Labeling nodes with reserved labels such as fails with kubeadm error during bootstrap

Self-assigning Node labels such as using the kubelet --node-labels flag (see kubeletExtraArgs in the CABPK examples) is not possible due to a security measure imposed by the NodeRestriction admission controller that kubeadm enables by default.

Assigning such labels to Nodes must be done after the bootstrap process has completed:

kubectl label nodes <name>""

For convenience, here is an example one-liner to do this post installation

kubectl get nodes --no-headers -l '!' -o jsonpath='{range .items[*]}{}{"\n"}' | xargs -I{} kubectl label node {}''