Add a SecurityContextDeny feature gate disabled by default

Put plugin registration behind the feature gate.

pkg/features/kube_features.go

@@ -691,6 +691,14 @@ const (
 	// Enables the use of `RuntimeDefault` as the default seccomp profile for all workloads.
 	SeccompDefault featuregate.Feature = "SeccompDefault"
 
+	// owner: @mtardy
+	// alpha: v1.0
+	//
+	// Putting this admission plugin behind a feature gate is part of the
+	// deprecation process. For details about the removal see:
+	// https://github.com/kubernetes/kubernetes/issues/111516
+	SecurityContextDeny featuregate.Feature = "SecurityContextDeny"
+
 	// owner: @maplain @andrewsykim
 	// kep: https://kep.k8s.io/2086
 	// alpha: v1.21
@@ -1022,6 +1030,8 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
 
 	SeccompDefault: {Default: true, PreRelease: featuregate.Beta},
 
+	SecurityContextDeny: {Default: false, PreRelease: featuregate.Alpha},
+
 	ServiceIPStaticSubrange: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.28
 
 	ServiceInternalTrafficPolicy: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.28

plugin/pkg/admission/securitycontext/scdeny/admission.go

@@ -23,17 +23,25 @@ import (
 
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apiserver/pkg/admission"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/klog/v2"
 	api "k8s.io/kubernetes/pkg/apis/core"
+	"k8s.io/kubernetes/pkg/features"
 )
 
 // PluginName indicates name of admission plugin.
 const PluginName = "SecurityContextDeny"
 
+const docLink = "https://k8s.io/docs/reference/access-authn-authz/admission-controllers/#securitycontextdeny"
+
 // Register registers a plugin
 func Register(plugins *admission.Plugins) {
 	plugins.Register(PluginName, func(config io.Reader) (admission.Interface, error) {
+		if utilfeature.DefaultFeatureGate.Enabled(features.SecurityContextDeny) {
 			return NewSecurityContextDeny(), nil
+		} else {
+			return nil, fmt.Errorf("%s admission controller is an alpha feature, planned to be removed, and requires the SecurityContextDeny feature gate to be enabled, see %s for more information", PluginName, docLink)
+		}
 	})
 }
 
@@ -49,8 +57,8 @@ func NewSecurityContextDeny() *Plugin {
 	// DEPRECATED: SecurityContextDeny will be removed in favor of PodSecurity admission.
 	klog.Warningf("%s admission controller is deprecated. "+
 		"Please remove this controller from your configuration files and scripts. "+
-		"See https://k8s.io/docs/reference/access-authn-authz/admission-controllers/#securitycontextdeny for more information.",
+		"See %s for more information.",
-		PluginName)
+		PluginName, docLink)
 	return &Plugin{
 		Handler: admission.NewHandler(admission.Create, admission.Update),
 	}