Merge pull request #128168 from liggitt/4601-beta

KEP-4601: AuthorizeNodeWithSelectors / AuthorizeWithSelectors to beta
2025-07-28 14:07:14 +00:00 · 2024-10-18 17:39:03 +01:00 · 2024-10-18 17:39:03 +01:00 · d7bd728403
commit d7bd728403
parent 0daa75b972 9caca73126
7 changed files with 15 additions and 10 deletions
--- a/pkg/features/versioned_kube_features.go
+++ b/pkg/features/versioned_kube_features.go
@ -63,6 +63,7 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate

 	AuthorizeNodeWithSelectors: {
 		{Version: version.MustParse("1.31"), Default: false, PreRelease: featuregate.Alpha},
+		{Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.Beta},
 	},

 	kcmfeatures.CloudControllerManagerWebhook: {
@ -226,6 +227,7 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate

 	genericfeatures.AuthorizeWithSelectors: {
 		{Version: version.MustParse("1.31"), Default: false, PreRelease: featuregate.Alpha},
+		{Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.Beta},
 	},

 	genericfeatures.ConcurrentWatchObjectDecode: {
--- a/pkg/registry/authorization/util/helpers_test.go
+++ b/pkg/registry/authorization/util/helpers_test.go
@ -636,9 +636,7 @@ func TestAuthorizationAttributesFrom(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			if tt.enableAuthorizationSelector {
-				featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.AuthorizeWithSelectors, true)
-			}
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.AuthorizeWithSelectors, tt.enableAuthorizationSelector)

 			if got := AuthorizationAttributesFrom(tt.args.spec); !reflect.DeepEqual(got, tt.want) {
 				if got.LabelSelectorParsingErr != nil {
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/filter_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/filter_test.go
@ -873,9 +873,7 @@ func TestFilter(t *testing.T) {
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
 			environment.DisableBaseEnvSetCachingForTests()
-			if tc.enableSelectors {
-				featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.AuthorizeWithSelectors, true)
-			}
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.AuthorizeWithSelectors, tc.enableSelectors)

 			if tc.testPerCallLimit == 0 {
 				tc.testPerCallLimit = celconfig.PerCallLimit
--- a/staging/src/k8s.io/apiserver/pkg/features/kube_features.go
+++ b/staging/src/k8s.io/apiserver/pkg/features/kube_features.go
@ -291,6 +291,7 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate

 	AuthorizeWithSelectors: {
 		{Version: version.MustParse("1.31"), Default: false, PreRelease: featuregate.Alpha},
+		{Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.Beta},
 	},

 	ConcurrentWatchObjectDecode: {
--- a/staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook_test.go
+++ b/staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook_test.go
@ -322,9 +322,7 @@ func Test_resourceAttributesFrom(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			if tt.enableAuthorizationSelector {
-				featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.AuthorizeWithSelectors, true)
-			}
+			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.AuthorizeWithSelectors, tt.enableAuthorizationSelector)

 			if got := resourceAttributesFrom(tt.args.attr); !reflect.DeepEqual(got, tt.want) {
 				t.Errorf("resourceAttributesFrom() = %v, want %v", got, tt.want)
--- a/test/featuregates_linter/test_data/versioned_feature_list.yaml
+++ b/test/featuregates_linter/test_data/versioned_feature_list.yaml
@ -140,12 +140,20 @@
    lockToDefault: false
    preRelease: Alpha
    version: "1.31"
+  - default: true
+    lockToDefault: false
+    preRelease: Beta
+    version: "1.32"
 - name: AuthorizeWithSelectors
  versionedSpecs:
  - default: false
    lockToDefault: false
    preRelease: Alpha
    version: "1.31"
+  - default: true
+    lockToDefault: false
+    preRelease: Beta
+    version: "1.32"
 - name: CloudControllerManagerWebhook
  versionedSpecs:
  - default: false
--- a/test/integration/apiserver/cel/authorizerselector/helper.go
+++ b/test/integration/apiserver/cel/authorizerselector/helper.go
@ -48,7 +48,7 @@ func RunAuthzSelectorsLibraryTests(t *testing.T, featureEnabled bool) {

 	// Start the server with the desired feature enablement
 	server, err := apiservertesting.StartTestServer(t, nil, []string{
-		fmt.Sprintf("--feature-gates=AuthorizeWithSelectors=%v", featureEnabled),
+		fmt.Sprintf("--feature-gates=AuthorizeNodeWithSelectors=%v,AuthorizeWithSelectors=%v", featureEnabled, featureEnabled),
 		"--runtime-config=resource.k8s.io/v1alpha3=true",
 	}, framework.SharedEtcd())
 	if err != nil {