diff --git a/cmd/kube-apiserver/app/options/validation.go b/cmd/kube-apiserver/app/options/validation.go index d0b1bd0ada..579bcf3dc4 100644 --- a/cmd/kube-apiserver/app/options/validation.go +++ b/cmd/kube-apiserver/app/options/validation.go @@ -68,14 +68,6 @@ func validateTokenRequest(options *ServerRunOptions) []error { errs = append(errs, errors.New("the TokenRequest feature is not enabled but --service-account-signing-key-file, --service-account-issuer and/or --api-audiences flags were passed")) } - if utilfeature.DefaultFeatureGate.Enabled(features.BoundServiceAccountTokenVolume) && !utilfeature.DefaultFeatureGate.Enabled(features.TokenRequest) { - errs = append(errs, errors.New("the BoundServiceAccountTokenVolume feature depends on the TokenRequest feature, but the TokenRequest features is not enabled")) - } - - if !enableAttempted && utilfeature.DefaultFeatureGate.Enabled(features.BoundServiceAccountTokenVolume) { - errs = append(errs, errors.New("--service-account-signing-key-file and --service-account-issuer are required flags")) - } - if enableAttempted && !enableSucceeded { errs = append(errs, errors.New("--service-account-signing-key-file, --service-account-issuer, and --api-audiences should be specified together")) } diff --git a/cmd/kube-controller-manager/app/certificates.go b/cmd/kube-controller-manager/app/certificates.go index 752e2c5a1b..22f331c8c2 100644 --- a/cmd/kube-controller-manager/app/certificates.go +++ b/cmd/kube-controller-manager/app/certificates.go @@ -29,13 +29,10 @@ import ( "net/http" "k8s.io/apimachinery/pkg/runtime/schema" - utilfeature "k8s.io/apiserver/pkg/util/feature" kubeoptions "k8s.io/kubernetes/cmd/kube-controller-manager/app/options" "k8s.io/kubernetes/pkg/controller/certificates/approver" "k8s.io/kubernetes/pkg/controller/certificates/cleaner" - "k8s.io/kubernetes/pkg/controller/certificates/rootcacertpublisher" "k8s.io/kubernetes/pkg/controller/certificates/signer" - "k8s.io/kubernetes/pkg/features" ) func startCSRSigningController(ctx ControllerContext) (http.Handler, bool, error) { @@ -125,31 +122,5 @@ func startCSRCleanerController(ctx ControllerContext) (http.Handler, bool, error } func startRootCACertPublisher(ctx ControllerContext) (http.Handler, bool, error) { - if !utilfeature.DefaultFeatureGate.Enabled(features.BoundServiceAccountTokenVolume) { - return nil, false, nil - } - - var ( - rootCA []byte - err error - ) - if ctx.ComponentConfig.SAController.RootCAFile != "" { - if rootCA, err = readCA(ctx.ComponentConfig.SAController.RootCAFile); err != nil { - return nil, true, fmt.Errorf("error parsing root-ca-file at %s: %v", ctx.ComponentConfig.SAController.RootCAFile, err) - } - } else { - rootCA = ctx.ClientBuilder.ConfigOrDie("root-ca-cert-publisher").CAData - } - - sac, err := rootcacertpublisher.NewPublisher( - ctx.InformerFactory.Core().V1().ConfigMaps(), - ctx.InformerFactory.Core().V1().Namespaces(), - ctx.ClientBuilder.ClientOrDie("root-ca-cert-publisher"), - rootCA, - ) - if err != nil { - return nil, true, fmt.Errorf("error creating root CA certificate publisher: %v", err) - } - go sac.Run(1, ctx.Stop) - return nil, true, nil + return nil, false, nil } diff --git a/pkg/controller/certificates/rootcacertpublisher/BUILD b/pkg/controller/certificates/rootcacertpublisher/BUILD deleted file mode 100644 index 343843a7e6..0000000000 --- a/pkg/controller/certificates/rootcacertpublisher/BUILD +++ /dev/null @@ -1,51 +0,0 @@ -load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test") - -go_library( - name = "go_default_library", - srcs = ["publisher.go"], - importpath = "k8s.io/kubernetes/pkg/controller/certificates/rootcacertpublisher", - visibility = ["//visibility:public"], - deps = [ - "//pkg/controller:go_default_library", - "//pkg/util/metrics:go_default_library", - "//staging/src/k8s.io/api/core/v1:go_default_library", - "//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library", - "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", - "//staging/src/k8s.io/apimachinery/pkg/util/runtime:go_default_library", - "//staging/src/k8s.io/apimachinery/pkg/util/wait:go_default_library", - "//staging/src/k8s.io/client-go/informers/core/v1:go_default_library", - "//staging/src/k8s.io/client-go/kubernetes:go_default_library", - "//staging/src/k8s.io/client-go/listers/core/v1:go_default_library", - "//staging/src/k8s.io/client-go/tools/cache:go_default_library", - "//staging/src/k8s.io/client-go/util/workqueue:go_default_library", - "//vendor/k8s.io/klog:go_default_library", - ], -) - -filegroup( - name = "package-srcs", - srcs = glob(["**"]), - tags = ["automanaged"], - visibility = ["//visibility:private"], -) - -filegroup( - name = "all-srcs", - srcs = [":package-srcs"], - tags = ["automanaged"], - visibility = ["//visibility:public"], -) - -go_test( - name = "go_default_test", - srcs = ["publisher_test.go"], - embed = [":go_default_library"], - deps = [ - "//pkg/controller:go_default_library", - "//staging/src/k8s.io/api/core/v1:go_default_library", - "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", - "//staging/src/k8s.io/apimachinery/pkg/util/diff:go_default_library", - "//staging/src/k8s.io/client-go/informers:go_default_library", - "//staging/src/k8s.io/client-go/kubernetes/fake:go_default_library", - ], -) diff --git a/pkg/controller/certificates/rootcacertpublisher/publisher.go b/pkg/controller/certificates/rootcacertpublisher/publisher.go deleted file mode 100644 index a0cde41e7a..0000000000 --- a/pkg/controller/certificates/rootcacertpublisher/publisher.go +++ /dev/null @@ -1,222 +0,0 @@ -/* -Copyright 2018 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package rootcacertpublisher - -import ( - "fmt" - "reflect" - "time" - - "k8s.io/api/core/v1" - apierrs "k8s.io/apimachinery/pkg/api/errors" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - utilruntime "k8s.io/apimachinery/pkg/util/runtime" - "k8s.io/apimachinery/pkg/util/wait" - coreinformers "k8s.io/client-go/informers/core/v1" - clientset "k8s.io/client-go/kubernetes" - corelisters "k8s.io/client-go/listers/core/v1" - "k8s.io/client-go/tools/cache" - "k8s.io/client-go/util/workqueue" - "k8s.io/klog" - "k8s.io/kubernetes/pkg/controller" - "k8s.io/kubernetes/pkg/util/metrics" -) - -// RootCACertConfigMapName is name of the configmap which stores certificates -// to access api-server -const RootCACertConfigMapName = "kube-root-ca.crt" - -// NewPublisher construct a new controller which would manage the configmap -// which stores certificates in each namespace. It will make sure certificate -// configmap exists in each namespace. -func NewPublisher(cmInformer coreinformers.ConfigMapInformer, nsInformer coreinformers.NamespaceInformer, cl clientset.Interface, rootCA []byte) (*Publisher, error) { - e := &Publisher{ - client: cl, - rootCA: rootCA, - queue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "root_ca_cert_publisher"), - } - if cl.CoreV1().RESTClient().GetRateLimiter() != nil { - if err := metrics.RegisterMetricAndTrackRateLimiterUsage("root_ca_cert_publisher", cl.CoreV1().RESTClient().GetRateLimiter()); err != nil { - return nil, err - } - } - - cmInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{ - DeleteFunc: e.configMapDeleted, - UpdateFunc: e.configMapUpdated, - }) - e.cmLister = cmInformer.Lister() - e.cmListerSynced = cmInformer.Informer().HasSynced - - nsInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{ - AddFunc: e.namespaceAdded, - UpdateFunc: e.namespaceUpdated, - }) - e.nsListerSynced = nsInformer.Informer().HasSynced - - e.syncHandler = e.syncNamespace - - return e, nil - -} - -// Publisher manages certificate ConfigMap objects inside Namespaces -type Publisher struct { - client clientset.Interface - rootCA []byte - - // To allow injection for testing. - syncHandler func(key string) error - - cmLister corelisters.ConfigMapLister - cmListerSynced cache.InformerSynced - - nsListerSynced cache.InformerSynced - - queue workqueue.RateLimitingInterface -} - -// Run starts process -func (c *Publisher) Run(workers int, stopCh <-chan struct{}) { - defer utilruntime.HandleCrash() - defer c.queue.ShutDown() - - klog.Infof("Starting root CA certificate configmap publisher") - defer klog.Infof("Shutting down root CA certificate configmap publisher") - - if !controller.WaitForCacheSync("crt configmap", stopCh, c.cmListerSynced) { - return - } - - for i := 0; i < workers; i++ { - go wait.Until(c.runWorker, time.Second, stopCh) - } - - <-stopCh -} - -func (c *Publisher) configMapDeleted(obj interface{}) { - cm, err := convertToCM(obj) - if err != nil { - utilruntime.HandleError(err) - return - } - if cm.Name != RootCACertConfigMapName { - return - } - c.queue.Add(cm.Namespace) -} - -func (c *Publisher) configMapUpdated(_, newObj interface{}) { - cm, err := convertToCM(newObj) - if err != nil { - utilruntime.HandleError(err) - return - } - if cm.Name != RootCACertConfigMapName { - return - } - c.queue.Add(cm.Namespace) -} - -func (c *Publisher) namespaceAdded(obj interface{}) { - namespace := obj.(*v1.Namespace) - c.queue.Add(namespace.Name) -} - -func (c *Publisher) namespaceUpdated(oldObj interface{}, newObj interface{}) { - newNamespace := newObj.(*v1.Namespace) - if newNamespace.Status.Phase != v1.NamespaceActive { - return - } - c.queue.Add(newNamespace.Name) -} - -func (c *Publisher) runWorker() { - for c.processNextWorkItem() { - } -} - -// processNextWorkItem deals with one key off the queue. It returns false when -// it's time to quit. -func (c *Publisher) processNextWorkItem() bool { - key, quit := c.queue.Get() - if quit { - return false - } - defer c.queue.Done(key) - - if err := c.syncHandler(key.(string)); err != nil { - utilruntime.HandleError(fmt.Errorf("syncing %q failed: %v", key, err)) - c.queue.AddRateLimited(key) - return true - } - - c.queue.Forget(key) - return true -} - -func (c *Publisher) syncNamespace(ns string) error { - startTime := time.Now() - defer func() { - klog.V(4).Infof("Finished syncing namespace %q (%v)", ns, time.Since(startTime)) - }() - - cm, err := c.cmLister.ConfigMaps(ns).Get(RootCACertConfigMapName) - switch { - case apierrs.IsNotFound(err): - _, err := c.client.CoreV1().ConfigMaps(ns).Create(&v1.ConfigMap{ - ObjectMeta: metav1.ObjectMeta{ - Name: RootCACertConfigMapName, - }, - Data: map[string]string{ - "ca.crt": string(c.rootCA), - }, - }) - return err - case err != nil: - return err - } - - data := map[string]string{ - "ca.crt": string(c.rootCA), - } - - if reflect.DeepEqual(cm.Data, data) { - return nil - } - - cm.Data = data - - _, err = c.client.CoreV1().ConfigMaps(ns).Update(cm) - return err -} - -func convertToCM(obj interface{}) (*v1.ConfigMap, error) { - cm, ok := obj.(*v1.ConfigMap) - if !ok { - tombstone, ok := obj.(cache.DeletedFinalStateUnknown) - if !ok { - return nil, fmt.Errorf("Couldn't get object from tombstone %#v", obj) - } - cm, ok = tombstone.Obj.(*v1.ConfigMap) - if !ok { - return nil, fmt.Errorf("Tombstone contained object that is not a ConfigMap %#v", obj) - } - } - return cm, nil -} diff --git a/pkg/controller/certificates/rootcacertpublisher/publisher_test.go b/pkg/controller/certificates/rootcacertpublisher/publisher_test.go deleted file mode 100644 index c38a4be40d..0000000000 --- a/pkg/controller/certificates/rootcacertpublisher/publisher_test.go +++ /dev/null @@ -1,177 +0,0 @@ -/* -Copyright 2018 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package rootcacertpublisher - -import ( - "reflect" - "testing" - - "k8s.io/api/core/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/util/diff" - "k8s.io/client-go/informers" - "k8s.io/client-go/kubernetes/fake" - "k8s.io/kubernetes/pkg/controller" -) - -func