Delete temporary ProbeHostPodSecurityStandards feature gate

2026-02-03 20:40:26 -05:00 · 2025-07-28 16:54:31 -04:00 · 2025-07-28 16:54:31 -04:00 · 7f4ee652ea
commit 7f4ee652ea
parent 55419eca7a
4 changed files with 0 additions and 36 deletions
--- a/pkg/features/kube_features.go
+++ b/pkg/features/kube_features.go
@ -736,12 +736,6 @@ const (
 	// Denies pod admission if static pods reference other API objects.
 	PreventStaticPodAPIReferences featuregate.Feature = "PreventStaticPodAPIReferences"

-	// owner: @tssurya
-	// kep: https://kep.k8s.io/4559
-	//
-	// Enables probe host enforcement for Pod Security Standards.
-	ProbeHostPodSecurityStandards featuregate.Feature = "ProbeHostPodSecurityStandards"
-
 	// owner: @jessfraz
 	//
 	// Enables control over ProcMountType for containers.
@ -1566,11 +1560,6 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 		{Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.Beta},
 	},

-	// Policy is GA in first release, this gate only exists to disable the enforcement when emulating older minors
-	ProbeHostPodSecurityStandards: {
-		{Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.GA, LockToDefault: true},
-	},
-
 	ProcMountType: {
 		{Version: version.MustParse("1.12"), Default: false, PreRelease: featuregate.Alpha},
 		{Version: version.MustParse("1.31"), Default: false, PreRelease: featuregate.Beta},
--- a/plugin/pkg/admission/security/podsecurity/admission.go
+++ b/plugin/pkg/admission/security/podsecurity/admission.go
@ -153,10 +153,6 @@ func (p *Plugin) updateDelegate() {
 func (c *Plugin) InspectFeatureGates(featureGates featuregate.FeatureGate) {
 	c.inspectedFeatureGates = true
 	policy.RelaxPolicyForUserNamespacePods(featureGates.Enabled(features.UserNamespacesPodSecurityStandards))
-
-	if !featureGates.Enabled(features.ProbeHostPodSecurityStandards) {
-		policy.SkipProbeHostEnforcement()
-	}
 }

 // ValidateInitialization ensures all required options are set
--- a/staging/src/k8s.io/pod-security-admission/policy/check_hostProbesAndhostLifecycle.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_hostProbesAndhostLifecycle.go
@ -18,7 +18,6 @@ package policy

 import (
 	"fmt"
-	"sync/atomic"

 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@ -74,21 +73,7 @@ func CheckHostProbesAndHostLifecycle() Check {
 	}
 }

-// TODO(liggitt): rework this to make emulation version influence "latest" across all checks, instead of piece-mill feature gate checking.
-var skipProbeHostEnforcement = &atomic.Bool{}
-
-// SkipProbeHostEnforcement allows opting out of probe host enforcement in baseline policies.
-// This should only be done in clusters emulating minor versions prior to introduction of this check.
-func SkipProbeHostEnforcement() {
-	skipProbeHostEnforcement.Store(true)
-}
-
 func hostProbesAndHostLifecycleV1Dot34(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
-	// cluster is emulating a minor prior to this check existing
-	if skipProbeHostEnforcement.Load() {
-		return CheckResult{Allowed: true}
-	}
-
 	badContainers := sets.New[string]()
 	forbidden := sets.New[string]()
 	visitContainers(podSpec, func(container *corev1.Container) {
--- a/test/compatibility_lifecycle/reference/versioned_feature_list.yaml
+++ b/test/compatibility_lifecycle/reference/versioned_feature_list.yaml
@ -1233,12 +1233,6 @@
    lockToDefault: false
    preRelease: Beta
    version: "1.34"
- name: ProbeHostPodSecurityStandards
-  versionedSpecs:
-  - default: true
-    lockToDefault: true
-    preRelease: GA
-    version: "1.34"
 - name: ProcMountType
  versionedSpecs:
  - default: false