keps/sig-node/3619-supplemental-groups-policy/README.md
26 additions & 17 deletions
@@ -84,17 +84,17 @@ Items marked with (R) are required *prior to targeting to a milestone / release*
84
84
-[x] (R) Enhancement issue in release milestone, which links to KEP dir in [kubernetes/enhancements] (not the initial KEP PR)
85
85
-[x] (R) KEP approvers have approved the KEP status as `implementable`
86
86
-[x] (R) Design details are appropriately documented
87
-
-[] (R) Test plan is in place, giving consideration to SIG Architecture and SIG Testing input (including test refactors)
88
-
-[] e2e Tests for all Beta API Operations (endpoints)
87
+
-[x] (R) Test plan is in place, giving consideration to SIG Architecture and SIG Testing input (including test refactors)
88
+
-[x] e2e Tests for all Beta API Operations (endpoints)
89
89
-[ ] (R) Ensure GA e2e tests meet requirements for [Conformance Tests](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/conformance-tests.md)
90
90
-[ ] (R) Minimum Two Week Window for GA e2e tests to prove flake free
91
-
-[] (R) Graduation criteria is in place
91
+
-[x] (R) Graduation criteria is in place
92
92
-[ ] (R) [all GA Endpoints](https://github.com/kubernetes/community/pull/1806) must be hit by [Conformance Tests](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/conformance-tests.md)
93
93
-[x] (R) Production readiness review completed
94
94
-[x] (R) Production readiness review approved
95
95
-[x] "Implementation History" section is up-to-date for milestone
96
-
-[] User-facing documentation has been created in [kubernetes/website], for publication to [kubernetes.io]
97
-
-[] Supporting documentation—e.g., additional design documents, links to mailing list discussions/SIG meetings, relevant PRs/issues, release notes
96
+
-[x] User-facing documentation has been created in [kubernetes/website], for publication to [kubernetes.io]
97
+
-[x] Supporting documentation—e.g., additional design documents, links to mailing list discussions/SIG meetings, relevant PRs/issues, release notes
98
98
99
99
<!--
100
100
**Note:** This checklist is iterative and should be reviewed and updated every time this enhancement is being considered for a milestone.
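Review bot: The newly ticked "(R) Test plan is in place" and "e2e Tests for all Beta API Operations (endpoints)" items are not backed by anything a reader can follow from this checklist; link the e2e tests from the Test Plan section so the ticks can be verified. The same goes for the ticked "User-facing documentation has been created in [kubernetes/website]" item, which should point at the published page or the website PR. Leaving the GA conformance items unticked is consistent with the rest of the checklist.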
@@ -600,8 +600,9 @@ This can inform certain test coverage improvements that we want to do before
600
600
extending the production code to implement this enhancement.
- When `SupplementalGroupsPolicy=Strict`, groups of the container process must be ones specified by API: <link to test coverage(t.b.d.)>
618
-
- When `SupplementalGroupsPolicy=Merge`, groups of the container process contains both groups specified by API and groups of the primary user from the image: <link to test coverage(t.b.d.)>
619
-
- For running pods, `ContainerStatus.User` contains the correct identities of the containers: <link to test coverage(t.b.d.)>
620
-
- CRI
621
-
- I will also add symmetrical integration tests to https://github.com/kubernetes-sigs/cri-tools
We expect no non-infra related flakes in the last month as a GA graduation criteria.
633
629
-->
634
630
635
-
- When creating a Pod with `SupplementalGroupsPolicy=Strict`, the pods will run with only groups specified by API: <link to test coverage(t.b.d.)>
636
-
- When creating a Pod with `SupplementalGroupsPolicy=Merge`, the pods will run with groups specified by API and groups from the image: <link to test coverage(t.b.d.)>
637
-
- When creating a Pod and it starts, each `ContainerStatus.User` contain the correct identities of the containers: <link to test coverage(t.b.d.)>
- When creating a Pod with `SupplementalGroupsPolicy=Strict`
633
+
- the containers in the pod will run with only groups specified by the API, and
634
+
- once it starts, `ContainerStatus.User` contains the correct identities of the containers
635
+
- When creating a Pod with `SupplementalGroupsPolicy=Merge`
636
+
- the containers in the pod will run with groups specified by API and groups from the container image, and
637
+
- once it starts, `ContainerStatus.User` contains the correct identities of the containers, and
638
+
- When creating a Pod without `SupplementalGroupsPolicy` (equivalent behaviour with `Merge`)
639
+
- the pod will run with with groups specified by API and groups from the image
640
+
- once it starts, `ContainerStatus.User` contains the correct identities of the containers
641
+
-_Note: above e2e tests will self-skip if the node does not support `SupplementalGroupsPolicyFeature` detected by `Node.Status.Featuers.SupplementalGroupsPolicy` field._
- Symmetric test cases with Kubernetes e2e tests except for the case of _without `SupplementalGroupsPolicy`_ because `SupplementalGroupsPolicy` always has value(default is `Merge`).
644
+
-_Note: above tests will self-skip if the runtime does not support `SupplementalGroupsPolicyFeature` detected by `StatusResponse.features.supplemental_groups_policy` field._
645
+
638
646
639
647
### Graduation Criteria
640
648
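Review bot: The field name in the added e2e note is misspelled: `Node.Status.Featuers.SupplementalGroupsPolicy` should read `Node.Status.Features.SupplementalGroupsPolicy`, and since readers will treat it as an API reference it is worth fixing before merge. In the same added block, "the pod will run with with groups" has a duplicated "with", and the second sub-bullet under `SupplementalGroupsPolicy=Merge` ends in a dangling ", and" with nothing after it. The removed lines carried `<link to test coverage(t.b.d.)>` placeholders, but the replacements drop them without adding real links, so the test locations are still undocumented. Because both the e2e and the CRI tests self-skip when the node or runtime does not report the feature, please state which CI job runs against a supporting node and runtime; otherwise the `Strict` case can go unexercised without anyone noticing.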
@@ -762,7 +770,7 @@ You can take a look at one potential example of such test in: