From a04e7cf5eb842754ccf1f340792e2d92c694af72 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Tue, 1 Jul 2025 12:11:54 -0400
Subject: [PATCH] KEP-4601: Graduate selector authorization to stable

---
 pkg/apis/authorization/types.go | 6 ---
 pkg/features/kube_features.go | 2 +
 .../subjectaccessreview/rest_test.go | 5 ---
 .../authorization/util/helpers_test.go | 6 ++-
 .../authorizer/node/node_authorizer_test.go | 39 ++++++++++++-------
 .../src/k8s.io/api/authorization/v1/types.go | 6 ---
 .../authorizer/caching_authorizer_test.go | 5 ---
 .../admission/plugin/cel/condition_test.go | 5 ++-
 .../pkg/authorization/cel/compile_test.go | 7 +++-
 .../endpoints/filters/authorization_test.go | 18 ++-------
 .../pkg/endpoints/request/requestinfo_test.go | 5 ---
 .../apiserver/pkg/features/kube_features.go | 1 +
 .../pkg/authorizer/webhook/webhook_test.go | 6 ++-
 .../pkg/authorizer/webhook/webhook_v1_test.go | 6 ++-
 .../reference/versioned_feature_list.yaml | 8 ++++
 .../cel/authorizerselector/helper.go | 7 ++++
 test/integration/auth/authz_config_test.go | 4 --
 17 files changed, 71 insertions(+), 65 deletions(-)

diff --git a/pkg/apis/authorization/types.go b/pkg/apis/authorization/types.go
index 1480359f515..997cd3879f7 100644
--- a/pkg/apis/authorization/types.go
+++ b/pkg/apis/authorization/types.go
@@ -88,15 +88,9 @@ type ResourceAttributes struct {
 // Name is the name of the resource being requested for a "get" or deleted for a "delete". "" (empty) means all.
 Name string
 // fieldSelector describes the limitation on access based on field. It can only limit access, not broaden it.
- //
- // This field is alpha-level. To use this field, you must enable the
- // `AuthorizeWithSelectors` feature gate (disabled by default).
 // +optional
 FieldSelector *FieldSelectorAttributes
 // labelSelector describes the limitation on access based on labels. It can only limit access, not broaden it.
- //
- // This field is alpha-level. To use this field, you must enable the
- // `AuthorizeWithSelectors` feature gate (disabled by default).
 // +optional
 LabelSelector *LabelSelectorAttributes
 }
diff --git a/pkg/features/kube_features.go b/pkg/features/kube_features.go
index 259be4e9b49..1f22a334500 100644
--- a/pkg/features/kube_features.go
+++ b/pkg/features/kube_features.go
@@ -1029,6 +1029,7 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 AuthorizeNodeWithSelectors: {
 {Version: version.MustParse("1.31"), Default: false, PreRelease: featuregate.Alpha},
 {Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.Beta},
+ {Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.37
 },

 CPUCFSQuotaPeriod: {
@@ -1753,6 +1754,7 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 genericfeatures.AuthorizeWithSelectors: {
 {Version: version.MustParse("1.31"), Default: false, PreRelease: featuregate.Alpha},
 {Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.Beta},
+ {Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.37
 },

 genericfeatures.BtreeWatchCache: {
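Review bot: Dropping the alpha paragraph leaves the `fieldSelector` and `labelSelector` doc comments with no statement of what a server does when it does not honor these fields, which matters more for an authorization input than for most fields: a SubjectAccessReview caller that relies on the narrowing needs to know whether an older or gate-disabled server answers the broader, un-narrowed question instead. Consider keeping one line in both places, e.g. `// Servers that do not support selector authorization ignore this field and evaluate the request without it.` — the test cases named "disabled, ignore good label selector" elsewhere in this commit suggest that is the behavior, but confirm before wording it. The identical removal is made in staging/src/k8s.io/api/authorization/v1/types.go, and that staged file is the published API, so the wording belongs there first. The diffstat shows no generated files; if the swagger/openapi descriptions are derived from these comments they presumably need regenerating alongside this change.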
diff --git a/pkg/registry/authorization/subjectaccessreview/rest_test.go b/pkg/registry/authorization/subjectaccessreview/rest_test.go
index 7816093c7c5..adb0b01a064 100644
--- a/pkg/registry/authorization/subjectaccessreview/rest_test.go
+++ b/pkg/registry/authorization/subjectaccessreview/rest_test.go
@@ -29,10 +29,7 @@ import (
 "k8s.io/apiserver/pkg/authentication/user"
 "k8s.io/apiserver/pkg/authorization/authorizer"
 genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
- genericfeatures "k8s.io/apiserver/pkg/features"
 "k8s.io/apiserver/pkg/registry/rest"
- utilfeature "k8s.io/apiserver/pkg/util/feature"
- featuregatetesting "k8s.io/component-base/featuregate/testing"
 authorizationapi "k8s.io/kubernetes/pkg/apis/authorization"
 )

@@ -236,8 +233,6 @@ func TestCreate(t *testing.T) {
 },
 }

- featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.AuthorizeWithSelectors, true)
-
 for k, tc := range testcases {
 auth := &fakeAuthorizer{
 decision: tc.decision,
diff --git a/pkg/registry/authorization/util/helpers_test.go b/pkg/registry/authorization/util/helpers_test.go
index b0c376d639b..6bc0fe25127 100644
--- a/pkg/registry/authorization/util/helpers_test.go
+++ b/pkg/registry/authorization/util/helpers_test.go
@@ -27,6 +27,7 @@ import (
 "k8s.io/apimachinery/pkg/selection"
 utilerrors "k8s.io/apimachinery/pkg/util/errors"
 "k8s.io/apimachinery/pkg/util/sets"
+ "k8s.io/apimachinery/pkg/util/version"
 "k8s.io/apiserver/pkg/authentication/user"
 "k8s.io/apiserver/pkg/authorization/authorizer"
 genericfeatures "k8s.io/apiserver/pkg/features"
@@ -636,7 +637,10 @@ func TestAuthorizationAttributesFrom(t *testing.T) {
 }

 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
- featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.AuthorizeWithSelectors, tt.enableAuthorizationSelector)
+ if !tt.enableAuthorizationSelector {
+ featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.33"))
+ featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.AuthorizeWithSelectors, false)
+ }
 if got := AuthorizationAttributesFrom(tt.args.spec); !reflect.DeepEqual(got, tt.want) {
 if got.LabelSelectorParsingErr != nil {
diff --git a/plugin/pkg/auth/authorizer/node/node_authorizer_test.go b/plugin/pkg/auth/authorizer/node/node_authorizer_test.go
index d8495f4c0c4..60c1a00a032 100644
--- a/plugin/pkg/auth/authorizer/node/node_authorizer_test.go
+++ b/plugin/pkg/auth/authorizer/node/node_authorizer_test.go
@@ -32,6 +32,7 @@ import (
 storagev1 "k8s.io/api/storage/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/fields"
+ "k8s.io/apimachinery/pkg/util/version"
 "k8s.io/apiserver/pkg/authentication/user"
 "k8s.io/apiserver/pkg/authorization/authorizer"
 genericfeatures "k8s.io/apiserver/pkg/features"
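Review bot: The disabled-path setup added here — lowering the emulated version to 1.33 and then forcing `AuthorizeWithSelectors` off — is duplicated verbatim in condition_test.go, compile_test.go, webhook_test.go and webhook_v1_test.go in this same commit, and node_authorizer_test.go carries a third variant of it. A single helper in featuregatetesting, or at least one per package, would keep the call sites from drifting and would be the one place to delete when the gate is removed in 1.37 as the kube_features.go comment plans. The version literal also deserves a why-comment at each site that keeps it, e.g. `// 1.33 is the last release in which AuthorizeWithSelectors can still be disabled; it is locked to true from 1.34`, since nothing in the hunk explains the choice. TestAuthorizationAttributesFrom starts and ends outside the hunk.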
@@ -72,23 +73,33 @@ func TestNodeAuthorizer(t *testing.T) {
 nodeunregistered := &user.DefaultInfo{Name: "system:node:nodeunregistered", Groups: []string{"system:nodes"}}

- selectorAuthzDisabled := utilfeature.DefaultFeatureGate.DeepCopy()
- featuregatetesting.SetFeatureGateDuringTest(t, selectorAuthzDisabled, genericfeatures.AuthorizeWithSelectors, false)
- featuregatetesting.SetFeatureGateDuringTest(t, selectorAuthzDisabled, features.AuthorizeNodeWithSelectors, false)
+ selectorAuthzDisabled := func(t testing.TB) featuregate.FeatureGate {
+ f := utilfeature.DefaultFeatureGate.DeepCopy()
+ featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, f, version.MustParse("1.33"))
+ featuregatetesting.SetFeatureGateDuringTest(t, f, genericfeatures.AuthorizeWithSelectors, false)
+ featuregatetesting.SetFeatureGateDuringTest(t, f, features.AuthorizeNodeWithSelectors, false)
+ return f
+ }

- selectorAuthzEnabled := utilfeature.DefaultFeatureGate.DeepCopy()
- featuregatetesting.SetFeatureGateDuringTest(t, selectorAuthzEnabled, genericfeatures.AuthorizeWithSelectors, true)
- featuregatetesting.SetFeatureGateDuringTest(t, selectorAuthzEnabled, features.AuthorizeNodeWithSelectors, true)
+ selectorAuthzEnabled := func(t testing.TB) featuregate.FeatureGate {
+ return utilfeature.DefaultFeatureGate
+ }

- serviceAccountTokenForCredentialProvidersDisabled := utilfeature.DefaultFeatureGate.DeepCopy()
- featuregatetesting.SetFeatureGateDuringTest(t, serviceAccountTokenForCredentialProvidersDisabled, features.KubeletServiceAccountTokenForCredentialProviders, false)
+ serviceAccountTokenForCredentialProvidersDisabled := func(t testing.TB) featuregate.FeatureGate {
+ f := utilfeature.DefaultFeatureGate.DeepCopy()
+ featuregatetesting.SetFeatureGateDuringTest(t, f, features.KubeletServiceAccountTokenForCredentialProviders, false)
+ return f
+ }

- serviceAccountTokenForCredentialProvidersEnabled := utilfeature.DefaultFeatureGate.DeepCopy()
- featuregatetesting.SetFeatureGateDuringTest(t, serviceAccountTokenForCredentialProvidersEnabled, features.KubeletServiceAccountTokenForCredentialProviders, true)
+ serviceAccountTokenForCredentialProvidersEnabled := func(t testing.TB) featuregate.FeatureGate {
+ f := utilfeature.DefaultFeatureGate.DeepCopy()
+ featuregatetesting.SetFeatureGateDuringTest(t, f, features.KubeletServiceAccountTokenForCredentialProviders, true)
+ return f
+ }

 featureVariants := []struct {
 suffix string
- features featuregate.FeatureGate
+ features func(t testing.TB) featuregate.FeatureGate
 }{
 {suffix: "selector_disabled", features: selectorAuthzDisabled},
 {suffix: "selector_enabled", features: selectorAuthzEnabled},
@@ -99,7 +110,7 @@ func TestNodeAuthorizer(t *testing.T) {
 attrs authorizer.AttributesRecord
 expect authorizer.Decision
 expectReason string
- features featuregate.FeatureGate
+ features func(t testing.TB) featuregate.FeatureGate
 }{
 {
 name: "allowed configmap",
@@ -770,7 +781,7 @@ func TestNodeAuthorizer(t *testing.T) {
 if tc.features == nil {
 for _, variant := range featureVariants {
 t.Run(tc.name+"_"+variant.suffix, func(t *testing.T) {
- authz.features = variant.features
+ authz.features = variant.features(t)
 decision, reason, _ := authz.Authorize(context.Background(), tc.attrs)
 if decision != tc.expect {
 t.Errorf("expected %v, got %v (%s)", tc.expect, decision, reason)
@@ -779,7 +790,7 @@ func TestNodeAuthorizer(t *testing.T) {
 }
 } else {
 t.Run(tc.name, func(t *testing.T) {
- authz.features = tc.features
+ authz.features = tc.features(t)
 decision, reason, _ := authz.Authorize(context.Background(), tc.attrs)
 if decision != tc.expect {
 t.Errorf("expected %v, got %v (%s)", tc.expect, decision, reason)
diff --git a/staging/src/k8s.io/api/authorization/v1/types.go b/staging/src/k8s.io/api/authorization/v1/types.go
index 36f5fa41078..251e776b024 100644
--- a/staging/src/k8s.io/api/authorization/v1/types.go
+++ b/staging/src/k8s.io/api/authorization/v1/types.go
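Review bot: `selectorAuthzEnabled` now returns the live `utilfeature.DefaultFeatureGate` while the other three closures return a `DeepCopy()` with gates explicitly set, so the `selector_enabled` subtest suffix no longer names a deliberately configured state but simply the 1.34 default, in which both selector gates are locked to true. That is correct, but the two suffixes read as symmetric to anyone scanning test output; a comment on the closure such as `// selector authorization is GA and locked on from 1.34, so the unmodified default gate is the "enabled" variant` — or renaming the suffix to `selector_default` — would make the asymmetry explicit. For consistency with the neighbouring closures, and so a future subtest can flip a gate on this variant without touching the shared default, returning `utilfeature.DefaultFeatureGate.DeepCopy()` here too is worth considering. TestNodeAuthorizer's body continues outside the hunk.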
@@ -119,15 +119,9 @@ type ResourceAttributes struct {
 // +optional
 Name string `json:"name,omitempty" protobuf:"bytes,7,opt,name=name"`
 // fieldSelector describes the limitation on access based on field. It can only limit access, not broaden it.
- //
- // This field is alpha-level. To use this field, you must enable the
- // `AuthorizeWithSelectors` feature gate (disabled by default).
 // +optional
 FieldSelector *FieldSelectorAttributes `json:"fieldSelector,omitempty" protobuf:"bytes,8,opt,name=fieldSelector"`
 // labelSelector describes the limitation on access based on labels. It can only limit access, not broaden it.
- //
- // This field is alpha-level. To use this field, you must enable the
- // `AuthorizeWithSelectors` feature gate (disabled by default).
 // +optional
 LabelSelector *LabelSelectorAttributes `json:"labelSelector,omitempty" protobuf:"bytes,9,opt,name=labelSelector"`
 }
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/authorizer/caching_authorizer_test.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/authorizer/caching_authorizer_test.go
index 78779c7aa69..d18615a302e 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/authorizer/caching_authorizer_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/authorizer/caching_authorizer_test.go
@@ -26,9 +26,6 @@ import (
 "k8s.io/apimachinery/pkg/labels"
 "k8s.io/apiserver/pkg/authentication/user"
 "k8s.io/apiserver/pkg/authorization/authorizer"
- genericfeatures "k8s.io/apiserver/pkg/features"
- utilfeature "k8s.io/apiserver/pkg/util/feature"
- featuregatetesting "k8s.io/component-base/featuregate/testing"
 )

 func mustParseLabelSelector(str string) labels.Requirements {
@@ -41,8 +38,6 @@ func mustParseLabelSelector(str string) labels.Requirements {
 }

 func TestCachingAuthorizer(t *testing.T) {
- featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.AuthorizeWithSelectors, true)
-
 type result struct {
 decision authorizer.Decision
 reason string
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/condition_test.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/condition_test.go
index 83329040f6e..046a0db3806 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/condition_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/condition_test.go
@@ -920,7 +920,10 @@ func TestCondition(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.name, func(t *testing.T) {
 environment.DisableBaseEnvSetCachingForTests()
- featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.AuthorizeWithSelectors, tc.enableSelectors)
+ if !tc.enableSelectors {
+ featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.33"))
+ featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.AuthorizeWithSelectors, false)
+ }
 if tc.testPerCallLimit == 0 {
 tc.testPerCallLimit = celconfig.PerCallLimit
diff --git a/staging/src/k8s.io/apiserver/pkg/authorization/cel/compile_test.go b/staging/src/k8s.io/apiserver/pkg/authorization/cel/compile_test.go
index f1ee258e7a8..231f4906fcc 100644
--- a/staging/src/k8s.io/apiserver/pkg/authorization/cel/compile_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/authorization/cel/compile_test.go
@@ -24,6 +24,7 @@ import (
 v1 "k8s.io/api/authorization/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/util/version"
 apiservercel "k8s.io/apiserver/pkg/cel"
 genericfeatures "k8s.io/apiserver/pkg/features"
 utilfeature "k8s.io/apiserver/pkg/util/feature"
@@ -98,7 +99,10 @@ func TestCompileCELExpression(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.name, func(t *testing.T) {
- featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.AuthorizeWithSelectors, tc.authorizeWithSelectorsEnabled)
+ if !tc.authorizeWithSelectorsEnabled {
+ featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.33"))
+ featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.AuthorizeWithSelectors, false)
+ }
 // create new compiler because it depends on the feature gate
 compiler := NewDefaultCompiler()
@@ -117,7 +121,6 @@ func TestCompileCELExpression(t *testing.T) {
 }

 func TestBuildRequestType(t *testing.T) {
- featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.AuthorizeWithSelectors, true)
 f := func(name string, declType *apiservercel.DeclType, required bool) *apiservercel.DeclField {
 return apiservercel.NewDeclField(name, declType, required, nil, nil)
 }
diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/filters/authorization_test.go b/staging/src/k8s.io/apiserver/pkg/endpoints/filters/authorization_test.go
index 49b93e7d8ca..06dc3fcbd88 100644
--- a/staging/src/k8s.io/apiserver/pkg/endpoints/filters/authorization_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/endpoints/filters/authorization_test.go
@@ -27,11 +27,9 @@ import (
 "k8s.io/apimachinery/pkg/fields"
 "k8s.io/apimachinery/pkg/labels"
 "k8s.io/apimachinery/pkg/selection"
- genericfeatures "k8s.io/apiserver/pkg/features"
- utilfeature "k8s.io/apiserver/pkg/util/feature"
- featuregatetesting "k8s.io/component-base/featuregate/testing"

 "github.com/stretchr/testify/assert"
+ batch "k8s.io/api/batch/v1"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/runtime/serializer"
@@ -47,10 +45,9 @@ func TestGetAuthorizerAttributes(t *testing.T) {
 }

 testcases := map[string]struct {
- Verb string
- Path string
- ExpectedAttributes *authorizer.AttributesRecord
- EnableAuthorizationSelector bool
+ Verb string
+ Path string
+ ExpectedAttributes *authorizer.AttributesRecord
 }{
 "non-resource root": {
 Verb: http.MethodPost,
@@ -143,7 +140,6 @@ func TestGetAuthorizerAttributes(t *testing.T) {
 fields.OneTermEqualSelector("foo", "bar").Requirements()[0],
 },
 },
- EnableAuthorizationSelector: true,
 },
 "enabled, bad field selector": {
 Verb: http.MethodGet,
@@ -158,7 +154,6 @@ func TestGetAuthorizerAttributes(t *testing.T) {
 Resource: "jobs",
 FieldSelectorParsingErr: errors.New("invalid selector: '*bar'; can't understand '*bar'"),
 },
- EnableAuthorizationSelector: true,
 },
 "disabled, ignore good label selector": {
 Verb: http.MethodGet,
@@ -188,7 +183,6 @@ func TestGetAuthorizerAttributes(t *testing.T) {
 *basicLabelRequirement,
 },
 },
- EnableAuthorizationSelector: true,
 },
 "enabled, bad label selector": {
 Verb: http.MethodGet,
@@ -203,16 +197,12 @@ func TestGetAuthorizerAttributes(t *testing.T) {
 Resource: "jobs",
 LabelSelectorParsingErr: errors.New("unable to parse requirement: : Invalid value: \"*bar\": name part must consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')"),
 },
- EnableAuthorizationSelector: true,
 },
 }

 for k, tc := range testcases {
 t.Run(k, func(t *testing.T) {
 ctx := t.Context()
- if tc.EnableAuthorizationSelector {
- featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.AuthorizeWithSelectors, true)
- }
 req, _ := http.NewRequestWithContext(ctx, tc.Verb, tc.Path, nil)
 req.RemoteAddr = "127.0.0.1"
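Review bot: The case keyed `"disabled, ignore good label selector"` keeps its name after the `EnableAuthorizationSelector` knob and the `if tc.EnableAuthorizationSelector { ... }` block are removed, so "disabled" no longer refers to anything this test controls, and with the gate locked to true from 1.34 nothing in the table can put the authorizer into a gate-off state anymore. If that case (and any sibling "disabled, ..." field-selector case above this hunk, which I cannot see) is still meant to cover the gate-off path, it needs the 1.33 emulation setup the other test files in this commit use; if it is kept only as a regression case for its current request shape, rename it to say what it actually exercises so the next reader does not assume the disabled path is covered here. A one-line comment above the table stating that all cases now run with selector authorization on would also help. TestGetAuthorizerAttributes starts outside the hunk.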
diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/request/requestinfo_test.go b/staging/src/k8s.io/apiserver/pkg/endpoints/request/requestinfo_test.go
index ec40c26864e..375e4b2b95e 100644
--- a/staging/src/k8s.io/apiserver/pkg/endpoints/request/requestinfo_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/endpoints/request/requestinfo_test.go
@@ -25,9 +25,6 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/sets"
- genericfeatures "k8s.io/apiserver/pkg/features"
- utilfeature "k8s.io/apiserver/pkg/util/feature"
- featuregatetesting "k8s.io/component-base/featuregate/testing"
 )

 func TestGetAPIRequestInfo(t *testing.T) {
@@ -315,8 +312,6 @@ func TestSelectorParsing(t *testing.T) {
 resolver := newTestRequestInfoResolver()

- featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.AuthorizeWithSelectors, true)
-
 for _, tc := range tests {
 ctx := t.Context()
 req, _ := http.NewRequestWithContext(ctx, tc.method, tc.url, nil)
diff --git a/staging/src/k8s.io/apiserver/pkg/features/kube_features.go b/staging/src/k8s.io/apiserver/pkg/features/kube_features.go
index 60b45e63a24..84400b0a0e1 100644
--- a/staging/src/k8s.io/apiserver/pkg/features/kube_features.go
+++ b/staging/src/k8s.io/apiserver/pkg/features/kube_features.go
@@ -301,6 +301,7 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 AuthorizeWithSelectors: {
 {Version: version.MustParse("1.31"), Default: false, PreRelease: featuregate.Alpha},
 {Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.Beta},
+ {Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.37
 },

 BtreeWatchCache: {
diff --git a/staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook_test.go b/staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook_test.go
index 7ad34fa1420..ecb912f78cf 100644
--- a/staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook_test.go
+++ b/staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook_test.go
@@ -26,6 +26,7 @@ import (
 "k8s.io/apimachinery/pkg/fields"
 "k8s.io/apimachinery/pkg/labels"
 "k8s.io/apimachinery/pkg/selection"
+ "k8s.io/apimachinery/pkg/util/version"
 "k8s.io/apiserver/pkg/authorization/authorizer"
 genericfeatures "k8s.io/apiserver/pkg/features"
 utilfeature "k8s.io/apiserver/pkg/util/feature"
@@ -322,7 +323,10 @@ func Test_resourceAttributesFrom(t *testing.T) {
 }

 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
- featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.AuthorizeWithSelectors, tt.enableAuthorizationSelector)
+ if !tt.enableAuthorizationSelector {
+ featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.33"))
+ featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, genericfeatures.AuthorizeWithSelectors, false)
+ }
 if got := resourceAttributesFrom(tt.args.attr); !reflect.DeepEqual(got, tt.want) {
 t.Errorf("resourceAttributesFrom() = %v, want %v", got, tt.want)
diff --git a/staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook_v1_test.go b/staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook_v1_test.go
index 379cad48632..8b5283cca78 100644
--- a/staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook_v1_test.go
+++ b/staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook_v1_test.go
@@ -41,6 +41,7 @@ import (
 "k8s.io/apimachinery/pkg/fields"
 "k8s.io/apimachinery/pkg/labels"
 "k8s.io/apimachinery/pkg/selection"
+ "k8s.io/apimachinery/pkg/util/version"
 "k8s.io/apimachinery/pkg/util/wait"
 "k8s.io/apiserver/pkg/apis/apiserver"
 "k8s.io/apiserver/pkg/authentication/user"
@@ -783,7 +784,10 @@ func TestStructuredAuthzConfigFeatureEnablement(t *testing.T) {
 for i, test := range tests {
 t.Run(test.name, func(t *testing.T) {
- featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.AuthorizeWithSelectors, test.selectorEnabled)
+ if !test.selectorEnabled {
+ featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.33"))
+ featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.AuthorizeWithSelectors, false)
+ }
 // create new compiler because it depends on the feature gate
 compiler := authorizationcel.NewDefaultCompiler()
diff --git a/test/compatibility_lifecycle/reference/versioned_feature_list.yaml b/test/compatibility_lifecycle/reference/versioned_feature_list.yaml
index 4ab412e079f..6c45bcbf34e 100644
--- a/test/compatibility_lifecycle/reference/versioned_feature_list.yaml
+++ b/test/compatibility_lifecycle/reference/versioned_feature_list.yaml
@@ -141,6 +141,10 @@
 lockToDefault: false
 preRelease: Beta
 version: "1.32"
+ - default: true
+ lockToDefault: true
+ preRelease: GA
+ version: "1.34"
 - name: AuthorizeWithSelectors
 versionedSpecs:
 - default: false
@@ -151,6 +155,10 @@
 lockToDefault: false
 preRelease: Beta
 version: "1.32"
+ - default: true
+ lockToDefault: true
+ preRelease: GA
+ version: "1.34"
 - name: BtreeWatchCache
 versionedSpecs:
 - default: true
diff --git a/test/integration/apiserver/cel/authorizerselector/helper.go b/test/integration/apiserver/cel/authorizerselector/helper.go
index eba8109bb0d..881afd1d6fa 100644
--- a/test/integration/apiserver/cel/authorizerselector/helper.go
+++ b/test/integration/apiserver/cel/authorizerselector/helper.go
@@ -30,8 +30,11 @@ import (
 apierrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/sets"
+ "k8s.io/apimachinery/pkg/util/version"
 "k8s.io/apiserver/pkg/cel/environment"
+ utilfeature "k8s.io/apiserver/pkg/util/feature"
 "k8s.io/client-go/kubernetes"
+ featuregatetesting "k8s.io/component-base/featuregate/testing"
 apiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
 "k8s.io/kubernetes/test/integration/framework"
 "k8s.io/utils/ptr"
@@ -46,6 +49,10 @@ func RunAuthzSelectorsLibraryTests(t *testing.T, featureEnabled bool) {
 t.Fatalf("authz selector library was initialized before feature gates were finalized (possibly from an init() or package variable)")
 }

+ if !featureEnabled {
+ featuregatetesting.SetFeatureGateEmulationVersionDuringTest(t, utilfeature.DefaultFeatureGate, version.MustParse("1.33"))
+ }
+
 // Start the server with the desired feature enablement
 server, err := apiservertesting.StartTestServer(t, nil, []string{
 fmt.Sprintf("--feature-gates=AuthorizeNodeWithSelectors=%v,AuthorizeWithSelectors=%v", featureEnabled, featureEnabled),
diff --git a/test/integration/auth/authz_config_test.go b/test/integration/auth/authz_config_test.go
index ef4ff057721..0dd2d75183b 100644
--- a/test/integration/auth/authz_config_test.go
+++ b/test/integration/auth/authz_config_test.go
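Review bot: The new `if !featureEnabled` block lowers the emulated version on the in-process `utilfeature.DefaultFeatureGate` without saying why, and the reason is not local to this file: from 1.34 both `AuthorizeNodeWithSelectors` and `AuthorizeWithSelectors` are `LockToDefault: true`, so the `--feature-gates=...=false` flags handed to `StartTestServer` a few lines below can only take effect if the gate set is emulating an earlier release — whether a locked gate would otherwise be rejected at startup or silently stay on is not visible here and is worth confirming, because a silently-on gate would make the `featureEnabled=false` run test the wrong thing. A why-comment such as `// Both selector gates are locked on from 1.34; emulate 1.33 so the --feature-gates=false flags below are still honored` would spare the next reader the cross-reference, and it would also record that the test server presumably shares the process-global gate, which the "initialized before feature gates were finalized" fatal on the line above already hints at. When the gates are removed in 1.37 per the kube_features.go comments, the `featureEnabled=false` path here should be deleted with them. RunAuthzSelectorsLibraryTests continues outside the hunk.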
@@ -41,13 +41,10 @@ import (
 "k8s.io/apimachinery/pkg/util/wait"
 celmetrics "k8s.io/apiserver/pkg/authorization/cel"
 authorizationmetrics "k8s.io/apiserver/pkg/authorization/metrics"
- "k8s.io/apiserver/pkg/features"
 authzmetrics "k8s.io/apiserver/pkg/server/options/authorizationconfig/metrics"
- utilfeature "k8s.io/apiserver/pkg/util/feature"
 webhookmetrics "k8s.io/apiserver/plugin/pkg/authorizer/webhook/metrics"
 clientset "k8s.io/client-go/kubernetes"
 "k8s.io/client-go/rest"
- featuregatetesting "k8s.io/component-base/featuregate/testing"
 kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
 "k8s.io/kubernetes/test/integration/authutil"
 "k8s.io/kubernetes/test/integration/framework"
@@ -124,7 +121,6 @@ authorizers:
 func TestMultiWebhookAuthzConfig(t *testing.T) {
 authzmetrics.ResetMetricsForTest()
 defer authzmetrics.ResetMetricsForTest()
- featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.AuthorizeWithSelectors, true)
 dir := t.TempDir()