add ServiceAccountNodeAudienceRestriction feature gate in KAS and update beta criteria

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Author: aramase

keps/sig-auth/4412-projected-service-account-tokens-for-kubelet-image-credential-providers/README.md

@@ -667,6 +667,8 @@ in back-to-back releases.
 - Unit tests for current credential provider logic unchanged when token attributes are not set
 - Unit tests for credential provider logic when token attributes are set
 - Initial e2e tests completed and enabled
+- `ServiceAccountNodeAudienceRestriction` feature gate implemented in KAS as a beta feature
+  - Audience validation is enabled by default for service account tokens requested by the kubelet
 
 #### Post Alpha
 
@@ -675,6 +677,7 @@ in back-to-back releases.
 #### Beta
 
 - The implementation works well with the Ensure secret pull images KEP and supports pod image pull policy set to any value.
+- `ServiceAccountNodeAudienceRestriction` feature gate is beta in KAS and enabled by default. This feature needs to be enabled be beta/enabled by default at least one release before this KEP goes to beta. This is critical to support downgrade use cases.
 - Add metrics
 
 #### GA
@@ -722,7 +725,9 @@ Migration of the workloads to the new approach can be done per image or per regi
 
 When things can fail:
 
-1. If the kubelet is updated to enable the feature flag and the credential provider is configured with the `TokenAttributes` field set, but the KAS is not updated with `--allowed-kubelet-audiences` to allow the kubelet to generate service account tokens for the audience configured in the kubelet credential provider configuration, the image pull will fail. The old KAS will reject the token request from the kubelet.
+If the kubelet is updated to enable the feature flag and the credential provider is configured with the `TokenAttributes` field set, but the KAS is not updated with `--allowed-kubelet-audiences` to allow the kubelet to generate service account tokens for the audience configured in the kubelet credential provider configuration, the image pull will fail. The old KAS will reject the token request from the kubelet.
+
+Today we don't do any validation on the audience value that the kubelet requested -> we only check that the SA is in use on some pod scheduled to the kubelet. As part of this KEP, we're introducing a new feature gate `ServiceAccountNodeAudienceRestriction` in KAS to validate the audience value that the kubelet requests is either part of any API spec or is in the list of audiences configured in KAS via the `--allowed-kubelet-audiences` CLI flag. This audience validation will be beta/enabled by default at least one release before this KEP goes to beta.
 
 ## Production Readiness Review Questionnaire
 
@@ -778,6 +783,18 @@ FeatureSpec{
 }
 ```
 
+- [x] Feature gate (also fill in values in `kep.yaml`)
+  - Feature gate name: `ServiceAccountNodeAudienceRestriction`
+  - Components depending on the feature gate: kube-apiserver
+
+```go
+FeatureSpec{
+  Default: true,
+  LockToDefault: false,
+  PreRelease: featuregate.Beta,
+}
+```
+
 ###### Does enabling the feature change any default behavior?
 
 <!--

keps/sig-auth/4412-projected-service-account-tokens-for-kubelet-image-credential-providers/kep.yaml

@@ -24,6 +24,9 @@ feature-gates:
 - name: ServiceAccountTokenForKubeletCredentialProviders
   components:
   - kubelet
+- name: ServiceAccountNodeAudienceRestriction
+  components:
+  - kube-apiserver
 disable-supported: true
 metrics:
 - "TODO"