[EKS] Kubernetes Restricted Label support for Managed Node Groups

[TBBle]

Please ignore this, I opened the issue in the wrong repo. You're looking for aws/containers-roadmap#1451.

[EKS] Kubernetes Restricted Label support for Managed Node Groups

What would you like to be added:

The Managed Node Groups API current rejects labels with prefixes containing kubernetes.io/, k8s.io/, eks.amazonaws.com/. I haven't checked, but I assume this is actually matching the behaviour of the NodeRestriction Admission Controller with the addition of eks.amazonaws.com/ as a further restricted domain, as motivated by the Bounding Self-Labeling Kubelets KEP.

This restriction is not mentioned in the Cloud Formation Managed Node Group API documentation.

Why is this needed:

Although this problem has been known for a while with, e.g., eksctl and unmanaged node groups (see eksctl-io/eksctl#2363), the only current solution on the table for that is #110 which hasn't advanced in a while, sadly.

Managed Node Groups may want to implement the feature differently, or formalise/document the restrictions as "working as designed", or block the resolution on #110 (or another solution) being implemented, and eksctl has a different bug tracking this use-case for Managed Node Groups, eksctl-io/eksctl#4007.

This is different from #854 and #733, which was a request to implicitly apply the Managed Node Group's name as the node-role.kubernetes.io/-prefixed label. This feature request is for general support of otherwise-restricted label prefixes (including node-role.kubernetes.io) in the Labels field of the Managed Node Group API.

/kind feature