Kubernetes v1.36: Fine-Grained... Note

Kubernetes v1.36: Fine-Grained Kubelet API Authorization Graduates to GA

Fine-grained kubelet API authorization has reached General Availability in Kubernetes v1.36. This feature replaces the overly broad nodes/proxy permission for accessing the kubelet's HTTPS API, improving security. The initiative addresses the security risk of granting excessive permissions to monitoring tools. Prior to this, nodes/proxy was often used, which allowed command execution. Fine-grained authorization maps specific kubelet API paths to more dedicated subresources. The system performs a dual authorization check for backward compatibility. Existing workloads with nodes/proxy permissions will keep working as before. The built-in system:kubelet-api-admin ClusterRole is updated automatically. Monitoring tools can now utilize specific resources like nodes/metrics, enhancing least-privilege access. The upgrade requires no changes for most clusters. To verify the feature, you can run a pod verifying the feature flag using curl. The next steps involve more ecosystem adaption; also, deprecation of nodes/proxy may occur.