Release Exception for KEP-3104

[Peter Engelbert]

• Enhancement name:
• Add client-go credential plugin to kuberc
• Enhancement status (alpha/beta/stable):
• beta
• SIG:
• sig-cli, sig-auth, sig-api-machinery
• k/enhancements repo issue #:
• #3104
• PR #’s:
• https://github.com/kubernetes/kubernetes/pull/134870
• Additional time needed (in calendar days, due end of day AoE):
• 5 (depending on reviewer availability)
• Reason this enhancement is critical for this milestone: 
• Not critical - Beta feature launch
• Risks from adding code late:
• Low: All feature code is behind a Beta API
• Risks from cutting enhancement:
• Lengthened timeline on useful user security knob
• Enhancement proposal approved for 1.35

Additional time will be used by reviewers from sig-auth and sig-api-machinery who need to weigh in, as well as myself in addressing feedback from the additional reviews.

[Peter Engelbert]

I am resending this since one of the email addresses had a typo, thereby splitting the thread.

• Enhancement name:
• Add client-go credential plugin allowlist to kuberc

[Monis Khan]

+1 from me, this is off by default behavior that fixes a long standing security issue with client-go credential plugins.

[Maciej Szulik]

As one of sig-cli leads I'm also supportive of this exception +1. 

--
You received this message because you are subscribed to the Google Groups "kubernetes-sig-release" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-sig-re...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/kubernetes-sig-release/213a2b44-2e6b-4105-8e39-5c93708afeafn%40kubernetes.io.

[Jordan Liggitt]

I think the exception request is reasonable:

• impactful functionality to make available
• off-by-default / opt-in, ~no risk to users who don't opt into the new feature, no change in default behavior
• a bounded timeline for the exception (EOD Tuesday, 11/11)
• several rounds of detailed reviews from sig-cli, sig-auth, and API reviewers have already been completed; I suspect we're down to one more round of updates required

That said, I am not confident I'll have review time to give the updates it between now and Tuesday.

I'm +1 on approving the exception and trying to get it in, but if it isn't merged by EOD Tuesday, it will just miss (we wouldn't extend the exception because of reviewer availability).

[Jordan Liggitt]

The PR is updated, re-review is complete and the PR is ready to merge once this exception request is confirmed

[Drew Hagen]

Hi all,

The release team is APPROVING this exception request based on the discussion in the Slack thread[0]. Your updated deadline to merge code+test PRs for this KEP is: end of Day AoE Thurday Nov 13th / 12:00 UTC  Nov 14th.
If you need any clarification, please feel free to reach out to us in the #sig-release Slack channel.

Thanks,
Drew Hagen
v1.35 Release Team Lead

[0] https://kubernetes.slack.com/archives/C2C40FMNF/p1762644118283009