Merge pull request #125238 from munnerz/kep-4193-nodebinding-beta

KEP-4193: promote ServiceAccountTokenNodeBinding feature to beta
2024-05-31 12:27:18 -07:00
parent 723c269641 5481e630de
commit 790dfdbe38
3 changed files with 12 additions and 22 deletions
--- a/pkg/features/kube_features.go
+++ b/pkg/features/kube_features.go
@@ -699,6 +699,7 @@ const (
 	// owner: @munnerz
 	// kep: http://kep.k8s.io/4193
 	// alpha: v1.29
+	// beta: v1.31
 	//
 	// Controls whether the apiserver supports binding service account tokens to Node objects.
 	ServiceAccountTokenNodeBinding featuregate.Feature = "ServiceAccountTokenNodeBinding"
@@ -1139,7 +1140,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS

 	ServiceAccountTokenPodNodeInfo: {Default: true, PreRelease: featuregate.Beta},

-	ServiceAccountTokenNodeBinding: {Default: false, PreRelease: featuregate.Alpha},
+	ServiceAccountTokenNodeBinding: {Default: true, PreRelease: featuregate.Beta},

 	ServiceAccountTokenNodeBindingValidation: {Default: true, PreRelease: featuregate.Beta},

--- a/staging/src/k8s.io/kubectl/pkg/cmd/create/create_token.go
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/create/create_token.go
@@ -19,7 +19,6 @@ package create
 import (
 	"context"
 	"fmt"
-	"os"
 	"strings"
 	"time"

@@ -103,10 +102,9 @@ func boundObjectKindToAPIVersions() map[string]string {
 	kinds := map[string]string{
 		"Pod":    "v1",
 		"Secret": "v1",
+		"Node":   "v1",
 	}
-	if os.Getenv("KUBECTL_NODE_BOUND_TOKENS") == "true" {
-		kinds["Node"] = "v1"
-	}
+
 	return kinds
 }

--- a/staging/src/k8s.io/kubectl/pkg/cmd/create/create_token_test.go
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/create/create_token_test.go
@@ -21,7 +21,6 @@ import (
 	"encoding/json"
 	"io"
 	"net/http"
-	"os"
 	"reflect"
 	"testing"
 	"time"
@@ -54,8 +53,6 @@ func TestCreateToken(t *testing.T) {
 		audiences       []string
 		duration        time.Duration

-		enableNodeBindingFeature bool
-
 		serverResponseToken string
 		serverResponseError string

@@ -118,14 +115,13 @@ status:
 			test:            "bad bound object kind",
 			name:            "mysa",
 			boundObjectKind: "Foo",
-			expectStderr:    `error: supported --bound-object-kind values are Pod, Secret`,
+			expectStderr:    `error: supported --bound-object-kind values are Node, Pod, Secret`,
 		},
 		{
-			test:                     "bad bound object kind (node feature enabled)",
-			name:                     "mysa",
-			enableNodeBindingFeature: true,
-			boundObjectKind:          "Foo",
-			expectStderr:             `error: supported --bound-object-kind values are Node, Pod, Secret`,
+			test:            "bad bound object kind (node feature enabled)",
+			name:            "mysa",
+			boundObjectKind: "Foo",
+			expectStderr:    `error: supported --bound-object-kind values are Node, Pod, Secret`,
 		},
 		{
 			test:            "missing bound object name",
@@ -172,10 +168,9 @@ status:
 			test: "valid bound object (Node)",
 			name: "mysa",

-			enableNodeBindingFeature: true,
-			boundObjectKind:          "Node",
-			boundObjectName:          "mynode",
-			boundObjectUID:           "myuid",
+			boundObjectKind: "Node",
+			boundObjectName: "mynode",
+			boundObjectUID:  "myuid",

 			expectRequestPath: "/api/v1/namespaces/test/serviceaccounts/mysa/token",
 			expectTokenRequest: &authenticationv1.TokenRequest{
@@ -367,10 +362,6 @@ status:
 			if test.duration != 0 {
 				cmd.Flags().Set("duration", test.duration.String())
 			}
-			if test.enableNodeBindingFeature {
-				os.Setenv("KUBECTL_NODE_BOUND_TOKENS", "true")
-				defer os.Unsetenv("KUBECTL_NODE_BOUND_TOKENS")
-			}
 			cmd.Run(cmd, []string{test.name})

 			if !reflect.DeepEqual(tokenRequest, test.expectTokenRequest) {