I came across this issue where I can’t seem to taint a node while on the node itself. I was running:
[ec2-user@ip-... ~]$ kubectl taint node $(hostname) state=goodbye:NoExecute
Error from server (Forbidden): nodes "ip-....us-west-2.compute.internal" is forbidden: cannot modify taints
Is this intended behavior, or am I missing something, perhaps RBAC-related? I was able to taint the node from my local machine via kubectl though.
Any help would be appreciated! Thanks!
Might be auth related. You can run kubectl auth can-i edit nodes or kubectl auth can-i taint nodes, for example, to find out if you have access.
Ah, so both of those are “no” when I run it on the node.
Do you have pointers on how to give permissions to nodes to edit themselves (I believe I am using RBAC but I’m pretty new) or is that a bad idea in terms of security?
I would be hesitant to have a full user on any of the nodes; I would limit even having kubectl on a node if possible. I would stick to running kubectl on a non-node machine.
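The can-i check from the first reply and the least-privilege point from the last one, as an added example that is not code from this thread: a small Python evaluator over constructed ClusterRoles and ClusterRoleBindings that answers the same question as kubectl auth can-i and also lists every subject whose binding grants a given write on nodes (the role names, subjects and node name are all made up). Since kubectl taint modifies the Node object, the RBAC verb to check is patch (or update) on nodes; taint is not an RBAC verb.

```python
# Tiny RBAC evaluator in the spirit of `kubectl auth can-i`. Added example,
# not code from the thread; the roles and bindings are constructed, not real.
# Constructed ClusterRoles (same rule shape as the Kubernetes RBAC API).
CLUSTER_ROLES = {
    "node-viewer": [{"apiGroups": [""], "resources": ["nodes"],
                     "verbs": ["get", "list", "watch"]}],
    "node-tainter": [{"apiGroups": [""], "resources": ["nodes"],
                      "verbs": ["get", "patch", "update"]}],
    "cluster-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}

# Constructed ClusterRoleBindings as (role name, subjects).
CLUSTER_ROLE_BINDINGS = [
    ("node-viewer", [{"kind": "Group", "name": "system:nodes"}]),
    ("node-tainter", [{"kind": "User", "name": "ops-admin"}]),
    ("cluster-admin", [{"kind": "Group", "name": "system:masters"}]),
]

def _matches(wanted, allowed):
    # "*" in a rule is a wildcard for apiGroups, resources and verbs.
    return "*" in allowed or wanted in allowed

def _role_grants(role, verb, resource, api_group):
    return any(_matches(api_group, r["apiGroups"])
               and _matches(resource, r["resources"])
               and _matches(verb, r["verbs"])
               for r in CLUSTER_ROLES.get(role, []))

def _bound(subjects, user, groups):
    return any((s["kind"] == "User" and s["name"] == user)
               or (s["kind"] == "Group" and s["name"] in groups)
               for s in subjects)

def can_i(user, groups, verb, resource, api_group=""):
    """True if a ClusterRole bound to the user or one of its groups grants verb."""
    return any(_bound(subjects, user, groups)
               and _role_grants(role, verb, resource, api_group)
               for role, subjects in CLUSTER_ROLE_BINDINGS)

def who_can(verb, resource, api_group=""):
    """Audit helper: every subject whose binding grants verb on resource."""
    found = set()
    for role, subjects in CLUSTER_ROLE_BINDINGS:
        if _role_grants(role, verb, resource, api_group):
            found.update(f'{s["kind"]}/{s["name"]}' for s in subjects)
    return sorted(found)

if __name__ == "__main__":
    # kubectl taint writes the Node object, so "patch" is the verb to audit.
    print(who_can("patch", "nodes"))
```

Note that kubectl auth can-i only reflects authorization; an admission plugin such as NodeRestriction can still reject a write that RBAC would allow.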