Drop StructuredAuthorizationConfiguration feature gate

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
This commit is contained in:
Anish Ramasekar
2026-01-26 11:35:03 -06:00
parent efc15394a1
commit a1478c7730
7 changed files with 15 additions and 67 deletions

View File

@@ -2058,12 +2058,6 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
{Version: version.MustParse("1.35"), Default: true, PreRelease: featuregate.Beta},
},
genericfeatures.StructuredAuthorizationConfiguration: {
{Version: version.MustParse("1.29"), Default: false, PreRelease: featuregate.Alpha},
{Version: version.MustParse("1.30"), Default: true, PreRelease: featuregate.Beta},
{Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.GA, LockToDefault: true},
},
genericfeatures.TokenRequestServiceAccountUIDValidation: {
{Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.Beta},
},
@@ -2500,8 +2494,6 @@ var defaultKubernetesFeatureGateDependencies = map[featuregate.Feature][]feature
genericfeatures.StructuredAuthenticationConfigurationJWKSMetrics: {genericfeatures.StructuredAuthenticationConfiguration},
genericfeatures.StructuredAuthorizationConfiguration: {},
genericfeatures.TokenRequestServiceAccountUIDValidation: {},
genericfeatures.UnauthenticatedHTTP2DOSMitigation: {},

View File

@@ -22,8 +22,6 @@ import (
"time"
authorizationcel "k8s.io/apiserver/pkg/authorization/cel"
genericfeatures "k8s.io/apiserver/pkg/features"
utilfeature "k8s.io/apiserver/pkg/util/feature"
"github.com/spf13/pflag"
@@ -108,10 +106,6 @@ func (o *BuiltInAuthorizationOptions) Validate() []error {
// - the config file can be loaded
// - the config file represents a valid configuration
if o.AuthorizationConfigurationFile != "" {
if !utilfeature.DefaultFeatureGate.Enabled(genericfeatures.StructuredAuthorizationConfiguration) {
return append(allErrors, fmt.Errorf("--%s cannot be used without enabling StructuredAuthorizationConfiguration feature flag", authorizationConfigFlag))
}
// error out if legacy flags are defined
if o.AreLegacyFlagsSet != nil && o.AreLegacyFlagsSet() {
return append(allErrors, fmt.Errorf("--%s can not be specified when --%s or --authorization-webhook-* flags are defined", authorizationConfigFlag, authorizationModeFlag))
@@ -193,7 +187,6 @@ func (o *BuiltInAuthorizationOptions) AddFlags(fs *pflag.FlagSet) {
fs.StringVar(&o.AuthorizationConfigurationFile, authorizationConfigFlag, o.AuthorizationConfigurationFile, ""+
"File with Authorization Configuration to configure the authorizer chain. "+
"Requires feature gate StructuredAuthorizationConfiguration. "+
"This flag is mutually exclusive with the other --authorization-mode and --authorization-webhook-* flags.")
// preserves compatibility with any method set during initialization
@@ -229,9 +222,6 @@ func (o *BuiltInAuthorizationOptions) ToAuthorizationConfig(versionedInformerFac
// else,
// - build the AuthorizationConfig from the legacy flags
if o.AuthorizationConfigurationFile != "" {
if !utilfeature.DefaultFeatureGate.Enabled(genericfeatures.StructuredAuthorizationConfiguration) {
return nil, fmt.Errorf("--%s cannot be used without enabling StructuredAuthorizationConfiguration feature flag", authorizationConfigFlag)
}
// error out if legacy flags are defined
if o.AreLegacyFlagsSet != nil && o.AreLegacyFlagsSet() {
return nil, fmt.Errorf("--%s can not be specified when --%s or --authorization-webhook-* flags are defined", authorizationConfigFlag, authorizationModeFlag)

View File

@@ -763,7 +763,7 @@ func ValidateWebhookConfiguration(compiler authorizationcel.Compiler, fldPath *f
allErrs = append(allErrs, field.NotSupported(fldPath.Child("connectionInfo", "type"), c.ConnectionInfo, []string{api.AuthorizationWebhookConnectionInfoTypeInCluster, api.AuthorizationWebhookConnectionInfoTypeKubeConfigFile}))
}
_, errs := compileMatchConditions(compiler, c.MatchConditions, fldPath, utilfeature.DefaultFeatureGate.Enabled(features.StructuredAuthorizationConfiguration))
_, errs := compileMatchConditions(compiler, c.MatchConditions, fldPath)
allErrs = append(allErrs, errs...)
return allErrs
@@ -772,15 +772,11 @@ func ValidateWebhookConfiguration(compiler authorizationcel.Compiler, fldPath *f
// ValidateAndCompileMatchConditions validates a given webhook's matchConditions.
// This is exported for use in authz package.
func ValidateAndCompileMatchConditions(compiler authorizationcel.Compiler, matchConditions []api.WebhookMatchCondition) (*authorizationcel.CELMatcher, field.ErrorList) {
return compileMatchConditions(compiler, matchConditions, nil, utilfeature.DefaultFeatureGate.Enabled(features.StructuredAuthorizationConfiguration))
return compileMatchConditions(compiler, matchConditions, nil)
}
func compileMatchConditions(compiler authorizationcel.Compiler, matchConditions []api.WebhookMatchCondition, fldPath *field.Path, structuredAuthzFeatureEnabled bool) (*authorizationcel.CELMatcher, field.ErrorList) {
func compileMatchConditions(compiler authorizationcel.Compiler, matchConditions []api.WebhookMatchCondition, fldPath *field.Path) (*authorizationcel.CELMatcher, field.ErrorList) {
var allErrs field.ErrorList
// should fail when match conditions are used without feature enabled
if len(matchConditions) > 0 && !structuredAuthzFeatureEnabled {
allErrs = append(allErrs, field.Invalid(fldPath.Child("matchConditions"), "", "not supported when StructuredAuthorizationConfiguration feature gate is disabled"))
}
if len(matchConditions) > 64 {
allErrs = append(allErrs, field.TooMany(fldPath.Child("matchConditions"), len(matchConditions), 64))
return nil, allErrs

