diff --git a/pkg/features/versioned_kube_features.go b/pkg/features/versioned_kube_features.go
index d8330c6a8d4..5f49f6b3f47 100644
--- a/pkg/features/versioned_kube_features.go
+++ b/pkg/features/versioned_kube_features.go
@@ -694,24 +694,25 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 ServiceAccountTokenJTI: {
 {Version: version.MustParse("1.29"), Default: false, PreRelease: featuregate.Alpha},
 {Version: version.MustParse("1.30"), Default: true, PreRelease: featuregate.Beta},
- {Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.34
+ {Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.GA, LockToDefault: true},
 },
 ServiceAccountTokenNodeBinding: {
 {Version: version.MustParse("1.29"), Default: false, PreRelease: featuregate.Alpha},
 {Version: version.MustParse("1.31"), Default: true, PreRelease: featuregate.Beta},
+ {Version: version.MustParse("1.33"), Default: true, PreRelease: featuregate.GA, LockToDefault: true},
 },
 ServiceAccountTokenNodeBindingValidation: {
 {Version: version.MustParse("1.29"), Default: false, PreRelease: featuregate.Alpha},
 {Version: version.MustParse("1.30"), Default: true, PreRelease: featuregate.Beta},
- {Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.34
+ {Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.GA, LockToDefault: true},
 },
 ServiceAccountTokenPodNodeInfo: {
 {Version: version.MustParse("1.29"), Default: false, PreRelease: featuregate.Alpha},
 {Version: version.MustParse("1.30"), Default: true, PreRelease: featuregate.Beta},
- {Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.34
+ {Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.GA, LockToDefault: true},
 },
 ServiceTrafficDistribution: {
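Review bot: The new GA entry for `ServiceAccountTokenNodeBinding` (1.33, `LockToDefault: true`) carries no lifecycle comment, and this hunk also deletes the `// remove in 1.34` markers from `ServiceAccountTokenJTI`, `ServiceAccountTokenNodeBindingValidation` and `ServiceAccountTokenPodNodeInfo` without a replacement. Once the gate is locked, node binding can only be switched off under an emulated older version, which is what the integration test in this commit does with 1.32, so these entries presumably have to stay while that emulation is supported. I would record that on each GA line, for example `// GA and locked to default; keep while a version that can still disable it is emulable`, so the removal point is not left undocumented. The map literal begins and ends outside the hunk.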
diff --git a/pkg/serviceaccount/claims_test.go b/pkg/serviceaccount/claims_test.go
index 3cc869f4ff0..7347c123c91 100644
--- a/pkg/serviceaccount/claims_test.go
+++ b/pkg/serviceaccount/claims_test.go
@@ -29,10 +29,7 @@ import (
 apierrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime/schema"
- utilfeature "k8s.io/apiserver/pkg/util/feature"
- featuregatetesting "k8s.io/component-base/featuregate/testing"
 "k8s.io/kubernetes/pkg/apis/core"
- "k8s.io/kubernetes/pkg/features"
 )
 func init() {
@@ -88,8 +85,6 @@ func TestClaims(t *testing.T) {
 // desired
 sc *jwt.Claims
 pc *privateClaims
-
- featureNodeBinding bool
 }{
 {
 // pod and secret
@@ -196,22 +191,10 @@ func TestClaims(t *testing.T) {
 },
 },
 },
- {
- // node with feature gate disabled
- sa: sa,
- node: node,
- // really fast
- exp: 0,
- // nil audience
- aud: nil,
- err: "token bound to Node object requested, but \"ServiceAccountTokenNodeBinding\" feature gate is disabled",
- },
 {
 // node alone
 sa: sa,
 node: node,
- // enable node binding feature
- featureNodeBinding: true,
 // really fast
 exp: 0,
 // nil audience
@@ -263,8 +246,6 @@ func TestClaims(t *testing.T) {
 sa: sa,
 sec: sec,
 node: node,
- // enable embedding node info feature
- featureNodeBinding: true,
 // really fast
 exp: 0,
 // nil audience
@@ -293,18 +274,6 @@ func TestClaims(t *testing.T) {
 },
 },
 },
- {
- // ensure it fails if node binding gate is disabled
- sa: sa,
- node: node,
- featureNodeBinding: false,
- // really fast
- exp: 0,
- // nil audience
- aud: nil,
-
- err: "token bound to Node object requested, but \"ServiceAccountTokenNodeBinding\" feature gate is disabled",
- },
 }
 for i, c := range cs {
 t.Run(fmt.Sprintf("case %d", i), func(t *testing.T) {
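Review bot: Deleting both gate-disabled cases (the `@@ -196` and `@@ -293` hunks) leaves TestClaims with no case that expects the "token bound to Node object requested" error, although the integration test changed in this commit still reaches that rejection by emulating 1.32. claims.go is not part of the visible diff, so if `Claims` keeps the gate check, the rejection path is now covered only at integration level. I would keep one negative case in its own subtest that calls `featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParseMajorMinor("1.32"))` before disabling the gate. Separately, the context line `if err != nil && err.Error() != c.err` in the `@@ -319` hunk only fires when an error is returned, so as far as the visible lines show, a case with a non-empty `c.err` passes when `Claims` returns nil; comparing against `c.err` unconditionally would close that gap.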
@@ -319,9 +288,6 @@ func TestClaims(t *testing.T) {
 return string(b)
 }
- // set feature flags for the duration of the test case
- featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ServiceAccountTokenNodeBinding, c.featureNodeBinding)
-
 sc, pc, err := Claims(c.sa, c.pod, c.sec, c.node, c.exp, c.warnafter, c.aud)
 if err != nil && err.Error() != c.err {
 t.Errorf("expected error %q but got: %v", c.err, err)
diff --git a/test/featuregates_linter/test_data/versioned_feature_list.yaml b/test/featuregates_linter/test_data/versioned_feature_list.yaml
index 3256e19b642..33f350f70d6 100644
--- a/test/featuregates_linter/test_data/versioned_feature_list.yaml
+++ b/test/featuregates_linter/test_data/versioned_feature_list.yaml
@@ -1206,6 +1206,10 @@
 lockToDefault: false
 preRelease: Beta
 version: "1.31"
+ - default: true
+ lockToDefault: true
+ preRelease: GA
+ version: "1.33"
 - name: ServiceAccountTokenNodeBindingValidation
 versionedSpecs:
 - default: false
diff --git a/test/integration/auth/svcaccttoken_test.go b/test/integration/auth/svcaccttoken_test.go
index 656f3708115..9845ae6c831 100644
--- a/test/integration/auth/svcaccttoken_test.go
+++ b/test/integration/auth/svcaccttoken_test.go
@@ -40,6 +40,7 @@ import (
 v1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/types"
+ "k8s.io/apimachinery/pkg/util/version"
 "k8s.io/apiserver/pkg/authentication/authenticator"
 apiserverserviceaccount "k8s.io/apiserver/pkg/authentication/serviceaccount"
 "k8s.io/apiserver/pkg/authentication/user"
@@ -136,12 +137,6 @@ func TestServiceAccountTokenCreate(t *testing.T) {
 tCtx := ktesting.Init(t)
- // Enable the node token improvements feature gates prior to starting the apiserver, as the node getter is
- // conditionally passed to the service account token generator based on feature enablement.
- featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ServiceAccountTokenNodeBinding, true)
- featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ServiceAccountTokenPodNodeInfo, true)
- featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ServiceAccountTokenNodeBindingValidation, true)
-
 // Start the server
 var serverAddress string
 kubeClient, kubeConfig, tearDownFn := framework.StartTestServer(tCtx, t, framework.TestServerSetup{
@@ -475,7 +470,8 @@ func TestServiceAccountTokenCreate(t *testing.T) {
 t.Run("bound to service account and a pod with an assigned nodeName", testPodWithAssignedNode(node))
 t.Run("fails to bind to a Node if the feature gate is disabled", func(t *testing.T) {
- // Disable node binding
+ // Disable node binding, emulating 1.32
+ featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParseMajorMinor("1.32"))
 featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ServiceAccountTokenNodeBinding, false)
 // Create ServiceAccount and Node objects
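Review bot: `SetFeatureGateEmulationVersionDuringTest` in the `@@ -475` hunk changes the emulation version on the process-wide `utilfeature.DefaultFeatureGate` after the test apiserver has already been started, so for this subtest presumably every versioned gate, not only `ServiceAccountTokenNodeBinding`, takes its 1.32 state. The comment removed in the `@@ -136` hunk said the node getter is handed to the token generator at server start depending on gate state, so the subtest can only exercise the request-time check, and that is worth saying in the comment. I would expand the new comment to `// ServiceAccountTokenNodeBinding is GA and locked on in 1.33; emulate 1.32 so the gate can still be disabled. Affects the shared gate: do not run in parallel.` The subtest body continues outside the hunk.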