Information
Limit the 'Node' and 'Pod' objects that a kubelet could modify.
Rationale:
Using the 'NodeRestriction' plug-in ensures that the kubelet is restricted to the 'Node' and 'Pod' objects that it could modify as defined. Such kubelets will only be allowed to modify their own 'Node' API object, and only modify 'Pod' API objects that are bound to their node.
Solution
Follow the Kubernetes documentation and configure 'NodeRestriction' plug-in on kubelets. Then, edit the API server pod specification file '/etc/kubernetes/manifests/kube-apiserver.yaml' on the master node and set the '--enable-admission-plugins' parameter to a value that includes 'NodeRestriction'.
--enable-admission-plugins=...,NodeRestriction,...