Rearranged feature flags

pkg/controller/volume/attachdetach/attach_detach_controller.go

@@ -148,8 +148,11 @@ func NewAttachDetachController(
 	}
 
 	// Install required CSI CRDs on API server
-	if utilfeature.DefaultFeatureGate.Enabled(features.CSICRDAutoInstall) {
+	if utilfeature.DefaultFeatureGate.Enabled(features.CSIDriverRegistry) {
-		adc.installCRDs()
+		adc.installCSIDriverCRD()
+	}
+	if utilfeature.DefaultFeatureGate.Enabled(features.CSINodeInfo) {
+		adc.installCSINodeInfoCRD()
 	}
 
 	if err := adc.volumePluginMgr.InitPlugins(plugins, prober, adc); err != nil {
@@ -667,8 +670,7 @@ func (adc *attachDetachController) processVolumesInUse(
 	}
 }
 
-// installCRDs creates the specified CustomResourceDefinition for the CSIDrivers object.
+func (adc *attachDetachController) installCSIDriverCRD() error {
-func (adc *attachDetachController) installCRDs() error {
 	crd := &apiextensionsv1beta1.CustomResourceDefinition{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: csiapiv1alpha1.CsiDriverResourcePlural + "." + csiapiv1alpha1.GroupName,
@@ -697,7 +699,12 @@ func (adc *attachDetachController) installCRDs() error {
 		return err
 	}
 
-	crd = &apiextensionsv1beta1.CustomResourceDefinition{
+	return nil
+}
+
+// installCRDs creates the specified CustomResourceDefinition for the CSIDrivers object.
+func (adc *attachDetachController) installCSINodeInfoCRD() error {
+	crd := &apiextensionsv1beta1.CustomResourceDefinition{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: csiapiv1alpha1.CsiNodeInfoResourcePlural + "." + csiapiv1alpha1.GroupName,
 		},
@@ -711,7 +718,7 @@ func (adc *attachDetachController) installCRDs() error {
 			},
 		},
 	}
-	res, err = adc.crdClient.ApiextensionsV1beta1().CustomResourceDefinitions().Create(crd)
+	res, err := adc.crdClient.ApiextensionsV1beta1().CustomResourceDefinitions().Create(crd)
 
 	if err == nil {
 		glog.Infof("CSINodeInfo CRD created successfully: %#v",

pkg/features/kube_features.go

@@ -207,8 +207,13 @@ const (
 
 	// owner: @saad-ali
 	// alpha: v1.12
-	// Enable automatic installation of CRD for csi.storage.k8s.io API objects.
+	// Enable all logic related to the CSIDriver API object in csi.storage.k8s.io
-	CSICRDAutoInstall utilfeature.Feature = "CSICRDAutoInstall"
+	CSIDriverRegistry utilfeature.Feature = "CSIDriverRegistry"
+
+	// owner: @verult
+	// alpha: v1.12
+	// Enable all logic related to the CSINodeInfo API object in csi.storage.k8s.io
+	CSINodeInfo utilfeature.Feature = "CSINodeInfo"
 
 	// owner @MrHohn
 	// beta: v1.10
@@ -434,7 +439,8 @@ var defaultKubernetesFeatureGates = map[utilfeature.Feature]utilfeature.FeatureS
 	MountContainers:                             {Default: false, PreRelease: utilfeature.Alpha},
 	VolumeScheduling:                            {Default: true, PreRelease: utilfeature.Beta},
 	CSIPersistentVolume:                         {Default: true, PreRelease: utilfeature.Beta},
-	CSICRDAutoInstall:                           {Default: false, PreRelease: utilfeature.Alpha},
+	CSIDriverRegistry:                           {Default: false, PreRelease: utilfeature.Alpha},
+	CSINodeInfo:                                 {Default: false, PreRelease: utilfeature.Alpha},
 	CustomPodDNS:                                {Default: true, PreRelease: utilfeature.Beta},
 	BlockVolume:                                 {Default: false, PreRelease: utilfeature.Alpha},
 	StorageObjectInUseProtection:                {Default: true, PreRelease: utilfeature.GA},

pkg/volume/csi/csi_plugin.go

@@ -142,8 +142,6 @@ func (h *RegistrationHandler) RegisterPlugin(pluginName string, endpoint string)
 		return fmt.Errorf("error during CSI NodeGetInfo() call: %v", err)
 	}
 
