Code Freeze Exception for KEP-2535

Standa Láznička

Nov 5, 2025, 9:20:44 AM
to sig-...@kubernetes.io, sig-...@kubernetes.io, releas...@kubernetes.io, kubernetes-...@googlegroups.com
Enhancement name: Ensure secret pulled images
Enhancement status (alpha/beta/stable): alpha->beta
SIG: sig-node
k/enhancements repo issue #: https://github.com/kubernetes/enhancements/issues/2535
PR #'s:
- https://github.com/kubernetes/kubernetes/pull/133114 - bugfix, lgtm-ed, needs an approver review
- https://github.com/kubernetes/kubernetes/pull/132812 - metrics, lgtm-ed before, needs an approver review
- https://github.com/kubernetes/kubernetes/pull/134931 - e2e tests, lgtm-ed, needs an approver review
- https://github.com/kubernetes/kubernetes/pull/132579 - type move to beta, lgtm-ed, waiting for all other PRs
- https://github.com/kubernetes/kubernetes/pull/134971 - FG move to Beta, waiting for all PRs above
Additional time needed (in calendar days): 14 (5 + 9 for KubeCon)
Reason this enhancement is critical for this milestone: This feature fixes a security concern that was originally reported at the end of 2015 - https://github.com/kubernetes/kubernetes/issues/18787, and has been originally drafted in 2021. Delaying the Beta further delays the time it takes for the security fix this feature represents to land.
Risks from adding code late: (to k8s stability, testing, etc.): Low - all the in-flight code has gone through reviews and has high and targeted unit test coverage, e2e tests are part of the code to be merged.
Risks from cutting enhancement: (partial implementation, critical customer usecase, etc.) We need all of the code to merge in order to be able to move to Beta successfully, otherwise we're facing the risk of a further security fix delay as described in `Reason this enhancement is critical for this milestone`.

Standa Láznička

Nov 6, 2025, 11:20:16 AM
to sig-node, Standa Láznička, sig-...@kubernetes.io, releas...@kubernetes.io, kubernetes-...@googlegroups.com
Correcting the title, this is an exception request

Monis Khan

Nov 7, 2025, 10:01:27 AM
to sig-auth, stan...@gmail.com, sig-...@kubernetes.io, releas...@kubernetes.io, kubernetes-...@googlegroups.com, sig-node
+1 from me, this is a long-standing security issue that impacts every multi-tenant cluster using any private images. PRs have already been reviewed by SIG Auth folks (and some SIG node leads) and mostly need reviews from SIG node approvers.

Jordan Liggitt

Nov 7, 2025, 10:19:31 AM
to sig-auth, i...@monis.app, stan...@gmail.com, sig-...@kubernetes.io, releas...@kubernetes.io, kubernetes-...@googlegroups.com, sig-node
I'm +1 on the exception, but not a 14-day extension. Beta would default on a behavior we want to ensure we have several weeks of soak to observe before release.

It looks like the only PR needing review at this point is https://github.com/kubernetes/kubernetes/pull/134931, the e2e test PR?

The other two (config API promotion and gate promotion) are already reviewed, just need rebase and are waiting for the e2e PR to merge.

If the e2e PR can be reviewed today, and all three PRs can be merged by Monday, that seems more reasonable to me.

Kat Cosgrove

Nov 7, 2025, 10:27:24 AM
to Jordan Liggitt, sig-auth, i...@monis.app, stan...@gmail.com, releas...@kubernetes.io, kubernetes-...@googlegroups.com, sig-node
A 14-day extension is not reasonable IMO. That would have this landing the week before we start cutting RCs. I agree with Jordan, Monday is a reasonable target. It's unfortunate that KubeCon interacts with releases, but it is not something we can avoid.

Drew Hagen

Nov 9, 2025, 8:59:41 PM
to kubernetes-sig-release
Hi all,

We've discussed this more in Slack and decided to trim down this proposed extension period considerably: from 14 days down to 3 business days.

The release team is APPROVING this exception request based on the discussion in the Slack thread[0]. Your updated deadline to merge code+test PRs for this KEP is: end of Day AoE Tuesday Nov 11th / 12:00 UTC Nov 12th.
If you need any clarification, please feel free to reach out to us in the #sig-release Slack channel.

Thanks,
Drew Hagen
v1.35 Release Team Lead

[0] https://kubernetes.slack.com/archives/C2C40FMNF/p1762547634579149 

Drew Hagen

Nov 12, 2025, 12:59:04 PM
to kubernetes-sig-release
Hello all 👋, v1.35 Release Lead here.

With all the following implementation (code-related) PRs merged per the KEP's issue description:

- kubelet: add metrics for EnsureImageExists kubernetes#132644
- KEP-2535: move objects to beta, add storage version migration to filesystem cache kubernetes#132579
- Mark KubeletEnsureSecretPulledImages feature gate as beta kubernetes#135228
- Enable image pull credential verification with service account–based credential providers kubernetes#132771
- kubelet: add metrics related to image pull records kubernetes#132812
- In-memory caching for node image access multitenancy kubernetes#131882
- Benchmarks for node image access multitenancy kubernetes#131864

This enhancement is now marked as Tracked for code freeze for the v1.35 Code Freeze!

Please note that KEPs targeting stable need to have the status field marked as implemented in the kep.yaml file after code PRs are merged.

Docs PR Ready For Review deadline is on Tuesday Nov 18th, so please make sure the docs are ready to review by then. This exception request approval does NOT change/alter any of the docs deadlines.


Thanks,
Drew Hagen
v1.35 Release Team Lead