Promote RunAsGroup to GA #94641

krmayankk · 2020-09-09T08:17:03Z

/kind feature

What this PR does / why we need it:

promote this feature to GA for 1.20 kubernetes/enhancements#213
API is unchanged

Which issue(s) this PR fixes:
Fixes #kubernetes/enhancements#213

Special notes for your reviewer:

The `RunAsGroup` feature has been promoted to GA in this release.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

krmayankk · 2020-09-09T08:17:27Z

/sig auth
/sig node

liggitt · 2020-09-09T13:44:48Z

pkg/features/kube_features.go

@@ -700,7 +700,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
 	CSIMigrationAzureFileComplete:  {Default: false, PreRelease: featuregate.Alpha},
 	CSIMigrationvSphere:            {Default: false, PreRelease: featuregate.Beta},
 	CSIMigrationvSphereComplete:    {Default: false, PreRelease: featuregate.Beta},
-	RunAsGroup:                     {Default: true, PreRelease: featuregate.Beta},
+	RunAsGroup:                     {Default: true, PreRelease: featuregate.GA},


when moving features to GA, we should:

set LockToDefault: true and add a comment tracking removal in 2 releases (1.22 in this case)

remove checks for .Enabled(features.RunAsGroup) (since it is locked to true)

ensure API docs no longer indicate it is a beta feature (I think this is already done for this field)

ensure e2e test coverage exists

liggitt · 2020-09-09T13:45:06Z

pkg/features/kube_features.go

@@ -249,7 +249,7 @@ const (
 	CRIContainerLogRotation featuregate.Feature = "CRIContainerLogRotation"

 	// owner: @krmayankk
-	// beta: v1.14
+	// ga: v1.20


leave the beta line as-is to make it easy to see the history, and add the GA line

SergeyKanzhelev · 2020-09-10T06:15:03Z

/cc @mrunalp

(Mrunal was interested to help with this in this doc: https://docs.google.com/document/d/1-NNfuFMh246_ujQpYBCldLQ9hmqEbukaa79Xe1WGwdQ/edit#)

pkg/security/podsecuritypolicy/factory.go

pkg/security/podsecuritypolicy/provider.go

mrunalp · 2020-09-22T17:09:58Z

👍

SergeyKanzhelev · 2020-12-16T00:59:59Z

@krmayankk as part of the GA process, can you please also help with the following:

Convert KEP into the new format with the kep.yaml file (example here: Runtime class GA enhancements#2071)
Request release managers to add milestone 1.21 to the KEP issue so it will be tracked by release team
Add notes to the description of this PR confirming that the graduation requirements were met (you may decide to accumulate results as a do like this: https://docs.google.com/document/d/17nROj6ayPsUpx09mhLrzOkRLgo-8sn6Vgfyy-gmyuo4/edit or any other alternative way like a list of PRs confirming that the graduation criteria was met).

LMK if you need some help with these. Thank you!

krmayankk · 2021-01-05T09:31:08Z

@krmayankk as part of the GA process, can you please also help with the following:

Convert KEP into the new format with the kep.yaml file (example here: kubernetes/enhancements#2071)

Request release managers to add milestone 1.21 to the KEP issue so it will be tracked by release team

Add notes to the description of this PR confirming that the graduation requirements were met (you may decide to accumulate results as a do like this: https://docs.google.com/document/d/17nROj6ayPsUpx09mhLrzOkRLgo-8sn6Vgfyy-gmyuo4/edit or any other alternative way like a list of PRs confirming that the graduation criteria was met).

LMK if you need some help with these. Thank you!

thanks will do

liggitt · 2021-01-22T16:14:34Z

is there an e2e test for this that should be promoted to a (Linux-only?) conformance test as part of this?

krmayankk · 2021-01-27T02:51:43Z

is there an e2e test for this that should be promoted to a (Linux-only?) conformance test as part of this?

i see these two e2e tests which are Linux-only and agree, they shouuld be part of conformance.
https://github.com/kubernetes/kubernetes/blob/master/test/e2e/node/security_context.go#L89
https://github.com/kubernetes/kubernetes/blob/master/test/e2e/node/security_context.go#L118

How do you make a test part of conformance @liggitt ?

krmayankk · 2021-01-27T02:52:28Z

/test pull-kubernetes-e2e-gce-ubuntu-containerd

krmayankk · 2021-02-01T03:45:24Z

is there an e2e test for this that should be promoted to a (Linux-only?) conformance test as part of this?

i see these two e2e tests which are Linux-only and agree, they shouuld be part of conformance.
https://github.com/kubernetes/kubernetes/blob/master/test/e2e/node/security_context.go#L89
https://github.com/kubernetes/kubernetes/blob/master/test/e2e/node/security_context.go#L118

How do you make a test part of conformance @liggitt ?

opened a PR to make RunAsGroup part of Conformance @liggitt @tallclair @BenTheElder FYI

#98645

krmayankk · 2021-02-10T05:44:08Z

the kep with prr just merged kubernetes/enhancements#1974 , can you take another look @liggitt @tallclair and tell me what else is needed. Also i have opened a PR for making these tests part of conformance, which will merge after this gets in

tallclair · 2021-02-17T01:07:34Z

pkg/features/kube_features.go

@@ -208,7 +208,8 @@ const (
 	CRIContainerLogRotation featuregate.Feature = "CRIContainerLogRotation"

 	// owner: @krmayankk
-	// beta: v1.14
+	// beta:  v1.14
+	// ga:    v1.22


Can we get this in v1.21?

the KEP is actually assigned to 1.21: kubernetes/enhancements#213

correct, do i just need to fix this item here to say ga: 1.21 ? Who owns reviewing this ?

Yes, it should say 1.21. Any feature approver can review this file.

ehashman · 2021-02-18T21:54:41Z

pkg/security/podsecuritypolicy/factory.go

@@ -51,11 +48,9 @@ func (f *simpleStrategyFactory) CreateStrategies(psp *policy.PodSecurityPolicy,
 	}

 	var groupStrat group.GroupStrategy
-	if utilfeature.DefaultFeatureGate.Enabled(features.RunAsGroup) {


Shouldn't we keep this until the feature flag is removed in 1.22?

This is example shows that it is not needed: #94140 Flag stays to make sure kubelet starts with this flag set

So no action required from me right ?

dims · 2021-02-19T12:12:13Z

/retest

dims · 2021-02-19T12:12:24Z

/approve

ehashman

/lgtm

ehashman · 2021-02-19T18:52:05Z

/retest

liggitt · 2021-02-19T19:08:08Z

/approve

k8s-ci-robot · 2021-02-19T19:08:39Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dims, krmayankk, liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~pkg/api/OWNERS~~ [liggitt]
~~pkg/features/OWNERS~~ [dims,liggitt]
~~pkg/security/podsecuritypolicy/OWNERS~~ [liggitt]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

k8s-ci-robot added sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/node Categorizes an issue or PR as relevant to SIG Node. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Sep 9, 2020

krmayankk mentioned this pull request Sep 9, 2020

Provide RunAsGroup feature for Containers in a Pod kubernetes/enhancements#213

Closed

5 tasks

k8s-ci-robot requested review from dims and smarterclayton September 9, 2020 08:17

liggitt reviewed Sep 9, 2020

View reviewed changes

k8s-ci-robot requested a review from mrunalp September 10, 2020 06:15

krmayankk force-pushed the runasg branch from 5b32c4b to 70431aa Compare September 11, 2020 00:43

k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Sep 11, 2020

krmayankk force-pushed the runasg branch from 70431aa to 35476bf Compare September 11, 2020 00:44

