orange-cloudfoundry / k3s-wrapper-boshrelease

k3s wrapper scripts bosh release
Apache License 2.0

add node-role.kubernetes.io/worker=true labels on agent nodes #54

Open poblin-orange opened 4 months ago

poblin-orange commented 4 months ago

By default, k3s won't add this label on agents.

The k3s bosh release wrapper could set it.

See https://docs.k3s.io/advanced?_highlight=role#node-labels-and-taints

All current versions of Kubernetes restrict nodes from registering with most labels with kubernetes.io and k8s.io prefixes, specifically including the kubernetes.io/role label. If you attempt to start a node with a disallowed label, K3s will fail to start. As stated by the Kubernetes authors:

Nodes are not permitted to assert their own role labels. Node roles are typically used to identify privileged or control plane types of nodes, and allowing nodes to label themselves into that pool allows a compromised node to trivially attract workloads (like control plane daemonsets) that confer access to higher privilege credentials.

See SIG-Auth KEP 279 for more information.

If you want to change node labels and taints after node registration, or add reserved labels, you should use kubectl. Refer to the official Kubernetes documentation for details on how to add taints and node labels.

See older background rationale for k3s not initially assigning roles by default in the past
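The rule quoted from the k3s docs, as an added example that is not part of the original issue or of the bosh release's code: a check for whether a label key can go in an agent's `--node-label` list, plus a planner that prints the `kubectl label` commands to run from an admin context for role-less nodes. The allowed-key list follows KEP 279 and should be verified for your Kubernetes version; the function names, sample nodes and the "`<none>` means agent" rule are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not code from k3s or the bosh release.

# kubernetes.io / k8s.io keys a kubelet may set on itself (per SIG-Auth KEP 279;
# assumption: verify against the Kubernetes version in use).
ALLOWED_KEYS="kubernetes.io/hostname kubernetes.io/arch kubernetes.io/os
beta.kubernetes.io/instance-type node.kubernetes.io/instance-type
failure-domain.beta.kubernetes.io/region failure-domain.beta.kubernetes.io/zone
topology.kubernetes.io/region topology.kubernetes.io/zone"

# Returns 0 if an agent may register with this label key (safe for --node-label),
# 1 if the key is reserved and must be applied with kubectl after registration.
is_self_assignable() {
  local key="$1" ns="" k
  case "$key" in */*) ns="${key%%/*}" ;; esac
  case "$ns" in
    kubernetes.io|*.kubernetes.io|k8s.io|*.k8s.io) ;;  # restricted namespaces
    *) return 0 ;;                                      # anything else is free
  esac
  case "$ns" in  # prefixes set aside for node self-labelling
    kubelet.kubernetes.io|*.kubelet.kubernetes.io) return 0 ;;
    node.kubernetes.io|*.node.kubernetes.io) return 0 ;;
  esac
  for k in $ALLOWED_KEYS; do
    [ "$k" = "$key" ] && return 0
  done
  return 1
}

# Reads `kubectl get nodes --no-headers` output on stdin and prints one label
# command per node whose ROLES column is "<none>" (assumed here to be the agents).
plan_worker_labels() {
  local name status roles rest
  while read -r name status roles rest; do
    [ "$roles" = "<none>" ] || continue
    printf 'kubectl label node %s node-role.kubernetes.io/worker=true\n' "$name"
  done
}

# Constructed sample; node names and version string are placeholders.
SAMPLE_NODES='server-0 Ready control-plane,master 10d vX.Y.Z+k3s1
agent-0 Ready <none> 10d vX.Y.Z+k3s1
agent-1 Ready <none> 9d vX.Y.Z+k3s1'

if ! is_self_assignable "node-role.kubernetes.io/worker"; then
  printf '%s\n' "$SAMPLE_NODES" | plan_worker_labels
fi
```

The printed commands are meant to be run with an administrator kubeconfig, not with the agent's node credentials, which is the separation the quoted KEP text calls for.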

gberche-orange commented 4 months ago

@poblin-orange FYI updated the issue with related k3s docs