Merge pull request kubernetes#128396 from ritazh/deprecate-EnforceMountableSecretsAnnotation

deprecate EnforceMountableSecretsAnnotation in 1.32

Author: k8s-ci-robot

api/openapi-spec/swagger.json

@@ -4822,6 +4822,8 @@ type ServiceAccount struct {
 
 	// Secrets is a list of the secrets in the same namespace that pods running using this ServiceAccount are allowed to use.
 	// Pods are only limited to this list if this service account has a "kubernetes.io/enforce-mountable-secrets" annotation set to "true".
+	// The "kubernetes.io/enforce-mountable-secrets" annotation is deprecated since v1.32.
+	// Prefer separate namespaces to isolate access to mounted secrets.
 	// This field should not be used to find auto-generated service account token secrets for use outside of pods.
 	// Instead, tokens can be requested directly using the TokenRequest API, or service account token secrets can be manually created.
 	Secrets []ObjectReference

api/openapi-spec/v3/api__v1_openapi.json

@@ -18,13 +18,15 @@ package serviceaccount
 
 import (
 	"context"
+	"fmt"
 
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/apiserver/pkg/storage/names"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
 	api "k8s.io/kubernetes/pkg/apis/core"
 	"k8s.io/kubernetes/pkg/apis/core/validation"
+	sa "k8s.io/kubernetes/plugin/pkg/admission/serviceaccount"
 )
 
 // strategy implements behavior for ServiceAccount objects
@@ -50,7 +52,9 @@ func (strategy) Validate(ctx context.Context, obj runtime.Object) field.ErrorLis
 }
 
 // WarningsOnCreate returns warnings for the creation of the given object.
-func (strategy) WarningsOnCreate(ctx context.Context, obj runtime.Object) []string { return nil }
+func (strategy) WarningsOnCreate(ctx context.Context, obj runtime.Object) []string {
+	return warnIfHasEnforceMountableSecretsAnnotation(obj.(*api.ServiceAccount), nil)
+}
 
 // Canonicalize normalizes the object after validation.
 func (strategy) Canonicalize(obj runtime.Object) {
@@ -76,9 +80,24 @@ func (strategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object) fie
 
 // WarningsOnUpdate returns warnings for the given update.
 func (strategy) WarningsOnUpdate(ctx context.Context, obj, old runtime.Object) []string {
-	return nil
+	return warnIfHasEnforceMountableSecretsAnnotation(obj.(*api.ServiceAccount), old.(*api.ServiceAccount))
 }
 
 func (strategy) AllowUnconditionalUpdate() bool {
 	return true
 }
+
+func warnIfHasEnforceMountableSecretsAnnotation(serviceAccount, oldServiceAccount *api.ServiceAccount) []string {
+	if oldServiceAccount != nil {
+		_, ok := oldServiceAccount.Annotations[sa.EnforceMountableSecretsAnnotation]
+		if ok {
+			// skip warning if request isn't newly setting the annotation
+			return nil
+		}
+	}
+	_, ok := serviceAccount.Annotations[sa.EnforceMountableSecretsAnnotation]
+	if ok {
+		return []string{fmt.Sprintf("metadata.annotations[%s]: deprecated in v1.32+; prefer separate namespaces to isolate access to mounted secrets", sa.EnforceMountableSecretsAnnotation)}
+	}
+	return nil
+}

