Merge pull request #113476 from marosset/hpc-to-stable

Promoting WindowsHostProcessContainers to stable

pkg/kubelet/kubelet_pods.go

@@ -148,7 +148,7 @@ func (kl *Kubelet) makeBlockVolumes(pod *v1.Pod, container *v1.Container, podVol
 // - Windows pod contains a hostProcess container
 func shouldMountHostsFile(pod *v1.Pod, podIPs []string) bool {
 	shouldMount := len(podIPs) > 0
-	if runtime.GOOS == "windows" && utilfeature.DefaultFeatureGate.Enabled(features.WindowsHostProcessContainers) {
+	if runtime.GOOS == "windows" {
 		return shouldMount && !kubecontainer.HasWindowsHostProcessContainer(pod)
 	}
 	return shouldMount

pkg/kubelet/kuberuntime/kuberuntime_container_windows.go

@@ -20,14 +20,11 @@ limitations under the License.
 package kuberuntime
 
 import (
-	"fmt"
 	"runtime"
 
 	v1 "k8s.io/api/core/v1"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
 	"k8s.io/klog/v2"
-	"k8s.io/kubernetes/pkg/features"
 	kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
 	"k8s.io/kubernetes/pkg/securitycontext"
 )
@@ -126,9 +123,6 @@ func (m *kubeGenericRuntimeManager) generateWindowsContainerConfig(container *v1
 	}
 
 	if securitycontext.HasWindowsHostProcessRequest(pod, container) {
-		if !utilfeature.DefaultFeatureGate.Enabled(features.WindowsHostProcessContainers) {
-			return nil, fmt.Errorf("pod contains HostProcess containers but feature 'WindowsHostProcessContainers' is not enabled")
-		}
 		wc.SecurityContext.HostProcess = true
 	}
 

pkg/kubelet/kuberuntime/kuberuntime_container_windows_test.go

@@ -100,12 +100,4 @@ func TestApplyPlatformSpecificContainerConfig(t *testing.T) {
 		},
 	}
 	assert.Equal(t, expectedWindowsConfig, containerConfig.Windows)
-
-	// Check if it fails if we require HostProcess but the feature is not enabled.
-	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.WindowsHostProcessContainers, false)()
-	err = fakeRuntimeSvc.applyPlatformSpecificContainerConfig(containerConfig, &pod.Spec.Containers[0], pod, new(int64), "foo", nil)
-	expectedErrMsg := "pod contains HostProcess containers but feature 'WindowsHostProcessContainers' is not enabled"
-	if err == nil || err.Error() != expectedErrMsg {
-		t.Errorf("expected error message `%s` but got `%v`", expectedErrMsg, err)
-	}
 }

pkg/kubelet/kuberuntime/kuberuntime_sandbox.go

@@ -25,10 +25,8 @@ import (
 
 	v1 "k8s.io/api/core/v1"
 	kubetypes "k8s.io/apimachinery/pkg/types"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
 	"k8s.io/klog/v2"
-	"k8s.io/kubernetes/pkg/features"
 	kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
 	runtimeutil "k8s.io/kubernetes/pkg/kubelet/kuberuntime/util"
 	"k8s.io/kubernetes/pkg/kubelet/types"
@@ -237,13 +235,6 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxWindowsConfig(pod *v1.Pod)
 	// If all of the containers in a pod are HostProcess containers, set the pod's HostProcess field
 	// explicitly because the container runtime requires this information at sandbox creation time.
 	if kubecontainer.HasWindowsHostProcessContainer(pod) {
-		// Pods containing HostProcess containers should fail to schedule if feature is not
-		// enabled instead of trying to schedule containers as regular containers as stated in
-		// PRR review.
-		if !utilfeature.DefaultFeatureGate.Enabled(features.WindowsHostProcessContainers) {
-			return nil, fmt.Errorf("pod contains HostProcess containers but feature 'WindowsHostProcessContainers' is not enabled")
-		}
-
 		// At present Windows all containers in a Windows pod must be HostProcess containers
 		// and HostNetwork is required to be set.
 		if !kubecontainer.AllContainersAreWindowsHostProcess(pod) {

pkg/kubelet/kuberuntime/kuberuntime_sandbox_test.go

@@ -27,10 +27,7 @@ import (
 	"github.com/stretchr/testify/require"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
-	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
-	"k8s.io/kubernetes/pkg/features"
 	containertest "k8s.io/kubernetes/pkg/kubelet/container/testing"
 	"k8s.io/kubernetes/pkg/kubelet/runtimeclass"
 	rctest "k8s.io/kubernetes/pkg/kubelet/runtimeclass/testing"
@@ -185,15 +182,13 @@ func TestGeneratePodSandboxWindowsConfig(t *testing.T) {
 	falseVar := false
 
 	testCases := []struct {
-		name                      string
-		hostProcessFeatureEnabled bool
-		podSpec                   *v1.PodSpec
-		expectedWindowsConfig     *runtimeapi.WindowsPodSandboxConfig
-		expectedError             error
+		name                  string
+		podSpec               *v1.PodSpec
+		expectedWindowsConfig *runtimeapi.WindowsPodSandboxConfig
+		expectedError         error
 	}{
 		{
-			name:                      "Empty PodSecurityContext",
-			hostProcessFeatureEnabled: false,
+			name: "Empty PodSecurityContext",
 			podSpec: &v1.PodSpec{
 				Containers: []v1.Container{{
 					Name: containerName,
@@ -205,8 +200,7 @@ func TestGeneratePodSandboxWindowsConfig(t *testing.T) {
 			expectedError: nil,
 		},
 		{
-			name:                      "GMSACredentialSpec in PodSecurityContext",
-			hostProcessFeatureEnabled: false,
+			name: "GMSACredentialSpec in PodSecurityContext",
 			podSpec: &v1.PodSpec{
 				SecurityContext: &v1.PodSecurityContext{
 					WindowsOptions: &v1.WindowsSecurityContextOptions{
@@ -225,8 +219,7 @@ func TestGeneratePodSandboxWindowsConfig(t *testing.T) {
 			expectedError: nil,
 		},
 		{
-			name:                      "RunAsUserName in PodSecurityContext",
-			hostProcessFeatureEnabled: false,
+			name: "RunAsUserName in PodSecurityContext",
 			podSpec: &v1.PodSpec{
 				SecurityContext: &v1.PodSecurityContext{
 					WindowsOptions: &v1.WindowsSecurityContextOptions{
@@ -245,24 +238,7 @@ func TestGeneratePodSandboxWindowsConfig(t *testing.T) {
 			expectedError: nil,
 		},
 		{
-			name:                      "Pod with HostProcess containers and feature gate disabled",
-			hostProcessFeatureEnabled: false,
-			podSpec: &v1.PodSpec{
-				SecurityContext: &v1.PodSecurityContext{
-					WindowsOptions: &v1.WindowsSecurityContextOptions{
-						HostProcess: &trueVar,
-					},
-				},
-				Containers: []v1.Container{{
-					Name: containerName,
-				}},
-			},
-			expectedWindowsConfig: nil,
-			expectedError:         fmt.Errorf("pod contains HostProcess containers but feature 'WindowsHostProcessContainers' is not enabled"),
-		},
-		{
-			name:                      "Pod with HostProcess containers and non-HostProcess containers",
-			hostProcessFeatureEnabled: true,
+			name: "Pod with HostProcess containers and non-HostProcess containers",
 			podSpec: &v1.PodSpec{
 				SecurityContext: &v1.PodSecurityContext{
 					WindowsOptions: &v1.WindowsSecurityContextOptions{
@@ -284,8 +260,7 @@ func TestGeneratePodSandboxWindowsConfig(t *testing.T) {
 			expectedError:         fmt.Errorf("pod must not contain both HostProcess and non-HostProcess containers"),
 		},
 		{
-			name:                      "Pod with HostProcess containers and HostNetwork not set",
-			hostProcessFeatureEnabled: true,
+			name: "Pod with HostProcess containers and HostNetwork not set",
 			podSpec: &v1.PodSpec{
 				SecurityContext: &v1.PodSecurityContext{
 					WindowsOptions: &v1.WindowsSecurityContextOptions{
@@ -300,8 +275,7 @@ func TestGeneratePodSandboxWindowsConfig(t *testing.T) {
 			expectedError:         fmt.Errorf("hostNetwork is required if Pod contains HostProcess containers"),
 		},
 		{
-			name:                      "Pod with HostProcess containers and HostNetwork set",
-			hostProcessFeatureEnabled: true,
+			name: "Pod with HostProcess containers and HostNetwork set",
 			podSpec: &v1.PodSpec{
 				HostNetwork: true,
 				SecurityContext: &v1.PodSecurityContext{
@@ -321,8 +295,7 @@ func TestGeneratePodSandboxWindowsConfig(t *testing.T) {
 			expectedError: nil,
 		},
 		{
-			name:                      "Pod's WindowsOptions.HostProcess set to false and pod has HostProcess containers",
-			hostProcessFeatureEnabled: true,
+			name: "Pod's WindowsOptions.HostProcess set to false and pod has HostProcess containers",
 			podSpec: &v1.PodSpec{
 				HostNetwork: true,
 				SecurityContext: &v1.PodSecurityContext{
@@ -343,8 +316,7 @@ func TestGeneratePodSandboxWindowsConfig(t *testing.T) {
 			expectedError:         fmt.Errorf("pod must not contain any HostProcess containers if Pod's WindowsOptions.HostProcess is set to false"),
 		},
 		{
-			name:                      "Pod's security context doesn't specify HostProcess containers but Container's security context does",
-			hostProcessFeatureEnabled: true,
+			name: "Pod's security context doesn't specify HostProcess containers but Container's security context does",
 			podSpec: &v1.PodSpec{
 				HostNetwork: true,
 				Containers: []v1.Container{{
@@ -367,7 +339,6 @@ func TestGeneratePodSandboxWindowsConfig(t *testing.T) {
 
 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.WindowsHostProcessContainers, testCase.hostProcessFeatureEnabled)()
 			pod := &v1.Pod{}
 			pod.Spec = *testCase.podSpec
 

pkg/kubelet/metrics/metrics.go

@@ -574,10 +574,8 @@ func Register(collectors ...metrics.StableCollector) {
 		legacyregistry.MustRegister(StartedPodsErrorsTotal)
 		legacyregistry.MustRegister(StartedContainersTotal)
 		legacyregistry.MustRegister(StartedContainersErrorsTotal)
-		if utilfeature.DefaultFeatureGate.Enabled(features.WindowsHostProcessContainers) {
-			legacyregistry.MustRegister(StartedHostProcessContainersTotal)
-			legacyregistry.MustRegister(StartedHostProcessContainersErrorsTotal)
-		}
+		legacyregistry.MustRegister(StartedHostProcessContainersTotal)
+		legacyregistry.MustRegister(StartedHostProcessContainersErrorsTotal)
 		legacyregistry.MustRegister(RunPodSandboxDuration)
 		legacyregistry.MustRegister(RunPodSandboxErrors)