TestConfigMapCreation(t *testing.T) { - ns := metav1.NamespaceDefault - fakeRootCA := []byte("fake-root-ca") - - caConfigMap := defaultCrtConfigMapPtr(fakeRootCA) - addFieldCM := defaultCrtConfigMapPtr(fakeRootCA) - addFieldCM.Data["test"] = "test" - modifyFieldCM := defaultCrtConfigMapPtr([]byte("abc")) - otherConfigMap := &v1.ConfigMap{ - ObjectMeta: metav1.ObjectMeta{ - Name: "other", - Namespace: ns, - ResourceVersion: "1", - }, - } - updateOtherConfigMap := &v1.ConfigMap{ - ObjectMeta: metav1.ObjectMeta{ - Name: "other", - Namespace: ns, - ResourceVersion: "1", - }, - Data: map[string]string{"aa": "bb"}, - } - - existNS := &v1.Namespace{ - ObjectMeta: metav1.ObjectMeta{Name: ns}, - Status: v1.NamespaceStatus{ - Phase: v1.NamespaceActive, - }, - } - newNs := &v1.Namespace{ - ObjectMeta: metav1.ObjectMeta{Name: "new"}, - Status: v1.NamespaceStatus{ - Phase: v1.NamespaceActive, - }, - } - terminatingNS := &v1.Namespace{ - ObjectMeta: metav1.ObjectMeta{Name: ns}, - Status: v1.NamespaceStatus{ - Phase: v1.NamespaceTerminating, - }, - } - - type action struct { - verb string - name string - } - testcases := map[string]struct { - ExistingConfigMaps []*v1.ConfigMap - AddedNamespace *v1.Namespace - UpdatedNamespace *v1.Namespace - DeletedConfigMap *v1.ConfigMap - UpdatedConfigMap *v1.ConfigMap - ExpectActions []action - }{ - "create new namesapce": { - AddedNamespace: newNs, - ExpectActions: []action{{verb: "create", name: RootCACertConfigMapName}}, - }, - "delete other configmap": { - ExistingConfigMaps: []*v1.ConfigMap{otherConfigMap, caConfigMap}, - DeletedConfigMap: otherConfigMap, - }, - "delete ca configmap": { - ExistingConfigMaps: []*v1.ConfigMap{otherConfigMap, caConfigMap}, - DeletedConfigMap: caConfigMap, - ExpectActions: []action{{verb: "create", name: RootCACertConfigMapName}}, - }, - "update ca configmap with adding field": { - ExistingConfigMaps: []*v1.ConfigMap{caConfigMap}, - UpdatedConfigMap: addFieldCM, - ExpectActions: []action{{verb: "update", name: RootCACertConfigMapName}}, - }, - "update ca configmap with modifying field": { - ExistingConfigMaps: []*v1.ConfigMap{caConfigMap}, - UpdatedConfigMap: modifyFieldCM, - ExpectActions: []action{{verb: "update", name: RootCACertConfigMapName}}, - }, - "update with other configmap": { - ExistingConfigMaps: []*v1.ConfigMap{caConfigMap, otherConfigMap}, - UpdatedConfigMap: updateOtherConfigMap, - }, - "update namespace with terminating state": { - UpdatedNamespace: terminatingNS, - }, - } - - for k, tc := range testcases { - t.Run(k, func(t *testing.T) { - client := fake.NewSimpleClientset(caConfigMap, existNS) - informers := informers.NewSharedInformerFactory(fake.NewSimpleClientset(), controller.NoResyncPeriodFunc()) - cmInformer := informers.Core().V1().ConfigMaps() - nsInformer := informers.Core().V1().Namespaces() - controller, err := NewPublisher(cmInformer, nsInformer, client, fakeRootCA) - if err != nil { - t.Fatalf("error creating ServiceAccounts controller: %v", err) - } - - cmStore := cmInformer.Informer().GetStore() - - controller.syncHandler = controller.syncNamespace - - for _, s := range tc.ExistingConfigMaps { - cmStore.Add(s) - } - - if tc.AddedNamespace != nil { - controller.namespaceAdded(tc.AddedNamespace) - } - if tc.UpdatedNamespace != nil { - controller.namespaceUpdated(nil, tc.UpdatedNamespace) - } - - if tc.DeletedConfigMap != nil { - cmStore.Delete(tc.DeletedConfigMap) - controller.configMapDeleted(tc.DeletedConfigMap) - } - - if tc.UpdatedConfigMap != nil { - cmStore.Add(tc.UpdatedConfigMap) - controller.configMapUpdated(nil, tc.UpdatedConfigMap) - } - - for controller.queue.Len() != 0 { - controller.processNextWorkItem() - } - - actions := client.Actions() - if reflect.DeepEqual(actions, tc.ExpectActions) { - t.Errorf("Unexpected