Disable UnauthenticatedHTTP2DOSMitigation feature gate

Ryan Richard
2023-12-11 15:29:03 -08:00
parent 461e272d79
commit a4883507b5
2 changed files with 8 additions and 8 deletions


@@ -17,7 +17,6 @@ import (
"k8s.io/apimachinery/pkg/runtime/serializer"
apimachineryversion "k8s.io/apimachinery/pkg/version"
openapinamer "k8s.io/apiserver/pkg/endpoints/openapi"
"k8s.io/apiserver/pkg/features"
genericapiserver "k8s.io/apiserver/pkg/server"
genericoptions "k8s.io/apiserver/pkg/server/options"
"k8s.io/client-go/rest"
@@ -28,7 +27,6 @@ import (
"go.pinniped.dev/internal/concierge/apiserver"
conciergescheme "go.pinniped.dev/internal/concierge/scheme"
"go.pinniped.dev/internal/config/concierge"
"go.pinniped.dev/internal/config/featuregates"
"go.pinniped.dev/internal/controller/authenticator/authncache"
"go.pinniped.dev/internal/controllerinit"
"go.pinniped.dev/internal/controllermanager"
@@ -105,8 +103,10 @@ func addCommandlineFlagsToCommand(cmd *cobra.Command, app *App) {
// Boot the aggregated API server, which will in turn boot the controllers.
// In practice, the ctx passed in should be one which will be cancelled when the process receives SIGTERM or SIGINT.
func (a *App) runServer(ctx context.Context) error {
// Enable the feature gate from https://github.com/kubernetes/kubernetes/pull/121120.
featuregates.EnableKubeFeatureGate(features.UnauthenticatedHTTP2DOSMitigation)
// We tried to enable the feature gate from https://github.com/kubernetes/kubernetes/pull/121120,
// but it causes errors when there are lots of parallel anonymous requests for our aggregated API endpoints.
// We will need to figure out if that is a bug in Kubernetes before we enable this again.
// featuregates.EnableKubeFeatureGate(features.UnauthenticatedHTTP2DOSMitigation)
// Read the server config file.
cfg, err := concierge.FromPath(ctx, a.configPath)
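Review bot: Commenting out the `EnableKubeFeatureGate` call in `runServer` (and identically in `runSupervisor` in the second file) stops enabling the gate but does not switch it off, so the effective state is whatever default the vendored k8s.io/apiserver gives `UnauthenticatedHTTP2DOSMitigation`; if that default is or later becomes on, the errors described in the new comment would presumably return with no change in these files. If the default is off, both servers run without this mitigation for unauthenticated HTTP/2 clients, and the comment should record that trade-off and be easy to find again, for example `// TODO(<tracking issue>): gate left at its library default; unauthenticated HTTP/2 clients are not covered by this DoS mitigation until it is re-enabled.` The commented-out line still names the `features` and `featuregates` packages, whose imports appear to be dropped by the import hunks of this commit, so re-enabling means restoring those imports as well. Both function bodies continue outside the hunks shown.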


@@ -28,7 +28,6 @@ import (
apimachineryversion "k8s.io/apimachinery/pkg/version"
genericapifilters "k8s.io/apiserver/pkg/endpoints/filters"
openapinamer "k8s.io/apiserver/pkg/endpoints/openapi"
"k8s.io/apiserver/pkg/features"
genericapiserver "k8s.io/apiserver/pkg/server"
genericoptions "k8s.io/apiserver/pkg/server/options"
k8sinformers "k8s.io/client-go/informers"
@@ -44,7 +43,6 @@ import (
supervisorinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions"
supervisoropenapi "go.pinniped.dev/generated/latest/client/supervisor/openapi"
"go.pinniped.dev/internal/apiserviceref"
"go.pinniped.dev/internal/config/featuregates"
"go.pinniped.dev/internal/config/supervisor"
"go.pinniped.dev/internal/controller/apicerts"
"go.pinniped.dev/internal/controller/supervisorconfig"
@@ -388,8 +386,10 @@ func prepareControllers(
// and start serving the health endpoint and the endpoints of the configured FederationDomains.
// In practice, the ctx passed in should be one which will be cancelled when the process receives SIGTERM or SIGINT.
func runSupervisor(ctx context.Context, podInfo *downward.PodInfo, cfg *supervisor.Config) error { //nolint:funlen
// Enable the feature gate from https://github.com/kubernetes/kubernetes/pull/121120.
featuregates.EnableKubeFeatureGate(features.UnauthenticatedHTTP2DOSMitigation)
// We tried to enable the feature gate from https://github.com/kubernetes/kubernetes/pull/121120,
// but it causes errors when there are lots of parallel anonymous requests for our aggregated API endpoints.
// We will need to figure out if that is a bug in Kubernetes before we enable this again.
// featuregates.EnableKubeFeatureGate(features.UnauthenticatedHTTP2DOSMitigation)
serverInstallationNamespace := podInfo.Namespace
clientSecretSupervisorGroupData := groupsuffix.SupervisorAggregatedGroups(*cfg.APIGroupSuffix)