feat: graduate ResourceQuotaScopeSelectors to GA - part2

pkg/BUILD

@@ -17,7 +17,6 @@ filegroup(
         "//pkg/api/persistentvolumeclaim:all-srcs",
         "//pkg/api/pod:all-srcs",
         "//pkg/api/podsecuritypolicy:all-srcs",
-        "//pkg/api/resourcequota:all-srcs",
         "//pkg/api/service:all-srcs",
         "//pkg/api/testapi:all-srcs",
         "//pkg/api/testing:all-srcs",

pkg/features/kube_features.go

@@ -308,7 +308,7 @@ const (
 
 	// owner: @vikaschoudhary16
 	// beta: v1.12
-	//
+	// ga: v1.17
 	//
 	// Enable resource quota scope selectors
 	ResourceQuotaScopeSelectors featuregate.Feature = "ResourceQuotaScopeSelectors"
@@ -556,7 +556,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
 	VolumeSubpath:                  {Default: true, PreRelease: featuregate.GA},
 	BalanceAttachedNodeVolumes:     {Default: false, PreRelease: featuregate.Alpha},
 	VolumeSubpathEnvExpansion:      {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.19,
-	ResourceQuotaScopeSelectors:    {Default: true, PreRelease: featuregate.Beta},
+	ResourceQuotaScopeSelectors:    {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.18
 	CSIBlockVolume:                 {Default: true, PreRelease: featuregate.Beta},
 	CSIInlineVolume:                {Default: true, PreRelease: featuregate.Beta},
 	RuntimeClass:                   {Default: true, PreRelease: featuregate.Beta},

pkg/registry/core/resourcequota/BUILD

@@ -15,7 +15,6 @@ go_library(
     importpath = "k8s.io/kubernetes/pkg/registry/core/resourcequota",
     deps = [
         "//pkg/api/legacyscheme:go_default_library",
-        "//pkg/api/resourcequota:go_default_library",
         "//pkg/apis/core:go_default_library",
         "//pkg/apis/core/validation:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",

pkg/registry/core/resourcequota/strategy.go

@@ -23,7 +23,6 @@ import (
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/apiserver/pkg/storage/names"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
-	resourcequotautil "k8s.io/kubernetes/pkg/api/resourcequota"
 	api "k8s.io/kubernetes/pkg/apis/core"
 	"k8s.io/kubernetes/pkg/apis/core/validation"
 )
@@ -47,15 +46,13 @@ func (resourcequotaStrategy) NamespaceScoped() bool {
 func (resourcequotaStrategy) PrepareForCreate(ctx context.Context, obj runtime.Object) {
 	resourcequota := obj.(*api.ResourceQuota)
 	resourcequota.Status = api.ResourceQuotaStatus{}
-	resourcequotautil.DropDisabledFields(&resourcequota.Spec, nil)
 }
 
 // PrepareForUpdate clears fields that are not allowed to be set by end users on update.
 func (resourcequotaStrategy) PrepareForUpdate(ctx context.Context, obj, old runtime.Object) {
 	newResourcequota := obj.(*api.ResourceQuota)
 	oldResourcequota := old.(*api.ResourceQuota)
 	newResourcequota.Status = oldResourcequota.Status
-	resourcequotautil.DropDisabledFields(&newResourcequota.Spec, &oldResourcequota.Spec)
 }
 
 // Validate validates a new resourcequota.

plugin/pkg/admission/priority/BUILD

@@ -35,12 +35,10 @@ go_library(
     deps = [
         "//pkg/apis/core:go_default_library",
         "//pkg/apis/scheduling:go_default_library",
-        "//pkg/apis/scheduling/v1:go_default_library",
         "//pkg/features:go_default_library",
         "//staging/src/k8s.io/api/core/v1:go_default_library",
         "//staging/src/k8s.io/api/scheduling/v1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library",
-        "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/labels:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/admission:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/admission/initializer:go_default_library",

plugin/pkg/admission/priority/admission.go

@@ -24,7 +24,6 @@ import (
 	apiv1 "k8s.io/api/core/v1"
 	schedulingv1 "k8s.io/api/scheduling/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apiserver/pkg/admission"
 	genericadmissioninitializers "k8s.io/apiserver/pkg/admission/initializer"
@@ -35,7 +34,6 @@ import (
 	"k8s.io/kubernetes/pkg/apis/core"
 	api "k8s.io/kubernetes/pkg/apis/core"
 	"k8s.io/kubernetes/pkg/apis/scheduling"
-	schedulingapiv1 "k8s.io/kubernetes/pkg/apis/scheduling/v1"
 	"k8s.io/kubernetes/pkg/features"
 )
 
@@ -54,10 +52,9 @@ func Register(plugins *admission.Plugins) {
 // Plugin is an implementation of admission.Interface.
 type Plugin struct {
 	*admission.Handler
-	client                          kubernetes.Interface
-	lister                          schedulingv1listers.PriorityClassLister
-	resourceQuotaFeatureGateEnabled bool
-	nonPreemptingPriority           bool
+	client                kubernetes.Interface
+	lister                schedulingv1listers.PriorityClassLister
+	nonPreemptingPriority bool
 }
 
 var _ admission.MutationInterface = &Plugin{}
@@ -87,7 +84,6 @@ func (p *Plugin) ValidateInitialization() error {
 // InspectFeatureGates allows setting bools without taking a dep on a global variable
 func (p *Plugin) InspectFeatureGates(featureGates featuregate.FeatureGate) {
 	p.nonPreemptingPriority = featureGates.Enabled(features.NonPreemptingPriority)
-	p.resourceQuotaFeatureGateEnabled = featureGates.Enabled(features.ResourceQuotaScopeSelectors)
 }
 
 // SetExternalKubeClientSet implements the WantsInternalKubeClientSet interface.
@@ -147,20 +143,6 @@ func (p *Plugin) Validate(ctx context.Context, a admission.Attributes, o admissi
 	}
 }
 
-// priorityClassPermittedInNamespace returns true if we allow the given priority class name in the
-// given namespace. It currently checks that system priorities are created only in the system namespace.
-func priorityClassPermittedInNamespace(priorityClassName string, namespace string) bool {
-	// Only allow system priorities in the system namespace. This is to prevent abuse or incorrect
-	// usage of these priorities. Pods created at these priorities could preempt system critical
-	// components.
-	for _, spc := range schedulingapiv1.SystemPriorityClasses() {
-		if spc.Name == priorityClassName && namespace != metav1.NamespaceSystem {
-			return false
-		}
-	}
-	return true
-}
-
 // admitPod makes sure a new pod does not set spec.Priority field. It also makes sure that the PriorityClassName exists if it is provided and resolves the pod priority from the PriorityClassName.
 func (p *Plugin) admitPod(a admission.Attributes) error {
 	operation := a.GetOperation()
@@ -196,15 +178,6 @@ func (p *Plugin) admitPod(a admission.Attributes) error {
 			}
 			pod.Spec.PriorityClassName = pcName
 		} else {
-			pcName := pod.Spec.PriorityClassName
-			// If ResourceQuotaScopeSelectors is enabled, we should let pods with critical priorityClass to be created
-			// any namespace where administrator wants it to be created.
-			if !p.resourceQuotaFeatureGateEnabled {
-				if !priorityClassPermittedInNamespace(pcName, a.GetNamespace()) {
-					return admission.NewForbidden(a, fmt.Errorf("pods with %v priorityClass is not permitted in %v namespace", pcName, a.GetNamespace()))
-				}
-			}
-
 			// Try resolving the priority class name.
 			pc, err := p.lister.Get(pod.Spec.PriorityClassName)
 			if err != nil {

plugin/pkg/admission/priority/admission_test.go

@@ -682,7 +682,6 @@ func TestPodAdmission(t *testing.T) {
 	for _, test := range tests {
 		klog.V(4).Infof("starting test %q", test.name)
 		ctrl := NewPlugin()
-		ctrl.resourceQuotaFeatureGateEnabled = true
 		ctrl.nonPreemptingPriority = true
 		// Add existing priority classes.
 		if err := addPriorityClasses(ctrl, test.existingClasses); err != nil {