Merge pull request #129591 from liggitt/node-binding-ga
KEP-4193: Promote ServiceAccountTokenNodeBinding to GA
commit
c9f695138b
@ -694,24 +694,25 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
|
|||||||
ServiceAccountTokenJTI: {
|
ServiceAccountTokenJTI: {
|
||||||
{Version: version.MustParse("1.29"), Default: false, PreRelease: featuregate.Alpha},
|
{Version: version.MustParse("1.29"), Default: false, PreRelease: featuregate.Alpha},
|
||||||
{Version: version.MustParse("1.30"), Default: true, PreRelease: featuregate.Beta},
|
{Version: version.MustParse("1.30"), Default: true, PreRelease: featuregate.Beta},
|
||||||
{Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.34
|
{Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.GA, LockToDefault: true},
|
||||||
},
|
},
|
||||||
|
|
||||||
ServiceAccountTokenNodeBinding: {
|
ServiceAccountTokenNodeBinding: {
|
||||||
{Version: version.MustParse("1.29"), Default: false, PreRelease: featuregate.Alpha},
|
{Version: version.MustParse("1.29"), Default: false, PreRelease: featuregate.Alpha},
|
||||||
{Version: version.MustParse("1.31"), Default: true, PreRelease: featuregate.Beta},
|
{Version: version.MustParse("1.31"), Default: true, PreRelease: featuregate.Beta},
|
||||||
|
{Version: version.MustParse("1.33"), Default: true, PreRelease: featuregate.GA, LockToDefault: true},
|
||||||
},
|
},
|
||||||
|
|
||||||
ServiceAccountTokenNodeBindingValidation: {
|
ServiceAccountTokenNodeBindingValidation: {
|
||||||
{Version: version.MustParse("1.29"), Default: false, PreRelease: featuregate.Alpha},
|
{Version: version.MustParse("1.29"), Default: false, PreRelease: featuregate.Alpha},
|
||||||
{Version: version.MustParse("1.30"), Default: true, PreRelease: featuregate.Beta},
|
{Version: version.MustParse("1.30"), Default: true, PreRelease: featuregate.Beta},
|
||||||
{Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.34
|
{Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.GA, LockToDefault: true},
|
||||||
},
|
},
|
||||||
|
|
||||||
ServiceAccountTokenPodNodeInfo: {
|
ServiceAccountTokenPodNodeInfo: {
|
||||||
{Version: version.MustParse("1.29"), Default: false, PreRelease: featuregate.Alpha},
|
{Version: version.MustParse("1.29"), Default: false, PreRelease: featuregate.Alpha},
|
||||||
{Version: version.MustParse("1.30"), Default: true, PreRelease: featuregate.Beta},
|
{Version: version.MustParse("1.30"), Default: true, PreRelease: featuregate.Beta},
|
||||||
{Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.34
|
{Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.GA, LockToDefault: true},
|
||||||
},
|
},
|
||||||
|
|
||||||
ServiceTrafficDistribution: {
|
ServiceTrafficDistribution: {
|
||||||
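Review bot: The three `// remove in 1.34` comments dropped from the GA entries of ServiceAccountTokenJTI, ServiceAccountTokenNodeBindingValidation and ServiceAccountTokenPodNodeInfo are unrelated to the NodeBinding promotion, and nothing on the page says why they go or what replaces them. If the reason is that a locked gate must stay registered while an older release can still be emulated (the integration test in this commit emulates 1.32 to turn NodeBinding off), one comment above these entries would record that, for example `// GA-locked gates stay registered until no supported emulation version predates their GA release`. The new 1.33 entry for ServiceAccountTokenNodeBinding has the same gap, because a reader cannot tell when it is safe to delete. The map literal starts and ends outside the hunk.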
|
@ -29,10 +29,7 @@ import (
|
|||||||
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||||
utilfeature "k8s.io/apiserver/pkg/util/feature"
|
|
||||||
featuregatetesting "k8s.io/component-base/featuregate/testing"
|
|
||||||
"k8s.io/kubernetes/pkg/apis/core"
|
"k8s.io/kubernetes/pkg/apis/core"
|
||||||
"k8s.io/kubernetes/pkg/features"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
func init() {
|
func init() {
|
||||||
@ -88,8 +85,6 @@ func TestClaims(t *testing.T) {
|
|||||||
// desired
|
// desired
|
||||||
sc *jwt.Claims
|
sc *jwt.Claims
|
||||||
pc *privateClaims
|
pc *privateClaims
|
||||||
|
|
||||||
featureNodeBinding bool
|
|
||||||
}{
|
}{
|
||||||
{
|
{
|
||||||
// pod and secret
|
// pod and secret
|
||||||
@ -196,22 +191,10 @@ func TestClaims(t *testing.T) {
|
|||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
|
||||||
// node with feature gate disabled
|
|
||||||
sa: sa,
|
|
||||||
node: node,
|
|
||||||
// really fast
|
|
||||||
exp: 0,
|
|
||||||
// nil audience
|
|
||||||
aud: nil,
|
|
||||||
err: "token bound to Node object requested, but \"ServiceAccountTokenNodeBinding\" feature gate is disabled",
|
|
||||||
},
|
|
||||||
{
|
{
|
||||||
// node alone
|
// node alone
|
||||||
sa: sa,
|
sa: sa,
|
||||||
node: node,
|
node: node,
|
||||||
// enable node binding feature
|
|
||||||
featureNodeBinding: true,
|
|
||||||
// really fast
|
// really fast
|
||||||
exp: 0,
|
exp: 0,
|
||||||
// nil audience
|
// nil audience
|
||||||
@ -263,8 +246,6 @@ func TestClaims(t *testing.T) {
|
|||||||
sa: sa,
|
sa: sa,
|
||||||
sec: sec,
|
sec: sec,
|
||||||
node: node,
|
node: node,
|
||||||
// enable embedding node info feature
|
|
||||||
featureNodeBinding: true,
|
|
||||||
// really fast
|
// really fast
|
||||||
exp: 0,
|
exp: 0,
|
||||||
// nil audience
|
// nil audience
|
||||||
@ -293,18 +274,6 @@ func TestClaims(t *testing.T) {
|
|||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
|
||||||
// ensure it fails if node binding gate is disabled
|
|
||||||
sa: sa,
|
|
||||||
node: node,
|
|
||||||
featureNodeBinding: false,
|
|
||||||
// really fast
|
|
||||||
exp: 0,
|
|
||||||
// nil audience
|
|
||||||
aud: nil,
|
|
||||||
|
|
||||||
err: "token bound to Node object requested, but \"ServiceAccountTokenNodeBinding\" feature gate is disabled",
|
|
||||||
},
|
|
||||||
}
|
}
|
||||||
for i, c := range cs {
|
for i, c := range cs {
|
||||||
t.Run(fmt.Sprintf("case %d", i), func(t *testing.T) {
|
t.Run(fmt.Sprintf("case %d", i), func(t *testing.T) {
|
||||||
@ -319,9 +288,6 @@ func TestClaims(t *testing.T) {
|
|||||||
return string(b)
|
return string(b)
|
||||||
}
|
}
|
||||||
|
|
||||||
// set feature flags for the duration of the test case
|
|
||||||
featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ServiceAccountTokenNodeBinding, c.featureNodeBinding)
|
|
||||||
|
|
||||||
sc, pc, err := Claims(c.sa, c.pod, c.sec, c.node, c.exp, c.warnafter, c.aud)
|
sc, pc, err := Claims(c.sa, c.pod, c.sec, c.node, c.exp, c.warnafter, c.aud)
|
||||||
if err != nil && err.Error() != c.err {
|
if err != nil && err.Error() != c.err {
|
||||||
t.Errorf("expected error %q but got: %v", c.err, err)
|
t.Errorf("expected error %q but got: %v", c.err, err)
|
||||||
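Review bot: With both disabled-gate cases removed from `cs`, TestClaims no longer exercises the rejection of a node-bound token request, yet the integration test in this commit shows the gate can still be switched off when 1.32 is emulated. If `Claims` keeps that check (its body is not on this page), retaining one case that emulates 1.32 and disables the gate would keep unit-level coverage of the error string. Separately, the context line `if err != nil && err.Error() != c.err` lets a case pass when an error is expected but none is returned. `if (err == nil && c.err != "") || (err != nil && err.Error() != c.err)` would catch that, unless a later check outside the hunk already does. TestClaims starts and ends outside these hunks.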
|
@ -1206,6 +1206,10 @@
|
|||||||
lockToDefault: false
|
lockToDefault: false
|
||||||
preRelease: Beta
|
preRelease: Beta
|
||||||
version: "1.31"
|
version: "1.31"
|
||||||
|
- default: true
|
||||||
|
lockToDefault: true
|
||||||
|
preRelease: GA
|
||||||
|
version: "1.33"
|
||||||
- name: ServiceAccountTokenNodeBindingValidation
|
- name: ServiceAccountTokenNodeBindingValidation
|
||||||
versionedSpecs:
|
versionedSpecs:
|
||||||
- default: false
|
- default: false
|
||||||
|
@ -40,6 +40,7 @@ import (
|
|||||||
v1 "k8s.io/api/core/v1"
|
v1 "k8s.io/api/core/v1"
|
||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
"k8s.io/apimachinery/pkg/types"
|
"k8s.io/apimachinery/pkg/types"
|
||||||
|
"k8s.io/apimachinery/pkg/util/version"
|
||||||
"k8s.io/apiserver/pkg/authentication/authenticator"
|
"k8s.io/apiserver/pkg/authentication/authenticator"
|
||||||
apiserverserviceaccount "k8s.io/apiserver/pkg/authentication/serviceaccount"
|
apiserverserviceaccount "k8s.io/apiserver/pkg/authentication/serviceaccount"
|
||||||
"k8s.io/apiserver/pkg/authentication/user"
|
"k8s.io/apiserver/pkg/authentication/user"
|
||||||
@ -136,12 +137,6 @@ func TestServiceAccountTokenCreate(t *testing.T) {
|
|||||||
|
|
||||||
tCtx := ktesting.Init(t)
|
tCtx := ktesting.Init(t)
|
||||||
|
|
||||||
// Enable the node token improvements feature gates prior to starting the apiserver, as the node getter is
|
|
||||||
// conditionally passed to the service account token generator based on feature enablement.
|
|
||||||
featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ServiceAccountTokenNodeBinding, true)
|
|
||||||
featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ServiceAccountTokenPodNodeInfo, true)
|
|
||||||
featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ServiceAccountTokenNodeBindingValidation, true)
|
|
||||||
|
|
||||||
// Start the server
|
// Start the server
|
||||||
var serverAddress string
|
var serverAddress string
|
||||||
kubeClient, kubeConfig, tearDownFn := framework.StartTestServer(tCtx, t, framework.TestServerSetup{
|
kubeClient, kubeConfig, tearDownFn := framework.StartTestServer(tCtx, t, framework.TestServerSetup{
|
||||||
@ -475,7 +470,8 @@ func TestServiceAccountTokenCreate(t *testing.T) {
|
|||||||
t.Run("bound to service account and a pod with an assigned nodeName", testPodWithAssignedNode(node))
|
t.Run("bound to service account and a pod with an assigned nodeName", testPodWithAssignedNode(node))
|
||||||
|
|
||||||
t.Run("fails to bind to a Node if the feature gate is disabled", func(t *testing.T) {
|
t.Run("fails to bind to a Node if the feature gate is disabled", func(t *testing.T) {
|
||||||
// Disable node binding
|
// Disable node binding, emulating 1.32
|
||||||
|
featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParseMajorMinor("1.32"))
|
||||||
featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ServiceAccountTokenNodeBinding, false)
|
featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ServiceAccountTokenNodeBinding, false)
|
||||||
|
|
||||||
// Create ServiceAccount and Node objects
|
// Create ServiceAccount and Node objects
|
||||||
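Review bot: The comment `// Disable node binding, emulating 1.32` in the "fails to bind to a Node if the feature gate is disabled" subtest does not say why emulation is needed or when the subtest can be deleted. The gate table in this commit locks the gate on from 1.33, so I would expand it to `// ServiceAccountTokenNodeBinding is GA and locked on from 1.33; emulate 1.32 so the gate can still be disabled. Remove this subtest once 1.32 can no longer be emulated.` It is also worth confirming that the emulation-version override is undone before later subtests run, since it changes the shared `utilfeature.DefaultFeatureGate` after the API server was started. The helper's name suggests it restores the value when the subtest ends, but that is not visible here. The subtest body continues outside the hunk.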
|