Exception request for KEP-127: Add support for user namespaces

[Rodrigo Campos]

Here are the details for our request.

Enhancement name: Add support for user namespaces
Enhancement status (alpha/beta/stable): alpha (merging this release)
SIG: sig-node
k/enhancements repo issue #: 127
PR #’s: https://github.com/kubernetes/kubernetes/pull/111090
Additional time needed (in days): 4
Reason this enhancement is critical for this milestone:
This feature needs to be implemented in k8s and container runtimes.
If we don't make it for k8s 1.25 release, we will not be able to merge
in containerd 1.7 (scheduled to ~October 2022). The next containerd
minor release (new features can't be merged in patch releases) is not
clear when it is, but at least several months in 2023 (probably more
than just "a few").
This means users adoption will be very much delayed. And as this
enhancement increases the security of k8s deployments significantly when
used, this is far from ideal.

This first phase also allows us to work on next phases soon (as phase
II doesn't need changes on container runtimes). Also, we are planning to
use this feature in Azure.

Risks from adding code late: (to k8s stability, testing, etc.)
Low, it is an alpha feature disabled by default. Unit tests are
passing since the PR was open 20+ days ago. e2e tests are ignored on CI,
so no risks there, although we provided good e2e tests that we verified
locally. It is disabled on CI because we need support in container
runtimes to test this. As this is not yet merged on container runtimes
(as it is present in a container final release yet), CI doesn't run
these e2e tests.

Risks from cutting enhancement: (partial implementation, critical
customer usecase, etc.)
We risk delaying significant benefits to users security, as we will
miss merging into containerd 1.7, this means significant (6-8+ months)
slow down of adoption and slowing down also the graduation of the
feature (we need user feedback to graduate with confidence).

[Rodrigo Campos]

On 8/2/22 18:53, Rodrigo Campos wrote:
> Here are the details for our request.
>
> Enhancement name: Add support for user namespaces
> Enhancement status (alpha/beta/stable): alpha (merging this release)

We've also discussed with Derek and Mrunal to reduce the scope of the
KEP, to remove all the concerns that come up about future phases (not
phase 1, that is what is implemented in 1.25)

Will update here with the details of that in a few minutes.


Thanks!

[Rodrigo Campos]

We just discussed this on SIG-node and decided to reduce the scope of
the KEP to just stateless pods. I'll update the KEP with this info too
(8:30pm here, will do it tomorrow).

There are several reasons to do this:

1. We expect this will remove most of the concerns some reviewers
expressed about how this feature can graduate to beta and GA.

2. Removing stateful pods from the scope doesn't change the
implementation PR of stateless pods (PR linked in the exception request).

3. Having support for userns in stateless pods is an end on itself and
very valuable. Red Hat already allows this with annotations today and
Derek mentioned it is very valuable to allow this across all the
runtimes too.

4. This buys us more time to figure out the details that reviewers want
to see for volumes support. This will be pursued in a different KEP,
when those details are finalized.


With that in mind, we ask for exception so the pending reviews can
happen with this scope change and changes needed are addressed in the
coming days.



Best,
Rodrigo

[Michael Taufen]

> If we don't make it for k8s 1.25 release, we will not be able to merge
> in containerd 1.7 (scheduled to ~October 2022). 

It looks like the PR covers implementation in Kubelet too? Would it facilitate the review/exception

to scope the PR to just the CRI changes that are needed to make progress in runtimes?

(Or at least to help GitHub display the files, instead of errors ;)

--
You received this message because you are subscribed to the Google Groups "kubernetes-sig-release" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-sig-re...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-sig-release/8f4ec999-b1a5-3d29-82ad-0225fa8d4eb8%40sdfg.com.ar.

--

NO TO WAR. go/give-ukraine

Michael Taufen

Google SWE

[Rodrigo Campos]

On 8/2/22 21:47, 'Michael Taufen' via kubernetes-sig-node wrote:
> > If we don't make it for k8s 1.25 release, we will not be able to merge
> > in containerd 1.7 (scheduled to ~October 2022).
>
> It looks like the PR covers implementation in Kubelet too? Would it
> facilitate the review/exception
> to scope the PR to just the CRI changes that are needed to make progress
> in runtimes?
> (Or at least to help GitHub display the files, instead of errors ;)

Thanks! But the CRI changes were already merged:
https://github.com/kubernetes/kubernetes/pull/110535 :)

I'm not sure that will help runtimes, it really depends on the reason
this is rejected.

I had merged the CRI update in containerd already
(https://github.com/containerd/containerd/pull/7114), but depending the
reason this is rejected the most sensible thing might be to revert that
containerd patch and just try again if Kubernetes merges userns in the
future.

The cost of that, due to release timing, would be lot of delay for users
as I mentioned in the exception.

Thanks anyways for the idea! :)


Best,
Rodrigo

[Michael Taufen]

> the CRI changes were already merged

nice! :)

> depending the reason this is rejected the most 

> sensible thing might be to revert that containerd 

> patch and just try again if Kubernetes merges 

> userns in the future

Was there anything we're especially concerned 

about needing to change in the existing CRI API, or 

we're mostly confident but considering the possibility 

that something comes up?

Thanks for the additional details :)

Mike

--
You received this message because you are subscribed to the Google Groups "kubernetes-sig-release" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-sig-re...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-sig-release/9128a94e-8954-970a-caca-84ddb4edb4cc%40sdfg.com.ar.

[Cici Huang]

Hi all,

Following discussion in Slack the release team is APPROVING this exception request. Your updated deadline to make any changes to your PR is 10:00 AM PST Monday 8th August 2022, which is four working days from the exception filed.

If you have any questions, please reach out to us in the #sig-release Slack channel.

Thanks,

Cici Huang,

1.25 Release Team Lead

[Rodrigo Campos]

On 8/3/22 20:43, Michael Taufen wrote:
> > depending the reason this is rejected the most
> > sensible thing might be to revert that containerd
> > patch and just try again if Kubernetes merges
> > userns in the future
>
> Was there anything we're especially concerned
> about needing to change in the existing CRI API, or
> we're mostly confident but considering the possibility
> that something comes up?

No, the CRI API is completely fine for stateless pods.

All the concerns are already solved, PR is lgtm and approved.

The exception has been granted too:
https://github.com/kubernetes/kubernetes/pull/111090#issuecomment-1204349069


Thanks again to everyone! :)

[Michael Taufen]

Woohoo! Congrats, great to see this merge and move forward :D

[Rodrigo Campos]

On 8/4/22 00:48, 'Michael Taufen' via kubernetes-sig-release wrote:
> Woohoo! Congrats, great to see this merge and move forward :D

Thanks! :-D