a node to update labels outside the allowed set.`
`557`	`557`	`// This would allow a node to add or modify its labels in a way that would let it steer privileged workloads to itself.`
`558`	`558`	`modifiedLabels := getModifiedLabels(node.Labels, oldNode.Labels)`
`559`		`- if forbiddenUpdateLabels := p.getForbiddenLabels(modifiedLabels); len(forbiddenUpdateLabels) > 0 {`
	`559`	`+ if forbiddenUpdateLabels := p.getForbiddenLabels(modifiedLabels, a.GetOperation()); len(forbiddenUpdateLabels) > 0 {`
`560`	`560`	`return admission.NewForbidden(a, fmt.Errorf("is not allowed to modify labels: %s", strings.Join(forbiddenUpdateLabels.List(), ", ")))`
`561`	`561`	`}`
	`562`	`+`
`562`	`563`	`}`
`563`	`564`
`564`	`565`	`return nil`
`@@ -599,7 +600,7 @@ func getLabelNamespace(key string) string {`
`599`	`600`	`}`
`600`	`601`
`601`	`602`	`// getForbiddenLabels returns the set of labels that may not be added, removed, or modified by the node on create or update.`
`602`		`-func (p *Plugin) getForbiddenLabels(modifiedLabels sets.String) sets.String {`
	`603`	`+func (p *Plugin) getForbiddenLabels(modifiedLabels sets.String, admissionOpn admission.Operation) sets.String {`
`603`	`604`	`if len(modifiedLabels) == 0 {`
`604`	`605`	`return nil`
`605`	`606`	`}`
`@@ -614,6 +615,11 @@ func (p *Plugin) getForbiddenLabels(modifiedLabels sets.String) sets.String {`
`614`	`615`	`// forbid kubelets from setting unknown kubernetes.io and k8s.io labels on update`
`615`	`616`	`if isKubernetesLabel(label) && !kubeletapis.IsKubeletLabel(label) {`
`616`	`617`	`// TODO: defer to label policy once available`
	`618`	`+ if admissionOpn == admission.Create {`
	`619`	`+ if kubeletapis.IsForbiddenOpenshiftLabel(label) {`
	`620`	`+ continue`
	`621`	`+ }`
	`622`	`+ }`
`617`	`623`	`forbiddenLabels.Insert(label)`
`618`	`624`	`}`
`619`	`625`	`}`