From a1478c77301cb7fe17e5369eae9aeaa943b10155 Mon Sep 17 00:00:00 2001 From: Anish Ramasekar Date: Mon, 26 Jan 2026 11:35:03 -0600 Subject: [PATCH] Drop StructuredAuthorizationConfiguration feature gate Signed-off-by: Anish Ramasekar --- pkg/features/kube_features.go | 8 ------ pkg/kubeapiserver/options/authorization.go | 10 ------- .../apis/apiserver/validation/validation.go | 10 +++---- .../apiserver/pkg/features/kube_features.go | 12 --------- .../plugin/pkg/authorizer/webhook/webhook.go | 27 +++++++++---------- .../reference/feature_list.md | 1 - .../reference/versioned_feature_list.yaml | 14 ---------- 7 files changed, 15 insertions(+), 67 deletions(-) diff --git a/pkg/features/kube_features.go b/pkg/features/kube_features.go index 91e565414ac..eab82f9d0b6 100644 --- a/pkg/features/kube_features.go +++ b/pkg/features/kube_features.go @@ -2058,12 +2058,6 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate {Version: version.MustParse("1.35"), Default: true, PreRelease: featuregate.Beta}, }, - genericfeatures.StructuredAuthorizationConfiguration: { - {Version: version.MustParse("1.29"), Default: false, PreRelease: featuregate.Alpha}, - {Version: version.MustParse("1.30"), Default: true, PreRelease: featuregate.Beta}, - {Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, - }, - genericfeatures.TokenRequestServiceAccountUIDValidation: { {Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.Beta}, }, @@ -2500,8 +2494,6 @@ var defaultKubernetesFeatureGateDependencies = map[featuregate.Feature][]feature genericfeatures.StructuredAuthenticationConfigurationJWKSMetrics: {genericfeatures.StructuredAuthenticationConfiguration}, - genericfeatures.StructuredAuthorizationConfiguration: {}, - genericfeatures.TokenRequestServiceAccountUIDValidation: {}, genericfeatures.UnauthenticatedHTTP2DOSMitigation: {}, diff --git a/pkg/kubeapiserver/options/authorization.go b/pkg/kubeapiserver/options/authorization.go index 2edfa11309d..b1e8272dd57 100644 --- a/pkg/kubeapiserver/options/authorization.go +++ b/pkg/kubeapiserver/options/authorization.go @@ -22,8 +22,6 @@ import ( "time" authorizationcel "k8s.io/apiserver/pkg/authorization/cel" - genericfeatures "k8s.io/apiserver/pkg/features" - utilfeature "k8s.io/apiserver/pkg/util/feature" "github.com/spf13/pflag" @@ -108,10 +106,6 @@ func (o *BuiltInAuthorizationOptions) Validate() []error { // - the config file can be loaded // - the config file represents a valid configuration if o.AuthorizationConfigurationFile != "" { - if !utilfeature.DefaultFeatureGate.Enabled(genericfeatures.StructuredAuthorizationConfiguration) { - return append(allErrors, fmt.Errorf("--%s cannot be used without enabling StructuredAuthorizationConfiguration feature flag", authorizationConfigFlag)) - } - // error out if legacy flags are defined if o.AreLegacyFlagsSet != nil && o.AreLegacyFlagsSet() { return append(allErrors, fmt.Errorf("--%s can not be specified when --%s or --authorization-webhook-* flags are defined", authorizationConfigFlag, authorizationModeFlag)) @@ -193,7 +187,6 @@ func (o *BuiltInAuthorizationOptions) AddFlags(fs *pflag.FlagSet) { fs.StringVar(&o.AuthorizationConfigurationFile, authorizationConfigFlag, o.AuthorizationConfigurationFile, ""+ "File with Authorization Configuration to configure the authorizer chain. "+ - "Requires feature gate StructuredAuthorizationConfiguration. "+ "This flag is mutually exclusive with the other --authorization-mode and --authorization-webhook-* flags.") // preserves compatibility with any method set during initialization @@ -229,9 +222,6 @@ func (o *BuiltInAuthorizationOptions) ToAuthorizationConfig(versionedInformerFac // else, // - build the AuthorizationConfig from the legacy flags if o.AuthorizationConfigurationFile != "" { - if !utilfeature.DefaultFeatureGate.Enabled(genericfeatures.StructuredAuthorizationConfiguration) { - return nil, fmt.Errorf("--%s cannot be used without enabling StructuredAuthorizationConfiguration feature flag", authorizationConfigFlag) - } // error out if legacy flags are defined if o.AreLegacyFlagsSet != nil && o.AreLegacyFlagsSet() { return nil, fmt.Errorf("--%s can not be specified when --%s or --authorization-webhook-* flags are defined", authorizationConfigFlag, authorizationModeFlag) diff --git a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation.go b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation.go index be85d4f3d71..a5eeaef60f3 100644 --- a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation.go +++ b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation.go @@ -763,7 +763,7 @@ func ValidateWebhookConfiguration(compiler authorizationcel.Compiler, fldPath *f allErrs = append(allErrs, field.NotSupported(fldPath.Child("connectionInfo", "type"), c.ConnectionInfo, []string{api.AuthorizationWebhookConnectionInfoTypeInCluster, api.AuthorizationWebhookConnectionInfoTypeKubeConfigFile})) } - _, errs := compileMatchConditions(compiler, c.MatchConditions, fldPath, utilfeature.DefaultFeatureGate.Enabled(features.StructuredAuthorizationConfiguration)) + _, errs := compileMatchConditions(compiler, c.MatchConditions, fldPath) allErrs = append(allErrs, errs...) return allErrs @@ -772,15 +772,11 @@ func ValidateWebhookConfiguration(compiler authorizationcel.Compiler, fldPath *f // ValidateAndCompileMatchConditions validates a given webhook's matchConditions. // This is exported for use in authz package. func ValidateAndCompileMatchConditions(compiler authorizationcel.Compiler, matchConditions []api.WebhookMatchCondition) (*authorizationcel.CELMatcher, field.ErrorList) { - return compileMatchConditions(compiler, matchConditions, nil, utilfeature.DefaultFeatureGate.Enabled(features.StructuredAuthorizationConfiguration)) + return compileMatchConditions(compiler, matchConditions, nil) } -func compileMatchConditions(compiler authorizationcel.Compiler, matchConditions []api.WebhookMatchCondition, fldPath *field.Path, structuredAuthzFeatureEnabled bool) (*authorizationcel.CELMatcher, field.ErrorList) { +func compileMatchConditions(compiler authorizationcel.Compiler, matchConditions []api.WebhookMatchCondition, fldPath *field.Path) (*authorizationcel.CELMatcher, field.ErrorList) { var allErrs field.ErrorList - // should fail when match conditions are used without feature enabled - if len(matchConditions) > 0 && !structuredAuthzFeatureEnabled { - allErrs = append(allErrs, field.Invalid(fldPath.Child("matchConditions"), "", "not supported when StructuredAuthorizationConfiguration feature gate is disabled")) - } if len(matchConditions) > 64 { allErrs = append(allErrs, field.TooMany(fldPath.Child("matchConditions"), len(matchConditions), 64)) return nil, allErrs diff --git a/staging/src/k8s.io/apiserver/pkg/features/kube_features.go b/staging/src/k8s.io/apiserver/pkg/features/kube_features.go index d839203a0d2..c9239068330 100644 --- a/staging/src/k8s.io/apiserver/pkg/features/kube_features.go +++ b/staging/src/k8s.io/apiserver/pkg/features/kube_features.go @@ -241,12 +241,6 @@ const ( // Enables JWKs metrics for Structured Authentication Configuration StructuredAuthenticationConfigurationJWKSMetrics featuregate.Feature = "StructuredAuthenticationConfigurationJWKSMetrics" - // owner: @palnabarun - // kep: https://kep.k8s.io/3221 - // - // Enables Structured Authorization Configuration - StructuredAuthorizationConfiguration featuregate.Feature = "StructuredAuthorizationConfiguration" - // owner: @aramase // // Enables validation of service account UID in TokenRequest API. @@ -467,12 +461,6 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate {Version: version.MustParse("1.35"), Default: true, PreRelease: featuregate.Beta}, }, - StructuredAuthorizationConfiguration: { - {Version: version.MustParse("1.29"), Default: false, PreRelease: featuregate.Alpha}, - {Version: version.MustParse("1.30"), Default: true, PreRelease: featuregate.Beta}, - {Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, - }, - TokenRequestServiceAccountUIDValidation: { {Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.Beta}, }, diff --git a/staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook.go b/staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook.go index 3df8e580e44..65bf08ee59a 100644 --- a/staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook.go +++ b/staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook.go @@ -204,21 +204,18 @@ func (w *WebhookAuthorizer) Authorize(ctx context.Context, attr authorizer.Attri Verb: attr.GetVerb(), } } - // skipping match when feature is not enabled - if utilfeature.DefaultFeatureGate.Enabled(genericfeatures.StructuredAuthorizationConfiguration) { - // Process Match Conditions before calling the webhook - matches, err := w.match(ctx, r) - // If at least one matchCondition evaluates to an error (but none are FALSE): - // If failurePolicy=Deny, then the webhook rejects the request - // If failurePolicy=NoOpinion, then the error is ignored and the webhook is skipped - if err != nil { - return w.decisionOnError, "", err - } - // If at least one matchCondition successfully evaluates to FALSE, - // then the webhook is skipped. - if !matches { - return authorizer.DecisionNoOpinion, "", nil - } + // Process Match Conditions before calling the webhook + matches, err := w.match(ctx, r) + // If at least one matchCondition evaluates to an error (but none are FALSE): + // If failurePolicy=Deny, then the webhook rejects the request + // If failurePolicy=NoOpinion, then the error is ignored and the webhook is skipped + if err != nil { + return w.decisionOnError, "", err + } + // If at least one matchCondition successfully evaluates to FALSE, + // then the webhook is skipped. + if !matches { + return authorizer.DecisionNoOpinion, "", nil } // If all evaluated successfully and ALL matchConditions evaluate to TRUE, // then the webhook is called. diff --git a/test/compatibility_lifecycle/reference/feature_list.md b/test/compatibility_lifecycle/reference/feature_list.md index b6aebdea610..075ed8e282a 100644 --- a/test/compatibility_lifecycle/reference/feature_list.md +++ b/test/compatibility_lifecycle/reference/feature_list.md @@ -191,7 +191,6 @@ | StructuredAuthenticationConfiguration | :ballot_box_with_check: 1.30+ | :closed_lock_with_key: 1.34+ | 1.29 | 1.30–1.33 | 1.34– | | | [code](https://cs.k8s.io/?q=%5CbStructuredAuthenticationConfiguration%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbStructuredAuthenticationConfiguration%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) | | StructuredAuthenticationConfigurationEgressSelector | :ballot_box_with_check: 1.34+ | | | 1.34– | | | StructuredAuthenticationConfiguration | [code](https://cs.k8s.io/?q=%5CbStructuredAuthenticationConfigurationEgressSelector%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbStructuredAuthenticationConfigurationEgressSelector%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) | | StructuredAuthenticationConfigurationJWKSMetrics | :ballot_box_with_check: 1.35+ | | | 1.35– | | | StructuredAuthenticationConfiguration | [code](https://cs.k8s.io/?q=%5CbStructuredAuthenticationConfigurationJWKSMetrics%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbStructuredAuthenticationConfigurationJWKSMetrics%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) | -| StructuredAuthorizationConfiguration | :ballot_box_with_check: 1.30+ | :closed_lock_with_key: 1.32+ | 1.29 | 1.30–1.31 | 1.32– | | | [code](https://cs.k8s.io/?q=%5CbStructuredAuthorizationConfiguration%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbStructuredAuthorizationConfiguration%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) | | SupplementalGroupsPolicy | :ballot_box_with_check: 1.33+ | :closed_lock_with_key: 1.35+ | 1.31–1.32 | 1.33–1.34 | 1.35– | | | [code](https://cs.k8s.io/?q=%5CbSupplementalGroupsPolicy%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbSupplementalGroupsPolicy%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) | | SystemdWatchdog | :ballot_box_with_check: 1.32+ | :closed_lock_with_key: 1.35+ | | 1.32–1.34 | 1.35– | | | [code](https://cs.k8s.io/?q=%5CbSystemdWatchdog%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbSystemdWatchdog%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) | | TaintTolerationComparisonOperators | | | 1.35– | | | | | [code](https://cs.k8s.io/?q=%5CbTaintTolerationComparisonOperators%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbTaintTolerationComparisonOperators%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) | diff --git a/test/compatibility_lifecycle/reference/versioned_feature_list.yaml b/test/compatibility_lifecycle/reference/versioned_feature_list.yaml index f9a26101ad8..ccee2feba3c 100644 --- a/test/compatibility_lifecycle/reference/versioned_feature_list.yaml +++ b/test/compatibility_lifecycle/reference/versioned_feature_list.yaml @@ -1791,20 +1791,6 @@ lockToDefault: false preRelease: Beta version: "1.35" -- name: StructuredAuthorizationConfiguration - versionedSpecs: - - default: false - lockToDefault: false - preRelease: Alpha - version: "1.29" - - default: true - lockToDefault: false - preRelease: Beta - version: "1.30" - - default: true - lockToDefault: true - preRelease: GA - version: "1.32" - name: SupplementalGroupsPolicy versionedSpecs: - default: false