Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[KEP-2568] Production Readiness Review. #2620

Merged
merged 1 commit into from
Apr 29, 2021
Merged

[KEP-2568] Production Readiness Review. #2620

merged 1 commit into from
Apr 29, 2021

Conversation

vinayakankugoyal
Copy link
Contributor

KEP-2568 proposes that we run the kubeadm control-plane as non-root and follow other security best practices.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Apr 13, 2021
@k8s-ci-robot
Copy link
Contributor

Hi @vinayakankugoyal. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Apr 13, 2021
@k8s-ci-robot k8s-ci-robot added kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Apr 13, 2021
@vinayakankugoyal
Copy link
Contributor Author

/cc @neolit123

@vinayakankugoyal
Copy link
Contributor Author

/assign prod-readiness-approvers

@k8s-ci-robot
Copy link
Contributor

@vinayakankugoyal: GitHub didn't allow me to assign the following users: prod-readiness-approvers.

Note that only kubernetes members, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time.
For more information please see the contributor guide

In response to this:

/assign prod-readiness-approvers

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@vinayakankugoyal
Copy link
Contributor Author

/cc prod-readiness-approvers

@vinayakankugoyal
Copy link
Contributor Author

Adding @ehashman for the PRR review.

@vinayakankugoyal
Copy link
Contributor Author

/cc @ehashman

@vinayakankugoyal vinayakankugoyal mentioned this pull request Apr 15, 2021
Open
18 tasks
@ehashman
Copy link
Member

/assign
/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Apr 15, 2021
@vinayakankugoyal
Copy link
Contributor Author

vinayakankugoyal commented Apr 16, 2021
edited
Loading

@ehashman - I am new to the PRR process, so not sure how it goes. Does the PRR questionnaire seem ok? I am happy to provide more details. Thank you so much for looking at this KEP.

ehashman
ehashman requested changes Apr 19, 2021
View reviewed changes
Copy link
Member

@ehashman ehashman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @vinayakankugoyal, not sure why the verify script isn't catching this. You will need to add a file to the keps/prod-readiness directory for this KEP marking me as the approver. Because the KEP already merged I can't comment line-by-line. I'll do a review in my next comment.

@ehashman
Copy link
Member

Alpha -> Beta Graduation

Are these graduation criteria for alpha or beta? From the kep.yaml this appears to be a net new feature. I'm curious what the roadmap is supposed to look like for each of Alpha, Beta, and Graduated. (the latter two stages can be TBD/tentative)

(Version Skew Strategy) Nothing in the design of this feature is tied to the version of the control-plane.

Below I see there's a feature gate for all the control plane components to enable them to run as non-root, so I don't think this is correct. I don't think it's supported to run as non-root in version <1.22. If you have a mixed deployment X and X-1 (e.g. 1.22 and 1.21), it's possible you end up with some control plane components still running as root.

Can you update this answer to clarify how that works?

Does enabling the feature change any default behavior?

Yes it will change the default behavior of kubeadm from running the control-plane components as root to non-root.

The feature flags control the behaviour of each component. A feature flag in kube-apiserver won't affect kubeadm. How do the feature flags on each component affect their behaviour? What impact could it have on a cluster that wasn't deployed by kubeadm?

Additionally, can you talk a little bit more about how enabling the feature flag will change kubeadm's behaviour, and what users should expect?

Are there any tests for feature enablement/disablement?

This question is missing an answer.

Will enabling / using this feature result in increasing time taken by any operations covered by existing SLIs/SLOs?

Yes, in kubeadm control-plane bootstrap process when we create files and directories we would have to change the permissions and the owners of these files. So there will be a minute increase in bootstrap time for control-plane.

Is it possible to block or fail on the creation of users/groups? Should this be called out as a possible delay?

@vinayakankugoyal
Copy link
Contributor Author

Hi @vinayakankugoyal, not sure why the verify script isn't catching this. You will need to add a file to the keps/prod-readiness directory for this KEP marking me as the approver. Because the KEP already merged I can't comment line-by-line. I'll do a review in my next comment.

Done. Thanks!

@vinayakankugoyal
Copy link
Contributor Author

Alpha -> Beta Graduation

Are these graduation criteria for alpha or beta? From the kep.yaml this appears to be a net new feature. I'm curious what the roadmap is supposed to look like for each of Alpha, Beta, and Graduated. (the latter two stages can be TBD/tentative)

These are graduation criteria for alpha. I think we'd come up with the Beta and Graduated criteria later, once we have hit alpha. (There wasn't a section for dev -> Alpha graduation criteria, so I put it under this section.)

(Version Skew Strategy) Nothing in the design of this feature is tied to the version of the control-plane.

Below I see there's a feature gate for all the control plane components to enable them to run as non-root, so I don't think this is correct. I don't think it's supported to run as non-root in version <1.22. If you have a mixed deployment X and X-1 (e.g. 1.22 and 1.21), it's possible you end up with some control plane components still running as root.

Can you update this answer to clarify how that works?

The featuregate mentioned below is not a featuregate for the control-plane components but is a featuregate passed to kubeadm itself. It will control how kubeadm deploys the control-plane. Nothing in this design updates the feturegate flags passed to the control-plane binaries, the featuregate flag will be passed to the kubeadm binary itself and it will control how kubeadm updates the Pod config/manifest of the control-plane components. Sorry if this was not clear from my documentation.

Does enabling the feature change any default behavior?
Yes it will change the default behavior of kubeadm from running the control-plane components as root to non-root.

The feature flags control the behaviour of each component. A feature flag in kube-apiserver won't affect kubeadm. How do the feature flags on each component affect their behaviour? What impact could it have on a cluster that wasn't deployed by kubeadm?

Additionally, can you talk a little bit more about how enabling the feature flag will change kubeadm's behaviour, and what users should expect?

The feature flag will not change the behavior of the control-plane components, it will change the behavior of kubeadm. kubeadm will configure the Pods of the components differently when this featuregate is enabled.

Are there any tests for feature enablement/disablement?

This question is missing an answer.

Added. Thanks!

Will enabling / using this feature result in increasing time taken by any operations covered by existing SLIs/SLOs?
Yes, in kubeadm control-plane bootstrap process when we create files and directories we would have to change the permissions and the owners of these files. So there will be a minute increase in bootstrap time for control-plane.

Is it possible to block or fail on the creation of users/groups? Should this be called out as a possible delay?

Yes, it is possible to fail on the creation of users and groups. I'll call this out.

@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Apr 20, 2021
@vinayakankugoyal
Copy link
Contributor Author

@ehashman - Are there any more questions/concerns? I am happy to provide more details. Thank you so much for looking at this KEP.

@ehashman
Copy link
Member

Because it appears that this enhancement is 100% out of tree (i.e. all changes made in k/kubeadm, no changes to k/kubernetes) I do not believe PRR approval is applicable. Pending confirmation from PRR team.

ehashman
ehashman approved these changes Apr 29, 2021
View reviewed changes
Copy link
Member

@ehashman ehashman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Per @johnbelamaric, please add a note that the PRR fields are not applicable, as this KEP is out of tree.

/approve
for PRR

@vinayakankugoyal
Copy link
Contributor Author

Per @johnbelamaric, please add a note that the PRR fields are not applicable, as this KEP is out of tree.

/approve
for PRR

Added the note in the check list and the PRR questionnaire section.

@vinayakankugoyal
Copy link
Contributor Author

/assign @neolit123

@neolit123
Copy link
Member

/lgtm
/approve
after PRR

lets move the discussion to the other PR that sets this KEP to implementable.

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Apr 29, 2021
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ehashman, neolit123, vinayakankugoyal

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 29, 2021
@k8s-ci-robot k8s-ci-robot merged commit 0ce9a00 into kubernetes:master Apr 29, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.22 milestone Apr 29, 2021
@neolit123 neolit123 mentioned this pull request May 10, 2021
Open
1 task
@vinayakankugoyal vinayakankugoyal mentioned this pull request Jun 3, 2021
Closed
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ehashman ehashman ehashman approved these changes

@justinsb justinsb Awaiting requested review from justinsb

@timothysc timothysc Awaiting requested review from timothysc

@neolit123 neolit123 Awaiting requested review from neolit123

Assignees

@neolit123 neolit123

@ehashman ehashman

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
v1.22
Development

Successfully merging this pull request may close these issues.
4 participants
@vinayakankugoyal @k8s-ci-robot @ehashman @neolit123