From 71d77b54fd593458993f4521f2f5eba9b94633f5 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Thu, 4 Jun 2020 12:10:39 -0400
Subject: [PATCH] Promote RotateKubeletClientCertificate to GA

---
 cmd/kubelet/app/server.go | 2 +-
 pkg/features/kube_features.go | 3 ++-
 pkg/kubelet/apis/config/types.go | 3 +--
 pkg/kubelet/apis/config/validation/validation.go | 3 ---
 staging/src/k8s.io/kubelet/config/v1beta1/types.go | 3 +--
 5 files changed, 5 insertions(+), 9 deletions(-)

diff --git a/cmd/kubelet/app/server.go b/cmd/kubelet/app/server.go
index ebd220c44e8..fa441a1449e 100644
--- a/cmd/kubelet/app/server.go
+++ b/cmd/kubelet/app/server.go
@@ -806,7 +806,7 @@ func run(s *options.KubeletServer, kubeDeps *kubelet.Dependencies, featureGate f
 // buildKubeletClientConfig constructs the appropriate client config for the kubelet depending on whether
 // bootstrapping is enabled or client certificate rotation is enabled.
 func buildKubeletClientConfig(s *options.KubeletServer, nodeName types.NodeName) (*restclient.Config, func(), error) {
- if s.RotateCertificates && utilfeature.DefaultFeatureGate.Enabled(features.RotateKubeletClientCertificate) {
+ if s.RotateCertificates {
 // Rules for client rotation and the handling of kube config files:
 //
 // 1. If the client provides only a kubeconfig file, we must use that as the initial client
diff --git a/pkg/features/kube_features.go b/pkg/features/kube_features.go
index eb909645dfe..4ab105bdaf5 100644
--- a/pkg/features/kube_features.go
+++ b/pkg/features/kube_features.go
@@ -78,6 +78,7 @@ const (
 
 // owner: @mikedanese
 // beta: v1.8
+ // ga: v1.19
 //
 // Automatically renews the client certificate used for communicating with
 // the API server as the certificate approaches expiration.
@@ -593,7 +594,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
 DevicePlugins: {Default: true, PreRelease: featuregate.Beta},
 TaintBasedEvictions: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.19
 RotateKubeletServerCertificate: {Default: true, PreRelease: featuregate.Beta},
- RotateKubeletClientCertificate: {Default: true, PreRelease: featuregate.Beta},
+ RotateKubeletClientCertificate: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.20
 LocalStorageCapacityIsolation: {Default: true, PreRelease: featuregate.Beta},
 Sysctls: {Default: true, PreRelease: featuregate.Beta},
 EphemeralContainers: {Default: false, PreRelease: featuregate.Alpha},
diff --git a/pkg/kubelet/apis/config/types.go b/pkg/kubelet/apis/config/types.go
index bcafb460b50..19c739eada6 100644
--- a/pkg/kubelet/apis/config/types.go
+++ b/pkg/kubelet/apis/config/types.go
@@ -122,8 +122,7 @@ type KubeletConfiguration struct {
 TLSMinVersion string
 // rotateCertificates enables client certificate rotation. The Kubelet will request a
 // new certificate from the certificates.k8s.io API. This requires an approver to approve the
- // certificate signing requests. The RotateKubeletClientCertificate feature
- // must be enabled.
+ // certificate signing requests.
 RotateCertificates bool
 // serverTLSBootstrap enables server certificate bootstrap. Instead of self
 // signing a serving certificate, the Kubelet will request a certificate from
diff --git a/pkg/kubelet/apis/config/validation/validation.go b/pkg/kubelet/apis/config/validation/validation.go
index 0e87f89aec5..5e4d37f03fa 100644
--- a/pkg/kubelet/apis/config/validation/validation.go
+++ b/pkg/kubelet/apis/config/validation/validation.go
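Review bot: On the new `RotateKubeletClientCertificate` entry in `defaultKubernetesFeatureGates`, `LockToDefault: true` is set in the same release as the promotion to GA, so a kubelet that still passes `RotateKubeletClientCertificate=false` will presumably be refused by the featuregate package at startup rather than having the setting ignored. A node that fails to start after an upgrade drops out of the cluster, so this deserves an action-required release note and a fuller trailing comment, for example `// GA in 1.19, locked to true; explicit =false is rejected; remove in 1.20`. From this commit on, `rotateCertificates` is the only switch for client certificate rotation while the neighbouring `RotateKubeletServerCertificate` gate stays Beta, so the two options no longer behave alike and the same note should say so.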
@@ -110,9 +110,6 @@ func ValidateKubeletConfiguration(kc *kubeletconfig.KubeletConfiguration) error
 if kc.RegistryPullQPS < 0 {
 allErrors = append(allErrors, fmt.Errorf("invalid configuration: RegistryPullQPS (--registry-qps) %v must not be a negative number", kc.RegistryPullQPS))
 }
- if kc.RotateCertificates && !localFeatureGate.Enabled(features.RotateKubeletClientCertificate) {
- allErrors = append(allErrors, fmt.Errorf("invalid configuration: RotateCertificates %v requires feature gate RotateKubeletClientCertificate", kc.RotateCertificates))
- }
 if kc.ServerTLSBootstrap && !localFeatureGate.Enabled(features.RotateKubeletServerCertificate) {
 allErrors = append(allErrors, fmt.Errorf("invalid configuration: ServerTLSBootstrap %v requires feature gate RotateKubeletServerCertificate", kc.ServerTLSBootstrap))
 }
diff --git a/staging/src/k8s.io/kubelet/config/v1beta1/types.go b/staging/src/k8s.io/kubelet/config/v1beta1/types.go
index 5c61c130dd6..3336821a110 100644
--- a/staging/src/k8s.io/kubelet/config/v1beta1/types.go
+++ b/staging/src/k8s.io/kubelet/config/v1beta1/types.go
@@ -177,8 +177,7 @@ type KubeletConfiguration struct {
 TLSMinVersion string `json:"tlsMinVersion,omitempty"`
 // rotateCertificates enables client certificate rotation. The Kubelet will request a
 // new certificate from the certificates.k8s.io API. This requires an approver to approve the
- // certificate signing requests. The RotateKubeletClientCertificate feature
- // must be enabled.
+ // certificate signing requests.
 // Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
 // disabling it may disrupt the Kubelet's ability to authenticate with the API server
 // after the current certificate expires.