WIP: Roughly how each gate conversion will look

Author: thockin

pkg/api/pod/util.go

@@ -29,6 +29,7 @@ import (
 	"k8s.io/kubernetes/pkg/apis/core/helper"
 	apivalidation "k8s.io/kubernetes/pkg/apis/core/validation"
 	"k8s.io/kubernetes/pkg/features"
+	"k8s.io/utils/feature"
 )
 
 // ContainerType signifies container type
@@ -685,7 +686,8 @@ func dropDisabledFields(
 		// For other types of containers, validateContainers will handle them.
 	}
 
-	if !utilfeature.DefaultFeatureGate.Enabled(features.RecursiveReadOnlyMounts) && !rroInUse(oldPodSpec) {
+	if !utilfeature.DefaultFeatureGate.Enabled(features.RecursiveReadOnlyMounts) &&
+		!feature.Enabled(features.RecursiveReadOnlyMounts3) && !rroInUse(oldPodSpec) {
 		for i := range podSpec.Containers {
 			for j := range podSpec.Containers[i].VolumeMounts {
 				podSpec.Containers[i].VolumeMounts[j].RecursiveReadOnly = nil
@@ -809,7 +811,8 @@ func dropDisabledPodStatusFields(podStatus, oldPodStatus *api.PodStatus, podSpec
 		podStatus.HostIPs = nil
 	}
 
-	if !utilfeature.DefaultFeatureGate.Enabled(features.RecursiveReadOnlyMounts) && !rroInUse(oldPodSpec) {
+	if !utilfeature.DefaultFeatureGate.Enabled(features.RecursiveReadOnlyMounts) &&
+		!feature.Enabled(features.RecursiveReadOnlyMounts3) && !rroInUse(oldPodSpec) {
 		for i := range podStatus.ContainerStatuses {
 			podStatus.ContainerStatuses[i].VolumeMounts = nil
 		}

pkg/features/kube_features.go

@@ -993,6 +993,15 @@ var (
 		clientfeatures.LibFeatureGates(),
 		//kubeaggregatorfeatures.FeatureGates(),
 		apiextensionsfeatures.FeatureGates())
+
+	// owner: @AkihiroSuda
+	// kep: https://kep.k8s.io/3857
+	// alpha: v1.30
+	//
+	// Allows recursive read-only mounts.
+	RecursiveReadOnlyMounts3 = kubeGates.Add(&feature.Gate{
+		Name: "RecursiveReadOnlyMounts", Default: false, Release: feature.Alpha,
+	})
 )
 
 func init() {

pkg/kubelet/kubelet_pods.go

@@ -68,6 +68,7 @@ import (
 	"k8s.io/kubernetes/pkg/volume/util/volumepathhandler"
 	volumevalidation "k8s.io/kubernetes/pkg/volume/validation"
 	"k8s.io/kubernetes/third_party/forked/golang/expansion"
+	"k8s.io/utils/feature"
 	utilnet "k8s.io/utils/net"
 )
 
@@ -347,7 +348,8 @@ func makeMounts(pod *v1.Pod, podDir string, container *v1.Container, hostName, h
 		if err != nil {
 			return nil, cleanupAction, fmt.Errorf("failed to resolve recursive read-only mode: %w", err)
 		}
-		if rro && !utilfeature.DefaultFeatureGate.Enabled(features.RecursiveReadOnlyMounts) {
+		if rro && !utilfeature.DefaultFeatureGate.Enabled(features.RecursiveReadOnlyMounts) &&
+			!feature.Enabled(features.RecursiveReadOnlyMounts3) {
 			return nil, cleanupAction, fmt.Errorf("recursive read-only mount needs feature gate %q to be enabled", features.RecursiveReadOnlyMounts)
 		}
 
@@ -2135,7 +2137,8 @@ func (kl *Kubelet) convertToAPIContainerStatuses(pod *v1.Pod, podStatus *kubecon
 		}
 		// status.VolumeMounts cannot be propagated from kubecontainer.Status
 		// because the CRI API is unaware of the volume names.
-		if utilfeature.DefaultFeatureGate.Enabled(features.RecursiveReadOnlyMounts) {
+		if utilfeature.DefaultFeatureGate.Enabled(features.RecursiveReadOnlyMounts) ||
+			feature.Enabled(features.RecursiveReadOnlyMounts3) {
 			for _, vol := range container.VolumeMounts {
 				volStatus := v1.VolumeMountStatus{
 					Name:      vol.Name,
@@ -2147,7 +2150,8 @@ func (kl *Kubelet) convertToAPIContainerStatuses(pod *v1.Pod, podStatus *kubecon
 					if b, err := resolveRecursiveReadOnly(vol, supportsRRO); err != nil {
 						klog.ErrorS(err, "failed to resolve recursive read-only mode", "mode", *vol.RecursiveReadOnly)
 					} else if b {
-						if utilfeature.DefaultFeatureGate.Enabled(features.RecursiveReadOnlyMounts) {
+						if utilfeature.DefaultFeatureGate.Enabled(features.RecursiveReadOnlyMounts) ||
+							feature.Enabled(features.RecursiveReadOnlyMounts3) {
 							rroMode = v1.RecursiveReadOnlyEnabled
 						} else {
 							klog.ErrorS(nil, "recursive read-only mount needs feature gate to be enabled",

pkg/kubelet/nodestatus/setters.go

@@ -44,6 +44,7 @@ import (
 	kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
 	"k8s.io/kubernetes/pkg/kubelet/events"
 	"k8s.io/kubernetes/pkg/volume"
+	"k8s.io/utils/feature"
 	netutils "k8s.io/utils/net"
 
 	"k8s.io/klog/v2"
@@ -483,7 +484,8 @@ func GoRuntime() Setter {
 // RuntimeHandlers returns a Setter that sets RuntimeHandlers on the node.
 func RuntimeHandlers(fn func() []kubecontainer.RuntimeHandler) Setter {
 	return func(ctx context.Context, node *v1.Node) error {
-		if !utilfeature.DefaultFeatureGate.Enabled(features.RecursiveReadOnlyMounts) {
+		if !utilfeature.DefaultFeatureGate.Enabled(features.RecursiveReadOnlyMounts) &&
+			!feature.Enabled(features.RecursiveReadOnlyMounts3) {
 			return nil
 		}
 		handlers := fn()

pkg/registry/core/node/strategy.go

@@ -40,6 +40,7 @@ import (
 	"k8s.io/kubernetes/pkg/apis/core/validation"
 	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/pkg/kubelet/client"
+	"k8s.io/utils/feature"
 	"sigs.k8s.io/structured-merge-diff/v4/fieldpath"
 )
 
@@ -103,7 +104,8 @@ func dropDisabledFields(node *api.Node, oldNode *api.Node) {
 		node.Spec.ConfigSource = nil
 	}
 
-	if !utilfeature.DefaultFeatureGate.Enabled(features.RecursiveReadOnlyMounts) {
+	if !utilfeature.DefaultFeatureGate.Enabled(features.RecursiveReadOnlyMounts) &&
+		!feature.Enabled(features.RecursiveReadOnlyMounts3) {
 		node.Status.RuntimeHandlers = nil
 	}
 }