Code Freeze Exception for KEP-2535

Standa Láznička

Nov 5, 2025, 8:56:58 AM
to sig-...@kubernetes.io, sig-...@kubernetes.io, releas...@kubernetes.io, kubernetes-...@googlegroups.com
Enhancement name: Ensure secret pulled images
Enhancement status (alpha/beta/stable): alpha->beta
SIG: sig-node
k/enhancements repo issue #: https://github.com/kubernetes/enhancements/issues/2535
PR #’s:
- https://github.com/kubernetes/kubernetes/pull/133114 - bugfix, lgtm-ed, needs an approver review
- https://github.com/kubernetes/kubernetes/pull/132812 - metrics, lgtm-ed before, needs an approver review
- https://github.com/kubernetes/kubernetes/pull/134931 - e2e tests, lgtm-ed, needs an approver review
- https://github.com/kubernetes/kubernetes/pull/132579 - type move to beta, lgtm-ed, waiting for all other PRs
- https://github.com/kubernetes/kubernetes/pull/134971 - FG move to Beta, waiting for all PRs above
Additional time needed (in calendar days): 14 (5 + 9 for KubeCon)
Reason this enhancement is critical for this milestone: This feature fixes a security concern that was originally reported at the end of 2015 - https://github.com/kubernetes/kubernetes/issues/18787, and was originally drafted in 2021. Delaying the Beta further delays the time it takes for the security fix this feature represents to land.
Risks from adding code late: (to k8s stability, testing, etc.): Low - all the in-flight code has gone through reviews and has high and targeted unit test coverage, e2e tests are part of the code to be merged.
Risks from cutting enhancement: (partial implementation, critical customer usecase, etc.) We need all of the code to merge in order to be able to move to Beta successfully, otherwise we're facing the risk of a further security fix delay as described in `Reason this enhancement is critical for this milestone`.

Standa Láznička

Nov 6, 2025, 11:20:12 AM
to sig-node, Standa Láznička, sig-...@kubernetes.io, releas...@kubernetes.io, kubernetes-...@googlegroups.com
Correcting the title, this is an exception request

Monis Khan

Nov 7, 2025, 10:01:33 AM
to sig-auth, stan...@gmail.com, sig-...@kubernetes.io, releas...@kubernetes.io, kubernetes-...@googlegroups.com, sig-node
+1 from me, this is a long-standing security issue that impacts every multi-tenant cluster using any private images. PRs have already been reviewed by SIG Auth folks (and some SIG node leads) and mostly need reviews from SIG node approvers.

Jordan Liggitt

Nov 7, 2025, 10:19:32 AM
to sig-auth, i...@monis.app, stan...@gmail.com, sig-...@kubernetes.io, releas...@kubernetes.io, kubernetes-...@googlegroups.com, sig-node
I'm +1 on the exception, but not a 14-day extension. Beta would default on a behavior we want to ensure we have several weeks of soak to observe before release.

It looks like the only PR needing review at this point is https://github.com/kubernetes/kubernetes/pull/134931, the e2e test PR?

The other two (config API promotion and gate promotion) are already reviewed, just need rebase and are waiting for the e2e PR to merge.

If the e2e PR can be reviewed today, and all three PRs can be merged by Monday, that seems more reasonable to me.

Kat Cosgrove

Nov 7, 2025, 10:27:24 AM
to Jordan Liggitt, sig-auth, i...@monis.app, stan...@gmail.com, releas...@kubernetes.io, kubernetes-...@googlegroups.com, sig-node
A 14-day extension is not reasonable IMO. That would have this landing the week before we start cutting RCs. I agree with Jordan, Monday is a reasonable target. It's unfortunate that KubeCon interacts with releases, but it is not something we can avoid.