-	// Calling nodeLabelManager to update annotations and labels for newly registered CSI driver
-	// err = nodeUpdater.AddLabelsAndLimits(pluginName, driverNodeID, maxVolumePerNode) // TODO (verult) merge
 	err = nim.AddNodeInfo(pluginName, driverNodeID, maxVolumePerNode, accessibleTopology)
 	if err != nil {
 		unregisterDriver(pluginName)

pkg/volume/csi/nodeinfomanager/BUILD

@@ -44,11 +44,13 @@ go_test(
     embed = [":go_default_library"],
     deps = [
         "//pkg/apis/core/helper:go_default_library",
+        "//pkg/features:go_default_library",
         "//staging/src/k8s.io/api/core/v1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/types:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
         "//staging/src/k8s.io/client-go/kubernetes/fake:go_default_library",
         "//staging/src/k8s.io/csi-api/pkg/apis/csi/v1alpha1:go_default_library",
         "//staging/src/k8s.io/csi-api/pkg/client/clientset/versioned/fake:go_default_library",

pkg/volume/csi/nodeinfomanager/nodeinfomanager.go

@@ -91,24 +91,23 @@ func (nim *nodeInfoManager) AddNodeInfo(driverName string, driverNodeID string,
 		return fmt.Errorf("error adding CSI driver node info: driverNodeID must not be empty")
 	}
 
-	err := nim.updateNode(
+	nodeUpdateFuncs := []nodeUpdateFunc{
 		updateNodeIDInNode(driverName, driverNodeID),
 		updateMaxAttachLimit(driverName, maxAttachLimit),
-		updateTopologyLabels(topology),
+	}
-	)
+	if utilfeature.DefaultFeatureGate.Enabled(features.CSINodeInfo) {
+		nodeUpdateFuncs = append(nodeUpdateFuncs, updateTopologyLabels(topology))
+	}
+	err := nim.updateNode(nodeUpdateFuncs...)
 	if err != nil {
 		return fmt.Errorf("error updating Node object with CSI driver node info: %v", err)
 	}
 
-	err = nim.updateCSINodeInfo(driverName, driverNodeID, topology)
+	if utilfeature.DefaultFeatureGate.Enabled(features.CSINodeInfo) {
-	if err != nil {
+		err = nim.updateCSINodeInfo(driverName, driverNodeID, topology)
-		if utilfeature.DefaultFeatureGate.Enabled(features.CSICRDAutoInstall) {
+		if err != nil {
 			return fmt.Errorf("error updating CSINodeInfo object with CSI driver node info: %v", err)
 		}
-
-		// CSINodeInfo CRD doesn't exist. Log the error instead of triggering driver unregistration
-		// by returning the error.
-		glog.Errorf("Error updating CSINodeInfo object with CSI driver node info: %v", err)
 	}
 	return nil
 }

pkg/volume/csi/nodeinfomanager/nodeinfomanager_test.go

@@ -18,16 +18,19 @@ package nodeinfomanager
 
 import (
 	"encoding/json"
+	"fmt"
 	"github.com/container-storage-interface/spec/lib/go/csi/v0"
 	"k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/sets"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/kubernetes/fake"
 	csiv1alpha1 "k8s.io/csi-api/pkg/apis/csi/v1alpha1"
 	csifake "k8s.io/csi-api/pkg/client/clientset/versioned/fake"
 	"k8s.io/kubernetes/pkg/apis/core/helper"
+	"k8s.io/kubernetes/pkg/features"
 	"testing"
 )
 
