diff --git a/cmd/kubelet/app/options/options.go b/cmd/kubelet/app/options/options.go
index 552cb7a40e3..fe5467d65c2 100644
--- a/cmd/kubelet/app/options/options.go
+++ b/cmd/kubelet/app/options/options.go
@@ -33,7 +33,6 @@ import (
 "k8s.io/kubelet/config/v1beta1"
 kubeletapis "k8s.io/kubelet/pkg/apis"
 "k8s.io/kubernetes/pkg/cluster/ports"
- "k8s.io/kubernetes/pkg/features"
 kubeletconfig "k8s.io/kubernetes/pkg/kubelet/apis/config"
 kubeletscheme "k8s.io/kubernetes/pkg/kubelet/apis/config/scheme"
 kubeletconfigvalidation "k8s.io/kubernetes/pkg/kubelet/apis/config/validation"
@@ -135,7 +134,6 @@ type KubeletFlags struct {
 // This can be useful for debugging volume related issues.
 KeepTerminatedPodVolumes bool
 // SeccompDefault enables the use of `RuntimeDefault` as the default seccomp profile for all workloads on the node.
- // To use this flag, the corresponding SeccompDefault feature gate must be enabled.
 SeccompDefault bool
 }
 
@@ -181,10 +179,6 @@ func ValidateKubeletFlags(f *KubeletFlags) error {
 return fmt.Errorf("invalid node labels: %s", strings.Join(labelErrs, "; "))
 }
 
- if f.SeccompDefault && !utilfeature.DefaultFeatureGate.Enabled(features.SeccompDefault) {
- return fmt.Errorf("the SeccompDefault feature gate must be enabled in order to use the --seccomp-default flag")
- }
-
 if f.ContainerRuntime != kubetypes.RemoteContainerRuntime {
 return fmt.Errorf("unsupported CRI runtime: %q, only %q is currently supported", f.ContainerRuntime, kubetypes.RemoteContainerRuntime)
 }
@@ -311,13 +305,13 @@ func (f *KubeletFlags) AddFlags(mainfs *pflag.FlagSet) {
 "If --tls-cert-file and --tls-private-key-file are provided, this flag will be ignored.")
 fs.StringVar(&f.RootDirectory, "root-dir", f.RootDirectory, "Directory path for managing kubelet files (volume mounts,etc).")
+ fs.BoolVar(&f.SeccompDefault, "seccomp-default", f.SeccompDefault, "Enable the use of `RuntimeDefault` as the default seccomp profile for all workloads.")
 
 // EXPERIMENTAL FLAGS
 bindableNodeLabels := cliflag.ConfigurationMap(f.NodeLabels)
 fs.Var(&bindableNodeLabels, "node-labels", fmt.Sprintf(" Labels to add when registering the node in the cluster. Labels must be key=value pairs separated by ','. Labels in the 'kubernetes.io' namespace must begin with an allowed prefix (%s) or be in the specifically allowed set (%s)", strings.Join(kubeletapis.KubeletLabelNamespaces(), ", "), strings.Join(kubeletapis.KubeletLabels(), ", ")))
 fs.StringVar(&f.LockFilePath, "lock-file", f.LockFilePath, " The path to file for kubelet to use as a lock file.")
 fs.BoolVar(&f.ExitOnLockContention, "exit-on-lock-contention", f.ExitOnLockContention, "Whether kubelet should exit upon lock-file contention.")
- fs.BoolVar(&f.SeccompDefault, "seccomp-default", f.SeccompDefault, " Enable the use of `RuntimeDefault` as the default seccomp profile for all workloads. The SeccompDefault feature gate must be enabled to allow this flag, which is disabled per default.")
 
 // DEPRECATED FLAGS
 fs.DurationVar(&f.MinimumGCAge.Duration, "minimum-container-ttl-duration", f.MinimumGCAge.Duration, "Minimum age for a finished container before it is garbage collected. Examples: '300ms', '10s' or '2h45m'")
diff --git a/cmd/kubelet/app/server.go b/cmd/kubelet/app/server.go
index cf7744dbe19..4dd27a08bf0 100644
--- a/cmd/kubelet/app/server.go
+++ b/cmd/kubelet/app/server.go
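Review bot: The relocated `--seccomp-default` registration drops the "which is disabled per default" sentence from its help text, and pflag prints no `(default ...)` suffix for a bool whose default is false, so `kubelet --help` no longer tells an operator that `RuntimeDefault` is only applied when they opt in. I would keep that statement in the new string, ending it with `... as the default seccomp profile for all workloads. Disabled by default.`, which also keeps it consistent with the v1beta1 `KubeletConfiguration.SeccompDefault` doc in this same commit that still reads `Default: false`. Moving the flag out of the EXPERIMENTAL section is fine now that the gate is GA. AddFlags starts before this hunk (the first context line is the tail of an earlier flag's help string) and continues after it.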
@@ -1150,10 +1150,6 @@ func RunKubelet(kubeServer *options.KubeletServer, kubeDeps *kubelet.Dependencie
 kubeDeps.OSInterface = kubecontainer.RealOS{}
 }
 
- if kubeServer.KubeletConfiguration.SeccompDefault && !utilfeature.DefaultFeatureGate.Enabled(features.SeccompDefault) {
- return fmt.Errorf("the SeccompDefault feature gate must be enabled in order to use the SeccompDefault configuration")
- }
-
 k, err := createAndInitKubelet(kubeServer,
 kubeDeps,
 hostname,
diff --git a/pkg/features/kube_features.go b/pkg/features/kube_features.go
index 5a9ef0ce375..c705f949d30 100644
--- a/pkg/features/kube_features.go
+++ b/pkg/features/kube_features.go
@@ -687,6 +687,7 @@ const (
 // kep: https://kep.k8s.io/2413
 // alpha: v1.22
 // beta: v1.25
+ // ga: v1.27
 //
 // Enables the use of `RuntimeDefault` as the default seccomp profile for all workloads.
 SeccompDefault featuregate.Feature = "SeccompDefault"
@@ -1020,7 +1021,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
 RotateKubeletServerCertificate: {Default: true, PreRelease: featuregate.Beta},
 
- SeccompDefault: {Default: true, PreRelease: featuregate.Beta},
+ SeccompDefault: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.29
 
 ServiceIPStaticSubrange: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.28
diff --git a/pkg/generated/openapi/zz_generated.openapi.go b/pkg/generated/openapi/zz_generated.openapi.go
index 79631291d07..1fb6906bb93 100644
--- a/pkg/generated/openapi/zz_generated.openapi.go
+++ b/pkg/generated/openapi/zz_generated.openapi.go
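Review bot: `LockToDefault: true` on the `SeccompDefault` entry is an operator-visible behaviour change that the diff does not call out: as I read featuregate's lock semantics, a kubelet started with `--feature-gates=SeccompDefault=false` will now be rejected at gate parsing rather than quietly running with the gate off, and with the two gate reads removed in this commit (ValidateKubeletFlags in options.go, RunKubelet in server.go) the only remaining switch for the behaviour is the `seccompDefault` config field / `--seccomp-default` flag, which still defaults to false. That is the intended GA contract, but it deserves a sentence in the release note and in the gate's comment block, e.g. `// ga: v1.27 (gate is locked on; the seccompDefault kubelet setting still defaults to false)`. The `// remove in 1.29` marker matches the neighbouring `ServiceIPStaticSubrange` convention. The gate map continues outside this hunk.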
@@ -57985,7 +57985,7 @@ func schema_k8sio_kubelet_config_v1beta1_KubeletConfiguration(ref common.Referen
 },
 "seccompDefault": {
 SchemaProps: spec.SchemaProps{
- Description: "SeccompDefault enables the use of `RuntimeDefault` as the default seccomp profile for all workloads. This requires the corresponding SeccompDefault feature gate to be enabled as well. Default: false",
+ Description: "SeccompDefault enables the use of `RuntimeDefault` as the default seccomp profile for all workloads. Default: false",
 Type: []string{"boolean"},
 Format: "",
 },
diff --git a/staging/src/k8s.io/kubelet/config/v1beta1/types.go b/staging/src/k8s.io/kubelet/config/v1beta1/types.go
index 60011c28827..b8ef28d3484 100644
--- a/staging/src/k8s.io/kubelet/config/v1beta1/types.go
+++ b/staging/src/k8s.io/kubelet/config/v1beta1/types.go
@@ -764,7 +764,6 @@ type KubeletConfiguration struct {
 // +optional
 EnableDebugFlagsHandler *bool `json:"enableDebugFlagsHandler,omitempty"`
 // SeccompDefault enables the use of `RuntimeDefault` as the default seccomp profile for all workloads.
- // This requires the corresponding SeccompDefault feature gate to be enabled as well.
 // Default: false
 // +optional
 SeccompDefault *bool `json:"seccompDefault,omitempty"`