From 9142511e6b1337c6a173f223f97ed137260b5d78 Mon Sep 17 00:00:00 2001
From: Karol Szwaj
Date: Wed, 12 Mar 2025 12:23:29 +0100
Subject: [PATCH] add kube feature gate for global service account

Signed-off-by: Karol Szwaj
On-behalf-of: @SAP karol.szwaj@sap.com
---
 pkg/features/kube_features.go | 8 ++++++++
 pkg/registry/rbac/validation/kcp.go | 5 ++++-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/pkg/features/kube_features.go b/pkg/features/kube_features.go
index 519d448dd5760..6f137f8233448 100644
--- a/pkg/features/kube_features.go
+++ b/pkg/features/kube_features.go
@@ -987,6 +987,13 @@ const (
 //
 // Enables the image volume source.
 ImageVolume featuregate.Feature = "ImageVolume"
+
+ // TODO(cnvergence): Remove when not applicable
+ // owner: @cnvergence
+ // alpha: v1.31
+ //
+ // GlobalServiceAccount is a feature gate that enables the cross-workspace service accounts feature.
+ GlobalServiceAccount featuregate.Feature = "GlobalServiceAccount"
 )
 
 func init() {
@@ -1333,4 +1340,5 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
 StorageNamespaceIndex: {Default: true, PreRelease: featuregate.Beta},
 RecursiveReadOnlyMounts: {Default: true, PreRelease: featuregate.Beta},
+ GlobalServiceAccount: {Default: false, PreRelease: featuregate.Alpha},
 }
diff --git a/pkg/registry/rbac/validation/kcp.go b/pkg/registry/rbac/validation/kcp.go
index b31c2e7f3a9a7..967f671c90b80 100644
--- a/pkg/registry/rbac/validation/kcp.go
+++ b/pkg/registry/rbac/validation/kcp.go
@@ -12,6 +12,8 @@ import (
 authserviceaccount "k8s.io/apiserver/pkg/authentication/serviceaccount"
 "k8s.io/apiserver/pkg/authentication/user"
 genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
+ utilfeature "k8s.io/apiserver/pkg/util/feature"
+ "k8s.io/kubernetes/pkg/features"
 )
 
 const (
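Review bot: The doc comment on the new `GlobalServiceAccount` constant only says it "enables the cross-workspace service accounts feature", which does not tell a reader of kube_features.go what behavior the gate actually switches; the one use this patch adds is the `&& globalsa` guard around the service-account identity rewrite in pkg/registry/rbac/validation/kcp.go. I would point the description there, e.g. `// GlobalServiceAccount gates the rewriting of service-account users to their cross-workspace identity in pkg/registry/rbac/validation (EffectiveUsers); when off, that rewrite is skipped.` The `TODO(cnvergence): Remove when not applicable` line does not say what makes it inapplicable; naming the condition (the gate graduating, or the feature landing upstream) would make it actionable. The `Default: false, PreRelease: featuregate.Alpha` entry in the second hunk is consistent with the comment's `alpha: v1.31` and needs no change.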
@@ -88,6 +90,7 @@ func EffectiveUsers(clusterName logicalcluster.Name, u user.Info) []user.Info {
 var wantAuthenticated bool
 var wantUnauthenticated bool
+ globalsa := utilfeature.DefaultFeatureGate.Enabled(features.GlobalServiceAccount)
 var recursive func(u user.Info)
 recursive = func(u user.Info) {
@@ -105,7 +108,7 @@ func EffectiveUsers(clusterName logicalcluster.Name, u user.Info) []user.Info {
 wantUnauthenticated = wantUnauthenticated || !found
 }
 
- if IsServiceAccount(u) {
+ if IsServiceAccount(u) && globalsa {
 if clusters := u.GetExtra()[authserviceaccount.ClusterNameKey]; len(clusters) == 1 {
 nsNameSuffix := strings.TrimPrefix(u.GetName(), "system:serviceaccount:")
 rewritten := &user.DefaultInfo{
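Review bot: The new local `globalsa` does not follow the file's Go naming convention for initialisms (`ServiceAccount` is abbreviated `SA` elsewhere in Kubernetes), and the line carries no hint that it is a feature-gate snapshot consumed inside the `recursive` closure further down. I would rename it and say why it is read once here rather than per recursion step: `// Snapshot the gate once per call; the closure below uses it to decide whether service accounts get a cross-workspace identity.` followed by `globalSA := utilfeature.DefaultFeatureGate.Enabled(features.GlobalServiceAccount)` (and `globalSA` at the use site in the next hunk). Reading `utilfeature.DefaultFeatureGate` also means any unit test of EffectiveUsers has to flip the global gate (featuregatetesting.SetFeatureGateDuringTest from k8s.io/component-base/featuregate/testing is the usual way); none is added here. EffectiveUsers starts before this hunk and the closure body continues past it.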
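Review bot: With the gate registered as `Default: false` in kube_features.go, `if IsServiceAccount(u) && globalsa {` turns a rewrite that was unconditional before this patch into one that is skipped for every service account unless an operator explicitly enables `GlobalServiceAccount`, so an upgraded server with default gates changes which identities EffectiveUsers reports for service accounts and any binding that matched the rewritten identity stops matching. If that is the intended rollout, the commit message and the gate description should say so; if not, the default (or the gate's stage) is wrong. Either way this branch needs a test for both gate states, and a comment on the condition would spare the next reader a trip to kube_features.go: `// The cross-workspace rewrite only applies when GlobalServiceAccount is enabled; otherwise this block is skipped.` The `if` body continues beyond the hunk, so what a skipped service account resolves to is not visible here and should be checked in the full function.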