drop UserNamespacesPodSecurityStandards feature gate #132157
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: haircommander The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
| // This feature gate should only be enabled if all nodes in the cluster | ||
| // support the user namespace feature and have it enabled. The feature gate | ||
| // will not graduate or be enabled by default in future Kubernetes | ||
| // releases. |
There was a problem hiding this comment.
I worry this is no longer idiomatic but I am following the documented plan. If I should lock it to true and keep it around I'm happy to do so.
There was a problem hiding this comment.
f8903eb to
040ba6f
Compare
| @@ -53,16 +50,16 @@ func CheckProcMount() Check { | |||
| Level: api.LevelBaseline, | |||
| Versions: []VersionedCheck{ | |||
| { | |||
| MinimumVersion: api.MajorMinorVersion(1, 0), | |||
| CheckPod: procMount_1_0, | |||
There was a problem hiding this comment.
This shouldn't delete the old version, just add a newer version.
| // This feature gate should only be enabled if all nodes in the cluster | ||
| // support the user namespace feature and have it enabled. The feature gate | ||
| // will not graduate or be enabled by default in future Kubernetes | ||
| // releases. |
There was a problem hiding this comment.
|
Change log suggestion -drop UserNamespacesPodSecurityStandards feature gate, which was temporarily added to protect clusters with kubelets older than 1.30. Now that we are developing on kubernetes 1.34, and the version skew allowed is n-3, we are more than safe to unconditionally relax PSA if a pod is in a user namespace.
+Removed the `UserNamespacesPodSecurityStandards` feature gate. The minimum supported Kubernetes version for a kubelet is now v1.31, so the gate is not needed. |
040ba6f to
1685f44
Compare
this feature gate was meant to be ephemeral, and only was used for guaranteeing a cluster admin didn't accidentally relax PSA policies before the kubelet would deny a pod was created if it didn't support user namespaces. As of kube 1.33, the supported apiserver version skew of n-3 guarantees that all supported kubelets are of 1.30 or later, meaning they do this. Now, we can unconditionally relax PSA policy if a pod is in a user namespace. Signed-off-by: Peter Hunt <[email protected]>
1685f44 to
688a31e
Compare
|
@haircommander: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/triage accepted |
|
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
Hello @haircommander @liggitt |
this feature gate was meant to be ephemeral, and only was used for guaranteeing a cluster admin didn't accidentally relax PSA policies before the kubelet would deny a pod was created if it didn't support user namespaces. As of kube 1.33, the supported apiserver version skew of n-3 guarantees that all supported kubelets are of 1.30 or later, meaning they do this.
Now, we can unconditionally relax PSA policy if a pod is in a user namespace.
What type of PR is this?
/kind cleanup
What this PR does / why we need it:
Which issue(s) this PR is related to:
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: