2 changes: 2 additions & 0 deletions keps/prod-readiness/sig-node/3619.yaml
Expand Up @@ -6,3 +6,5 @@ alpha:
approver: "@johnbelamaric"
beta:
approver: "@johnbelamaric"
stable:
approver: "@johnbelamaric"
18 changes: 10 additions & 8 deletions keps/sig-node/3619-supplemental-groups-policy/README.md
Expand Up @@ -57,7 +57,7 @@ tags, and then generate with `hack/update-toc.sh`.
- [Implementation History](#implementation-history)
- [Drawbacks](#drawbacks)
- [Alternatives](#alternatives)
- [Introducing <code>RutimeClass</code>](#introducing-rutimeclass)
- [Introducing <code>RuntimeClass</code>](#introducing-runtimeclass)
- [Adjusting container image by users](#adjusting-container-image-by-users)
- [Just fixing CRI implementations](#just-fixing-cri-implementations)
- [Infrastructure Needed (Optional)](#infrastructure-needed-optional)
Expand Down Expand Up @@ -662,11 +662,7 @@ Because this KEP's core implementation(i.e. `SupplementalGroupsPolicy` handling)

#### GA

- At least one of Container Runtimes which is not based on the classic container, gVisor for example, supports the updated CRI and released
- Assuming no negative user feedback based on production experience, promote after 2 releases in beta.
- [conformance tests] are added for `SupplementalGroupsPolicy` and `ContainerStatus.User` APIs

[conformance tests]: https://git.k8s.io/community/contributors/devel/sig-architecture/conformance-tests.md
- No negative user feedback based on production experience, promote after 2 releases in beta.
@everpeace everpeace Oct 4, 2025
I updated the GA criteria in two points:

- I removed the "gVisor..." criterion because it is a low-level container runtime, which is not relevant to the feature. And two major CRI runtimes (containerd, CRI-O) already support this feature. I think it's enough to promote this feature to GA.
- I removed the conformance test criterion. IIUC, CRI runtime dependent features can't be added to the conformance test. So, I removed it.


### Upgrade / Downgrade Strategy

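Review bot: dropping the conformance-test bullet leaves the GA criteria with no test requirement at all, and the removed `[conformance tests]: https://git.k8s.io/community/contributors/devel/sig-architecture/conformance-tests.md` line was the only definition of that link reference; make sure no other part of the README still uses `[conformance tests]`, which would now render as a literal bracketed string, and consider stating in the remaining bullet which e2e or node tests must pass for promotion. The surviving bullet "No negative user feedback based on production experience, promote after 2 releases in beta." also folds two criteria into one sentence; splitting it into "No negative user feedback based on production experience." and "Promote after 2 releases in beta." keeps the list parallel.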
Expand Down Expand Up @@ -785,12 +781,14 @@ feature.
NOTE: Also set `disable-supported` to `true` or `false` in `kep.yaml`.
-->

Yes. It can be disabled after enabled.
Yes. It can be disabled after enabled until Beta.
When disabled, you can not create pods with `SupplementalGroupsPolicy` fields and no `.status.containerStatuses[*].user` will be reported in pod status.
Please note if there are pods that have been created with `Strict` policy, the policy of the containers in such pods will keep enforced even after its disablement.

See ["Version Skew Strategy"](#version-skew-strategy) for more complex cases (including upgrading/downgrading).

But, starting v1.35, this feature graduates to GA, the `SupplementalGroupsPolicy` feature gate will be locked to true and will no longer be disable-able.

###### What happens if we reenable the feature if it was previously rolled back?

The `SupplementalGroupsPolicy` field in pod spec and `.status.containerStatuses[*].user` in pod status will be available again.
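Review bot: the new GA sentence ("But, starting v1.35, this feature graduates to GA, the `SupplementalGroupsPolicy` feature gate will be locked to true and will no longer be disable-able.") is placed after the pointer to "Version Skew Strategy", so the answer to the disablement question still opens with the pre-GA behaviour; suggest moving it directly under "Yes. It can be disabled after enabled until Beta." and tightening it to "Starting with v1.35 the feature is GA, the `SupplementalGroupsPolicy` feature gate is locked to true, and the feature can no longer be disabled." While here, "you can not create pods" should read "you cannot create pods".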
Expand Down Expand Up @@ -859,12 +857,15 @@ $ kubectl get events -o json -w
{
...
"kind": "Event",
"reason": "SupplementalGroupsPolicyNotSupported",
"message": "Error: SupplementalGroupsPolicy is not supported in this node.",
...
}
...
```

So, you can follow `kubelet_admission_rejections_total{reason='SupplementalGroupsPolicyNotSupported'}` metrics to track such events.

Also, the following kubelet metrics are also useful to check:

- `kubelet_running_pods`: Shows the actual number of pods running
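Review bot: "Also, the following kubelet metrics are also useful to check:" doubles "also"; suggest "The following kubelet metrics are also useful to check:". The added sentence ties the `reason='SupplementalGroupsPolicyNotSupported'` label of `kubelet_admission_rejections_total` to the event reason shown in the JSON above, but the metric name and label value are introduced here without a pointer; linking to where the kubelet registers that metric would let PRR reviewers confirm the two strings stay in sync.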
Expand Down Expand Up @@ -1216,6 +1217,7 @@ Major milestones might include:

- 2023-02-10: Initial KEP published.
- v1.31.0(2024-08-13): Alpha
- v1.33.0(2025-04-23): Beta

## Drawbacks

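Review bot: the Implementation History gains the beta entry but not the stable one this PR is about; with `stable: "v1.35"` set in kep.yaml in this same PR, add a matching "- v1.35.0: Stable" line (date to be filled in at release) so the history and the milestone table agree.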
Expand All @@ -1227,7 +1229,7 @@ N/A

## Alternatives

### Introducing `RutimeClass`
### Introducing `RuntimeClass`

As described in the [Motivation](#motivation) section, cluster administrators would need to deploy a custom low-level container runtime(e.g., [pfnet-research/strict-supplementalgroups-container-runtime](https://github.com/pfnet-research/strict-supplementalgroups-container-runtime)) that modifies OCI container runtime spec(`config.json`) produced by CRI implementations (e.g., containerd, cri-o). A custom `RuntimeClass` would be introduced for it.

8 changes: 4 additions & 4 deletions keps/sig-node/3619-supplemental-groups-policy/kep.yaml
Expand Up @@ -5,7 +5,7 @@ authors:
owning-sig: sig-node
participating-sigs:
- sig-node
status: implementable
status: implemented
Contributor
I think this is done after the feature reaches stable (post code freeze)

creation-date: 2022-10-14
reviewers:
- "@thockin"
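Review bot: `status: implemented` is premature while this same PR only targets stable for v1.35 (`stage: stable` and `latest-milestone: "v1.35"` in the next hunk); as the comment above says, the KEP template expects `implementable` until the feature has actually shipped, so keep `implementable` here and flip it in a follow-up after code freeze.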
Expand All @@ -19,18 +19,18 @@ see-also: []
replaces: []

# The target maturity stage in the current dev cycle for this KEP.
stage: beta
stage: stable

# The most recent milestone for which work toward delivery of this KEP has been
# done. This can be the current (upcoming) milestone, if it is being actively
# worked on.
latest-milestone: "v1.33"
latest-milestone: "v1.35"

# The milestone at which this feature was, or is targeted to be, at each stage.
milestone:
alpha: "v1.31"
beta: "v1.33"
stable: "v1.yy"
stable: "v1.35"

# The following PRR answers are required at alpha release
# List the feature gate name and the components for which it must be enabled
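Review bot: the README hunk above now states that the feature gate is locked to true at GA, and its NOTE asks that `disable-supported` in this kep.yaml be kept in sync; the four changes in this file (status, stage, latest-milestone, stable milestone) do not touch `disable-supported`, so confirm its current value still reflects that the gate can no longer be disabled.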