Partly remove support for seccomp annotations #109819
/test pull-kubernetes-node-e2e-containerd
This PR may require API review. If so, when the changes are ready, complete the pre-review checklist and request an API review. Status of requested reviews is tracked in the API Review project.
aec38c5 to 72d1e1c
Tests are green, this is ready for review. PTAL @kubernetes/api-reviewers @kubernetes/sig-node-pr-reviews
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: liggitt, mrunalp, saschagrunert, tallclair The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
All of that looks correct, except the last bit - Kubelet respects the fields on the pod and container, just not the annotations.
Yes, likely 1.27.
I just don't see much benefit to dropping that code and allowing in data that some API clients could be confused/broken by.
From the release notes of kubernetes/kubernetes#109819, we have to update according to the following situation:

```
Action required: support for the alpha seccomp annotations `seccomp.security.alpha.kubernetes.io/pod` and `container.seccomp.security.alpha.kubernetes.io`, deprecated since v1.19, has been partially removed. Kubelets no longer support the annotations, use of the annotations in static pods is no longer supported, and the seccomp annotations are no longer auto-populated when pods with seccomp fields are created. Auto-population of the seccomp fields from the annotations is planned to be removed in 1.27. Pods should use the corresponding pod or container `securityContext.seccompProfile` field instead.
```

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
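An added example, not code from this PR or from Kubernetes: one way to move a pod manifest from the two annotations to `securityContext.seccompProfile`, as the release note asks. The annotation value forms (`runtime/default`, `docker/default`, `unconfined`, `localhost/<path>`) come from the legacy API rather than from this page; the function names and the sample manifest are constructed for illustration.

```python
import copy

POD_KEY = "seccomp.security.alpha.kubernetes.io/pod"
CONTAINER_PREFIX = "container.seccomp.security.alpha.kubernetes.io/"
FIXED = {"runtime/default": "RuntimeDefault", "docker/default": "RuntimeDefault",
         "unconfined": "Unconfined"}

# Constructed sample manifest, not taken from the PR.
SAMPLE_POD = {
    "metadata": {"name": "demo", "annotations": {
        POD_KEY: "docker/default",
        CONTAINER_PREFIX + "app": "localhost/profiles/audit.json",
        CONTAINER_PREFIX + "sidecar": "unconfined"}},
    "spec": {"containers": [
        {"name": "app"},
        {"name": "sidecar",
         "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}}}]},
}


def profile_from_annotation(value):
    """Convert a legacy annotation value to a seccompProfile mapping."""
    if value in FIXED:
        return {"type": FIXED[value]}
    if value.startswith("localhost/") and len(value) > len("localhost/"):
        return {"type": "Localhost", "localhostProfile": value[len("localhost/"):]}
    raise ValueError(f"unrecognised seccomp annotation value: {value!r}")


def migrate(pod):
    """Return (migrated copy, notes); an existing field always wins."""
    pod, notes = copy.deepcopy(pod), []
    annotations = pod.get("metadata", {}).get("annotations", {})
    spec = pod.setdefault("spec", {})
    targets = {POD_KEY: ("pod", spec)}
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind, []):
            targets[CONTAINER_PREFIX + c["name"]] = ("container " + c["name"], c)
    legacy = [k for k in annotations if k == POD_KEY or k.startswith(CONTAINER_PREFIX)]
    for key in sorted(legacy):
        value = annotations.pop(key)
        if key not in targets:
            notes.append(f"{key}: no matching container, annotation dropped")
            continue
        label, obj = targets[key]
        wanted = profile_from_annotation(value)
        current = obj.setdefault("securityContext", {}).setdefault("seccompProfile", wanted)
        if current != wanted:
            notes.append(f"{label}: kept field {current['type']}, annotation said {value!r}")
    return pod, notes
```

The notes list is the part to review by hand: each entry is a container whose field and annotation disagreed, or an annotation naming a container that does not exist.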
This cleanup has been planned to finish the corresponding KEP: kubernetes#91286

As follow-up on the partial removal of the seccomp annotations in kubernetes#109819, we now drop the version skew handling completely, but still warn as well as keep the validation in place if both (annotation and field) are set. The Pod Security Admission code has already been changed in kubernetes#114846.

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
What type of PR is this?
/kind api-change
What this PR does / why we need it:
We now partly drop the support for seccomp annotations which is planned for v1.25 as part of the KEP:
Making the annotations fully non-functional will be deferred to a future release.
Which issue(s) this PR fixes:
Refers to kubernetes/enhancements#135
Docs PR: kubernetes/website#33524
Fixes #95171
Special notes for your reviewer:
Pod security policies are not touched by this change and therefore we have to keep the annotation key constants.
Warnings emitted for annotation-only use since 1.22 in #102491, and specific warnings about removal of support in 1.25 emitted since 1.23 in #104389
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: