Identify Windows pods at API admission level authoritatively

[ravisantoshgudimetla]

Enhancement Description

Identifying Windows pods at the API admission level authoritatively is crucial to apply appropriate security constraints to the pod. We rely on kubelet to strip certain security constraints when the pod lands on the node. While this is workable solution identifying all the valid scenarios during kubelet admission time is hard and not scalable. Having the identification done during the API admission would also help the other admission controllers like PodSecurityAdmission to authoritatively apply security constraints.

• One-line enhancement description (can be used as a release note):
• Kubernetes Enhancement Proposal:
• Discussion Link:
• Primary contact (assignee): @ravisantoshgudimetla
• Responsible SIGs: Windows
• Enhancement target (which target equals to which milestone):
  • Alpha release target (x.y): 1.23
  • Beta release target (x.y): 1.24
  • Stable release target (x.y): 1.25
• Alpha
  • KEP (k/enhancements) update PR(s):
    • Identify Pod's OS during API Server admission #2803
  • Code (k/k) update PR(s):
    • Add pod os field kubernetes#104693
    • [kubelet]: Reconcile OS and arch labels periodically kubernetes#104613
    • Pod os field kubelet kubernetes#105292
  • Docs (k/website) update PR(s): [docs][windows]: Pod OS field update website#30436
• Beta
  • KEP (k/enhancements) update PR(s):
    • KEP - Promote PodOS field to beta #3102
  • Code (k/k) update PR(s):
    • Promote PodOS field to beta kubernetes#107859
  • Testgrid:
    • https://testgrid.k8s.io/sig-node-release-blocking#node-kubelet-serial-containerd
  • Docs (k/website) update(s):
    • Promote IdentifyPodOS to Beta website#32481
• Stable
  • KEP (k/enhancements) update PR(s):
    • KEP-2802: Promote PodOS field to GA #3303
  • Code (k/k) update PR(s):
    • PodSecurity: OS based updates to restricted standard kubernetes#105919
  • Docs (k/website) update(s):
    • Promote PodOS field to GA website#35590
    • Update pod security standards to use PodOS field website#35772
    • Include Pod OS field website#35985

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

[ravisantoshgudimetla]

/sig windows

[salaxander]

/milestone v1.23

[salaxander]

Hi @ravisantoshgudimetla! 1.23 Enhancements team here. Just checking in as we approach enhancements freeze on Thursday 09/09. Here's where this enhancement currently stands:

• KEP file using the latest template has been merged into the k/enhancements repo.
• KEP status is marked as implementable
• KEP has a test plan section filled out.
• KEP has up to date gradution criteria.
• KEP has a production readiness review that has been completed and merged into k/enhancements.

Starting with 1.23, we have implented a soft freeze on production readiness reviews beginning on Thursday 09/02. If your enhancement needs a PRR, please make sure to try and complete it by that date!

Thanks!

[supriya-premkumar]

Hi @ravisantoshgudimetla! 1.23 Enhancements shadow here👋🏽

Just following up as we are approaching the enhancements freeze on Thursday 09/09.

Here's where this enhancement currently stands:

• KEP file using the latest template has been merged into the k/enhancements repo.
• KEP status is marked as implementable
• KEP has a test plan section filled out.
• KEP has up to date gradution criteria.
• KEP has a production readiness review that has been completed and merged into k/enhancements.

Looks like this issue is all set for the Enhancement Freeze 🎉
I will update the tracking sheet accordingly.

Thank you!

[mehabhalodiya]

Hi @ravisantoshgudimetla 👋 1.23 Docs shadow here.

This enhancement is marked as 'Needs Docs' for the 1.23 release.

Please follow the steps detailed in the documentation to open a PR against the dev-1.23 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Thu November 18, 11:59 PM PDT.

Also, if needed take a look at Documenting for a release to familiarize yourself with the docs requirement for the release.

Thanks!

[sftim]

Do we have a list of recognised operating system names / intend to have a list like that?

If so, we should aim to document what that list of names consists of. These might be borrowed from elsewhere; that's OK, and we can document where to look.

[marosset]

Linking some implementation PRs
kubernetes/kubernetes#104693
kubernetes/kubernetes#104613

[supriya-premkumar]

Hi @ravisantoshgudimetla! 1.23 Enhancements shadow here👋🏽
Just checking on the PRs status for this issue as we are approaching code freeze deadline on Tuesday, November 16 at 6:00 pm PST

I see that the two PRs are merged. Are there any open PRs that need to be linked to this issue?
Marking this as tracked in the tracking sheet. Please let me know if there are any updates.

[ravisantoshgudimetla]

@supriya-premkumar - All the needed PRs merged. Will open a docs PR shortly

[rhockenbury]

👋 Hello @ravisantoshgudimetla,

1.25 Enhancements team here. Just checking in as we approach enhancements freeze on 18:00 PST on Thursday June 16, 2022.

Here's where this enhancement currently stands:

• KEP file using the latest template has been merged into the k/enhancements repo.
• KEP status is marked as implementable
• KEP has a updated detailed test plan section filled out
• KEP has up to date graduation criteria
• KEP has a production readiness review that has been completed and merged into k/enhancements.

Looks like for this one, we need to merge #3303 which includes everything to meet all requirements for enhancements freeze.

For note, the status of this enhancement is marked as at risk. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

[ravisantoshgudimetla]

Hi @rhockenbury KEP has updated test plan - Can you take a look. I can ask folks from prod readiness to review it then.

[rhockenbury]

@ravisantoshgudimetla Yes, it looks like all requirements for enhancement freeze will be met once #3303 is merged.

[rhockenbury]

With #3303 merged, I have this marked as tracked for the v1.25 cycle.

[jasonbraganza]

Hi @ravisantoshgudimetla 👋

Checking in once more as we approach 1.25 code freeze at 01:00 UTC on Wednesday, 3rd August 2022.

Please ensure the following items are completed:

• All PRs to the Kubernetes repo that are related to your enhancement are linked in the above issue description (for tracking purposes).
• All PRs are fully merged by the code freeze deadline.
  • PodSecurity: OS based updates to restricted standard kubernetes#105919

Please verify, if there are any additional k/k PRs besides the ones listed above.
Please plan to get the open k/k merged by the code freeze deadline. The status of the enhancement is currently marked as at-risk.
Please also update the issue description with the relevant links for tracking purpose. Thank you so much!

[sftim]

We should document podOS outside of https://kubernetes.io/docs/concepts/windows/user-guide/

(Windows is one supported podOS, but it's not the only game in town)

When we add that documentation, consider updating the release note for kubernetes/kubernetes#111229

[cathchu]

Hi @ravisantoshgudimetla 👋

1.25 Release Docs Shadow here. Does this enhancement work planned for 1.25 require any new docs or modification to existing docs?
If so, please follows the steps here to open a PR against dev-1.25 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before August 4.
Also, take a look at Documenting for a release to get yourself familiarize with the docs requirement for the release.
Thank you!

[jasonbraganza]

Hello @ravisantoshgudimetla 👋

With the k/k code PRs, now merged, the enhancement is ready for the 1.25 code freeze

The status of this enhancement is currently marked as tracked

Thank you.

[sftim]

I recommend mentioning kubernetes/website#35985 in the KEP issue description.

[marosset]

I recommend mentioning kubernetes/website#35985 in the KEP issue description.

done!

[marosset]

This is merged.
Let's do a final KEP update then we close this issue.

[marosset]

/close

Thanks @ravisantoshgudimetla for all of your contributions here!

[k8s-ci-robot]

@marosset: Closing this issue.

In response to this:

/close

Thanks @ravisantoshgudimetla for all of your contributions here!

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.