Merge pull request #115879 from mtardy/scdeny-warning

`SecurityContextDeny` admission plugin: add warning on creation
Kubernetes Prow Robot 2023-03-13 07:02:48 -07:00 committed by GitHub
commit 9c5eebaf3f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 25 additions and 1 deletions


@ -708,6 +708,14 @@ const (
// Enables the use of `RuntimeDefault` as the default seccomp profile for all workloads. // Enables the use of `RuntimeDefault` as the default seccomp profile for all workloads.
SeccompDefault featuregate.Feature = "SeccompDefault" SeccompDefault featuregate.Feature = "SeccompDefault"
// owner: @mtardy
// alpha: v1.0
//
// Putting this admission plugin behind a feature gate is part of the
// deprecation process. For details about the removal see:
// https://github.com/kubernetes/kubernetes/issues/111516
SecurityContextDeny featuregate.Feature = "SecurityContextDeny"
// owner: @maplain @andrewsykim // owner: @maplain @andrewsykim
// kep: https://kep.k8s.io/2086 // kep: https://kep.k8s.io/2086
// alpha: v1.21 // alpha: v1.21
@ -1058,6 +1066,8 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
SeccompDefault: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.29 SeccompDefault: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.29
SecurityContextDeny: {Default: false, PreRelease: featuregate.Alpha},
ServiceIPStaticSubrange: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.28 ServiceIPStaticSubrange: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.28
ServiceInternalTrafficPolicy: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.28 ServiceInternalTrafficPolicy: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.28
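Review bot: The `// alpha: v1.0` annotation on the new SecurityContextDeny gate does not follow the neighbouring entries, where the version records the release in which the gate was introduced (compare `// alpha: v1.21` on the gate that follows it); if this gate is new in the current release, it should carry that release's version rather than v1.0. The comment also omits the gate's observable effect: with `{Default: false, PreRelease: featuregate.Alpha}` in the second hunk, the accompanying change to the plugin's Register presumably makes registration fail unless the gate is switched on explicitly, so a line such as `// When disabled, registering the SecurityContextDeny admission plugin fails at startup.` would tell readers that flipping the default is not a no-op.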


@ -23,16 +23,25 @@ import (
apierrors "k8s.io/apimachinery/pkg/api/errors" apierrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apiserver/pkg/admission" "k8s.io/apiserver/pkg/admission"
utilfeature "k8s.io/apiserver/pkg/util/feature"
"k8s.io/klog/v2"
api "k8s.io/kubernetes/pkg/apis/core" api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/features"
) )
// PluginName indicates name of admission plugin. // PluginName indicates name of admission plugin.
const PluginName = "SecurityContextDeny" const PluginName = "SecurityContextDeny"
const docLink = "https://k8s.io/docs/reference/access-authn-authz/admission-controllers/#securitycontextdeny"
// Register registers a plugin // Register registers a plugin
func Register(plugins *admission.Plugins) { func Register(plugins *admission.Plugins) {
plugins.Register(PluginName, func(config io.Reader) (admission.Interface, error) { plugins.Register(PluginName, func(config io.Reader) (admission.Interface, error) {
return NewSecurityContextDeny(), nil if utilfeature.DefaultFeatureGate.Enabled(features.SecurityContextDeny) {
return NewSecurityContextDeny(), nil
} else {
return nil, fmt.Errorf("%s admission controller is an alpha feature, planned to be removed, and requires the SecurityContextDeny feature gate to be enabled, see %s for more information", PluginName, docLink)
}
}) })
} }
@ -45,6 +54,11 @@ var _ admission.ValidationInterface = &Plugin{}
// NewSecurityContextDeny creates a new instance of the SecurityContextDeny admission controller // NewSecurityContextDeny creates a new instance of the SecurityContextDeny admission controller
func NewSecurityContextDeny() *Plugin { func NewSecurityContextDeny() *Plugin {
// DEPRECATED: SecurityContextDeny will be removed in favor of PodSecurity admission.
klog.Warningf("%s admission controller is deprecated. "+
"Please remove this controller from your configuration files and scripts. "+
"See %s for more information.",
PluginName, docLink)
return &Plugin{ return &Plugin{
Handler: admission.NewHandler(admission.Create, admission.Update), Handler: admission.NewHandler(admission.Create, admission.Update),
} }
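Review bot: The factory branch at `if utilfeature.DefaultFeatureGate.Enabled(features.SecurityContextDeny)` fails closed — an apiserver that still lists the plugin presumably refuses to start when the gate is off instead of silently running without the control — but nothing records that this is intended, so a comment like `// Fail startup rather than silently drop a configured admission control.` would guard it against a later "make it lenient" change. The `else` after a terminating `return` can be dropped so the error return sits at function level. The `// DEPRECATED: ...` marker is inside the body where tooling will not surface it; move it to the doc comment as `// Deprecated: SecurityContextDeny will be removed in favor of PodSecurity admission.` on its own line above `func NewSecurityContextDeny()`. NewSecurityContextDeny's closing brace lies outside the hunk.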