From d2d1242815ab093a756bdb87cffbdc2998d78d48 Mon Sep 17 00:00:00 2001 From: "m.nabokikh" Date: Thu, 4 May 2023 11:15:45 +0200 Subject: [PATCH 1/3] KEP-3325: Promote SelfSubjectReview to GA Signed-off-by: m.nabokikh --- .../access-authn-authz/authentication.md | 16 ++++++++-------- .../feature-gates.md | 5 +++-- 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/content/en/docs/reference/access-authn-authz/authentication.md b/content/en/docs/reference/access-authn-authz/authentication.md index ed0c8ef5cfa5f..2ee21013c3445 100644 --- a/content/en/docs/reference/access-authn-authz/authentication.md +++ b/content/en/docs/reference/access-authn-authz/authentication.md @@ -1221,7 +1221,7 @@ The following `ExecCredential` manifest describes a cluster information sample. ## API access to authentication information for a client {#self-subject-review} -{{< feature-state for_k8s_version="v1.27" state="beta" >}} +{{< feature-state for_k8s_version="v1.28" state="stable" >}} If your cluster has the API enabled, you can use the `SelfSubjectReview` API to find out how your Kubernetes cluster maps your authentication information to identify you as a client. This works whether you are authenticating as a user (typically representing @@ -1231,11 +1231,11 @@ a real person) or as a ServiceAccount. Request example (the body would be a `SelfSubjectReview`): ``` -POST /apis/authentication.k8s.io/v1beta1/selfsubjectreviews +POST /apis/authentication.k8s.io/v1/selfsubjectreviews ``` ```json { - "apiVersion": "authentication.k8s.io/v1beta1", + "apiVersion": "authentication.k8s.io/v1", "kind": "SelfSubjectReview" } ``` @@ -1243,7 +1243,7 @@ Response example: ```json { - "apiVersion": "authentication.k8s.io/v1beta1", + "apiVersion": "authentication.k8s.io/v1", "kind": "SelfSubjectReview", "status": { "userInfo": { 
@@ -1286,7 +1286,7 @@ By providing the output flag, it is also possible to print the JSON or YAML repr {{% tab name="JSON" %}} ```json { - "apiVersion": "authentication.k8s.io/v1alpha1", + "apiVersion": "authentication.k8s.io/v1", "kind": "SelfSubjectReview", "status": { "userInfo": { @@ -1315,7 +1315,7 @@ By providing the output flag, it is also possible to print the JSON or YAML repr {{% tab name="YAML" %}} ```yaml -apiVersion: authentication.k8s.io/v1alpha1 +apiVersion: authentication.k8s.io/v1 kind: SelfSubjectReview status: userInfo: @@ -1352,8 +1352,8 @@ By default, all authenticated users can create `SelfSubjectReview` objects when You can only make `SelfSubjectReview` requests if: * the `APISelfSubjectReview` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) - is enabled for your cluster (enabled by default after reaching Beta) -* the API server for your cluster has the `authentication.k8s.io/v1alpha1` or `authentication.k8s.io/v1beta1` + is enabled for your cluster (enabled by default after reaching Beta and will be removed in Kubernetes v1.30) +* the API server for your cluster has the `authentication.k8s.io/v1alpha1`, `authentication.k8s.io/v1beta1`, or `authentication.k8s.io/v1` {{< glossary_tooltip term_id="api-group" text="API group" >}} enabled. {{< /note >}} diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index 8441f0bc1860e..02a873d0ad28d 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md 
@@ -63,8 +63,6 @@ For a reference to old feature gates that are removed, please refer to | `APIPriorityAndFairness` | `true` | Beta | 1.20 | | | `APIResponseCompression` | `false` | Alpha | 1.7 | 1.15 | | `APIResponseCompression` | `true` | Beta | 1.16 | | -| `APISelfSubjectReview` | `false` | Alpha | 1.26 | 1.26 | -| `APISelfSubjectReview` | `true` | Beta | 1.27 | | | `APIServerIdentity` | `false` | Alpha | 1.20 | 1.25 | | `APIServerIdentity` | `true` | Beta | 1.26 | | | `APIServerTracing` | `false` | Alpha | 1.22 | 1.26 | @@ -228,6 +226,9 @@ For a reference to old feature gates that are removed, please refer to | `AdvancedAuditing` | `false` | Alpha | 1.7 | 1.7 | | `AdvancedAuditing` | `true` | Beta | 1.8 | 1.11 | | `AdvancedAuditing` | `true` | GA | 1.12 | - | +| `APISelfSubjectReview` | `false` | Alpha | 1.26 | 1.26 | +| `APISelfSubjectReview` | `true` | Beta | 1.27 | 1.27 | +| `APISelfSubjectReview` | `true` | GA | 1.28 | - | | `CPUManager` | `false` | Alpha | 1.8 | 1.9 | | `CPUManager` | `true` | Beta | 1.10 | 1.25 | | `CPUManager` | `true` | GA | 1.26 | - | From 30841950a6e4204d4fb18809a1b4177dcf198fe9 Mon Sep 17 00:00:00 2001 From: Maksim Nabokikh Date: Thu, 4 May 2023 22:25:45 +0200 Subject: [PATCH 2/3] Apply suggestions from code review Co-authored-by: Tim Bannister --- .../en/docs/reference/access-authn-authz/authentication.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/content/en/docs/reference/access-authn-authz/authentication.md b/content/en/docs/reference/access-authn-authz/authentication.md index 2ee21013c3445..c3bbed6f88ea8 100644 --- a/content/en/docs/reference/access-authn-authz/authentication.md +++ b/content/en/docs/reference/access-authn-authz/authentication.md 
@@ -1352,8 +1352,10 @@ By default, all authenticated users can create `SelfSubjectReview` objects when You can only make `SelfSubjectReview` requests if: * the `APISelfSubjectReview` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) - is enabled for your cluster (enabled by default after reaching Beta and will be removed in Kubernetes v1.30) -* the API server for your cluster has the `authentication.k8s.io/v1alpha1`, `authentication.k8s.io/v1beta1`, or `authentication.k8s.io/v1` + is enabled for your cluster (not needed for Kubernetes {{< skew currentVersion >}}, but older + Kubernetes versions might not offer this feature gate, or might default it to be off) +* (if you are running a version of Kubernetes older than v1.28) the API server for your + cluster has the `authentication.k8s.io/v1alpha1` or `authentication.k8s.io/v1beta1` {{< glossary_tooltip term_id="api-group" text="API group" >}} enabled. {{< /note >}} From c75d30872ae489cbb353593e9fd44b9c6bf5858e Mon Sep 17 00:00:00 2001 From: carlory Date: Mon, 8 May 2023 17:39:23 +0800 Subject: [PATCH 3/3] move DelegateFSGroupToCSIDriver featuregate --- .../command-line-tools-reference/feature-gates-removed.md | 7 +++++++ .../command-line-tools-reference/feature-gates.md | 6 ------ 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates-removed.md b/content/en/docs/reference/command-line-tools-reference/feature-gates-removed.md index 50d1dd29bfc9a..734acc74db072 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates-removed.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates-removed.md 
@@ -117,6 +117,9 @@ In the following table: | `DefaultPodTopologySpread` | `false` | Alpha | 1.19 | 1.19 | | `DefaultPodTopologySpread` | `true` | Beta | 1.20 | 1.23 | | `DefaultPodTopologySpread` | `true` | GA | 1.24 | 1.25 | +| `DelegateFSGroupToCSIDriver` | `false` | Alpha | 1.22 | 1.22 | +| `DelegateFSGroupToCSIDriver` | `true` | Beta | 1.23 | 1.25 | +| `DelegateFSGroupToCSIDriver` | `true` | GA | 1.26 | 1.27 | | `DynamicAuditing` | `false` | Alpha | 1.13 | 1.18 | | `DynamicAuditing` | - | Deprecated | 1.19 | 1.19 | | `DynamicKubeletConfig` | `false` | Alpha | 1.4 | 1.10 | @@ -511,6 +514,10 @@ In the following table: - `DefaultPodTopologySpread`: Enables the use of `PodTopologySpread` scheduling plugin to do [default spreading](/docs/concepts/scheduling-eviction/topology-spread-constraints/#internal-default-constraints). +- `DelegateFSGroupToCSIDriver`: If supported by the CSI driver, delegates the + role of applying `fsGroup` from a Pod's `securityContext` to the driver by + passing `fsGroup` through the NodeStageVolume and NodePublishVolume CSI calls. + - `DynamicAuditing`: Used to enable dynamic auditing before v1.19. - `DynamicKubeletConfig`: Enable the dynamic configuration of kubelet. The diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md index 02a873d0ad28d..388bb46b4186c 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md 
@@ -268,9 +268,6 @@ For a reference to old feature gates that are removed, please refer to | `DaemonSetUpdateSurge` | `false` | Alpha | 1.21 | 1.21 | | `DaemonSetUpdateSurge` | `true` | Beta | 1.22 | 1.24 | | `DaemonSetUpdateSurge` | `true` | GA | 1.25 | - | -| `DelegateFSGroupToCSIDriver` | `false` | Alpha | 1.22 | 1.22 | -| `DelegateFSGroupToCSIDriver` | `true` | Beta | 1.23 | 1.25 | -| `DelegateFSGroupToCSIDriver` | `true` | GA | 1.26 |-| | `DevicePlugins` | `false` | Alpha | 1.8 | 1.9 | | `DevicePlugins` | `true` | Beta | 1.10 | 1.25 | | `DevicePlugins` | `true` | GA | 1.26 | - | @@ -509,9 +506,6 @@ Each feature gate is designed for enabling/disabling a specific feature: - `DaemonSetUpdateSurge`: Enables the DaemonSet workloads to maintain availability during update per node. See [Perform a Rolling Update on a DaemonSet](/docs/tasks/manage-daemon/update-daemon-set/). -- `DelegateFSGroupToCSIDriver`: If supported by the CSI driver, delegates the - role of applying `fsGroup` from a Pod's `securityContext` to the driver by - passing `fsGroup` through the NodeStageVolume and NodePublishVolume CSI calls. - `DevicePlugins`: Enable the [device-plugins](/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/) based resource provisioning on nodes. - `DisableAcceleratorUsageMetrics`:
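Review bot: In PATCH 1/3, the `@@ -1221,7 +1221,7 @@` and `@@ -1231,11 +1231,11 @@` hunks of authentication.md switch the request path and every `apiVersion` in the examples to `authentication.k8s.io/v1`, but nothing near the examples says which API version a reader on an older cluster should use. The only hint is the note much further down, which still lists `v1alpha1` and `v1beta1`. The unchanged sentence "If your cluster has the API enabled" also remains directly under the new `state="stable"` shortcode and reads as if the API were still optional. Suggest rewording that sentence for the stable state, and adding one line after the request example that points readers on releases before v1.28 to the version note at the end of the section.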
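Review bot: In PATCH 2/3, the `@@ -1352,8 +1352,10 @@` hunk of authentication.md, the first bullet ties the feature gate to `{{< skew currentVersion >}}` while the second bullet hardcodes "older than v1.28". Once the page is built for a later release, the two bullets will name different versions for the same cut-over, so use v1.28 in both. The list is still introduced by "You can only make `SelfSubjectReview` requests if:", yet the first bullet now says the gate is "not needed", so it no longer reads as a condition. Wording it like the second bullet, for example "(if you are running a version of Kubernetes older than v1.28) the `APISelfSubjectReview` feature gate is enabled", would keep the list consistent.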
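Review bot: In PATCH 3/3, the `@@ -117,6 +117,9 @@` hunk of feature-gates-removed.md adds the GA row with an "Until" value of `1.27`, while the row deleted from feature-gates.md in `@@ -268,9 +268,6 @@` had it empty (`| 1.26 |-|`). The commit therefore changes data as well as location, and the subject "move DelegateFSGroupToCSIDriver featuregate" does not say so. Please state in the message that the gate is removed after 1.27 so the new value can be checked against the release. This commit also has a different author and touches nothing related to KEP-3325, so it would be easier to review and revert as its own change rather than as 3/3 of the SelfSubjectReview series.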