[KEP-127] Add documentation about user namespaces and PSS #43803
Conversation
👷 Deploy Preview for kubernetes-io-vnext-staging processing.
|
k8s-ci-robot
added
the
cncf-cla: yes
k8s-ci-robot
added
the
size/S
k8s-ci-robot
added
language/en
|
/sig node |
k8s-ci-robot
added
the
sig/node
There was a problem hiding this comment.
Thanks.
This change is actually about Pod security admission, right?
I think we might want to make an associated change to https://kubernetes.io/docs/concepts/security/pod-security-standards/ to explain what the standards are. These standards are not behind a feature gate, even if our in-tree enforcement mechanism is.
content/en/docs/reference/command-line-tools-reference/feature-gates.md
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
I wonder if the change should really be made to https://kubernetes.io/docs/concepts/security/pod-security-admission/, and then have a small section in the user namespaces concept that links to the relevant part of the PSA docs.
There was a problem hiding this comment.
Do you mean pod security admission or pod security standards? That page you link doesn't seem related, but this one (about pod security standards) does: https://kubernetes.io/docs/concepts/security/pod-security-standards/
Can you explain why pod security admisions?
There was a problem hiding this comment.
Well, because that's where the feature gate has an effect.
Think about it like this: imagine we were adding support for TLS 1.3; we'd document that in our pages about configuring transport layer security and maybe around setting which TLS versions were supported. But we wouldn't propose an update to https://datatracker.ietf.org/doc/html/rfc8446
On the other hand, if someone does want to revise the TLS standard, they don't put the update to the standard behind a feature gate. But they might have a feature gate to - eg - enable the RSASSA-PSS signature scheme.
I don't really understand how you feature gate a standard.
There was a problem hiding this comment.
Do you mean pod security admission or pod security standards? That page you link doesn't seem related, but this one (about pod security standards) does: https://kubernetes.io/docs/concepts/security/pod-security-standards/
Can you explain why pod security admisions?
content/en/docs/reference/command-line-tools-reference/feature-gates.md
Outdated
Show resolved
Hide resolved
rata
force-pushed
the
dev-1.29-user-namespaces-pss
branch
from
38b4d39 to
7eb729d
Compare
k8s-ci-robot
added
size/M
|
We don't (and IMO shouldn't) have a feature gate that controls Pod Security Standards. That wouldn't fit with what I think standards are. An analogy: the IEC-60320 standard (for electrical connectors) is one standard that a connector either complies with or not. If you turned on a toggle switch on some appliance, the cable you plug into it either would or wouldn't comply with the standard just the same. People will want to know what standard their Pod manifest complies with, and if we tell them the answer depends on the cluster where they run it, they might wonder why we (Kubernetes) took that approach. I've tried to build a mental model where the explanation in this PR makes sense, and I can't. I think we should change at least the explanation and possibly some of the meaning too. |
|
Well, the PR is merged and the KEP too, with all the approvals in place. I think we just need to document it. But if you feel strongly about it, I'll let you discuss it with @saschagrunert when he is back next week. He is the one doing all the work here, so he should be involved in the discussion. |
|
I am not sure that the So please, let's just stick to the fact that this PR is about adding documentation for an existing feature. |
|
I agree that we should focus on the docs within this PR rather than questioning the whole KEP. |
|
I see that https://github.com/kubernetes/enhancements/blob/fa647b424a0b11316e8e31274e50332b14434f9c/keps/sig-node/127-user-namespaces/README.md#pod-security-standards-pss-integration does say that the pod security standards will be gated. OK, we should document that. However, we'll need to make it really clear to users what this means. It doesn't make sense to me, and I'm confident I won't be the only puzzled person. If I get time, I will also PR an update to the KEP. |
sftim
dismissed
their stale review
It turns out the KEP also specifies the problematic framing
|
Hello @saschagrunert @onlydole @tengqm @rata @sftim 👋, Friendly reminder that the deadline to have docs merged is next Tuesday 28th November 2023. If this feature needs documentation and the docs are not ready, the feature may be removed from the milestone. Let me know if you have any questions. Thank you! |
There was a problem hiding this comment.
If folks are willing to make the changes I've proposed, that might be enough.
Should we also add explanatory text to https://kubernetes.io/docs/concepts/security/pod-security-standards/? I really think we should do, even for alpha.
content/en/docs/reference/command-line-tools-reference/feature-gates.md
Outdated
Show resolved
Hide resolved
saschagrunert
force-pushed
the
dev-1.29-user-namespaces-pss
branch
from
f3ede39 to
cf53f8c
Compare
Thanks! I incorporated the changes as suggested.
Can I follow-up on that? I assume linking back with a note would be enough, but having that as part of a separate PR would allow us more time. |
|
This isn't passing tests. LGTM though. |
Sure, I was also thinking a separate PR. |
Adding required documentation for [KEP-127](kubernetes/enhancements#127). Signed-off-by: Sascha Grunert <sgrunert@redhat.com> Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com> Co-authored-by: Tim Bannister <tim@scalefactory.com> Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
saschagrunert
force-pushed
the
dev-1.29-user-namespaces-pss
branch
from
cf53f8c to
4e156c7
Compare
Green now :) |
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: 5b846f798373c2dafd4c6013fc587ccb2c7643af
|
|
/assign @kbhawkey per #43803 (comment) |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: reylejano The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
| - `UserNamespacesPodSecurityStandards`: Enable Pod Security Standards policies relaxation for pods | ||
| that run with namespaces. You must set the value of this feature gate consistently across all nodes in | ||
| your cluster, and you must also enable `UserNamespacesSupport` to use this feature. | ||
| See [User Namespaces](/docs/concepts/workloads/pods/user-namespaces/#integration-with-pod-security-standards) for more details. |
There was a problem hiding this comment.
Oops. Should be:
- See [User Namespaces](/docs/concepts/workloads/pods/user-namespaces/#integration-with-pod-security-standards) for more details.
+ See [User Namespaces](/docs/concepts/workloads/pods/user-namespaces/#integration-with-pod-security-admission-checks) for more details.There was a problem hiding this comment.
Fixing in the follow-up PR.
Adding required documentation for KEP-127.
Supersedes #43437
cc @giuseppe @rata @mrunalp
Preview: https://deploy-preview-43803--kubernetes-io-vnext-staging.netlify.app/docs/concepts/workloads/pods/user-namespaces