diff --git a/internal/concierge/server/server.go b/internal/concierge/server/server.go
index 1e18a028a..b8ce81475 100644
--- a/internal/concierge/server/server.go
+++ b/internal/concierge/server/server.go
@@ -17,7 +17,6 @@ import (
 "k8s.io/apimachinery/pkg/runtime/serializer"
 apimachineryversion "k8s.io/apimachinery/pkg/version"
 openapinamer "k8s.io/apiserver/pkg/endpoints/openapi"
- "k8s.io/apiserver/pkg/features"
 genericapiserver "k8s.io/apiserver/pkg/server"
 genericoptions "k8s.io/apiserver/pkg/server/options"
 "k8s.io/client-go/rest"
@@ -28,7 +27,6 @@ import (
 "go.pinniped.dev/internal/concierge/apiserver"
 conciergescheme "go.pinniped.dev/internal/concierge/scheme"
 "go.pinniped.dev/internal/config/concierge"
- "go.pinniped.dev/internal/config/featuregates"
 "go.pinniped.dev/internal/controller/authenticator/authncache"
 "go.pinniped.dev/internal/controllerinit"
 "go.pinniped.dev/internal/controllermanager"
@@ -105,8 +103,10 @@ func addCommandlineFlagsToCommand(cmd *cobra.Command, app *App) {
 // Boot the aggregated API server, which will in turn boot the controllers.
 // In practice, the ctx passed in should be one which will be cancelled when the process receives SIGTERM or SIGINT.
 func (a *App) runServer(ctx context.Context) error {
- // Enable the feature gate from https://github.com/kubernetes/kubernetes/pull/121120.
- featuregates.EnableKubeFeatureGate(features.UnauthenticatedHTTP2DOSMitigation)
+ // We tried to enable the feature gate from https://github.com/kubernetes/kubernetes/pull/121120,
+ // but it causes errors when there are lots of parallel anonymous requests for our aggregated API endpoints.
+ // We will need to figure out if that is a bug in Kubernetes before we enable this again.
+ // featuregates.EnableKubeFeatureGate(features.UnauthenticatedHTTP2DOSMitigation)
 // Read the server config file.
 cfg, err := concierge.FromPath(ctx, a.configPath)
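Review bot: Commenting out `featuregates.EnableKubeFeatureGate(features.UnauthenticatedHTTP2DOSMitigation)` at the top of `runServer` removes the explicit opt-in to the unauthenticated HTTP/2 denial-of-service mitigation, and the replacement comment explains the revert but not the exposure it reopens or where the follow-up is tracked; the same change and the same gap appear in `runSupervisor` in internal/supervisor/server/server.go. Unless the vendored apiserver library turns this gate on by default (not visible here), anonymous HTTP/2 clients of both servers are no longer covered by it, so the comment should say so and name a compensating control if one exists, for example `// TODO(<tracking issue>): gate disabled, so anonymous HTTP/2 clients are not covered by this mitigation; re-enable once the parallel-request errors are resolved.` The commented-out call also references the `featuregates` and `features` imports that this commit deletes, so it will not compile if simply uncommented; a TODO is clearer than dead code. `runServer`'s body continues past the end of the hunk.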
diff --git a/internal/supervisor/server/server.go b/internal/supervisor/server/server.go
index c3f519b16..71784f697 100644
--- a/internal/supervisor/server/server.go
+++ b/internal/supervisor/server/server.go
@@ -28,7 +28,6 @@ import (
 apimachineryversion "k8s.io/apimachinery/pkg/version"
 genericapifilters "k8s.io/apiserver/pkg/endpoints/filters"
 openapinamer "k8s.io/apiserver/pkg/endpoints/openapi"
- "k8s.io/apiserver/pkg/features"
 genericapiserver "k8s.io/apiserver/pkg/server"
 genericoptions "k8s.io/apiserver/pkg/server/options"
 k8sinformers "k8s.io/client-go/informers"
@@ -44,7 +43,6 @@ import (
 supervisorinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions"
 supervisoropenapi "go.pinniped.dev/generated/latest/client/supervisor/openapi"
 "go.pinniped.dev/internal/apiserviceref"
- "go.pinniped.dev/internal/config/featuregates"
 "go.pinniped.dev/internal/config/supervisor"
 "go.pinniped.dev/internal/controller/apicerts"
 "go.pinniped.dev/internal/controller/supervisorconfig"
@@ -388,8 +386,10 @@ func prepareControllers(
 // and start serving the health endpoint and the endpoints of the configured FederationDomains.
 // In practice, the ctx passed in should be one which will be cancelled when the process receives SIGTERM or SIGINT.
 func runSupervisor(ctx context.Context, podInfo *downward.PodInfo, cfg *supervisor.Config) error { //nolint:funlen
- // Enable the feature gate from https://github.com/kubernetes/kubernetes/pull/121120.
- featuregates.EnableKubeFeatureGate(features.UnauthenticatedHTTP2DOSMitigation)
+ // We tried to enable the feature gate from https://github.com/kubernetes/kubernetes/pull/121120,
+ // but it causes errors when there are lots of parallel anonymous requests for our aggregated API endpoints.
+ // We will need to figure out if that is a bug in Kubernetes before we enable this again.
+ // featuregates.EnableKubeFeatureGate(features.UnauthenticatedHTTP2DOSMitigation)
 serverInstallationNamespace := podInfo.Namespace
 clientSecretSupervisorGroupData := groupsuffix.SupervisorAggregatedGroups(*cfg.APIGroupSuffix)