[EXCEPTION REQUEST] DRA: Resource Claim Status with possible standardized network interface data

Antonio Ojea

Mar 17, 2026, 5:41:06 PM (3 days ago) Mar 17
to sig-node, sig-n...@kubernetes.io, release-team, kubernetes-sig-release
  • Enhancement name: DRA: Resource Claim Status with possible standardized network interface data
  • Enhancement status (alpha/beta/stable): beta
  • SIG: Node, Network
  • k/enhancements repo issue #: https://github.com/kubernetes/enhancements/issues/4817
  • PR #’s: https://github.com/kubernetes/kubernetes/pull/134947
  • Additional time needed (in calendar days, due end of day AoE): 7 days to handle the roundtrip of reviews during KubeCon on the existing PR.
  • Reason this enhancement is critical for this milestone: This enhancement is critical for 1.36 because there are downstream features actively depending on these standardized network attributes to build upon. We originally planned to graduate this feature to stable in 1.35, but late in that cycle, SIG Auth identified a security gap in the underlying DRA design regarding how the status object is updated. We must address this DRA security issue in 1.36 so we can safely graduate the feature to stable without security issues, and consequently unblock the dependent features waiting on this standard.
  • Risks from adding code late: (to k8s stability, testing, etc.): The risk to Kubernetes stability is low. The code is focused on the authorization logic required to modify the status object. There are no changes to functional behavior, and the code is localized to this specific object, minimizing the blast radius.
  • Risks from cutting enhancement: (partial implementation, critical customer use case, etc.): Because this feature is Beta and enabled by default, cutting it can cause a backward compatibility risk. If third-party projects and DRA drivers start depending on the current permissive behavior, making the authorization stricter later will cause breaking changes across the ecosystem.

Mo Khan

Mar 18, 2026, 11:47:15 AM (2 days ago) Mar 18
to Antonio Ojea, sig-node, sig-n...@kubernetes.io, release-team, kubernetes-sig-release, sig-...@kubernetes.io, kubernete...@googlegroups.com
+1 from me, this is an important security gap to resolve before GA.



--
You received this message because you are subscribed to the Google Groups "sig-node" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sig-node+u...@kubernetes.io.
To view this discussion visit https://groups.google.com/a/kubernetes.io/d/msgid/sig-node/CABhP%3DtbYGLGxANYJ%3DPqZKdEh0_M%3DcU_WfaHyxNStgZPF7RP07Q%40mail.gmail.com.

Patrick Ohly

Mar 18, 2026, 2:24:30 PM (2 days ago) Mar 18
to Antonio Ojea, sig-node, sig-n...@kubernetes.io, release-team, kubernetes-sig-release
Antonio Ojea <antonio.o...@gmail.com> writes:
> - Reason this enhancement is critical for this milestone: This
> enhancement is critical for 1.36 because there are downstream features
> actively depending on these standardized network attributes to build upon.
> We originally planned to graduate this feature to stable in 1.35, but late
> in that cycle, SIG Auth identified a security gap in the underlying DRA
> design regarding how the status object is updated. We must address this DRA
> security issue in 1.36 so we can safely graduate the feature to stable
> without security issues, and consequently unblock the dependent features
> waiting on this standard.

+1

--
Best Regards

Patrick Ohly
Cloud Software Architect

Mrunal

Mar 18, 2026, 2:32:53 PM (2 days ago) Mar 18
to Patrick Ohly, Antonio Ojea, sig-node, sig-n...@kubernetes.io, release-team, kubernetes-sig-release
+1 from sig-node.