pkg/apis/core/types.go

@@ -0,0 +1,63 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package serviceaccount
+
+import (
+	"context"
+	"fmt"
+	"testing"
+
+	api "k8s.io/kubernetes/pkg/apis/core"
+	sa "k8s.io/kubernetes/plugin/pkg/admission/serviceaccount"
+)
+
+func TestWarningsOnCreate(t *testing.T) {
+	ctx := context.TODO()
+	serviceAccount := &api.ServiceAccount{}
+
+	warnings := Strategy.WarningsOnCreate(ctx, serviceAccount)
+	if len(warnings) != 0 {
+		t.Errorf("expected no warnings, got %v", warnings)
+	}
+	serviceAccount.Annotations = map[string]string{sa.EnforceMountableSecretsAnnotation: "true"}
+	warnings = Strategy.WarningsOnCreate(ctx, serviceAccount)
+	if len(warnings) != 1 || warnings[0] != fmt.Sprintf("metadata.annotations[%s]: deprecated in v1.32+; prefer separate namespaces to isolate access to mounted secrets", sa.EnforceMountableSecretsAnnotation) {
+		t.Errorf("expected warnings, got %v", warnings)
+	}
+}
+
+func TestWarningsOnUpdate(t *testing.T) {
+	ctx := context.TODO()
+	serviceAccount := &api.ServiceAccount{}
+	oldServiceAccount := &api.ServiceAccount{}
+
+	warnings := Strategy.WarningsOnUpdate(ctx, serviceAccount, oldServiceAccount)
+	if len(warnings) != 0 {
+		t.Errorf("expected no warnings, got %v", warnings)
+	}
+	serviceAccount.Annotations = map[string]string{sa.EnforceMountableSecretsAnnotation: "true"}
+	warnings = Strategy.WarningsOnUpdate(ctx, serviceAccount, oldServiceAccount)
+	if len(warnings) != 1 || warnings[0] != fmt.Sprintf("metadata.annotations[%s]: deprecated in v1.32+; prefer separate namespaces to isolate access to mounted secrets", sa.EnforceMountableSecretsAnnotation) {
+		t.Errorf("expected warnings, got %v", warnings)
+	}
+
+	oldServiceAccount.Annotations = map[string]string{sa.EnforceMountableSecretsAnnotation: "true"}
+	warnings = Strategy.WarningsOnUpdate(ctx, serviceAccount, oldServiceAccount)
+	if len(warnings) != 0 {
+		t.Errorf("expected no warnings if request isn't newly setting the annotation, got %v", warnings)
+	}
+}

pkg/generated/openapi/zz_generated.openapi.go

@@ -5736,6 +5736,8 @@ type ServiceAccount struct {
 
 	// Secrets is a list of the secrets in the same namespace that pods running using this ServiceAccount are allowed to use.
 	// Pods are only limited to this list if this service account has a "kubernetes.io/enforce-mountable-secrets" annotation set to "true".
+	// The "kubernetes.io/enforce-mountable-secrets" annotation is deprecated since v1.32.
+	// Prefer separate namespaces to isolate access to mounted secrets.
 	// This field should not be used to find auto-generated service account token secrets for use outside of pods.
 	// Instead, tokens can be requested directly using the TokenRequest API, or service account token secrets can be manually created.
 	// More info: https://kubernetes.io/docs/concepts/configuration/secret

pkg/registry/core/serviceaccount/strategy.go

@@ -9630,7 +9630,7 @@
           "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"
         },
         "secrets": {
-          "description": "Secrets is a list of the secrets in the same namespace that pods running using this ServiceAccount are allowed to use. Pods are only limited to this list if this service account has a \"kubernetes.io/enforce-mountable-secrets\" annotation set to \"true\". This field should not be used to find auto-generated service account token secrets for use outside of pods. Instead, tokens can be requested directly using the TokenRequest API, or service account token secrets can be manually created. More info: https://kubernetes.io/docs/concepts/configuration/secret",
+          "description": "Secrets is a list of the secrets in the same namespace that pods running using this ServiceAccount are allowed to use. Pods are only limited to this list if this service account has a \"kubernetes.io/enforce-mountable-secrets\" annotation set to \"true\". The \"kubernetes.io/enforce-mountable-secrets\" annotation is deprecated since v1.32. Prefer separate namespaces to isolate access to mounted secrets. This field should not be used to find auto-generated service account token secrets for use outside of pods. Instead, tokens can be requested directly using the TokenRequest API, or service account token secrets can be manually created. More info: https://kubernetes.io/docs/concepts/configuration/secret",
           "items": {
             "$ref": "#/definitions/io.k8s.api.core.v1.ObjectReference"
           },