Fine-grained SupplementalGroups control

[everpeace]

Enhancement Description

• One-line enhancement description (can be used as a release note): Add new API surface to control and track how supplemental groups are applied in the container.
• Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/3619-supplemental-groups-policy
• Discussion Link: Can bypass PodSecurityContext.SupplementalGroups by custom container image although PSP(or other policy engines) enforces the field kubernetes#112879
• Primary contact (assignee):　@everpeace
• Responsible SIGs: sig-node
• Enhancement target (which target equals to which milestone):
  • Alpha release target (x.y): 1.31
  • Beta release target (x.y): 1.33
  • Stable release target (x.y):
• Alpha: v1.31
  • KEP (k/enhancements) update PR(s):
    • KEP-3169: Fine-grained SupplementalGroups control #3620
    • KEP-3619: update Test Plan and Graduation Criteria for KEP freeze #3862
    • KEP-3619: Cleanup After Freeze #3874
    • KEP-3619: update the latest milestone to v1.31 #4628
    • KEP-3619: Add SupplementalGroupsPolicy feature fields in Kubernetes API(Node.Status) and CRI(RuntimeStatusResponse) #4728
  • Code (k/k) update PR(s):
    • KEP-3619: Fine-grained SupplementalGroups control kubernetes#117842
    • KEP-3619: Add NodeStatus.Features.SupplementalGroupsPolicy API and e2e kubernetes#125470
  • Docs (k/website) update PR(s):
    • [dev-1.31] KEP-3619: Fine-grained SupplementalGroups control website#46920
    • blog post for KEP-3619: Fine-grained SupplementalGroups control website#46921
  • contained (optional):
    • Fine-grained SupplementalGroups control containerd/containerd#9737
    • Implement RuntimeStatus.features.supplemental_groups_policy from KEP-3619 containerd/containerd#10410
  • CRI-O (optional):
    • server/*: add fine-grained SupplementalGroups control for enhanced security cri-o/cri-o#8268
    • KEP-3619: implement RuntimeStatus.features.supplemental_groups_policy cri-o/cri-o#8386
  • cri-tools (optional):
    • KEP-3619: Fine-grained SupplementalGroups control kubernetes-sigs/cri-tools#1438
• Beta: v1.33
  • KEP (k/enhancements) update PR(s):
    • KEP-3619: updated KEP with alpha release status, and added haircommander as a reviewer #4809
    • KEP-3619: updated Production Readiness Review Questionnaire for beta release #4895
    • KEP-3619: update latest-milestone to v1.33 #5165
  • Code (k/k) update PR(s):
    • KEP-3619: Promote SupplementalGroupsPolicy feature to Beta kubernetes#130210
  • Docs (k/website) update(s):
    • [dev-1.33] KEP-3619: Promote Fine-grained SupplementalGroups control to Beta website#49880
    • blog post for KEP-3619: Fine-grained SupplementalGroups control graduates to beta website#49944
  • cri-tools (optional)
    • KEP-3619: Support RuntimeFeatures(.features) in "crictl info" command kubernetes-sigs/cri-tools#1772

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

/assign
/sig node
/kind feature

[everpeace]

/assign
/sig scheduling

[k8s-ci-robot]

@everpeace: The label(s) /remove-label sig/scheduling cannot be applied. These labels are supported: api-review, tide/merge-method-merge, tide/merge-method-rebase, tide/merge-method-squash, team/katacoda, refactor, lead-opted-in, tracked/no, tracked/out-of-tree, tracked/yes. Is this label configured under labels -> additional_labels or labels -> restricted_labels in plugin.yaml?

In response to this:

/remove-label sig/scheduling

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[everpeace]

/kind feature