
Commit 2cb951d

authored
Merge pull request kubernetes#91921 from mtaufen/said-beta
Graduate ServiceAccountIssuerDiscovery to beta
2 parents a33f6b4 + 4f850f9 commit 2cb951d

3 files changed

+34
-1
lines changed

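--- a/pkg/features/kube_features.go
+++ b/pkg/features/kube_features.go
@@ -230,6 +230,7 @@ const (
 
 // owner: @mtaufen
 // alpha: v1.18
+// beta: v1.20
 //
 // Enable OIDC discovery endpoints (issuer and JWKS URLs) for the service
 // account issuer in the API server.
@@ -682,7 +683,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
 TokenRequest: {Default: true, PreRelease: featuregate.Beta},
 TokenRequestProjection: {Default: true, PreRelease: featuregate.Beta},
 BoundServiceAccountTokenVolume: {Default: false, PreRelease: featuregate.Alpha},
-ServiceAccountIssuerDiscovery: {Default: false, PreRelease: featuregate.Alpha},
+ServiceAccountIssuerDiscovery: {Default: true, PreRelease: featuregate.Beta},
 CRIContainerLogRotation: {Default: true, PreRelease: featuregate.Beta},
 CSIMigration: {Default: true, PreRelease: featuregate.Beta},
 CSIMigrationGCE: {Default: false, PreRelease: featuregate.Beta}, // Off by default (requires GCE PD CSI Driver)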
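Review bot: With `ServiceAccountIssuerDiscovery` now `{Default: true, PreRelease: featuregate.Beta}`, the gate's doc comment in the first hunk should tell operators who can reach the endpoints, since it still only describes what the feature enables. I would add a line such as `// Access is granted through the system:service-account-issuer-discovery ClusterRole, bound by default to system:serviceaccounts.` under the existing description. That wording is taken from the RBAC fixtures changed in this commit; the policy code that generates them is not visible here, so confirm it before merging. The `const` block and the `defaultKubernetesFeatureGates` map both continue outside the hunks.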

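--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml
@@ -169,6 +169,23 @@ items:
 - apiGroup: rbac.authorization.k8s.io
 kind: Group
 name: system:unauthenticated
+- apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+annotations:
+rbac.authorization.kubernetes.io/autoupdate: "true"
+creationTimestamp: null
+labels:
+kubernetes.io/bootstrapping: rbac-defaults
+name: system:service-account-issuer-discovery
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: system:service-account-issuer-discovery
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+kind: Group
+name: system:serviceaccounts
 - apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata: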
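Review bot: The new `system:service-account-issuer-discovery` binding carries `rbac.authorization.kubernetes.io/autoupdate: "true"`, so an operator who removes the `system:serviceaccounts` subject by hand should expect the bootstrap reconciler to add it back at the next API server start unless that annotation is set to `"false"`; the release note for this graduation should say so. The subject is the group of all service accounts in every namespace, which is a cluster-wide grant that arrives on upgrade without any operator action. The policy source that produces this fixture is not part of the visible diff, so confirm there that the role and binding are only created when the feature gate is enabled.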

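--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
@@ -1220,6 +1220,21 @@ items:
 - /version/
 verbs:
 - get
+- apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+annotations:
+rbac.authorization.kubernetes.io/autoupdate: "true"
+creationTimestamp: null
+labels:
+kubernetes.io/bootstrapping: rbac-defaults
+name: system:service-account-issuer-discovery
+rules:
+- nonResourceURLs:
+- /.well-known/openid-configuration
+- /openid/v1/jwks
+verbs:
+- get
 - apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata: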
