From 0852a490204f66142ac52411cec775c65a584c64 Mon Sep 17 00:00:00 2001
From: Shihang Zhang
Date: Thu, 15 Dec 2022 14:49:03 -0800
Subject: [PATCH 1/2] graduate LegacyServiceAccountTokenTracking to beta
---
 pkg/features/kube_features.go | 3 ++-
 pkg/kubeapiserver/authenticator/config.go | 7 ++++++-
 pkg/serviceaccount/jwt_test.go | 11 ++++++++++-
 pkg/serviceaccount/legacy.go | 10 ++++++++--
 4 files changed, 26 insertions(+), 5 deletions(-)
diff --git a/pkg/features/kube_features.go b/pkg/features/kube_features.go
index 1de2193da44..596c08f22d1 100644
--- a/pkg/features/kube_features.go
+++ b/pkg/features/kube_features.go
@@ -478,6 +478,7 @@ const (
 // owner: @zshihang // kep: http://kep.k8s.io/2800 // alpha: v1.26
+ // beta: v1.27
 // // Enables tracking of secret-based service account tokens usage.
 LegacyServiceAccountTokenTracking featuregate.Feature = "LegacyServiceAccountTokenTracking"
@@ -958,7 +959,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
 LegacyServiceAccountTokenNoAutoGeneration: {Default: true, PreRelease: featuregate.GA},
- LegacyServiceAccountTokenTracking: {Default: false, PreRelease: featuregate.Alpha},
+ LegacyServiceAccountTokenTracking: {Default: true, PreRelease: featuregate.Beta},
 LocalStorageCapacityIsolationFSQuotaMonitoring: {Default: false, PreRelease: featuregate.Alpha},
diff --git a/pkg/kubeapiserver/authenticator/config.go b/pkg/kubeapiserver/authenticator/config.go
index e10c76384f9..52715eb3087 100644
--- a/pkg/kubeapiserver/authenticator/config.go
+++ b/pkg/kubeapiserver/authenticator/config.go
@@ -18,6 +18,7 @@ package authenticator
 import (
 "errors"
+ "fmt"
 "time"
 utilnet "k8s.io/apimachinery/pkg/util/net"
@@ -277,8 +278,12 @@ func newLegacyServiceAccountAuthenticator(keyfiles []string, lookup bool, apiAud
 }
 allPublicKeys = append(allPublicKeys, publicKeys...)
 }
+ validator, err := serviceaccount.NewLegacyValidator(lookup, serviceAccountGetter, secretsWriter)
+ if err != nil {
+ return nil, fmt.Errorf("while creating legacy validator, err: %w", err)
+ }
- tokenAuthenticator := serviceaccount.JWTTokenAuthenticator([]string{serviceaccount.LegacyIssuer}, allPublicKeys, apiAudiences, serviceaccount.NewLegacyValidator(lookup, serviceAccountGetter, secretsWriter))
+ tokenAuthenticator := serviceaccount.JWTTokenAuthenticator([]string{serviceaccount.LegacyIssuer}, allPublicKeys, apiAudiences, validator)
 return tokenAuthenticator, nil
 }
diff --git a/pkg/serviceaccount/jwt_test.go b/pkg/serviceaccount/jwt_test.go
index 675e43cf3a9..ade7924aa71 100644
--- a/pkg/serviceaccount/jwt_test.go
+++ b/pkg/serviceaccount/jwt_test.go
@@ -30,6 +30,7 @@ import (
 "k8s.io/apiserver/pkg/authentication/authenticator"
 clientset "k8s.io/client-go/kubernetes"
 "k8s.io/client-go/kubernetes/fake"
+ typedv1core "k8s.io/client-go/kubernetes/typed/core/v1"
 v1listers "k8s.io/client-go/listers/core/v1"
 "k8s.io/client-go/tools/cache"
 "k8s.io/client-go/util/keyutil"
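Review bot: The error wrap on the new `return nil, fmt.Errorf(...)` line reads `while creating legacy validator, err: %w`, which restates what the chained error already conveys and departs from the lowercase `doing-X: %w` form used for wrapped errors; `return nil, fmt.Errorf("creating legacy validator: %w", err)` carries the same context. newLegacyServiceAccountAuthenticator begins before the hunk, so where secretsWriter comes from is not visible here. Since the constructor now rejects a nil writer when lookup is true, it is worth confirming every path into this function supplies one, because a nil value is now a setup error instead of being silently accepted as before.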
@@ -342,7 +343,15 @@ func TestTokenGenerateAndValidate(t *testing.T) {
 return tc.Client.CoreV1().Pods(namespace).Get(context.TODO(), name, metav1.GetOptions{})
 })),
 )
- authn := serviceaccount.JWTTokenAuthenticator([]string{serviceaccount.LegacyIssuer, "bar"}, tc.Keys, auds, serviceaccount.NewLegacyValidator(tc.Client != nil, getter, nil))
+ var secretsWriter typedv1core.SecretsGetter
+ if tc.Client != nil {
+ secretsWriter = tc.Client.CoreV1()
+ }
+ validator, err := serviceaccount.NewLegacyValidator(tc.Client != nil, getter, secretsWriter)
+ if err != nil {
+ t.Fatalf("While creating legacy validator, err: %v", err)
+ }
+ authn := serviceaccount.JWTTokenAuthenticator([]string{serviceaccount.LegacyIssuer, "bar"}, tc.Keys, auds, validator)
 // An invalid, non-JWT token should always fail
 ctx := authenticator.WithAudiences(context.Background(), auds)
diff --git a/pkg/serviceaccount/legacy.go b/pkg/serviceaccount/legacy.go
index 8ebdbabe898..9e178da6beb 100644
--- a/pkg/serviceaccount/legacy.go
+++ b/pkg/serviceaccount/legacy.go
@@ -60,12 +60,18 @@ type legacyPrivateClaims struct {
 Namespace string `json:"kubernetes.io/serviceaccount/namespace"`
 }
-func NewLegacyValidator(lookup bool, getter ServiceAccountTokenGetter, secretsWriter typedv1core.SecretsGetter) Validator {
+func NewLegacyValidator(lookup bool, getter ServiceAccountTokenGetter, secretsWriter typedv1core.SecretsGetter) (Validator, error) {
+ if lookup && getter == nil {
+ return nil, errors.New("ServiceAccountTokenGetter must be provided")
+ }
+ if lookup && secretsWriter == nil {
+ return nil, errors.New("SecretsWriter must be provided")
+ }
 return &legacyValidator{
 lookup: lookup,
 getter: getter,
 secretsWriter: secretsWriter,
- }
+ }, nil
 }
 type legacyValidator struct {
From e878bc17e652337535f688175ad31bd87ba13d2f Mon Sep 17 00:00:00 2001
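Review bot: The new error paths of NewLegacyValidator are never reached from this hunk: secretsWriter is nil only when tc.Client is nil, and in that case lookup is also false, so neither `ServiceAccountTokenGetter must be provided` nor `SecretsWriter must be provided` is exercised. A short table test asserting a non-nil error from `serviceaccount.NewLegacyValidator(true, nil, secretsWriter)` and from `serviceaccount.NewLegacyValidator(true, getter, nil)` would cover them (the second case depends on the LegacyServiceAccountTokenTracking gate once the follow-up patch in this series lands). The failure message on the new `t.Fatalf` line could also drop the capital and the `err:` prefix to match Go error wording: `t.Fatalf("creating legacy validator: %v", err)`. TestTokenGenerateAndValidate starts before the hunk and continues after it.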
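Review bot: NewLegacyValidator is exported and its contract just changed to `(Validator, error)`, but it still has no doc comment; suggest adding above the signature `// NewLegacyValidator returns a Validator for legacy secret-based service account tokens. When lookup is true, getter and secretsWriter must be non-nil; a nil dependency is reported as an error at construction rather than at validation time.` The hunk introduces calls to errors.New, and the file's import block is outside this hunk, so confirm that `errors` is imported in legacy.go (the config.go hunk shows the matching `fmt` import being added; no equivalent appears here). Note that the second patch in this series makes the secretsWriter check depend on the LegacyServiceAccountTokenTracking gate, so the doc comment should describe whichever form is merged.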
From: Shihang Zhang
Date: Fri, 16 Dec 2022 12:54:52 -0800
Subject: [PATCH 2/2] Update pkg/serviceaccount/legacy.go
Co-authored-by: Jordan Liggitt
---
 pkg/serviceaccount/legacy.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/serviceaccount/legacy.go b/pkg/serviceaccount/legacy.go
index 9e178da6beb..9657f95c351 100644
--- a/pkg/serviceaccount/legacy.go
+++ b/pkg/serviceaccount/legacy.go
@@ -64,7 +64,7 @@ func NewLegacyValidator(lookup bool, getter ServiceAccountTokenGetter, secretsWr
 if lookup && getter == nil {
 return nil, errors.New("ServiceAccountTokenGetter must be provided")
 }
- if lookup && secretsWriter == nil {
+ if lookup && secretsWriter == nil && utilfeature.DefaultFeatureGate.Enabled(kubefeatures.LegacyServiceAccountTokenTracking) {
 return nil, errors.New("SecretsWriter must be provided")
 }
 return &legacyValidator{
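Review bot: With the secretsWriter check now conditional on the LegacyServiceAccountTokenTracking gate, a legacyValidator can be built with lookup true and a nil secretsWriter whenever the gate is off, so every use of `v.secretsWriter` in the validator must sit behind the same gate check or a nil check; that code is outside the hunk and cannot be confirmed here. A comment on the changed condition would keep the invariant visible, e.g. `// secretsWriter is only used when LegacyServiceAccountTokenTracking is enabled, so it may be nil otherwise.` The new line also references `utilfeature` and `kubefeatures`, whose imports are not shown in this patch; confirm both are already imported in legacy.go. NewLegacyValidator's body continues outside the hunk.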