KEP: Promote sysctl annotations to fields #2093
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
k8s-ci-robot
added
do-not-merge/work-in-progress
k8s-ci-robot
added
sig/architecture
ingvagabund
force-pushed
the
promote-sysctl-annotations-kep
branch
6 times, most recently
from
7df25db to
07982e8
Compare
20 tasks
ingvagabund
force-pushed
the
promote-sysctl-annotations-kep
branch
5 times, most recently
from
395afcf to
a6f2178
Compare
ingvagabund
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
Thanks Jan 👍 /sig node |
k8s-ci-robot
added
the
sig/node
php-coder
reviewed
Apr 30, 2018
| authors: | ||
| - "@ingvagabund" | ||
| owning-sig: sig-node | ||
| participating-sigs: |
There was a problem hiding this comment.
As it touches PSP, I think that we may mention sig-auth here.
php-coder
reviewed
Apr 30, 2018
| // SecurityContext holds security configuration that will be applied to a container. | ||
| // Some fields are present in both SecurityContext and PodSecurityContext. When both | ||
| // are set, the values in SecurityContext take precedence. | ||
| type SecurityContext struct { |
There was a problem hiding this comment.
SecurityContext is for container-scoped restrictions. If we want to make it pod-scoped only, we need to modify PodSecurityContext instead.
|
@ingvagabund Thank you for working on this! |
|
/sig auth |
k8s-ci-robot
added
the
sig/auth
|
Please add section for following: How to enable unsafe sysctls on node should move away from an experimental flag and become kubelet config api option |
|
The original support predates feature gates, but it’s move to first class fields should come with feature gate. Can you add details on feature gate? |
ingvagabund
force-pushed
the
promote-sysctl-annotations-kep
branch
3 times, most recently
from
94b9345 to
b90d346
Compare
|
@derekwaynecarr updated, PTAL |
derekwaynecarr
suggested changes
May 7, 2018
|
|
||
| Upstream issue: https://github.com/kubernetes/kubernetes/issues/61669 | ||
|
|
||
| ### Gate the feature |
There was a problem hiding this comment.
Please just state what the feature gate flag is and the default behavior.
I have no problem with what @sjenning has started, but this document will be read in the future and linking out like that is painful for future readers.
|
/cc @kubernetes/sig-node-proposals this is the document that describes the promotion of sysctl to fields for beta support. if folks have any comments, please provide them this week |
|
Lgtm. |
ingvagabund
force-pushed
the
promote-sysctl-annotations-kep
branch
2 times, most recently
from
afdcc25 to
ce422be
Compare
ingvagabund
force-pushed
the
promote-sysctl-annotations-kep
branch
from
ce422be to
6d6bfda
Compare
5 tasks
|
Thank you for the updates @ingvagabund /approve |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: derekwaynecarr The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
derekwaynecarr
approved these changes
May 14, 2018
k8s-ci-robot
added
the
approved
|
🎉 |
Closed
4 tasks
|
After 2 weeks after merge, it became outdated. Do we care about making it up-to-date? |
k8s-github-robot
pushed a commit
to kubernetes/kubernetes
that referenced
this pull request
Jun 6, 2018
…-to-fields Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Promote sysctl annotations to fields # **What this PR does / why we need it**: Promoting experimental sysctl feature from annotations to API fields. **Special notes for your reviewer**: Following sysctl KEP: kubernetes/community#2093 **Release note**: ```release-note The Sysctls experimental feature has been promoted to beta (enabled by default via the `Sysctls` feature flag). PodSecurityPolicy and Pod objects now have fields for specifying and controlling sysctls. Alpha sysctl annotations will be ignored by 1.11+ kubelets. All alpha sysctl annotations in existing deployments must be converted to API fields to be effective. ``` **TODO**: * [x] - Promote sysctl annotation in Pod spec * [x] - Promote sysctl annotation in PodSecuritySpec spec * [x] - Feature gate the sysctl * [x] - Promote from alpha to beta * [x] - docs PR - kubernetes/website#8804
