Merge pull request #122635 from carlory/KEP-2799

Promote LegacyServiceAccountTokenCleanUp to GA
2025-07-31 07:20:13 +00:00 · 2024-02-02 12:47:23 -08:00 · 2024-02-02 12:47:23 -08:00 · 42941cb88a
commit 42941cb88a
parent 77566f2486 0fc1b9c9aa
5 changed files with 13 additions and 20 deletions
--- a/cmd/kube-controller-manager/app/controllermanager_test.go
+++ b/cmd/kube-controller-manager/app/controllermanager_test.go
@ -146,8 +146,8 @@ func TestFeatureGatedControllersShouldNotDefineAliases(t *testing.T) {
 			continue
 		}

-		// DO NOT ADD any new controllers here. These two controllers are an exception, because they were added before this test was introduced
-		if name == names.LegacyServiceAccountTokenCleanerController || name == names.ResourceClaimController {
+		// DO NOT ADD any new controllers here. one controller is an exception, because it was added before this test was introduced
+		if name == names.ResourceClaimController {
 			continue
 		}

--- a/cmd/kube-controller-manager/app/core.go
+++ b/cmd/kube-controller-manager/app/core.go
@ -768,9 +768,6 @@ func newLegacyServiceAccountTokenCleanerControllerDescriptor() *ControllerDescri
 		name:     names.LegacyServiceAccountTokenCleanerController,
 		aliases:  []string{"legacy-service-account-token-cleaner"},
 		initFunc: startLegacyServiceAccountTokenCleanerController,
-		requiredFeatureGates: []featuregate.Feature{
-			features.LegacyServiceAccountTokenCleanUp, // TODO update app.TestFeatureGatedControllersShouldNotDefineAliases when removing this feature
-		},
 	}
 }

--- a/pkg/features/kube_features.go
+++ b/pkg/features/kube_features.go
@ -428,9 +428,10 @@ const (
 	KubeProxyDrainingTerminatingNodes featuregate.Feature = "KubeProxyDrainingTerminatingNodes"

 	// owner: @yt2985
-	// kep: http://kep.k8s.io/2800
+	// kep: http://kep.k8s.io/2799
 	// alpha: v1.28
 	// beta: v1.29
+	// GA: v1.30
 	//
 	// Enables cleaning up of secret-based service account tokens.
 	LegacyServiceAccountTokenCleanUp featuregate.Feature = "LegacyServiceAccountTokenCleanUp"
@ -1032,7 +1033,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS

 	KubeProxyDrainingTerminatingNodes: {Default: true, PreRelease: featuregate.Beta},

-	LegacyServiceAccountTokenCleanUp: {Default: true, PreRelease: featuregate.Beta},
+	LegacyServiceAccountTokenCleanUp: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // GA in 1.30; remove in 1.32

 	LocalStorageCapacityIsolationFSQuotaMonitoring: {Default: false, PreRelease: featuregate.Alpha},

--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
@ -478,15 +478,14 @@ func buildControllerRoles() ([]rbacv1.ClusterRole, []rbacv1.ClusterRoleBinding)
 			},
 		})
 	}
-	if utilfeature.DefaultFeatureGate.Enabled(features.LegacyServiceAccountTokenCleanUp) {
-		addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
-			ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "legacy-service-account-token-cleaner"},
-			Rules: []rbacv1.PolicyRule{
-				rbacv1helpers.NewRule("get").Groups(legacyGroup).Resources("configmaps").Names(legacytokentracking.ConfigMapName).RuleOrDie(),
-				rbacv1helpers.NewRule("patch", "delete").Groups(legacyGroup).Resources("secrets").RuleOrDie(),
-			},
-		})
-	}
+
+	addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
+		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "legacy-service-account-token-cleaner"},
+		Rules: []rbacv1.PolicyRule{
+			rbacv1helpers.NewRule("get").Groups(legacyGroup).Resources("configmaps").Names(legacytokentracking.ConfigMapName).RuleOrDie(),
+			rbacv1helpers.NewRule("patch", "delete").Groups(legacyGroup).Resources("secrets").RuleOrDie(),
+		},
+	})

 	return controllerRoles, controllerRoleBindings
 }
--- a/test/integration/serviceaccount/legacy_service_account_token_clean_up_test.go
+++ b/test/integration/serviceaccount/legacy_service_account_token_clean_up_test.go
@ -30,15 +30,12 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	applyv1 "k8s.io/client-go/applyconfigurations/core/v1"
 	clientinformers "k8s.io/client-go/informers"
 	clientset "k8s.io/client-go/kubernetes"
 	listersv1 "k8s.io/client-go/listers/core/v1"
-	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	serviceaccountcontroller "k8s.io/kubernetes/pkg/controller/serviceaccount"
 	"k8s.io/kubernetes/pkg/controlplane/controller/legacytokentracking"
-	kubefeatures "k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/pkg/serviceaccount"
 	"k8s.io/utils/clock"
 	testingclock "k8s.io/utils/clock/testing"
@ -53,7 +50,6 @@ const (
 )

 func TestLegacyServiceAccountTokenCleanUp(t *testing.T) {
-	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, kubefeatures.LegacyServiceAccountTokenCleanUp, true)()
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 	c, config, stopFunc, informers, err := startServiceAccountTestServerAndWaitForCaches(ctx, t)