@@ -318,7 +321,52 @@ func TestAddNodeInfo(t *testing.T) {
 		},
 	}
 
-	test(t, true /* addNodeInfo */, testcases)
+	test(t, true /* addNodeInfo */, true /* csiNodeInfoEnabled */, testcases)
+}
+
+// TestAddNodeInfo_CSINodeInfoDisabled tests AddNodeInfo with various existing Node annotations
+// and CSINodeInfo feature gate disabled.
+func TestAddNodeInfo_CSINodeInfoDisabled(t *testing.T) {
+	testcases := []testcase{
+		{
+			name:         "empty node",
+			driverName:   "com.example.csi/driver1",
+			existingNode: generateNode(nil /* nodeIDs */, nil /* labels */),
+			inputNodeID:  "com.example.csi/csi-node1",
+			expectedNodeIDMap: map[string]string{
+				"com.example.csi/driver1": "com.example.csi/csi-node1",
+			},
+		},
+		{
+			name:       "pre-existing node info from the same driver",
+			driverName: "com.example.csi/driver1",
+			existingNode: generateNode(
+				nodeIDMap{
+					"com.example.csi/driver1": "com.example.csi/csi-node1",
+				},
+				nil /* labels */),
+			inputNodeID: "com.example.csi/csi-node1",
+			expectedNodeIDMap: map[string]string{
+				"com.example.csi/driver1": "com.example.csi/csi-node1",
+			},
+		},
+		{
+			name:       "pre-existing node info from different driver",
+			driverName: "com.example.csi/driver1",
+			existingNode: generateNode(
+				nodeIDMap{
+					"net.example.storage/other-driver": "net.example.storage/test-node",
+				},
+				nil /* labels */),
+			inputNodeID: "com.example.csi/csi-node1",
+			expectedNodeIDMap: map[string]string{
+				"com.example.csi/driver1":          "com.example.csi/csi-node1",
+				"net.example.storage/other-driver": "net.example.storage/test-node",
+			},
+		},
+	}
+
+	test(t, true /* addNodeInfo */, false /* csiNodeInfoEnabled */, testcases)
 }
 
 // TestRemoveNodeInfo tests RemoveNodeInfo with various existing Node and/or CSINodeInfo objects.
@@ -407,10 +455,51 @@ func TestRemoveNodeInfo(t *testing.T) {
 		},
 	}
 
-	test(t, false /* addNodeInfo */, testcases)
+	test(t, false /* addNodeInfo */, true /* csiNodeInfoEnabled */, testcases)
+}
+
+// TestRemoveNodeInfo tests RemoveNodeInfo with various existing Node objects and CSINodeInfo
+// feature disabled.
+func TestRemoveNodeInfo_CSINodeInfoDisabled(t *testing.T) {
+	testcases := []testcase{
+		{
+			name:              "empty node",
+			driverName:        "com.example.csi/driver1",
+			existingNode:      generateNode(nil /* nodeIDs */, nil /* labels */),
+			expectedNodeIDMap: nil,
+		},
+		{
+			name:       "pre-existing node info from the same driver",
+			driverName: "com.example.csi/driver1",
+			existingNode: generateNode(
+				nodeIDMap{
+					"com.example.csi/driver1": "com.example.csi/csi-node1",
+				},
+				nil /* labels */),
+			expectedNodeIDMap: nil,
+		},
+		{
+			name:       "pre-existing node info from different driver",
+			driverName: "com.example.csi/driver1",
+			existingNode: generateNode(
+				nodeIDMap{
+					"net.example.storage/other-driver": "net.example.storage/csi-node1",
+				},
+				nil /* labels */),
+			expectedNodeIDMap: map[string]string{
+				"net.example.storage/other-driver": "net.example.storage/csi-node1",
+			},
+		},
+	}
+
+	test(t, false /* addNodeInfo */, false /* csiNodeInfoEnabled */, testcases)
 }
 
 func TestAddNodeInfoExistingAnnotation(t *testing.T) {
+	csiNodeInfoEnabled := utilfeature.DefaultFeatureGate.Enabled(features.CSINodeInfo)
+	utilfeature.DefaultFeatureGate.Set(fmt.Sprintf("%s=true", features.CSINodeInfo))
+	defer utilfeature.DefaultFeatureGate.Set(fmt.Sprintf("%s=%t", features.CSINodeInfo, csiNodeInfoEnabled))
+
 	driverName := "com.example.csi/driver1"
 	nodeID := "com.example.csi/some-node"
 
@@ -471,7 +560,11 @@ func TestAddNodeInfoExistingAnnotation(t *testing.T) {
 	}
 }
 
-func test(t *testing.T, addNodeInfo bool, testcases []testcase) {
+func test(t *testing.T, addNodeInfo bool, csiNodeInfoEnabled bool, testcases []testcase) {
+	wasEnabled := utilfeature.DefaultFeatureGate.Enabled(features.CSINodeInfo)
+	utilfeature.DefaultFeatureGate.Set(fmt.Sprintf("%s=%t", features.CSINodeInfo, csiNodeInfoEnabled))
+	defer utilfeature.DefaultFeatureGate.Set(fmt.Sprintf("%s=%t", features.CSINodeInfo, wasEnabled))
+
 	for _, tc := range testcases {
 		t.Logf("test case: %q", tc.name)
 
@@ -534,39 +627,39 @@ func test(t *testing.T, addNodeInfo bool, testcases []testcase) {
 			}
 		}
 
