set the skip flag boolean based on feature flag

cnvergence · cnvergence · commit df90ed9eb3df · 2025-03-17T13:12:35.000+01:00
On-behalf-of: @SAP karol.szwaj@sap.com Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com>
diff --git a/go.sum b/go.sum
@@ -146,6 +146,8 @@ github.com/kcp-dev/apimachinery/v2 v2.0.1-0.20250223115924-431177b024f3 h1:YwNX7
 github.com/kcp-dev/apimachinery/v2 v2.0.1-0.20250223115924-431177b024f3/go.mod h1:n0+EV+LGKl1MXXqGbGcn0AaBv7hdKsdazSYuq8nM8Us=
 github.com/kcp-dev/client-go v0.0.0-20250223133118-3dea338dc267 h1:Ec2/Mh7mVvboBFol0S8u30arfA7oyk/VtHL9Xojjvfs=
 github.com/kcp-dev/client-go v0.0.0-20250223133118-3dea338dc267/go.mod h1:1lEs8b8BYzGrMr7Q8Fs7cNVaDAWogu5lLkz5t6HtRLI=
+github.com/kcp-dev/embeddedetcd v1.0.2 h1:9vhU1EgVrnb+mLgvEa1IoJZn00U1ZuQ+OBVIkU11yQ4=
+github.com/kcp-dev/embeddedetcd v1.0.2/go.mod h1:3+1niAxAa83FemGgZ/MGrcsKWXa6987GADsnUne3Uck=
 github.com/kcp-dev/kubernetes v0.0.0-20250313100806-0011b8c72acd h1:ia871gMMDg+TCWIBxFK7sUC5jFGZ4XAWJfEWZvh2nO8=
 github.com/kcp-dev/kubernetes v0.0.0-20250313100806-0011b8c72acd/go.mod h1:XYYDf1DiwQxjQVmfn0VY4xULAogCt/wxQtTzgQjZ4OY=
 github.com/kcp-dev/kubernetes/staging/src/k8s.io/api v0.0.0-20250313100806-0011b8c72acd h1:HZ9tCxzLuyjgaZLqLmnecO4lUqGwSBm38Pjl/8ZGyvQ=
diff --git a/pkg/authorization/resolver_test.go b/pkg/authorization/resolver_test.go
@@ -30,6 +30,9 @@ import (
 	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 	"k8s.io/apiserver/pkg/endpoints/request"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	"k8s.io/kubernetes/pkg/features"
+
 	rbacregistryvalidation "k8s.io/kubernetes/pkg/registry/rbac/validation"
 	"k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac"
 )
@@ -64,11 +67,10 @@ func TestResolverWithWarrants(t *testing.T) {
 		Verbs:           []string{"get"},
 		NonResourceURLs: []string{"/readyz"},
 	}
-	// TODO(cnvergence): restore the commented lines once we drop the global service account feature flag
-	/* 	getMetrics := &authorizer.DefaultNonResourceRuleInfo{
+	getMetrics := &authorizer.DefaultNonResourceRuleInfo{
 		Verbs:           []string{"get"},
 		NonResourceURLs: []string{"/metrics"},
-	} */
+	}
 	getRoot := &authorizer.DefaultNonResourceRuleInfo{
 		Verbs:           []string{"get"},
 		NonResourceURLs: []string{"/"},
@@ -80,6 +82,7 @@ func TestResolverWithWarrants(t *testing.T) {
 		wantResourceRules    []authorizer.ResourceRuleInfo
 		wantNonResourceRules []authorizer.NonResourceRuleInfo
 		wantError            bool
+		skip                 bool
 	}{
 		{
 			name:                 "base without warrants",
@@ -129,19 +132,19 @@ func TestResolverWithWarrants(t *testing.T) {
 			wantResourceRules:    []authorizer.ResourceRuleInfo{getServices},
 			wantNonResourceRules: nil, // global service accounts do no work without a cluster.
 		},
-		// TODO(cnvergence): restore the commented lines once we drop the global service account feature flag
+		// TODO(cnvergence): restore the skip field once we drop the global service account feature flag
 		{
-			name:              "service account with this cluster",
-			user:              &user.DefaultInfo{Name: "system:serviceaccount:default:sa", Groups: []string{"system:serviceaccounts", user.AllAuthenticated}, Extra: map[string][]string{authserviceaccount.ClusterNameKey: {"this"}}},
-			wantResourceRules: []authorizer.ResourceRuleInfo{getServices},
-			//wantNonResourceRules: []authorizer.NonResourceRuleInfo{getReadyz},
-			wantNonResourceRules: nil,
+			name:                 "service account with this cluster",
+			user:                 &user.DefaultInfo{Name: "system:serviceaccount:default:sa", Groups: []string{"system:serviceaccounts", user.AllAuthenticated}, Extra: map[string][]string{authserviceaccount.ClusterNameKey: {"this"}}},
+			wantResourceRules:    []authorizer.ResourceRuleInfo{getServices},
+			wantNonResourceRules: []authorizer.NonResourceRuleInfo{getReadyz},
+			skip:                 !utilfeature.DefaultFeatureGate.Enabled(features.GlobalServiceAccount),
 		},
 		{
-			name: "service account with other cluster",
-			user: &user.DefaultInfo{Name: "system:serviceaccount:default:sa", Groups: []string{"system:serviceaccounts", user.AllAuthenticated}, Extra: map[string][]string{authserviceaccount.ClusterNameKey: {"other"}}},
-			//wantNonResourceRules: []authorizer.NonResourceRuleInfo{getMetrics},
-			wantNonResourceRules: nil,
+			name:                 "service account with other cluster",
+			user:                 &user.DefaultInfo{Name: "system:serviceaccount:default:sa", Groups: []string{"system:serviceaccounts", user.AllAuthenticated}, Extra: map[string][]string{authserviceaccount.ClusterNameKey: {"other"}}},
+			wantNonResourceRules: []authorizer.NonResourceRuleInfo{getMetrics},
+			skip:                 !utilfeature.DefaultFeatureGate.Enabled(features.GlobalServiceAccount),
 		},
 		{
 			name:                 "base with service account warrant without cluster, ignored",
@@ -281,7 +284,7 @@ func TestResolverWithWarrants(t *testing.T) {
 			sort.Sort(sortedResourceRules(resourceRules))
 			sort.Sort(sortedNonResourceRules(nonResourceRules))
 
-			if !tt.wantError {
+			if !tt.wantError && !tt.skip {
 				if diff := cmp.Diff(resourceRules, tt.wantResourceRules); diff != "" {
 					t.Errorf("resourceRules differs: +want -got:\n%s", diff)
 				}
