From cbf6e38bbda90a87b752f653743a5e3b738babfa Mon Sep 17 00:00:00 2001
From: Shihang Zhang
Date: Wed, 13 Jan 2021 11:56:45 -0800
Subject: [PATCH] move RootCAConfigMap to ga

---
 cmd/kube-controller-manager/app/certificates.go | 6 ------
 pkg/features/kube_features.go | 3 ++-
 pkg/kubeapiserver/options/BUILD | 2 --
 pkg/kubeapiserver/options/authentication.go | 8 --------
 .../rbac/bootstrappolicy/controller_policy.go | 17 +++++++----------
 5 files changed, 9 insertions(+), 27 deletions(-)

diff --git a/cmd/kube-controller-manager/app/certificates.go b/cmd/kube-controller-manager/app/certificates.go
index f8768eda4f3..f1c4942a88e 100644
--- a/cmd/kube-controller-manager/app/certificates.go
+++ b/cmd/kube-controller-manager/app/certificates.go
@@ -25,14 +25,12 @@ import (
 	"net/http"
 
 	"k8s.io/apimachinery/pkg/runtime/schema"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/klog/v2"
 	"k8s.io/kubernetes/pkg/controller/certificates/approver"
 	"k8s.io/kubernetes/pkg/controller/certificates/cleaner"
 	"k8s.io/kubernetes/pkg/controller/certificates/rootcacertpublisher"
 	"k8s.io/kubernetes/pkg/controller/certificates/signer"
 	csrsigningconfig "k8s.io/kubernetes/pkg/controller/certificates/signer/config"
-	"k8s.io/kubernetes/pkg/features"
 )
 
 func startCSRSigningController(ctx ControllerContext) (http.Handler, bool, error) {
@@ -193,10 +191,6 @@ func startCSRCleanerController(ctx ControllerContext) (http.Handler, bool, error
 }
 
 func startRootCACertPublisher(ctx ControllerContext) (http.Handler, bool, error) {
-	if !utilfeature.DefaultFeatureGate.Enabled(features.RootCAConfigMap) {
-		return nil, false, nil
-	}
-
 	var (
 		rootCA []byte
 		err error
diff --git a/pkg/features/kube_features.go b/pkg/features/kube_features.go
index 4f2ce5417e2..72bd109b549 100644
--- a/pkg/features/kube_features.go
+++ b/pkg/features/kube_features.go
@@ -600,6 +600,7 @@ const (
 	// owner: @zshihang
 	// alpha: v1.13
 	// beta: v1.20
+	// ga: v1.21
 	//
 	// Allows kube-controller-manager to publish kube-root-ca.crt configmap to
 	// every namespace. This feature is a prerequisite of BoundServiceAccountTokenVolume.
@@ -751,7 +752,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
 	WinDSR: {Default: false, PreRelease: featuregate.Alpha},
 	DisableAcceleratorUsageMetrics: {Default: true, PreRelease: featuregate.Beta},
 	HPAContainerMetrics: {Default: false, PreRelease: featuregate.Alpha},
-	RootCAConfigMap: {Default: true, PreRelease: featuregate.Beta},
+	RootCAConfigMap: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.22
 	SizeMemoryBackedVolumes: {Default: false, PreRelease: featuregate.Alpha},
 	ExecProbeTimeout: {Default: true, PreRelease: featuregate.GA}, // lock to default in v1.21 and remove in v1.22
 	KubeletCredentialProviders: {Default: false, PreRelease: featuregate.Alpha},
diff --git a/pkg/kubeapiserver/options/BUILD b/pkg/kubeapiserver/options/BUILD
index fe8abc5a4ab..1cb2cab24f5 100644
--- a/pkg/kubeapiserver/options/BUILD
+++ b/pkg/kubeapiserver/options/BUILD
@@ -15,7 +15,6 @@ go_library(
     visibility = ["//visibility:public"],
     deps = [
         "//pkg/controller/serviceaccount:go_default_library",
-        "//pkg/features:go_default_library",
         "//pkg/kubeapiserver/authenticator:go_default_library",
         "//pkg/kubeapiserver/authorizer:go_default_library",
         "//pkg/kubeapiserver/authorizer/modes:go_default_library",
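Review bot: The trailing comment on the new `RootCAConfigMap` entry in pkg/features/kube_features.go, `// remove in 1.22`, drops the `v` prefix that the neighbouring `ExecProbeTimeout` entry and the gate's own doc block (`// ga: v1.21`) use; `// remove in v1.22` keeps the table consistent. Since `LockToDefault: true` is what stops the gate from being switched off at startup, and that is the property which makes dropping the remaining `Enabled(features.RootCAConfigMap)` checks in certificates.go, authentication.go and controller_policy.go safe, it may be worth recording it in the doc block, e.g. `// ga: v1.21 (locked to default)`, so a reader of the gate table sees why the feature is now unconditional.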
@@ -63,7 +62,6 @@ go_library(
         "//staging/src/k8s.io/apiserver/pkg/server:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/server/egressselector:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/server/options:go_default_library",
-        "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
         "//staging/src/k8s.io/client-go/informers:go_default_library",
         "//staging/src/k8s.io/client-go/kubernetes:go_default_library",
         "//staging/src/k8s.io/client-go/rest:go_default_library",
diff --git a/pkg/kubeapiserver/options/authentication.go b/pkg/kubeapiserver/options/authentication.go
index 3e01c30fc08..8100a74f2c5 100644
--- a/pkg/kubeapiserver/options/authentication.go
+++ b/pkg/kubeapiserver/options/authentication.go
@@ -32,7 +32,6 @@ import (
 	genericapiserver "k8s.io/apiserver/pkg/server"
 	"k8s.io/apiserver/pkg/server/egressselector"
 	genericoptions "k8s.io/apiserver/pkg/server/options"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes"
 	cliflag "k8s.io/component-base/cli/flag"
@@ -40,7 +39,6 @@ import (
 	openapicommon "k8s.io/kube-openapi/pkg/common"
 
 	serviceaccountcontroller "k8s.io/kubernetes/pkg/controller/serviceaccount"
-	"k8s.io/kubernetes/pkg/features"
 	kubeauthenticator "k8s.io/kubernetes/pkg/kubeapiserver/authenticator"
 	authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
 	"k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/bootstrap"
@@ -199,12 +197,6 @@ func (o *BuiltInAuthenticationOptions) Validate() []error {
 		}
 	}
 
-	if o.ServiceAccounts != nil && utilfeature.DefaultFeatureGate.Enabled(features.BoundServiceAccountTokenVolume) {
-		if !utilfeature.DefaultFeatureGate.Enabled(features.RootCAConfigMap) {
-			allErrors = append(allErrors, errors.New("BoundServiceAccountTokenVolume feature depends on RootCAConfigMap feature, but RootCAConfigMap features is not enabled"))
-		}
-	}
-
 	if o.ServiceAccounts != nil {
 		if len(o.ServiceAccounts.Issuer) == 0 {
 			allErrors = append(allErrors, errors.New("service-account-issuer is a required flag"))
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
index 2972b4e8def..e9020fdcb6b 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
@@ -402,16 +402,13 @@ func buildControllerRoles() ([]rbacv1.ClusterRole, []rbacv1.ClusterRoleBinding)
 			},
 		})
 	}
-
-	if utilfeature.DefaultFeatureGate.Enabled(features.RootCAConfigMap) {
-		addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
-			ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "root-ca-cert-publisher"},
-			Rules: []rbacv1.PolicyRule{
-				rbacv1helpers.NewRule("create", "update").Groups(legacyGroup).Resources("configmaps").RuleOrDie(),
-				eventsRule(),
-			},
-		})
-	}
+	addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
+		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "root-ca-cert-publisher"},
+		Rules: []rbacv1.PolicyRule{
+			rbacv1helpers.NewRule("create", "update").Groups(legacyGroup).Resources("configmaps").RuleOrDie(),
+			eventsRule(),
+		},
+	})
 
 	if utilfeature.DefaultFeatureGate.Enabled(genericfeatures.StorageVersionAPI) && utilfeature.DefaultFeatureGate.Enabled(genericfeatures.APIServerIdentity) {
 		addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
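Review bot: With the gate check gone, the `root-ca-cert-publisher` role and its rule `rbacv1helpers.NewRule("create", "update").Groups(legacyGroup).Resources("configmaps").RuleOrDie()` are now bootstrapped in every cluster, granting the controller's service account create and update on every ConfigMap in every namespace rather than only where the gate was opted into. RBAC cannot narrow `create` by resource name, but `update` can be: if the publisher only ever writes the `kube-root-ca.crt` ConfigMap named in the gate's description (confirm against the controller before changing this), splitting the rule into `rbacv1helpers.NewRule("create").Groups(legacyGroup).Resources("configmaps").RuleOrDie(),` and `rbacv1helpers.NewRule("update").Groups(legacyGroup).Resources("configmaps").Names("kube-root-ca.crt").RuleOrDie(),` keeps the now-unconditional grant closer to least privilege, and a one-line comment on the create rule saying why it cannot be name-scoped would stop the next reader from "tightening" it incorrectly. `buildControllerRoles` starts and ends outside this hunk.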