features: set userns related features to have required min kubelet version to 1.30.0

which is the lowest version the kubelet will deny a pod if a userns can't be created

Signed-off-by: Peter Hunt <[email protected]>

Author: haircommander

.golangci.yaml

@@ -23,3 +23,5 @@ issues:
   # Want to make sure that those adding new fields have an
   # opportunity to fix them when running the linter locally.
   max-issues-per-linter: 1000
+  exclude-dirs:
+    - features/

features/features.go

@@ -677,6 +677,7 @@ var (
 						productScope(kubernetes).
 						enhancementPR("https://github.com/kubernetes/enhancements/issues/127").
 						enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+						enableInDefaultWhenRequiredMinimumComponentVersion(configv1.MinimumComponentKubelet, "1.30.0").
 						mustRegister()
 
 	FeatureGateUserNamespacesPodSecurityStandards = newFeatureGate("UserNamespacesPodSecurityStandards").
@@ -685,6 +686,7 @@ var (
 							productScope(kubernetes).
 							enhancementPR("https://github.com/kubernetes/enhancements/issues/127").
 							enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+							enableInDefaultWhenRequiredMinimumComponentVersion(configv1.MinimumComponentKubelet, "1.30.0").
 							mustRegister()
 
 	FeatureGateProcMountType = newFeatureGate("ProcMountType").
@@ -693,6 +695,7 @@ var (
 					productScope(kubernetes).
 					enhancementPR("https://github.com/kubernetes/enhancements/issues/4265").
 					enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+					enableInDefaultWhenRequiredMinimumComponentVersion(configv1.MinimumComponentKubelet, "1.30.0").
 					mustRegister()
 
 	FeatureGateVSphereMultiNetworks = newFeatureGate("VSphereMultiNetworks").

features/util.go

@@ -28,6 +28,11 @@ type FeatureGateDescription struct {
 type FeatureGateEnabledDisabled struct {
 	Enabled  []FeatureGateDescription
 	Disabled []FeatureGateDescription
+	// Map of component -> map of version -> description
+	// It would likely be better as map of component -> map of featureName -> version
+	// but let's revisit that.
+	// TODO FIXME
+	EnabledGivenMinimumVersion map[configv1.MinimumComponent]map[string][]configv1.FeatureGateAttributes
 }
 
 type ClusterProfileName string
@@ -46,11 +51,12 @@ var (
 )
 
 type featureGateBuilder struct {
-	name                string
-	owningJiraComponent string
-	responsiblePerson   string
-	owningProduct       OwningProduct
-	enhancementPRURL    string
+	name                  string
+	owningJiraComponent   string
+	responsiblePerson     string
+	owningProduct         OwningProduct
+	enhancementPRURL      string
+	minimumKubeletVersion string
 
 	statusByClusterProfileByFeatureSet map[ClusterProfileName]map[configv1.FeatureSet]bool
 }
@@ -111,6 +117,11 @@ func (b *featureGateBuilder) enableForClusterProfile(clusterProfile ClusterProfi
 	return b
 }
 
+func (b *featureGateBuilder) enableInDefaultWhenRequiredMinimumComponentVersion(component configv1.MinimumComponent, version string) *featureGateBuilder {
+	b.minimumKubeletVersion = version
+	return b
+}
+
 func (b *featureGateBuilder) register() (configv1.FeatureGateName, error) {
 	if len(b.name) == 0 {
 		return "", fmt.Errorf("missing name")
@@ -142,9 +153,20 @@ func (b *featureGateBuilder) register() (configv1.FeatureGateName, error) {
 	}
 
 	featureGateName := configv1.FeatureGateName(b.name)
+	var minComponentVersions []configv1.MinimumComponentVersion
+	if b.minimumKubeletVersion != "" {
+		if minComponentVersions == nil {
+			minComponentVersions = []configv1.MinimumComponentVersion{}
+		}
+		minComponentVersions = append(minComponentVersions, configv1.MinimumComponentVersion{
+			Component: configv1.MinimumComponentKubelet,
+			Version:   b.minimumKubeletVersion,
+		})
+	}
 	description := FeatureGateDescription{
 		FeatureGateAttributes: configv1.FeatureGateAttributes{
-			Name: featureGateName,
+			Name:                             featureGateName,
+			RequiredMinimumComponentVersions: minComponentVersions,
 		},
 		OwningJiraComponent: b.owningJiraComponent,
 		ResponsiblePerson:   b.responsiblePerson,
@@ -167,6 +189,20 @@ func (b *featureGateBuilder) register() (configv1.FeatureGateName, error) {
 			} else {
 				allFeatureGates[clusterProfile][featureSet].Disabled = append(allFeatureGates[clusterProfile][featureSet].Disabled, description)
 			}
+			if b.minimumKubeletVersion != "" {
+				if allFeatureGates[clusterProfile][featureSet].EnabledGivenMinimumVersion == nil {
+					allFeatureGates[clusterProfile][featureSet].EnabledGivenMinimumVersion = map[configv1.MinimumComponent]map[string][]configv1.FeatureGateAttributes{}
+				}
+				if _, ok := allFeatureGates[clusterProfile][featureSet].EnabledGivenMinimumVersion[configv1.MinimumComponentKubelet]; !ok {
+					allFeatureGates[clusterProfile][featureSet].EnabledGivenMinimumVersion[configv1.MinimumComponentKubelet] = map[string][]configv1.FeatureGateAttributes{}
+				}
+				features, ok := allFeatureGates[clusterProfile][featureSet].EnabledGivenMinimumVersion[configv1.MinimumComponentKubelet][b.minimumKubeletVersion]
+				if !ok {
+					features = []configv1.FeatureGateAttributes{}
+				}
+				// TODO FIXME: This is hellish, is there a better way?
+				allFeatureGates[clusterProfile][featureSet].EnabledGivenMinimumVersion[configv1.MinimumComponentKubelet][b.minimumKubeletVersion] = append(features, description.FeatureGateAttributes)
+			}
 		}
 	}
 

payload-manifests/featuregates/featureGate-Hypershift-Default.yaml

@@ -152,7 +152,13 @@
                         "name": "PlatformOperators"
                     },
                     {
-                        "name": "ProcMountType"
+                        "name": "ProcMountType",
+                        "requiredMinimumComponentVersions": [
+                            {
+                                "component": "Kubelet",
+                                "version": "1.30.0"
+                            }
+                        ]
                     },
                     {
                         "name": "RouteAdvertisements"
@@ -188,10 +194,22 @@
                         "name": "UpgradeStatus"
                     },
                     {
-                        "name": "UserNamespacesPodSecurityStandards"
+                        "name": "UserNamespacesPodSecurityStandards",
+                        "requiredMinimumComponentVersions": [
+                            {
+                                "component": "Kubelet",
+                                "version": "1.30.0"
+                            }
+                        ]
                     },
                     {
-                        "name": "UserNamespacesSupport"
+                        "name": "UserNamespacesSupport",
+                        "requiredMinimumComponentVersions": [
+                            {
+                                "component": "Kubelet",
+                                "version": "1.30.0"
+                            }
+                        ]
                     },
                     {
                         "name": "VSphereConfigurableMaxAllowedBlockVolumesPerNode"

payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml

@@ -234,7 +234,13 @@
                         "name": "PrivateHostedZoneAWS"
                     },
                     {
-                        "name": "ProcMountType"
+                        "name": "ProcMountType",
+                        "requiredMinimumComponentVersions": [
+                            {
+                                "component": "Kubelet",
+                                "version": "1.30.0"
+                            }
+                        ]
                     },
                     {
                         "name": "RouteAdvertisements"
@@ -273,10 +279,22 @@
                         "name": "UpgradeStatus"
                     },
                     {
-                        "name": "UserNamespacesPodSecurityStandards"
+                        "name": "UserNamespacesPodSecurityStandards",
+                        "requiredMinimumComponentVersions": [
+                            {
+                                "component": "Kubelet",
+                                "version": "1.30.0"
+                            }
+                        ]
                     },
                     {
-                        "name": "UserNamespacesSupport"
+                        "name": "UserNamespacesSupport",
+                        "requiredMinimumComponentVersions": [
+                            {
+                                "component": "Kubelet",
+                                "version": "1.30.0"
+                            }
+                        ]
                     },
                     {
                         "name": "VSphereConfigurableMaxAllowedBlockVolumesPerNode"

payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml

@@ -246,7 +246,13 @@
                         "name": "PrivateHostedZoneAWS"
                     },
                     {
-                        "name": "ProcMountType"
+                        "name": "ProcMountType",
+                        "requiredMinimumComponentVersions": [
+                            {
+                                "component": "Kubelet",
+                                "version": "1.30.0"
+                            }
+                        ]
                     },
                     {
                         "name": "RouteAdvertisements"
@@ -273,10 +279,22 @@
                         "name": "UpgradeStatus"
                     },
                     {
-                        "name": "UserNamespacesPodSecurityStandards"
+                        "name": "UserNamespacesPodSecurityStandards",
+                        "requiredMinimumComponentVersions": [
+                            {
+                                "component": "Kubelet",
+                                "version": "1.30.0"
+                            }
+                        ]
                     },
                     {
-                        "name": "UserNamespacesSupport"
+                        "name": "UserNamespacesSupport",
+                        "requiredMinimumComponentVersions": [
+                            {
+                                "component": "Kubelet",
+                                "version": "1.30.0"
+                            }
+                        ]
                     },
                     {
                         "name": "VSphereConfigurableMaxAllowedBlockVolumesPerNode"

payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml

@@ -152,7 +152,13 @@
                         "name": "PlatformOperators"
                     },
                     {
-                        "name": "ProcMountType"
+                        "name": "ProcMountType",
+                        "requiredMinimumComponentVersions": [
+                            {
+                                "component": "Kubelet",
+                                "version": "1.30.0"
+                            }
+                        ]
                     },
                     {
                         "name": "RouteAdvertisements"
@@ -188,10 +194,22 @@
                         "name": "UpgradeStatus"
                     },
                     {
-                        "name": "UserNamespacesPodSecurityStandards"
+                        "name": "UserNamespacesPodSecurityStandards",
+                        "requiredMinimumComponentVersions": [
+                            {
+                                "component": "Kubelet",
+                                "version": "1.30.0"
+                            }
+                        ]
                     },
                     {
-                        "name": "UserNamespacesSupport"
+                        "name": "UserNamespacesSupport",
+                        "requiredMinimumComponentVersions": [
+                            {
+                                "component": "Kubelet",
+                                "version": "1.30.0"
+                            }
+                        ]
                     },
                     {
                         "name": "VSphereConfigurableMaxAllowedBlockVolumesPerNode"

payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml

@@ -234,7 +234,13 @@
                         "name": "PrivateHostedZoneAWS"
                     },
                     {
-                        "name": "ProcMountType"
+                        "name": "ProcMountType",
+                        "requiredMinimumComponentVersions": [
+                            {
+                                "component": "Kubelet",
+                                "version": "1.30.0"
+                            }
+                        ]
                     },
                     {
                         "name": "RouteAdvertisements"
@@ -273,10 +279,22 @@
                         "name": "UpgradeStatus"
                     },
                     {
-                        "name": "UserNamespacesPodSecurityStandards"
+                        "name": "UserNamespacesPodSecurityStandards",
+                        "requiredMinimumComponentVersions": [
+                            {
+                                "component": "Kubelet",
+                                "version": "1.30.0"
+                            }
+                        ]
                     },
                     {
-                        "name": "UserNamespacesSupport"
+                        "name": "UserNamespacesSupport",
+                        "requiredMinimumComponentVersions": [
+                            {
+                                "component": "Kubelet",
+                                "version": "1.30.0"
+                            }
+                        ]
                     },
                     {
                         "name": "VSphereConfigurableMaxAllowedBlockVolumesPerNode"

payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml

@@ -246,7 +246,13 @@
                         "name": "PrivateHostedZoneAWS"
                     },
                     {
-                        "name": "ProcMountType"
+                        "name": "ProcMountType",
+                        "requiredMinimumComponentVersions": [
+                            {
+                                "component": "Kubelet",
+                                "version": "1.30.0"
+                            }
+                        ]
                     },
                     {
                         "name": "RouteAdvertisements"
@@ -273,10 +279,22 @@
                         "name": "UpgradeStatus"
                     },
                     {
-                        "name": "UserNamespacesPodSecurityStandards"
+                        "name": "UserNamespacesPodSecurityStandards",
+                        "requiredMinimumComponentVersions": [
+                            {
+                                "component": "Kubelet",
+                                "version": "1.30.0"
+                            }
+                        ]
                     },
                     {
-                        "name": "UserNamespacesSupport"
+                        "name": "UserNamespacesSupport",
+                        "requiredMinimumComponentVersions": [
+                            {
+                                "component": "Kubelet",
+                                "version": "1.30.0"
+                            }
+                        ]
                     },
                     {
                         "name": "VSphereConfigurableMaxAllowedBlockVolumesPerNode"