Add KEP-5502 for EmptyDir volume sticky bit support#5857
Add KEP-5502 for EmptyDir volume sticky bit support#5857oliverguenther wants to merge 1 commit intokubernetes:masterfrom
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: oliverguenther The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
Welcome @oliverguenther! |
k8s-ci-robot
added
the
needs-ok-to-test
|
Hi @oliverguenther. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
kind/kep
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
| @@ -0,0 +1,3 @@ | |||
| # PRR approval file for alpha | |||
| # To be filled by prod-readiness team | |||
| approver: TBD | |||
There was a problem hiding this comment.
Please post on #prod-readiness on k8s slack and ask for an approver.
This KEP proposes adding an optional `stickyBit` field to EmptyDirVolumeSource that sets directory permissions to 01777 instead of 0777, preventing users from deleting files they don't own. References: Enhancement issue: kubernetes#5502 Implementation PR: kubernetes/kubernetes#130277
oliverguenther
force-pushed
the
kep-5502-emptydir-stickybit
branch
from
5dffd6e to
26795c3
Compare
| milestone: | ||
| alpha: "v1.36" | ||
|
|
||
| feature-gates: [] |
There was a problem hiding this comment.
Please add the feature gate here you are adding.
| status: provisional | ||
| creation-date: 2026-01-30 | ||
| reviewers: | ||
| - TBD |
There was a problem hiding this comment.
Do you have reviewers from sig-storage
| ###### How can this feature be enabled / disabled in a live cluster? | ||
|
|
||
| - [ ] Feature gate (also fill in values in `kep.yaml`) | ||
| - Feature gate name: |
There was a problem hiding this comment.
API changes require feature gates.
There was a problem hiding this comment.
|
|
||
| ## Alternatives | ||
|
|
||
| ### Alternative 1: Provide more flexible mount options on emptyDir |
There was a problem hiding this comment.
I was curious on this actually.
Can you expand why this was rejected?
| status: provisional | ||
| creation-date: 2026-01-30 | ||
| reviewers: | ||
| - TBD |
There was a problem hiding this comment.
I'm honestly a little confused on who should review this.
Looks like @haircommander opt in for this for sig-node but I'm unclear if storage has acknowledged this KEP.
| - Implementing this feature for volume types other than emptyDir | ||
| - Supporting this feature on platforms that don't support Unix-style file permissions (e.g., Windows) |
There was a problem hiding this comment.
What validation are we going to protect against a windows user specifying this stickyBit?
kannon92
left a comment
kannon92
left a comment
There was a problem hiding this comment.
This needs a feature gate to proceed and I ask that you please get acknowledge from a SIG to review.
The KEP seems straightforward.
I did not finish the PRR review because of the feature gate issue and the questions I have about sigs.
| } | ||
| ``` | ||
|
|
||
| 3. Apply the appropriate permissions when creating the directory |
There was a problem hiding this comment.
emptydir volumes undergo recursive chown/chmod via https://github.com/kubernetes/kubernetes/blob/master/pkg/volume/volume_linux.go before being exposed to the pods. IIRC - that code automatically sets sticky bit on directories.
There was a problem hiding this comment.
This file should have a basename after the KEP number, not alpha.yaml. That is, it should be 5502.yaml, and the yaml format of this file is wrong (the approver needs to be nested under the stage).
5 participants
This KEP proposes adding an optional
stickyBitfield to EmptyDirVolumeSource that sets directory permissions to 01777 instead of 0777, preventing users from deleting files they don't own.References
Enhancement issue: #5502
Implementation PR: kubernetes/kubernetes#130277