feat: drop and lock deprecated features

These features don't make any sense right now, so remove them from the
machine config to reduce clutter.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>

Author: smira

api/lock.binpb

@@ -20,7 +20,6 @@ message APIServerConfigSpec {
   map<string, string> extra_args = 7;
   repeated ExtraVolume extra_volumes = 8;
   map<string, string> environment_variables = 9;
-  bool pod_security_policy_enabled = 10;
   string advertised_address = 11;
   Resources resources = 12;
 }

api/resource/definitions/k8s/k8s.proto

@@ -81,6 +81,18 @@ This field can be set to enable WOL and specify the desired WOL modes.
         title = "Embedded Config"
         description = """\
 Talos Linux now supports [embedding the machine configuration](https://www.talos.dev/v1.12/talos-guides/configuration/acquire/) directly into the boot image.
+"""
+
+    [notes.feature-lock]
+        title = "Feature Lock"
+        description = """\
+Talos now ignores the following machine configuration fields:
+
+- `machine.features.rbac` (locked to true)
+- `machine.features.apidCheckExtKeyUsage` (locked to true)
+- `cluster.apiServer.disablePodSecurityPolicy` (locked to false)
+
+These fields were removed from the default machine configuration schema in v1.12 and are now always set to the locked values above.
 """
 
 [make_deps]

hack/release.toml

@@ -65,9 +65,6 @@ func apidMain() error {
 
 	log.SetFlags(log.Lshortfile | log.Ldate | log.Lmicroseconds | log.Ltime)
 
-	rbacEnabled := flag.Bool("enable-rbac", false, "enable RBAC for Talos API")
-	extKeyUsageCheckEnabled := flag.Bool("enable-ext-key-usage-check", false, "enable check for client certificate ext key usage")
-
 	flag.Parse()
 
 	go runDebugServer(ctx)
@@ -95,9 +92,7 @@ func apidMain() error {
 		return fmt.Errorf("failed to create OS-level TLS configuration: %w", err)
 	}
 
-	if *extKeyUsageCheckEnabled {
-		serverTLSConfig.VerifyPeerCertificate = verifyExtKeyUsage
-	}
+	serverTLSConfig.VerifyPeerCertificate = verifyExtKeyUsage
 
 	clientTLSConfig, err := tlsConfig.ClientConfig()
 	if err != nil {
@@ -168,13 +163,8 @@ func apidMain() error {
 	}
 
 	networkServer := func() *grpc.Server {
-		mode := authz.Disabled
-		if *rbacEnabled {
-			mode = authz.Enabled
-		}
-
 		injector := &authz.Injector{
-			Mode: mode,
+			Mode: authz.Enabled,
 		}
 
 		if debug.Enabled {

internal/app/apid/main.go

@@ -1190,7 +1190,7 @@ func (s *Server) Version(ctx context.Context, in *emptypb.Empty) (reply *machine
 	config := s.Controller.Runtime().Config()
 	if config != nil && config.Machine() != nil {
 		features = &machine.FeaturesInfo{
-			Rbac: config.Machine().Features().RBACEnabled(),
+			Rbac: true,
 		}
 	}
 

internal/app/machined/internal/server/v1alpha1/v1alpha1_server.go

@@ -189,18 +189,17 @@ func NewControlPlaneAPIServerController() *ControlPlaneAPIServerController {
 				}
 
 				*res.TypedSpec() = k8s.APIServerConfigSpec{
-					Image:                    cfgProvider.Cluster().APIServer().Image(),
-					CloudProvider:            cloudProvider,
-					ControlPlaneEndpoint:     cfgProvider.Cluster().Endpoint().String(),
-					EtcdServers:              []string{fmt.Sprintf("https://%s", nethelpers.JoinHostPort("localhost", constants.EtcdClientPort))},
-					LocalPort:                cfgProvider.Cluster().LocalAPIServerPort(),
-					ServiceCIDRs:             cfgProvider.Cluster().Network().ServiceCIDRs(),
-					ExtraArgs:                cfgProvider.Cluster().APIServer().ExtraArgs(),
-					ExtraVolumes:             convertVolumes(cfgProvider.Cluster().APIServer().ExtraVolumes()),
-					EnvironmentVariables:     cfgProvider.Cluster().APIServer().Env(),
-					PodSecurityPolicyEnabled: !cfgProvider.Cluster().APIServer().DisablePodSecurityPolicy(),
-					AdvertisedAddress:        advertisedAddress,
-					Resources:                convertResources(cfgProvider.Cluster().APIServer().Resources()),
+					Image:                cfgProvider.Cluster().APIServer().Image(),
+					CloudProvider:        cloudProvider,
+					ControlPlaneEndpoint: cfgProvider.Cluster().Endpoint().String(),
+					EtcdServers:          []string{fmt.Sprintf("https://%s", nethelpers.JoinHostPort("localhost", constants.EtcdClientPort))},
+					LocalPort:            cfgProvider.Cluster().LocalAPIServerPort(),
+					ServiceCIDRs:         cfgProvider.Cluster().Network().ServiceCIDRs(),
+					ExtraArgs:            cfgProvider.Cluster().APIServer().ExtraArgs(),
+					ExtraVolumes:         convertVolumes(cfgProvider.Cluster().APIServer().ExtraVolumes()),
+					EnvironmentVariables: cfgProvider.Cluster().APIServer().Env(),
+					AdvertisedAddress:    advertisedAddress,
+					Resources:            convertResources(cfgProvider.Cluster().APIServer().Resources()),
 				}
 
 				return nil
@@ -345,8 +344,6 @@ func NewControlPlaneBootstrapManifestsController() *ControlPlaneBootstrapManifes
 					FlannelKubeServiceHost: flannelKubeServiceHost,
 					FlannelKubeServicePort: flannelKubeServicePort,
 
-					PodSecurityPolicyEnabled: !cfgProvider.Cluster().APIServer().DisablePodSecurityPolicy(),
-
 					TalosAPIServiceEnabled: cfgProvider.Machine().Features().KubernetesTalosAPIAccess().Enabled(),
 				}
 

internal/app/machined/pkg/controllers/k8s/control_plane.go

@@ -348,10 +348,6 @@ func (ctrl *ControlPlaneStaticPodController) manageAPIServer(ctx context.Context
 
 	enabledAdmissionPlugins := []string{"NodeRestriction"}
 
-	if cfg.PodSecurityPolicyEnabled {
-		enabledAdmissionPlugins = append(enabledAdmissionPlugins, "PodSecurityPolicy")
-	}
-
 	args := []string{
 		"/usr/local/bin/kube-apiserver",
 	}

internal/app/machined/pkg/controllers/k8s/control_plane_static_pod.go

@@ -162,14 +162,6 @@ func (o *APID) Runner(r runtime.Runtime) (runner.Runner, error) {
 		},
 	}
 
-	if r.Config().Machine().Features().RBACEnabled() {
-		args.ProcessArgs = append(args.ProcessArgs, "--enable-rbac")
-	}
-
-	if r.Config().Machine().Features().ApidCheckExtKeyUsageEnabled() {
-		args.ProcessArgs = append(args.ProcessArgs, "--enable-ext-key-usage-check")
-	}
-
 	// Set the mounts.
 	mounts := []specs.Mount{
 		{Type: "bind", Destination: "/etc/ssl", Source: "/etc/ssl", Options: []string{"bind", "ro"}},