Skip to content

chore: Deprecate the Shoot field .kubeAPIServer.enableAnonymousAuthentication #11984

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
May 2, 2025
Merged

chore: Deprecate the Shoot field .kubeAPIServer.enableAnonymousAuthentication #11984

merged 5 commits into from
May 2, 2025

Conversation

marc1404
Copy link
Member

@marc1404 marc1404 commented Apr 30, 2025
edited
Loading

How to categorize this PR?

/area control-plane
/area robustness
/kind task
/kind api-change

What this PR does / why we need it:

This PR deprecates the Shoot field spec.kubernetes.kubeAPIServer.enableAnonymousAuthentication.
It adds validation that prevents users from configuring the legacy setting in the Shoot spec at the same time as the preferred anonymous authentication configuration.

Once the Kubernetes feature gate AnonymousAuthConfigurableEndpoints graduates, we should forbid setting .kubeAPIServer.enableAnonymousAuthentication in the Shoot spec (it remains in Beta state with Kubernetes v1.33).
Finally, further out in the future, when Gardener only supports Kubernetes versions with the stable AnonymousAuthConfigurableEndpoints feature, we should drop the legacy field altogether.

Which issue(s) this PR fixes:

Fixes #11657

Special notes for your reviewer:

Reviewing the individual commits is easier.

/cc @LucaBernstein @dimityrmirchev

I used #10666 as a reference. Thanks for the well-structured PR @AleksandarSavchev!

Release note:

The `spec.kubernetes.kubeAPIServer.enableAnonymousAuthentication` field in the `Shoot` API is deprecated and will be removed in a future release. Before removal, it will be forbidden to set the field when using a future Kubernetes version that graduates the feature gate `AnonymousAuthConfigurableEndpoints`.

@gardener-prow gardener-prow bot added area/control-plane Control plane related area/robustness Robustness, reliability, resilience related kind/task General task kind/api-change API change with impact on API users cla: yes Indicates the PR's author has signed the cla-assistant.io CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Apr 30, 2025
@marc1404
Copy link
Member Author

Test Integration Operator Garden Garden Suite: [It] Garden controller tests should successfully reconcile and delete a Garden

[FAILED] Timed out after 10.061s.
Expected
    <[]string | len:0, cap:0>: []
to consist of
    <[]string | len:2, cap:2>: [
        "virtual-garden-etcd-main",
        "virtual-garden-etcd-events",
    ]
the missing elements were
    <[]string | len:2, cap:2>: [
        "virtual-garden-etcd-main",
        "virtual-garden-etcd-events",
    ]
In [It] at: /home/prow/go/src/github.com/gardener/gardener/test/integration/operator/garden/garden/garden_test.go:551 @ 04/30/25 14:40:59.34

/test pull-gardener-integration

LucaBernstein
LucaBernstein reviewed Apr 30, 2025
View reviewed changes
Copy link
Member

@LucaBernstein LucaBernstein left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice, thank you for this PR!
/lgtm

@gardener-prow gardener-prow bot added the lgtm Indicates that a PR is ready to be merged. label Apr 30, 2025
rfranzke
rfranzke previously requested changes May 2, 2025
View reviewed changes
Copy link
Member

@rfranzke rfranzke left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you also send a warning when a Shoot specifies this field? https://github.com/gardener/gardener/blob/master/pkg/api/core/shoot/warnings.go

@gardener-prow gardener-prow bot removed the lgtm Indicates that a PR is ready to be merged. label May 2, 2025
@gardener-prow gardener-prow bot requested a review from LucaBernstein May 2, 2025 06:50
@marc1404 marc1404 force-pushed the chore/11657-deprecate-kapi-enable-anonymous-auth branch from d75fb5d to 79eba6d Compare May 2, 2025 07:56
@marc1404 marc1404 force-pushed the chore/11657-deprecate-kapi-enable-anonymous-auth branch from 79eba6d to 9e8c9b7 Compare May 2, 2025 07:57
@marc1404
Copy link
Member Author

marc1404 commented May 2, 2025

Can you also send a warning when a Shoot specifies this field? master/pkg/api/core/shoot/warnings.go

Good idea! Fixed via: 9e8c9b7 (#11984)

@marc1404 marc1404 requested a review from rfranzke May 2, 2025 07:57
rfranzke
rfranzke reviewed May 2, 2025
View reviewed changes
Copy link
Member

@rfranzke rfranzke left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

@gardener-prow gardener-prow bot added the lgtm Indicates that a PR is ready to be merged. label May 2, 2025
@gardener-prow Gardener Prow
Copy link
Contributor

gardener-prow bot commented May 2, 2025

LGTM label has been added.

