Support for ambient capabilities in kubernetes.
Enhancement Description
- One-line enhancement description (can be used as a release note): Support ambient capabilities in kubernetes.
- Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/pull/2757
- Discussion Link: https://github.com/kubernetes/kubernetes/issues/56374
- Primary contact (assignee): @vinayakankugoyal
- Responsible SIGs: sig-security
- Enhancement target (which target equals to which milestone):
- Alpha release target (x.y): 1.24
- Beta release target (x.y):
- Stable release target (x.y):
- [ ] Alpha
  - [ ] KEP (k/enhancements) update PR(s):
    - [ ] https://github.com/kubernetes/enhancements/pull/2757
  - [ ] Code (k/k) update PR(s):
  - [ ] Docs (k/website) update PR(s):
- [ ] KEP (
Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.
/sig security
/assign @vinayakankugoyal
/milestone 1.23
@vinayakankugoyal: You must be a member of the kubernetes/milestone-maintainers GitHub team to set the milestone. If you believe you should be able to issue the /milestone command, please contact your and have them propose you as an additional delegate for this responsibility.
In response to this:
/milestone 1.23
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Hello @vinayakankugoyal, 1.23 Enhancements shadow here. Just checking in as we approach enhancements freeze on Thursday 09/09. Here's where this enhancement currently stands:
- [ ] KEP file using the latest template has been merged into the k/enhancements repo.
- [ ] KEP status is marked as implementable
- [ ] KEP has a test plan section filled out.
- [ ] KEP has up to date graduation criteria.
- [ ] KEP has a production readiness review that has been completed and merged into k/enhancements.
Starting with 1.23, we have implemented a soft freeze on production readiness reviews beginning on Thursday 09/02. If your enhancement needs a PRR, please make sure to try and complete it by that date!
For this enhancement, it looks like we need the following to be updated in the PR https://github.com/kubernetes/enhancements/pull/2757:
- KEP status marked as implementable.
- KEP's test plan section filled out
- A completed PRR for the alpha release
Thanks!
Hello @vinayakankugoyal, 1.23 Enhancements shadow here. Just checking in once again as we get closer to the enhancements freeze on Thursday 09/09. Here's where this enhancement currently stands:
- [ ] KEP file using the latest template has been merged into the k/enhancements repo.
- [ ] KEP status is marked as implementable
- [ ] KEP has a test plan section filled out.
- [ ] KEP has up to date graduation criteria.
- [ ] KEP has a production readiness review that has been completed and merged into k/enhancements.
For this enhancement, we need the following to be updated in the PR https://github.com/kubernetes/enhancements/pull/2757 to be tracked under the kubernetes 1.23 release:
- KEP status must be marked as implementable.
- KEP's test plan section filled out
- Update the kep.yaml file in the PR to fill all the TODO/TBC/TBD placeholders.
- Add the PRR file for the alpha release stage & have it merged into the k/enhancements repo
Thanks!
Whoops, completely missed your previous messages. Sorry about that! We are still discussing what the K8S API changes would look like; we need to figure those out before we can mark this as implementable. I don't think we would be able to meet the KEP deadline as the SIG security meeting is on 09/09.
@vinayakankugoyal , thank you so much for providing more information on the current status of the enhancement.
We are still discussing what the K8S API changes would look like; we need to figure those out before we can mark this as implementable. I don't think we would be able to meet the KEP deadline as the SIG security meeting is on 09/09.
As stated above, since this enhancement would not be able to meet the requirements by the enhancements freeze, would it be alright if I removed the 1.23 release milestone for now?
And when you have more information in favor of marking it as implementable, you could raise an exception request for the enhancement?
Thanks once again. :)
@vinayakankugoyal, Thanks for the confirmation. I'll remove the 1.23 release milestone.
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.
This bot triages issues and PRs according to the following rules:
- After 90d of inactivity, lifecycle/stale is applied
- After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
- After 30d of inactivity since lifecycle/rotten was applied, the issue is closed
You can:
- Mark this issue or PR as fresh with /remove-lifecycle stale
- Mark this issue or PR as rotten with /lifecycle rotten
- Close this issue or PR with /close
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
/remove-lifecycle stale
Hi @vinayakankugoyal! 1.24 Enhancements team here. Just checking in as we approach enhancements freeze at 18:00 PT on Thursday Feb 3rd. This enhancement is targeting beta for 1.24, is that correct?
Here’s where this enhancement currently stands:
- [ ] Updated KEP file using the latest template has been merged into the k/enhancements repo - this will be KEP file with test plan filled out
- [x] KEP status is marked as implementable for this release with latest-milestone: 1.24
- [ ] KEP has a test plan section filled out.
- [x] KEP has up to date graduation criteria.
- [ ] KEP has a production readiness review that has been completed and merged into k/enhancements.
The status of this enhancement is tracked as at risk. Please update this issue description to reflect the enhancement's target.
Thanks!
Hello @gracenng - This KEP is targeting alpha for 1.24. I have updated the description to reflect the current status. Thanks!
@vinayakankugoyal can you please update your PR to ensure that the KEP is marked implementable and not provisional? It has me listed as the PRR approver but I did not review this.
Hi @vinayakankugoyal , 1.24 Enhancements Team here.
Reaching out as we're less than a week away from Enhancement Freeze on Thursday, February 3rd.
There's no update for this enhancement since last checkin, let me know if I missed anything.
Current status is at risk
We still haven't agreed upon the field to mark it implementable. I am going to remove it from milestone.
/remove milestone 1.24
/milestone clear
I just noticed this is owned by SIG-Security, but the sig-security charter explicitly states that
SIG Security does not own any Kubernetes cluster component code
https://github.com/kubernetes/community/blob/master/sig-security/charter.md#out-of-scope
I think this feature should probably be owned by SIG-Node, with SIG-Security as a participating SIG.
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.
This bot triages issues and PRs according to the following rules:
- After 90d of inactivity, lifecycle/stale is applied
- After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
- After 30d of inactivity since lifecycle/rotten was applied, the issue is closed
You can:
- Mark this issue or PR as fresh with /remove-lifecycle stale
- Mark this issue or PR as rotten with /lifecycle rotten
- Close this issue or PR with /close
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
/remove-lifecycle stale
/lifecycle frozen
/sig node
Link the related pr
- [v1.24] https://github.com/kubernetes/kubernetes/pull/104620
Are there any plans to make progress on this in the v1.26 cycle?
I would appreciate it if this KEP could get some love. At least this limitation should be documented in https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container, along with the current workaround of using setcap in the Dockerfile.
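To make the limitation and the setcap workaround mentioned above concrete, here is an added example in Go (not code from the KEP, from Kubernetes or from any OCI runtime). It parses the Cap* lines of a /proc/<pid>/status file and applies the execve capability transition rules documented in capabilities(7) to three scenarios: a non-root entrypoint with an empty ambient set (capabilities silently lost), the same binary after `setcap cap_net_bind_service=+ep` (the workaround), and the same process with the capability raised into the ambient set (what this enhancement would give the runtime a way to express). The status excerpt is constructed for the example, with the bounding set trimmed to a single bit; the capability numbers come from linux/capability.h.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// CapSets holds the five per-thread capability sets as 64-bit masks,
// as exposed by the CapInh/CapPrm/CapEff/CapBnd/CapAmb lines of /proc/<pid>/status.
type CapSets struct {
	Inheritable, Permitted, Effective, Bounding, Ambient uint64
}

// FileCaps models what setcap(8) attaches to an executable:
// permitted set (fP), inheritable set (fI) and the effective flag (fE).
type FileCaps struct {
	Permitted, Inheritable uint64
	Effective              bool
}

// Cap returns the mask bit for capability number n (linux/capability.h numbering).
func Cap(n uint) uint64 { return uint64(1) << n }

// A handful of capability names, enough for the demo; others print as cap_<n>.
var capNames = map[uint]string{
	0: "cap_chown", 6: "cap_setgid", 7: "cap_setuid", 10: "cap_net_bind_service",
	12: "cap_net_admin", 13: "cap_net_raw", 21: "cap_sys_admin",
}

// SampleStatus is a constructed /proc/<pid>/status excerpt, not captured from a
// real cluster: a uid 1000 container process whose runtime put CAP_NET_BIND_SERVICE
// (bit 10 = 0x400) in every set except the ambient set, the state this issue is about.
const SampleStatus = `Name:	server
Uid:	1000	1000	1000	1000
CapInh:	0000000000000400
CapPrm:	0000000000000400
CapEff:	0000000000000400
CapBnd:	0000000000000400
CapAmb:	0000000000000000
`

// ParseCapSets extracts the five Cap* lines from status-file text and fails if any is missing.
func ParseCapSets(status string) (CapSets, error) {
	var cs CapSets
	fields := map[string]*uint64{"CapInh": &cs.Inheritable, "CapPrm": &cs.Permitted,
		"CapEff": &cs.Effective, "CapBnd": &cs.Bounding, "CapAmb": &cs.Ambient}
	for _, line := range strings.Split(status, "\n") {
		key, val, ok := strings.Cut(line, ":")
		dst := fields[key]
		if !ok || dst == nil {
			continue
		}
		v, err := strconv.ParseUint(strings.TrimSpace(val), 16, 64)
		if err != nil {
			return cs, fmt.Errorf("%s: %w", key, err)
		}
		*dst = v
		delete(fields, key)
	}
	if len(fields) != 0 {
		return cs, fmt.Errorf("%d Cap* lines missing from status", len(fields))
	}
	return cs, nil
}

// ExecTransition applies the execve(2) rules from capabilities(7):
//   P'(ambient)   = file privileged ? 0 : P(ambient)
//   P'(permitted) = (P(inheritable) & fI) | (fP & P(bounding)) | P'(ambient)
//   P'(effective) = fE ? P'(permitted) : P'(ambient)
// rootExec models uid 0 running a binary without file caps: the kernel then treats
// fP and fI as all-ones with fE set (SECBIT_NOROOT not set), which is why the
// problem only shows up for non-root users.
func ExecTransition(p CapSets, f FileCaps, rootExec bool) CapSets {
	privileged := f.Permitted != 0 || f.Inheritable != 0
	if rootExec {
		f = FileCaps{Permitted: ^uint64(0), Inheritable: ^uint64(0), Effective: true}
	}
	n := CapSets{Inheritable: p.Inheritable, Bounding: p.Bounding}
	if !privileged {
		n.Ambient = p.Ambient
	}
	n.Permitted = (p.Inheritable & f.Inheritable) | (f.Permitted & p.Bounding) | n.Ambient
	if f.Effective {
		n.Effective = n.Permitted
	} else {
		n.Effective = n.Ambient
	}
	return n
}

// CapNames lists the set bits of mask by name, lowest number first.
func CapNames(mask uint64) []string {
	var out []string
	for n := uint(0); n < 64; n++ {
		if mask&Cap(n) != 0 {
			name, ok := capNames[n]
			if !ok {
				name = fmt.Sprintf("cap_%d", n)
			}
			out = append(out, name)
		}
	}
	return out
}

func main() {
	p, err := ParseCapSets(SampleStatus)
	if err != nil {
		panic(err)
	}
	fmt.Println("before exec:      ", CapNames(p.Effective))
	// 1. Non-root entrypoint, no file caps, empty ambient set: everything is lost.
	fmt.Println("plain binary:     ", CapNames(ExecTransition(p, FileCaps{}, false).Effective))
	// 2. Workaround from the thread: setcap cap_net_bind_service=+ep on the binary.
	fmt.Println("setcap'd binary:  ", CapNames(ExecTransition(p, FileCaps{Permitted: Cap(10), Effective: true}, false).Effective))
	// 3. Capability raised into the ambient set before exec: survives without file caps.
	amb := p
	amb.Ambient = Cap(10)
	fmt.Println("ambient set:      ", CapNames(ExecTransition(amb, FileCaps{}, false).Effective))
}
```

On a live pod the same parser can be pointed at /proc/1/status of the container to confirm whether CapAmb is empty, which is the quickest way to tell whether a capability added via securityContext will actually be effective for a non-root entrypoint. The model deliberately ignores securebits, user namespaces and the capability-version details of file caps; the rule that matters for this thread is that a capability survives execve for a non-root user only if it is in the ambient set or in the file's capability bits.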