Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Run control-plane as non-root in kubeadm. #2568

Open
18 tasks done
vinayakankugoyal opened this issue Mar 13, 2021 · 26 comments
Open
18 tasks done

Run control-plane as non-root in kubeadm. #2568

vinayakankugoyal opened this issue Mar 13, 2021 · 26 comments
Assignees
Labels
kind/feature Categorizes issue or PR as related to a new feature. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. stage/alpha Denotes an issue tracking an enhancement targeted for Alpha status tracked/no Denotes an enhancement issue is NOT actively being tracked by the Release Team

Comments

@vinayakankugoyal
Copy link
Contributor

vinayakankugoyal commented Mar 13, 2021

Enhancement Description

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

k/kubeadm tracking issue:
kubernetes/kubeadm#1367
kubernetes/kubeadm#2473

@k8s-ci-robot k8s-ci-robot added the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Mar 13, 2021
@pacoxu
Copy link
Member

pacoxu commented Mar 13, 2021

/sig cluster-lifecycle

@k8s-ci-robot k8s-ci-robot added sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Mar 13, 2021
@neolit123 neolit123 added the kind/feature Categorizes issue or PR as related to a new feature. label Mar 13, 2021
@vinayakankugoyal
Copy link
Contributor Author

vinayakankugoyal commented Apr 12, 2021

/milestone 1.22

@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Apr 12, 2021

@vinayakankugoyal: You must be a member of the kubernetes/milestone-maintainers GitHub team to set the milestone. If you believe you should be able to issue the /milestone command, please contact your and have them propose you as an additional delegate for this responsibility.

In response to this:

/milestone 1.22

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@pacoxu
Copy link
Member

pacoxu commented Apr 15, 2021

Feel free to ping me if any help is needed on this feature.
(develop/reviewing/testing)

@BenTheElder
Copy link
Member

BenTheElder commented Apr 23, 2021

/milestone v1.22

@k8s-ci-robot k8s-ci-robot added this to the v1.22 milestone Apr 23, 2021
@neolit123 neolit123 added the stage/alpha Denotes an issue tracking an enhancement targeted for Alpha status label Apr 26, 2021
@JamesLaverack JamesLaverack added the tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team label Apr 28, 2021
@jrsapi
Copy link

jrsapi commented May 13, 2021

Greetings @vinayakankugoyal!
1.22 Enhancement shadow checking in. After reviewing the KEP and PRR this has been marked as "Tracked" for 1.22. A reminder that the enhancement freeze starts Thursday, 5/13 at 23:59:59 PST.

Thanks!

@vinayakankugoyal
Copy link
Contributor Author

vinayakankugoyal commented May 13, 2021

Thanks @jrsapi. Is there any other action we need to take before 05/13?

@jrsapi
Copy link

jrsapi commented May 13, 2021

No other action is needed. The KEP will be reviewed after the freeze by the release lead.

Thanks!

@ritpanjw
Copy link

ritpanjw commented May 19, 2021

Hello @vinayakankugoyal 👋 , 1.22 Docs Shadow here.

This enhancement is marked as Needs Docs for 1.22 release.
Please follow the steps detailed in the documentation to open a PR against dev-1.22 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Fri July 9, 11:59 PM PDT.
Also, take a look at Documenting for a release to familiarize yourself with the docs requirement for the release.

Thank you!

@vinayakankugoyal
Copy link
Contributor Author

vinayakankugoyal commented Jun 4, 2021

/assign @vinayakankugoyal

@neolit123
Copy link
Member

neolit123 commented Jul 2, 2021

note for the release team, this feature has just graduated to Alpha from our perspective:

  • code changes were made
  • e2e tests were added
  • docs are not needed for the alpha

thanks to @vinayakankugoyal

punch card of the PRs is here:
kubernetes/kubeadm#2473

@sftim
Copy link
Contributor

sftim commented Jul 4, 2021

Do we list kubeadm feature gates in https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/ ?

If not, where do we document those?

@neolit123
Copy link
Member

neolit123 commented Jul 4, 2021

Do we list kubeadm feature gates in https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/ ?

no, that page is only for core k8s FGs.

If not, where do we document those?

alpha kubeadm features behind a FGs are commonly not ducumented at k8s.io.
users can see it in a release note and can try it.
once a feature moves to beta. we document it as part of existing pages like "kubeadm init", "kubeadm join", etc.

@BenTheElder
Copy link
Member

BenTheElder commented Jul 4, 2021

no, that page is only for core k8s FGs.

aside: I actually feel like this might need calling out there, most binaries in the Kubernetes release have a unified set of featuregates and kubeadm's being distinct is perhaps not the most obvious.

@dims
Copy link
Member

dims commented Jul 4, 2021

@neolit123 @BenTheElder just one more reason kubeadm should be out-of-tree ...

@jrsapi
Copy link

jrsapi commented Jul 6, 2021

Greetings @vinayakankugoyal,
This is a reminder that code freeze is coming up this Thursday, July 8th. All PR's need to be code complete and merged by the freeze. Can you update this issue if all PR's have been merged?
Also, this Friday, July 9th is the Docs placeholder PR deadline. Please follow the steps detailed in the documentation to open a PR against dev-1.22 branch in the k/website repo.

@neolit123
Copy link
Member

neolit123 commented Jul 6, 2021

@jrsapi
we consider this feature graduated to alpha.

documentation updates are not needed, e2e tests are running here:
https://k8s-testgrid.appspot.com/sig-cluster-lifecycle-kubeadm#kubeadm-kinder-rootless-latest

kubernetes/website#28788
is out of band for 1.22.

@PI-Victor
Copy link
Member

PI-Victor commented Jul 9, 2021

@jrsapi
we consider this feature graduated to alpha.

documentation updates are not needed, e2e tests are running here:
https://k8s-testgrid.appspot.com/sig-cluster-lifecycle-kubeadm#kubeadm-kinder-rootless-latest

kubernetes/website#28788
is out of band for 1.22.

based on this comment, i will remove the 'Needs Docs' from this enhancements, thanks!

@salaxander salaxander added tracked/no Denotes an enhancement issue is NOT actively being tracked by the Release Team and removed tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team labels Aug 19, 2021
@neolit123
Copy link
Member

neolit123 commented Sep 1, 2021

we discussed in the kubeadm office hours for Sep 1st 2021 that we might want to delay the graduation to Beta to 1.24 to give the users one more release to find potential problems. none thus far.

i have updated the OP with BETA targeting 1.24.

@k8s-triage-robot
Copy link

k8s-triage-robot commented Nov 30, 2021

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 30, 2021
@BenTheElder
Copy link
Member

BenTheElder commented Nov 30, 2021

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 30, 2021
@neolit123 neolit123 removed this from the v1.22 milestone Feb 1, 2022
@k8s-triage-robot
Copy link

k8s-triage-robot commented May 2, 2022

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 2, 2022
@BenTheElder
Copy link
Member

BenTheElder commented May 2, 2022

we discussed in the kubeadm office hours for Sep 1st 2021 that we might want to delay the graduation to Beta to 1.24 to give the users one more release to find potential problems. none thus far.

with 1.24 pending tomorrow, is this still the current state?

@neolit123
Copy link
Member

neolit123 commented May 2, 2022

a good summary is here:
kubernetes/kubeadm#2473 (comment)

we are considering user namespaces vs managed non-root users (this)

@neolit123 neolit123 removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 18, 2022
nberlee added a commit to nberlee/talos that referenced this issue Jul 17, 2022
KEP-2568: kubernetes/enhancements#2568

Deviation:
 - seccomp profile not implemented: depending on siderolabs#5293 ?
 - example sets UID/GID in container context, its safer to do this in pod context

Signed-off-by: Nico Berlee <nico.berlee@on2it.net>
@k8s-triage-robot
Copy link

k8s-triage-robot commented Aug 16, 2022

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 16, 2022
@neolit123 neolit123 removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 16, 2022
@k8s-triage-robot
Copy link

k8s-triage-robot commented Nov 14, 2022

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 14, 2022
@neolit123 neolit123 added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Nov 14, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/feature Categorizes issue or PR as related to a new feature. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. stage/alpha Denotes an issue tracking an enhancement targeted for Alpha status tracked/no Denotes an enhancement issue is NOT actively being tracked by the Release Team
Projects
None yet
Development

No branches or pull requests