-		// Topology labels
+		if csiNodeInfoEnabled {
-		if !helper.Semantic.DeepEqual(node.Labels, tc.expectedLabels) {
+			// Topology labels
-			t.Errorf("expected topology labels to be %v; got: %v", tc.expectedLabels, node.Labels)
+			if !helper.Semantic.DeepEqual(node.Labels, tc.expectedLabels) {
-		}
+				t.Errorf("expected topology labels to be %v; got: %v", tc.expectedLabels, node.Labels)
-		/* End Node Validation */
+			}
 
-		/* CSINodeInfo validation */
+			/* CSINodeInfo validation */
-		nodeInfo, err := csiClient.Csi().CSINodeInfos().Get(nodeName, metav1.GetOptions{})
+			nodeInfo, err := csiClient.Csi().CSINodeInfos().Get(nodeName, metav1.GetOptions{})
-		if tc.expectNoNodeInfo && errors.IsNotFound(err) {
+			if tc.expectNoNodeInfo && errors.IsNotFound(err) {
-			continue
+				continue
-		} else if err != nil {
+			} else if err != nil {
-			t.Errorf("error getting CSINodeInfo: %v", err)
+				t.Errorf("error getting CSINodeInfo: %v", err)
-			continue
+				continue
-		}
+			}
 
-		// Extract node IDs and topology keys
+			// Extract node IDs and topology keys
-		actualNodeIDs := make(map[string]string)
+			actualNodeIDs := make(map[string]string)
-		actualTopologyKeys := make(map[string]sets.String)
+			actualTopologyKeys := make(map[string]sets.String)
-		for _, driver := range nodeInfo.CSIDrivers {
+			for _, driver := range nodeInfo.CSIDrivers {
-			actualNodeIDs[driver.Driver] = driver.NodeID
+				actualNodeIDs[driver.Driver] = driver.NodeID
-			actualTopologyKeys[driver.Driver] = sets.NewString(driver.TopologyKeys...)
+				actualTopologyKeys[driver.Driver] = sets.NewString(driver.TopologyKeys...)
-		}
+			}
 
-		// Node IDs
+			// Node IDs
-		if !helper.Semantic.DeepEqual(actualNodeIDs, tc.expectedNodeIDMap) {
+			if !helper.Semantic.DeepEqual(actualNodeIDs, tc.expectedNodeIDMap) {
-			t.Errorf("expected node IDs %v from CSINodeInfo; got: %v", tc.expectedNodeIDMap, actualNodeIDs)
+				t.Errorf("expected node IDs %v from CSINodeInfo; got: %v", tc.expectedNodeIDMap, actualNodeIDs)
-		}
+			}
 
-		// Topology keys
+			// Topology keys
-		if !helper.Semantic.DeepEqual(actualTopologyKeys, tc.expectedTopologyMap) {
+			if !helper.Semantic.DeepEqual(actualTopologyKeys, tc.expectedTopologyMap) {
-			t.Errorf("expected topology keys %v from CSINodeInfo; got: %v", tc.expectedTopologyMap, actualTopologyKeys)
+				t.Errorf("expected topology keys %v from CSINodeInfo; got: %v", tc.expectedTopologyMap, actualTopologyKeys)
+			}
 		}
-		/* End CSINodeInfo validation */
 	}
 }
 

plugin/pkg/admission/noderestriction/admission.go

@@ -147,10 +147,10 @@ func (c *nodePlugin) Admit(a admission.Attributes) error {
 		return admission.NewForbidden(a, fmt.Errorf("disabled by feature gate %s", features.NodeLease))
 
 	case csiNodeInfoResource:
-		if c.features.Enabled(features.KubeletPluginsWatcher) {
+		if c.features.Enabled(features.KubeletPluginsWatcher) && c.features.Enabled(features.CSINodeInfo) {
 			return c.admitCSINodeInfo(nodeName, a)
 		}
-		return admission.NewForbidden(a, fmt.Errorf("disabled by feature gate %s", features.KubeletPluginsWatcher))
+		return admission.NewForbidden(a, fmt.Errorf("disabled by feature gates %s and %s", features.KubeletPluginsWatcher, features.CSINodeInfo))
 
 	default:
 		return nil

plugin/pkg/admission/noderestriction/admission_test.go

@@ -21,6 +21,7 @@ import (
 	"testing"
 	"time"
 
+	"fmt"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -41,12 +42,12 @@ import (
 )
 
 var (
-	trEnabledFeature              = utilfeature.NewFeatureGate()
+	trEnabledFeature           = utilfeature.NewFeatureGate()
-	trDisabledFeature             = utilfeature.NewFeatureGate()
+	trDisabledFeature          = utilfeature.NewFeatureGate()
-	leaseEnabledFeature           = utilfeature.NewFeatureGate()
+	leaseEnabledFeature        = utilfeature.NewFeatureGate()
-	leaseDisabledFeature          = utilfeature.NewFeatureGate()
+	leaseDisabledFeature       = utilfeature.NewFeatureGate()
-	pluginsWatcherEnabledFeature  = utilfeature.NewFeatureGate()
+	csiNodeInfoEnabledFeature  = utilfeature.NewFeatureGate()
-	pluginsWatcherDisabledFeature = utilfeature.NewFeatureGate()
+	csiNodeInfoDisabledFeature = utilfeature.NewFeatureGate()
 )
 
 func init() {
@@ -62,10 +63,16 @@ func init() {
 	if err := leaseDisabledFeature.Add(map[utilfeature.Feature]utilfeature.FeatureSpec{features.NodeLease: {Default: false}}); err != nil {
 		panic(err)
 	}
-	if err := pluginsWatcherEnabledFeature.Add(map[utilfeature.Feature]utilfeature.FeatureSpec{features.KubeletPluginsWatcher: {Default: true}}); err != nil {
+	if err := csiNodeInfoEnabledFeature.Add(map[utilfeature.Feature]utilfeature.FeatureSpec{features.KubeletPluginsWatcher: {Default: true}}); err != nil {
 		panic(err)
 	}
-	if err := pluginsWatcherDisabledFeature.Add(map[utilfeature.Feature]utilfeature.FeatureSpec{features.KubeletPluginsWatcher: {Default: false}}); err != nil {
+	if err := csiNodeInfoEnabledFeature.Add(map[utilfeature.Feature]utilfeature.FeatureSpec{features.CSINodeInfo: {Default: true}}); err != nil {
+		panic(err)
+	}
+	if err := csiNodeInfoDisabledFeature.Add(map[utilfeature.Feature]utilfeature.FeatureSpec{features.KubeletPluginsWatcher: {Default: false}}); err != nil {
+		panic(err)
+	}
+	if err := csiNodeInfoDisabledFeature.Add(map[utilfeature.Feature]utilfeature.FeatureSpec{features.CSINodeInfo: {Default: false}}); err != nil {
 		panic(err)
 	}
 }
@@ -996,43 +1003,43 @@ func Test_nodePlugin_Admit(t *testing.T) {
 		{
 			name:       "disallowed create CSINodeInfo - feature disabled",
 			attributes: admission.NewAttributesRecord(nodeInfo, nil, csiNodeInfoKind, nodeInfo.Namespace, nodeInfo.Name, csiNodeInfoResource, "", admission.Create, false, mynode),
-			features:   pluginsWatcherDisabledFeature,
+			features:   csiNodeInfoDisabledFeature,
-			err:        "forbidden: disabled by feature gate KubeletPluginsWatcher",
+			err:        fmt.Sprintf("forbidden: disabled by feature gates %s and %s", features.KubeletPluginsWatcher, features.CSINodeInfo),
 		},
 		{
 			name:       "disallowed create another node's CSINodeInfo - feature enabled",
 			attributes: admission.NewAttributesRecord(nodeInfoWrongName, nil, csiNodeInfoKind, nodeInfoWrongName.Namespace, nodeInfoWrongName.Name, csiNodeInfoResource, "", admission.Create, false, mynode),
-			features:   pluginsWatcherEnabledFeature,
+			features:   csiNodeInfoEnabledFeature,
 			err:        "forbidden: ",
 		},
 		{
 			name:       "disallowed update another node's CSINodeInfo - feature enabled",
 			attributes: admission.NewAttributesRecord(nodeInfoWrongName, nodeInfoWrongName, csiNodeInfoKind, nodeInfoWrongName.Namespace, nodeInfoWrongName.Name, csiNodeInfoResource, "", admission.Update, false, mynode),
-			features:   pluginsWatcherEnabledFeature,
+			features:   csiNodeInfoEnabledFeature,
 			err:        "forbidden: ",
 		},
 		{
 			name:       "disallowed delete another node's CSINodeInfo - feature enabled",
 			attributes: admission.NewAttributesRecord(nil, nil, csiNodeInfoKind, nodeInfoWrongName.Namespace, nodeInfoWrongName.Name, csiNodeInfoResource, "", admission.Delete, false, mynode),
-			features:   pluginsWatcherEnabledFeature,
+			features:   csiNodeInfoEnabledFeature,
 			err:        "forbidden: ",
 		},
 		{
 			name:       "allowed create node CSINodeInfo - feature enabled",
 			attributes: admission.NewAttributesRecord(nodeInfo, nil, csiNodeInfoKind, nodeInfo.Namespace, nodeInfo.Name, csiNodeInfoResource, "", admission.Create, false, mynode),
-			features:   pluginsWatcherEnabledFeature,
+			features:   csiNodeInfoEnabledFeature,
 			err:        "",
 		},
 		{
 			name:       "allowed update node CSINodeInfo - feature enabled",
 			attributes: admission.NewAttributesRecord(nodeInfo, nodeInfo, csiNodeInfoKind, nodeInfo.Namespace, nodeInfo.Name, csiNodeInfoResource, "", admission.Update, false, mynode),
-			features:   pluginsWatcherEnabledFeature,
+			features:   csiNodeInfoEnabledFeature,
 			err:        "",
 		},
 		{
 			name:       "allowed delete node CSINodeInfo - feature enabled",
 			attributes: admission.NewAttributesRecord(nil, nil, csiNodeInfoKind, nodeInfo.Namespace, nodeInfo.Name, csiNodeInfoResource, "", admission.Delete, false, mynode),
-			features:   pluginsWatcherEnabledFeature,
+			features:   csiNodeInfoEnabledFeature,
 			err:        "",
 		},
 	}

