From c1323be2ba90ef6d94ed5cc12486f110b039ca32 Mon Sep 17 00:00:00 2001
From: David Eads <deads@redhat.com>
Date: Thu, 13 Jan 2022 13:29:51 -0500
Subject: [PATCH 1/6] beta apis off by default

---
 .../3136-beta-off-by-default/README.md        | 585 ++++++++++++++++++
 .../3136-beta-off-by-default/kep.yaml         |  46 ++
 2 files changed, 631 insertions(+)
 create mode 100644 keps/sig-architecture/3136-beta-off-by-default/README.md
 create mode 100644 keps/sig-architecture/3136-beta-off-by-default/kep.yaml

diff --git a/keps/sig-architecture/3136-beta-off-by-default/README.md b/keps/sig-architecture/3136-beta-off-by-default/README.md
new file mode 100644
index 00000000000..c84541af3c7
--- /dev/null
+++ b/keps/sig-architecture/3136-beta-off-by-default/README.md
@@ -0,0 +1,585 @@
+<!--
+**Note:** When your KEP is complete, all of these comment blocks should be removed.
+
+To get started with this template:
+
+- [ ] **Pick a hosting SIG.**
+  Make sure that the problem space is something the SIG is interested in taking
+  up. KEPs should not be checked in without a sponsoring SIG.
+- [ ] **Create an issue in kubernetes/enhancements**
+  When filing an enhancement tracking issue, please make sure to complete all
+  fields in that template. One of the fields asks for a link to the KEP. You
+  can leave that blank until this KEP is filed, and then go back to the
+  enhancement and add the link.
+- [ ] **Make a copy of this template directory.**
+  Copy this template into the owning SIG's directory and name it
+  `NNNN-short-descriptive-title`, where `NNNN` is the issue number (with no
+  leading-zero padding) assigned to your enhancement above.
+- [ ] **Fill out as much of the kep.yaml file as you can.**
+  At minimum, you should fill in the "Title", "Authors", "Owning-sig",
+  "Status", and date-related fields.
+- [ ] **Fill out this file as best you can.**
+  At minimum, you should fill in the "Summary" and "Motivation" sections.
+  These should be easy if you've preflighted the idea of the KEP with the
+  appropriate SIG(s).
+- [ ] **Create a PR for this KEP.**
+  Assign it to people in the SIG who are sponsoring this process.
+- [ ] **Merge early and iterate.**
+  Avoid getting hung up on specific details and instead aim to get the goals of
+  the KEP clarified and merged quickly. The best way to do this is to just
+  start with the high-level sections and fill out details incrementally in
+  subsequent PRs.
+
+Just because a KEP is merged does not mean it is complete or approved. Any KEP
+marked as `provisional` is a working document and subject to change. You can
+denote sections that are under active debate as follows:
+
+```
+<<[UNRESOLVED optional short context or usernames ]>>
+Stuff that is being argued.
+<<[/UNRESOLVED]>>
+```
+
+When editing KEPS, aim for tightly-scoped, single-topic PRs to keep discussions
+focused. If you disagree with what is already in a document, open a new PR
+with suggested changes.
+
+One KEP corresponds to one "feature" or "enhancement" for its whole lifecycle.
+You do not need a new KEP to move from beta to GA, for example. If
+new details emerge that belong in the KEP, edit the KEP. Once a feature has become
+"implemented", major changes should get new KEPs.
+
+The canonical place for the latest set of instructions (and the likely source
+of this file) is [here](/keps/NNNN-kep-template/README.md).
+
+**Note:** Any PRs to move a KEP to `implementable`, or significant changes once
+it is marked `implementable`, must be approved by each of the KEP approvers.
+If none of those approvers are still appropriate, then changes to that list
+should be approved by the remaining approvers and/or the owning SIG (or
+SIG Architecture for cross-cutting KEPs).
+-->
+# KEP-3136: Beta APIs Are Off by Default
+
+<!--
+This is the title of your KEP. Keep it short, simple, and descriptive. A good
+title can help communicate what the KEP is and should be considered as part of
+any review.
+-->
+
+<!--
+A table of contents is helpful for quickly jumping to sections of a KEP and for
+highlighting any additional information provided beyond the standard KEP
+template.
+
+Ensure the TOC is wrapped with
+  <code>&lt;!-- toc --&rt;&lt;!-- /toc --&rt;</code>
+tags, and then generate with `hack/update-toc.sh`.
+-->
+
+<!-- toc -->
+- [Release Signoff Checklist](#release-signoff-checklist)
+- [Summary](#summary)
+- [Motivation](#motivation)
+  - [Goals](#goals)
+  - [Non-Goals](#non-goals)
+- [Proposal](#proposal)
+  - [User Stories (Optional)](#user-stories-optional)
+    - [Story 1](#story-1)
+    - [Story 2](#story-2)
+  - [Notes/Constraints/Caveats (Optional)](#notesconstraintscaveats-optional)
+  - [Risks and Mitigations](#risks-and-mitigations)
+- [Design Details](#design-details)
+  - [Test Plan](#test-plan)
+  - [Graduation Criteria](#graduation-criteria)
+  - [Upgrade / Downgrade Strategy](#upgrade--downgrade-strategy)
+  - [Version Skew Strategy](#version-skew-strategy)
+- [Production Readiness Review Questionnaire](#production-readiness-review-questionnaire)
+  - [Feature Enablement and Rollback](#feature-enablement-and-rollback)
+  - [Rollout, Upgrade and Rollback Planning](#rollout-upgrade-and-rollback-planning)
+  - [Monitoring Requirements](#monitoring-requirements)
+  - [Dependencies](#dependencies)
+  - [Scalability](#scalability)
+  - [Troubleshooting](#troubleshooting)
+- [Implementation History](#implementation-history)
+- [Drawbacks](#drawbacks)
+- [Alternatives](#alternatives)
+- [Infrastructure Needed (Optional)](#infrastructure-needed-optional)
+<!-- /toc -->
+
+## Release Signoff Checklist
+
+<!--
+**ACTION REQUIRED:** In order to merge code into a release, there must be an
+issue in [kubernetes/enhancements] referencing this KEP and targeting a release
+milestone **before the [Enhancement Freeze](https://git.k8s.io/sig-release/releases)
+of the targeted release**.
+
+For enhancements that make changes to code or processes/procedures in core
+Kubernetes—i.e., [kubernetes/kubernetes], we require the following Release
+Signoff checklist to be completed.
+
+Check these off as they are completed for the Release Team to track. These
+checklist items _must_ be updated for the enhancement to be released.
+-->
+
+Items marked with (R) are required *prior to targeting to a milestone / release*.
+
+- [ ] (R) Enhancement issue in release milestone, which links to KEP dir in [kubernetes/enhancements] (not the initial KEP PR)
+- [ ] (R) KEP approvers have approved the KEP status as `implementable`
+- [ ] (R) Design details are appropriately documented
+- [ ] (R) Test plan is in place, giving consideration to SIG Architecture and SIG Testing input (including test refactors)
+  - [ ] e2e Tests for all Beta API Operations (endpoints)
+  - [ ] (R) Ensure GA e2e tests for meet requirements for [Conformance Tests](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/conformance-tests.md) 
+  - [ ] (R) Minimum Two Week Window for GA e2e tests to prove flake free
+- [ ] (R) Graduation criteria is in place
+  - [ ] (R) [all GA Endpoints](https://github.com/kubernetes/community/pull/1806) must be hit by [Conformance Tests](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/conformance-tests.md) 
+- [ ] (R) Production readiness review completed
+- [ ] (R) Production readiness review approved
+- [ ] "Implementation History" section is up-to-date for milestone
+- [ ] User-facing documentation has been created in [kubernetes/website], for publication to [kubernetes.io]
+- [ ] Supporting documentation—e.g., additional design documents, links to mailing list discussions/SIG meetings, relevant PRs/issues, release notes
+
+<!--
+**Note:** This checklist is iterative and should be reviewed and updated every time this enhancement is being considered for a milestone.
+-->
+
+[kubernetes.io]: https://kubernetes.io/
+[kubernetes/enhancements]: https://git.k8s.io/enhancements
+[kubernetes/kubernetes]: https://git.k8s.io/kubernetes
+[kubernetes/website]: https://git.k8s.io/website
+
+## Summary
+
+New beta APIs will not be enabled in clusters by default.
+Existing beta APIs and new versions of existing beta APIs, will continue to be enabled by default.
+
+## Motivation
+
+Beta APIs are not considered stable and reliance upon APIs in this state leads to exposure to bugs,
+guaranteed migration pain for users when the APIs move to stable, and the risk that dependencies will
+grow around unfinished APIs.
+Enabling beta APIs by default, exacerbates these problems by making them on in nearly every cluster.
+We observed these problems as we removed long-standing beta APIs and the PRR survey tells us that over
+90% of production clusters leave these APIs enabled.
+By disabling beta APIs by default, a cluster-admin can opt-in for specific APIs without having every
+incomplete API present in the cluster.
+
+### Goals
+
+1. Disable new beta APIs by default.
+2. Continue enabling existing beta APIs and new version of existing beta APIs by default.
+3. Allow enabling specific resources in beta.  Enable cronjob.v1beta1.batch.k8s.io without enabling other-cool-job.v1beta1.batch.k8s.io
+
+### Non-Goals
+
+1. Change featuregate defaults.
+
+## Proposal
+
+New beta APIs will be placed into the `DisableVersions` stanza instead of the `EnableVersions` stanza (see [DefaultAPIResourceConfigSource](https://github.com/kubernetes/kubernetes/blob/0669da445fa8c1ae07c15c0827f0e83da11cbe58/pkg/controlplane/instance.go#L643)).
+The `--runtime-config` flag will be extended to allow `group/version/resource=true`, to enable specific resources.
+To enable a beta API, a cluster-admin will have to add the appropriate `--runtime-config` flags.
+
+### User Stories (Optional)
+
+#### Story 1
+
+As a cluster-admin I want to enable the cronjob.v1beta1.batch.k8s.io API in my cluster.
+
+To do this I call `kube-apiserver --runtime-config=batch.k8s.io/v1beta1/cronjob`.
+
+#### Story 1
+
+As a cluster-admin I want to enable all beta APIs as in past releases.
+
+To do this I call `kube-apiserver --runtime-config=api/beta=true`.
+
+
+### Notes/Constraints/Caveats (Optional)
+
+### Risks and Mitigations
+
+Adoption of beta features will slow.
+Given how kubernetes is now treated, this is a good thing, not a bad thing.
+Those users that want to move quickly and get new features can do so by enabling all beta feature
+or just enabling those that are important for their workload.
+
+## Design Details
+
+<!--
+This section should contain enough information that the specifics of your
+change are understandable. This may include API specs (though not always
+required) or even code snippets. If there's any ambiguity about HOW your
+proposal will be implemented, this is the place to discuss them.
+-->
+
+### Test Plan
+
+Integration tests will be written to ensure that no new beta APIs are enabled in the kube-apiserver by default.
+Unit tests will be written to ensure that the new flag functionality works as expected.
+
+### Graduation Criteria
+
+This KEP is a policy KEP, not a feature KEP.  It will start  as GA.
+
+#### GA
+
+- Integration and unit tests from above.
+
+### Upgrade / Downgrade Strategy
+
+The additional command line flag format for `--runtime-config` will not be recognized on older levels of kubernetes.
+This means that when downgrading, cluster-admins will have to adjust their CLI arguments if they opted into a new beta API.
+This is congruent to flag handling for new features today.
+Because this only impacts new beta APIs, there is no behavior change for existing APIs on upgrade.
+
+### Version Skew Strategy
+
+Because this only impacts new beta APIs, there is no novel skew risk.
+
+## Production Readiness Review Questionnaire
+
+Not applicable.
+
+<!--
+
+Production readiness reviews are intended to ensure that features merging into
+Kubernetes are observable, scalable and supportable; can be safely operated in
+production environments, and can be disabled or rolled back in the event they
+cause increased failures in production. See more in the PRR KEP at
+https://git.k8s.io/enhancements/keps/sig-architecture/1194-prod-readiness.
+
+The production readiness review questionnaire must be completed and approved
+for the KEP to move to `implementable` status and be included in the release.
+
+In some cases, the questions below should also have answers in `kep.yaml`. This
+is to enable automation to verify the presence of the review, and to reduce review
+burden and latency.
+
+The KEP must have a approver from the
+[`prod-readiness-approvers`](http://git.k8s.io/enhancements/OWNERS_ALIASES)
+team. Please reach out on the
+[#prod-readiness](https://kubernetes.slack.com/archives/CPNHUMN74) channel if
+you need any help or guidance.
+-->
+
+### Feature Enablement and Rollback
+
+<!--
+This section must be completed when targeting alpha to a release.
+-->
+
+###### How can this feature be enabled / disabled in a live cluster?
+
+<!--
+Pick one of these and delete the rest.
+-->
+
+- [ ] Feature gate (also fill in values in `kep.yaml`)
+  - Feature gate name:
+  - Components depending on the feature gate:
+- [ ] Other
+  - Describe the mechanism:
+  - Will enabling / disabling the feature require downtime of the control
+    plane?
+  - Will enabling / disabling the feature require downtime or reprovisioning
+    of a node? (Do not assume `Dynamic Kubelet Config` feature is enabled).
+
+###### Does enabling the feature change any default behavior?
+
+<!--
+Any change of default behavior may be surprising to users or break existing
+automations, so be extremely careful here.
+-->
+
+###### Can the feature be disabled once it has been enabled (i.e. can we roll back the enablement)?
+
+<!--
+Describe the consequences on existing workloads (e.g., if this is a runtime
+feature, can it break the existing applications?).
+
+NOTE: Also set `disable-supported` to `true` or `false` in `kep.yaml`.
+-->
+
+###### What happens if we reenable the feature if it was previously rolled back?
+
+###### Are there any tests for feature enablement/disablement?
+
+<!--
+The e2e framework does not currently support enabling or disabling feature
+gates. However, unit tests in each component dealing with managing data, created
+with and without the feature, are necessary. At the very least, think about
+conversion tests if API types are being modified.
+-->
+
+### Rollout, Upgrade and Rollback Planning
+
+<!--
+This section must be completed when targeting beta to a release.
+-->
+
+###### How can a rollout or rollback fail? Can it impact already running workloads?
+
+<!--
+Try to be as paranoid as possible - e.g., what if some components will restart
+mid-rollout?
+
+Be sure to consider highly-available clusters, where, for example,
+feature flags will be enabled on some API servers and not others during the
+rollout. Similarly, consider large clusters and how enablement/disablement
+will rollout across nodes.
+-->
+
+###### What specific metrics should inform a rollback?
+
+<!--
+What signals should users be paying attention to when the feature is young
+that might indicate a serious problem?
+-->
+
+###### Were upgrade and rollback tested? Was the upgrade->downgrade->upgrade path tested?
+
+<!--
+Describe manual testing that was done and the outcomes.
+Longer term, we may want to require automated upgrade/rollback tests, but we
+are missing a bunch of machinery and tooling and can't do that now.
+-->
+
+###### Is the rollout accompanied by any deprecations and/or removals of features, APIs, fields of API types, flags, etc.?
+
+<!--
+Even if applying deprecation policies, they may still surprise some users.
+-->
+
+### Monitoring Requirements
+
+<!--
+This section must be completed when targeting beta to a release.
+-->
+
+###### How can an operator determine if the feature is in use by workloads?
+
+<!--
+Ideally, this should be a metric. Operations against the Kubernetes API (e.g.,
+checking if there are objects with field X set) may be a last resort. Avoid
+logs or events for this purpose.
+-->
+
+###### How can someone using this feature know that it is working for their instance?
+
+<!--
+For instance, if this is a pod-related feature, it should be possible to determine if the feature is functioning properly
+for each individual pod.
+Pick one more of these and delete the rest.
+Please describe all items visible to end users below with sufficient detail so that they can verify correct enablement
+and operation of this feature.
+Recall that end users cannot usually observe component logs or access metrics.
+-->
+
+- [ ] Events
+  - Event Reason: 
+- [ ] API .status
+  - Condition name: 
+  - Other field: 
+- [ ] Other (treat as last resort)
+  - Details:
+
+###### What are the reasonable SLOs (Service Level Objectives) for the enhancement?
+
+<!--
+This is your opportunity to define what "normal" quality of service looks like
+for a feature.
+
+It's impossible to provide comprehensive guidance, but at the very
+high level (needs more precise definitions) those may be things like:
+  - per-day percentage of API calls finishing with 5XX errors <= 1%
+  - 99% percentile over day of absolute value from (job creation time minus expected
+    job creation time) for cron job <= 10%
+  - 99.9% of /health requests per day finish with 200 code
+
+These goals will help you determine what you need to measure (SLIs) in the next
+question.
+-->
+
+###### What are the SLIs (Service Level Indicators) an operator can use to determine the health of the service?
+
+<!--
+Pick one more of these and delete the rest.
+-->
+
+- [ ] Metrics
+  - Metric name:
+  - [Optional] Aggregation method:
+  - Components exposing the metric:
+- [ ] Other (treat as last resort)
+  - Details:
+
+###### Are there any missing metrics that would be useful to have to improve observability of this feature?
+
+<!--
+Describe the metrics themselves and the reasons why they weren't added (e.g., cost,
+implementation difficulties, etc.).
+-->
+
+### Dependencies
+
+<!--
+This section must be completed when targeting beta to a release.
+-->
+
+###### Does this feature depend on any specific services running in the cluster?
+
+<!--
+Think about both cluster-level services (e.g. metrics-server) as well
+as node-level agents (e.g. specific version of CRI). Focus on external or
+optional services that are needed. For example, if this feature depends on
+a cloud provider API, or upon an external software-defined storage or network
+control plane.
+
+For each of these, fill in the following—thinking about running existing user workloads
+and creating new ones, as well as about cluster-level services (e.g. DNS):
+  - [Dependency name]
+    - Usage description:
+      - Impact of its outage on the feature:
+      - Impact of its degraded performance or high-error rates on the feature:
+-->
+
+### Scalability
+
+<!--
+For alpha, this section is encouraged: reviewers should consider these questions
+and attempt to answer them.
+
+For beta, this section is required: reviewers must answer these questions.
+
+For GA, this section is required: approvers should be able to confirm the
+previous answers based on experience in the field.
+-->
+
+###### Will enabling / using this feature result in any new API calls?
+
+<!--
+Describe them, providing:
+  - API call type (e.g. PATCH pods)
+  - estimated throughput
+  - originating component(s) (e.g. Kubelet, Feature-X-controller)
+Focusing mostly on:
+  - components listing and/or watching resources they didn't before
+  - API calls that may be triggered by changes of some Kubernetes resources
+    (e.g. update of object X triggers new updates of object Y)
+  - periodic API calls to reconcile state (e.g. periodic fetching state,
+    heartbeats, leader election, etc.)
+-->
+
+###### Will enabling / using this feature result in introducing new API types?
+
+<!--
+Describe them, providing:
+  - API type
+  - Supported number of objects per cluster
+  - Supported number of objects per namespace (for namespace-scoped objects)
+-->
+
+###### Will enabling / using this feature result in any new calls to the cloud provider?
+
+<!--
+Describe them, providing:
+  - Which API(s):
+  - Estimated increase:
+-->
+
+###### Will enabling / using this feature result in increasing size or count of the existing API objects?
+
+<!--
+Describe them, providing:
+  - API type(s):
+  - Estimated increase in size: (e.g., new annotation of size 32B)
+  - Estimated amount of new objects: (e.g., new Object X for every existing Pod)
+-->
+
+###### Will enabling / using this feature result in increasing time taken by any operations covered by existing SLIs/SLOs?
+
+<!--
+Look at the [existing SLIs/SLOs].
+
+Think about adding additional work or introducing new steps in between
+(e.g. need to do X to start a container), etc. Please describe the details.
+
+[existing SLIs/SLOs]: https://git.k8s.io/community/sig-scalability/slos/slos.md#kubernetes-slisslos
+-->
+
+###### Will enabling / using this feature result in non-negligible increase of resource usage (CPU, RAM, disk, IO, ...) in any components?
+
+<!--
+Things to keep in mind include: additional in-memory state, additional
+non-trivial computations, excessive access to disks (including increased log
+volume), significant amount of data sent and/or received over network, etc.
+This through this both in small and large cases, again with respect to the
+[supported limits].
+
+[supported limits]: https://git.k8s.io/community//sig-scalability/configs-and-limits/thresholds.md
+-->
+
+### Troubleshooting
+
+<!--
+This section must be completed when targeting beta to a release.
+
+The Troubleshooting section currently serves the `Playbook` role. We may consider
+splitting it into a dedicated `Playbook` document (potentially with some monitoring
+details). For now, we leave it here.
+-->
+
+###### How does this feature react if the API server and/or etcd is unavailable?
+
+###### What are other known failure modes?
+
+<!--
+For each of them, fill in the following information by copying the below template:
+  - [Failure mode brief description]
+    - Detection: How can it be detected via metrics? Stated another way:
+      how can an operator troubleshoot without logging into a master or worker node?
+    - Mitigations: What can be done to stop the bleeding, especially for already
+      running user workloads?
+    - Diagnostics: What are the useful log messages and their required logging
+      levels that could help debug the issue?
+      Not required until feature graduated to beta.
+    - Testing: Are there any tests for failure mode? If not, describe why.
+-->
+
+###### What steps should be taken if SLOs are not being met to determine the problem?
+
+## Implementation History
+
+<!--
+Major milestones in the lifecycle of a KEP should be tracked in this section.
+Major milestones might include:
+- the `Summary` and `Motivation` sections being merged, signaling SIG acceptance
+- the `Proposal` section being merged, signaling agreement on a proposed design
+- the date implementation started
+- the first Kubernetes release where an initial version of the KEP was available
+- the version of Kubernetes where the KEP graduated to general availability
+- when the KEP was retired or superseded
+-->
+
+## Drawbacks
+
+<!--
+Why should this KEP _not_ be implemented?
+-->
+
+## Alternatives
+
+<!--
+What other approaches did you consider, and why did you rule them out? These do
+not need to be as detailed as the proposal, but should include enough
+information to express the idea and why it was not acceptable.
+-->
+
+## Infrastructure Needed (Optional)
+
+<!--
+Use this section if you need things from the project/SIG. Examples include a
+new subproject, repos requested, or GitHub details. Listing these here allows a
+SIG to get the process for these resources started right away.
+-->
diff --git a/keps/sig-architecture/3136-beta-off-by-default/kep.yaml b/keps/sig-architecture/3136-beta-off-by-default/kep.yaml
new file mode 100644
index 00000000000..7e000223da9
--- /dev/null
+++ b/keps/sig-architecture/3136-beta-off-by-default/kep.yaml
@@ -0,0 +1,46 @@
+title: Beta APIs Are Off by Default
+kep-number: 3136
+authors:
+  - "@deads2k"
+owning-sig: sig-architecture
+participating-sigs:
+  - sig-api-machinery
+status: implementable
+creation-date: 2022-01-13
+reviewers:
+approvers:
+  - "@liggitt"
+  - "@johnbelamaric"
+  - "@derekwaynecarr"
+  - "@dims"
+
+##### WARNING !!! ######
+# prr-approvers has been moved to its own location
+# You should create your own in keps/prod-readiness
+# Please make a copy of keps/prod-readiness/template/nnnn.yaml
+# to keps/prod-readiness/sig-xxxxx/00000.yaml (replace with kep number)
+#prr-approvers:
+
+see-also:
+  - "/keps/sig-architecture/1635-prevent-permabeta"
+replaces:
+
+# The target maturity stage in the current dev cycle for this KEP.
+stage: stable
+
+# The most recent milestone for which work toward delivery of this KEP has been
+# done. This can be the current (upcoming) milestone, if it is being actively
+# worked on.
+latest-milestone: "v1.24"
+
+# The milestone at which this feature was, or is targeted to be, at each stage.
+milestone:
+  stable: "v1.24"
+
+# The following PRR answers are required at alpha release
+# List the feature gate name and the components for which it must be enabled
+feature-gates:
+disable-supported: false
+
+# The following PRR answers are required at beta release
+metrics:

From e55c925f889bef3c663c88f09399c62555617cf0 Mon Sep 17 00:00:00 2001
From: David Eads <deads@redhat.com>
Date: Fri, 14 Jan 2022 10:16:59 -0500
Subject: [PATCH 2/6] clarify beta apis off by default

---
 .../prod-readiness/sig-architecture/3136.yaml |   3 +
 .../3136-beta-apis-off-by-default/README.md   | 286 +++++++++
 .../kep.yaml                                  |   0
 .../3136-beta-off-by-default/README.md        | 585 ------------------
 4 files changed, 289 insertions(+), 585 deletions(-)
 create mode 100644 keps/prod-readiness/sig-architecture/3136.yaml
 create mode 100644 keps/sig-architecture/3136-beta-apis-off-by-default/README.md
 rename keps/sig-architecture/{3136-beta-off-by-default => 3136-beta-apis-off-by-default}/kep.yaml (100%)
 delete mode 100644 keps/sig-architecture/3136-beta-off-by-default/README.md

diff --git a/keps/prod-readiness/sig-architecture/3136.yaml b/keps/prod-readiness/sig-architecture/3136.yaml
new file mode 100644
index 00000000000..091381a82cd
--- /dev/null
+++ b/keps/prod-readiness/sig-architecture/3136.yaml
@@ -0,0 +1,3 @@
+kep-number: 3136
+stable:
+  approver: "@wojtek-t"
diff --git a/keps/sig-architecture/3136-beta-apis-off-by-default/README.md b/keps/sig-architecture/3136-beta-apis-off-by-default/README.md
new file mode 100644
index 00000000000..ecaeaa93c79
--- /dev/null
+++ b/keps/sig-architecture/3136-beta-apis-off-by-default/README.md
@@ -0,0 +1,286 @@
+<!--
+**Note:** When your KEP is complete, all of these comment blocks should be removed.
+
+To get started with this template:
+
+- [ ] **Pick a hosting SIG.**
+  Make sure that the problem space is something the SIG is interested in taking
+  up. KEPs should not be checked in without a sponsoring SIG.
+- [ ] **Create an issue in kubernetes/enhancements**
+  When filing an enhancement tracking issue, please make sure to complete all
+  fields in that template. One of the fields asks for a link to the KEP. You
+  can leave that blank until this KEP is filed, and then go back to the
+  enhancement and add the link.
+- [ ] **Make a copy of this template directory.**
+  Copy this template into the owning SIG's directory and name it
+  `NNNN-short-descriptive-title`, where `NNNN` is the issue number (with no
+  leading-zero padding) assigned to your enhancement above.
+- [ ] **Fill out as much of the kep.yaml file as you can.**
+  At minimum, you should fill in the "Title", "Authors", "Owning-sig",
+  "Status", and date-related fields.
+- [ ] **Fill out this file as best you can.**
+  At minimum, you should fill in the "Summary" and "Motivation" sections.
+  These should be easy if you've preflighted the idea of the KEP with the
+  appropriate SIG(s).
+- [ ] **Create a PR for this KEP.**
+  Assign it to people in the SIG who are sponsoring this process.
+- [ ] **Merge early and iterate.**
+  Avoid getting hung up on specific details and instead aim to get the goals of
+  the KEP clarified and merged quickly. The best way to do this is to just
+  start with the high-level sections and fill out details incrementally in
+  subsequent PRs.
+
+Just because a KEP is merged does not mean it is complete or approved. Any KEP
+marked as `provisional` is a working document and subject to change. You can
+denote sections that are under active debate as follows:
+
+```
+<<[UNRESOLVED optional short context or usernames ]>>
+Stuff that is being argued.
+<<[/UNRESOLVED]>>
+```
+
+When editing KEPS, aim for tightly-scoped, single-topic PRs to keep discussions
+focused. If you disagree with what is already in a document, open a new PR
+with suggested changes.
+
+One KEP corresponds to one "feature" or "enhancement" for its whole lifecycle.
+You do not need a new KEP to move from beta to GA, for example. If
+new details emerge that belong in the KEP, edit the KEP. Once a feature has become
+"implemented", major changes should get new KEPs.
+
+The canonical place for the latest set of instructions (and the likely source
+of this file) is [here](/keps/NNNN-kep-template/README.md).
+
+**Note:** Any PRs to move a KEP to `implementable`, or significant changes once
+it is marked `implementable`, must be approved by each of the KEP approvers.
+If none of those approvers are still appropriate, then changes to that list
+should be approved by the remaining approvers and/or the owning SIG (or
+SIG Architecture for cross-cutting KEPs).
+-->
+# KEP-3136: Beta APIs Are Off by Default
+
+<!--
+This is the title of your KEP. Keep it short, simple, and descriptive. A good
+title can help communicate what the KEP is and should be considered as part of
+any review.
+-->
+
+<!--
+A table of contents is helpful for quickly jumping to sections of a KEP and for
+highlighting any additional information provided beyond the standard KEP
+template.
+
+Ensure the TOC is wrapped with
+  <code>&lt;!-- toc --&rt;&lt;!-- /toc --&rt;</code>
+tags, and then generate with `hack/update-toc.sh`.
+-->
+
+<!-- toc -->
+- [Release Signoff Checklist](#release-signoff-checklist)
+- [Summary](#summary)
+- [Motivation](#motivation)
+  - [Goals](#goals)
+  - [Non-Goals](#non-goals)
+- [Proposal](#proposal)
+  - [User Stories (Optional)](#user-stories-optional)
+    - [Story 1](#story-1)
+    - [Story 2](#story-2)
+  - [Notes/Constraints/Caveats (Optional)](#notesconstraintscaveats-optional)
+  - [Risks and Mitigations](#risks-and-mitigations)
+- [Design Details](#design-details)
+  - [Test Plan](#test-plan)
+  - [Graduation Criteria](#graduation-criteria)
+    - [GA](#ga)
+  - [Upgrade / Downgrade Strategy](#upgrade--downgrade-strategy)
+  - [Version Skew Strategy](#version-skew-strategy)
+- [Production Readiness Review Questionnaire](#production-readiness-review-questionnaire)
+- [Implementation History](#implementation-history)
+- [Drawbacks](#drawbacks)
+- [Alternatives](#alternatives)
+- [Infrastructure Needed (Optional)](#infrastructure-needed-optional)
+<!-- /toc -->
+
+## Release Signoff Checklist
+
+<!--
+**ACTION REQUIRED:** In order to merge code into a release, there must be an
+issue in [kubernetes/enhancements] referencing this KEP and targeting a release
+milestone **before the [Enhancement Freeze](https://git.k8s.io/sig-release/releases)
+of the targeted release**.
+
+For enhancements that make changes to code or processes/procedures in core
+Kubernetes—i.e., [kubernetes/kubernetes], we require the following Release
+Signoff checklist to be completed.
+
+Check these off as they are completed for the Release Team to track. These
+checklist items _must_ be updated for the enhancement to be released.
+-->
+
+Items marked with (R) are required *prior to targeting to a milestone / release*.
+
+- [ ] (R) Enhancement issue in release milestone, which links to KEP dir in [kubernetes/enhancements] (not the initial KEP PR)
+- [ ] (R) KEP approvers have approved the KEP status as `implementable`
+- [ ] (R) Design details are appropriately documented
+- [ ] (R) Test plan is in place, giving consideration to SIG Architecture and SIG Testing input (including test refactors)
+  - [ ] e2e Tests for all Beta API Operations (endpoints)
+  - [ ] (R) Ensure GA e2e tests for meet requirements for [Conformance Tests](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/conformance-tests.md) 
+  - [ ] (R) Minimum Two Week Window for GA e2e tests to prove flake free
+- [ ] (R) Graduation criteria is in place
+  - [ ] (R) [all GA Endpoints](https://github.com/kubernetes/community/pull/1806) must be hit by [Conformance Tests](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/conformance-tests.md) 
+- [ ] (R) Production readiness review completed
+- [ ] (R) Production readiness review approved
+- [ ] "Implementation History" section is up-to-date for milestone
+- [ ] User-facing documentation has been created in [kubernetes/website], for publication to [kubernetes.io]
+- [ ] Supporting documentation—e.g., additional design documents, links to mailing list discussions/SIG meetings, relevant PRs/issues, release notes
+
+<!--
+**Note:** This checklist is iterative and should be reviewed and updated every time this enhancement is being considered for a milestone.
+-->
+
+[kubernetes.io]: https://kubernetes.io/
+[kubernetes/enhancements]: https://git.k8s.io/enhancements
+[kubernetes/kubernetes]: https://git.k8s.io/kubernetes
+[kubernetes/website]: https://git.k8s.io/website
+
+## Summary
+
+New beta APIs will not be enabled in clusters by default.
+Existing beta APIs and new versions of existing beta APIs, will continue to be enabled by default: 
+if v1beta.some.group is currently enabled by default and we create v1beta2.some.group, v1beta2.some.group will still be enabled by default.
+
+## Motivation
+
+Beta APIs are not considered stable and reliance upon APIs in this state leads to exposure to bugs,
+guaranteed migration pain for users when the APIs move to stable, and the risk that dependencies will
+grow around unfinished APIs.
+Enabling beta APIs by default, exacerbates these problems by making them on in nearly every cluster.
+We observed these problems as we removed long-standing beta APIs and the PRR survey tells us that over
+90% of production clusters leave these APIs enabled.
+Unsuitability for production use is documented at https://kubernetes.io/docs/reference/using-api/#api-versioning 
+("The software is not recommended for production uses"), but defaulting on means they are present in nearly every 
+production cluster.
+By disabling beta APIs by default, a cluster-admin can opt-in for specific APIs without having every
+incomplete API present in the cluster.
+
+### Goals
+
+1. Disable new beta APIs by default.
+2. Continue enabling existing beta APIs and new version of existing beta APIs by default:
+   if v1beta.some.group is currently enabled by default and we create v1beta2.some.group, v1beta2.some.group will still be enabled by default.
+3. Allow enabling specific resources in beta.  Enable coolnewjobtype.v1beta1.batch.k8s.io without enabling other-neat-job.v1beta1.batch.k8s.io
+
+### Non-Goals
+
+1. Change featuregate defaults.
+
+## Proposal
+
+New beta APIs will be placed into the `DisableVersions` stanza instead of the `EnableVersions` stanza (see [DefaultAPIResourceConfigSource](https://github.com/kubernetes/kubernetes/blob/0669da445fa8c1ae07c15c0827f0e83da11cbe58/pkg/controlplane/instance.go#L643)).
+The `--runtime-config` flag will be extended to allow `group/version/resource=true`, to enable specific resources.
+To enable a beta API, a cluster-admin will have to add the appropriate `--runtime-config` flags.
+
+### User Stories (Optional)
+
+#### Story 1
+
+As a cluster-admin I want to enable the coolnewjobtype.v1beta1.batch.k8s.io API in my cluster.
+
+To do this I call `kube-apiserver --runtime-config=batch.k8s.io/v1beta1/coolnewjobtype`.
+
+#### Story 2
+
+As a cluster-admin I want to enable all beta APIs as in past releases.
+
+To do this I call `kube-apiserver --runtime-config=api/beta=true`.
+This already exists and will continue to function.
+
+
+### Notes/Constraints/Caveats (Optional)
+
+### Risks and Mitigations
+
+Adoption of beta features will slow.
+Given how kubernetes is now treated, this is a good thing, not a bad thing.
+Those users that want to move quickly and get new features can do so by enabling all beta feature
+or just enabling those that are important for their workload.
+The [PRR survey](https://datastudio.google.com/reporting/2e9c7439-202b-48a9-8c57-4459e0d69c8d/page/Cv5HB) shows that 
+over 30% of production clusters have alpha features enabled, so clsuter-admins are willing and able to enable features
+that are not on by default when they are desired.
+
+## Design Details
+
+<!--
+This section should contain enough information that the specifics of your
+change are understandable. This may include API specs (though not always
+required) or even code snippets. If there's any ambiguity about HOW your
+proposal will be implemented, this is the place to discuss them.
+-->
+
+### Test Plan
+
+Integration tests will be written to ensure that no new beta APIs are enabled in the kube-apiserver by default.
+Unit tests will be written to ensure that the new flag functionality works as expected.
+
+### Graduation Criteria
+
+This KEP is a policy KEP, not a feature KEP.  It will start as GA.
+
+#### GA
+
+- Integration and unit tests from above.
+- updating the enablement docs for beta
+  - https://kubernetes.io/docs/reference/using-api/#api-versioning
+  - https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/#using-a-feature 
+    Even though that is talking about feature gates, it is likely worth calling out there that new beta REST APIs are no
+    longer enabled by default)
+
+### Upgrade / Downgrade Strategy
+
+The additional command line flag format for `--runtime-config` will not be recognized on older levels of kubernetes.
+This means that when downgrading, cluster-admins will have to adjust their CLI arguments if they opted into a new beta API.
+This is congruent to flag handling for new features today.
+Because this only impacts new beta APIs, there is no behavior change for existing APIs on upgrade.
+
+### Version Skew Strategy
+
+Because this only impacts new beta APIs, there is no novel skew risk.
+
+## Production Readiness Review Questionnaire
+
+Not applicable because this is a policy KEP.
+
+## Implementation History
+
+<!--
+Major milestones in the lifecycle of a KEP should be tracked in this section.
+Major milestones might include:
+- the `Summary` and `Motivation` sections being merged, signaling SIG acceptance
+- the `Proposal` section being merged, signaling agreement on a proposed design
+- the date implementation started
+- the first Kubernetes release where an initial version of the KEP was available
+- the version of Kubernetes where the KEP graduated to general availability
+- when the KEP was retired or superseded
+-->
+
+## Drawbacks
+
+<!--
+Why should this KEP _not_ be implemented?
+-->
+
+## Alternatives
+
+<!--
+What other approaches did you consider, and why did you rule them out? These do
+not need to be as detailed as the proposal, but should include enough
+information to express the idea and why it was not acceptable.
+-->
+
+## Infrastructure Needed (Optional)
+
+<!--
+Use this section if you need things from the project/SIG. Examples include a
+new subproject, repos requested, or GitHub details. Listing these here allows a
+SIG to get the process for these resources started right away.
+-->
diff --git a/keps/sig-architecture/3136-beta-off-by-default/kep.yaml b/keps/sig-architecture/3136-beta-apis-off-by-default/kep.yaml
similarity index 100%
rename from keps/sig-architecture/3136-beta-off-by-default/kep.yaml
rename to keps/sig-architecture/3136-beta-apis-off-by-default/kep.yaml
diff --git a/keps/sig-architecture/3136-beta-off-by-default/README.md b/keps/sig-architecture/3136-beta-off-by-default/README.md
deleted file mode 100644
index c84541af3c7..00000000000
--- a/keps/sig-architecture/3136-beta-off-by-default/README.md
+++ /dev/null
@@ -1,585 +0,0 @@
-<!--
-**Note:** When your KEP is complete, all of these comment blocks should be removed.
-
-To get started with this template:
-
-- [ ] **Pick a hosting SIG.**
-  Make sure that the problem space is something the SIG is interested in taking
-  up. KEPs should not be checked in without a sponsoring SIG.
-- [ ] **Create an issue in kubernetes/enhancements**
-  When filing an enhancement tracking issue, please make sure to complete all
-  fields in that template. One of the fields asks for a link to the KEP. You
-  can leave that blank until this KEP is filed, and then go back to the
-  enhancement and add the link.
-- [ ] **Make a copy of this template directory.**
-  Copy this template into the owning SIG's directory and name it
-  `NNNN-short-descriptive-title`, where `NNNN` is the issue number (with no
-  leading-zero padding) assigned to your enhancement above.
-- [ ] **Fill out as much of the kep.yaml file as you can.**
-  At minimum, you should fill in the "Title", "Authors", "Owning-sig",
-  "Status", and date-related fields.
-- [ ] **Fill out this file as best you can.**
-  At minimum, you should fill in the "Summary" and "Motivation" sections.
-  These should be easy if you've preflighted the idea of the KEP with the
-  appropriate SIG(s).
-- [ ] **Create a PR for this KEP.**
-  Assign it to people in the SIG who are sponsoring this process.
-- [ ] **Merge early and iterate.**
-  Avoid getting hung up on specific details and instead aim to get the goals of
-  the KEP clarified and merged quickly. The best way to do this is to just
-  start with the high-level sections and fill out details incrementally in
-  subsequent PRs.
-
-Just because a KEP is merged does not mean it is complete or approved. Any KEP
-marked as `provisional` is a working document and subject to change. You can
-denote sections that are under active debate as follows:
-
-```
-<<[UNRESOLVED optional short context or usernames ]>>
-Stuff that is being argued.
-<<[/UNRESOLVED]>>
-```
-
-When editing KEPS, aim for tightly-scoped, single-topic PRs to keep discussions
-focused. If you disagree with what is already in a document, open a new PR
-with suggested changes.
-
-One KEP corresponds to one "feature" or "enhancement" for its whole lifecycle.
-You do not need a new KEP to move from beta to GA, for example. If
-new details emerge that belong in the KEP, edit the KEP. Once a feature has become
-"implemented", major changes should get new KEPs.
-
-The canonical place for the latest set of instructions (and the likely source
-of this file) is [here](/keps/NNNN-kep-template/README.md).
-
-**Note:** Any PRs to move a KEP to `implementable`, or significant changes once
-it is marked `implementable`, must be approved by each of the KEP approvers.
-If none of those approvers are still appropriate, then changes to that list
-should be approved by the remaining approvers and/or the owning SIG (or
-SIG Architecture for cross-cutting KEPs).
--->
-# KEP-3136: Beta APIs Are Off by Default
-
-<!--
-This is the title of your KEP. Keep it short, simple, and descriptive. A good
-title can help communicate what the KEP is and should be considered as part of
-any review.
--->
-
-<!--
-A table of contents is helpful for quickly jumping to sections of a KEP and for
-highlighting any additional information provided beyond the standard KEP
-template.
-
-Ensure the TOC is wrapped with
-  <code>&lt;!-- toc --&rt;&lt;!-- /toc --&rt;</code>
-tags, and then generate with `hack/update-toc.sh`.
--->
-
-<!-- toc -->
-- [Release Signoff Checklist](#release-signoff-checklist)
-- [Summary](#summary)
-- [Motivation](#motivation)
-  - [Goals](#goals)
-  - [Non-Goals](#non-goals)
-- [Proposal](#proposal)
-  - [User Stories (Optional)](#user-stories-optional)
-    - [Story 1](#story-1)
-    - [Story 2](#story-2)
-  - [Notes/Constraints/Caveats (Optional)](#notesconstraintscaveats-optional)
-  - [Risks and Mitigations](#risks-and-mitigations)
-- [Design Details](#design-details)
-  - [Test Plan](#test-plan)
-  - [Graduation Criteria](#graduation-criteria)
-  - [Upgrade / Downgrade Strategy](#upgrade--downgrade-strategy)
-  - [Version Skew Strategy](#version-skew-strategy)
-- [Production Readiness Review Questionnaire](#production-readiness-review-questionnaire)
-  - [Feature Enablement and Rollback](#feature-enablement-and-rollback)
-  - [Rollout, Upgrade and Rollback Planning](#rollout-upgrade-and-rollback-planning)
-  - [Monitoring Requirements](#monitoring-requirements)
-  - [Dependencies](#dependencies)
-  - [Scalability](#scalability)
-  - [Troubleshooting](#troubleshooting)
-- [Implementation History](#implementation-history)
-- [Drawbacks](#drawbacks)
-- [Alternatives](#alternatives)
-- [Infrastructure Needed (Optional)](#infrastructure-needed-optional)
-<!-- /toc -->
-
-## Release Signoff Checklist
-
-<!--
-**ACTION REQUIRED:** In order to merge code into a release, there must be an
-issue in [kubernetes/enhancements] referencing this KEP and targeting a release
-milestone **before the [Enhancement Freeze](https://git.k8s.io/sig-release/releases)
-of the targeted release**.
-
-For enhancements that make changes to code or processes/procedures in core
-Kubernetes—i.e., [kubernetes/kubernetes], we require the following Release
-Signoff checklist to be completed.
-
-Check these off as they are completed for the Release Team to track. These
-checklist items _must_ be updated for the enhancement to be released.
--->
-
-Items marked with (R) are required *prior to targeting to a milestone / release*.
-
-- [ ] (R) Enhancement issue in release milestone, which links to KEP dir in [kubernetes/enhancements] (not the initial KEP PR)
-- [ ] (R) KEP approvers have approved the KEP status as `implementable`
-- [ ] (R) Design details are appropriately documented
-- [ ] (R) Test plan is in place, giving consideration to SIG Architecture and SIG Testing input (including test refactors)
-  - [ ] e2e Tests for all Beta API Operations (endpoints)
-  - [ ] (R) Ensure GA e2e tests for meet requirements for [Conformance Tests](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/conformance-tests.md) 
-  - [ ] (R) Minimum Two Week Window for GA e2e tests to prove flake free
-- [ ] (R) Graduation criteria is in place
-  - [ ] (R) [all GA Endpoints](https://github.com/kubernetes/community/pull/1806) must be hit by [Conformance Tests](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/conformance-tests.md) 
-- [ ] (R) Production readiness review completed
-- [ ] (R) Production readiness review approved
-- [ ] "Implementation History" section is up-to-date for milestone
-- [ ] User-facing documentation has been created in [kubernetes/website], for publication to [kubernetes.io]
-- [ ] Supporting documentation—e.g., additional design documents, links to mailing list discussions/SIG meetings, relevant PRs/issues, release notes
-
-<!--
-**Note:** This checklist is iterative and should be reviewed and updated every time this enhancement is being considered for a milestone.
--->
-
-[kubernetes.io]: https://kubernetes.io/
-[kubernetes/enhancements]: https://git.k8s.io/enhancements
-[kubernetes/kubernetes]: https://git.k8s.io/kubernetes
-[kubernetes/website]: https://git.k8s.io/website
-
-## Summary
-
-New beta APIs will not be enabled in clusters by default.
-Existing beta APIs and new versions of existing beta APIs, will continue to be enabled by default.
-
-## Motivation
-
-Beta APIs are not considered stable and reliance upon APIs in this state leads to exposure to bugs,
-guaranteed migration pain for users when the APIs move to stable, and the risk that dependencies will
-grow around unfinished APIs.
-Enabling beta APIs by default, exacerbates these problems by making them on in nearly every cluster.
-We observed these problems as we removed long-standing beta APIs and the PRR survey tells us that over
-90% of production clusters leave these APIs enabled.
-By disabling beta APIs by default, a cluster-admin can opt-in for specific APIs without having every
-incomplete API present in the cluster.
-
-### Goals
-
-1. Disable new beta APIs by default.
-2. Continue enabling existing beta APIs and new version of existing beta APIs by default.
-3. Allow enabling specific resources in beta.  Enable cronjob.v1beta1.batch.k8s.io without enabling other-cool-job.v1beta1.batch.k8s.io
-
-### Non-Goals
-
-1. Change featuregate defaults.
-
-## Proposal
-
-New beta APIs will be placed into the `DisableVersions` stanza instead of the `EnableVersions` stanza (see [DefaultAPIResourceConfigSource](https://github.com/kubernetes/kubernetes/blob/0669da445fa8c1ae07c15c0827f0e83da11cbe58/pkg/controlplane/instance.go#L643)).
-The `--runtime-config` flag will be extended to allow `group/version/resource=true`, to enable specific resources.
-To enable a beta API, a cluster-admin will have to add the appropriate `--runtime-config` flags.
-
-### User Stories (Optional)
-
-#### Story 1
-
-As a cluster-admin I want to enable the cronjob.v1beta1.batch.k8s.io API in my cluster.
-
-To do this I call `kube-apiserver --runtime-config=batch.k8s.io/v1beta1/cronjob`.
-
-#### Story 1
-
-As a cluster-admin I want to enable all beta APIs as in past releases.
-
-To do this I call `kube-apiserver --runtime-config=api/beta=true`.
-
-
-### Notes/Constraints/Caveats (Optional)
-
-### Risks and Mitigations
-
-Adoption of beta features will slow.
-Given how kubernetes is now treated, this is a good thing, not a bad thing.
-Those users that want to move quickly and get new features can do so by enabling all beta feature
-or just enabling those that are important for their workload.
-
-## Design Details
-
-<!--
-This section should contain enough information that the specifics of your
-change are understandable. This may include API specs (though not always
-required) or even code snippets. If there's any ambiguity about HOW your
-proposal will be implemented, this is the place to discuss them.
--->
-
-### Test Plan
-
-Integration tests will be written to ensure that no new beta APIs are enabled in the kube-apiserver by default.
-Unit tests will be written to ensure that the new flag functionality works as expected.
-
-### Graduation Criteria
-
-This KEP is a policy KEP, not a feature KEP.  It will start  as GA.
-
-#### GA
-
-- Integration and unit tests from above.
-
-### Upgrade / Downgrade Strategy
-
-The additional command line flag format for `--runtime-config` will not be recognized on older levels of kubernetes.
-This means that when downgrading, cluster-admins will have to adjust their CLI arguments if they opted into a new beta API.
-This is congruent to flag handling for new features today.
-Because this only impacts new beta APIs, there is no behavior change for existing APIs on upgrade.
-
-### Version Skew Strategy
-
-Because this only impacts new beta APIs, there is no novel skew risk.
-
-## Production Readiness Review Questionnaire
-
-Not applicable.
-
-<!--
-
-Production readiness reviews are intended to ensure that features merging into
-Kubernetes are observable, scalable and supportable; can be safely operated in
-production environments, and can be disabled or rolled back in the event they
-cause increased failures in production. See more in the PRR KEP at
-https://git.k8s.io/enhancements/keps/sig-architecture/1194-prod-readiness.
-
-The production readiness review questionnaire must be completed and approved
-for the KEP to move to `implementable` status and be included in the release.
-
-In some cases, the questions below should also have answers in `kep.yaml`. This
-is to enable automation to verify the presence of the review, and to reduce review
-burden and latency.
-
-The KEP must have a approver from the
-[`prod-readiness-approvers`](http://git.k8s.io/enhancements/OWNERS_ALIASES)
-team. Please reach out on the
-[#prod-readiness](https://kubernetes.slack.com/archives/CPNHUMN74) channel if
-you need any help or guidance.
--->
-
-### Feature Enablement and Rollback
-
-<!--
-This section must be completed when targeting alpha to a release.
--->
-
-###### How can this feature be enabled / disabled in a live cluster?
-
-<!--
-Pick one of these and delete the rest.
--->
-
-- [ ] Feature gate (also fill in values in `kep.yaml`)
-  - Feature gate name:
-  - Components depending on the feature gate:
-- [ ] Other
-  - Describe the mechanism:
-  - Will enabling / disabling the feature require downtime of the control
-    plane?
-  - Will enabling / disabling the feature require downtime or reprovisioning
-    of a node? (Do not assume `Dynamic Kubelet Config` feature is enabled).
-
-###### Does enabling the feature change any default behavior?
-
-<!--
-Any change of default behavior may be surprising to users or break existing
-automations, so be extremely careful here.
--->
-
-###### Can the feature be disabled once it has been enabled (i.e. can we roll back the enablement)?
-
-<!--
-Describe the consequences on existing workloads (e.g., if this is a runtime
-feature, can it break the existing applications?).
-
-NOTE: Also set `disable-supported` to `true` or `false` in `kep.yaml`.
--->
-
-###### What happens if we reenable the feature if it was previously rolled back?
-
-###### Are there any tests for feature enablement/disablement?
-
-<!--
-The e2e framework does not currently support enabling or disabling feature
-gates. However, unit tests in each component dealing with managing data, created
-with and without the feature, are necessary. At the very least, think about
-conversion tests if API types are being modified.
--->
-
-### Rollout, Upgrade and Rollback Planning
-
-<!--
-This section must be completed when targeting beta to a release.
--->
-
-###### How can a rollout or rollback fail? Can it impact already running workloads?
-
-<!--
-Try to be as paranoid as possible - e.g., what if some components will restart
-mid-rollout?
-
-Be sure to consider highly-available clusters, where, for example,
-feature flags will be enabled on some API servers and not others during the
-rollout. Similarly, consider large clusters and how enablement/disablement
-will rollout across nodes.
--->
-
-###### What specific metrics should inform a rollback?
-
-<!--
-What signals should users be paying attention to when the feature is young
-that might indicate a serious problem?
--->
-
-###### Were upgrade and rollback tested? Was the upgrade->downgrade->upgrade path tested?
-
-<!--
-Describe manual testing that was done and the outcomes.
-Longer term, we may want to require automated upgrade/rollback tests, but we
-are missing a bunch of machinery and tooling and can't do that now.
--->
-
-###### Is the rollout accompanied by any deprecations and/or removals of features, APIs, fields of API types, flags, etc.?
-
-<!--
-Even if applying deprecation policies, they may still surprise some users.
--->
-
-### Monitoring Requirements
-
-<!--
-This section must be completed when targeting beta to a release.
--->
-
-###### How can an operator determine if the feature is in use by workloads?
-
-<!--
-Ideally, this should be a metric. Operations against the Kubernetes API (e.g.,
-checking if there are objects with field X set) may be a last resort. Avoid
-logs or events for this purpose.
--->
-
-###### How can someone using this feature know that it is working for their instance?
-
-<!--
-For instance, if this is a pod-related feature, it should be possible to determine if the feature is functioning properly
-for each individual pod.
-Pick one more of these and delete the rest.
-Please describe all items visible to end users below with sufficient detail so that they can verify correct enablement
-and operation of this feature.
-Recall that end users cannot usually observe component logs or access metrics.
--->
-
-- [ ] Events
-  - Event Reason: 
-- [ ] API .status
-  - Condition name: 
-  - Other field: 
-- [ ] Other (treat as last resort)
-  - Details:
-
-###### What are the reasonable SLOs (Service Level Objectives) for the enhancement?
-
-<!--
-This is your opportunity to define what "normal" quality of service looks like
-for a feature.
-
-It's impossible to provide comprehensive guidance, but at the very
-high level (needs more precise definitions) those may be things like:
-  - per-day percentage of API calls finishing with 5XX errors <= 1%
-  - 99% percentile over day of absolute value from (job creation time minus expected
-    job creation time) for cron job <= 10%
-  - 99.9% of /health requests per day finish with 200 code
-
-These goals will help you determine what you need to measure (SLIs) in the next
-question.
--->
-
-###### What are the SLIs (Service Level Indicators) an operator can use to determine the health of the service?
-
-<!--
-Pick one more of these and delete the rest.
--->
-
-- [ ] Metrics
-  - Metric name:
-  - [Optional] Aggregation method:
-  - Components exposing the metric:
-- [ ] Other (treat as last resort)
-  - Details:
-
-###### Are there any missing metrics that would be useful to have to improve observability of this feature?
-
-<!--
-Describe the metrics themselves and the reasons why they weren't added (e.g., cost,
-implementation difficulties, etc.).
--->
-
-### Dependencies
-
-<!--
-This section must be completed when targeting beta to a release.
--->
-
-###### Does this feature depend on any specific services running in the cluster?
-
-<!--
-Think about both cluster-level services (e.g. metrics-server) as well
-as node-level agents (e.g. specific version of CRI). Focus on external or
-optional services that are needed. For example, if this feature depends on
-a cloud provider API, or upon an external software-defined storage or network
-control plane.
-
-For each of these, fill in the following—thinking about running existing user workloads
-and creating new ones, as well as about cluster-level services (e.g. DNS):
-  - [Dependency name]
-    - Usage description:
-      - Impact of its outage on the feature:
-      - Impact of its degraded performance or high-error rates on the feature:
--->
-
-### Scalability
-
-<!--
-For alpha, this section is encouraged: reviewers should consider these questions
-and attempt to answer them.
-
-For beta, this section is required: reviewers must answer these questions.
-
-For GA, this section is required: approvers should be able to confirm the
-previous answers based on experience in the field.
--->
-
-###### Will enabling / using this feature result in any new API calls?
-
-<!--
-Describe them, providing:
-  - API call type (e.g. PATCH pods)
-  - estimated throughput
-  - originating component(s) (e.g. Kubelet, Feature-X-controller)
-Focusing mostly on:
-  - components listing and/or watching resources they didn't before
-  - API calls that may be triggered by changes of some Kubernetes resources
-    (e.g. update of object X triggers new updates of object Y)
-  - periodic API calls to reconcile state (e.g. periodic fetching state,
-    heartbeats, leader election, etc.)
--->
-
-###### Will enabling / using this feature result in introducing new API types?
-
-<!--
-Describe them, providing:
-  - API type
-  - Supported number of objects per cluster
-  - Supported number of objects per namespace (for namespace-scoped objects)
--->
-
-###### Will enabling / using this feature result in any new calls to the cloud provider?
-
-<!--
-Describe them, providing:
-  - Which API(s):
-  - Estimated increase:
--->
-
-###### Will enabling / using this feature result in increasing size or count of the existing API objects?
-
-<!--
-Describe them, providing:
-  - API type(s):
-  - Estimated increase in size: (e.g., new annotation of size 32B)
-  - Estimated amount of new objects: (e.g., new Object X for every existing Pod)
--->
-
-###### Will enabling / using this feature result in increasing time taken by any operations covered by existing SLIs/SLOs?
-
-<!--
-Look at the [existing SLIs/SLOs].
-
-Think about adding additional work or introducing new steps in between
-(e.g. need to do X to start a container), etc. Please describe the details.
-
-[existing SLIs/SLOs]: https://git.k8s.io/community/sig-scalability/slos/slos.md#kubernetes-slisslos
--->
-
-###### Will enabling / using this feature result in non-negligible increase of resource usage (CPU, RAM, disk, IO, ...) in any components?
-
-<!--
-Things to keep in mind include: additional in-memory state, additional
-non-trivial computations, excessive access to disks (including increased log
-volume), significant amount of data sent and/or received over network, etc.
-This through this both in small and large cases, again with respect to the
-[supported limits].
-
-[supported limits]: https://git.k8s.io/community//sig-scalability/configs-and-limits/thresholds.md
--->
-
-### Troubleshooting
-
-<!--
-This section must be completed when targeting beta to a release.
-
-The Troubleshooting section currently serves the `Playbook` role. We may consider
-splitting it into a dedicated `Playbook` document (potentially with some monitoring
-details). For now, we leave it here.
--->
-
-###### How does this feature react if the API server and/or etcd is unavailable?
-
-###### What are other known failure modes?
-
-<!--
-For each of them, fill in the following information by copying the below template:
-  - [Failure mode brief description]
-    - Detection: How can it be detected via metrics? Stated another way:
-      how can an operator troubleshoot without logging into a master or worker node?
-    - Mitigations: What can be done to stop the bleeding, especially for already
-      running user workloads?
-    - Diagnostics: What are the useful log messages and their required logging
-      levels that could help debug the issue?
-      Not required until feature graduated to beta.
-    - Testing: Are there any tests for failure mode? If not, describe why.
--->
-
-###### What steps should be taken if SLOs are not being met to determine the problem?
-
-## Implementation History
-
-<!--
-Major milestones in the lifecycle of a KEP should be tracked in this section.
-Major milestones might include:
-- the `Summary` and `Motivation` sections being merged, signaling SIG acceptance
-- the `Proposal` section being merged, signaling agreement on a proposed design
-- the date implementation started
-- the first Kubernetes release where an initial version of the KEP was available
-- the version of Kubernetes where the KEP graduated to general availability
-- when the KEP was retired or superseded
--->
-
-## Drawbacks
-
-<!--
-Why should this KEP _not_ be implemented?
--->
-
-## Alternatives
-
-<!--
-What other approaches did you consider, and why did you rule them out? These do
-not need to be as detailed as the proposal, but should include enough
-information to express the idea and why it was not acceptable.
--->
-
-## Infrastructure Needed (Optional)
-
-<!--
-Use this section if you need things from the project/SIG. Examples include a
-new subproject, repos requested, or GitHub details. Listing these here allows a
-SIG to get the process for these resources started right away.
--->

From c99f1042504745d0895e58128c93926db4c9e07b Mon Sep 17 00:00:00 2001
From: David Eads <deads@redhat.com>
Date: Thu, 20 Jan 2022 15:35:47 -0500
Subject: [PATCH 3/6] add additional GA criteria for beta off by default

---
 .../3136-beta-apis-off-by-default/README.md              | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/keps/sig-architecture/3136-beta-apis-off-by-default/README.md b/keps/sig-architecture/3136-beta-apis-off-by-default/README.md
index ecaeaa93c79..fef640e48f6 100644
--- a/keps/sig-architecture/3136-beta-apis-off-by-default/README.md
+++ b/keps/sig-architecture/3136-beta-apis-off-by-default/README.md
@@ -205,9 +205,13 @@ Given how kubernetes is now treated, this is a good thing, not a bad thing.
 Those users that want to move quickly and get new features can do so by enabling all beta feature
 or just enabling those that are important for their workload.
 The [PRR survey](https://datastudio.google.com/reporting/2e9c7439-202b-48a9-8c57-4459e0d69c8d/page/Cv5HB) shows that 
-over 30% of production clusters have alpha features enabled, so clsuter-admins are willing and able to enable features
+over 30% of production clusters have alpha features enabled, so cluster-admins are willing and able to enable features
 that are not on by default when they are desired.
 
