- placing the node auhorization feature behind a feature flag

docs/node_authorization.md

@@ -33,7 +33,7 @@ Assuming all the conditions are met a secret token is generated and returned to
 
 #### **Enabling the Node Authorization Service**
 
-Enabling the node authorization service is as follows;
+Enabling the node authorization service is as follows; firstly you must enable the feature flag as node authorization is still experimental; export KOPS_FEATURE_FLAGS=EnableNodeAuthorization
 
 ```
 # in the cluster spec

pkg/apis/kops/validation/legacy.go

@@ -25,6 +25,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/kops/pkg/apis/kops"
 	"k8s.io/kops/pkg/apis/kops/util"
+	"k8s.io/kops/pkg/featureflag"
 	"k8s.io/kops/pkg/model/components"
 	"k8s.io/kops/upup/pkg/fi"
 
@@ -375,6 +376,10 @@ func ValidateCluster(c *kops.Cluster, strict bool) *field.Error {
 
 	// NodeAuthorization
 	if c.Spec.NodeAuthorization != nil {
+		// @check the feature gate is enabled for this
+		if !featureflag.EnableNodeAuthorization.Enabled() {
+			return field.Invalid(field.NewPath("nodeAuthorization"), nil, "node authorization is experimental feature; set `export KOPS_FEATURE_FLAGS=EnableNodeAuthorization`")
+		}
 		if c.Spec.NodeAuthorization.NodeAuthorizer == nil {
 			return field.Invalid(field.NewPath("nodeAuthorization"), nil, "no node authorization policy has been set")
 		}

pkg/featureflag/featureflag.go

@@ -32,6 +32,7 @@ import (
 	"github.com/golang/glog"
 )
 
+// Bool returns a pointer to the boolean value
 func Bool(b bool) *bool {
 	return &b
 }
@@ -69,6 +70,9 @@ var SpecOverrideFlag = New("SpecOverrideFlag", Bool(false))
 // However we should no longer need it, with the keyset.yaml fix
 var GoogleCloudBucketAcl = New("GoogleCloudBucketAcl", Bool(false))
 
+// EnableNodeAuthorization enables the node authorization features
+var EnableNodeAuthorization = New("EnableNodeAuthorization", Bool(false))
+
 var flags = make(map[string]*FeatureFlag)
 var flagsMutex sync.Mutex