plugin/pkg/auth/authorizer/node/node_authorizer.go

@@ -123,10 +123,10 @@ func (r *NodeAuthorizer) Authorize(attrs authorizer.Attributes) (authorizer.Deci
 			}
 			return authorizer.DecisionNoOpinion, fmt.Sprintf("disabled by feature gate %s", features.NodeLease), nil
 		case csiNodeInfoResource:
-			if r.features.Enabled(features.KubeletPluginsWatcher) {
+			if r.features.Enabled(features.KubeletPluginsWatcher) && r.features.Enabled(features.CSINodeInfo) {
 				return r.authorizeCSINodeInfo(nodeName, attrs)
 			}
-			return authorizer.DecisionNoOpinion, fmt.Sprintf("disabled by feature gate %s", features.KubeletPluginsWatcher), nil
+			return authorizer.DecisionNoOpinion, fmt.Sprintf("disabled by feature gates %s and %s", features.KubeletPluginsWatcher, features.CSINodeInfo), nil
 		}
 
 	}

plugin/pkg/auth/authorizer/node/node_authorizer_test.go

@@ -39,14 +39,14 @@ import (
 )
 
 var (
-	csiEnabledFeature             = utilfeature.NewFeatureGate()
+	csiEnabledFeature          = utilfeature.NewFeatureGate()
-	csiDisabledFeature            = utilfeature.NewFeatureGate()
+	csiDisabledFeature         = utilfeature.NewFeatureGate()
-	trEnabledFeature              = utilfeature.NewFeatureGate()
+	trEnabledFeature           = utilfeature.NewFeatureGate()
-	trDisabledFeature             = utilfeature.NewFeatureGate()
+	trDisabledFeature          = utilfeature.NewFeatureGate()
-	leaseEnabledFeature           = utilfeature.NewFeatureGate()
+	leaseEnabledFeature        = utilfeature.NewFeatureGate()
-	leaseDisabledFeature          = utilfeature.NewFeatureGate()
+	leaseDisabledFeature       = utilfeature.NewFeatureGate()
-	pluginsWatcherEnabledFeature  = utilfeature.NewFeatureGate()
+	csiNodeInfoEnabledFeature  = utilfeature.NewFeatureGate()
-	pluginsWatcherDisabledFeature = utilfeature.NewFeatureGate()
+	csiNodeInfoDisabledFeature = utilfeature.NewFeatureGate()
 )
 
