Graduate ServiceAccountIssuerDiscovery to GA

Waiting on KEP updates first: https://github.com/kubernetes/enhancements/pull/2363
2025-07-24 12:15:52 +00:00 · 2021-01-28 17:03:34 -08:00 · 2021-01-28 17:03:34 -08:00 · 6aa80d9172
commit 6aa80d9172
parent f384925847
7 changed files with 68 additions and 85 deletions
--- a/cmd/kube-apiserver/app/BUILD
+++ b/cmd/kube-apiserver/app/BUILD
@ -17,7 +17,6 @@ go_library(
        "//pkg/controlplane/controller/crdregistration:go_default_library",
        "//pkg/controlplane/reconcilers:go_default_library",
        "//pkg/controlplane/tunneler:go_default_library",
-        "//pkg/features:go_default_library",
        "//pkg/generated/openapi:go_default_library",
        "//pkg/kubeapiserver:go_default_library",
        "//pkg/kubeapiserver/admission:go_default_library",
--- a/cmd/kube-apiserver/app/server.go
+++ b/cmd/kube-apiserver/app/server.go
@ -73,7 +73,6 @@ import (
 	"k8s.io/kubernetes/pkg/controlplane"
 	"k8s.io/kubernetes/pkg/controlplane/reconcilers"
 	"k8s.io/kubernetes/pkg/controlplane/tunneler"
-	"k8s.io/kubernetes/pkg/features"
 	generatedopenapi "k8s.io/kubernetes/pkg/generated/openapi"
 	"k8s.io/kubernetes/pkg/kubeapiserver"
 	kubeapiserveradmission "k8s.io/kubernetes/pkg/kubeapiserver/admission"
@ -422,7 +421,6 @@ func CreateKubeAPIServerConfig(
 		config.ExtraConfig.ProxyTransport = c
 	}

-	if utilfeature.DefaultFeatureGate.Enabled(features.ServiceAccountIssuerDiscovery) {
 	// Load the public keys.
 	var pubKeys []interface{}
 	for _, f := range s.Authentication.ServiceAccounts.KeyFiles {
@ -436,7 +434,6 @@ func CreateKubeAPIServerConfig(
 	config.ExtraConfig.ServiceAccountIssuerURL = s.Authentication.ServiceAccounts.Issuer
 	config.ExtraConfig.ServiceAccountJWKSURI = s.Authentication.ServiceAccounts.JWKSURI
 	config.ExtraConfig.ServiceAccountPublicKeys = pubKeys
-	}

 	return config, serviceResolver, pluginInitializers, nil
 }
--- a/pkg/controlplane/instance.go
+++ b/pkg/controlplane/instance.go
@ -366,7 +366,6 @@ func (c completedConfig) New(delegationTarget genericapiserver.DelegationTarget)
 		routes.Logs{}.Install(s.Handler.GoRestfulContainer)
 	}

-	if utilfeature.DefaultFeatureGate.Enabled(features.ServiceAccountIssuerDiscovery) {
 	// Metadata and keys are expected to only change across restarts at present,
 	// so we just marshal immediately and serve the cached JSON bytes.
 	md, err := serviceaccount.NewOpenIDMetadata(
@ -397,7 +396,6 @@ func (c completedConfig) New(delegationTarget genericapiserver.DelegationTarget)
 		routes.NewOpenIDMetadataServer(md.ConfigJSON, md.PublicKeysetJSON).
 			Install(s.Handler.GoRestfulContainer)
 	}
-	}

 	m := &Instance{
 		GenericAPIServer:          s,
--- a/pkg/features/kube_features.go
+++ b/pkg/features/kube_features.go
@ -194,6 +194,7 @@ const (
 	// owner: @mtaufen
 	// alpha: v1.18
 	// beta: v1.20
+	// stable: v1.21
 	//
 	// Enable OIDC discovery endpoints (issuer and JWKS URLs) for the service
 	// account issuer in the API server.
@ -699,7 +700,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
 	SupportPodPidsLimit:                            {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.23
 	SupportNodePidsLimit:                           {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.23
 	BoundServiceAccountTokenVolume:                 {Default: false, PreRelease: featuregate.Alpha},
-	ServiceAccountIssuerDiscovery:                  {Default: true, PreRelease: featuregate.Beta},
+	ServiceAccountIssuerDiscovery:                  {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.22
 	CRIContainerLogRotation:                        {Default: true, PreRelease: featuregate.Beta},
 	CSIMigration:                                   {Default: true, PreRelease: featuregate.Beta},
 	CSIMigrationGCE:                                {Default: false, PreRelease: featuregate.Beta}, // Off by default (requires GCE PD CSI Driver)
--- a/pkg/kubeapiserver/options/authentication.go
+++ b/pkg/kubeapiserver/options/authentication.go
@ -213,7 +213,6 @@ func (o *BuiltInAuthenticationOptions) Validate() []error {
 			allErrors = append(allErrors, errors.New("service-account-key-file is a required flag"))
 		}

