
KEP-127: Update PSS based on feature gate #118760

Merged
merged 1 commit into from Oct 28, 2023

Conversation

saschagrunert
Member

@saschagrunert saschagrunert commented Jun 20, 2023

What type of PR is this?

/kind feature

What this PR does / why we need it:

Which issue(s) this PR fixes:

Refers to kubernetes/enhancements#127

Special notes for your reviewer:

None

Does this PR introduce a user-facing change?

Added `UserNamespacesPodSecurityStandards` feature gate to enable user namespace support for Pod Security Standards.
Enabling this feature will modify all Pod Security Standard rules to allow setting: `spec[.*].securityContext.[runAsNonRoot,runAsUser]`.
This feature gate should only be enabled if all nodes in the cluster support the user namespace feature and have it enabled.
The feature gate will not graduate or be enabled by default in future Kubernetes releases.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

KEP: https://github.com/kubernetes/enhancements/issues/127
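As an added illustration (not code from this PR or from the Kubernetes project), here is a small Python model of the two Restricted-profile checks the release note says the gate touches, `runAsNonRoot` and `runAsUser`, run against a constructed pod with the gate off and on. It assumes, which the page does not state, that the relaxation applies only to pods that request a user namespace via `spec.hostUsers: false`; pods on the host user namespace keep the full checks.

```python
from typing import Any, Dict, List

Pod = Dict[str, Any]

def _containers(pod: Pod) -> List[Dict[str, Any]]:
    # PSS evaluates init, regular and ephemeral containers alike.
    spec = pod["spec"]
    return (spec.get("initContainers", []) + spec.get("containers", [])
            + spec.get("ephemeralContainers", []))

def relaxed_for_user_namespace(pod: Pod, gate_enabled: bool) -> bool:
    # Assumption (not on the page): the relaxation only applies to pods that
    # opted into a user namespace with spec.hostUsers: false.
    return gate_enabled and pod["spec"].get("hostUsers") is False

def check_run_as_non_root_and_user(pod: Pod, gate_enabled: bool = False) -> List[str]:
    """Restricted-profile rules for the two fields the gate affects.
    Returns violation strings; an empty list means the pod passes these checks."""
    if relaxed_for_user_namespace(pod, gate_enabled):
        return []
    pod_sc = pod["spec"].get("securityContext", {})
    violations: List[str] = []
    for c in _containers(pod):
        sc = c.get("securityContext", {})
        # A container-level value overrides the pod-level one; unset inherits it.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if non_root is not True:
            violations.append(f"{c['name']}: runAsNonRoot != true")
        if run_as_user == 0:
            violations.append(f"{c['name']}: runAsUser=0")
    return violations

# Constructed sample: a pod that asks for a user namespace and runs UID 0 inside it.
USERNS_ROOT_POD: Pod = {
    "spec": {
        "hostUsers": False,
        "containers": [{"name": "app", "securityContext": {"runAsUser": 0}}],
    },
}

if __name__ == "__main__":
    print(check_run_as_non_root_and_user(USERNS_ROOT_POD, gate_enabled=False))
    print(check_run_as_non_root_and_user(USERNS_ROOT_POD, gate_enabled=True))
```

With the gate off the sample pod is rejected on both fields; with the gate on it is admitted, which is why the note insists every node must have user namespaces enabled before the gate is turned on.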

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. kind/feature Categorizes issue or PR as related to a new feature. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. area/apiserver area/code-generation kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Jun 20, 2023
@saschagrunert saschagrunert changed the title KEP-127: Update PSS based on feature gate WIP: KEP-127: Update PSS based on feature gate Jun 20, 2023
@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 20, 2023
@saschagrunert saschagrunert force-pushed the user-namespaces-pss branch 3 times, most recently from 4d81571 to f0d569b Compare June 20, 2023 09:09
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jun 20, 2023
@saschagrunert saschagrunert changed the title WIP: KEP-127: Update PSS based on feature gate KEP-127: Update PSS based on feature gate Jun 20, 2023
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 20, 2023
@k8s-ci-robot k8s-ci-robot added area/release-eng Issues or PRs related to the Release Engineering subproject sig/release Categorizes an issue or PR as relevant to SIG Release. labels Jun 20, 2023
@k8s-ci-robot k8s-ci-robot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jun 20, 2023
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
@saschagrunert
Member Author

Updated the PR @liggitt @mrunalp PTAL again

@liggitt
Member

liggitt commented Oct 27, 2023

/lgtm
/approve

please open a PR to update the KEP with the initial state merged here and move the capabilities / allowPrivilegeEscalation bits into an unresolved block

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 27, 2023
@k8s-ci-robot
Contributor

LGTM label has been added.

Git tree hash: c266812d3fca0b0bc14fea4a99c2d867d7304560

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 27, 2023
@pacoxu
Member

pacoxu commented Oct 28, 2023

/test pull-kubernetes-e2e-kind
for a known flake that is tracked in #118037

@k8s-ci-robot k8s-ci-robot merged commit 1c8f88d into kubernetes:master Oct 28, 2023
15 checks passed
SIG Node PR Triage automation moved this from Needs Reviewer to Done Oct 28, 2023
@k8s-ci-robot k8s-ci-robot added this to the v1.29 milestone Oct 28, 2023
@saschagrunert saschagrunert deleted the user-namespaces-pss branch October 30, 2023 08:22
saschagrunert added a commit to saschagrunert/kubernetes-enhancements that referenced this pull request Oct 30, 2023
We decided to drop those security context fields from the integration in
kubernetes/kubernetes#118760. The KEP is now
updated to reflect that.

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
@saschagrunert
Member Author

please open a PR to update the KEP with the initial state merged here and move the capabilities / allowPrivilegeEscalation bits into an unresolved block

Closing the loop: kubernetes/enhancements#4320

saschagrunert added a commit to saschagrunert/kubernetes that referenced this pull request Nov 1, 2023
Adding an e2e test for the functionality added in
kubernetes#118760.

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
saschagrunert added a commit to saschagrunert/kubernetes that referenced this pull request Feb 15, 2024
saschagrunert added a commit to saschagrunert/kubernetes that referenced this pull request Feb 19, 2024
Jeffwan pushed a commit to Jeffwan/kubernetes that referenced this pull request Mar 6, 2024
dinhxuanvu pushed a commit to dinhxuanvu/kubernetes that referenced this pull request Mar 28, 2024
ah8ad3 pushed a commit to ah8ad3/kubernetes that referenced this pull request Apr 6, 2024