From 5049382a818d92074c1531583a29005d1d53300b Mon Sep 17 00:00:00 2001
From: mtardy
Date: Sun, 19 Feb 2023 13:04:45 +0100
Subject: [PATCH 1/2] Scdeny admission plugin: add warning on register
---
plugin/pkg/admission/securitycontext/scdeny/admission.go | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/plugin/pkg/admission/securitycontext/scdeny/admission.go b/plugin/pkg/admission/securitycontext/scdeny/admission.go
index c5da558c7bf..9924b5e91b5 100644
--- a/plugin/pkg/admission/securitycontext/scdeny/admission.go
+++ b/plugin/pkg/admission/securitycontext/scdeny/admission.go
@@ -23,6 +23,7 @@ import (
apierrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apiserver/pkg/admission"
+ "k8s.io/klog/v2"
api "k8s.io/kubernetes/pkg/apis/core"
)
@@ -45,6 +46,11 @@ var _ admission.ValidationInterface = &Plugin{}
// NewSecurityContextDeny creates a new instance of the SecurityContextDeny admission controller
func NewSecurityContextDeny() *Plugin {
+ // DEPRECATED: SecurityContextDeny will be removed in favor of PodSecurity admission.
+ klog.Warningf("%s admission controller is deprecated. "+
"Please remove this controller from your configuration files and scripts. "+
"See https://k8s.io/docs/reference/access-authn-authz/admission-controllers/#securitycontextdeny for more information.",
PluginName)
return &Plugin{
Handler: admission.NewHandler(admission.Create, admission.Update),
}
From 36a215603321a1cd4fb09017dd9c6cc697cb7184 Mon Sep 17 00:00:00 2001
From: mtardy
Date: Fri, 10 Mar 2023 18:01:48 +0100
Subject: [PATCH 2/2] Add a SecurityContextDeny feature gate disabled by default
Put plugin registration behind the feature gate.
---
pkg/features/kube_features.go | 10 ++++++++++
.../admission/securitycontext/scdeny/admission.go | 14 +++++++++++---
2 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/pkg/features/kube_features.go b/pkg/features/kube_features.go
index 5a9ef0ce375..c4de2181bf3 100644
--- a/pkg/features/kube_features.go
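Review bot: The deprecation in the second hunk (@@ -45) is announced only at runtime through klog.Warningf, while the exported constructor keeps its plain doc comment, so gopls, staticcheck and godoc will not surface it to people who wire this plugin in code. Add a paragraph `// Deprecated: SecurityContextDeny is being removed in favor of PodSecurity admission; see https://k8s.io/docs/reference/access-authn-authz/admission-controllers/#securitycontextdeny.` to the doc comment on NewSecurityContextDeny (and, outside this hunk, on the Plugin type) so tooling reports it. The warning also fires on every construction rather than once at registration; that is harmless for the apiserver, but a short comment saying this is intentional would stop the next reader from "fixing" it, and I cannot see from here whether callers other than Register exist. NewSecurityContextDeny's closing brace lies outside the hunk.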
+++ b/pkg/features/kube_features.go
@@ -691,6 +691,14 @@ const (
// Enables the use of `RuntimeDefault` as the default seccomp profile for all workloads.
SeccompDefault featuregate.Feature = "SeccompDefault"
+ // owner: @mtardy
+ // alpha: v1.0
+ //
+ // Putting this admission plugin behind a feature gate is part of the
+ // deprecation process. For details about the removal see:
+ // https://github.com/kubernetes/kubernetes/issues/111516
+ SecurityContextDeny featuregate.Feature = "SecurityContextDeny"
+
// owner: @maplain @andrewsykim
// kep: https://kep.k8s.io/2086
// alpha: v1.21
@@ -1022,6 +1030,8 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
SeccompDefault: {Default: true, PreRelease: featuregate.Beta},
+ SecurityContextDeny: {Default: false, PreRelease: featuregate.Alpha},
+
ServiceIPStaticSubrange: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.28
ServiceInternalTrafficPolicy: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.28
diff --git a/plugin/pkg/admission/securitycontext/scdeny/admission.go b/plugin/pkg/admission/securitycontext/scdeny/admission.go
index 9924b5e91b5..160724f7649 100644
--- a/plugin/pkg/admission/securitycontext/scdeny/admission.go
+++ b/plugin/pkg/admission/securitycontext/scdeny/admission.go
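Review bot: `// alpha: v1.0` on the new SecurityContextDeny gate does not follow the file's convention, where that line records the release in which the gate was introduced (the neighbouring gate carries `// alpha: v1.21`); v1.0 reads like a placeholder and should be the release this patch ships in. The comment also never states what the gate controls; a line such as `// Enables registration of the deprecated SecurityContextDeny admission plugin; when the gate is off, listing the plugin in the admission configuration is a registration error.` lets someone reading the gate list understand the fail-closed behaviour without opening the plugin. That consequence matters for the `Default: false` entry in the second hunk (@@ -1022): clusters that still list the plugin will presumably fail admission setup on upgrade until the gate is enabled, which is the intended effect of "disabled by default" but deserves to be spelled out next to the gate.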
@@ -23,17 +23,25 @@ import (
apierrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apiserver/pkg/admission"
+ utilfeature "k8s.io/apiserver/pkg/util/feature"
"k8s.io/klog/v2"
api "k8s.io/kubernetes/pkg/apis/core"
+ "k8s.io/kubernetes/pkg/features"
)
// PluginName indicates name of admission plugin.
const PluginName = "SecurityContextDeny"
+const docLink = "https://k8s.io/docs/reference/access-authn-authz/admission-controllers/#securitycontextdeny"
+
// Register registers a plugin
func Register(plugins *admission.Plugins) {
plugins.Register(PluginName, func(config io.Reader) (admission.Interface, error) {
- return NewSecurityContextDeny(), nil
+ if utilfeature.DefaultFeatureGate.Enabled(features.SecurityContextDeny) {
+ return NewSecurityContextDeny(), nil
+ } else {
+ return nil, fmt.Errorf("%s admission controller is an alpha feature, planned to be removed, and requires the SecurityContextDeny feature gate to be enabled, see %s for more information", PluginName, docLink)
+ }
})
}
@@ -49,8 +57,8 @@ func NewSecurityContextDeny() *Plugin {
// DEPRECATED: SecurityContextDeny will be removed in favor of PodSecurity admission.
klog.Warningf("%s admission controller is deprecated. "+
"Please remove this controller from your configuration files and scripts. "+
- "See https://k8s.io/docs/reference/access-authn-authz/admission-controllers/#securitycontextdeny for more information.",
- PluginName)
+ "See %s for more information.",
+ PluginName, docLink)
return &Plugin{
Handler: admission.NewHandler(admission.Create, admission.Update),
}
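Review bot: The `else` in the Register closure follows a terminating `if`, which Go style (and the indent-error-flow lint used by revive/golint) flags; invert it into a guard, `if !utilfeature.DefaultFeatureGate.Enabled(features.SecurityContextDeny) { return nil, fmt.Errorf(...) }` followed by `return NewSecurityContextDeny(), nil`, so the happy path stays left-aligned. Returning an error from the factory when the gate is off is the right fail-closed choice for a plugin that exists to reject SecurityContext settings: the apiserver presumably refuses to finish admission setup rather than silently admitting pods it was configured to deny. The error text should make that plain, because operators meet it at startup; wording such as `"%s admission controller is deprecated and disabled by default; enable the SecurityContextDeny feature gate to keep using it until its removal, see %s"` is clearer than calling a long-standing plugin "an alpha feature" (the gate is alpha, the plugin is not). The gate is read once when the factory runs, not per request; a one-line comment above the check saying so would spare the next reader from looking for a hot path.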