View File

@@ -241,12 +241,6 @@ const (
// Enables JWKs metrics for Structured Authentication Configuration
StructuredAuthenticationConfigurationJWKSMetrics featuregate.Feature = "StructuredAuthenticationConfigurationJWKSMetrics"
// owner: @palnabarun
// kep: https://kep.k8s.io/3221
//
// Enables Structured Authorization Configuration
StructuredAuthorizationConfiguration featuregate.Feature = "StructuredAuthorizationConfiguration"
// owner: @aramase
//
// Enables validation of service account UID in TokenRequest API.
@@ -467,12 +461,6 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
{Version: version.MustParse("1.35"), Default: true, PreRelease: featuregate.Beta},
},
StructuredAuthorizationConfiguration: {
{Version: version.MustParse("1.29"), Default: false, PreRelease: featuregate.Alpha},
{Version: version.MustParse("1.30"), Default: true, PreRelease: featuregate.Beta},
{Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.GA, LockToDefault: true},
},
TokenRequestServiceAccountUIDValidation: {
{Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.Beta},
},

View File

@@ -204,21 +204,18 @@ func (w *WebhookAuthorizer) Authorize(ctx context.Context, attr authorizer.Attri
Verb: attr.GetVerb(),
}
}
// skipping match when feature is not enabled
if utilfeature.DefaultFeatureGate.Enabled(genericfeatures.StructuredAuthorizationConfiguration) {
// Process Match Conditions before calling the webhook
matches, err := w.match(ctx, r)
// If at least one matchCondition evaluates to an error (but none are FALSE):
// If failurePolicy=Deny, then the webhook rejects the request
// If failurePolicy=NoOpinion, then the error is ignored and the webhook is skipped
if err != nil {
return w.decisionOnError, "", err
}
// If at least one matchCondition successfully evaluates to FALSE,
// then the webhook is skipped.
if !matches {
return authorizer.DecisionNoOpinion, "", nil
}
// Process Match Conditions before calling the webhook
matches, err := w.match(ctx, r)
// If at least one matchCondition evaluates to an error (but none are FALSE):
// If failurePolicy=Deny, then the webhook rejects the request
// If failurePolicy=NoOpinion, then the error is ignored and the webhook is skipped
if err != nil {
return w.decisionOnError, "", err
}
// If at least one matchCondition successfully evaluates to FALSE,
// then the webhook is skipped.
if !matches {
return authorizer.DecisionNoOpinion, "", nil
}
// If all evaluated successfully and ALL matchConditions evaluate to TRUE,
// then the webhook is called.

View File

@@ -191,7 +191,6 @@
| StructuredAuthenticationConfiguration | :ballot_box_with_check:&nbsp;1.30+ | :closed_lock_with_key:&nbsp;1.34+ | 1.29 | 1.301.33 | 1.34 | | | [code](https://cs.k8s.io/?q=%5CbStructuredAuthenticationConfiguration%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbStructuredAuthenticationConfiguration%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) |
| StructuredAuthenticationConfigurationEgressSelector | :ballot_box_with_check:&nbsp;1.34+ | | | 1.34 | | | StructuredAuthenticationConfiguration | [code](https://cs.k8s.io/?q=%5CbStructuredAuthenticationConfigurationEgressSelector%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbStructuredAuthenticationConfigurationEgressSelector%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) |
| StructuredAuthenticationConfigurationJWKSMetrics | :ballot_box_with_check:&nbsp;1.35+ | | | 1.35 | | | StructuredAuthenticationConfiguration | [code](https://cs.k8s.io/?q=%5CbStructuredAuthenticationConfigurationJWKSMetrics%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbStructuredAuthenticationConfigurationJWKSMetrics%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) |
| StructuredAuthorizationConfiguration | :ballot_box_with_check:&nbsp;1.30+ | :closed_lock_with_key:&nbsp;1.32+ | 1.29 | 1.301.31 | 1.32 | | | [code](https://cs.k8s.io/?q=%5CbStructuredAuthorizationConfiguration%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbStructuredAuthorizationConfiguration%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) |
| SupplementalGroupsPolicy | :ballot_box_with_check:&nbsp;1.33+ | :closed_lock_with_key:&nbsp;1.35+ | 1.311.32 | 1.331.34 | 1.35 | | | [code](https://cs.k8s.io/?q=%5CbSupplementalGroupsPolicy%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbSupplementalGroupsPolicy%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) |
| SystemdWatchdog | :ballot_box_with_check:&nbsp;1.32+ | :closed_lock_with_key:&nbsp;1.35+ | | 1.321.34 | 1.35 | | | [code](https://cs.k8s.io/?q=%5CbSystemdWatchdog%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbSystemdWatchdog%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) |
| TaintTolerationComparisonOperators | | | 1.35 | | | | | [code](https://cs.k8s.io/?q=%5CbTaintTolerationComparisonOperators%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbTaintTolerationComparisonOperators%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) |

View File

@@ -1791,20 +1791,6 @@
lockToDefault: false
preRelease: Beta
version: "1.35"
- name: StructuredAuthorizationConfiguration
versionedSpecs:
- default: false
lockToDefault: false
preRelease: Alpha
version: "1.29"
- default: true
lockToDefault: false
preRelease: Beta
version: "1.30"
- default: true
lockToDefault: true
preRelease: GA
version: "1.32"
- name: SupplementalGroupsPolicy
versionedSpecs:
- default: false