Fine-grained SupplementalGroups control

[everpeace]

Enhancement Description

• One-line enhancement description (can be used as a release note): Add new API surface to control and track how supplemental groups are applied in the container.
• Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/3619-supplemental-groups-policy
• Discussion Link: Can bypass PodSecurityContext.SupplementalGroups by custom container image although PSP(or other policy engines) enforces the field kubernetes#112879
• Primary contact (assignee):　@everpeace
• Responsible SIGs: sig-node
• Enhancement target (which target equals to which milestone):
  • Alpha release target (x.y): 1.28?
  • Beta release target (x.y):
  • Stable release target (x.y):
• Alpha
  • KEP (k/enhancements) update PR(s):
    • KEP-3169: Fine-grained SupplementalGroups control #3620
    • KEP-3619: update Test Plan and Graduation Criteria for KEP freeze #3862
    • KEP-3619: Cleanup After Freeze #3874
  • Code (k/k) update PR(s): KEP-3619: Fine-grained SupplementalGroups control kubernetes#117842
  • Docs (k/website) update PR(s):

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

/assign
/sig node
/kind feature

[k8s-ci-robot]

@everpeace: The label(s) /remove-label sig/scheduling cannot be applied. These labels are supported: api-review, tide/merge-method-merge, tide/merge-method-rebase, tide/merge-method-squash, team/katacoda, refactor, lead-opted-in, tracked/no, tracked/out-of-tree, tracked/yes. Is this label configured under labels -> additional_labels or labels -> restricted_labels in plugin.yaml?

In response to this:

/remove-label sig/scheduling

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[everpeace]

/remove-lifecycle stale

[SergeyKanzhelev]

/milestone v1.27

let's see if we can start it in 1.27

[SergeyKanzhelev]

/label lead-opted-in

[SergeyKanzhelev]

/stage alpha

[npolshakova]

Hello @everpeace 👋, 1.27 Enhancements team here.

Just checking in as we approach enhancements freeze on 18:00 PDT Thursday 9th February 2023.

This enhancement is targeting for stage alpha for 1.27 (correct me, if otherwise)

Here's where this enhancement currently stands:

• KEP readme using the latest template has been merged into the k/enhancements repo.
• KEP status is marked as implementable for latest-milestone: 1.27
• KEP readme has a updated detailed test plan section filled out
• KEP readme has up to date graduation criteria
• KEP has a production readiness review that has been completed and merged into k/enhancements.

It looks like #3620 will address most of these issues.

The status of this enhancement is marked as at risk. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

[SergeyKanzhelev]

@npolshakova, kep yaml has correct values for stage, milestone, etc:

enhancements/keps/sig-node/3619-supplemental-groups-policy/kep.yaml

Lines 8 to 30 in 472a381

	status: implementable
	creation-date: 2022-10-14
	reviewers:
	- "@thockin"
	- "@mrunalp"
	- "@SergeyKanzhelev"
	approvers:
	- "@mrunalp"
	see-also: []
	replaces: []
	# The target maturity stage in the current dev cycle for this KEP.
	stage: alpha
	# The most recent milestone for which work toward delivery of this KEP has been
	# done. This can be the current (upcoming) milestone, if it is being actively
	# worked on.
	latest-milestone: "v1.27"
	# The milestone at which this feature was, or is targeted to be, at each stage.
	milestone:
	alpha: "v1.27"

This KEP updates to the latest template and covers testing section: #3862

PRR review completed:

enhancements/keps/prod-readiness/sig-node/3619.yaml

Lines 1 to 6 in 472a381

	# The KEP must have an approver from the
	# "prod-readiness-approvers" group
	# of http://git.k8s.io/enhancements/OWNERS_ALIASES
	kep-number: 3619
	alpha:
	approver: "@johnbelamaric"

So once #3862 is merged, this KEP is ready for the milestone

[npolshakova]

Great! Looks like #3862 went in so this enhancement as tracked for v1.27.
Thanks!

/label tracked/yes

[SergeyKanzhelev]

@everpeace do you plan to continue working on this KEP in 1.28?

[everpeace]

@SergeyKanzhelev Yes, I will continue working on this KEP. As I wrote in #3620 (comment) , my cleanup PR in containerd took much time to merge than I expected.

[everpeace]

Memo: Tasklist to alpha(v1.28)

• implement SupplementalGroupsPolicy in k/k (incl. updating cri-api)
• implement cri-api's SupplementalGroupsPolicy in containerd
• release containerd with cri-api's SupplementalGroupsPolicy support
• implement e2e for SupplementalGroupsPolicy
• add SupplementalGroupsPolicy to cri-test
• add SupplementalGroupsPolicy to k/website (https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)

[SergeyKanzhelev]

/milestone v1.28

[thockin]

Is this still hoping to land alpha in 1.28?

[SergeyKanzhelev]

/label lead-opted-in

[npolshakova]

Hello @everpeace 👋, 1.28 Enhancements team here!

Just checking in as we approach enhancements freeze on 18:00 PDT Thursday 9th February 2023.

This enhancement is targeting for stage alpha for 1.28 (correct me, if otherwise)

Here's where this enhancement currently stands:

• KEP readme using the latest template has been merged into the k/enhancements repo.
• KEP status is marked as implementable for latest-milestone: 1.28
• KEP readme has a updated detailed test plan section filled out
• KEP readme has up to date graduation criteria
• KEP has a production readiness review that has been completed and merged into k/enhancements.

For this KEP, we would just need to update the following:

• Update latest milestone to 1.28
• Update alpha milestone to 1.28

The status of this enhancement is marked as at risk. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

[SergeyKanzhelev]

For this KEP, we would just need to update the following:

• Update latest milestone to 1.28
• Update alpha milestone to 1.28

this is done, KEP should be ok to be tracked

[npolshakova]

With all the requirements fulfilled this enhancement is marked as tracked for the Enhancements freeze 🚀

[taniaduggal]

Hello @everpeace 1.28 Docs Shadow here.

Does this enhancement work planned for 1.28 require any new docs or modification to existing docs?

If so, please follows the steps here to open a PR against dev-1.28 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Thursday 20th July 2023.

Also, take a look at Documenting for a release to get yourself familiarize with the docs requirement for the release.

Thank you!

[npolshakova]

Hey again @everpeace 👋

Just checking in as we approach Code freeze at 01:00 UTC Friday, 19th July 2023 .

Here’s the enhancement’s state for the upcoming code freeze:

• All the PRs that are related to your enhancement are linked in the above issue description (for tracking purposes). This includes code, tests, and documentation related PR/s.
• All code related PR/s are merged or are in merge-ready state ( i.e they have approved and lgtm labels applied) by the code freeze deadline. This includes any tests related PR/s too.

Also please let me know if there are other PRs in k/k we should be tracking for this KEP.
As always, we are here to help if any questions come up. Thanks!

[Rishit-dagli]

Hey @everpeace , could you please create a docs PR even if it is a draft PR with no content yet against dev-1.28 branch in the k/website repo. The deadline to create this draft PR is Thursday 20th July 2023.

[taniaduggal]

Hey @everpeace, Docs Shadow here! could you please create a docs PR even if it is a draft PR with no content yet against dev-1.28 branch in the k/website repo. The deadline to create this draft PR is Thursday 20th July 2023.

[Atharva-Shinde]

Hello @everpeace 👋, 1.28 Enhancements Lead here.

Unfortunately, the implementation (code related) PR associated with this enhancement was not in the merge-ready state by the code-freeze and hence this enhancement is now being removed from the v1.28 milestone.

If you still wish to progress this enhancement in v1.28, please file an exception request. Thanks!

/milestone clear

[SergeyKanzhelev]

@everpeace do you plan to keep working on this KEP for 1.29?

[SergeyKanzhelev]

/remove-label lead-opted-in

while we are confirming the owner for the KEP

[everpeace]

@SergeyKanzhelev Sorry for my long absence. Yes, let me work on this for 1.29.

[npolshakova]

Hello @everpeace, 1.29 Enhancements team here! Is this enhancement targeting 1.29? If it is, can you follow the instructions here to opt in the enhancement and make sure the lead-opted-in label is set so it can get added to the tracking board? Thanks!