KEP-127: Support userns in stateless pods with idmap mounts #3811
Conversation
k8s-ci-robot
added
the
kind/kep
k8s-ci-robot
added
cncf-cla: yes
|
If seems that you have removed the description of the phases but you still reference "phase 2" and "phase 3"? |
|
@remram44 Yes, phase 2 and 3 were about stateful workloads. As this KEP is now about stateless pods, those sections don't fit in this KEP anymore. This was decided last year and a reason on why an exception was granted for this KEP last year (https://groups.google.com/g/kubernetes-sig-release/c/ASWlhA-tIxE/m/mMWeXx_kAwAJ). Added this as a clarification on the PR description. Thanks! |
|
@rata What I mean is that you removed all definitions of the phases but you kept references to those phases like "See phase 3 for limitations" (line 129) and "Phase 2 (support for pods with volumes) is out of scope" (line 1062). I think if you are going to refer to those phases they should be described, in this document or in another. |
|
@rata please update the milestones in https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/127-user-namespaces/kep.yaml as part of the PR too. |
|
@marosset thanks, will do it. How is it, though? Should I update |
Did any code merge for this in v1.25? |
Yes, we did merge support for userns in 1.25 (without idmap mounts)
It targets alpha this re-work. So, I guess I should leave it as it is now, then :) |
We worked in the implementation and we add one function call here, definitely not a core package we are changing. Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
We have implemented most checks as API validations and the pod limit as a runtime. No need to keep this as unresolved. Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
Volumes are out of scope now, so most of these concerns are solved. Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
Now there will be only one phase, and the regular alpha/beta/GA migration. Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
We will add a new way to deal with stateless volumes using idmap mounts. Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
While we are there, we move this section to the alternatives section and link appropriately. Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
@dchen1107 This is the userns PR we talked about in the sig-node meeting. PTAL, thanks! :) |
|
/approve |
|
@dchen1107: The label(s) In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dchen1107, mrunalp, rata The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
FWIW - this LGTM for a second alpha from PRR perspective. |
The change to make this KEP about only stateless pods was discussed last year in sig-node and when we asked for an exception for the 1.25 release (https://groups.google.com/g/kubernetes-sig-release/c/ASWlhA-tIxE/m/mMWeXx_kAwAJ). The first commits of this PR just update the KEP to be about stateless pods, as was agreed, the rest of the commits re-work the KEP to rely on idmap mounts.
cc @thockin @mrunalp @derekwaynecarr @SergeyKanzhelev