authz: nodes should not be able to delete themselves

[mikedanese]

@kubernetes/sig-auth-pr-reviews

legacy release note (removed because this was reverted in #63712):

kubelets are no longer allowed to delete their own Node API object. Prior to 1.11, in rare circumstances related to cloudprovider node ID changes, kubelets would attempt to delete/recreate their Node object at startup. If a legacy kubelet encounters this situation, a cluster admin can remove the Node object:
* `kubectl delete node/<nodeName>`
or grant self-deletion permission explicitly:
* `kubectl create clusterrole self-deleting-nodes --verb=delete --resource=nodes`
* `kubectl create clusterrolebinding self-deleting-nodes --clusterrole=self-deleting-nodes --group=system:nodes`

NONE

[liggitt]

TestNodeAuthorizer tests need updating

[liggitt]

updated release note, PTAL

[liggitt]

/retest

[liggitt]

cc @kubernetes/sig-node-pr-reviews

[liggitt]

for reference, the node self-deletion case that required this permission was removed in #61877

@mikedanese can you summarize your findings on when that scenario was exercised (which cloudproviders, which circumstances)?

[liggitt]

/lgtm
/hold
will hold for comments from @kubernetes/sig-node-pr-reviews

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, mikedanese

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• plugin/pkg/auth/OWNERS [liggitt]
• test/OWNERS [liggitt,mikedanese]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[mikedanese]

/retest

[mikedanese]

can you summarize your findings on when that scenario was exercised (which cloudproviders, which circumstances)?

ExternalID was immutable but we changed the format of the feature between releases for some of the cloud providers. Thus kubelet's had to delete and recreate their node object when it changed. We no longer update that field so nodes don't need the delete permission anymore.

[liggitt]

thanks for the explanation. will hold through tomorrow for comments, then tag.

[liggitt]

/hold cancel

[k8s-github-robot]

Automatic merge from submit-queue (batch tested with PRs 62590, 62818, 63015, 62922, 63000). If you want to cherry-pick this change to another branch, please follow the instructions here.