Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support for ambient capabilities in kubernetes. #2763

Open
5 of 6 tasks
vinayakankugoyal opened this issue May 21, 2021 · 24 comments
Open
5 of 6 tasks

Support for ambient capabilities in kubernetes. #2763

vinayakankugoyal opened this issue May 21, 2021 · 24 comments
Assignees
Labels
lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. sig/node Categorizes an issue or PR as relevant to SIG Node. sig/security Categorizes an issue or PR as relevant to SIG Security. stage/alpha Denotes an issue tracking an enhancement targeted for Alpha status

Comments

@vinayakankugoyal
Copy link
Contributor

vinayakankugoyal commented May 21, 2021

Enhancement Description

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

@k8s-ci-robot k8s-ci-robot added the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label May 21, 2021
@vinayakankugoyal
Copy link
Contributor Author

/sig security

@k8s-ci-robot k8s-ci-robot added sig/security Categorizes an issue or PR as relevant to SIG Security. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels May 21, 2021
@vinayakankugoyal
Copy link
Contributor Author

/assign @vinayakankugoyal

@vinayakankugoyal
Copy link
Contributor Author

/milestone 1.23

@k8s-ci-robot
Copy link
Contributor

@vinayakankugoyal: You must be a member of the kubernetes/milestone-maintainers GitHub team to set the milestone. If you believe you should be able to issue the /milestone command, please contact your and have them propose you as an additional delegate for this responsibility.

In response to this:

/milestone 1.23

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@Priyankasaggu11929
Copy link
Member

Priyankasaggu11929 commented Sep 1, 2021

Hello @vinayakankugoyal, 1.23 Enhancements shadow here. Just checking in as we approach enhancements freeze on Thursday 09/09. Here's where this enhancement currently stands:

  • KEP file using the latest template has been merged into the k/enhancements repo.
  • KEP status is marked as implementable
  • KEP has a test plan section filled out.
  • KEP has up to date gradution criteria.
  • KEP has a production readiness review that has been completed and merged into k/enhancements.

Starting with 1.23, we have implented a soft freeze on production readiness reviews beginning on Thursday 09/02. If your enhancement needs a PRR, please make sure to try and complete it by that date!

For this enhancement, it looks like we need the following to be updated in the PR #2757:

  • KEP status marked as implementable.
  • KEP's test plan section filled out
  • A completed PRR for the alpha release

Thanks!

@Priyankasaggu11929 Priyankasaggu11929 added tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team stage/alpha Denotes an issue tracking an enhancement targeted for Alpha status labels Sep 7, 2021
@Priyankasaggu11929
Copy link
Member

Priyankasaggu11929 commented Sep 7, 2021

Hello @vinayakankugoyal, 1.23 Enhancements shadow here. Just checking in once again as we approach more closer to the enhancements freeze on Thursday 09/09. Here's where this enhancement currently stands:

  • KEP file using the latest template has been merged into the k/enhancements repo.
  • KEP status is marked as implementable
  • KEP has a test plan section filled out.
  • KEP has up to date gradution criteria.
  • KEP has a production readiness review that has been completed and merged into k/enhancements.

For this enhancement, we need the following to be updated in the PR #2757 to be tracked under the kubernetes 1.23 release:

  • KEP status must be marked as implementable.
  • KEP's test plan section filled out
  • Update the kep.yaml file in the PR to fill all the TODO/TBC/TBD placeholders.
  • Add the PRR file for the alpha release stage & have it merged into the k/enhancements repo

Thanks!

@vinayakankugoyal
Copy link
Contributor Author

Woops, completely missed your previous messages. Sorry about that!
We are still discussing how the K8S API changes would look like, we need to figure those out before we can mark this as implementable. I don't think we would be able to meet the KEP deadline as the SIG security meeting is on 09/09.

@Priyankasaggu11929
Copy link
Member

@vinayakankugoyal , thank you so much for providing more information on the current status of the enhancement.

We are still discussing how the K8S API changes would look like, we need to figure those out before we can mark this as implementable. I don't think we would be able to meet the KEP deadline as the SIG security meeting is on 09/09.

As stated above, that this enhancement would not be able to the meet the requirements by the enhancements freeze time, would it be alright then if I remove the 1.23 release milestone for now?

