Rename kubelet CSR admission feature gate

Retitle the feature to the affirmative ("AllowInsecure...=false") instead of a
double-negative ("Disable$NEWTHING...=false") for clarity

Signed-off-by: Micah Hausler <mhausler@amazon.com>
Micah Hausler 2024-07-29 09:58:26 -05:00
parent 7a4c962341
commit a7af830209
3 changed files with 10 additions and 9 deletions


@ -228,9 +228,10 @@ const (
// owner: @micahhausler // owner: @micahhausler
// Deprecated: v1.31 // Deprecated: v1.31
// //
// Disable Node Admission plugin validation of CSRs for kubelet signers where CN=system:node:$nodeName. // Setting AllowInsecureKubeletCertificateSigningRequests to true disables node admission validation of CSRs
// for kubelet signers where CN=system:node:$nodeName.
// Remove in v1.33 // Remove in v1.33
DisableKubeletCSRAdmissionValidation featuregate.Feature = "DisableKubeletCSRAdmissionValidation" AllowInsecureKubeletCertificateSigningRequests featuregate.Feature = "AllowInsecureKubeletCertificateSigningRequests"
// owner: @HirazawaUi // owner: @HirazawaUi
// kep: http://kep.k8s.io/4004 // kep: http://kep.k8s.io/4004
@ -1326,7 +1327,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
// ... // ...
HPAScaleToZero: {Default: false, PreRelease: featuregate.Alpha}, HPAScaleToZero: {Default: false, PreRelease: featuregate.Alpha},
DisableKubeletCSRAdmissionValidation: {Default: false, PreRelease: featuregate.Deprecated}, // remove in 1.33 AllowInsecureKubeletCertificateSigningRequests: {Default: false, PreRelease: featuregate.Deprecated}, // remove in 1.33
StorageNamespaceIndex: {Default: true, PreRelease: featuregate.Beta}, StorageNamespaceIndex: {Default: true, PreRelease: featuregate.Beta},
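Review bot: The old name `DisableKubeletCSRAdmissionValidation` is removed from both the `const` block and `defaultKubernetesFeatureGates` with no transitional entry, so a component started with `--feature-gates=DisableKubeletCSRAdmissionValidation=true` would no longer have that gate registered. The page does not show whether the old name ever reached a release or a published workaround; if it did, the rename needs a release note or a temporary alias. Separately, the new doc comment could say what the validation protects, for example `// Insecure: with validation off, the node admission plugin no longer checks kubelet-signer CSRs whose CN is system:node:$nodeName.`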


@ -74,9 +74,9 @@ type Plugin struct {
podsGetter corev1lister.PodLister podsGetter corev1lister.PodLister
nodesGetter corev1lister.NodeLister nodesGetter corev1lister.NodeLister
expansionRecoveryEnabled bool expansionRecoveryEnabled bool
dynamicResourceAllocationEnabled bool dynamicResourceAllocationEnabled bool
kubeletCSRAdmissionValidationDisabled bool allowInsecureKubeletCertificateSigningRequests bool
} }
var ( var (
@ -89,7 +89,7 @@ var (
func (p *Plugin) InspectFeatureGates(featureGates featuregate.FeatureGate) { func (p *Plugin) InspectFeatureGates(featureGates featuregate.FeatureGate) {
p.expansionRecoveryEnabled = featureGates.Enabled(features.RecoverVolumeExpansionFailure) p.expansionRecoveryEnabled = featureGates.Enabled(features.RecoverVolumeExpansionFailure)
p.dynamicResourceAllocationEnabled = featureGates.Enabled(features.DynamicResourceAllocation) p.dynamicResourceAllocationEnabled = featureGates.Enabled(features.DynamicResourceAllocation)
p.kubeletCSRAdmissionValidationDisabled = featureGates.Enabled(features.DisableKubeletCSRAdmissionValidation) p.allowInsecureKubeletCertificateSigningRequests = featureGates.Enabled(features.AllowInsecureKubeletCertificateSigningRequests)
} }
// SetExternalKubeInformerFactory registers an informer factory into Plugin // SetExternalKubeInformerFactory registers an informer factory into Plugin
@ -176,7 +176,7 @@ func (p *Plugin) Admit(ctx context.Context, a admission.Attributes, o admission.
return p.admitResourceSlice(nodeName, a) return p.admitResourceSlice(nodeName, a)
case csrResource: case csrResource:
if p.kubeletCSRAdmissionValidationDisabled { if p.allowInsecureKubeletCertificateSigningRequests {
return nil return nil
} }
return p.admitCSR(nodeName, a) return p.admitCSR(nodeName, a)
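Review bot: In the `csrResource` case of `Admit`, the early `return nil` skips `admitCSR` without leaving any trace, so nothing on the API server side shows that kubelet CSR validation is switched off. Now that the field is named `allowInsecureKubeletCertificateSigningRequests`, a comment above the check such as `// Insecure opt-out: skips admitCSR; goes away with the gate in v1.33.` would make the fail-open branch obvious. A one-time warning log in `InspectFeatureGates` when the gate is enabled would also give operators something to alert on. `Admit` starts and ends outside this hunk, so any logging it already does elsewhere is not visible here.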


@ -1278,7 +1278,7 @@ func Test_nodePlugin_Admit(t *testing.T) {
features: feature.DefaultFeatureGate, features: feature.DefaultFeatureGate,
setupFunc: func(t *testing.T) { setupFunc: func(t *testing.T) {
t.Helper() t.Helper()
featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.DisableKubeletCSRAdmissionValidation, true) featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.AllowInsecureKubeletCertificateSigningRequests, true)
}, },
}, },
{ {