Set --service-account-issuer for k8s 1.20+

kubernetes · Nov 21, 2020 · 9607b99 · 9607b99
1 parent bdfa785
commit 9607b99
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 19 deletions.
diff --git a/pkg/model/components/discovery.go b/pkg/model/components/discovery.go
@@ -36,7 +36,7 @@ func (b *DiscoveryOptionsBuilder) BuildOptions(o interface{}) error {
 	clusterSpec := o.(*kops.ClusterSpec)
 
 	useJWKS := featureflag.PublicJWKS.Enabled()
-	if !useJWKS {
+	if !useJWKS && b.IsKubernetesLT("1.20") {
 		return nil
 	}
 
@@ -46,11 +46,6 @@ func (b *DiscoveryOptionsBuilder) BuildOptions(o interface{}) error {
 
 	kubeAPIServer := clusterSpec.KubeAPIServer
 
-	if kubeAPIServer.FeatureGates == nil {
-		kubeAPIServer.FeatureGates = make(map[string]string)
-	}
-	kubeAPIServer.FeatureGates["ServiceAccountIssuerDiscovery"] = "true"
-
 	if len(kubeAPIServer.APIAudiences) == 0 {
 		kubeAPIServer.APIAudiences = []string{"kubernetes.svc.default"}
 	}
@@ -63,14 +58,21 @@ func (b *DiscoveryOptionsBuilder) BuildOptions(o interface{}) error {
 		kubeAPIServer.ServiceAccountIssuer = &serviceAccountIssuer
 	}
 
-	if kubeAPIServer.ServiceAccountJWKSURI == nil {
-		jwksURL := *kubeAPIServer.ServiceAccountIssuer
-		jwksURL = strings.TrimSuffix(jwksURL, "/") + "/openid/v1/jwks"
+	// We set apiserver ServiceAccountKey and ServiceAccountSigningKeyFile in nodeup
 
-		kubeAPIServer.ServiceAccountJWKSURI = &jwksURL
-	}
+	if useJWKS {
+		if kubeAPIServer.FeatureGates == nil {
+			kubeAPIServer.FeatureGates = make(map[string]string)
+		}
+		kubeAPIServer.FeatureGates["ServiceAccountIssuerDiscovery"] = "true"
 
-	// We set apiserver ServiceAccountKey and ServiceAccountSigningKeyFile in nodeup
+		if kubeAPIServer.ServiceAccountJWKSURI == nil {
+			jwksURL := *kubeAPIServer.ServiceAccountIssuer
+			jwksURL = strings.TrimSuffix(jwksURL, "/") + "/openid/v1/jwks"
+
+			kubeAPIServer.ServiceAccountJWKSURI = &jwksURL
+		}
+	}
 
 	return nil
 }
diff --git a/pkg/model/iam/BUILD.bazel b/pkg/model/iam/BUILD.bazel
@@ -12,7 +12,6 @@ go_library(
     deps = [
         "//pkg/apis/kops:go_default_library",
         "//pkg/apis/kops/model:go_default_library",
-        "//pkg/featureflag:go_default_library",
         "//pkg/util/stringorslice:go_default_library",
         "//pkg/wellknownusers:go_default_library",
         "//upup/pkg/fi:go_default_library",

diff --git a/pkg/model/iam/subject.go b/pkg/model/iam/subject.go
@@ -22,7 +22,6 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/kops/pkg/apis/kops"
-	"k8s.io/kops/pkg/featureflag"
 	"k8s.io/kops/pkg/wellknownusers"
 )
 
@@ -83,11 +82,7 @@ func BuildNodeRoleSubject(igRole kops.InstanceGroupRole) (Subject, error) {
 
 // ServiceAccountIssuer determines the issuer in the ServiceAccount JWTs
 func ServiceAccountIssuer(clusterName string, clusterSpec *kops.ClusterSpec) (string, error) {
-	if featureflag.PublicJWKS.Enabled() {
-		return "https://api." + clusterName, nil
-	}
-
-	return "", fmt.Errorf("ServiceAcccountIssuer not (currently) supported without PublicJWKS")
+	return "https://api." + clusterName, nil
 }
 
 // AddServiceAccountRole adds the appropriate mounts / env vars to enable a pod to use a service-account role