diff --git a/cmd/kubelet/app/options/options.go b/cmd/kubelet/app/options/options.go
index b702b24a68b..98e3a136b7a 100644
--- a/cmd/kubelet/app/options/options.go
+++ b/cmd/kubelet/app/options/options.go
@@ -33,7 +33,6 @@ import (
 "k8s.io/kubelet/config/v1beta1"
 kubeletapis "k8s.io/kubelet/pkg/apis"
 "k8s.io/kubernetes/pkg/cluster/ports"
- "k8s.io/kubernetes/pkg/features"
 kubeletconfig "k8s.io/kubernetes/pkg/kubelet/apis/config"
 kubeletscheme "k8s.io/kubernetes/pkg/kubelet/apis/config/scheme"
 kubeletconfigvalidation "k8s.io/kubernetes/pkg/kubelet/apis/config/validation"
@@ -135,7 +134,6 @@ type KubeletFlags struct {
 // This can be useful for debugging volume related issues.
 KeepTerminatedPodVolumes bool
 // SeccompDefault enables the use of `RuntimeDefault` as the default seccomp profile for all workloads on the node.
- // To use this flag, the corresponding SeccompDefault feature gate must be enabled.
 SeccompDefault bool
 }
@@ -181,10 +179,6 @@ func ValidateKubeletFlags(f *KubeletFlags) error {
 return fmt.Errorf("invalid node labels: %s", strings.Join(labelErrs, "; "))
 }
- if f.SeccompDefault && !utilfeature.DefaultFeatureGate.Enabled(features.SeccompDefault) {
- return fmt.Errorf("the SeccompDefault feature gate must be enabled in order to use the --seccomp-default flag")
- }
-
 if f.ContainerRuntime != kubetypes.RemoteContainerRuntime {
 return fmt.Errorf("unsupported CRI runtime: %q, only %q is currently supported", f.ContainerRuntime, kubetypes.RemoteContainerRuntime)
 }
@@ -311,13 +305,13 @@ func (f *KubeletFlags) AddFlags(mainfs *pflag.FlagSet) {
 "If --tls-cert-file and --tls-private-key-file are provided, this flag will be ignored.")
 fs.StringVar(&f.RootDirectory, "root-dir", f.RootDirectory, "Directory path for managing kubelet files (volume mounts,etc).")
+ fs.BoolVar(&f.SeccompDefault, "seccomp-default", f.SeccompDefault, "Enable the use of `RuntimeDefault` as the default seccomp profile for all workloads.")
 // EXPERIMENTAL FLAGS
 bindableNodeLabels := cliflag.ConfigurationMap(f.NodeLabels)
 fs.Var(&bindableNodeLabels, "node-labels", fmt.Sprintf(" Labels to add when registering the node in the cluster. Labels must be key=value pairs separated by ','. Labels in the 'kubernetes.io' namespace must begin with an allowed prefix (%s) or be in the specifically allowed set (%s)", strings.Join(kubeletapis.KubeletLabelNamespaces(), ", "), strings.Join(kubeletapis.KubeletLabels(), ", ")))
 fs.StringVar(&f.LockFilePath, "lock-file", f.LockFilePath, " The path to file for kubelet to use as a lock file.")
 fs.BoolVar(&f.ExitOnLockContention, "exit-on-lock-contention", f.ExitOnLockContention, "Whether kubelet should exit upon lock-file contention.")
- fs.BoolVar(&f.SeccompDefault, "seccomp-default", f.SeccompDefault, " Enable the use of `RuntimeDefault` as the default seccomp profile for all workloads. The SeccompDefault feature gate must be enabled to allow this flag, which is disabled per default.")
 // DEPRECATED FLAGS
 fs.DurationVar(&f.MinimumGCAge.Duration, "minimum-container-ttl-duration", f.MinimumGCAge.Duration, "Minimum age for a finished container before it is garbage collected. Examples: '300ms', '10s' or '2h45m'")
diff --git a/cmd/kubelet/app/server.go b/cmd/kubelet/app/server.go
index cf7744dbe19..4dd27a08bf0 100644
--- a/cmd/kubelet/app/server.go
+++ b/cmd/kubelet/app/server.go
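Review bot: The help text on the added `fs.BoolVar(&f.SeccompDefault, "seccomp-default", ...)` line no longer states the default; the removed line said the flag "is disabled per default", and if pflag omits the `(default false)` suffix for a bool whose default is its zero value, `kubelet --help` now gives no hint that the profile remains opt-in even though the gate is GA. I would append to the description: `Disabled by default. The same setting is exposed as the seccompDefault field of KubeletConfiguration.` The KubeletConfiguration counterpart is visible in the types.go hunk of this diff; how the flag and the config field are reconciled when both are set is not, so confirm that before documenting precedence. AddFlags begins before this hunk and continues past it.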
@@ -1150,10 +1150,6 @@ func RunKubelet(kubeServer *options.KubeletServer, kubeDeps *kubelet.Dependencie
 kubeDeps.OSInterface = kubecontainer.RealOS{}
 }
- if kubeServer.KubeletConfiguration.SeccompDefault && !utilfeature.DefaultFeatureGate.Enabled(features.SeccompDefault) {
- return fmt.Errorf("the SeccompDefault feature gate must be enabled in order to use the SeccompDefault configuration")
- }
-
 k, err := createAndInitKubelet(kubeServer,
 kubeDeps,
 hostname,
diff --git a/pkg/features/kube_features.go b/pkg/features/kube_features.go
index 13496837f5b..59005ffb86e 100644
--- a/pkg/features/kube_features.go
+++ b/pkg/features/kube_features.go
@@ -684,6 +684,7 @@ const (
 // kep: https://kep.k8s.io/2413
 // alpha: v1.22
 // beta: v1.25
+ // ga: v1.27
 //
 // Enables the use of `RuntimeDefault` as the default seccomp profile for all workloads.
 SeccompDefault featuregate.Feature = "SeccompDefault"
@@ -1017,7 +1018,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
 RotateKubeletServerCertificate: {Default: true, PreRelease: featuregate.Beta},
- SeccompDefault: {Default: true, PreRelease: featuregate.Beta},
+ SeccompDefault: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.29
 ServiceIPStaticSubrange: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.28
diff --git a/pkg/generated/openapi/zz_generated.openapi.go b/pkg/generated/openapi/zz_generated.openapi.go
index 3ffd1e40976..156f285cea4 100644
--- a/pkg/generated/openapi/zz_generated.openapi.go
+++ b/pkg/generated/openapi/zz_generated.openapi.go
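Review bot: The gate's doc comment two lines below the new `// ga: v1.27` still reads as if the gate itself turns the profile on, which is misleading now that the gate is always on: the kubelet field keeps `Default: false` (types.go hunk in this diff) and `RuntimeDefault` is applied only when a node opts in through `--seccomp-default` or `KubeletConfiguration.seccompDefault`. I would reword it to `// Enables the use of RuntimeDefault as the default seccomp profile for all workloads; the kubelet still has to opt in per node via --seccomp-default or KubeletConfiguration.seccompDefault.` so nobody reads GA as "seccomp is now on everywhere". The enclosing const block starts and ends outside the hunk.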
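Review bot: `LockToDefault: true` on the new `SeccompDefault` entry is the operationally visible change here: if the featuregate package rejects attempts to set a locked gate to a non-default value, as I believe it does, a kubelet still started with `--feature-gates=SeccompDefault=false` (a plausible leftover from the beta period) will fail to start rather than quietly keep the gate on, so this needs a release note and an upgrade pre-check. The `// remove in 1.29` marker matches the two-release pattern of the neighbouring `ServiceIPStaticSubrange` entry, so the entry itself is fine. Note that locking the gate on does not by itself enable the runtime default profile — the kubelet field remains `Default: false` per the types.go hunk — so the security posture of existing nodes is unchanged unless they opt in.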
@@ -57985,7 +57985,7 @@ func schema_k8sio_kubelet_config_v1beta1_KubeletConfiguration(ref common.Referen
 },
 "seccompDefault": {
 SchemaProps: spec.SchemaProps{
- Description: "SeccompDefault enables the use of `RuntimeDefault` as the default seccomp profile for all workloads. This requires the corresponding SeccompDefault feature gate to be enabled as well. Default: false",
+ Description: "SeccompDefault enables the use of `RuntimeDefault` as the default seccomp profile for all workloads. Default: false",
 Type: []string{"boolean"},
 Format: "",
 },
diff --git a/staging/src/k8s.io/kubelet/config/v1beta1/types.go b/staging/src/k8s.io/kubelet/config/v1beta1/types.go
index b979ef81e7a..231d61da1f9 100644
--- a/staging/src/k8s.io/kubelet/config/v1beta1/types.go
+++ b/staging/src/k8s.io/kubelet/config/v1beta1/types.go
@@ -764,7 +764,6 @@ type KubeletConfiguration struct {
 // +optional
 EnableDebugFlagsHandler *bool `json:"enableDebugFlagsHandler,omitempty"`
 // SeccompDefault enables the use of `RuntimeDefault` as the default seccomp profile for all workloads.
- // This requires the corresponding SeccompDefault feature gate to be enabled as well.
 // Default: false
 // +optional
 SeccompDefault *bool `json:"seccompDefault,omitempty"`
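Review bot: With the feature-gate sentence removed, the doc on `SeccompDefault` says only what it enables and `Default: false`; since the `--seccomp-default` kubelet flag (`KubeletFlags.SeccompDefault` in the options.go hunks) appears to drive the same behaviour, this is the place to point users at the flag and state which wins when both are set. The diff does not show how flag and config are merged, so I would add only `// The --seccomp-default kubelet flag appears to configure the same behaviour; precedence between the two should be confirmed against the flag/config merge code.` for now and firm it up once checked. A short caveat that the syscalls actually filtered depend on the container runtime's own default profile would also help operators who assume `RuntimeDefault` is a fixed policy. This comment feeds the generated OpenAPI description in the zz_generated.openapi.go hunk, so regenerate after editing it.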