kubernetes-sigs
add sysched design KEP
What type of PR is this?
/kind feature
What this PR does / why we need it:
KEP for the design of SySched scoring plugin. Allows the scheduling of pods based on pods' system call profiles. Has the potential of using scheduling to enhance overall cluster security.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Some description of the plugin can be found in the mailing list: https://groups.google.com/g/kubernetes-sig-scheduling/c/fXTaIf4dbh8
We presented the proposal to the community on April 7, 2022 but it looks like the recording has not been uploaded.
@mvle: Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Welcome @mvle!
It looks like this is your first PR to kubernetes-sigs/scheduler-plugins 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.
You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.
You can also check if kubernetes-sigs/scheduler-plugins has its own contribution guidelines.
You may want to refer to our testing guide if you run into trouble with your tests not passing.
If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!
Thank you, and welcome to Kubernetes. :smiley:
Hi @mvle. Thanks for your PR.
I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.
Once the patch is verified, the new status will be reflected by the ok-to-test label.
I understand the commands that are listed here.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@Huang-Wei Curious to see if there are any other concerns or comments? I've updated the KEP based on your previous comment in case you haven't seen.
@mvle will review later this week (was on vacation last week). Meanwhile, I'd like a reviewer who is competent on k8s security to chime in.
@Huang-Wei can you recommend k8 security reviewers or how else we can proceed?
The proposed plugin is pretty self-contained. The security benefits are really dependent on many factors including cluster size, workload characteristics and other topological/performance requirements.
More than happy to discuss further over a different medium if so desired.
@Huang-Wei can you recommend k8 security reviewers or how else we can proceed?
If you're acquainted with someone in https://github.com/kubernetes-sigs/security-profiles-operator, getting thoughts from them would be super helpful.
The committers listed above are authorized under a signed CLA.
- :white_check_mark: login: mvle / name: Michael Le (eb779d07674be17e7e38692a9df1686588f8fa76, 31341e62872d483ef485a0ba1d0d4e48e00848ce, 6b10e61c487c0243bdb16385eb5eaf288bf784d5, 0087b93871f5ac4e9583b81b70636aae4cf49773)
![linux-foundation-easycla[bot] avatar](https://avatars.githubusercontent.com/in/17893?v=4 "Published by a pub.dev verified publisher"){kind=small}
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: mvle
Once this PR has been reviewed and has the lgtm label, please assign huang-wei for approval by writing /assign @huang-wei in a comment. For more information see:The Kubernetes Code Review Process.
The full list of commands accepted by this bot can be found here.
Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
@Huang-Wei Thanks for your comments! We've updated the KEP to incorporate your suggestions. Please take another look.
If you're acquainted with someone in https://github.com/kubernetes-sigs/security-profiles-operator, getting thoughts from them would be super helpful.
We are not acquainted but will seek their input on this KEP.
@saschagrunert Thank you for taking the time to review our KEP!
@Huang-Wei We've updated the KEP to incorporate your comments and also @saschagrunert (mainly to clarify what and how seccomp is used). Please take another look and let us know your thoughts.
@Huang-Wei Can you please let us know if you have further comments or concerns?
@Huang-Wei Thanks for the comments. Updated the KEP. Please check it out again.
@mvle thanks for the work again.
/lgtm /approve
/label tide/merge-method-squash
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: Huang-Wei, mvle
The full list of commands accepted by this bot can be found here.
The pull request process is described here
- ~~OWNERS~~ [Huang-Wei]
Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment