feature: promote ProcMountType to GA

Signed-off-by: Peter Hunt <pehunt@redhat.com>

pkg/api/pod/util_test.go

@@ -807,7 +807,10 @@ func TestDropProcMount(t *testing.T) {
 				}
 
 				t.Run(fmt.Sprintf("feature enabled=%v, old pod %v, new pod %v", enabled, oldPodInfo.description, newPodInfo.description), func(t *testing.T) {
-					featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ProcMountType, enabled)
+					if !enabled {
+						featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.35"))
+						featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ProcMountType, enabled)
+					}
 
 					var oldPodSpec *api.PodSpec
 					if oldPod != nil {
@@ -2584,10 +2587,10 @@ func TestDropHostUsers(t *testing.T) {
 				}
 
 				t.Run(fmt.Sprintf("feature enabled=%v, old pod %v, new pod %v", enabled, oldPodInfo.description, newPodInfo.description), func(t *testing.T) {
+					// Set emulation version so that the feature gate can be disabled in the test
 					if !enabled {
-						// Set emulation version so that the feature gate can be disabled in the test
 						featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.35"))
-						featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.UserNamespacesSupport, false)
+						featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.UserNamespacesSupport, enabled)
 					}
 
 					DropDisabledPodFields(newPod, oldPod)

pkg/features/kube_features.go

@@ -1705,6 +1705,7 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 		{Version: version.MustParse("1.12"), Default: false, PreRelease: featuregate.Alpha},
 		{Version: version.MustParse("1.31"), Default: false, PreRelease: featuregate.Beta},
 		{Version: version.MustParse("1.33"), Default: true, PreRelease: featuregate.Beta},
+		{Version: version.MustParse("1.36"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.39
 	},
 
 	QOSReserved: {

staging/src/k8s.io/pod-security-admission/test/fixtures_procMount.go

@@ -18,7 +18,6 @@ package test
 
 import (
 	corev1 "k8s.io/api/core/v1"
-	"k8s.io/component-base/featuregate"
 	"k8s.io/pod-security-admission/api"
 	"k8s.io/utils/ptr"
 )
@@ -38,7 +37,6 @@ func init() {
 				}),
 			}
 		},
-		failRequiresFeatures: []featuregate.Feature{"ProcMountType"},
 		generateFail: func(p *corev1.Pod) []*corev1.Pod {
 			p = ensureSecurityContext(p)
 			return []*corev1.Pod{
@@ -89,8 +87,7 @@ func init() {
 
 			return retval
 		},
-		failRequiresFeatures: []featuregate.Feature{"ProcMountType"},
-		failRequiresError:    true, // the only combination that can fail the 1.35 baseline check also fails validation
+		failRequiresError: true, // the only combination that can fail the 1.35 baseline check also fails validation
 		generateFail: func(p *corev1.Pod) []*corev1.Pod {
 			p = ensureSecurityContext(p)
 			return []*corev1.Pod{
@@ -129,7 +126,6 @@ func init() {
 				}),
 			}
 		},
-		failRequiresFeatures: []featuregate.Feature{"ProcMountType"},
 		generateFail: func(p *corev1.Pod) []*corev1.Pod {
 			p = ensureSecurityContext(p)
 			return []*corev1.Pod{

test/compatibility_lifecycle/reference/feature_list.md

@@ -150,7 +150,7 @@
 | PortForwardWebsockets | :ballot_box_with_check: 1.31+ |  | 1.30 | 1.31– |  |  |  | [code](https://cs.k8s.io/?q=%5CbPortForwardWebsockets%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbPortForwardWebsockets%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) |
 | PreferSameTrafficDistribution | :ballot_box_with_check: 1.34+ | :closed_lock_with_key: 1.35+ | 1.33 | 1.34 | 1.35– |  |  | [code](https://cs.k8s.io/?q=%5CbPreferSameTrafficDistribution%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbPreferSameTrafficDistribution%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) |
 | PreventStaticPodAPIReferences | :ballot_box_with_check: 1.34+ |  |  | 1.34– |  |  |  | [code](https://cs.k8s.io/?q=%5CbPreventStaticPodAPIReferences%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbPreventStaticPodAPIReferences%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) |
-| ProcMountType | :ballot_box_with_check: 1.33+ |  | 1.12–1.30 | 1.31– |  |  | UserNamespacesSupport | [code](https://cs.k8s.io/?q=%5CbProcMountType%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbProcMountType%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) |
+| ProcMountType | :ballot_box_with_check: 1.33+ | :closed_lock_with_key: 1.36+ | 1.12–1.30 | 1.31–1.35 | 1.36– |  | UserNamespacesSupport | [code](https://cs.k8s.io/?q=%5CbProcMountType%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbProcMountType%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) |
 | QOSReserved |  |  | 1.11– |  |  |  |  | [code](https://cs.k8s.io/?q=%5CbQOSReserved%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbQOSReserved%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) |
 | RecoverVolumeExpansionFailure | :ballot_box_with_check: 1.32+ | :closed_lock_with_key: 1.34+ | 1.23–1.31 | 1.32–1.33 | 1.34– |  |  | [code](https://cs.k8s.io/?q=%5CbRecoverVolumeExpansionFailure%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbRecoverVolumeExpansionFailure%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) |
 | RecursiveReadOnlyMounts | :ballot_box_with_check: 1.31+ | :closed_lock_with_key: 1.33+ | 1.30 | 1.31–1.32 | 1.33– |  |  | [code](https://cs.k8s.io/?q=%5CbRecursiveReadOnlyMounts%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/kubernetes) [KEPs](https://cs.k8s.io/?q=%5CbRecursiveReadOnlyMounts%5Cb&i=nope&files=&excludeFiles=CHANGELOG&repos=kubernetes/enhancements) |

test/compatibility_lifecycle/reference/versioned_feature_list.yaml

@@ -1485,6 +1485,10 @@
     lockToDefault: false
     preRelease: Beta
     version: "1.33"
+  - default: true
+    lockToDefault: true
+    preRelease: GA
+    version: "1.36"
 - name: QOSReserved
   versionedSpecs:
   - default: false

test/integration/auth/podsecurity_test.go

@@ -42,7 +42,6 @@ import (
 	"k8s.io/component-base/metrics/testutil"
 	kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
 	"k8s.io/kubernetes/pkg/capabilities"
-	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/test/integration/framework"
 	utiltest "k8s.io/kubernetes/test/utils"
 	podsecurityconfigloader "k8s.io/pod-security-admission/admission/api/load"
@@ -51,10 +50,6 @@ import (
 )
 
 func TestPodSecurity(t *testing.T) {
-	// Enable all feature gates needed to allow all fields to be exercised
-	featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
-		features.ProcMountType: true,
-	})
 	// Start server
 	server := startPodSecurityServer(t)
 	opts := podsecuritytest.Options{
@@ -98,11 +93,6 @@ func TestPodSecurityGAOnly(t *testing.T) {
 }
 
 func TestPodSecurityWebhook(t *testing.T) {
-	// Enable all feature gates needed to allow all fields to be exercised
-	featuregatetesting.SetFeatureGatesDuringTest(t, utilfeature.DefaultFeatureGate, featuregatetesting.FeatureOverrides{
-		features.ProcMountType: true,
-	})
-
 	// Start test API server.
 	capabilities.ResetForTest()
 	capabilities.Initialize(capabilities.Capabilities{AllowPrivileged: true})