+If two or more APIs are tightly coupled together, it will now be possible to enable them independently.
+This can lead to unanticipated failure modes, but should only impact beta APIs with beta dependencies.
+While this is a risk, it is not very common and components should fail safe as a general principle.
+
 ## Design Details
 
 <!--
@@ -234,6 +238,9 @@ This KEP is a policy KEP, not a feature KEP.  It will start as GA.
   - https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/#using-a-feature 
     Even though that is talking about feature gates, it is likely worth calling out there that new beta REST APIs are no
     longer enabled by default)
+- email to dev@kubernetes.io to explain the new policy
+- blog post explaining change in time for 1.24 release
+- CI configuration updated to have a testing mode that enables beta APIs, likely set using `kube-apiserver --runtime-config=api/beta=true`
 
 ### Upgrade / Downgrade Strategy
 

From 31b12d806c690a169c945d2db11473b1522ba2d1 Mon Sep 17 00:00:00 2001
From: David Eads <deads@redhat.com>
Date: Fri, 21 Jan 2022 15:52:35 -0500
Subject: [PATCH 4/6] more clarifications

---
 .../3136-beta-apis-off-by-default/README.md       | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/keps/sig-architecture/3136-beta-apis-off-by-default/README.md b/keps/sig-architecture/3136-beta-apis-off-by-default/README.md
index fef640e48f6..1cd3a9cde35 100644
--- a/keps/sig-architecture/3136-beta-apis-off-by-default/README.md
+++ b/keps/sig-architecture/3136-beta-apis-off-by-default/README.md
@@ -156,7 +156,7 @@ guaranteed migration pain for users when the APIs move to stable, and the risk t
 grow around unfinished APIs.
 Enabling beta APIs by default, exacerbates these problems by making them on in nearly every cluster.
 We observed these problems as we removed long-standing beta APIs and the PRR survey tells us that over
-90% of production clusters leave these APIs enabled.
+90% of cluster-admins leave production clusters with these APIs enabled.
 Unsuitability for production use is documented at https://kubernetes.io/docs/reference/using-api/#api-versioning 
 ("The software is not recommended for production uses"), but defaulting on means they are present in nearly every 
 production cluster.
@@ -198,6 +198,9 @@ This already exists and will continue to function.
 
 ### Notes/Constraints/Caveats (Optional)
 
+Installers, utilities, controllers, etc that need to know if a certain beta API is present can continue to use the
+existing discovery mechanisms (example: kubectl's api-resources sub command or the `/api/apps/v1` REST API).
+
 ### Risks and Mitigations
 
 Adoption of beta features will slow.
@@ -205,13 +208,21 @@ Given how kubernetes is now treated, this is a good thing, not a bad thing.
 Those users that want to move quickly and get new features can do so by enabling all beta feature
 or just enabling those that are important for their workload.
 The [PRR survey](https://datastudio.google.com/reporting/2e9c7439-202b-48a9-8c57-4459e0d69c8d/page/Cv5HB) shows that 
-over 30% of production clusters have alpha features enabled, so cluster-admins are willing and able to enable features
+over 30% of cluster-admins have enabled alpha features on at least some production clusters, so cluster-admins are willing and able to enable features
 that are not on by default when they are desired.
 
 If two or more APIs are tightly coupled together, it will now be possible to enable them independently.
 This can lead to unanticipated failure modes, but should only impact beta APIs with beta dependencies.
 While this is a risk, it is not very common and components should fail safe as a general principle.
 
+If beta APIs are off by default, it's possible that fewer clients will use them and provide feedback.
+This is a risk, but early adopters are able to enable these features and have a history of enabling alpha features.
+When moving from beta to GA, it will be important for sigs to explicitly seek feedback.
+
+If beta APIs are off by default, it is possible that sigs don't treat taking an API as an indication of a "mostly-baked" API.
+If this happens, then more transformation may be required.
+Keeping our beta API rules consistent and continuing to enforce easy to use APIs seems to be the best option.
+
 ## Design Details
 
 <!--

From ead3b897065b6b2b6b6a3a7238931aa8b0a0f7ba Mon Sep 17 00:00:00 2001
From: David Eads <deads@redhat.com>
Date: Fri, 28 Jan 2022 15:42:21 -0500
Subject: [PATCH 5/6] add clarifications about when beta APIs are off by
 default

---
 keps/sig-architecture/3136-beta-apis-off-by-default/README.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/keps/sig-architecture/3136-beta-apis-off-by-default/README.md b/keps/sig-architecture/3136-beta-apis-off-by-default/README.md
index 1cd3a9cde35..a14f2a8a10d 100644
--- a/keps/sig-architecture/3136-beta-apis-off-by-default/README.md
+++ b/keps/sig-architecture/3136-beta-apis-off-by-default/README.md
@@ -145,7 +145,7 @@ Items marked with (R) are required *prior to targeting to a milestone / release*
 
 ## Summary
 
-New beta APIs will not be enabled in clusters by default.
+From the Kubernetes release where this change is introduced, and onwards, beta APIs will not be enabled in clusters by default.
 Existing beta APIs and new versions of existing beta APIs, will continue to be enabled by default: 
 if v1beta.some.group is currently enabled by default and we create v1beta2.some.group, v1beta2.some.group will still be enabled by default.
 
@@ -162,6 +162,7 @@ Unsuitability for production use is documented at https://kubernetes.io/docs/ref
 production cluster.
 By disabling beta APIs by default, a cluster-admin can opt-in for specific APIs without having every
 incomplete API present in the cluster.
+This is now practical to do since conformance no longer relies on non-stable APIs.
 
 ### Goals
 

From f73839c34e6b0752d6bc4e1381954c2ecf8edbcc Mon Sep 17 00:00:00 2001
From: David Eads <deads@redhat.com>
Date: Tue, 1 Feb 2022 09:26:09 -0500
Subject: [PATCH 6/6] add beta-off-by-default criteria for adding to PRR
 questionaire

---
 .../3136-beta-apis-off-by-default/README.md               | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/keps/sig-architecture/3136-beta-apis-off-by-default/README.md b/keps/sig-architecture/3136-beta-apis-off-by-default/README.md
index a14f2a8a10d..c388fdc86e3 100644
--- a/keps/sig-architecture/3136-beta-apis-off-by-default/README.md
+++ b/keps/sig-architecture/3136-beta-apis-off-by-default/README.md
@@ -173,7 +173,10 @@ This is now practical to do since conformance no longer relies on non-stable API
 
 ### Non-Goals
 
-1. Change featuregate defaults.
+1. Change feature gate defaults.
+   Feature gates control new features (not just new APIs) and they are on by default for beta features.
+   This KEP is not changing the lifecycle flow for feature gates.
+   It is currently alpha=off-by-default, beta=on-by-default, stable=locked-to-on.
 
 ## Proposal
 
@@ -219,6 +222,8 @@ While this is a risk, it is not very common and components should fail safe as a
 If beta APIs are off by default, it's possible that fewer clients will use them and provide feedback.
 This is a risk, but early adopters are able to enable these features and have a history of enabling alpha features.
 When moving from beta to GA, it will be important for sigs to explicitly seek feedback.
+We will address this by extending the PRR questionnaire to include a GA-targeted question to validate that the feature
+was reasonably validated in production use-cases.
 
 If beta APIs are off by default, it is possible that sigs don't treat taking an API as an indication of a "mostly-baked" API.
 If this happens, then more transformation may be required.
@@ -253,6 +258,7 @@ This KEP is a policy KEP, not a feature KEP.  It will start as GA.
 - email to dev@kubernetes.io to explain the new policy
 - blog post explaining change in time for 1.24 release
 - CI configuration updated to have a testing mode that enables beta APIs, likely set using `kube-apiserver --runtime-config=api/beta=true`
+- extend the PRR questionnaire to include a GA-targeted question to validate that the feature was reasonably validated in production use-cases.
 
 ### Upgrade / Downgrade Strategy