UPSTREAM: <carry>: noderestrictions: add node-role.kubernetes.io/* to allowed node labels

sttts · bertinatto · commit 0bb57feea8e4 · 2025-04-03T13:09:11.000-03:00
Server side validation of node labels was added in kubernetes#90307. We only disabled kubelet-side validation before to make our node role labels work. UPSTREAM: <carry>: add control plane to allow roles OpenShift-Rebase-Source: 38bfed3 OpenShift-Rebase-Source: aff4434 UPSTREAM: <carry>: Do not allow nodes to set forbidden openshift labels Signed-off-by: Harshal Patil <harpatil@redhat.com>
diff --git a/cmd/kubelet/app/options/options.go b/cmd/kubelet/app/options/options.go
@@ -155,6 +155,9 @@ func ValidateKubeletFlags(f *KubeletFlags) error {
 	invalidLabelErrs := make(map[string][]string)
 	for k, v := range f.NodeLabels {
 		if isKubernetesLabel(k) && !kubeletapis.IsKubeletLabel(k) {
+			if kubeletapis.IsForbiddenOpenshiftLabel(k) {
+				continue
+			}
 			unknownLabels.Insert(k)
 		}
 
diff --git a/plugin/pkg/admission/noderestriction/admission.go b/plugin/pkg/admission/noderestriction/admission.go
@@ -504,7 +504,7 @@ func (p *Plugin) admitNode(nodeName string, a admission.Attributes) error {
 		// Don't allow a node to register with labels outside the allowed set.
 		// This would allow a node to add or modify its labels in a way that would let it steer privileged workloads to itself.
 		modifiedLabels := getModifiedLabels(node.Labels, nil)
-		if forbiddenLabels := p.getForbiddenLabels(modifiedLabels); len(forbiddenLabels) > 0 {
+		if forbiddenLabels := p.getForbiddenLabels(modifiedLabels, a.GetOperation()); len(forbiddenLabels) > 0 {
 			return admission.NewForbidden(a, fmt.Errorf("node %q is not allowed to set the following labels: %s", nodeName, strings.Join(forbiddenLabels.List(), ", ")))
 		}
 	}
@@ -535,9 +535,10 @@ func (p *Plugin) admitNode(nodeName string, a admission.Attributes) error {
 		// Don't allow a node to update labels outside the allowed set.
 		// This would allow a node to add or modify its labels in a way that would let it steer privileged workloads to itself.
 		modifiedLabels := getModifiedLabels(node.Labels, oldNode.Labels)
-		if forbiddenUpdateLabels := p.getForbiddenLabels(modifiedLabels); len(forbiddenUpdateLabels) > 0 {
+		if forbiddenUpdateLabels := p.getForbiddenLabels(modifiedLabels, a.GetOperation()); len(forbiddenUpdateLabels) > 0 {
 			return admission.NewForbidden(a, fmt.Errorf("is not allowed to modify labels: %s", strings.Join(forbiddenUpdateLabels.List(), ", ")))
 		}
+
 	}
 
 	return nil
@@ -578,7 +579,7 @@ func getLabelNamespace(key string) string {
 }
 
 // getForbiddenLabels returns the set of labels that may not be added, removed, or modified by the node on create or update.
-func (p *Plugin) getForbiddenLabels(modifiedLabels sets.String) sets.String {
+func (p *Plugin) getForbiddenLabels(modifiedLabels sets.String, admissionOpn admission.Operation) sets.String {
 	if len(modifiedLabels) == 0 {
 		return nil
 	}
@@ -593,6 +594,11 @@ func (p *Plugin) getForbiddenLabels(modifiedLabels sets.String) sets.String {
 		// forbid kubelets from setting unknown kubernetes.io and k8s.io labels on update
 		if isKubernetesLabel(label) && !kubeletapis.IsKubeletLabel(label) {
 			// TODO: defer to label policy once available
+			if admissionOpn == admission.Create {
+				if kubeletapis.IsForbiddenOpenshiftLabel(label) {
+					continue
+				}
+			}
 			forbiddenLabels.Insert(label)
 		}
 	}
diff --git a/staging/src/k8s.io/kubelet/pkg/apis/well_known_openshift_labels.go b/staging/src/k8s.io/kubelet/pkg/apis/well_known_openshift_labels.go
@@ -0,0 +1,43 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package apis
+
+import (
+	"k8s.io/apimachinery/pkg/util/sets"
+)
+
+const (
+	NodeLabelControlPlane = "node-role.kubernetes.io/control-plane"
+	NodeLabelMaster       = "node-role.kubernetes.io/master"
+	NodeLabelWorker       = "node-role.kubernetes.io/worker"
+	NodeLabelEtcd         = "node-role.kubernetes.io/etcd"
+)
+
+var openshiftNodeLabels = sets.NewString(
+	NodeLabelControlPlane,
+	NodeLabelMaster,
+	NodeLabelWorker,
+	NodeLabelEtcd,
+)
+
+func OpenShiftNodeLabels() []string {
+	return openshiftNodeLabels.List()
+}
+
+func IsForbiddenOpenshiftLabel(label string) bool {
+	return openshiftNodeLabels.Has(label)
+}

Original file line number	Diff line number	Diff line change
`@@ -155,6 +155,9 @@ func ValidateKubeletFlags(f *KubeletFlags) error {`
`155`	`155`	`invalidLabelErrs := make(map[string][]string)`
`156`	`156`	`for k, v := range f.NodeLabels {`
`157`	`157`	`if isKubernetesLabel(k) && !kubeletapis.IsKubeletLabel(k) {`
	`158`	`+ if kubeletapis.IsForbiddenOpenshiftLabel(k) {`
	`159`	`+ continue`
	`160`	`+ }`
`158`	`161`	`unknownLabels.Insert(k)`
`159`	`162`	`}`
`160`	`163`
Original file line number	Diff line number	Diff line change
`@@ -504,7 +504,7 @@ func (p *Plugin) admitNode(nodeName string, a admission.Attributes) error {`
`504`	`504`	`// Don't allow a node to register with labels outside the allowed set.`
`505`	`505`	`// This would allow a node to add or modify its labels in a way that would let it steer privileged workloads to itself.`
`506`	`506`	`modifiedLabels := getModifiedLabels(node.Labels, nil)`
`507`		`- if forbiddenLabels := p.getForbiddenLabels(modifiedLabels); len(forbiddenLabels) > 0 {`
	`507`	`+ if forbiddenLabels := p.getForbiddenLabels(modifiedLabels, a.GetOperation()); len(forbiddenLabels) > 0 {`
`508`	`508`	`return admission.NewForbidden(a, fmt.Errorf("node %q is not allowed to set the following labels: %s", nodeName, strings.Join(forbiddenLabels.List(), ", ")))`
`509`	`509`	`}`
`510`	`510`	`}`
`@@ -535,9 +535,10 @@ func (p *Plugin) admitNode(nodeName string, a admission.Attributes) error {`
`535`	`535`	`// Don't allow a node to update labels outside the allowed set.`
`536`	`536`	`// This would allow a node to add or modify its labels in a way that would let it steer privileged workloads to itself.`
`537`	`537`	`modifiedLabels := getModifiedLabels(node.Labels, oldNode.Labels)`
`538`		`- if forbiddenUpdateLabels := p.getForbiddenLabels(modifiedLabels); len(forbiddenUpdateLabels) > 0 {`
	`538`	`+ if forbiddenUpdateLabels := p.getForbiddenLabels(modifiedLabels, a.GetOperation()); len(forbiddenUpdateLabels) > 0 {`
`539`	`539`	`return admission.NewForbidden(a, fmt.Errorf("is not allowed to modify labels: %s", strings.Join(forbiddenUpdateLabels.List(), ", ")))`
`540`	`540`	`}`
	`541`	`+`
`541`	`542`	`}`
`542`	`543`
`543`	`544`	`return nil`
`@@ -578,7 +579,7 @@ func getLabelNamespace(key string) string {`
`578`	`579`	`}`
`579`	`580`
`580`	`581`	`// getForbiddenLabels returns the set of labels that may not be added, removed, or modified by the node on create or update.`
`581`		`-func (p *Plugin) getForbiddenLabels(modifiedLabels sets.String) sets.String {`
	`582`	`+func (p *Plugin) getForbiddenLabels(modifiedLabels sets.String, admissionOpn admission.Operation) sets.String {`
`582`	`583`	`if len(modifiedLabels) == 0 {`
`583`	`584`	`return nil`
`584`	`585`	`}`
`@@ -593,6 +594,11 @@ func (p *Plugin) getForbiddenLabels(modifiedLabels sets.String) sets.String {`
`593`	`594`	`// forbid kubelets from setting unknown kubernetes.io and k8s.io labels on update`
`594`	`595`	`if isKubernetesLabel(label) && !kubeletapis.IsKubeletLabel(label) {`
`595`	`596`	`// TODO: defer to label policy once available`
	`597`	`+ if admissionOpn == admission.Create {`
	`598`	`+ if kubeletapis.IsForbiddenOpenshiftLabel(label) {`
	`599`	`+ continue`
	`600`	`+ }`
	`601`	`+ }`
`596`	`602`	`forbiddenLabels.Insert(label)`
`597`	`603`	`}`
`598`	`604`	`}`