actions:\n%s", diff.ObjectGoPrintDiff(actions, tc.ExpectActions)) - } - }) - } -} - -func defaultCrtConfigMapPtr(rootCA []byte) *v1.ConfigMap { - tmp := v1.ConfigMap{ - ObjectMeta: metav1.ObjectMeta{ - Name: RootCACertConfigMapName, - }, - Data: map[string]string{ - "ca.crt": string(rootCA), - }, - } - tmp.Namespace = metav1.NamespaceDefault - return &tmp -} diff --git a/pkg/features/kube_features.go b/pkg/features/kube_features.go index 31f3939c50..8d7f9d07f3 100644 --- a/pkg/features/kube_features.go +++ b/pkg/features/kube_features.go @@ -215,14 +215,6 @@ const ( // Enable ServiceAccountTokenVolumeProjection support in ProjectedVolumes. TokenRequestProjection utilfeature.Feature = "TokenRequestProjection" - // owner: @mikedanese - // alpha: v1.13 - // - // Migrate ServiceAccount volumes to use a projected volume consisting of a - // ServiceAccountTokenVolumeProjection. This feature adds new required flags - // to the API server. - BoundServiceAccountTokenVolume utilfeature.Feature = "BoundServiceAccountTokenVolume" - // owner: @Random-Liu // beta: v1.11 // @@ -378,7 +370,6 @@ var defaultKubernetesFeatureGates = map[utilfeature.Feature]utilfeature.FeatureS ScheduleDaemonSetPods: {Default: true, PreRelease: utilfeature.Beta}, TokenRequest: {Default: true, PreRelease: utilfeature.Beta}, TokenRequestProjection: {Default: true, PreRelease: utilfeature.Beta}, - BoundServiceAccountTokenVolume: {Default: false, PreRelease: utilfeature.Alpha}, CRIContainerLogRotation: {Default: true, PreRelease: utilfeature.Beta}, cloudfeatures.GCERegionalPersistentDisk: {Default: true, PreRelease: utilfeature.GA}, CSIMigration: {Default: false, PreRelease: utilfeature.Alpha}, diff --git a/pkg/kubeapiserver/options/authentication.go b/pkg/kubeapiserver/options/authentication.go index 383717487a..deafb231f3 100644 --- a/pkg/kubeapiserver/options/authentication.go +++ b/pkg/kubeapiserver/options/authentication.go @@ -17,7 +17,6 @@ limitations under the License. package options import ( - "errors" "fmt" "net/url" "strings" @@ -30,9 +29,7 @@ import ( "k8s.io/apiserver/pkg/authentication/authenticator" genericapiserver "k8s.io/apiserver/pkg/server" genericoptions "k8s.io/apiserver/pkg/server/options" - utilfeature "k8s.io/apiserver/pkg/util/feature" cliflag "k8s.io/component-base/cli/flag" - "k8s.io/kubernetes/pkg/features" kubeauthenticator "k8s.io/kubernetes/pkg/kubeapiserver/authenticator" authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes" ) @@ -173,18 +170,6 @@ func (s *BuiltInAuthenticationOptions) Validate() []error { allErrors = append(allErrors, fmt.Errorf("service-account-issuer contained a ':' but was not a valid URL: %v", err)) } } - if s.ServiceAccounts != nil && utilfeature.DefaultFeatureGate.Enabled(features.BoundServiceAccountTokenVolume) { - if !utilfeature.DefaultFeatureGate.Enabled(features.TokenRequest) || !utilfeature.DefaultFeatureGate.Enabled(features.TokenRequestProjection) { - allErrors = append(allErrors, errors.New("If the BoundServiceAccountTokenVolume feature is enabled,"+ - " the TokenRequest and TokenRequestProjection features must also be enabled")) - } - if len(s.ServiceAccounts.Issuer) == 0 { - allErrors = append(allErrors, errors.New("service-account-issuer is a required flag when BoundServiceAccountTokenVolume is enabled")) - } - if len(s.ServiceAccounts.KeyFiles) == 0 { - allErrors = append(allErrors, errors.New("service-account-key-file is a required flag when BoundServiceAccountTokenVolume is enabled")) - } - } return allErrors } diff --git a/plugin/pkg/admission/serviceaccount/admission.go b/plugin/pkg/admission/serviceaccount/admission.go index 17496491b5..ce2e4dd7d4 100644 --- a/plugin/pkg/admission/serviceaccount/admission.go +++ b/plugin/pkg/admission/serviceaccount/admission.go @@ -21,7 +21,6 @@ import ( "io" "math/rand" "strconv" - "strings" "time" corev1 "k8s.io/api/core/v1" @@ -39,7 +38,6 @@ import ( corev1listers "k8s.io/client-go/listers/core/v1" podutil "k8s.io/kubernetes/pkg/api/pod" api "k8s.io/kubernetes/pkg/apis/core" - kubefeatures "k8s.io/kubernetes/pkg/features" "k8s.io/kubernetes/pkg/serviceaccount" ) @@ -431,28 +429,21 @@ func (s *serviceAccount) mountServiceAccountToken(serviceAccount *corev1.Service // Find the volume and volume name for the ServiceAccountTokenSecret if it already exists tokenVolumeName := "" - hasTokenVolume := false allVolumeNames := sets.NewString() for _, volume := range pod.Spec.Volumes { allVolumeNames.Insert(volume.Name) - if (!s.featureGate.Enabled(kubefeatures.BoundServiceAccountTokenVolume) && volume.Secret != nil && volume.Secret.SecretName == serviceAccountToken) || - (s.featureGate.Enabled(kubefeatures.BoundServiceAccountTokenVolume) && strings.HasPrefix(volume.Name, ServiceAccountVolumeName+"-")) { + if volume.Secret != nil && volume.Secret.SecretName == serviceAccountToken { tokenVolumeName = volume.Name - hasTokenVolume = true break } } // Determine a volume name for the ServiceAccountTokenSecret in case we need it if len(tokenVolumeName) == 0 { - if s.featureGate.Enabled(kubefeatures.BoundServiceAccountTokenVolume) { - tokenVolumeName = s.generateName(ServiceAccountVolumeName + "-") - } else { - // Try naming the volume the same as the serviceAccountToken, and uniquify if needed - tokenVolumeName = serviceAccountToken - if allVolumeNames.Has(tokenVolumeName) { - tokenVolumeName = s.generateName(fmt.Sprintf("%s-", serviceAccountToken)) - } + // Try naming the volume the same as the serviceAccountToken, and uniquify if needed + tokenVolumeName = serviceAccountToken + if allVolumeNames.Has(tokenVolumeName) { + tokenVolumeName = s.generateName(fmt.Sprintf("%s-", serviceAccountToken)) } } @@ -495,56 +486,13 @@ func (s *serviceAccount) mountServiceAccountToken(serviceAccount *corev1.Service } // Add the volume if a container needs it - if !hasTokenVolume && needsTokenVolume { + if needsTokenVolume { pod.Spec.Volumes = append(pod.Spec.Volumes, s.createVolume(tokenVolumeName, serviceAccountToken)) } return nil } func (s *serviceAccount) createVolume(tokenVolumeName, secretName string) api.Volume { - if s.featureGate.Enabled(kubefeatures.BoundServiceAccountTokenVolume) { - return api.Volume{ - Name: tokenVolumeName, - VolumeSource: api.VolumeSource{ - Projected: &api.ProjectedVolumeSource{ - Sources: []api.VolumeProjection{ - { - ServiceAccountToken: &api.ServiceAccountTokenProjection{ - Path: "token", - ExpirationSeconds: 60 * 60, - }, - }, - { - ConfigMap: &api.ConfigMapProjection{ - LocalObjectReference: api.LocalObjectReference{ - Name: "kube-root-ca.crt", - }, - Items: []api.KeyToPath{ - { - Key: "ca.crt", - Path: "ca.crt", - }, - }, - }, - }, - { - DownwardAPI: &api.DownwardAPIProjection{ - Items: []api.DownwardAPIVolumeFile{ - { - Path: "namespace", - FieldRef: &api.ObjectFieldSelector{ - APIVersion: "v1", - FieldPath: "metadata.namespace", - }, - }, - }, - }, - }, - }, - }, - }, - } - } return api.Volume{ Name: tokenVolumeName, VolumeSource: api.VolumeSource{ diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go index 8bc92748e0..c8aea053ad 100644 --- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go +++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go @@ -347,16 +347,6 @@ func buildControllerRoles() ([]rbacv1.ClusterRole, []rbacv1.ClusterRoleBinding) }, }) - if utilfeature.DefaultFeatureGate.Enabled(features.BoundServiceAccountTokenVolume) { - addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{ - ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "root-ca-cert-publisher"}, - Rules: []rbacv1.PolicyRule{ - rbacv1helpers.NewRule("create", "update").Groups(legacyGroup).Resources("configmaps").RuleOrDie(), - eventsRule(), - }, - }) - } - return controllerRoles, controllerRoleBindings }