 func init() {
@@ -68,10 +68,16 @@ func init() {
 	if err := leaseDisabledFeature.Add(map[utilfeature.Feature]utilfeature.FeatureSpec{features.NodeLease: {Default: false}}); err != nil {
 		panic(err)
 	}
-	if err := pluginsWatcherEnabledFeature.Add(map[utilfeature.Feature]utilfeature.FeatureSpec{features.KubeletPluginsWatcher: {Default: true}}); err != nil {
+	if err := csiNodeInfoEnabledFeature.Add(map[utilfeature.Feature]utilfeature.FeatureSpec{features.KubeletPluginsWatcher: {Default: true}}); err != nil {
 		panic(err)
 	}
-	if err := pluginsWatcherDisabledFeature.Add(map[utilfeature.Feature]utilfeature.FeatureSpec{features.KubeletPluginsWatcher: {Default: false}}); err != nil {
+	if err := csiNodeInfoEnabledFeature.Add(map[utilfeature.Feature]utilfeature.FeatureSpec{features.CSINodeInfo: {Default: true}}); err != nil {
+		panic(err)
+	}
+	if err := csiNodeInfoDisabledFeature.Add(map[utilfeature.Feature]utilfeature.FeatureSpec{features.KubeletPluginsWatcher: {Default: false}}); err != nil {
+		panic(err)
+	}
+	if err := csiNodeInfoDisabledFeature.Add(map[utilfeature.Feature]utilfeature.FeatureSpec{features.CSINodeInfo: {Default: false}}); err != nil {
 		panic(err)
 	}
 }
@@ -350,79 +356,79 @@ func TestAuthorizer(t *testing.T) {
 		{
 			name:     "disallowed CSINodeInfo - feature disabled",
 			attrs:    authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "get", Resource: "csinodeinfos", APIGroup: "csi.storage.k8s.io", Name: "node0"},
-			features: pluginsWatcherDisabledFeature,
+			features: csiNodeInfoDisabledFeature,
 			expect:   authorizer.DecisionNoOpinion,
 		},
 		{
 			name:     "disallowed CSINodeInfo with subresource - feature enabled",
 			attrs:    authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "get", Resource: "csinodeinfos", Subresource: "csiDrivers", APIGroup: "csi.storage.k8s.io", Name: "node0"},
-			features: pluginsWatcherEnabledFeature,
+			features: csiNodeInfoEnabledFeature,
 			expect:   authorizer.DecisionNoOpinion,
 		},
 		{
 			name:     "disallowed get another node's CSINodeInfo - feature enabled",
 			attrs:    authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "get", Resource: "csinodeinfos", APIGroup: "csi.storage.k8s.io", Name: "node1"},
-			features: pluginsWatcherEnabledFeature,
+			features: csiNodeInfoEnabledFeature,
 			expect:   authorizer.DecisionNoOpinion,
 		},
 		{
 			name:     "disallowed update another node's CSINodeInfo - feature enabled",
 			attrs:    authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "update", Resource: "csinodeinfos", APIGroup: "csi.storage.k8s.io", Name: "node1"},
-			features: pluginsWatcherEnabledFeature,
+			features: csiNodeInfoEnabledFeature,
 			expect:   authorizer.DecisionNoOpinion,
 		},
 		{
 			name:     "disallowed patch another node's CSINodeInfo - feature enabled",
 			attrs:    authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "patch", Resource: "csinodeinfos", APIGroup: "csi.storage.k8s.io", Name: "node1"},
-			features: pluginsWatcherEnabledFeature,
+			features: csiNodeInfoEnabledFeature,
 			expect:   authorizer.DecisionNoOpinion,
 		},
 		{
 			name:     "disallowed delete another node's CSINodeInfo - feature enabled",
 			attrs:    authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "delete", Resource: "csinodeinfos", APIGroup: "csi.storage.k8s.io", Name: "node1"},
-			features: pluginsWatcherEnabledFeature,
+			features: csiNodeInfoEnabledFeature,
 			expect:   authorizer.DecisionNoOpinion,
 		},
 		{
 			name:     "disallowed list CSINodeInfos - feature enabled",
 			attrs:    authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "list", Resource: "csinodeinfos", APIGroup: "csi.storage.k8s.io"},
-			features: pluginsWatcherEnabledFeature,
+			features: csiNodeInfoEnabledFeature,
 			expect:   authorizer.DecisionNoOpinion,
 		},
 		{
 			name:     "disallowed watch CSINodeInfos - feature enabled",
 			attrs:    authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "watch", Resource: "csinodeinfos", APIGroup: "csi.storage.k8s.io"},
-			features: pluginsWatcherEnabledFeature,
+			features: csiNodeInfoEnabledFeature,
 			expect:   authorizer.DecisionNoOpinion,
 		},
 		{
 			name:     "allowed get CSINodeInfo - feature enabled",
 			attrs:    authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "get", Resource: "csinodeinfos", APIGroup: "csi.storage.k8s.io", Name: "node0"},
-			features: pluginsWatcherEnabledFeature,
+			features: csiNodeInfoEnabledFeature,
 			expect:   authorizer.DecisionAllow,
 		},
 		{
 			name:     "allowed create CSINodeInfo - feature enabled",
 			attrs:    authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "create", Resource: "csinodeinfos", APIGroup: "csi.storage.k8s.io", Name: "node0"},
-			features: pluginsWatcherEnabledFeature,
+			features: csiNodeInfoEnabledFeature,
 			expect:   authorizer.DecisionAllow,
 		},
 		{
 			name:     "allowed update CSINodeInfo - feature enabled",
 			attrs:    authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "update", Resource: "csinodeinfos", APIGroup: "csi.storage.k8s.io", Name: "node0"},
-			features: pluginsWatcherEnabledFeature,
+			features: csiNodeInfoEnabledFeature,
 			expect:   authorizer.DecisionAllow,
 		},
 		{
 			name:     "allowed patch CSINodeInfo - feature enabled",
 			attrs:    authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "patch", Resource: "csinodeinfos", APIGroup: "csi.storage.k8s.io", Name: "node0"},
-			features: pluginsWatcherEnabledFeature,
+			features: csiNodeInfoEnabledFeature,
 			expect:   authorizer.DecisionAllow,
 		},
 		{
 			name:     "allowed delete CSINodeInfo - feature enabled",
 			attrs:    authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "delete", Resource: "csinodeinfos", APIGroup: "csi.storage.k8s.io", Name: "node0"},
-			features: pluginsWatcherEnabledFeature,
+			features: csiNodeInfoEnabledFeature,
 			expect:   authorizer.DecisionAllow,
 		},
 	}

plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go

@@ -164,7 +164,8 @@ func NodeRules() []rbacv1.PolicyRule {
 			nodePolicyRules = append(nodePolicyRules, csiDriverRule)
 		}
 	}
-	if utilfeature.DefaultFeatureGate.Enabled(features.KubeletPluginsWatcher) {
+	if utilfeature.DefaultFeatureGate.Enabled(features.KubeletPluginsWatcher) &&
+		utilfeature.DefaultFeatureGate.Enabled(features.CSINodeInfo) {
 		csiNodeInfoRule := rbacv1helpers.NewRule("get", "create", "update", "patch", "delete").Groups("csi.storage.k8s.io").Resources("csinodeinfos").RuleOrDie()
 		nodePolicyRules = append(nodePolicyRules, csiNodeInfoRule)
 	}
@@ -507,7 +508,7 @@ func ClusterRoles() []rbacv1.ClusterRole {
 		rbacv1helpers.NewRule("get", "list", "watch", "create", "update", "patch").Groups(legacyGroup).Resources("events").RuleOrDie(),
 		rbacv1helpers.NewRule("get", "list", "watch").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
 	}
-	if utilfeature.DefaultFeatureGate.Enabled(features.KubeletPluginsWatcher) {
+	if utilfeature.DefaultFeatureGate.Enabled(features.CSINodeInfo) {
 		externalProvisionerRules = append(externalProvisionerRules, rbacv1helpers.NewRule("get", "watch", "list").Groups("csi.storage.k8s.io").Resources("csinodeinfos").RuleOrDie())
 	}
 	roles = append(roles, rbacv1.ClusterRole{

plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml

@@ -531,14 +531,6 @@ items:
     - get
     - list
     - watch
-  - apiGroups:
-    - csi.storage.k8s.io
-    resources:
-    - csinodeinfos
-    verbs:
-    - get
-    - list
-    - watch
 - apiVersion: rbac.authorization.k8s.io/v1
   kind: ClusterRole
   metadata:
@@ -978,16 +970,6 @@ items:
     - volumeattachments
     verbs:
     - get
-  - apiGroups:
-    - csi.storage.k8s.io
-    resources:
-    - csinodeinfos
-    verbs:
-    - create
-    - delete
-    - get
-    - patch
-    - update
 - apiVersion: rbac.authorization.k8s.io/v1
   kind: ClusterRole
   metadata:

test/e2e/storage/csi_objects.go

@@ -38,7 +38,7 @@ import (
 )
 
 var csiImageVersions = map[string]string{
-	"hostpathplugin":   "v0.2.0",
+	"hostpathplugin":   "canary", // TODO (verult) update tag once new hostpathplugin release is cut
 	"csi-attacher":     "v0.2.0",
 	"csi-provisioner":  "v0.2.1",
 	"driver-registrar": "v0.3.0",