From 1da56f7a02285d242e8660f8939266eda96134b6 Mon Sep 17 00:00:00 2001 From: Shingo Omura Date: Sat, 4 Oct 2025 12:10:19 +0900 Subject: [PATCH 1/8] KEP-3619: set implemented in kep.yaml --- keps/sig-node/3619-supplemental-groups-policy/kep.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/keps/sig-node/3619-supplemental-groups-policy/kep.yaml b/keps/sig-node/3619-supplemental-groups-policy/kep.yaml index 2ea92fdb8ab..344950604b5 100644 --- a/keps/sig-node/3619-supplemental-groups-policy/kep.yaml +++ b/keps/sig-node/3619-supplemental-groups-policy/kep.yaml @@ -5,7 +5,7 @@ authors: owning-sig: sig-node participating-sigs: - sig-node -status: implementable +status: implemented creation-date: 2022-10-14 reviewers: - "@thockin" From b12a8120af402fb6a13e1889e69b69b6edaba573 Mon Sep 17 00:00:00 2001 From: Shingo Omura Date: Sat, 4 Oct 2025 12:17:55 +0900 Subject: [PATCH 2/8] KEP-3619: added beta promotion in "Implementation History" --- keps/sig-node/3619-supplemental-groups-policy/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/keps/sig-node/3619-supplemental-groups-policy/README.md b/keps/sig-node/3619-supplemental-groups-policy/README.md index d4f8382c160..c81b6d26178 100644 --- a/keps/sig-node/3619-supplemental-groups-policy/README.md +++ b/keps/sig-node/3619-supplemental-groups-policy/README.md @@ -1216,6 +1216,7 @@ Major milestones might include: - 2023-02-10: Initial KEP published. - v1.31.0(2024-08-13): Alpha +- v1.33.0(2025-04-23): Beta ## Drawbacks From e4899fedf4dff15b5dfa8eb2f4057fafd01e1f0d Mon Sep 17 00:00:00 2001 From: Shingo Omura Date: Sat, 4 Oct 2025 12:17:02 +0900 Subject: [PATCH 3/8] KEP-3619: fix typo: "RutimeClass" -> "RuntimeClass" --- keps/sig-node/3619-supplemental-groups-policy/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/keps/sig-node/3619-supplemental-groups-policy/README.md b/keps/sig-node/3619-supplemental-groups-policy/README.md index c81b6d26178..f464cc21609 100644 
--- a/keps/sig-node/3619-supplemental-groups-policy/README.md +++ b/keps/sig-node/3619-supplemental-groups-policy/README.md @@ -57,7 +57,7 @@ tags, and then generate with `hack/update-toc.sh`. - [Implementation History](#implementation-history) - [Drawbacks](#drawbacks) - [Alternatives](#alternatives) - - [Introducing RutimeClass](#introducing-rutimeclass) + - [Introducing RuntimeClass](#introducing-runtimeclass) - [Adjusting container image by users](#adjusting-container-image-by-users) - [Just fixing CRI implementations](#just-fixing-cri-implementations) - [Infrastructure Needed (Optional)](#infrastructure-needed-optional) @@ -1228,7 +1228,7 @@ N/A ## Alternatives -### Introducing `RutimeClass` +### Introducing `RuntimeClass` As described in the [Motivation](#motivation) section, cluster administrators would need to deploy a custom low-level container runtime(e.g., [pfnet-research/strict-supplementalgroups-container-runtime](https://github.com/pfnet-research/strict-supplementalgroups-container-runtime)) that modifies OCI container runtime spec(`config.json`) produced by CRI implementations (e.g., containerd, cri-o). A custom `RuntimeClass` would be introduced for it. From f15edab844a51d53a165687c3de1220aa1c2c5ed Mon Sep 17 00:00:00 2001 From: Shingo Omura Date: Sat, 4 Oct 2025 12:12:16 +0900 Subject: [PATCH 4/8] KEP-3619: added 'kubelet_admission_rejections_total' as rollback information metric --- keps/sig-node/3619-supplemental-groups-policy/README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/keps/sig-node/3619-supplemental-groups-policy/README.md b/keps/sig-node/3619-supplemental-groups-policy/README.md index f464cc21609..d43eb91a0fe 100644 --- a/keps/sig-node/3619-supplemental-groups-policy/README.md +++ b/keps/sig-node/3619-supplemental-groups-policy/README.md 
@@ -859,12 +859,15 @@ $ kubectl get events -o json -w { ... "kind": "Event", + "reason": "SupplementalGroupsPolicyNotSupported", "message": "Error: SupplementalGroupsPolicy is not supported in this node.", ... } ... ``` +So, you can follow `kubelet_admission_rejections_total{reason='SupplementalGroupsPolicyNotSupported'}` metrics to track such events. + Also, the following kubelet metrics are also useful to check: - `kubelet_running_pods`: Shows the actual number of pods running From 83787012ce76176c5561f15b15b360fd7ca5148f Mon Sep 17 00:00:00 2001 From: Shingo Omura Date: Sat, 4 Oct 2025 12:14:51 +0900 Subject: [PATCH 5/8] KEP-3619: update GA criteria - Removing gVisor, Kata Containers criteria because they are low-level container runtime, it's not relevant to this KEP. - Removing conformance tests criteria because we can't add this currently because this feature is Container Runtime dependent feature. --- keps/sig-node/3619-supplemental-groups-policy/README.md | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/keps/sig-node/3619-supplemental-groups-policy/README.md b/keps/sig-node/3619-supplemental-groups-policy/README.md index d43eb91a0fe..14f2554f7ff 100644 --- a/keps/sig-node/3619-supplemental-groups-policy/README.md +++ b/keps/sig-node/3619-supplemental-groups-policy/README.md 
@@ -662,11 +662,7 @@ Because this KEP's core implementation(i.e. `SupplementalGroupsPolicy` handling) #### GA -- At least one of Container Runtimes which is not based on the classic container, gVisor for example, supports the updated CRI and released -- Assuming no negative user feedback based on production experience, promote after 2 releases in beta. -- [conformance tests] are added for `SupplementalGroupsPolicy` and `ContainerStatus.User` APIs - -[conformance tests]: https://git.k8s.io/community/contributors/devel/sig-architecture/conformance-tests.md +- No negative user feedback based on production experience, promote after 2 releases in beta. ### Upgrade / Downgrade Strategy From d86a0d94069c22e0fe9d54cc493233c1ce0d9d2c Mon Sep 17 00:00:00 2001 From: Shingo Omura Date: Sat, 4 Oct 2025 12:29:19 +0900 Subject: [PATCH 6/8] KEP-3619: added note about this feature can not be disabled after GA --- keps/sig-node/3619-supplemental-groups-policy/README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/keps/sig-node/3619-supplemental-groups-policy/README.md b/keps/sig-node/3619-supplemental-groups-policy/README.md index 14f2554f7ff..108ec2d8a8a 100644 --- a/keps/sig-node/3619-supplemental-groups-policy/README.md +++ b/keps/sig-node/3619-supplemental-groups-policy/README.md 
@@ -781,12 +781,14 @@ feature. NOTE: Also set `disable-supported` to `true` or `false` in `kep.yaml`. --> -Yes. It can be disabled after enabled. +Yes. It can be disabled after enabled until Beta. When disabled, you can not create pods with `SupplementalGroupsPolicy` fields and no `.status.containerStatuses[*].user` will be reported in pod status. Please note if there are pods that have been created with `Strict` policy, the policy of the containers in such pods will keep enforced even after its disablement. See ["Version Skew Strategy"](#version-skew-strategy) for more complex cases (including upgrading/downgrading). +But, starting v1.35, this feature graduates to GA, the `SupplementalGroupsPolicy` feature gate will be locked to true and will no longer be disable-able. + ###### What happens if we reenable the feature if it was previously rolled back? The `SupplementalGroupsPolicy` field in pod spec and `.status.containerStatuses[*].user` in pod status will be available again. From bd3d30442b1efecb7b665c8810709c70e5b4a440 Mon Sep 17 00:00:00 2001 From: Shingo Omura Date: Sat, 4 Oct 2025 12:18:40 +0900 Subject: [PATCH 7/8] KEP-3619: set the milestone to GA --- keps/sig-node/3619-supplemental-groups-policy/kep.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/keps/sig-node/3619-supplemental-groups-policy/kep.yaml b/keps/sig-node/3619-supplemental-groups-policy/kep.yaml index 344950604b5..8b577adfd71 100644 --- a/keps/sig-node/3619-supplemental-groups-policy/kep.yaml +++ b/keps/sig-node/3619-supplemental-groups-policy/kep.yaml 
@@ -19,18 +19,18 @@ see-also: [] replaces: [] # The target maturity stage in the current dev cycle for this KEP. -stage: beta +stage: stable # The most recent milestone for which work toward delivery of this KEP has been # done. This can be the current (upcoming) milestone, if it is being actively # worked on. -latest-milestone: "v1.33" +latest-milestone: "v1.35" # The milestone at which this feature was, or is targeted to be, at each stage. milestone: alpha: "v1.31" beta: "v1.33" - stable: "v1.yy" + stable: "v1.35" # The following PRR answers are required at alpha release # List the feature gate name and the components for which it must be enabled From 71dea5365aae0f3b4972e6a27fb51466e1653501 Mon Sep 17 00:00:00 2001 From: Shingo Omura Date: Sat, 4 Oct 2025 12:20:01 +0900 Subject: [PATCH 8/8] KEP-3619: updated PRR approval request file for GA --- keps/prod-readiness/sig-node/3619.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/keps/prod-readiness/sig-node/3619.yaml b/keps/prod-readiness/sig-node/3619.yaml index 0483f7351dc..1b115199f64 100644 --- a/keps/prod-readiness/sig-node/3619.yaml +++ b/keps/prod-readiness/sig-node/3619.yaml @@ -6,3 +6,5 @@ alpha: approver: "@johnbelamaric" beta: approver: "@johnbelamaric" +stable: + approver: "@johnbelamaric"
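Review bot: in PATCH 1/8, kep.yaml is flipped to `status: implemented` while PATCH 7/8 in the same series sets `latest-milestone: "v1.35"` and `stable: "v1.35"`, a release that has not shipped as of the patch date (2025-10-04); since `implemented` signals the work is complete, confirm the flip belongs in the promotion PR rather than after the GA release lands, or squash the two kep.yaml changes and say so in the commit message.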
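Review bot: the Implementation History hunk in PATCH 2/8 adds only the Beta entry, but PATCH 7/8 records `stable: "v1.35"`; add a matching GA line after `- v1.33.0(2025-04-23): Beta`, e.g. `- v1.35.0: GA` with the date filled in at release, so the history and kep.yaml agree.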
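Review bot: the sentence added in PATCH 4/8, `So, you can follow ... metrics to track such events.`, reads awkwardly and the unchanged next line now says `Also, the following kubelet metrics are also useful`; suggest `The kubelet_admission_rejections_total{reason="SupplementalGroupsPolicyNotSupported"} metric can be used to track these rejections.` and dropping one `also`. Operators will copy this selector straight into an alert rule, so please confirm the metric's `reason` label value is exactly the event `reason` string added to the JSON sample in the same hunk.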
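Review bot: after the deletions in PATCH 5/8 the remaining GA criterion, `No negative user feedback based on production experience, promote after 2 releases in beta.`, is a fragment; suggest `Promote after 2 releases in beta, assuming no negative user feedback from production experience.` Removing the `[conformance tests]:` link definition also leaves any other `[conformance tests]` reference in README.md dangling, so grep for it. And since the commit message drops the conformance criterion because enforcement is container-runtime dependent, the criteria should state which e2e or node tests do gate GA, so the `Strict` enforcement path is not left without a stated check.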
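Review bot: in PATCH 6/8 the two new sentences are split by unrelated text and mix tenses: `Yes. It can be disabled after enabled until Beta.` and, several lines later, `But, starting v1.35, this feature graduates to GA, ... will no longer be disable-able.` Suggest one answer up front: `Yes, while the feature is Beta it can be disabled after being enabled. Starting with v1.35 (GA), the SupplementalGroupsPolicy feature gate is locked to true and can no longer be disabled.` Keep the surviving note that pods created with `Strict` policy stay enforced after disablement adjacent to that answer, as it is the behaviour a cluster operator relying on the policy needs to see. The template comment in the same hunk asks to set `disable-supported` in kep.yaml, but PATCH 7/8 does not touch that field; confirm it is consistent with the GA lock.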