-		if utilfeature.DefaultFeatureGate.Enabled(features.ServiceAccountIssuerDiscovery) {
 		// Validate the JWKS URI when it is explicitly set.
 		// When unset, it is later derived from ExternalHost.
 		if o.ServiceAccounts.JWKSURI != "" {
@ -223,9 +222,6 @@ func (o *BuiltInAuthenticationOptions) Validate() []error {
 				allErrors = append(allErrors, fmt.Errorf("service-account-jwks-uri requires https scheme, parsed as: %v", u.String()))
 			}
 		}
-		} else if len(o.ServiceAccounts.JWKSURI) > 0 {
-			allErrors = append(allErrors, fmt.Errorf("service-account-jwks-uri may only be set when the ServiceAccountIssuerDiscovery feature gate is enabled"))
-		}
 	}

 	if o.WebHook != nil {
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@ -494,7 +494,6 @@ func ClusterRoles() []rbacv1.ClusterRole {
 		},
 	}

-	if utilfeature.DefaultFeatureGate.Enabled(features.ServiceAccountIssuerDiscovery) {
 	// Add the cluster role for reading the ServiceAccountIssuerDiscovery endpoints
 	roles = append(roles, rbacv1.ClusterRole{
 		ObjectMeta: metav1.ObjectMeta{Name: "system:service-account-issuer-discovery"},
@ -505,7 +504,6 @@ func ClusterRoles() []rbacv1.ClusterRole {
 			).RuleOrDie(),
 		},
 	})
-	}

 	// node-proxier role is used by kube-proxy.
 	nodeProxierRules := []rbacv1.PolicyRule{
@ -590,7 +588,6 @@ func ClusterRoleBindings() []rbacv1.ClusterRoleBinding {
 		},
 	}

-	if utilfeature.DefaultFeatureGate.Enabled(features.ServiceAccountIssuerDiscovery) {
 	// Allow all in-cluster workloads (via their service accounts) to read the OIDC discovery endpoints.
 	// Users with certain forms of write access (create pods, create secrets, create service accounts, etc)
 	// can gain access to a service account identity which would allow them to access this information.
@ -602,7 +599,6 @@ func ClusterRoleBindings() []rbacv1.ClusterRoleBinding {
 	rolebindings = append(rolebindings,
 		rbacv1helpers.NewClusterBinding("system:service-account-issuer-discovery").Groups(serviceaccount.AllServiceAccountsGroup).BindingOrDie(),
 	)
-	}

 	addClusterRoleBindingLabel(rolebindings)

--- a/test/integration/auth/svcaccttoken_test.go
+++ b/test/integration/auth/svcaccttoken_test.go
@ -43,16 +43,13 @@ import (
 	"k8s.io/apiserver/pkg/authentication/request/bearertoken"
 	apiserverserviceaccount "k8s.io/apiserver/pkg/authentication/serviceaccount"
 	"k8s.io/apiserver/pkg/authorization/authorizerfactory"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	clientset "k8s.io/client-go/kubernetes"
 	v1listers "k8s.io/client-go/listers/core/v1"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/util/keyutil"
-	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	"k8s.io/kubernetes/pkg/apis/core"
 	serviceaccountgetter "k8s.io/kubernetes/pkg/controller/serviceaccount"
-	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/pkg/serviceaccount"
 	"k8s.io/kubernetes/test/integration/framework"
 )
@ -64,7 +61,6 @@ AwEHoUQDQgAEH6cuzP8XuD5wal6wf9M6xDljTOPLX2i8uIp/C/ASqiIGUeeKQtX0
 -----END EC PRIVATE KEY-----`

 func TestServiceAccountTokenCreate(t *testing.T) {
-	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ServiceAccountIssuerDiscovery, true)()

 	// Build client config, clientset, and informers
 	sk, err := keyutil.ParsePrivateKeyPEM([]byte(ecdsaPrivateKey))