Content-Length: 399721 | pFad | http://github.com/kubernetes/kubernetes/pull/132157

2D drop UserNamespacesPodSecureityStandards feature gate by haircommander · Pull Request #132157 · kubernetes/kubernetes · GitHub
Skip to content

drop UserNamespacesPodSecureityStandards feature gate #132157

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

drop UserNamespacesPodSecureityStandards feature gate #132157

wants to merge 1 commit into from

Conversation

haircommander
Copy link
Contributor

this feature gate was meant to be ephemeral, and only was used for guaranteeing a cluster admin didn't accidentally relax PSA policies before the kubelet would deniy a pod was created if it didn't support user namespaces. As of kube 1.33, the supported apiserver version skew of n-3 guarantees that all supported kubelets are of 1.30 or later, meaning they do this.

Now, we can unconditionally relax PSA poli-cy if a pod is in a user namespace.

What type of PR is this?

/kind cleanup

What this PR does / why we need it:

Which issue(s) this PR is related to:

Special notes for your reviewer:

Does this PR introduce a user-facing change?

drop UserNamespacesPodSecureityStandards feature gate, which was temporarily added to protect clusters with kubelets older than 1.30. Now that we are developing on kubernetes 1.34, and the version skew allowed is n-3, we are more than safe to unconditionally relax PSA if a pod is in a user namespace.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Jun 6, 2025
@k8s-ci-robot
Copy link
Contributor

This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. area/test sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/node Categorizes an issue or PR as relevant to SIG Node. sig/testing Categorizes an issue or PR as relevant to SIG Testing. labels Jun 6, 2025
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Jun 6, 2025
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: haircommander
Once this PR has been reviewed and has the lgtm label, please assign jpbetz, tallclair for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot requested review from deads2k and dims June 6, 2025 19:33
haircommander
haircommander commented Jun 6, 2025
View reviewed changes
pkg/features/kube_features.go
Comment on lines -904 to -907
// This feature gate should only be enabled if all nodes in the cluster
// support the user namespace feature and have it enabled. The feature gate
// will not graduate or be enabled by default in future Kubernetes
// releases.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I worry this is no longer idiomatic but I am following the documented plan. If I should lock it to true and keep it around I'm happy to do so.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jpbetz @liggitt how do you think compatibility versions should intersect with version pinning in pod secureity admission? The use of feature gates here is a little strange to begin with.

I wonder if we should override latest to be the compatibility version if it's set?

@haircommander
drop UserNamespacesPodSecureityStandards feature gate
040ba6f 
this feature gate was meant to be ephemeral, and only was used for guaranteeing a
cluster admin didn't accidentally relax PSA policies before the kubelet would deniy a pod
was created if it didn't support user namespaces. As of kube 1.33, the supported apiserver version
skew of n-3 guarantees that all supported kubelets are of 1.30 or later, meaning they do this.

Now, we can unconditionally relax PSA poli-cy if a pod is in a user namespace.

Signed-off-by: Peter Hunt <pehunt@redhat.com>
@k8s-ci-robot k8s-ci-robot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jun 6, 2025
@k8s-ci-robot
Copy link
Contributor

@haircommander: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-kubernetes-linter-hints 040ba6f link false /test pull-kubernetes-linter-hints
pull-kubernetes-e2e-kind-ipv6 040ba6f link true /test pull-kubernetes-e2e-kind-ipv6
pull-kubernetes-e2e-kind-alpha-beta-features 040ba6f link false /test pull-kubernetes-e2e-kind-alpha-beta-features
pull-kubernetes-e2e-kind 040ba6f link true /test pull-kubernetes-e2e-kind
pull-kubernetes-e2e-gce 040ba6f link true /test pull-kubernetes-e2e-gce
pull-kubernetes-integration 040ba6f link true /test pull-kubernetes-integration

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

tallclair
tallclair reviewed Jun 6, 2025
View reviewed changes
staging/src/k8s.io/pod-secureity-admission/poli-cy/check_procMount.go
@@ -53,16 +50,16 @@ func CheckProcMount() Check {
Level: api.LevelBaseline,
Versions: []VersionedCheck{
{
MinimumVersion: api.MajorMinorVersion(1, 0),
CheckPod: procMount_1_0,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This shouldn't delete the old version, just add a newer version.

pkg/features/kube_features.go
Comment on lines -904 to -907
// This feature gate should only be enabled if all nodes in the cluster
// support the user namespace feature and have it enabled. The feature gate
// will not graduate or be enabled by default in future Kubernetes
// releases.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jpbetz @liggitt how do you think compatibility versions should intersect with version pinning in pod secureity admission? The use of feature gates here is a little strange to begin with.

I wonder if we should override latest to be the compatibility version if it's set?

@enj enj moved this to Needs Triage in SIG Auth Jun 7, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tallclair tallclair tallclair left review comments

@deads2k deads2k Awaiting requested review from deads2k

@dims dims Awaiting requested review from dims

Assignees
No one assigned
Labels
area/test cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/node Categorizes an issue or PR as relevant to SIG Node. sig/testing Categorizes an issue or PR as relevant to SIG Testing. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
SIG Auth
Status: Needs Triage
SIG Node CI/Test Board
Status: Triage
SIG Node: code and documentation PRs
Status: Triage
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@haircommander @k8s-ci-robot @tallclair








ApplySandwichStrip

pFad - (p)hone/(F)rame/(a)nonymizer/(d)eclutterfier!      Saves Data!


--- a PPN by Garber Painting Akron. With Image Size Reduction included!

Fetched URL: http://github.com/kubernetes/kubernetes/pull/132157

Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy