mirror of
https://github.com/k3s-io/kubernetes.git
synced 2026-07-18 04:54:54 +00:00
Drop StructuredAuthorizationConfiguration feature gate
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
This commit is contained in:
@@ -2058,12 +2058,6 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
|
||||
{Version: version.MustParse("1.35"), Default: true, PreRelease: featuregate.Beta},
|
||||
},
|
||||
|
||||
genericfeatures.StructuredAuthorizationConfiguration: {
|
||||
{Version: version.MustParse("1.29"), Default: false, PreRelease: featuregate.Alpha},
|
||||
{Version: version.MustParse("1.30"), Default: true, PreRelease: featuregate.Beta},
|
||||
{Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.GA, LockToDefault: true},
|
||||
},
|
||||
|
||||
genericfeatures.TokenRequestServiceAccountUIDValidation: {
|
||||
{Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.Beta},
|
||||
},
|
||||
@@ -2500,8 +2494,6 @@ var defaultKubernetesFeatureGateDependencies = map[featuregate.Feature][]feature
|
||||
|
||||
genericfeatures.StructuredAuthenticationConfigurationJWKSMetrics: {genericfeatures.StructuredAuthenticationConfiguration},
|
||||
|
||||
genericfeatures.StructuredAuthorizationConfiguration: {},
|
||||
|
||||
genericfeatures.TokenRequestServiceAccountUIDValidation: {},
|
||||
|
||||
genericfeatures.UnauthenticatedHTTP2DOSMitigation: {},
|
||||
|
||||
@@ -22,8 +22,6 @@ import (
|
||||
"time"
|
||||
|
||||
authorizationcel "k8s.io/apiserver/pkg/authorization/cel"
|
||||
genericfeatures "k8s.io/apiserver/pkg/features"
|
||||
utilfeature "k8s.io/apiserver/pkg/util/feature"
|
||||
|
||||
"github.com/spf13/pflag"
|
||||
|
||||
@@ -108,10 +106,6 @@ func (o *BuiltInAuthorizationOptions) Validate() []error {
|
||||
// - the config file can be loaded
|
||||
// - the config file represents a valid configuration
|
||||
if o.AuthorizationConfigurationFile != "" {
|
||||
if !utilfeature.DefaultFeatureGate.Enabled(genericfeatures.StructuredAuthorizationConfiguration) {
|
||||
return append(allErrors, fmt.Errorf("--%s cannot be used without enabling StructuredAuthorizationConfiguration feature flag", authorizationConfigFlag))
|
||||
}
|
||||
|
||||
// error out if legacy flags are defined
|
||||
if o.AreLegacyFlagsSet != nil && o.AreLegacyFlagsSet() {
|
||||
return append(allErrors, fmt.Errorf("--%s can not be specified when --%s or --authorization-webhook-* flags are defined", authorizationConfigFlag, authorizationModeFlag))
|
||||
@@ -193,7 +187,6 @@ func (o *BuiltInAuthorizationOptions) AddFlags(fs *pflag.FlagSet) {
|
||||
|
||||
fs.StringVar(&o.AuthorizationConfigurationFile, authorizationConfigFlag, o.AuthorizationConfigurationFile, ""+
|
||||
"File with Authorization Configuration to configure the authorizer chain. "+
|
||||
"Requires feature gate StructuredAuthorizationConfiguration. "+
|
||||
"This flag is mutually exclusive with the other --authorization-mode and --authorization-webhook-* flags.")
|
||||
|
||||
// preserves compatibility with any method set during initialization
|
||||
@@ -229,9 +222,6 @@ func (o *BuiltInAuthorizationOptions) ToAuthorizationConfig(versionedInformerFac
|
||||
// else,
|
||||
// - build the AuthorizationConfig from the legacy flags
|
||||
if o.AuthorizationConfigurationFile != "" {
|
||||
if !utilfeature.DefaultFeatureGate.Enabled(genericfeatures.StructuredAuthorizationConfiguration) {
|
||||
return nil, fmt.Errorf("--%s cannot be used without enabling StructuredAuthorizationConfiguration feature flag", authorizationConfigFlag)
|
||||
}
|
||||
// error out if legacy flags are defined
|
||||
if o.AreLegacyFlagsSet != nil && o.AreLegacyFlagsSet() {
|
||||
return nil, fmt.Errorf("--%s can not be specified when --%s or --authorization-webhook-* flags are defined", authorizationConfigFlag, authorizationModeFlag)
|
||||
|
||||
@@ -763,7 +763,7 @@ func ValidateWebhookConfiguration(compiler authorizationcel.Compiler, fldPath *f
|
||||
allErrs = append(allErrs, field.NotSupported(fldPath.Child("connectionInfo", "type"), c.ConnectionInfo, []string{api.AuthorizationWebhookConnectionInfoTypeInCluster, api.AuthorizationWebhookConnectionInfoTypeKubeConfigFile}))
|
||||
}
|
||||
|
||||
_, errs := compileMatchConditions(compiler, c.MatchConditions, fldPath, utilfeature.DefaultFeatureGate.Enabled(features.StructuredAuthorizationConfiguration))
|
||||
_, errs := compileMatchConditions(compiler, c.MatchConditions, fldPath)
|
||||
allErrs = append(allErrs, errs...)
|
||||
|
||||
return allErrs
|
||||
@@ -772,15 +772,11 @@ func ValidateWebhookConfiguration(compiler authorizationcel.Compiler, fldPath *f
|
||||
// ValidateAndCompileMatchConditions validates a given webhook's matchConditions.
|
||||
// This is exported for use in authz package.
|
||||
func ValidateAndCompileMatchConditions(compiler authorizationcel.Compiler, matchConditions []api.WebhookMatchCondition) (*authorizationcel.CELMatcher, field.ErrorList) {
|
||||
return compileMatchConditions(compiler, matchConditions, nil, utilfeature.DefaultFeatureGate.Enabled(features.StructuredAuthorizationConfiguration))
|
||||
return compileMatchConditions(compiler, matchConditions, nil)
|
||||
}
|
||||
|
||||
func compileMatchConditions(compiler authorizationcel.Compiler, matchConditions []api.WebhookMatchCondition, fldPath *field.Path, structuredAuthzFeatureEnabled bool) (*authorizationcel.CELMatcher, field.ErrorList) {
|
||||
func compileMatchConditions(compiler authorizationcel.Compiler, matchConditions []api.WebhookMatchCondition, fldPath *field.Path) (*authorizationcel.CELMatcher, field.ErrorList) {
|
||||
var allErrs field.ErrorList
|
||||
// should fail when match conditions are used without feature enabled
|
||||
if len(matchConditions) > 0 && !structuredAuthzFeatureEnabled {
|
||||
allErrs = append(allErrs, field.Invalid(fldPath.Child("matchConditions"), "", "not supported when StructuredAuthorizationConfiguration feature gate is disabled"))
|
||||
}
|
||||
if len(matchConditions) > 64 {
|
||||
allErrs = append(allErrs, field.TooMany(fldPath.Child("matchConditions"), len(matchConditions), 64))
|
||||
return nil, allErrs
|
||||
|
||||
@@ -241,12 +241,6 @@ const (
|
||||
// Enables JWKs metrics for Structured Authentication Configuration
|
||||
StructuredAuthenticationConfigurationJWKSMetrics featuregate.Feature = "StructuredAuthenticationConfigurationJWKSMetrics"
|
||||
|
||||
// owner: @palnabarun
|
||||
// kep: https://kep.k8s.io/3221
|
||||
//
|
||||
// Enables Structured Authorization Configuration
|
||||
StructuredAuthorizationConfiguration featuregate.Feature = "StructuredAuthorizationConfiguration"
|
||||
|
||||
// owner: @aramase
|
||||
//
|
||||
// Enables validation of service account UID in TokenRequest API.
|
||||
@@ -467,12 +461,6 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
|
||||
{Version: version.MustParse("1.35"), Default: true, PreRelease: featuregate.Beta},
|
||||
},
|
||||
|
||||
StructuredAuthorizationConfiguration: {
|
||||
{Version: version.MustParse("1.29"), Default: false, PreRelease: featuregate.Alpha},
|
||||
{Version: version.MustParse("1.30"), Default: true, PreRelease: featuregate.Beta},
|
||||
{Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.GA, LockToDefault: true},
|
||||
},
|
||||
|
||||
TokenRequestServiceAccountUIDValidation: {
|
||||
{Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.Beta},
|
||||
},
|
||||
|
||||
@@ -204,21 +204,18 @@ func (w *WebhookAuthorizer) Authorize(ctx context.Context, attr authorizer.Attri
|
||||
Verb: attr.GetVerb(),
|
||||
}
|
||||
}
|
||||
// skipping match when feature is not enabled
|
||||
if utilfeature.DefaultFeatureGate.Enabled(genericfeatures.StructuredAuthorizationConfiguration) {
|
||||
// Process Match Conditions before calling the webhook
|
||||
matches, err := w.match(ctx, r)
|
||||
// If at least one matchCondition evaluates to an error (but none are FALSE):
|
||||
// If failurePolicy=Deny, then the webhook rejects the request
|
||||
// If failurePolicy=NoOpinion, then the error is ignored and the webhook is skipped
|
||||
if err != nil {
|
||||
return w.decisionOnError, "", err
|
||||
}
|
||||
// If at least one matchCondition successfully evaluates to FALSE,
|
||||
// then the webhook is skipped.
|
||||
if !matches {
|
||||
return authorizer.DecisionNoOpinion, "", nil
|
||||
}
|
||||
// Process Match Conditions before calling the webhook
|
||||
matches, err := w.match(ctx, r)
|
||||
// If at least one matchCondition evaluates to an error (but none are FALSE):
|
||||
// If failurePolicy=Deny, then the webhook rejects the request
|
||||
// If failurePolicy=NoOpinion, then the error is ignored and the webhook is skipped
|
||||
if err != nil {
|
||||
return w.decisionOnError, "", err
|
||||
}
|
||||
// If at least one matchCondition successfully evaluates to FALSE,
|
||||
// then the webhook is skipped.
|
||||
if !matches {
|
||||
return authorizer.DecisionNoOpinion, "", nil
|
||||
}
|
||||
// If all evaluated successfully and ALL matchConditions evaluate to TRUE,
|
||||
// then the webhook is called.
|
||||
|
||||
@@ -191,7 +191,6 @@
|
||||
| StructuredAuthenticationConfiguration | :ballot_box_with_check: 1.30+ | :closed_lock_with_key: 1.34+ | 1.29 | 1.30–1.33 | 1.34– | | | [code](https://cs.k8s.io/?q=%5CbStructuredAuthenticationConfiguration%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbStructuredAuthenticationConfiguration%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) |
|
||||
| StructuredAuthenticationConfigurationEgressSelector | :ballot_box_with_check: 1.34+ | | | 1.34– | | | StructuredAuthenticationConfiguration | [code](https://cs.k8s.io/?q=%5CbStructuredAuthenticationConfigurationEgressSelector%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbStructuredAuthenticationConfigurationEgressSelector%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) |
|
||||
| StructuredAuthenticationConfigurationJWKSMetrics | :ballot_box_with_check: 1.35+ | | | 1.35– | | | StructuredAuthenticationConfiguration | [code](https://cs.k8s.io/?q=%5CbStructuredAuthenticationConfigurationJWKSMetrics%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbStructuredAuthenticationConfigurationJWKSMetrics%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) |
|
||||
| StructuredAuthorizationConfiguration | :ballot_box_with_check: 1.30+ | :closed_lock_with_key: 1.32+ | 1.29 | 1.30–1.31 | 1.32– | | | [code](https://cs.k8s.io/?q=%5CbStructuredAuthorizationConfiguration%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbStructuredAuthorizationConfiguration%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) |
|
||||
| SupplementalGroupsPolicy | :ballot_box_with_check: 1.33+ | :closed_lock_with_key: 1.35+ | 1.31–1.32 | 1.33–1.34 | 1.35– | | | [code](https://cs.k8s.io/?q=%5CbSupplementalGroupsPolicy%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbSupplementalGroupsPolicy%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) |
|
||||
| SystemdWatchdog | :ballot_box_with_check: 1.32+ | :closed_lock_with_key: 1.35+ | | 1.32–1.34 | 1.35– | | | [code](https://cs.k8s.io/?q=%5CbSystemdWatchdog%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbSystemdWatchdog%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) |
|
||||
| TaintTolerationComparisonOperators | | | 1.35– | | | | | [code](https://cs.k8s.io/?q=%5CbTaintTolerationComparisonOperators%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbTaintTolerationComparisonOperators%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) |
|
||||
|
||||
@@ -1791,20 +1791,6 @@
|
||||
lockToDefault: false
|
||||
preRelease: Beta
|
||||
version: "1.35"
|
||||
- name: StructuredAuthorizationConfiguration
|
||||
versionedSpecs:
|
||||
- default: false
|
||||
lockToDefault: false
|
||||
preRelease: Alpha
|
||||
version: "1.29"
|
||||
- default: true
|
||||
lockToDefault: false
|
||||
preRelease: Beta
|
||||
version: "1.30"
|
||||
- default: true
|
||||
lockToDefault: true
|
||||
preRelease: GA
|
||||
version: "1.32"
|
||||
- name: SupplementalGroupsPolicy
|
||||
versionedSpecs:
|
||||
- default: false
|
||||
|
||||
Reference in New Issue
Block a user