mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-24 20:24:09 +00:00
Rename kubelet CSR admission feature gate
Retitle the feature to the affirmative ("AllowInsecure...=false") instead of a double-negative ("Disable$NEWTHING...=false") for clarity Signed-off-by: Micah Hausler <mhausler@amazon.com>
This commit is contained in:
parent
7a4c962341
commit
a7af830209
@ -228,9 +228,10 @@ const (
|
|||||||
// owner: @micahhausler
|
// owner: @micahhausler
|
||||||
// Deprecated: v1.31
|
// Deprecated: v1.31
|
||||||
//
|
//
|
||||||
// Disable Node Admission plugin validation of CSRs for kubelet signers where CN=system:node:$nodeName.
|
// Setting AllowInsecureKubeletCertificateSigningRequests to true disables node admission validation of CSRs
|
||||||
|
// for kubelet signers where CN=system:node:$nodeName.
|
||||||
// Remove in v1.33
|
// Remove in v1.33
|
||||||
DisableKubeletCSRAdmissionValidation featuregate.Feature = "DisableKubeletCSRAdmissionValidation"
|
AllowInsecureKubeletCertificateSigningRequests featuregate.Feature = "AllowInsecureKubeletCertificateSigningRequests"
|
||||||
|
|
||||||
// owner: @HirazawaUi
|
// owner: @HirazawaUi
|
||||||
// kep: http://kep.k8s.io/4004
|
// kep: http://kep.k8s.io/4004
|
||||||
@ -1326,7 +1327,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
|
|||||||
// ...
|
// ...
|
||||||
HPAScaleToZero: {Default: false, PreRelease: featuregate.Alpha},
|
HPAScaleToZero: {Default: false, PreRelease: featuregate.Alpha},
|
||||||
|
|
||||||
DisableKubeletCSRAdmissionValidation: {Default: false, PreRelease: featuregate.Deprecated}, // remove in 1.33
|
AllowInsecureKubeletCertificateSigningRequests: {Default: false, PreRelease: featuregate.Deprecated}, // remove in 1.33
|
||||||
|
|
||||||
StorageNamespaceIndex: {Default: true, PreRelease: featuregate.Beta},
|
StorageNamespaceIndex: {Default: true, PreRelease: featuregate.Beta},
|
||||||
|
|
||||||
|
@ -74,9 +74,9 @@ type Plugin struct {
|
|||||||
podsGetter corev1lister.PodLister
|
podsGetter corev1lister.PodLister
|
||||||
nodesGetter corev1lister.NodeLister
|
nodesGetter corev1lister.NodeLister
|
||||||
|
|
||||||
expansionRecoveryEnabled bool
|
expansionRecoveryEnabled bool
|
||||||
dynamicResourceAllocationEnabled bool
|
dynamicResourceAllocationEnabled bool
|
||||||
kubeletCSRAdmissionValidationDisabled bool
|
allowInsecureKubeletCertificateSigningRequests bool
|
||||||
}
|
}
|
||||||
|
|
||||||
var (
|
var (
|
||||||
@ -89,7 +89,7 @@ var (
|
|||||||
func (p *Plugin) InspectFeatureGates(featureGates featuregate.FeatureGate) {
|
func (p *Plugin) InspectFeatureGates(featureGates featuregate.FeatureGate) {
|
||||||
p.expansionRecoveryEnabled = featureGates.Enabled(features.RecoverVolumeExpansionFailure)
|
p.expansionRecoveryEnabled = featureGates.Enabled(features.RecoverVolumeExpansionFailure)
|
||||||
p.dynamicResourceAllocationEnabled = featureGates.Enabled(features.DynamicResourceAllocation)
|
p.dynamicResourceAllocationEnabled = featureGates.Enabled(features.DynamicResourceAllocation)
|
||||||
p.kubeletCSRAdmissionValidationDisabled = featureGates.Enabled(features.DisableKubeletCSRAdmissionValidation)
|
p.allowInsecureKubeletCertificateSigningRequests = featureGates.Enabled(features.AllowInsecureKubeletCertificateSigningRequests)
|
||||||
}
|
}
|
||||||
|
|
||||||
// SetExternalKubeInformerFactory registers an informer factory into Plugin
|
// SetExternalKubeInformerFactory registers an informer factory into Plugin
|
||||||
@ -176,7 +176,7 @@ func (p *Plugin) Admit(ctx context.Context, a admission.Attributes, o admission.
|
|||||||
return p.admitResourceSlice(nodeName, a)
|
return p.admitResourceSlice(nodeName, a)
|
||||||
|
|
||||||
case csrResource:
|
case csrResource:
|
||||||
if p.kubeletCSRAdmissionValidationDisabled {
|
if p.allowInsecureKubeletCertificateSigningRequests {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
return p.admitCSR(nodeName, a)
|
return p.admitCSR(nodeName, a)
|
||||||
|
@ -1278,7 +1278,7 @@ func Test_nodePlugin_Admit(t *testing.T) {
|
|||||||
features: feature.DefaultFeatureGate,
|
features: feature.DefaultFeatureGate,
|
||||||
setupFunc: func(t *testing.T) {
|
setupFunc: func(t *testing.T) {
|
||||||
t.Helper()
|
t.Helper()
|
||||||
featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.DisableKubeletCSRAdmissionValidation, true)
|
featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.AllowInsecureKubeletCertificateSigningRequests, true)
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
Loading…
Reference in New Issue
Block a user