Enhancement Description

• One-line enhancement description (can be used as a release note): Add new API surface to control and track how supplemental groups are applied in the container.
• Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/3619-supplemental-groups-policy
• Discussion Link: Can bypass PodSecurityContext.SupplementalGroups by custom container image although PSP(or other policy engines) enforces the field kubernetes#112879
• Primary contact (assignee):　@everpeace
• Responsible SIGs: sig-node
• Enhancement target (which target equals to which milestone):
  • Alpha release target (x.y): 1.31
  • Beta release target (x.y): 1.33
  • Stable release target (x.y): 1.35
• Alpha: v1.31
  • KEP (k/enhancements) update PR(s):
    • KEP-3169: Fine-grained SupplementalGroups control #3620
    • KEP-3619: update Test Plan and Graduation Criteria for KEP freeze #3862
    • KEP-3619: Cleanup After Freeze #3874
    • KEP-3619: update the latest milestone to v1.31 #4628
    • KEP-3619: Add SupplementalGroupsPolicy feature fields in Kubernetes API(Node.Status) and CRI(RuntimeStatusResponse) #4728
  • Code (k/k) update PR(s):
    • KEP-3619: Fine-grained SupplementalGroups control kubernetes#117842
    • KEP-3619: Add NodeStatus.Features.SupplementalGroupsPolicy API and e2e kubernetes#125470
  • Docs (k/website) update PR(s):
    • [dev-1.31] KEP-3619: Fine-grained SupplementalGroups control website#46920
    • blog post for KEP-3619: Fine-grained SupplementalGroups control website#46921
  • contained (optional):
    • Fine-grained SupplementalGroups control containerd/containerd#9737
    • Implement RuntimeStatus.features.supplemental_groups_policy from KEP-3619 containerd/containerd#10410
  • CRI-O (optional):
    • server/*: add fine-grained SupplementalGroups control for enhanced security cri-o/cri-o#8268
    • KEP-3619: implement RuntimeStatus.features.supplemental_groups_policy cri-o/cri-o#8386
  • cri-tools (optional):
    • KEP-3619: Fine-grained SupplementalGroups control kubernetes-sigs/cri-tools#1438
• Beta: v1.33
  • KEP (k/enhancements) update PR(s):
    • KEP-3619: updated KEP with alpha release status, and added haircommander as a reviewer #4809
    • KEP-3619: updated Production Readiness Review Questionnaire for beta release #4895
    • KEP-3619: update latest-milestone to v1.33 #5165
  • Code (k/k) update PR(s):
    • KEP-3619: Promote SupplementalGroupsPolicy feature to Beta kubernetes#130210
  • Docs (k/website) update(s):
    • [dev-1.33] KEP-3619: Promote Fine-grained SupplementalGroups control to Beta website#49880
    • blog post for KEP-3619: Fine-grained SupplementalGroups control graduates to beta website#49944
  • cri-tools (optional)
    • KEP-3619: Support RuntimeFeatures(.features) in "crictl info" command kubernetes-sigs/cri-tools#1772
• Stable: v1.35
  • KEP (k/enhancements) update PR(s):
    • KEP-3619: Graduate "Fine-grained SupplementalGroups control" To GA #5613
  • Code (k/k) update PR(s):
    • KEP-3619: Promote SupplementalGroupspolicy feature To GA kubernetes#135088
  • Docs (k/website) update(s):
    • [dev-1.35] KEP-3619: Promote Fine-grained SupplementalGroups control to GA  website#52860 no need to update the docs
    • blog post for KEP-3619: Fine-grained SupplementalGroups control graduates to GA website#52984

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

/assign
/sig node
/kind feature