Kubernetes v1.36 graduates fine-grained kubelet API authorization to General Availability (GA).
- The feature graduated from alpha (v1.32) through beta (v1.33) to GA, with its feature gate locked to enabled
- It enables precise least-privilege access control over the kubelet HTTPS API, replacing the overly broad nodes/proxy permission
- It addresses a WebSocket RCE vulnerability in which the nodes/proxy GET permission alone was enough to execute commands in any container
- The kubelet performs two authorization checks: the fine-grained subresource first, then a fallback to nodes/proxy for backward compatibility
- Monitoring agents can now use restricted permissions such as nodes/metrics and nodes/stats instead of nodes/proxy
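An added example, not from the original article or the Kubernetes project: a small audit that reports which ClusterRoles can still GET nodes/proxy, so they can be reviewed for replacement with nodes/metrics or nodes/stats. The role names and JSON are constructed sample data shaped like `kubectl get clusterroles -o json` output, and the matching logic is a simplified model of RBAC rule evaluation (an assumption, not the authorizer's code).

```python
import json

# Constructed sample, shaped like `kubectl get clusterroles -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "legacy-monitoring"},
   "rules": [{"apiGroups": [""], "resources": ["nodes/proxy"], "verbs": ["get"]}]},
  {"metadata": {"name": "scoped-monitoring"},
   "rules": [{"apiGroups": [""], "resources": ["nodes/metrics", "nodes/stats"], "verbs": ["get"]}]},
  {"metadata": {"name": "wildcard-sub"},
   "rules": [{"apiGroups": ["*"], "resources": ["*/proxy"], "verbs": ["*"]}]},
  {"metadata": {"name": "apps-only"},
   "rules": [{"apiGroups": ["apps"], "resources": ["*"], "verbs": ["get"]}]}
]}
""")

# Node subresources named in the summary above.
KUBELET_SUBRESOURCES = ("proxy", "metrics", "stats")

def rule_grants(rule, subresource, verb="get"):
    """Simplified RBAC match: does this rule allow <verb> on nodes/<subresource>?"""
    # Nodes live in the core API group, written "" in RBAC rules.
    if not {"", "*"} & set(rule.get("apiGroups") or []):
        return False
    if not {verb, "*"} & set(rule.get("verbs") or []):
        return False
    # A rule matches via "*", the exact name, or the "*/<subresource>" form.
    wanted = {"*", f"nodes/{subresource}", f"*/{subresource}"}
    return bool(wanted & set(rule.get("resources") or []))

def kubelet_get_scopes(role):
    """List the kubelet-related node subresources a role can GET."""
    rules = role.get("rules") or []  # aggregated roles may carry null rules
    return sorted(f"nodes/{s}" for s in KUBELET_SUBRESOURCES
                  if any(rule_grants(r, s) for r in rules))

def audit(role_list):
    """Map each role that can GET nodes/proxy to all of its kubelet scopes."""
    report = {}
    for role in role_list.get("items", []):
        scopes = kubelet_get_scopes(role)
        if "nodes/proxy" in scopes:
            report[role["metadata"]["name"]] = scopes
    return report

if __name__ == "__main__":
    for name, scopes in audit(SAMPLE).items():
        print(f"{name}: can GET {', '.join(scopes)}; review for nodes/metrics or nodes/stats")
```

The audit covers ClusterRole rules only; which subjects actually hold a flagged role depends on the bindings that reference it.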
This summary was automatically generated by AI based on the original article and may not be fully accurate.