diff --git a/pkg/api/pod/util_test.go b/pkg/api/pod/util_test.go index e2c350d76df..5a831a36cd5 100644 --- a/pkg/api/pod/util_test.go +++ b/pkg/api/pod/util_test.go @@ -3844,8 +3844,12 @@ func TestDropSELinuxChangePolicy(t *testing.T) { for _, tc := range tests { t.Run(tc.name, func(t *testing.T) { - for _, gate := range tc.gates { - featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, gate, true) + // Set feature gates for the test. *Disable* those that are not in tc.gates. + allGates := []featuregate.Feature{features.SELinuxChangePolicy, features.SELinuxMount} + enabledGates := sets.New(tc.gates...) + for _, gate := range allGates { + enable := enabledGates.Has(gate) + featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, gate, enable) } oldPod := tc.oldPod.DeepCopy() diff --git a/pkg/features/versioned_kube_features.go b/pkg/features/versioned_kube_features.go index 134b8c98c11..29579b2ccb5 100644 --- a/pkg/features/versioned_kube_features.go +++ b/pkg/features/versioned_kube_features.go @@ -660,10 +660,12 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate SELinuxChangePolicy: { {Version: version.MustParse("1.32"), Default: false, PreRelease: featuregate.Alpha}, + {Version: version.MustParse("1.33"), Default: true, PreRelease: featuregate.Beta}, }, SELinuxMount: { {Version: version.MustParse("1.30"), Default: false, PreRelease: featuregate.Alpha}, + {Version: version.MustParse("1.33"), Default: false, PreRelease: featuregate.Beta}, }, SELinuxMountReadWriteOncePod: { diff --git a/pkg/volume/util/selinux_test.go b/pkg/volume/util/selinux_test.go index 1e9a389805c..6e744e8a62a 100644 --- a/pkg/volume/util/selinux_test.go +++ b/pkg/volume/util/selinux_test.go 
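Review bot: In TestDropSELinuxChangePolicy, a gate that a test case lists in `tc.gates` but that is missing from the hard-coded `allGates` slice is now silently ignored, whereas the old loop enabled every gate the case listed. A guard before the loop would catch that drift, e.g. `if extra := enabledGates.Difference(sets.New(allGates...)); extra.Len() > 0 { t.Fatalf("gates missing from allGates: %v", extra.UnsortedList()) }`. The same pattern is repeated for `tt.featureGates` in TestGetMountSELinuxLabel in pkg/volume/util/selinux_test.go, so the guard (or a small shared helper) applies there too. Both test bodies start and end outside their hunks, so whether any existing case lists another gate cannot be confirmed from here.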
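Review bot: The new SELinuxMount entry graduates the gate to Beta but keeps `Default: false`, and nothing in the hunk says why it differs from SELinuxChangePolicy, which flips to `Default: true` at the same version. A one-line comment above the entry would stop a later reader from treating the disabled default as an oversight, for example `// Beta, intentionally off by default: <reason / tracking issue>`. The map literal starts and ends outside the hunk, so an explanation may already exist elsewhere in the file.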
@@ -20,6 +20,7 @@ import ( "testing" v1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/util/sets" utilfeature "k8s.io/apiserver/pkg/util/feature" "k8s.io/component-base/featuregate" featuregatetesting "k8s.io/component-base/featuregate/testing" @@ -303,8 +304,12 @@ func TestGetMountSELinuxLabel(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { // Arrange - for _, fg := range tt.featureGates { - featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, fg, true) + // Set feature gates for the test. *Disable* those that are not in tt.featureGates. + allGates := []featuregate.Feature{features.SELinuxChangePolicy, features.SELinuxMount} + enabledGates := sets.New(tt.featureGates...) + for _, fg := range allGates { + enable := enabledGates.Has(fg) + featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, fg, enable) } seLinuxTranslator := NewFakeSELinuxLabelTranslator() pluginMgr, plugin := volumetesting.GetTestKubeletVolumePluginMgr(t) diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml index 5eb82584c9e..e5987b40a58 100644 --- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml +++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml 
@@ -459,6 +459,23 @@ items: - kind: ServiceAccount name: route-controller namespace: kube-system +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: system:controller:selinux-warning-controller + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:controller:selinux-warning-controller + subjects: + - kind: ServiceAccount + name: selinux-warning-controller + namespace: kube-system - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml index ab5e6152d94..e00024f4da6 100644 --- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml +++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml @@ -1314,6 +1314,57 @@ items: - create - patch - update +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: system:controller:selinux-warning-controller + rules: + - apiGroups: + - "" + - events.k8s.io + resources: + - events + verbs: + - create + - patch + - update + - apiGroups: + - "" + resources: + - persistentvolumes + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch + - apiGroups: + - storage.k8s.io + resources: + - csidrivers + verbs: + - get + - list + - watch - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: 
diff --git a/test/featuregates_linter/test_data/versioned_feature_list.yaml b/test/featuregates_linter/test_data/versioned_feature_list.yaml index 370e36395cf..56de7c0ce60 100644 --- a/test/featuregates_linter/test_data/versioned_feature_list.yaml +++ b/test/featuregates_linter/test_data/versioned_feature_list.yaml @@ -1144,12 +1144,20 @@ lockToDefault: false preRelease: Alpha version: "1.32" + - default: true + lockToDefault: false + preRelease: Beta + version: "1.33" - name: SELinuxMount versionedSpecs: - default: false lockToDefault: false preRelease: Alpha version: "1.30" + - default: false + lockToDefault: false + preRelease: Beta + version: "1.33" - name: SELinuxMountReadWriteOncePod versionedSpecs: - default: false