Git tree hash: 66fb23aea2881cbb2430b8e17837fec9bf3e4f8d

@gardener-prow Gardener Prow
Copy link
Contributor

gardener-prow bot commented May 2, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rfranzke

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@gardener-prow gardener-prow bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 2, 2025
@marc1404
Copy link
Member Author

marc1404 commented May 2, 2025

Test E2E Gardener Suite: [It] Shoot Tests Create Shoot, Rotate Credentials and Delete Shoot Shoot with workers with workers rollout, in-place update strategy Wait for Shoot to be reconciled [Shoot, default, credentials-rotation, basic, with-workers-rollout, in-place]

A spec timeout occurred timedout [TIMEDOUT] A spec timeout occurred
In [It] at: /home/prow/go/src/github.com/gardener/gardener/test/e2e/gardener/shoot/create_rotate_delete.go:103 @ 05/02/25 13:20:48.532

This is the Progress Report generated when the spec timeout occurred:
  Shoot Tests Create Shoot, Rotate Credentials and Delete Shoot Shoot with workers with workers rollout, in-place update strategy Wait for Shoot to be reconciled (Spec Runtime: 30m0s)
    /home/prow/go/src/github.com/gardener/gardener/test/e2e/gardener/shoot/create_rotate_delete.go:103
    In [It] (Node Runtime: 30m0s)
      /home/prow/go/src/github.com/gardener/gardener/test/e2e/gardener/shoot/create_rotate_delete.go:103

    Spec Goroutine
    goroutine 1197 [select]
      github.com/onsi/gomega/internal.(*AsyncAssertion).match(0xc00027dd50, {0x2d1e648, 0xc0008d8920}, 0x1, {0x0, 0x0, 0x0})
        /home/prow/go/pkg/mod/github.com/onsi/gomega@v1.37.0/internal/async_assertion.go:558
      github.com/onsi/gomega/internal.(*AsyncAssertion).Should(0xc00027dd50, {0x2d1e648, 0xc0008d8920}, {0x0, 0x0, 0x0})
        /home/prow/go/pkg/mod/github.com/onsi/gomega@v1.37.0/internal/async_assertion.go:145
    > github.com/gardener/gardener/test/e2e/gardener/shoot.ItShouldWaitForShootToBeReconciledAndHealthy.func1({0x2d375d0, 0xc003f365d0})
        /home/prow/go/src/github.com/gardener/gardener/test/e2e/gardener/shoot/shoot.go:165
          | 	}
          | 	return completed
          > }).WithPolling(30 * time.Second).Should(BeTrue())
          | 
          | s.Log.Info("Shoot has been reconciled and is healthy")
      github.com/onsi/ginkgo/v2/internal.(*Suite).runNode.func3()
        /home/prow/go/pkg/mod/github.com/onsi/ginkgo/v2@v2.23.3/internal/suite.go:894
      github.com/onsi/ginkgo/v2/internal.(*Suite).runNode in goroutine 92
        /home/prow/go/pkg/mod/github.com/onsi/ginkgo/v2@v2.23.3/internal/suite.go:881

    Begin Additional Progress Reports >>
      Expected
          <bool>: false
      to be true
    << End Additional Progress Reports

[FAILED] A spec timeout occurred and then the following failure was recorded in the timedout node before it exited:
Context was cancelled (cause: spec timeout occurred) after 1800.001s.
Expected
    <bool>: false
to be true
In [It] at: /home/prow/go/src/github.com/gardener/gardener/test/e2e/gardener/shoot/shoot.go:165 @ 05/02/25 13:20:48.533

/test pull-gardener-e2e-kind-ipv6

@marc1404 marc1404 dismissed rfranzke’s stale review May 2, 2025 13:26

The requested change has been addressed

@marc1404
Copy link
Member Author

marc1404 commented May 2, 2025
edited
Loading

Test E2E Gardener Suite: [It] Shoot Tests Create Shoot, Rotate Credentials and Delete Shoot Shoot with workers with workers rollout, in-place update strategy Wait for Shoot to be reconciled [Shoot, default, credentials-rotation, basic, with-workers-rollout, in-place]