SergeyKanzhelev reviewed Sep 11, 2020

View reviewed changes

pkg/security/podsecuritypolicy/factory.go Show resolved Hide resolved

SergeyKanzhelev reviewed Sep 11, 2020

View reviewed changes

pkg/security/podsecuritypolicy/provider.go Show resolved Hide resolved

krmayankk force-pushed the runasg branch from 35476bf to 7b98a96 Compare September 12, 2020 04:20

krmayankk force-pushed the runasg branch 2 times, most recently from c151427 to ab0a3f0 Compare December 14, 2020 08:21

dims removed their request for review January 4, 2021 19:31

krmayankk force-pushed the runasg branch 2 times, most recently from 86845d8 to eec6e4f Compare January 22, 2021 08:23

krmayankk force-pushed the runasg branch 2 times, most recently from 7c692e1 to cef8ff4 Compare January 31, 2021 20:45

ehashman mentioned this pull request Feb 1, 2021

Promote RunAsGroup e2e test to Conformance #98645

Merged

kikisdeliveryservice moved this from Waiting on Author to Needs Reviewer in SIG Node PR Triage Feb 11, 2021

tallclair reviewed Feb 17, 2021

View reviewed changes

Promote RunAsGroup to GA

9a6f1e8

krmayankk force-pushed the runasg branch from cef8ff4 to 9a6f1e8 Compare February 18, 2021 21:33

ehashman suggested changes Feb 18, 2021

View reviewed changes

ehashman reviewed Feb 19, 2021

View reviewed changes

k8s-ci-robot assigned ehashman Feb 19, 2021

k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 19, 2021

ehashman moved this from Needs Reviewer to Needs Approver in SIG Node PR Triage Feb 19, 2021

k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 19, 2021

k8s-ci-robot merged commit 4d75279 into kubernetes:master Feb 19, 2021

SIG Node PR Triage automation moved this from Needs Approver to Done Feb 19, 2021

k8s-ci-robot added this to the v1.21 milestone Feb 19, 2021

carlory mentioned this pull request Apr 28, 2021

remove RunAsGroup feature gate #101581

Merged

aojea mentioned this pull request Feb 7, 2022

Promote load balancer class to GA #107979

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Promote RunAsGroup to GA #94641

Promote RunAsGroup to GA #94641

krmayankk commented Sep 9, 2020

krmayankk commented Sep 9, 2020

liggitt Sep 9, 2020 •

edited

liggitt Sep 9, 2020

SergeyKanzhelev commented Sep 10, 2020

mrunalp commented Sep 22, 2020

SergeyKanzhelev commented Dec 16, 2020

krmayankk commented Jan 5, 2021

liggitt commented Jan 22, 2021

krmayankk commented Jan 27, 2021 •

edited

krmayankk commented Jan 27, 2021

krmayankk commented Feb 1, 2021 •

edited

krmayankk commented Feb 10, 2021

tallclair Feb 17, 2021

SergeyKanzhelev Feb 17, 2021

krmayankk Feb 18, 2021

ehashman Feb 18, 2021

krmayankk Feb 18, 2021

ehashman Feb 18, 2021

SergeyKanzhelev Feb 18, 2021

krmayankk Feb 19, 2021

dims commented Feb 19, 2021

dims commented Feb 19, 2021

ehashman left a comment

ehashman commented Feb 19, 2021

liggitt commented Feb 19, 2021

k8s-ci-robot commented Feb 19, 2021

Promote RunAsGroup to GA #94641

Promote RunAsGroup to GA #94641

Conversation

krmayankk commented Sep 9, 2020

krmayankk commented Sep 9, 2020

liggitt Sep 9, 2020 • edited

Choose a reason for hiding this comment

Choose a reason for hiding this comment

SergeyKanzhelev commented Sep 10, 2020

mrunalp commented Sep 22, 2020

SergeyKanzhelev commented Dec 16, 2020

krmayankk commented Jan 5, 2021

liggitt commented Jan 22, 2021

krmayankk commented Jan 27, 2021 • edited

krmayankk commented Jan 27, 2021

krmayankk commented Feb 1, 2021 • edited

krmayankk commented Feb 10, 2021

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

dims commented Feb 19, 2021

dims commented Feb 19, 2021

ehashman left a comment

Choose a reason for hiding this comment

ehashman commented Feb 19, 2021

liggitt commented Feb 19, 2021

k8s-ci-robot commented Feb 19, 2021

liggitt Sep 9, 2020 •

edited

krmayankk commented Jan 27, 2021 •

edited

krmayankk commented Feb 1, 2021 •

edited