UPSTREAM: <carry>: Add kube feature gate for global service account

cnvergence · gman0 · commit 953e38d2355a · 2025-04-24T09:06:55.000+02:00
TODO: this commit may be dropped once kcp-dev/kcp#3274 and related issues are done Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> On-behalf-of: @SAP karol.szwaj@sap.com
diff --git a/pkg/features/kube_features.go b/pkg/features/kube_features.go
@@ -875,6 +875,13 @@ const (
 	//
 	// Enables specifying resources at pod-level.
 	PodLevelResources featuregate.Feature = "PodLevelResources"
+
+	// TODO(cnvergence): Remove when not applicable
+	// owner: @cnvergence
+	// alpha: v1.31
+	//
+	// GlobalServiceAccount is a feature gate that enables the cross-workspace service accounts feature.
+	GlobalServiceAccount featuregate.Feature = "GlobalServiceAccount"
 )
 
 func init() {
diff --git a/pkg/features/versioned_kube_features.go b/pkg/features/versioned_kube_features.go
@@ -838,4 +838,8 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 	zpagesfeatures.ComponentStatusz: {
 		{Version: version.MustParse("1.32"), Default: false, PreRelease: featuregate.Alpha},
 	},
+
+	GlobalServiceAccount: {
+		{Version: version.MustParse("1.31"), Default: false, PreRelease: featuregate.Alpha},
+	},
 }
diff --git a/pkg/registry/rbac/validation/kcp.go b/pkg/registry/rbac/validation/kcp.go
@@ -12,6 +12,8 @@ import (
 	authserviceaccount "k8s.io/apiserver/pkg/authentication/serviceaccount"
 	"k8s.io/apiserver/pkg/authentication/user"
 	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	"k8s.io/kubernetes/pkg/features"
 )
 
 const (
@@ -88,6 +90,7 @@ func EffectiveUsers(clusterName logicalcluster.Name, u user.Info) []user.Info {
 
 	var wantAuthenticated bool
 	var wantUnauthenticated bool
+	globalsa := utilfeature.DefaultFeatureGate.Enabled(features.GlobalServiceAccount)
 
 	var recursive func(u user.Info)
 	recursive = func(u user.Info) {
@@ -105,7 +108,7 @@ func EffectiveUsers(clusterName logicalcluster.Name, u user.Info) []user.Info {
 			wantUnauthenticated = wantUnauthenticated || !found
 		}
 
-		if IsServiceAccount(u) {
+		if IsServiceAccount(u) && globalsa {
 			if clusters := u.GetExtra()[authserviceaccount.ClusterNameKey]; len(clusters) == 1 {
 				nsNameSuffix := strings.TrimPrefix(u.GetName(), "system:serviceaccount:")
 				rewritten := &user.DefaultInfo{

Original file line number	Diff line number	Diff line change
`@@ -838,4 +838,8 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate`
`838`	`838`	`zpagesfeatures.ComponentStatusz: {`
`839`	`839`	`{Version: version.MustParse("1.32"), Default: false, PreRelease: featuregate.Alpha},`
`840`	`840`	`},`
	`841`	`+`
	`842`	`+ GlobalServiceAccount: {`
	`843`	`+ {Version: version.MustParse("1.31"), Default: false, PreRelease: featuregate.Alpha},`
	`844`	`+ },`
`841`	`845`	`}`