From 7f4ee652eaa0b0782348304ea9fbf7a7f53a19ab Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Mon, 28 Jul 2025 16:54:31 -0400
Subject: [PATCH] Delete temporary ProbeHostPodSecurityStandards feature gate

---
 pkg/features/kube_features.go | 11 -----------
 .../admission/security/podsecurity/admission.go | 4 ----
 .../policy/check_hostProbesAndhostLifecycle.go | 15 ---------------
 .../reference/versioned_feature_list.yaml | 6 ------
 4 files changed, 36 deletions(-)

diff --git a/pkg/features/kube_features.go b/pkg/features/kube_features.go
index ab9ae3432b4..2d537271a20 100644
--- a/pkg/features/kube_features.go
+++ b/pkg/features/kube_features.go
@@ -736,12 +736,6 @@ const (
  // Denies pod admission if static pods reference other API objects.
  PreventStaticPodAPIReferences featuregate.Feature = "PreventStaticPodAPIReferences"
 
- // owner: @tssurya
- // kep: https://kep.k8s.io/4559
- //
- // Enables probe host enforcement for Pod Security Standards.
- ProbeHostPodSecurityStandards featuregate.Feature = "ProbeHostPodSecurityStandards"
-
  // owner: @jessfraz
  //
  // Enables control over ProcMountType for containers.
@@ -1566,11 +1560,6 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
  {Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.Beta},
  },
 
- // Policy is GA in first release, this gate only exists to disable the enforcement when emulating older minors
- ProbeHostPodSecurityStandards: {
- {Version: version.MustParse("1.34"), Default: true, PreRelease: featuregate.GA, LockToDefault: true},
- },
-
  ProcMountType: {
  {Version: version.MustParse("1.12"), Default: false, PreRelease: featuregate.Alpha},
  {Version: version.MustParse("1.31"), Default: false, PreRelease: featuregate.Beta},
diff --git a/plugin/pkg/admission/security/podsecurity/admission.go b/plugin/pkg/admission/security/podsecurity/admission.go
index 64940994e62..e4b55cb4908 100644
--- a/plugin/pkg/admission/security/podsecurity/admission.go
+++ b/plugin/pkg/admission/security/podsecurity/admission.go
@@ -153,10 +153,6 @@ func (p *Plugin) updateDelegate() {
 func (c *Plugin) InspectFeatureGates(featureGates featuregate.FeatureGate) {
  c.inspectedFeatureGates = true
  policy.RelaxPolicyForUserNamespacePods(featureGates.Enabled(features.UserNamespacesPodSecurityStandards))
-
- if !featureGates.Enabled(features.ProbeHostPodSecurityStandards) {
- policy.SkipProbeHostEnforcement()
- }
 }
 
 // ValidateInitialization ensures all required options are set
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_hostProbesAndhostLifecycle.go b/staging/src/k8s.io/pod-security-admission/policy/check_hostProbesAndhostLifecycle.go
index 43387c05219..ad25d8eab28 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_hostProbesAndhostLifecycle.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_hostProbesAndhostLifecycle.go
@@ -18,7 +18,6 @@ package policy
 
 import (
  "fmt"
- "sync/atomic"
 
  corev1 "k8s.io/api/core/v1"
  metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -74,21 +73,7 @@ func CheckHostProbesAndHostLifecycle() Check {
  }
 }
 
-// TODO(liggitt): rework this to make emulation version influence "latest" across all checks, instead of piece-mill feature gate checking.
-var skipProbeHostEnforcement = &atomic.Bool{}
-
-// SkipProbeHostEnforcement allows opting out of probe host enforcement in baseline policies.
-// This should only be done in clusters emulating minor versions prior to introduction of this check.
-func SkipProbeHostEnforcement() {
- skipProbeHostEnforcement.Store(true)
-}
-
 func hostProbesAndHostLifecycleV1Dot34(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
- // cluster is emulating a minor prior to this check existing
- if skipProbeHostEnforcement.Load() {
- return CheckResult{Allowed: true}
- }
-
  badContainers := sets.New[string]()
  forbidden := sets.New[string]()
  visitContainers(podSpec, func(container *corev1.Container) {
diff --git a/test/compatibility_lifecycle/reference/versioned_feature_list.yaml b/test/compatibility_lifecycle/reference/versioned_feature_list.yaml
index 3fa2e3a8fdf..4953bf10750 100644
--- a/test/compatibility_lifecycle/reference/versioned_feature_list.yaml
+++ b/test/compatibility_lifecycle/reference/versioned_feature_list.yaml
@@ -1233,12 +1233,6 @@
  lockToDefault: false
  preRelease: Beta
  version: "1.34"
-- name: ProbeHostPodSecurityStandards
- versionedSpecs:
- - default: true
- lockToDefault: true
- preRelease: GA
- version: "1.34"
 - name: ProcMountType
  versionedSpecs:
  - default: false