From 2198d0f5199fe9d33e63691d03349793ef4b2e2b Mon Sep 17 00:00:00 2001 From: PriyanshuAhlawat Date: Tue, 1 Mar 2022 18:46:53 +0530 Subject: [PATCH] Update create-cluster-kubeadm.md --- .../tools/kubeadm/create-cluster-kubeadm.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/content/en/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm.md b/content/en/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm.md index e8b0a6d1a7..aa6f99d69c 100644 --- a/content/en/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm.md +++ b/content/en/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm.md @@ -284,6 +284,15 @@ If your network is not working or CoreDNS is not in the `Running` state, check o [troubleshooting guide](/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm/) for `kubeadm`. +### Managed node labels + +By default, kubeadm enables the [NodeRestriction](/docs/reference/access-authn-authz/admission-controllers/#noderestriction) +admission controller that restricts what labels can be self-applied by kubelets on node registration. +The admission controller documentation covers what labels are permitted to be used with the kubelet `--node-labels` option. +The `node-role.kubernetes.io/control-plane` label is such a restricted label and kubeadm manually applies it using +a privileged client after a node has been created. To do that manually you can do the same by using `kubectl label` +and ensure it is using a privileged kubeconfig such as the kubeadm managed `/etc/kubernetes/admin.conf`. + ### Control plane node isolation By default, your cluster will not schedule Pods on the control-plane node for security
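Review bot: the last sentence of the new "Managed node labels" section is circular ("To do that manually you can do the same by using `kubectl label`"), and the sentence before it says kubeadm "manually applies" the label, which blurs the difference between what kubeadm does for you and what an operator does by hand. Suggest rewording the two sentences along the lines of: "The `node-role.kubernetes.io/control-plane` label is such a restricted label, and kubeadm applies it using a privileged client after a node has been created. To apply it yourself, use `kubectl label` with a privileged kubeconfig such as the kubeadm managed `/etc/kubernetes/admin.conf`." Since the text directs readers to a privileged kubeconfig, it would also help to say that this credential is needed only because NodeRestriction blocks the kubelet from self-applying the label, so readers do not take it as a general recommendation to use `admin.conf` for routine labeling. The third added line is also noticeably longer than the others in the hunk and could be wrapped to match.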