UPSTREAM: <carry>: Add kube feature gate for global service account

cnvergence · SimonTheLeg · commit 6a465295ce3e · 2025-11-12T10:59:40.000+01:00
TODO: this commit may be dropped once kcp-dev/kcp#3274 and related issues are done Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> On-behalf-of: @SAP karol.szwaj@sap.com Signed-off-by: Nelo-T. Wallus <n.wallus@sap.com>
diff --git a/pkg/features/kube_features.go b/pkg/features/kube_features.go
@@ -990,6 +990,13 @@ const (
 	// operation when scheduling a Pod by setting the `metadata.labels` field on the submitted Binding,
 	// similar to how `metadata.annotations` behaves.
 	PodTopologyLabelsAdmission featuregate.Feature = "PodTopologyLabelsAdmission"
+
+	// TODO(cnvergence): Remove when not applicable
+	// owner: @cnvergence
+	// alpha: v1.31
+	//
+	// GlobalServiceAccount is a feature gate that enables the cross-workspace service accounts feature.
+	GlobalServiceAccount featuregate.Feature = "GlobalServiceAccount"
 )
 
 // defaultVersionedKubernetesFeatureGates consists of all known Kubernetes-specific feature keys with VersionedSpecs.
@@ -1877,6 +1884,10 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 	DisableCPUQuotaWithExclusiveCPUs: {
 		{Version: version.MustParse("1.33"), Default: true, PreRelease: featuregate.Beta},
 	},
+
+	GlobalServiceAccount: {
+		{Version: version.MustParse("1.31"), Default: false, PreRelease: featuregate.Alpha},
+	},
 }
 
 func init() {
diff --git a/pkg/registry/rbac/validation/kcp.go b/pkg/registry/rbac/validation/kcp.go
@@ -12,6 +12,8 @@ import (
 	authserviceaccount "k8s.io/apiserver/pkg/authentication/serviceaccount"
 	"k8s.io/apiserver/pkg/authentication/user"
 	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	"k8s.io/kubernetes/pkg/features"
 )
 
 const (
@@ -88,6 +90,7 @@ func EffectiveUsers(clusterName logicalcluster.Name, u user.Info) []user.Info {
 
 	var wantAuthenticated bool
 	var wantUnauthenticated bool
+	globalsa := utilfeature.DefaultFeatureGate.Enabled(features.GlobalServiceAccount)
 
 	var recursive func(u user.Info)
 	recursive = func(u user.Info) {
@@ -105,7 +108,7 @@ func EffectiveUsers(clusterName logicalcluster.Name, u user.Info) []user.Info {
 			wantUnauthenticated = wantUnauthenticated || !found
 		}
 
-		if IsServiceAccount(u) {
+		if IsServiceAccount(u) && globalsa {
 			if clusters := u.GetExtra()[authserviceaccount.ClusterNameKey]; len(clusters) == 1 {
 				nsNameSuffix := strings.TrimPrefix(u.GetName(), "system:serviceaccount:")
 				rewritten := &user.DefaultInfo{
