diff --git a/keps/prod-readiness/sig-node/3619.yaml b/keps/prod-readiness/sig-node/3619.yaml index 0483f7351dc..1b115199f64 100644 --- a/keps/prod-readiness/sig-node/3619.yaml +++ b/keps/prod-readiness/sig-node/3619.yaml @@ -6,3 +6,5 @@ alpha: approver: "@johnbelamaric" beta: approver: "@johnbelamaric" +stable: + approver: "@johnbelamaric" diff --git a/keps/sig-node/3619-supplemental-groups-policy/README.md b/keps/sig-node/3619-supplemental-groups-policy/README.md index d4f8382c160..108ec2d8a8a 100644 --- a/keps/sig-node/3619-supplemental-groups-policy/README.md +++ b/keps/sig-node/3619-supplemental-groups-policy/README.md @@ -57,7 +57,7 @@ tags, and then generate with `hack/update-toc.sh`. - [Implementation History](#implementation-history) - [Drawbacks](#drawbacks) - [Alternatives](#alternatives) - - [Introducing RutimeClass](#introducing-rutimeclass) + - [Introducing RuntimeClass](#introducing-runtimeclass) - [Adjusting container image by users](#adjusting-container-image-by-users) - [Just fixing CRI implementations](#just-fixing-cri-implementations) - [Infrastructure Needed (Optional)](#infrastructure-needed-optional) @@ -662,11 +662,7 @@ Because this KEP's core implementation(i.e. `SupplementalGroupsPolicy` handling) #### GA -- At least one of Container Runtimes which is not based on the classic container, gVisor for example, supports the updated CRI and released -- Assuming no negative user feedback based on production experience, promote after 2 releases in beta. -- [conformance tests] are added for `SupplementalGroupsPolicy` and `ContainerStatus.User` APIs - -[conformance tests]: https://git.k8s.io/community/contributors/devel/sig-architecture/conformance-tests.md +- No negative user feedback based on production experience, promote after 2 releases in beta. ### Upgrade / Downgrade Strategy 
@@ -785,12 +781,14 @@ feature. NOTE: Also set `disable-supported` to `true` or `false` in `kep.yaml`. --> -Yes. It can be disabled after enabled. +Yes. It can be disabled after enabled until Beta. When disabled, you can not create pods with `SupplementalGroupsPolicy` fields and no `.status.containerStatuses[*].user` will be reported in pod status. Please note if there are pods that have been created with `Strict` policy, the policy of the containers in such pods will keep enforced even after its disablement. See ["Version Skew Strategy"](#version-skew-strategy) for more complex cases (including upgrading/downgrading). +But, starting v1.35, this feature graduates to GA, the `SupplementalGroupsPolicy` feature gate will be locked to true and will no longer be disable-able. + ###### What happens if we reenable the feature if it was previously rolled back? The `SupplementalGroupsPolicy` field in pod spec and `.status.containerStatuses[*].user` in pod status will be available again. @@ -859,12 +857,15 @@ $ kubectl get events -o json -w { ... "kind": "Event", + "reason": "SupplementalGroupsPolicyNotSupported", "message": "Error: SupplementalGroupsPolicy is not supported in this node.", ... } ... ``` +So, you can follow `kubelet_admission_rejections_total{reason='SupplementalGroupsPolicyNotSupported'}` metrics to track such events. + Also, the following kubelet metrics are also useful to check: - `kubelet_running_pods`: Shows the actual number of pods running @@ -1216,6 +1217,7 @@ Major milestones might include: - 2023-02-10: Initial KEP published. - v1.31.0(2024-08-13): Alpha +- v1.33.0(2025-04-23): Beta ## Drawbacks 
@@ -1227,7 +1229,7 @@ N/A ## Alternatives -### Introducing `RutimeClass` +### Introducing `RuntimeClass` As described in the [Motivation](#motivation) section, cluster administrators would need to deploy a custom low-level container runtime(e.g., [pfnet-research/strict-supplementalgroups-container-runtime](https://github.com/pfnet-research/strict-supplementalgroups-container-runtime)) that modifies OCI container runtime spec(`config.json`) produced by CRI implementations (e.g., containerd, cri-o). A custom `RuntimeClass` would be introduced for it. diff --git a/keps/sig-node/3619-supplemental-groups-policy/kep.yaml b/keps/sig-node/3619-supplemental-groups-policy/kep.yaml index 2ea92fdb8ab..8b577adfd71 100644 --- a/keps/sig-node/3619-supplemental-groups-policy/kep.yaml +++ b/keps/sig-node/3619-supplemental-groups-policy/kep.yaml @@ -5,7 +5,7 @@ authors: owning-sig: sig-node participating-sigs: - sig-node -status: implementable +status: implemented creation-date: 2022-10-14 reviewers: - "@thockin" @@ -19,18 +19,18 @@ see-also: [] replaces: [] # The target maturity stage in the current dev cycle for this KEP. -stage: beta +stage: stable # The most recent milestone for which work toward delivery of this KEP has been # done. This can be the current (upcoming) milestone, if it is being actively # worked on. -latest-milestone: "v1.33" +latest-milestone: "v1.35" # The milestone at which this feature was, or is targeted to be, at each stage. milestone: alpha: "v1.31" beta: "v1.33" - stable: "v1.yy" + stable: "v1.35" # The following PRR answers are required at alpha release # List the feature gate name and the components for which it must be enabled
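Review bot: in the README `@@ -662,11 +662,7 @@` GA hunk, two graduation criteria are dropped without a stated reason: the requirement that at least one runtime not based on classic containers (gVisor is named) ship support for the updated CRI, and the requirement that conformance tests be added for `SupplementalGroupsPolicy` and `ContainerStatus.User`. If these no longer gate GA, the section should say why (where conformance coverage now lives, or where non-classic runtime support is tracked) rather than silently removing them; otherwise keep them. The one remaining bullet also reads as a fragment; suggest `- Promote after 2 releases in beta, assuming no negative user feedback from production experience.`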
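Review bot: in the README `@@ -785,12 +781,14 @@` rollback hunk, the GA behaviour is appended after the old Beta-era paragraph, so a reader of `Yes. It can be disabled after enabled until Beta.` only learns at the end that the gate is locked. Suggest leading with the version split and replacing `disable-able`, e.g. `Before v1.35 the gate can be disabled after being enabled; when disabled, ... Starting with v1.35 (GA) the SupplementalGroupsPolicy feature gate is locked to true and cannot be disabled.` The unchanged context line `NOTE: Also set disable-supported to true or false in kep.yaml` applies here as well: the kep.yaml hunks in this patch do not touch `disable-supported`, so confirm it still reflects this answer.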
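Review bot: in the README `@@ -859,12 +857,15 @@` hunk, the new sentence says to follow `kubelet_admission_rejections_total{reason='SupplementalGroupsPolicyNotSupported'}` "to track such events", but a `_rejections_total` counter counts kubelet admission rejections, not Event objects; suggest `The same rejections are counted in kubelet_admission_rejections_total{reason="SupplementalGroupsPolicyNotSupported"}, which is the signal to alert on; the Event carries the per-pod detail.` It is also worth confirming that the `reason` value added to the Event JSON and the metric label come from the same constant in kubelet so the two can be cross-referenced.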
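Review bot: the README `@@ -1216,6 +1217,7 @@` Implementation History hunk adds the Beta entry but no stable entry, while the kep.yaml hunks in this same patch set `stage: stable` and `stable: "v1.35"`. Add a matching line such as `- v1.35.0: GA (targeted)` so the history agrees with kep.yaml, or note that the entry is added once the release ships.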
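Review bot: in the kep.yaml `@@ -5,7 +5,7 @@` hunk, `status: implemented` is set in the same change that only targets v1.35 (`latest-milestone: "v1.35"` and `stable: "v1.35"` in the following hunk). If v1.35 has not shipped when this merges, `implementable` remains the accurate status until the GA release is out; confirm the intended sequencing with the enhancements reviewers.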