@gambol99
Last active October 5, 2018 10:08
# KOPS Cluster Spec

# enable the node authorization service
nodeAuthorization:
  nodeAuthorizer: {}

# Technically only the above is required, as everything else gets defaulted.
# But given how kops works, if you specify the sections below the defaults
# don't get carried through, so you need to apply the settings below yourself.

# enable bootstrap token auth on the kube-apiserver
kubeAPIServer:
  enableBootstrapTokenAuth: true
  enableAdmissionPlugins:
  - Initializers
  - NodeRestriction # <-- this is the one you want
  - MutatingAdmissionWebhook
  - NamespaceLifecycle
  - LimitRanger
  - ServiceAccount
  - PersistentVolumeLabel
  - DefaultStorageClass
  - ResourceQuota
  - DefaultTolerationSeconds
  - ValidatingAdmissionWebhook

# enable the tokencleaner controller on the kube-controller-manager.
# this is used to clean up expired bootstrap tokens
# PLEASE NOTE - as of writing this (02/10/18) the `controllers` flag only exists on
# the master branch and hasn't been cut into a release yet.
kubeControllerManager:
  controllers:
  - "*"
  - tokencleaner
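
An added example, not part of the original gist or of kops: a small check that takes a cluster spec already parsed into a dict and reports which of the settings above are missing. It assumes, following the gist's comment, that a section you specify yourself does not inherit the kops defaults; `check_spec` and both sample specs are constructed for illustration.

```python
# Added example: lint a parsed kops cluster spec for the settings in this gist.
# Assumption (from the gist's comment): a section you specify yourself does
# not inherit kops defaults, so every section that is present must be complete.

def check_spec(spec):
    """Return a list of findings; an empty list means nothing is missing."""
    findings = []
    if "nodeAuthorizer" not in (spec.get("nodeAuthorization") or {}):
        findings.append("nodeAuthorization.nodeAuthorizer is not set")

    api = spec.get("kubeAPIServer")
    if api is not None:  # section given explicitly: defaults are not applied
        if api.get("enableBootstrapTokenAuth") is not True:
            findings.append("kubeAPIServer.enableBootstrapTokenAuth is not true")
        if "NodeRestriction" not in (api.get("enableAdmissionPlugins") or []):
            findings.append("kubeAPIServer.enableAdmissionPlugins lacks NodeRestriction")

    kcm = spec.get("kubeControllerManager")
    if kcm is not None:
        controllers = kcm.get("controllers") or []
        if "tokencleaner" not in controllers:
            findings.append("kubeControllerManager.controllers lacks tokencleaner")
        if "*" not in controllers:
            # Without "*" only the controllers named in the list are started.
            findings.append('kubeControllerManager.controllers lacks "*"')
    return findings

# Constructed sample: the same settings as the gist (plugin list shortened).
COMPLETE = {
    "nodeAuthorization": {"nodeAuthorizer": {}},
    "kubeAPIServer": {
        "enableBootstrapTokenAuth": True,
        "enableAdmissionPlugins": ["NamespaceLifecycle", "NodeRestriction"],
    },
    "kubeControllerManager": {"controllers": ["*", "tokencleaner"]},
}

# Constructed sample: sections present but incomplete.
INCOMPLETE = {
    "nodeAuthorization": {"nodeAuthorizer": {}},
    "kubeAPIServer": {"enableAdmissionPlugins": ["NamespaceLifecycle"]},
    "kubeControllerManager": {"controllers": ["tokencleaner"]},
}

if __name__ == "__main__":
    for name, spec in (("complete", COMPLETE), ("incomplete", INCOMPLETE)):
        print(name, check_spec(spec) or "ok")
```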