Promote ServiceAccountTokenNodeBinding to GA

liggitt · liggitt · commit 59850b582301 · 2025-01-14T09:48:35.000-05:00
diff --git a/pkg/features/versioned_kube_features.go b/pkg/features/versioned_kube_features.go
@@ -700,24 +700,25 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 	ServiceAccountTokenJTI: {
 		{Version: version.MustParse("1.29"), Default: false, PreRelease: featuregate.Alpha},
 		{Version: version.MustParse("1.30"), Default: true, PreRelease: featuregate.Beta},
-		{Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.34
+		{Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.GA, LockToDefault: true},
 	},
 
 	ServiceAccountTokenNodeBinding: {
 		{Version: version.MustParse("1.29"), Default: false, PreRelease: featuregate.Alpha},
 		{Version: version.MustParse("1.31"), Default: true, PreRelease: featuregate.Beta},
+		{Version: version.MustParse("1.33"), Default: true, PreRelease: featuregate.GA, LockToDefault: true},
 	},
 
 	ServiceAccountTokenNodeBindingValidation: {
 		{Version: version.MustParse("1.29"), Default: false, PreRelease: featuregate.Alpha},
 		{Version: version.MustParse("1.30"), Default: true, PreRelease: featuregate.Beta},
-		{Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.34
+		{Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.GA, LockToDefault: true},
 	},
 
 	ServiceAccountTokenPodNodeInfo: {
 		{Version: version.MustParse("1.29"), Default: false, PreRelease: featuregate.Alpha},
 		{Version: version.MustParse("1.30"), Default: true, PreRelease: featuregate.Beta},
-		{Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.34
+		{Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.GA, LockToDefault: true},
 	},
 
 	ServiceTrafficDistribution: {
diff --git a/pkg/serviceaccount/claims_test.go b/pkg/serviceaccount/claims_test.go
@@ -29,10 +29,7 @@ import (
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
-	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	"k8s.io/kubernetes/pkg/apis/core"
-	"k8s.io/kubernetes/pkg/features"
 )
 
 func init() {
@@ -88,8 +85,6 @@ func TestClaims(t *testing.T) {
 		// desired
 		sc *jwt.Claims
 		pc *privateClaims
-
-		featureNodeBinding bool
 	}{
 		{
 			// pod and secret
@@ -196,22 +191,10 @@ func TestClaims(t *testing.T) {
 				},
 			},
 		},
-		{
-			// node with feature gate disabled
-			sa:   sa,
-			node: node,
-			// really fast
-			exp: 0,
-			// nil audience
-			aud: nil,
-			err: "token bound to Node object requested, but \"ServiceAccountTokenNodeBinding\" feature gate is disabled",
-		},
 		{
 			// node alone
 			sa:   sa,
 			node: node,
-			// enable node binding feature
-			featureNodeBinding: true,
 			// really fast
 			exp: 0,
 			// nil audience
@@ -263,8 +246,6 @@ func TestClaims(t *testing.T) {
 			sa:   sa,
 			sec:  sec,
 			node: node,
-			// enable embedding node info feature
-			featureNodeBinding: true,
 			// really fast
 			exp: 0,
 			// nil audience
@@ -293,18 +274,6 @@ func TestClaims(t *testing.T) {
 				},
 			},
 		},
-		{
-			// ensure it fails if node binding gate is disabled
-			sa:                 sa,
-			node:               node,
-			featureNodeBinding: false,
-			// really fast
-			exp: 0,
-			// nil audience
-			aud: nil,
-
-			err: "token bound to Node object requested, but \"ServiceAccountTokenNodeBinding\" feature gate is disabled",
-		},
 	}
 	for i, c := range cs {
 		t.Run(fmt.Sprintf("case %d", i), func(t *testing.T) {
@@ -319,9 +288,6 @@ func TestClaims(t *testing.T) {
 				return string(b)
 			}
 
-			// set feature flags for the duration of the test case
-			featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ServiceAccountTokenNodeBinding, c.featureNodeBinding)
-
 			sc, pc, err := Claims(c.sa, c.pod, c.sec, c.node, c.exp, c.warnafter, c.aud)
 			if err != nil && err.Error() != c.err {
 				t.Errorf("expected error %q but got: %v", c.err, err)
diff --git a/test/featuregates_linter/test_data/versioned_feature_list.yaml b/test/featuregates_linter/test_data/versioned_feature_list.yaml
@@ -1206,6 +1206,10 @@
     lockToDefault: false
     preRelease: Beta
     version: "1.31"
+  - default: true
+    lockToDefault: true
+    preRelease: GA
+    version: "1.33"
 - name: ServiceAccountTokenNodeBindingValidation
   versionedSpecs:
   - default: false
diff --git a/test/integration/auth/svcaccttoken_test.go b/test/integration/auth/svcaccttoken_test.go
@@ -40,6 +40,7 @@ import (
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/version"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	apiserverserviceaccount "k8s.io/apiserver/pkg/authentication/serviceaccount"
 	"k8s.io/apiserver/pkg/authentication/user"
@@ -136,12 +137,6 @@ func TestServiceAccountTokenCreate(t *testing.T) {
 
 	tCtx := ktesting.Init(t)
 
-	// Enable the node token improvements feature gates prior to starting the apiserver, as the node getter is
-	// conditionally passed to the service account token generator based on feature enablement.
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ServiceAccountTokenNodeBinding, true)
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ServiceAccountTokenPodNodeInfo, true)
-	featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ServiceAccountTokenNodeBindingValidation, true)
-
 	// Start the server
 	var serverAddress string
 	kubeClient, kubeConfig, tearDownFn := framework.StartTestServer(tCtx, t, framework.TestServerSetup{
@@ -475,7 +470,8 @@ func TestServiceAccountTokenCreate(t *testing.T) {
 	t.Run("bound to service account and a pod with an assigned nodeName", testPodWithAssignedNode(node))
 
 	t.Run("fails to bind to a Node if the feature gate is disabled", func(t *testing.T) {
-		// Disable node binding
+		// Disable node binding, emulating 1.32
+		featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParseMajorMinor("1.32"))
 		featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ServiceAccountTokenNodeBinding, false)
 
 		// Create ServiceAccount and Node objects
