Merge pull request #129591 from liggitt/node-binding-ga
KEP-4193: Promote ServiceAccountTokenNodeBinding to GA
commit
c9f695138b
@ -694,24 +694,25 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
|
||||
ServiceAccountTokenJTI: {
|
||||
{Version: version.MustParse("1.29"), Default: false, PreRelease: featuregate.Alpha},
|
||||
{Version: version.MustParse("1.30"), Default: true, PreRelease: featuregate.Beta},
|
||||
{Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.34
|
||||
{Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.GA, LockToDefault: true},
|
||||
},
|
||||
|
||||
ServiceAccountTokenNodeBinding: {
|
||||
{Version: version.MustParse("1.29"), Default: false, PreRelease: featuregate.Alpha},
|
||||
{Version: version.MustParse("1.31"), Default: true, PreRelease: featuregate.Beta},
|
||||
{Version: version.MustParse("1.33"), Default: true, PreRelease: featuregate.GA, LockToDefault: true},
|
||||
},
|
||||
|
||||
ServiceAccountTokenNodeBindingValidation: {
|
||||
{Version: version.MustParse("1.29"), Default: false, PreRelease: featuregate.Alpha},
|
||||
{Version: version.MustParse("1.30"), Default: true, PreRelease: featuregate.Beta},
|
||||
{Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.34
|
||||
{Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.GA, LockToDefault: true},
|
||||
},
|
||||
|
||||
ServiceAccountTokenPodNodeInfo: {
|
||||
{Version: version.MustParse("1.29"), Default: false, PreRelease: featuregate.Alpha},
|
||||
{Version: version.MustParse("1.30"), Default: true, PreRelease: featuregate.Beta},
|
||||
{Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.34
|
||||
{Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.GA, LockToDefault: true},
|
||||
},
|
||||
|
||||
ServiceTrafficDistribution: {
|
||||
|
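Review bot: The new GA entry for `ServiceAccountTokenNodeBinding` (`version.MustParse("1.33")`, `LockToDefault: true`) carries no trailing comment naming the release in which the gate can be deleted, while the sibling GA entries in this hunk appear with `// remove in 1.34`. This rendering prints those sibling lines twice and does not show which copy is the new side, so treat the comparison as tentative. Locking the gate appears to mean that node-bound token issuance can no longer be switched off outside an emulated older version, so a removal marker helps whoever later deletes the remaining gate checks. I would append `// remove in <release>` to the 1.33 line, with the release filled in from the project's gate-removal policy. The map literal starts and ends outside the hunk.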
@ -29,10 +29,7 @@ import (
|
||||
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
utilfeature "k8s.io/apiserver/pkg/util/feature"
|
||||
featuregatetesting "k8s.io/component-base/featuregate/testing"
|
||||
"k8s.io/kubernetes/pkg/apis/core"
|
||||
"k8s.io/kubernetes/pkg/features"
|
||||
)
|
||||
|
||||
func init() {
|
||||
@ -88,8 +85,6 @@ func TestClaims(t *testing.T) {
|
||||
// desired
|
||||
sc *jwt.Claims
|
||||
pc *privateClaims
|
||||
|
||||
featureNodeBinding bool
|
||||
}{
|
||||
{
|
||||
// pod and secret
|
||||
@ -196,22 +191,10 @@ func TestClaims(t *testing.T) {
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
// node with feature gate disabled
|
||||
sa: sa,
|
||||
node: node,
|
||||
// really fast
|
||||
exp: 0,
|
||||
// nil audience
|
||||
aud: nil,
|
||||
err: "token bound to Node object requested, but \"ServiceAccountTokenNodeBinding\" feature gate is disabled",
|
||||
},
|
||||
{
|
||||
// node alone
|
||||
sa: sa,
|
||||
node: node,
|
||||
// enable node binding feature
|
||||
featureNodeBinding: true,
|
||||
// really fast
|
||||
exp: 0,
|
||||
// nil audience
|
||||
@ -263,8 +246,6 @@ func TestClaims(t *testing.T) {
|
||||
sa: sa,
|
||||
sec: sec,
|
||||
node: node,
|
||||
// enable embedding node info feature
|
||||
featureNodeBinding: true,
|
||||
// really fast
|
||||
exp: 0,
|
||||
// nil audience
|
||||
@ -293,18 +274,6 @@ func TestClaims(t *testing.T) {
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
// ensure it fails if node binding gate is disabled
|
||||
sa: sa,
|
||||
node: node,
|
||||
featureNodeBinding: false,
|
||||
// really fast
|
||||
exp: 0,
|
||||
// nil audience
|
||||
aud: nil,
|
||||
|
||||
err: "token bound to Node object requested, but \"ServiceAccountTokenNodeBinding\" feature gate is disabled",
|
||||
},
|
||||
}
|
||||
for i, c := range cs {
|
||||
t.Run(fmt.Sprintf("case %d", i), func(t *testing.T) {
|
||||
@ -319,9 +288,6 @@ func TestClaims(t *testing.T) {
|
||||
return string(b)
|
||||
}
|
||||
|
||||
// set feature flags for the duration of the test case
|
||||
featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ServiceAccountTokenNodeBinding, c.featureNodeBinding)
|
||||
|
||||
sc, pc, err := Claims(c.sa, c.pod, c.sec, c.node, c.exp, c.warnafter, c.aud)
|
||||
if err != nil && err.Error() != c.err {
|
||||
t.Errorf("expected error %q but got: %v", c.err, err)
|
||||
|
@ -1206,6 +1206,10 @@
|
||||
lockToDefault: false
|
||||
preRelease: Beta
|
||||
version: "1.31"
|
||||
- default: true
|
||||
lockToDefault: true
|
||||
preRelease: GA
|
||||
version: "1.33"
|
||||
- name: ServiceAccountTokenNodeBindingValidation
|
||||
versionedSpecs:
|
||||
- default: false
|
||||
|
@ -40,6 +40,7 @@ import (
|
||||
v1 "k8s.io/api/core/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/apimachinery/pkg/util/version"
|
||||
"k8s.io/apiserver/pkg/authentication/authenticator"
|
||||
apiserverserviceaccount "k8s.io/apiserver/pkg/authentication/serviceaccount"
|
||||
"k8s.io/apiserver/pkg/authentication/user"
|
||||
@ -136,12 +137,6 @@ func TestServiceAccountTokenCreate(t *testing.T) {
|
||||
|
||||
tCtx := ktesting.Init(t)
|
||||
|
||||
// Enable the node token improvements feature gates prior to starting the apiserver, as the node getter is
|
||||
// conditionally passed to the service account token generator based on feature enablement.
|
||||
featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ServiceAccountTokenNodeBinding, true)
|
||||
featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ServiceAccountTokenPodNodeInfo, true)
|
||||
featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ServiceAccountTokenNodeBindingValidation, true)
|
||||
|
||||
// Start the server
|
||||
var serverAddress string
|
||||
kubeClient, kubeConfig, tearDownFn := framework.StartTestServer(tCtx, t, framework.TestServerSetup{
|
||||
@ -475,7 +470,8 @@ func TestServiceAccountTokenCreate(t *testing.T) {
|
||||
t.Run("bound to service account and a pod with an assigned nodeName", testPodWithAssignedNode(node))
|
||||
|
||||
t.Run("fails to bind to a Node if the feature gate is disabled", func(t *testing.T) {
|
||||
// Disable node binding
|
||||
// Disable node binding, emulating 1.32
|
||||
featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParseMajorMinor("1.32"))
|
||||
featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ServiceAccountTokenNodeBinding, false)
|
||||
|
||||
// Create ServiceAccount and Node objects
|
||||
|
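Review bot: In the subtest "fails to bind to a Node if the feature gate is disabled", `SetFeatureGateEmulationVersionDuringTest` is applied to the shared `utilfeature.DefaultFeatureGate` while the apiserver started earlier in `TestServiceAccountTokenCreate` is still running. It therefore presumably moves every versioned gate to its 1.32 state for the duration of the subtest, not only node binding. The comment `// Disable node binding, emulating 1.32` says neither why emulation is needed nor that its effect is wider than one gate. I would expand it to `// ServiceAccountTokenNodeBinding is locked on from 1.33, so emulate 1.32 to be able to disable it; this changes the emulated version of the whole shared gate until the subtest ends.` The comment removed in the earlier hunk says the node getter is wired conditionally at server start, so it is worth confirming that this negative case does not depend on start-time gate state; the function body continues outside the hunk.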