KEP-2033: KubeletInUserNamespace: update the template; promote to beta #5388
AkihiroSuda commented Jun 8, 2025
- One-line PR description: Rootless Kubernetes
- Issue link: sig-node: Kubelet-in-UserNS, aka Rootless mode #2033
- Other comments: The first commit only updates the template. The actual content is updated in the second commit.
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: AkihiroSuda The full list of commands accepted by this bot can be found here.
There are multiple PRR questions not answered.
@@ -15,7 +15,7 @@ reviewers: | |||
- "@dims" | |||
- "@sftim" | |||
approvers: | |||
- TBD | |||
- "@ehashman" |
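Review bot: Replacing `- TBD` with `- "@ehashman"` under `approvers:` records the PRR approver rather than a KEP approver; as the review comment on this line points out, PRR approval is tracked separately in 2033.yaml, so this entry should name a sig-node approver who actually approved the document (the comment mentions Derek for the previous round).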
Elena was approving the PRR section, so she's a separate entry in 2033.yaml. Here you'll need someone who actually approved this document. It seems last time it was Derek, not sure who will be approving it this time, but it has to be someone from sig-node.
May I add your name tentatively?
extending the production code to implement this enhancement. | ||
--> | ||
|
||
N/A, as unit tests do not make sense here. |
Since you're touching kubelet, at minimum I'd expect information about current unit coverage for the affected area.
No unit test, as the relevant code depends on sysctl:
https://github.com/kubernetes/kubernetes/blob/168e02fb3513231c80601ad7a5f873278eda1022/pkg/kubelet/cm/container_manager_linux.go#L445-L448
https://github.com/kubernetes/kubernetes/blob/168e02fb3513231c80601ad7a5f873278eda1022/pkg/kubelet/kubelet.go#L557-L562
The feature can be tested only by running the entire node components in UserNS.
``` | ||
|
||
- Prow manifest: https://github.com/kubernetes/test-infra/blob/4b7824ff1cfe00c36062035ab6aea3bb6c2e6ba2/config/jobs/kubernetes/sig-testing/kubernetes-kind.yaml#L615-L678 | ||
- Logs: https://prow.k8s.io/job-history/gs/kubernetes-ci-logs/logs/ci-kubernetes-e2e-kind-rootless |
The lack of integration and/or e2e residing in k8s repository makes me worry about the stability of this functionality. How can we ensure this is working correctly, if there are no tests? This introduces a risk that if someone introduces a breaking change we won't notice it until somewhere else that test is being run.
The test is covered by running the entire NodeConformance test with the node components running in UserNS.
FYI, this feature gate doesn't really add a new "feature".
This gate only touches a few lines of kubelet so as to ignore permission denied errors related to sysctl running in UserNS.
https://github.com/kubernetes/kubernetes/blob/168e02fb3513231c80601ad7a5f873278eda1022/pkg/kubelet/cm/container_manager_linux.go#L445-L448
https://github.com/kubernetes/kubernetes/blob/168e02fb3513231c80601ad7a5f873278eda1022/pkg/kubelet/kubelet.go#L557-L562
So I'm not sure what kind of integration/e2e test you want to see here.
Thanks for the review and sorry for my delay in addressing the comments.
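The gate's behaviour as described in the comment above, written out as an added Go example that is not kubelet's code: detect a non-initial user namespace from `/proc/self/uid_map` (the heuristic runc's userns package uses) and only then tolerate EPERM/EACCES from a sysctl write. The `KUBELET_IN_USERNS` environment variable is a stand-in for the real feature gate, and `vm.overcommit_memory` is assumed here as one of the sysctls kubelet manages; both are this example's assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
	"syscall"
)

// inUserNSFromUIDMap reports whether a /proc/self/uid_map body describes a
// non-initial userns (runc's heuristic: the initial one has exactly "0 0 4294967295").
// Empty/unparseable maps yield false (fail closed; this example's choice, not kubelet's).
func inUserNSFromUIDMap(uidMap string) bool {
	var entries [][3]uint64
	for _, line := range strings.Split(uidMap, "\n") {
		var e [3]uint64
		if _, err := fmt.Sscanf(line, "%d %d %d", &e[0], &e[1], &e[2]); err == nil {
			entries = append(entries, e)
		}
	}
	if len(entries) == 0 {
		return false
	}
	return !(len(entries) == 1 && entries[0] == [3]uint64{0, 0, 4294967295})
}

// tolerateSysctlErr encodes the gate's semantics: EPERM/EACCES from a sysctl
// write is ignored only when in a userns AND the gate is enabled; any other
// error, or the same error outside a userns, stays fatal.
func tolerateSysctlErr(err error, inUserNS, gateEnabled bool) bool {
	if err == nil {
		return true
	}
	if !inUserNS || !gateEnabled {
		return false
	}
	return errors.Is(err, syscall.EPERM) || errors.Is(err, syscall.EACCES)
}

func main() {
	raw, err := os.ReadFile("/proc/self/uid_map")
	inNS := err == nil && inUserNSFromUIDMap(string(raw))
	gate := os.Getenv("KUBELET_IN_USERNS") == "true" // stand-in for the real feature gate
	// Side-effect-free probe: rewrite one sysctl kubelet manages with its current value.
	const p = "/proc/sys/vm/overcommit_memory"
	cur, _ := os.ReadFile(p)
	werr := os.WriteFile(p, cur, 0o644)
	fmt.Printf("inUserNS=%v gate=%v tolerated=%v err=%v\n", inNS, gate, tolerateSysctlErr(werr, inNS, gate), werr)
}
```

Run it once as root on the host and once inside a rootless user namespace to see the same permission error go from fatal to tolerated only when both conditions hold.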
9c29ef0 to e064467
Only the template is updated in this commit. The actual content will be updated in follow-up commits. Signed-off-by: Akihiro Suda <[email protected]>
Signed-off-by: Akihiro Suda <[email protected]>