implement LegacyServiceAccountTokenCleanUp alpha

2025-11-01 10:48:15 +00:00 · 2022-12-27 17:23:05 +00:00
parent 61ca72b541
commit 133eff3df4
24 changed files with 1134 additions and 16 deletions
--- a/cmd/kube-controller-manager/app/controllermanager.go
+++ b/cmd/kube-controller-manager/app/controllermanager.go
@@ -483,6 +483,9 @@ func NewControllerInitializers(loopMode ControllerLoopMode) map[string]InitFunc
 	if utilfeature.DefaultFeatureGate.Enabled(kubefeatures.DynamicResourceAllocation) {
 		register("resource-claim-controller", startResourceClaimController)
 	}
+	if utilfeature.DefaultFeatureGate.Enabled(kubefeatures.LegacyServiceAccountTokenCleanUp) {
+		register("legacy-service-account-token-cleaner", startLegacySATokenCleaner)
+	}

 	return controllers
 }
--- a/cmd/kube-controller-manager/app/core.go
+++ b/cmd/kube-controller-manager/app/core.go
@@ -68,6 +68,7 @@ import (
 	"k8s.io/kubernetes/pkg/controller/volume/pvprotection"
 	quotainstall "k8s.io/kubernetes/pkg/quota/v1/install"
 	"k8s.io/kubernetes/pkg/volume/csimigration"
+	"k8s.io/utils/clock"
 	netutils "k8s.io/utils/net"
 )

@@ -581,6 +582,25 @@ func startTTLAfterFinishedController(ctx context.Context, controllerContext Cont
 	return nil, true, nil
 }

