Remove misleading SYS_PTRACE requirement from share-process-namespace #54890

Open
kovan wants to merge 1 commit into kubernetes:main from kovan:remove-sys-ptrace
@kovan kovan commented Mar 13, 2026

Summary

  • Remove the incorrect claim that SYS_PTRACE capability is required to signal processes in other containers sharing a process namespace
  • Remove the unnecessary securityContext from the example YAML
  • Sending signals via kill() only requires standard Unix permission checks (same UID or CAP_KILL), not ptrace access

This prevents users from unnecessarily weakening their pod security posture by adding SYS_PTRACE when it is not needed.

Continues the work from #50672.

Test plan

  • Verify that kill -HUP works without SYS_PTRACE in a shared process namespace pod
  • Example YAML validates correctly

🤖 Generated with Claude Code

Sending signals to processes in other containers sharing a PID
namespace does not require the SYS_PTRACE capability. The kill()
syscall only needs standard Unix permission checks (same UID or
CAP_KILL), not ptrace access. SYS_PTRACE is only needed for
ptrace() operations like debugging.

Remove the incorrect claim and the unnecessary securityContext from
the example YAML to avoid users weakening their pod security posture.

Continues the work from kubernetes#50672.
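The permission rule the description relies on can be checked from the `Uid:` and `CapEff:` lines of `/proc/<pid>/status`. The following is an added example, not part of this pull request or the Kubernetes docs; it spells out the kill(2) rule (sender's real or effective UID against the target's real or saved UID) rather than just "same UID". The function names and sample status text are constructed, and it assumes both processes share a user namespace and no LSM policy denies the signal.

```python
# Added example: evaluate the kill(2) permission rule from /proc/<pid>/status text.
CAP_KILL = 5          # bit numbers from linux/capability.h
CAP_SYS_PTRACE = 19

def parse_status(text):
    """Extract real/effective/saved UIDs and the effective capability mask."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.split()
    ruid, euid, suid, _fsuid = (int(u) for u in fields["Uid"])
    return {"ruid": ruid, "euid": euid, "suid": suid,
            "cap_eff": int(fields["CapEff"][0], 16)}

def has_cap(proc, cap):
    return bool((proc["cap_eff"] >> cap) & 1)

def audit(sender_status, target_status):
    """Report whether sender may signal target, why, and whether SYS_PTRACE is held."""
    sender, target = parse_status(sender_status), parse_status(target_status)
    # kill(2): sender's real or effective UID must equal target's real or saved UID
    uid_match = {sender["ruid"], sender["euid"]} & {target["ruid"], target["suid"]}
    if uid_match:
        reason = "uid match"
    elif has_cap(sender, CAP_KILL):
        reason = "CAP_KILL"
    else:
        reason = None
    # CAP_SYS_PTRACE is reported only as a finding; it plays no part in the decision
    return {"signal_allowed": reason is not None, "reason": reason,
            "sys_ptrace_held": has_cap(sender, CAP_SYS_PTRACE)}

# Constructed samples (not captured from a real pod).
SHELL_DROP_ALL = "Name:\tsh\nUid:\t0\t0\t0\t0\nCapEff:\t0000000000000000\n"
NGINX_MASTER = "Name:\tnginx\nUid:\t0\t0\t0\t0\nCapEff:\t00000000a80425fb\n"
PTRACE_ONLY_USER = "Name:\tsh\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000080000\n"
KILL_ONLY_USER = "Name:\tsh\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000020\n"

if __name__ == "__main__":
    for name, status in [("drop-all root shell", SHELL_DROP_ALL),
                         ("uid 1000 + SYS_PTRACE", PTRACE_ONLY_USER),
                         ("uid 1000 + CAP_KILL", KILL_ONLY_USER)]:
        print(name, "->", audit(status, NGINX_MASTER))
```

A sender with no capabilities at all can signal a target with a matching UID, while a sender that holds only SYS_PTRACE and a different UID cannot.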
@k8s-ci-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign sayanchowdhury for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the language/en Issues or PRs related to English language label Mar 13, 2026
@k8s-ci-robot k8s-ci-robot requested a review from yujuhong March 13, 2026 18:58
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Mar 13, 2026
netlify bot commented Mar 13, 2026

Pull request preview available for checking

Built without sensitive environment variables

Name Link
🔨 Latest commit 7e2b375
🔍 Latest deploy log https://app.netlify.com/projects/kubernetes-io-main-staging/deploys/69b45e3e6d20340008e34e3b
😎 Deploy Preview https://deploy-preview-54890--kubernetes-io-main-staging.netlify.app

@Caesarsage

Thanks. LGTM
