Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

kubeadm: deprecate the RootlessControlPlane feature gate #124997

Merged
merged 1 commit into from
May 23, 2024
Merged

kubeadm: deprecate the RootlessControlPlane feature gate #124997

merged 1 commit into from
May 23, 2024
+4 −1

Conversation

neolit123
Copy link
Member

@neolit123 neolit123 commented May 20, 2024
edited

What type of PR is this?

/kind deprecation

What this PR does / why we need it:

The feature was left in alpha for a few releases, since k8s started planning on a broader feature UserNamespacesSupport, which is what kubeadm should integrate with.

UserNamespacesSupport graduated to beta in 1.30.
Once it graduates to GA kubeadm can start using it an remove RootlessControlPlane.

Which issue(s) this PR fixes:

xref kubernetes/kubeadm#2473 (comment)

Special notes for your reviewer:

Does this PR introduce a user-facing change?

kubeadm: deprecated the kubeadm `RootlessControlPlane` feature gate (previously alpha), given that the core K8s `UserNamespacesSupport` feature gate graduated to Beta in 1.30.
Once core Kubernetes support for user namespaces is generally available and kubeadm has started to support running the control plane in userns pods, the kubeadm `RootlessControlPlane` feature gate will be removed entirely.
Until kubeadm supports the userns functionality out of the box, users can continue using the deprecated  `RootlessControlPlane` feature gate, or  opt-in `UserNamespacesSupport` by using kubeadm patches on the static pod manifests.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

@neolit123
kubeadm: deprecate the RootlessControlPlane feature gate
4a6d318 
The feature was left in alpha for a few releases, since
k8s started planning on a broader feature UserNamespacesSupport,
which is what kubeadm should integrate with.

UserNamespacesSupport graduated to beta in 1.30.
Once it graduates to GA kubeadm can start using it an remove
RootlessControlPlane.
@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. kind/deprecation Categorizes issue or PR as related to a feature/enhancement marked for deprecation. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels May 20, 2024
@neolit123
Copy link
Member Author

/triage accepted
/priority important-soon
/cc @pacoxu

@k8s-ci-robot k8s-ci-robot requested a review from pacoxu May 20, 2024 13:58
@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. area/kubeadm sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels May 20, 2024
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: neolit123

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 20, 2024
@neolit123 neolit123 mentioned this pull request May 20, 2024
Merged
@sftim
Copy link
Contributor

sftim commented May 21, 2024

Changelog suggestion

-kubeadm; deprecate the kubeadm RootlessControlPlane feature gate, as the core k8s UserNamespacesSupport feature gate graduated to Beta in 1.30. RootlessControlPlane will be removed once UserNamespacesSupport graduates to GA and kubeadm starts using it.
+kubeadm: deprecated the kubeadm `RootlessControlPlane` feature gate (previously alpha), given that the core K8s `UserNamespacesSupport` feature gate graduated to Beta in 1.30.
+Once core Kubernetes support for user namespaces is generally available and kubeadm has started to support running the control plane in userns pods, the kubeadm `RootlessControlPlane` feature gate will be removed entirely.

However, this implies that kubeadm doesn't support user namespaces yet, and people might also infer that having a control plane running as non-root is now deprecated.
Are we intending for people to run the control plane as a root user but inside a Pod using a user namespace? To me, the changelog entry isn't clear.

@neolit123
Copy link
Member Author

neolit123 commented May 21, 2024
edited

Changelog suggestion

updated.

However, this implies that kubeadm doesn't support user namespaces yet, and people might also infer that having a control plane running as non-root is now deprecated.
Are we intending for people to run the control plane as a root user but inside a Pod using a user namespace? To me, the changelog entry isn't clear.

users can continue using the deprecated kubeadm feature RootlessControlPlane until it's removed.
alternatively, they can use kubeadm patches to opt-in userns with UserNamespacesSupport .

added one more sentance to clarify this in the release note:

Until kubeadm supports the userns functionality out of the box, users can continue using the deprecated RootlessControlPlane feature gate, or opt-in UserNamespacesSupport by using kubeadm patches on the static pod manifests.

@pacoxu
Copy link
Member

pacoxu commented May 23, 2024

+1 for this
/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 23, 2024
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: c8507d9fa6e283206b83ad29b8ecb422cbb73b34

@k8s-ci-robot k8s-ci-robot merged commit 25b3912 into kubernetes:master May 23, 2024
15 checks passed
@k8s-ci-robot k8s-ci-robot added this to the v1.31 milestone May 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pacoxu pacoxu Awaiting requested review from pacoxu

@chendave chendave Awaiting requested review from chendave

@SataQiu SataQiu Awaiting requested review from SataQiu

Assignees

@pacoxu pacoxu

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/kubeadm cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/deprecation Categorizes issue or PR as related to a feature/enhancement marked for deprecation. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
None yet
Milestone
v1.31
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@neolit123 @k8s-ci-robot @sftim @pacoxu