KEP-2008: changed to target 1.25 #3264
Hi @adrianreber. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/ok-to-test
/lgtm
5aea967 to c0d84f0
c0d84f0 to f820acc
/lgtm
/lgtm
/milestone v1.25
Signed-off-by: Adrian Reber <areber@redhat.com>
f820acc to 645fee8
/lgtm
@rphillips @mrunalp PTAL. I removed the unused ContainerRestore RPC as it was something many reviewers were uncomfortable with. I am able to restore a container going through Create/Start so that the Restore RPC is not needed anymore. This update of the PR only removes things which makes the whole KEP and code PR simpler. Please add your
/lgtm
``` | ||
with the following parameters: | ||
``` | ||
message CheckpointContainerRequest { |
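Review bot: at `message CheckpointContainerRequest {`, the only introduction visible in these lines is "with the following parameters:", with nothing here about which callers may issue the request or how its fields are validated. Suggest adding, directly before or after the message definition, a short statement of the authorization required to call this RPC and the checks applied to each parameter, unless the section already covers that outside the lines shown.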
needs a security statement / set of requirements for this service, validating the request and destination are authorized. see https://github.com/kubernetes/enhancements/pull/1990/files#r798031530
@mikebrow Thanks for helping with this KEP. Can you be more specific about what you would expect here? Looking at @derekwaynecarr's comment on the original KEP, it says:
> please add detail on checkpoint authorization, we will need to restrict access to the kubelet api resource.
> on the container runtime, the actual checkpoint is stored in a location that is restricted, but prior to beta, we need clear security practices documented.
Are there already other kubelet API resources which have this kind of authorization? Accessing the kubelet API is not possible without access to the certificates as far as I understand it. Do we need additional authorization? If there is an existing mechanism I am happy to include this. If there is any authorization available on the kubelet API I am not sure I have the necessary understanding of the kubelet to introduce something like that.
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: adrianreber, derekwaynecarr, rst0git The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
@adrianreber thanks for the work, and look forward to refining the use case.
@mrunalp @mikebrow @derekwaynecarr PTAL
Let me know if the KEP needs more details about the CRI API changes. Most of the discussion happened so far in the code PR (kubernetes/kubernetes#104907)