Merge pull request #126441 from micahhausler/kubelet-cert-feature-gate-rename

Rename kubelet CSR admission feature gate
2024-07-29 09:39:34 -07:00
parent 7a4c962341 a7af830209
commit aab56e9b70
3 changed files with 10 additions and 9 deletions
--- a/pkg/features/kube_features.go
+++ b/pkg/features/kube_features.go
@@ -228,9 +228,10 @@ const (
 	// owner: @micahhausler
 	// Deprecated: v1.31
 	//
-	// Disable Node Admission plugin validation of CSRs for kubelet signers where CN=system:node:$nodeName.
+	// Setting AllowInsecureKubeletCertificateSigningRequests to true disables node admission validation of CSRs
 	// for kubelet signers where CN=system:node:$nodeName.
 	// Remove in v1.33
-	DisableKubeletCSRAdmissionValidation featuregate.Feature = "DisableKubeletCSRAdmissionValidation"
+	AllowInsecureKubeletCertificateSigningRequests featuregate.Feature = "AllowInsecureKubeletCertificateSigningRequests"
 	// owner: @HirazawaUi
 	// kep: http://kep.k8s.io/4004
@@ -1326,7 +1327,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
 	// ...
 	HPAScaleToZero: {Default: false, PreRelease: featuregate.Alpha},
-	DisableKubeletCSRAdmissionValidation: {Default: false, PreRelease: featuregate.Deprecated}, // remove in 1.33
+	AllowInsecureKubeletCertificateSigningRequests: {Default: false, PreRelease: featuregate.Deprecated}, // remove in 1.33
 	StorageNamespaceIndex: {Default: true, PreRelease: featuregate.Beta},
--- a/plugin/pkg/admission/noderestriction/admission.go
+++ b/plugin/pkg/admission/noderestriction/admission.go
@@ -76,7 +76,7 @@ type Plugin struct {
 	expansionRecoveryEnabled                       bool
 	dynamicResourceAllocationEnabled               bool
-	kubeletCSRAdmissionValidationDisabled bool
+	allowInsecureKubeletCertificateSigningRequests bool
 }
 var (
@@ -89,7 +89,7 @@ var (
 func (p *Plugin) InspectFeatureGates(featureGates featuregate.FeatureGate) {
 	p.expansionRecoveryEnabled = featureGates.Enabled(features.RecoverVolumeExpansionFailure)
 	p.dynamicResourceAllocationEnabled = featureGates.Enabled(features.DynamicResourceAllocation)
-	p.kubeletCSRAdmissionValidationDisabled = featureGates.Enabled(features.DisableKubeletCSRAdmissionValidation)
+	p.allowInsecureKubeletCertificateSigningRequests = featureGates.Enabled(features.AllowInsecureKubeletCertificateSigningRequests)
 }
 // SetExternalKubeInformerFactory registers an informer factory into Plugin
@@ -176,7 +176,7 @@ func (p *Plugin) Admit(ctx context.Context, a admission.Attributes, o admission.
 		return p.admitResourceSlice(nodeName, a)
 	case csrResource:
-		if p.kubeletCSRAdmissionValidationDisabled {
+		if p.allowInsecureKubeletCertificateSigningRequests {
 			return nil
 		}
 		return p.admitCSR(nodeName, a)
--- a/plugin/pkg/admission/noderestriction/admission_test.go
+++ b/plugin/pkg/admission/noderestriction/admission_test.go
@@ -1278,7 +1278,7 @@ func Test_nodePlugin_Admit(t *testing.T) {
 			features:   feature.DefaultFeatureGate,
 			setupFunc: func(t *testing.T) {
 				t.Helper()
-				featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.DisableKubeletCSRAdmissionValidation, true)
+				featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, features.AllowInsecureKubeletCertificateSigningRequests, true)
 			},
 		},
 		{