diff --git a/keps/prod-readiness/sig-node/3619.yaml b/keps/prod-readiness/sig-node/3619.yaml
index 0483f7351dc..1b115199f64 100644
--- a/keps/prod-readiness/sig-node/3619.yaml
+++ b/keps/prod-readiness/sig-node/3619.yaml
@@ -6,3 +6,5 @@ alpha:
approver: "@johnbelamaric"
beta:
approver: "@johnbelamaric"
+stable:
+ approver: "@johnbelamaric"
diff --git a/keps/sig-node/3619-supplemental-groups-policy/README.md b/keps/sig-node/3619-supplemental-groups-policy/README.md
index d4f8382c160..108ec2d8a8a 100644
--- a/keps/sig-node/3619-supplemental-groups-policy/README.md
+++ b/keps/sig-node/3619-supplemental-groups-policy/README.md
@@ -57,7 +57,7 @@ tags, and then generate with `hack/update-toc.sh`.
- [Implementation History](#implementation-history)
- [Drawbacks](#drawbacks)
- [Alternatives](#alternatives)
- - [Introducing RutimeClass
](#introducing-rutimeclass)
+ - [Introducing RuntimeClass
](#introducing-runtimeclass)
- [Adjusting container image by users](#adjusting-container-image-by-users)
- [Just fixing CRI implementations](#just-fixing-cri-implementations)
- [Infrastructure Needed (Optional)](#infrastructure-needed-optional)
@@ -662,11 +662,7 @@ Because this KEP's core implementation(i.e. `SupplementalGroupsPolicy` handling)
#### GA
-- At least one of Container Runtimes which is not based on the classic container, gVisor for example, supports the updated CRI and released
-- Assuming no negative user feedback based on production experience, promote after 2 releases in beta.
-- [conformance tests] are added for `SupplementalGroupsPolicy` and `ContainerStatus.User` APIs
-
-[conformance tests]: https://git.k8s.io/community/contributors/devel/sig-architecture/conformance-tests.md
+- No negative user feedback based on production experience, promote after 2 releases in beta.
### Upgrade / Downgrade Strategy
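Review bot: The GA criteria in this hunk lose both the conformance-test requirement for `SupplementalGroupsPolicy` and `ContainerStatus.User` and the requirement that a runtime not based on the classic container (gVisor is the example given) supports the updated CRI, and the single remaining bullet gives no reason for either removal. Suggest adding a sentence that says why each was dropped or where that coverage now lives, since "no negative user feedback" is not something a test can verify. The new bullet also reads as a fragment; "No negative user feedback from production use after 2 releases in beta." would be clearer.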
@@ -785,12 +781,14 @@ feature.
NOTE: Also set `disable-supported` to `true` or `false` in `kep.yaml`.
-->
-Yes. It can be disabled after enabled.
+Yes. It can be disabled after enabled until Beta.
When disabled, you can not create pods with `SupplementalGroupsPolicy` fields and no `.status.containerStatuses[*].user` will be reported in pod status.
Please note if there are pods that have been created with `Strict` policy, the policy of the containers in such pods will keep enforced even after its disablement.
See ["Version Skew Strategy"](#version-skew-strategy) for more complex cases (including upgrading/downgrading).
+But, starting v1.35, this feature graduates to GA, the `SupplementalGroupsPolicy` feature gate will be locked to true and will no longer be disable-able.
+
###### What happens if we reenable the feature if it was previously rolled back?
The `SupplementalGroupsPolicy` field in pod spec and `.status.containerStatuses[*].user` in pod status will be available again.
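Review bot: "until Beta" in the first added line is ambiguous about whether the gate can still be turned off during Beta, and the GA statement is added three lines further down, after text that still describes the disabled state as if it were always reachable. Suggest naming the versions and keeping the two statements together, for example "Yes, while the feature is in Alpha or Beta. Starting with v1.35 (GA) the `SupplementalGroupsPolicy` feature gate is locked to true and can no longer be disabled." The "When disabled ..." paragraph and the "reenable" answer below it would then need a short qualifier that they apply only before v1.35.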
@@ -859,12 +857,15 @@ $ kubectl get events -o json -w
{
...
"kind": "Event",
+ "reason": "SupplementalGroupsPolicyNotSupported",
"message": "Error: SupplementalGroupsPolicy is not supported in this node.",
...
}
...
```
+So, you can follow `kubelet_admission_rejections_total{reason='SupplementalGroupsPolicyNotSupported'}` metrics to track such events.
+
Also, the following kubelet metrics are also useful to check:
- `kubelet_running_pods`: Shows the actual number of pods running
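Review bot: The sentence added after the code fence assumes the `reason` label on `kubelet_admission_rejections_total` carries the same string as the event `reason` added to the JSON above, but nothing in the hunk states that link. Suggest saying explicitly that the label value matches the event reason, so an operator can rely on the metric to find nodes that reject pods because the policy is not supported there. Wording nits: "metrics" should be "metric" since a single series is named, and the "So," opener followed directly by "Also, ... are also useful" reads awkwardly.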
@@ -1216,6 +1217,7 @@ Major milestones might include:
- 2023-02-10: Initial KEP published.
- v1.31.0(2024-08-13): Alpha
+- v1.33.0(2025-04-23): Beta
## Drawbacks
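Review bot: The implementation history gains only the v1.33.0 Beta entry, while the rest of this change moves the KEP to `stable` at v1.35. Suggest adding a matching GA line for v1.35 below the Beta one (with the release date once it is known), so the history agrees with the `milestone.stable` value set in `kep.yaml`.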
@@ -1227,7 +1229,7 @@ N/A
## Alternatives
-### Introducing `RutimeClass`
+### Introducing `RuntimeClass`
As described in the [Motivation](#motivation) section, cluster administrators would need to deploy a custom low-level container runtime(e.g., [pfnet-research/strict-supplementalgroups-container-runtime](https://github.com/pfnet-research/strict-supplementalgroups-container-runtime)) that modifies OCI container runtime spec(`config.json`) produced by CRI implementations (e.g., containerd, cri-o). A custom `RuntimeClass` would be introduced for it.
diff --git a/keps/sig-node/3619-supplemental-groups-policy/kep.yaml b/keps/sig-node/3619-supplemental-groups-policy/kep.yaml
index 2ea92fdb8ab..8b577adfd71 100644
--- a/keps/sig-node/3619-supplemental-groups-policy/kep.yaml
+++ b/keps/sig-node/3619-supplemental-groups-policy/kep.yaml
@@ -5,7 +5,7 @@ authors:
owning-sig: sig-node
participating-sigs:
- sig-node
-status: implementable
+status: implemented
creation-date: 2022-10-14
reviewers:
- "@thockin"
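Review bot: `status` flips to `implemented` in the same change that first sets the stable milestone to v1.35 in the next hunk. If the GA implementation has not yet merged for v1.35, `implementable` is the accurate value for now and `implemented` can follow in a later update; please confirm which state applies.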
@@ -19,18 +19,18 @@ see-also: []
replaces: []
# The target maturity stage in the current dev cycle for this KEP.
-stage: beta
+stage: stable
# The most recent milestone for which work toward delivery of this KEP has been
# done. This can be the current (upcoming) milestone, if it is being actively
# worked on.
-latest-milestone: "v1.33"
+latest-milestone: "v1.35"
# The milestone at which this feature was, or is targeted to be, at each stage.
milestone:
alpha: "v1.31"
beta: "v1.33"
- stable: "v1.yy"
+ stable: "v1.35"
# The following PRR answers are required at alpha release
# List the feature gate name and the components for which it must be enabled
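Review bot: This hunk sets `stage`, `latest-milestone` and `milestone.stable`, but the visible lines stop at the start of the PRR section and show no change to `disable-supported`. The README in this same diff now says the gate is locked to true from v1.35, and its template note asks for `disable-supported` to be set in `kep.yaml`, so please check that the value below this hunk still matches the new README answer.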