Fine-grained SupplementalGroups control

[everpeace]

Enhancement Description

• One-line enhancement description (can be used as a release note): Add new API surface to control and track how supplemental groups are applied in the container.
• Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/3619-supplemental-groups-policy
• Discussion Link: Can bypass PodSecurityContext.SupplementalGroups by custom container image although PSP(or other policy engines) enforces the field kubernetes#112879
• Primary contact (assignee):　@everpeace
• Responsible SIGs: sig-node
• Enhancement target (which target equals to which milestone):
  • Alpha release target (x.y): 1.27?
  • Beta release target (x.y):
  • Stable release target (x.y):
• Alpha
  • KEP (k/enhancements) update PR(s):
    • KEP-3169: Fine-grained SupplementalGroups control #3620
    • KEP-3619: update Test Plan and Graduation Criteria for KEP freeze #3862
    • KEP-3619: Cleanup After Freeze #3874
  • Code (k/k) update PR(s):
  • Docs (k/website) update PR(s):

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

/assign
/sig node
/kind feature

[k8s-ci-robot]

@everpeace: The label(s) /remove-label sig/scheduling cannot be applied. These labels are supported: api-review, tide/merge-method-merge, tide/merge-method-rebase, tide/merge-method-squash, team/katacoda, refactor, lead-opted-in, tracked/no, tracked/out-of-tree, tracked/yes. Is this label configured under labels -> additional_labels or labels -> restricted_labels in plugin.yaml?

In response to this:

/remove-label sig/scheduling

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[everpeace]

/remove-lifecycle stale

[SergeyKanzhelev]

/milestone v1.27

let's see if we can start it in 1.27

[SergeyKanzhelev]

/label lead-opted-in

[SergeyKanzhelev]

/stage alpha

[npolshakova]

Hello @everpeace 👋, 1.27 Enhancements team here.

Just checking in as we approach enhancements freeze on 18:00 PDT Thursday 9th February 2023.

This enhancement is targeting for stage alpha for 1.27 (correct me, if otherwise)

Here's where this enhancement currently stands:

• KEP readme using the latest template has been merged into the k/enhancements repo.
• KEP status is marked as implementable for latest-milestone: 1.27
• KEP readme has a updated detailed test plan section filled out
• KEP readme has up to date graduation criteria
• KEP has a production readiness review that has been completed and merged into k/enhancements.

It looks like #3620 will address most of these issues.

The status of this enhancement is marked as at risk. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

[SergeyKanzhelev]

@npolshakova, kep yaml has correct values for stage, milestone, etc:

enhancements/keps/sig-node/3619-supplemental-groups-policy/kep.yaml

Lines 8 to 30 in 472a381

	status: implementable
	creation-date: 2022-10-14
	reviewers:
	- "@thockin"
	- "@mrunalp"
	- "@SergeyKanzhelev"
	approvers:
	- "@mrunalp"
	see-also: []
	replaces: []
	# The target maturity stage in the current dev cycle for this KEP.
	stage: alpha
	# The most recent milestone for which work toward delivery of this KEP has been
	# done. This can be the current (upcoming) milestone, if it is being actively
	# worked on.
	latest-milestone: "v1.27"
	# The milestone at which this feature was, or is targeted to be, at each stage.
	milestone:
	alpha: "v1.27"

This KEP updates to the latest template and covers testing section: #3862

PRR review completed:

enhancements/keps/prod-readiness/sig-node/3619.yaml

Lines 1 to 6 in 472a381

	# The KEP must have an approver from the
	# "prod-readiness-approvers" group
	# of http://git.k8s.io/enhancements/OWNERS_ALIASES
	kep-number: 3619
	alpha:
	approver: "@johnbelamaric"

So once #3862 is merged, this KEP is ready for the milestone

[npolshakova]

Great! Looks like #3862 went in so this enhancement as tracked for v1.27.
Thanks!

/label tracked/yes

[npolshakova]

Hi @everpeace,

Checking in as we approach 1.27 code freeze at 17:00 PDT on Tuesday 14th March 2023.

Please ensure the following items are completed:

• All PRs to the Kubernetes repo that are related to your enhancement are linked in the above issue description (for tracking purposes).
• All PRs are fully merged by the code freeze deadline.

Please let me know if there are any other PRs in k/k I should be tracking for this KEP.
As always, we are here to help should questions come up. Thanks!

[taniaduggal]

Hi @everpeace 👋 , I’m reaching out from the 1.27 Release Docs team. This enhancement is marked as ‘Needs Docs’ for the 1.27 release.
Please follow the steps detailed in the documentation to open a PR against dev-1.27 branch in the k/website repo. This PR can be just a placeholder at this time, and must be created by March 16. For more information, please take a look at Documenting for a release to familiarize yourself with the documentation requirements for the release.
Please feel free to reach out with any questions. Thanks!

[npolshakova]

Hi @everpeace, this is the status as we approach code freeze today:

• All PRs to the Kubernetes repo that are related to your enhancement are linked in the above issue description (for tracking purposes).
• All PRs are fully merged by the code freeze deadline.

Please let me know what other PRs in k/k I should be tracking for this KEP.

As always, we are here to help should questions come up. Thanks!

[npolshakova]

Unfortunately the implementation PRs associated with this enhancement have not merged by code-freeze so this enhancement is getting removed from the release.

If you would like to file an exception please see https://github.com/kubernetes/sig-release/blob/master/releases/EXCEPTIONS.md

/milestone clear
/remove-label tracked/yes
/label tracked/no