diff --git a/keps/prod-readiness/sig-node/3619.yaml b/keps/prod-readiness/sig-node/3619.yaml new file mode 100644 index 00000000000..5498ea6c31b --- /dev/null +++ b/keps/prod-readiness/sig-node/3619.yaml @@ -0,0 +1,6 @@ +# The KEP must have an approver from the +# "prod-readiness-approvers" group +# of http://git.k8s.io/enhancements/OWNERS_ALIASES +kep-number: 3619 +alpha: + approver: "@johnbelamaric" diff --git a/keps/sig-node/3619-supplemental-groups-policy/README.md b/keps/sig-node/3619-supplemental-groups-policy/README.md index 55e02dbc7a6..53bd74fece7 100644 --- a/keps/sig-node/3619-supplemental-groups-policy/README.md +++ b/keps/sig-node/3619-supplemental-groups-policy/README.md @@ -671,9 +671,9 @@ well as the [existing list] of feature gates. [existing list]: https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/ --> -- [ ] Feature gate (also fill in values in `kep.yaml`) - - Feature gate name: - - Components depending on the feature gate: +- [x] Feature gate (also fill in values in `kep.yaml`) + - Feature gate name: SupplementalGroupsPolicy + - Components depending on the feature gate: kube-apiserver, kubelet, (and CRI implementations(e.g. containerd, cri-o)) - [ ] Other - Describe the mechanism: - Will enabling / disabling the feature require downtime of the control @@ -687,6 +687,7 @@ well as the [existing list] of feature gates. Any change of default behavior may be surprising to users or break existing automations, so be extremely careful here. --> +No. Just introducing new API fields in Pod spec and CRI which does NOT change the default behavior. ###### Can the feature be disabled once it has been enabled (i.e. can we roll back the enablement)? @@ -701,8 +702,12 @@ feature. NOTE: Also set `disable-supported` to `true` or `false` in `kep.yaml`. --> +Yes. It can be disabled after enabled. However, users should pay attention that gids of container processes in pods with `IgnoreGroupsInImage` policy would change. It means the action might break the application in permission. We plan to provide a way for users to detect which pods are affected. + ###### What happens if we reenable the feature if it was previously rolled back? +Just the policy `IgnoreGroupsInImage` is reenabled. Users should pay attention that gids of containers in pods with `IgnoreGroupsInImage` policy would change. It means that the action might break the application in permission. We plan to provide a way for users to detect which pods are affected. + ###### Are there any tests for feature enablement/disablement? +Planned for Alpha. + ### Rollout, Upgrade and Rollback Planning +No. Just introducing new API fields in Pod spec and CRI which does NOT change the default behavior. + ###### Will enabling / using this feature result in introducing new API types? +No. + ###### Will enabling / using this feature result in any new calls to the cloud provider? +No. + ###### Will enabling / using this feature result in increasing size or count of the existing API objects? +No. + ###### Will enabling / using this feature result in increasing time taken by any operations covered by existing SLIs/SLOs? +No. + ###### Will enabling / using this feature result in non-negligible increase of resource usage (CPU, RAM, disk, IO, ...) in any components? +No. + ### Troubleshooting