move RootCAConfigMap to ga
parent
186f934e4c
commit
cbf6e38bbd
@ -25,14 +25,12 @@ import (
|
|||||||
"net/http"
|
"net/http"
|
||||||
|
|
||||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||||
utilfeature "k8s.io/apiserver/pkg/util/feature"
|
|
||||||
"k8s.io/klog/v2"
|
"k8s.io/klog/v2"
|
||||||
"k8s.io/kubernetes/pkg/controller/certificates/approver"
|
"k8s.io/kubernetes/pkg/controller/certificates/approver"
|
||||||
"k8s.io/kubernetes/pkg/controller/certificates/cleaner"
|
"k8s.io/kubernetes/pkg/controller/certificates/cleaner"
|
||||||
"k8s.io/kubernetes/pkg/controller/certificates/rootcacertpublisher"
|
"k8s.io/kubernetes/pkg/controller/certificates/rootcacertpublisher"
|
||||||
"k8s.io/kubernetes/pkg/controller/certificates/signer"
|
"k8s.io/kubernetes/pkg/controller/certificates/signer"
|
||||||
csrsigningconfig "k8s.io/kubernetes/pkg/controller/certificates/signer/config"
|
csrsigningconfig "k8s.io/kubernetes/pkg/controller/certificates/signer/config"
|
||||||
"k8s.io/kubernetes/pkg/features"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
func startCSRSigningController(ctx ControllerContext) (http.Handler, bool, error) {
|
func startCSRSigningController(ctx ControllerContext) (http.Handler, bool, error) {
|
||||||
@ -193,10 +191,6 @@ func startCSRCleanerController(ctx ControllerContext) (http.Handler, bool, error
|
|||||||
}
|
}
|
||||||
|
|
||||||
func startRootCACertPublisher(ctx ControllerContext) (http.Handler, bool, error) {
|
func startRootCACertPublisher(ctx ControllerContext) (http.Handler, bool, error) {
|
||||||
if !utilfeature.DefaultFeatureGate.Enabled(features.RootCAConfigMap) {
|
|
||||||
return nil, false, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
var (
|
var (
|
||||||
rootCA []byte
|
rootCA []byte
|
||||||
err error
|
err error
|
||||||
|
@ -600,6 +600,7 @@ const (
|
|||||||
// owner: @zshihang
|
// owner: @zshihang
|
||||||
// alpha: v1.13
|
// alpha: v1.13
|
||||||
// beta: v1.20
|
// beta: v1.20
|
||||||
|
// ga: v1.21
|
||||||
//
|
//
|
||||||
// Allows kube-controller-manager to publish kube-root-ca.crt configmap to
|
// Allows kube-controller-manager to publish kube-root-ca.crt configmap to
|
||||||
// every namespace. This feature is a prerequisite of BoundServiceAccountTokenVolume.
|
// every namespace. This feature is a prerequisite of BoundServiceAccountTokenVolume.
|
||||||
@ -751,7 +752,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
|
|||||||
WinDSR: {Default: false, PreRelease: featuregate.Alpha},
|
WinDSR: {Default: false, PreRelease: featuregate.Alpha},
|
||||||
DisableAcceleratorUsageMetrics: {Default: true, PreRelease: featuregate.Beta},
|
DisableAcceleratorUsageMetrics: {Default: true, PreRelease: featuregate.Beta},
|
||||||
HPAContainerMetrics: {Default: false, PreRelease: featuregate.Alpha},
|
HPAContainerMetrics: {Default: false, PreRelease: featuregate.Alpha},
|
||||||
RootCAConfigMap: {Default: true, PreRelease: featuregate.Beta},
|
RootCAConfigMap: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.22
|
||||||
SizeMemoryBackedVolumes: {Default: false, PreRelease: featuregate.Alpha},
|
SizeMemoryBackedVolumes: {Default: false, PreRelease: featuregate.Alpha},
|
||||||
ExecProbeTimeout: {Default: true, PreRelease: featuregate.GA}, // lock to default in v1.21 and remove in v1.22
|
ExecProbeTimeout: {Default: true, PreRelease: featuregate.GA}, // lock to default in v1.21 and remove in v1.22
|
||||||
KubeletCredentialProviders: {Default: false, PreRelease: featuregate.Alpha},
|
KubeletCredentialProviders: {Default: false, PreRelease: featuregate.Alpha},
|
||||||
|
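Review bot: The trailing comment on the new `RootCAConfigMap` entry says only `// remove in 1.22`, while the neighbouring `ExecProbeTimeout` entry spells out both the lock and the removal with `v`-prefixed versions. `LockToDefault: true` is also an operator-visible change: as far as I know the feature-gate parser rejects an explicit non-default value for a locked gate, so a component still started with `RootCAConfigMap=false` would presumably refuse to start after the upgrade, which deserves a release note. I would write the comment as `// GA and locked to default in v1.21; remove in v1.22`.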
@ -15,7 +15,6 @@ go_library(
|
|||||||
visibility = ["//visibility:public"],
|
visibility = ["//visibility:public"],
|
||||||
deps = [
|
deps = [
|
||||||
"//pkg/controller/serviceaccount:go_default_library",
|
"//pkg/controller/serviceaccount:go_default_library",
|
||||||
"//pkg/features:go_default_library",
|
|
||||||
"//pkg/kubeapiserver/authenticator:go_default_library",
|
"//pkg/kubeapiserver/authenticator:go_default_library",
|
||||||
"//pkg/kubeapiserver/authorizer:go_default_library",
|
"//pkg/kubeapiserver/authorizer:go_default_library",
|
||||||
"//pkg/kubeapiserver/authorizer/modes:go_default_library",
|
"//pkg/kubeapiserver/authorizer/modes:go_default_library",
|
||||||
@ -63,7 +62,6 @@ go_library(
|
|||||||
"//staging/src/k8s.io/apiserver/pkg/server:go_default_library",
|
"//staging/src/k8s.io/apiserver/pkg/server:go_default_library",
|
||||||
"//staging/src/k8s.io/apiserver/pkg/server/egressselector:go_default_library",
|
"//staging/src/k8s.io/apiserver/pkg/server/egressselector:go_default_library",
|
||||||
"//staging/src/k8s.io/apiserver/pkg/server/options:go_default_library",
|
"//staging/src/k8s.io/apiserver/pkg/server/options:go_default_library",
|
||||||
"//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
|
|
||||||
"//staging/src/k8s.io/client-go/informers:go_default_library",
|
"//staging/src/k8s.io/client-go/informers:go_default_library",
|
||||||
"//staging/src/k8s.io/client-go/kubernetes:go_default_library",
|
"//staging/src/k8s.io/client-go/kubernetes:go_default_library",
|
||||||
"//staging/src/k8s.io/client-go/rest:go_default_library",
|
"//staging/src/k8s.io/client-go/rest:go_default_library",
|
||||||
|
@ -32,7 +32,6 @@ import (
|
|||||||
genericapiserver "k8s.io/apiserver/pkg/server"
|
genericapiserver "k8s.io/apiserver/pkg/server"
|
||||||
"k8s.io/apiserver/pkg/server/egressselector"
|
"k8s.io/apiserver/pkg/server/egressselector"
|
||||||
genericoptions "k8s.io/apiserver/pkg/server/options"
|
genericoptions "k8s.io/apiserver/pkg/server/options"
|
||||||
utilfeature "k8s.io/apiserver/pkg/util/feature"
|
|
||||||
"k8s.io/client-go/informers"
|
"k8s.io/client-go/informers"
|
||||||
"k8s.io/client-go/kubernetes"
|
"k8s.io/client-go/kubernetes"
|
||||||
cliflag "k8s.io/component-base/cli/flag"
|
cliflag "k8s.io/component-base/cli/flag"
|
||||||
@ -40,7 +39,6 @@ import (
|
|||||||
openapicommon "k8s.io/kube-openapi/pkg/common"
|
openapicommon "k8s.io/kube-openapi/pkg/common"
|
||||||
|
|
||||||
serviceaccountcontroller "k8s.io/kubernetes/pkg/controller/serviceaccount"
|
serviceaccountcontroller "k8s.io/kubernetes/pkg/controller/serviceaccount"
|
||||||
"k8s.io/kubernetes/pkg/features"
|
|
||||||
kubeauthenticator "k8s.io/kubernetes/pkg/kubeapiserver/authenticator"
|
kubeauthenticator "k8s.io/kubernetes/pkg/kubeapiserver/authenticator"
|
||||||
authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
|
authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
|
||||||
"k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/bootstrap"
|
"k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/bootstrap"
|
||||||
@ -199,12 +197,6 @@ func (o *BuiltInAuthenticationOptions) Validate() []error {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if o.ServiceAccounts != nil && utilfeature.DefaultFeatureGate.Enabled(features.BoundServiceAccountTokenVolume) {
|
|
||||||
if !utilfeature.DefaultFeatureGate.Enabled(features.RootCAConfigMap) {
|
|
||||||
allErrors = append(allErrors, errors.New("BoundServiceAccountTokenVolume feature depends on RootCAConfigMap feature, but RootCAConfigMap features is not enabled"))
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if o.ServiceAccounts != nil {
|
if o.ServiceAccounts != nil {
|
||||||
if len(o.ServiceAccounts.Issuer) == 0 {
|
if len(o.ServiceAccounts.Issuer) == 0 {
|
||||||
allErrors = append(allErrors, errors.New("service-account-issuer is a required flag"))
|
allErrors = append(allErrors, errors.New("service-account-issuer is a required flag"))
|
||||||
|
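Review bot: With the dependency check removed from `Validate()`, nothing at this site records that bound service account tokens still rely on the `kube-root-ca.crt` ConfigMap being published; the removal is safe only because the gate is now locked on in this binary. The old check consulted only the apiserver's own gate, so it presumably never covered a version-skewed kube-controller-manager that still runs with the publisher disabled. I would leave a short comment above the remaining `if o.ServiceAccounts != nil {` block, for example `// RootCAConfigMap is GA and locked on, so the kube-root-ca.crt dependency of BoundServiceAccountTokenVolume is no longer validated here.` `Validate()` starts and ends outside the hunk.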
@ -402,16 +402,13 @@ func buildControllerRoles() ([]rbacv1.ClusterRole, []rbacv1.ClusterRoleBinding)
|
|||||||
},
|
},
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
|
||||||
if utilfeature.DefaultFeatureGate.Enabled(features.RootCAConfigMap) {
|
ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "root-ca-cert-publisher"},
|
||||||
addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
|
Rules: []rbacv1.PolicyRule{
|
||||||
ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "root-ca-cert-publisher"},
|
rbacv1helpers.NewRule("create", "update").Groups(legacyGroup).Resources("configmaps").RuleOrDie(),
|
||||||
Rules: []rbacv1.PolicyRule{
|
eventsRule(),
|
||||||
rbacv1helpers.NewRule("create", "update").Groups(legacyGroup).Resources("configmaps").RuleOrDie(),
|
},
|
||||||
eventsRule(),
|
})
|
||||||
},
|
|
||||||
})
|
|
||||||
}
|
|
||||||
if utilfeature.DefaultFeatureGate.Enabled(genericfeatures.StorageVersionAPI) &&
|
if utilfeature.DefaultFeatureGate.Enabled(genericfeatures.StorageVersionAPI) &&
|
||||||
utilfeature.DefaultFeatureGate.Enabled(genericfeatures.APIServerIdentity) {
|
utilfeature.DefaultFeatureGate.Enabled(genericfeatures.APIServerIdentity) {
|
||||||
addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
|
addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
|
||||||
|
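Review bot: The `root-ca-cert-publisher` role is now registered unconditionally, and its rule grants `create` and `update` on all ConfigMaps, although the feature comment in this commit says the controller publishes only `kube-root-ca.crt`. `create` cannot be narrowed by resource name, but `update` can, so I would split the rule into `rbacv1helpers.NewRule("create").Groups(legacyGroup).Resources("configmaps").RuleOrDie(),` and `rbacv1helpers.NewRule("update").Groups(legacyGroup).Resources("configmaps").Names("kube-root-ca.crt").RuleOrDie(),`. That keeps the controller's credential from being able to overwrite unrelated ConfigMaps. `buildControllerRoles` starts and ends outside the hunk, and any policy fixtures generated from it would need the same update.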