Remove the deprecated k8s_sat node attestor plugin

Signed-off-by: Amit Upadhyay <amit.upadhyay021@outlook.com>

conf/agent/agent_full.conf

@@ -204,20 +204,6 @@ plugins {
         }
     }
 
-    # NodeAttestor "k8s_sat" (deprecated): A node attestor which attests agent identity
-    # using a Kubernetes Service Account token.
-    NodeAttestor "k8s_sat" {
-        plugin_data {
-            # cluster: Name of the cluster. It must correspond to a cluster
-            # configured in the server plugin.
-            # cluster = ""
-
-            # token_path: Path to the service account token on disk.
-            # Default: /var/run/secrets/kubernetes.io/serviceaccount/token.
-            # token_path = "/var/run/secrets/kubernetes.io/serviceaccount/token"
-        }
-    }
-
     # NodeAttestor "sshpop": A node attestor which attests agent identity
     # using an existing ssh certificate.
     NodeAttestor "sshpop" {

conf/server/server_full.conf

@@ -533,47 +533,6 @@ plugins {
     #     }
     # }
 
-    # NodeAttestor "k8s_sat" (deprecated): A node attestor which attests agent identity
-    # using a Kubernetes Service Account token.
-    # NodeAttestor "k8s_sat" {
-    #     plugin_data {
-    #         # clusters: A map of clusters, keyed by an arbitrary ID, that are
-    #         # authorized for attestation.
-    #         # clusters = {
-    #             # "<arbitrary ID>" = {
-    #                 # service_account_allow_list: A list of service account names,
-    #                 # qualified by namespace (for example, "default:blog" or
-    #                 # "production:web") to allow for node attestation. Attestation
-    #                 # will be rejected for tokens bound to service accounts that
-    #                 # aren't in the allow list.
-    #                 # service_account_allow_list = []
-
-    #                 # use_token_review_api_validation: Specifies how the service
-    #                 # account token is validated. If false, validation is done
-    #                 # locally using the provided key. If true, validation is done
-    #                 # using token review API. Default: false.
-    #                 # use_token_review_api_validation = false
-
-    #                 # service_account_key_file: It is only used if
-    #                 # use_token_review_api_validation is set to false. Path on disk
-    #                 # to a PEM encoded file containing public keys used in
-    #                 # validating tokens for that cluster. RSA and ECDSA keys are
-    #                 # supported. For RSA, X509 certificates, PKCS1, and PKIX encoded
-    #                 # public keys are accepted. For ECDSA, X509 certificates, and
-    #                 # PKIX encoded public keys are accepted.
-    #                 # service_account_key_file = ""
-
-    #                 # kube_config_file: It is only used if
-    #                 # use_token_review_api_validation is set to true. Path to a k8s
-    #                 # configuration file for API Server authentication. A kubernetes
-    #                 # configuration file must be specified if SPIRE server runs
-    #                 # outside of the k8s cluster. If empty, SPIRE server is assumed
-    #                 # to be running inside the cluster and in-cluster configuration
-    #                 # is used. Default: "".
-    #                 # kube_config_file = ""
-    #     }
-    # }
-
     # NodeAttestor "sshpop": A node attestor which attests agent identity
     # using an existing ssh certificate.
     # NodeAttestor "sshpop" {

doc/spire_agent.md

@@ -21,7 +21,6 @@ This document is a configuration reference for SPIRE Agent. It includes informat
 | NodeAttestor     | [azure_msi](/doc/plugin_agent_nodeattestor_azure_msi.md)                | A node attestor which attests agent identity using an Azure MSI token                                                                            |
 | NodeAttestor     | [gcp_iit](/doc/plugin_agent_nodeattestor_gcp_iit.md)                    | A node attestor which attests agent identity using a GCP Instance Identity Token                                                                 |
 | NodeAttestor     | [join_token](/doc/plugin_agent_nodeattestor_jointoken.md)               | A node attestor which uses a server-generated join token                                                                                         |
-| NodeAttestor     | [k8s_sat](/doc/plugin_agent_nodeattestor_k8s_sat.md) (deprecated)       | A node attestor which attests agent identity using a Kubernetes Service Account token                                                            |
 | NodeAttestor     | [k8s_psat](/doc/plugin_agent_nodeattestor_k8s_psat.md)                  | A node attestor which attests agent identity using a Kubernetes Projected Service Account token                                                  |
 | NodeAttestor     | [sshpop](/doc/plugin_agent_nodeattestor_sshpop.md)                      | A node attestor which attests agent identity using an existing ssh certificate                                                                   |
 | NodeAttestor     | [x509pop](/doc/plugin_agent_nodeattestor_x509pop.md)                    | A node attestor which attests agent identity using an existing X.509 certificate                                                                 |

doc/spire_server.md

@@ -27,7 +27,6 @@ This document is a configuration reference for SPIRE Server. It includes informa
 | NodeAttestor       | [azure_msi](/doc/plugin_server_nodeattestor_azure_msi.md)                                            | A node attestor which attests agent identity using an Azure MSI token                                                       |
 | NodeAttestor       | [gcp_iit](/doc/plugin_server_nodeattestor_gcp_iit.md)                                                | A node attestor which attests agent identity using a GCP Instance Identity Token                                            |
 | NodeAttestor       | [join_token](/doc/plugin_server_nodeattestor_jointoken.md)                                           | A node attestor which validates agents attesting with server-generated join tokens                                          |
-| NodeAttestor       | [k8s_sat](/doc/plugin_server_nodeattestor_k8s_sat.md) (deprecated)                                   | A node attestor which attests agent identity using a Kubernetes Service Account token                                       |
 | NodeAttestor       | [k8s_psat](/doc/plugin_server_nodeattestor_k8s_psat.md)                                              | A node attestor which attests agent identity using a Kubernetes Projected Service Account token                             |
 | NodeAttestor       | [sshpop](/doc/plugin_server_nodeattestor_sshpop.md)                                                  | A node attestor which attests agent identity using an existing ssh certificate                                              |
 | NodeAttestor       | [tpm_devid](/doc/plugin_server_nodeattestor_tpm_devid.md)                                            | A node attestor which attests agent identity using a TPM that has been provisioned with a DevID certificate                 |

pkg/agent/catalog/nodeattestor.go

@@ -8,7 +8,6 @@ import (
 	"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/httpchallenge"
 	"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/jointoken"
 	"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/k8spsat"
-	"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/k8ssat"
 	"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/sshpop"
 	"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/tpmdevid"
 	"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/x509pop"
@@ -41,7 +40,6 @@ func (repo *nodeAttestorRepository) BuiltIns() []catalog.BuiltIn {
 		httpchallenge.BuiltIn(),
 		jointoken.BuiltIn(),
 		k8spsat.BuiltIn(),
-		k8ssat.BuiltIn(),
 		sshpop.BuiltIn(),
 		tpmdevid.BuiltIn(),
 		x509pop.BuiltIn(),