And when you have more information in favor of marking it as implementable, you could raise an exception request for the enhancement?

Thanks once again. :)

@Priyankasaggu11929
Copy link
Member

@vinayakankugoyal, Thanks for the confirmation. I'll remove the 1.23 release milestone.

@Priyankasaggu11929 Priyankasaggu11929 removed this from the v1.23 milestone Sep 10, 2021
@Priyankasaggu11929 Priyankasaggu11929 added tracked/no Denotes an enhancement issue is NOT actively being tracked by the Release Team and removed tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team labels Sep 10, 2021
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 9, 2021
@vinayakankugoyal
Copy link
Contributor Author

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 9, 2021
@gracenng gracenng added tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team and removed tracked/no Denotes an enhancement issue is NOT actively being tracked by the Release Team labels Jan 17, 2022
@gracenng gracenng added this to the v1.24 milestone Jan 17, 2022
@gracenng
Copy link
Member

Hi @vinayakankugoyal ! 1.24 Enhancements team here. Just checking in as we approach enhancements freeze on 18:00pm PT on Thursday Feb 3rd. This enhancements is targeting beta for 1.24, is that correct?.
Here’s where this enhancement currently stands:

  • Updated KEP file using the latest template has been merged into the k/enhancements repo - this will be KEP file with test plan filled out
  • KEP status is marked as implementable for this release with latest-milestone: 1.24
  • KEP has a test plan section filled out.
  • KEP has up to date graduation criteria.
  • KEP has a production readiness review that has been completed and merged into k/enhancements.

The status of this enhancement is track as at risk. Please update this issue description to reflect enhancements target
Thanks!

@vinayakankugoyal
Copy link
Contributor Author

Hello @gracenng - This KEP is targeting alpha for 1.24. I have updated the description to reflect the current status. Thanks!

@ehashman
Copy link
Member

@vinayakankugoyal can you please update your PR to ensure that the KEP is marked implementable and not provisional? It has me listed as the PRR approver but I did not review this.

@gracenng
Copy link
Member

Hi @vinayakankugoyal , 1.24 Enhancements Team here.

Reaching out as we're less than a week away from Enhancement Freeze on Thursday, February 3rd.
There's no update for this enhancement since last checkin, let me know if I missed anything.
Current status is at risk

@vinayakankugoyal
Copy link
Contributor Author

We still haven't agreed upon the field to mark it implementable. I am going to remove it from milestone.

/remove milestone 1.24

@ehashman
Copy link
Member

ehashman commented Feb 1, 2022

/milestone clear

@k8s-ci-robot k8s-ci-robot removed this from the v1.24 milestone Feb 1, 2022
@gracenng gracenng removed the tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team label Mar 6, 2022
@tallclair
Copy link
Member

I just noticed this is owned by SIG-Security, but the sig-security charter explicitly states that

SIG Security does not own any Kubernetes cluster component code

https://github.com/kubernetes/community/blob/master/sig-security/charter.md#out-of-scope

I think this feature should probably be owned by SIG-Node, with SIG-Security as a participating SIG.

@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 9, 2022
@tallclair
Copy link
Member

/remove-lifecycle stale
/lifecycle frozen
/sig node

@k8s-ci-robot k8s-ci-robot added sig/node Categorizes an issue or PR as relevant to SIG Node. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Aug 24, 2022
@pacoxu
Copy link
Member

pacoxu commented Aug 26, 2022

@tallclair
Copy link
Member

Are there any plans to make progress on this in the v1.26 cycle?

@tamalsaha
Copy link
Member

I would appreciate if this KEP could get some love. At least this limitation should be documented in https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container and the current workaround to use setcap in the dockerfile.

@pacoxu
Copy link
Member

pacoxu commented Sep 9, 2024

The feature PRs in CRI-O and Containerd are all closed now.

@mrunalp @vinayakankugoyal Should we revisit the feature at this point(v1.32 KEP planning)?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. sig/node Categorizes an issue or PR as relevant to SIG Node. sig/security Categorizes an issue or PR as relevant to SIG Security. stage/alpha Denotes an issue tracking an enhancement targeted for Alpha status
Projects
Status: Not for release
Development

No branches or pull requests

10 participants