k8s-publishing-bot
added a commit
to kubernetes/api
that referenced
this pull request
Jun 6, 2018
…-to-fields Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Promote sysctl annotations to fields # **What this PR does / why we need it**: Promoting experimental sysctl feature from annotations to API fields. **Special notes for your reviewer**: Following sysctl KEP: kubernetes/community#2093 **Release note**: ```release-note The Sysctls experimental feature has been promoted to beta (enabled by default via the `Sysctls` feature flag). PodSecurityPolicy and Pod objects now have fields for specifying and controlling sysctls. Alpha sysctl annotations will be ignored by 1.11+ kubelets. All alpha sysctl annotations in existing deployments must be converted to API fields to be effective. ``` **TODO**: * [x] - Promote sysctl annotation in Pod spec * [x] - Promote sysctl annotation in PodSecuritySpec spec * [x] - Feature gate the sysctl * [x] - Promote from alpha to beta * [x] - docs PR - kubernetes/website#8804 Kubernetes-commit: b6f75ac30e863531ac73cfd02a0edd57983cc5c0
sttts
pushed a commit
to sttts/api
that referenced
this pull request
Jun 8, 2018
…-to-fields Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Promote sysctl annotations to fields # **What this PR does / why we need it**: Promoting experimental sysctl feature from annotations to API fields. **Special notes for your reviewer**: Following sysctl KEP: kubernetes/community#2093 **Release note**: ```release-note The Sysctls experimental feature has been promoted to beta (enabled by default via the `Sysctls` feature flag). PodSecurityPolicy and Pod objects now have fields for specifying and controlling sysctls. Alpha sysctl annotations will be ignored by 1.11+ kubelets. All alpha sysctl annotations in existing deployments must be converted to API fields to be effective. ``` **TODO**: * [x] - Promote sysctl annotation in Pod spec * [x] - Promote sysctl annotation in PodSecuritySpec spec * [x] - Feature gate the sysctl * [x] - Promote from alpha to beta * [x] - docs PR - kubernetes/website#8804 Kubernetes-commit: b6f75ac30e863531ac73cfd02a0edd57983cc5c0
k8s-publishing-bot
added a commit
to kubernetes/api
that referenced
this pull request
Jun 8, 2018
…-to-fields Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Promote sysctl annotations to fields # **What this PR does / why we need it**: Promoting experimental sysctl feature from annotations to API fields. **Special notes for your reviewer**: Following sysctl KEP: kubernetes/community#2093 **Release note**: ```release-note The Sysctls experimental feature has been promoted to beta (enabled by default via the `Sysctls` feature flag). PodSecurityPolicy and Pod objects now have fields for specifying and controlling sysctls. Alpha sysctl annotations will be ignored by 1.11+ kubelets. All alpha sysctl annotations in existing deployments must be converted to API fields to be effective. ``` **TODO**: * [x] - Promote sysctl annotation in Pod spec * [x] - Promote sysctl annotation in PodSecuritySpec spec * [x] - Feature gate the sysctl * [x] - Promote from alpha to beta * [x] - docs PR - kubernetes/website#8804 Kubernetes-commit: b6f75ac30e863531ac73cfd02a0edd57983cc5c0
thockin
reviewed
Jun 25, 2018
| sysctls: | ||
| - name: kernel.shm_rmid_forced | ||
| value: 1 | ||
| - name: net.ipv4.route.min_pmtu |
There was a problem hiding this comment.
Why are networking-related knobs in the security context? This seems like the wrong structure to me?
calebamiles
pushed a commit
to calebamiles/community
that referenced
this pull request
Sep 5, 2018
…notations-kep KEP: Promote sysctl annotations to fields
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Setting the
sysctlparameters through annotations provided a successful storyfor defining better constraints of running applications.
The
sysctlfeature has been tested by a number of people without any seriouscomplaints. Promoting the annotations to fields (i.e. to beta) is another step in making the
sysctlfeature closer towards the stable API.