Merge pull request #31986 from PriyanshuAhlawat/noteForNodeRestriction

Added note about noderestriction labels issue-#31972

Author: k8s-ci-robot

content/en/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm.md

@@ -284,6 +284,15 @@ If your network is not working or CoreDNS is not in the `Running` state, check o
 [troubleshooting guide](/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm/)
 for `kubeadm`.
 
+### Managed node labels
+
+By default, kubeadm enables the [NodeRestriction](/docs/reference/access-authn-authz/admission-controllers/#noderestriction)
+admission controller that restricts what labels can be self-applied by kubelets on node registration.
+The admission controller documentation covers what labels are permitted to be used with the kubelet `--node-labels` option.
+The `node-role.kubernetes.io/control-plane` label is such a restricted label and kubeadm manually applies it using
+a privileged client after a node has been created. To do that manually you can do the same by using `kubectl label`
+and ensure it is using a privileged kubeconfig such as the kubeadm managed `/etc/kubernetes/admin.conf`.
+
 ### Control plane node isolation
 
 By default, your cluster will not schedule Pods on the control-plane node for security