A spec timeout occurred timedout [TIMEDOUT] A spec timeout occurred
In [It] at: /home/prow/go/src/github.com/gardener/gardener/test/e2e/gardener/shoot/create_rotate_delete.go:103 @ 05/02/25 14:22:38.577

This is the Progress Report generated when the spec timeout occurred:
  Shoot Tests Create Shoot, Rotate Credentials and Delete Shoot Shoot with workers with workers rollout, in-place update strategy Wait for Shoot to be reconciled (Spec Runtime: 30m0.001s)
    /home/prow/go/src/github.com/gardener/gardener/test/e2e/gardener/shoot/create_rotate_delete.go:103
    In [It] (Node Runtime: 30m0s)
      /home/prow/go/src/github.com/gardener/gardener/test/e2e/gardener/shoot/create_rotate_delete.go:103

    Spec Goroutine
    goroutine 831 [select]
      github.com/onsi/gomega/internal.(*AsyncAssertion).match(0xc000268690, {0x2d1e648, 0xc0004101f0}, 0x1, {0x0, 0x0, 0x0})
        /home/prow/go/pkg/mod/github.com/onsi/gomega@v1.37.0/internal/async_assertion.go:558
      github.com/onsi/gomega/internal.(*AsyncAssertion).Should(0xc000268690, {0x2d1e648, 0xc0004101f0}, {0x0, 0x0, 0x0})
        /home/prow/go/pkg/mod/github.com/onsi/gomega@v1.37.0/internal/async_assertion.go:145
    > github.com/gardener/gardener/test/e2e/gardener/shoot.ItShouldWaitForShootToBeReconciledAndHealthy.func1({0x2d375d0, 0xc0031fc210})
        /home/prow/go/src/github.com/gardener/gardener/test/e2e/gardener/shoot/shoot.go:165
          | 	}
          | 	return completed
          > }).WithPolling(30 * time.Second).Should(BeTrue())
          | 
          | s.Log.Info("Shoot has been reconciled and is healthy")
      github.com/onsi/ginkgo/v2/internal.(*Suite).runNode.func3()
        /home/prow/go/pkg/mod/github.com/onsi/ginkgo/v2@v2.23.3/internal/suite.go:894
      github.com/onsi/ginkgo/v2/internal.(*Suite).runNode in goroutine 84
        /home/prow/go/pkg/mod/github.com/onsi/ginkgo/v2@v2.23.3/internal/suite.go:881

    Begin Additional Progress Reports >>
      Expected
          <bool>: false
      to be true
    << End Additional Progress Reports

[FAILED] A spec timeout occurred and then the following failure was recorded in the timedout node before it exited:
Context was cancelled (cause: spec timeout occurred) after 1800.002s.
Expected
    <bool>: false
to be true
In [It] at: /home/prow/go/src/github.com/gardener/gardener/test/e2e/gardener/shoot/shoot.go:165 @ 05/02/25 14:22:38.579

/test pull-gardener-e2e-kind-ipv6

@gardener-prow gardener-prow bot merged commit 5e3c211 into gardener:master May 2, 2025
19 checks passed
@marc1404 marc1404 deleted the chore/11657-deprecate-kapi-enable-anonymous-auth branch May 5, 2025 06:51
@dimityrmirchev dimityrmirchev mentioned this pull request May 28, 2025
Merged
@AleksandarSavchev AleksandarSavchev mentioned this pull request Jun 4, 2025
Merged
@ialidzhikov ialidzhikov mentioned this pull request Jun 4, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rfranzke rfranzke rfranzke left review comments

@dimityrmirchev dimityrmirchev Awaiting requested review from dimityrmirchev

@LucaBernstein LucaBernstein Awaiting requested review from LucaBernstein

Assignees

@LucaBernstein LucaBernstein

@rfranzke rfranzke

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/control-plane Control plane related area/robustness Robustness, reliability, resilience related cla: yes Indicates the PR's author has signed the cla-assistant.io CLA. kind/api-change API change with impact on API users kind/task General task lgtm Indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Deprecate shoot.spec.kubernetes.kubeAPIServer.enableAnonymousAuthentication in favour of AnonymousAuthConfigurableEndpoints
3 participants
@marc1404 @LucaBernstein @rfranzke