Merge pull request #99658 from deads2k/proxy-skip

promote AllowInsecureBackendProxy to stable

pkg/features/kube_features.go

@@ -496,6 +496,7 @@ const (
 
 	// owner: @deads2k
 	// beta: v1.17
+	// GA: v1.21
 	//
 	// Enables the users to skip TLS verification of kubelets on pod logs requests
 	AllowInsecureBackendProxy featuregate.Feature = "AllowInsecureBackendProxy"
@@ -783,7 +784,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
 	EndpointSliceNodeName:                          {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, //remove in 1.25
 	WindowsEndpointSliceProxying:                   {Default: true, PreRelease: featuregate.Beta},
 	StartupProbe:                                   {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.23
-	AllowInsecureBackendProxy:                      {Default: true, PreRelease: featuregate.Beta},
+	AllowInsecureBackendProxy:                      {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.23
 	PodDisruptionBudget:                            {Default: true, PreRelease: featuregate.Beta},
 	CronJobControllerV2:                            {Default: true, PreRelease: featuregate.Beta},
 	DaemonSetUpdateSurge:                           {Default: false, PreRelease: featuregate.Alpha},

pkg/registry/core/pod/rest/log.go

@@ -27,10 +27,8 @@ import (
 	genericregistry "k8s.io/apiserver/pkg/registry/generic/registry"
 	genericrest "k8s.io/apiserver/pkg/registry/generic/rest"
 	"k8s.io/apiserver/pkg/registry/rest"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	api "k8s.io/kubernetes/pkg/apis/core"
 	"k8s.io/kubernetes/pkg/apis/core/validation"
-	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/pkg/kubelet/client"
 	"k8s.io/kubernetes/pkg/registry/core/pod"
 
@@ -80,11 +78,7 @@ func (r *LogREST) Get(ctx context.Context, name string, opts runtime.Object) (ru
 		return nil, fmt.Errorf("invalid options object: %#v", opts)
 	}
 
-	// we must do this before forcing the insecure flag if the feature is disabled
 	countSkipTLSMetric(logOpts.InsecureSkipTLSVerifyBackend)
-	if !utilfeature.DefaultFeatureGate.Enabled(features.AllowInsecureBackendProxy) {
-		logOpts.InsecureSkipTLSVerifyBackend = false
-	}
 
 	if errs := validation.ValidatePodLogOptions(logOpts); len(errs) > 0 {
 		return nil, errors.NewInvalid(api.Kind("PodLogOptions"), name, errs)
@@ -107,11 +101,7 @@ func (r *LogREST) Get(ctx context.Context, name string, opts runtime.Object) (ru
 func countSkipTLSMetric(insecureSkipTLSVerifyBackend bool) {
 	usageType := usageEnforce
 	if insecureSkipTLSVerifyBackend {
-		if utilfeature.DefaultFeatureGate.Enabled(features.AllowInsecureBackendProxy) {
+		usageType = usageSkipAllowed
-			usageType = usageSkipAllowed
-		} else {
-			usageType = usageSkipDenied
-		}
 	}
 
 	counter, err := podLogsUsage.GetMetricWithLabelValues(usageType)

pkg/registry/core/pod/strategy.go

@@ -46,7 +46,6 @@ import (
 	api "k8s.io/kubernetes/pkg/apis/core"
 	"k8s.io/kubernetes/pkg/apis/core/helper/qos"
 	"k8s.io/kubernetes/pkg/apis/core/validation"
-	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/pkg/kubelet/client"
 	proxyutil "k8s.io/kubernetes/pkg/proxy/util"
 )
@@ -386,7 +385,7 @@ func LogLocation(
 		RawQuery: params.Encode(),
 	}
 
-	if opts.InsecureSkipTLSVerifyBackend && utilfeature.DefaultFeatureGate.Enabled(features.AllowInsecureBackendProxy) {
+	if opts.InsecureSkipTLSVerifyBackend {
 		return loc, nodeInfo.InsecureSkipTLSVerifyTransport, nil
 	}
 	return loc, nodeInfo.Transport, nil