+func startLegacySATokenCleaner(ctx context.Context, controllerContext ControllerContext) (controller.Interface, bool, error) {
+	cleanUpPeriod := controllerContext.ComponentConfig.LegacySATokenCleaner.CleanUpPeriod.Duration
+	legacySATokenCleaner, err := serviceaccountcontroller.NewLegacySATokenCleaner(
+		controllerContext.InformerFactory.Core().V1().ServiceAccounts(),
+		controllerContext.InformerFactory.Core().V1().Secrets(),
+		controllerContext.InformerFactory.Core().V1().Pods(),
+		controllerContext.ClientBuilder.ClientOrDie("legacy-service-account-token-cleaner"),
+		clock.RealClock{},
+		serviceaccountcontroller.LegacySATokenCleanerOptions{
+			CleanUpPeriod: cleanUpPeriod,
+			SyncInterval:  serviceaccountcontroller.DefaultCleanerSyncInterval,
+		})
+	if err != nil {
+		return nil, true, fmt.Errorf("failed to start the legacy service account token cleaner: %v", err)
+	}
+	go legacySATokenCleaner.Run(ctx)
+	return nil, true, nil
+}
+
 // processCIDRs is a helper function that works on a comma separated cidrs and returns
 // a list of typed cidrs
 // error if failed to parse any of the cidrs or invalid length of cidrs
--- a/cmd/kube-controller-manager/app/options/legacyserviceaccounttokencleaner.go
+++ b/cmd/kube-controller-manager/app/options/legacyserviceaccounttokencleaner.go
@@ -0,0 +1,58 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package options
+
+import (
+	"github.com/spf13/pflag"
+
+	serviceaccountconfig "k8s.io/kubernetes/pkg/controller/serviceaccount/config"
+)
+
+// LegacySATokenCleanerOptions holds the LegacySATokenCleaner options.
+type LegacySATokenCleanerOptions struct {
+	*serviceaccountconfig.LegacySATokenCleanerConfiguration
+}
+
+// AddFlags adds flags related to LegacySATokenCleaner for controller manager to the specified FlagSet
+func (o *LegacySATokenCleanerOptions) AddFlags(fs *pflag.FlagSet) {
+	if o == nil {
+		return
+	}
+
+	fs.DurationVar(&o.CleanUpPeriod.Duration, "legacy-service-account-token-clean-up-period", o.CleanUpPeriod.Duration, "The period of time since the last usage of an legacy service account token before it can be deleted.")
+}
+
+// ApplyTo fills up LegacySATokenCleaner config with options.
+func (o *LegacySATokenCleanerOptions) ApplyTo(cfg *serviceaccountconfig.LegacySATokenCleanerConfiguration) error {
+	if o == nil {
+		return nil
+	}
+
+	cfg.CleanUpPeriod = o.CleanUpPeriod
+
+	return nil
+}
+
+// Validate checks validation of LegacySATokenCleanerOptions.
+func (o *LegacySATokenCleanerOptions) Validate() []error {
+	if o == nil {
+		return nil
+	}
+
+	errs := []error{}
+	return errs
+}
--- a/cmd/kube-controller-manager/app/options/options.go
+++ b/cmd/kube-controller-manager/app/options/options.go
@@ -74,6 +74,7 @@ type KubeControllerManagerOptions struct {
 	HPAController                    *HPAControllerOptions
 	JobController                    *JobControllerOptions
 	CronJobController                *CronJobControllerOptions
+	LegacySATokenCleaner             *LegacySATokenCleanerOptions
 	NamespaceController              *NamespaceControllerOptions
 	NodeIPAMController               *NodeIPAMControllerOptions
 	NodeLifecycleController          *NodeLifecycleControllerOptions
@@ -150,6 +151,9 @@ func NewKubeControllerManagerOptions() (*KubeControllerManagerOptions, error) {
 		CronJobController: &CronJobControllerOptions{
 			&componentConfig.CronJobController,
 		},
+		LegacySATokenCleaner: &LegacySATokenCleanerOptions{
+			&componentConfig.LegacySATokenCleaner,
+		},
 		NamespaceController: &NamespaceControllerOptions{
 			&componentConfig.NamespaceController,
 		},
@@ -244,6 +248,7 @@ func (s *KubeControllerManagerOptions) Flags(allControllers []string, disabledBy
 	s.HPAController.AddFlags(fss.FlagSet("horizontalpodautoscaling controller"))
 	s.JobController.AddFlags(fss.FlagSet("job controller"))
 	s.CronJobController.AddFlags(fss.FlagSet("cronjob controller"))
+	s.LegacySATokenCleaner.AddFlags(fss.FlagSet("legacy service account token cleaner"))
 	s.NamespaceController.AddFlags(fss.FlagSet("namespace controller"))
 	s.NodeIPAMController.AddFlags(fss.FlagSet("nodeipam controller"))
 	s.NodeLifecycleController.AddFlags(fss.FlagSet("nodelifecycle controller"))
@@ -315,6 +320,9 @@ func (s *KubeControllerManagerOptions) ApplyTo(c *kubecontrollerconfig.Config) e
 	if err := s.CronJobController.ApplyTo(&c.ComponentConfig.CronJobController); err != nil {
 		return err
 	}
+	if err := s.LegacySATokenCleaner.ApplyTo(&c.ComponentConfig.LegacySATokenCleaner); err != nil {
+		return err
+	}
 	if err := s.NamespaceController.ApplyTo(&c.ComponentConfig.NamespaceController); err != nil {
 		return err
 	}
@@ -382,6 +390,7 @@ func (s *KubeControllerManagerOptions) Validate(allControllers []string, disable
 	errs = append(errs, s.HPAController.Validate()...)
 	errs = append(errs, s.JobController.Validate()...)
 	errs = append(errs, s.CronJobController.Validate()...)
+	errs = append(errs, s.LegacySATokenCleaner.Validate()...)
 	errs = append(errs, s.NamespaceController.Validate()...)
 	errs = append(errs, s.NodeIPAMController.Validate()...)
 	errs = append(errs, s.NodeLifecycleController.Validate()...)
--- a/cmd/kube-controller-manager/app/options/options_test.go
+++ b/cmd/kube-controller-manager/app/options/options_test.go
@@ -129,6 +129,7 @@ var args = []string{
 	"--leader-elect-renew-deadline=15s",
 	"--leader-elect-resource-lock=configmap",
 	"--leader-elect-retry-period=5s",
+	"--legacy-service-account-token-clean-up-period=8760h",
 	"--master=192.168.4.20",
 	"--max-endpoints-per-slice=200",
 	"--min-resync-period=8h",
@@ -397,6 +398,11 @@ func TestAddFlags(t *testing.T) {
 				ConcurrentSATokenSyncs: 10,
 			},
 		},
+		LegacySATokenCleaner: &LegacySATokenCleanerOptions{
+			&serviceaccountconfig.LegacySATokenCleanerConfiguration{
+				CleanUpPeriod: metav1.Duration{Duration: 365 * 24 * time.Hour},
+			},
+		},
 		TTLAfterFinishedController: &TTLAfterFinishedControllerOptions{
 			&ttlafterfinishedconfig.TTLAfterFinishedControllerConfiguration{
 				ConcurrentTTLSyncs: 8,
@@ -627,6 +633,9 @@ func TestApplyTo(t *testing.T) {
 				ServiceAccountKeyFile:  "/service-account-private-key",
 				ConcurrentSATokenSyncs: 10,
 			},
+			LegacySATokenCleaner: serviceaccountconfig.LegacySATokenCleanerConfiguration{
+				CleanUpPeriod: metav1.Duration{Duration: 365 * 24 * time.Hour},
+			},
 			TTLAfterFinishedController: ttlafterfinishedconfig.TTLAfterFinishedControllerConfiguration{
 				ConcurrentTTLSyncs: 8,
 			},
@@ -1225,6 +1234,15 @@ func TestValidateControllersOptions(t *testing.T) {
 				},
 			}).Validate,
 		},
+		{
+			name:         "LegacySATokenCleanerOptions",
+			expectErrors: false,
+			validate: (&LegacySATokenCleanerOptions{
+				&serviceaccountconfig.LegacySATokenCleanerConfiguration{
+					CleanUpPeriod: metav1.Duration{Duration: 24 * 365 * time.Hour},
+				},
+			}).Validate,
+		},
 		{
 			name:         "TTLAfterFinishedControllerOptions",
 			expectErrors: false,