[EXCEPTION REQUEST] DRA: Resource Claim Status with possible standardized network interface data
162 views
Skip to first unread message
Antonio Ojea
Mar 17, 2026, 5:41:06 PMMar 17
to sig-node, sig-n...@kubernetes.io, release-team, kubernetes-sig-release
- Enhancement name: DRA: Resource Claim Status with possible standardized network interface data
- Enhancement status (alpha/beta/stable): beta
- SIG: Node , Network
- k/enhancements repo issue #: https://github.com/kubernetes/enhancements/issues/4817
- PR #’s: https://github.com/kubernetes/kubernetes/pull/134947
- Additional time needed (in calendar days, due end of day AoE): 7 days to handle the roundtrip of reviews during kubecon on the existing PR.
- Reason this enhancement is critical for this milestone: This enhancement is critical for 1.36 because there are downstream features actively depending on these standardized network attributes to build upon. We originally planned to graduate this feature to stable in 1.35, but late in that cycle, SIG Auth identified a security gap in the underlying DRA design regarding how the status object is updated. We must address this DRA security issue in 1.36 so we can safely graduate the feature to stable without security issues, and consequently unblock the dependent features waiting on this standard.
- Risks from adding code late: (to k8s stability, testing, etc.): The risk to Kubernetes stability is low. The code is focused on the authorization logic required to modify the status object. There are no changes to functional behavior, and the code is localized to this specific object, minimizing the blast radius.
- Risks from cutting enhancement: (partial implementation, critical customer usecase, etc.): Because this feature is Beta and enabled by default, cutting it can cause a backward compatibility risk. If third-party projects and DRA drivers start depending on the current permissive behavior, making the authorization stricter later will cause breaking changes across the ecosystem.
Mo Khan
Mar 18, 2026, 12:28:41 PMMar 18
to Antonio Ojea, sig-node, sig-n...@kubernetes.io, release-team, kubernetes-sig-release, sig-...@kubernetes.io, kubernete...@googlegroups.com
+1 from me, this is an important security gap to resolve before GA.
--
You received this message because you are subscribed to the Google Groups "sig-node" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sig-node+u...@kubernetes.io.
To view this discussion visit https://groups.google.com/a/kubernetes.io/d/msgid/sig-node/CABhP%3DtbYGLGxANYJ%3DPqZKdEh0_M%3DcU_WfaHyxNStgZPF7RP07Q%40mail.gmail.com.
You received this message because you are subscribed to the Google Groups "sig-node" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sig-node+u...@kubernetes.io.
To view this discussion visit https://groups.google.com/a/kubernetes.io/d/msgid/sig-node/CABhP%3DtbYGLGxANYJ%3DPqZKdEh0_M%3DcU_WfaHyxNStgZPF7RP07Q%40mail.gmail.com.
Mrunal
Mar 18, 2026, 3:41:24 PMMar 18
to Patrick Ohly, Antonio Ojea, sig-node, sig-n...@kubernetes.io, release-team, kubernetes-sig-release
+1 from sig-node.
On Wed, Mar 18, 2026 at 11:24 AM Patrick Ohly <patric...@intel.com> wrote:
Antonio Ojea <antonio.o...@gmail.com> writes:
> - Reason this enhancement is critical for this milestone: This
> enhancement is critical for 1.36 because there are downstream features
> actively depending on these standardized network attributes to build upon.
> We originally planned to graduate this feature to stable in 1.35, but late
> in that cycle, SIG Auth identified a security gap in the underlying DRA
> design regarding how the status object is updated. We must address this DRA
> security issue in 1.36 so we can safely graduate the feature to stable
> without security issues, and consequently unblock the dependent features
> waiting on this standard.
+1
--
Best Regards
Patrick Ohly
Cloud Software Architect
--
You received this message because you are subscribed to the Google Groups "sig-node" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sig-node+u...@kubernetes.io.
To view this discussion visit https://groups.google.com/a/kubernetes.io/d/msgid/sig-node/yrjh7br9uhbh.fsf%40pohly-mobl1.fritz.box.
Patrick Ohly
Mar 18, 2026, 3:41:24 PMMar 18
to Antonio Ojea, sig-node, sig-n...@kubernetes.io, release-team, kubernetes-sig-release
Antonio Ojea <antonio.o...@gmail.com> writes:
> - Reason this enhancement is critical for this milestone: This
> - Reason this enhancement is critical for this milestone: This
> enhancement is critical for 1.36 because there are downstream features
> actively depending on these standardized network attributes to build upon.
> We originally planned to graduate this feature to stable in 1.35, but late
> in that cycle, SIG Auth identified a security gap in the underlying DRA
> design regarding how the status object is updated. We must address this DRA
> security issue in 1.36 so we can safely graduate the feature to stable
> without security issues, and consequently unblock the dependent features
> waiting on this standard.
> actively depending on these standardized network attributes to build upon.
> We originally planned to graduate this feature to stable in 1.35, but late
> in that cycle, SIG Auth identified a security gap in the underlying DRA
> design regarding how the status object is updated. We must address this DRA
> security issue in 1.36 so we can safely graduate the feature to stable
> without security issues, and consequently unblock the dependent features
> waiting on this standard.
Ryota
Mar 20, 2026, 11:10:16 PMMar 20
to release-team, Mrunal, Antonio Ojea, sig-node, sig-n...@kubernetes.io, release-team, kubernetes-sig-release, Patrick Ohly
Hi all,
The release team is APPROVING this exception request for KEP-4817 based on the discussion in the Slack thread[0].
Given KubeCon EU is taking place in the week of 23rd March, we are accepting longer extension than usual.
Based on the 7 calendar day extension, your updated deadline to merge code + test PRs for this KEP is:
Wednesday, 25th March, 2026 (Anywhere-on-Earth) / 12:00 UTC on Thursday, 26th March, 2026
Thanks,
Ryota Sawada
v1.36 Release Team Lead
[0]: https://kubernetes.slack.com/archives/C2C40FMNF/p1773913381542249
The release team is APPROVING this exception request for KEP-4817 based on the discussion in the Slack thread[0].
Given KubeCon EU is taking place in the week of 23rd March, we are accepting longer extension than usual.
Based on the 7 calendar day extension, your updated deadline to merge code + test PRs for this KEP is:
Wednesday, 25th March, 2026 (Anywhere-on-Earth) / 12:00 UTC on Thursday, 26th March, 2026
Thanks,
Ryota Sawada
v1.36 Release Team Lead
[0]: https://kubernetes.slack.com/archives/C2C40FMNF/p1773913381542249
Antonio Ojea
Mar 26, 2026, 10:23:58 AM (14 days ago) Mar 26
to Ryota, release-team, Mrunal, sig-node, sig-n...@kubernetes.io, kubernetes-sig-release, Patrick Ohly
Hi folks,
I'd like to ask if we can extend the exception one day more, just until tomorrow Friday 27th March, 2026 20.00 CET.
I honestly underestimated my availability during kubecon.
Please let me know
Jordan Liggitt
Mar 26, 2026, 10:28:37 AM (14 days ago) Mar 26
to Antonio Ojea, Ryota, release-team, Mrunal, sig-node, sig-n...@kubernetes.io, kubernetes-sig-release, Patrick Ohly
+1 to the one day extension request, both @enj and I are fully engaged in the review, and the PR is down to one last behavioral tweak and finalizing the added test. I'm confident it will be ready for merge today.
You received this message because you are subscribed to the Google Groups "kubernetes-sig-release" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-sig-re...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/kubernetes-sig-release/CABhP%3DtaO0ZUe9NiEngsGnSDs9LT9Mw%3DkNy8jxW1LtDKQEOascg%40mail.gmail.com.
Jordan Liggitt
Mar 26, 2026, 8:31:28 PM (13 days ago) Mar 26
to Ryota, release-team, Mrunal, sig-node, sig-n...@kubernetes.io, kubernetes-sig-release, Patrick Ohly, Antonio Ojea
Thanks, the code PR merged earlier today and the docs PR is open, has tech lgtm and is being reviewed by docs reviewers now.
On Thu, Mar 26, 2026 at 8:02 PM Ryota <ryt...@gmail.com> wrote:
Hi Antonio, Jordan,As discussed on the Slack thread, we are making a 24 hour extension as an exception.Please note that, as mentioned, we will not accept any further exception, including the Docs deadline to get PR ready for review, which is coming up on Tuesday next week.Thanks,Ryota
Ryota
Mar 27, 2026, 2:08:38 PM (12 days ago) Mar 27
to release-team, Jordan Liggitt, Ryota, release-team, Mrunal, sig-node, sig-n...@kubernetes.io, kubernetes-sig-release, Patrick Ohly, Antonio Ojea
Hi Antonio, Jordan,
As discussed on the Slack thread, we are making a 24 hour extension as an exception.
Please note that, as mentioned, we will not accept any further exception, including the Docs deadline to get PR ready for review, which is coming up on Tuesday next week.
Thanks,
Ryota
On Thursday, 26 March 2026 at 14:28:33 UTC Jordan Liggitt wrote:
Reply all
Reply to author
Forward
0 new messages