Is this also relevant to SIG Security?

Is this also relevant to SIG Security?

Yes, I think so:
/sig security

Hi @saschagrunert

Enhancements Freeze is 2 days away, Feb 9th EOD PST

Enhancements team is aware that KEP update is currently in progress (PR #2414). Please make sure to work on missing requirements and get it merged before the freeze. For PRR related questions or to boost the PR for PRR review, please reach out in slack #prod-readiness

Any enhancements that do not complete the KEP requirements by the freeze will require an exception.

Hi @annajung, thank you for the reminder, I doubt that this enhancement will make it into the current cycle since we're too close to the deadlines now. This is not a big deal-we can shift the review to this cycle and target implementing it in the next one. WDYT, @mrunalp?

Hi @saschagrunert,

Thank you for the update! With Enhancements Freeze now in effect, I will clear the milestone to reflect that this enhancement is not being tracked for 1.21.

If you change your mind and like to be included in the 1.21 Release, please submit an Exception Request as soon as possible.

/milestone clear

/milestone v1.22

Greetings @saschagrunert!
Enhancement shadow checking and reviewing the KEP. Just one request to complete :

• Update this issue with the current milestone.

Friendly reminder that the Enhancement freeze is this Thursday 5/13.

Comment's been updated.

Greetings @saschagrunert!
Following up and after reviewing the KEP and approved PRR. This enhancement is now being tracked for the 1.22 milestone.
One additional question, SIG-security is tagged on this KEP. Is there anything that SIG-security needs to deliver for this KEP?

Thanks!

Greetings @saschagrunert!
Following up and after reviewing the KEP and approved PRR. This enhancement is now being tracked for the 1.22 milestone.
One additional question, SIG-security is tagged on this KEP. Is there anything that SIG-security needs to deliver for this KEP?

Thanks!

Hey @jrsapi 👋, I think SIG Security only needs to be aware that this KEP exists, so it's just informal. 😊

Greetings @saschagrunert,
Enhancement shadow checking with a reminder that we are 2 weeks away from code freeze (July 8, 2021). Can you confirm if the following k/k PR is all that is needed for the implementation of this enhancement for the 1.22 milestone?

• Add kubelet SeccompDefault alpha feature kubernetes#101943

Thanks!

@jrsapi thank you for the reminder, the alpha implementation is now done 😊

@saschagrunert is there a PR yet? (can't seem to find it)

@dims yep: #3718

thanks @saschagrunert

Hello @saschagrunert 👋, Enhancements team here.

Just checking in as we approach Enhancements freeze on 18:00 PDT Thursday 9th February 2023.

This enhancement is targeting for stage stable for 1.27 (correct me, if otherwise)

Here's where this enhancement currently stands:

• KEP readme using the latest template has been merged into the k/enhancements repo.
• KEP status is marked as implementable for latest-milestone: 1.27
• KEP readme has a updated detailed test plan section filled out
• KEP readme has up to date graduation criteria
• KEP has a production readiness review that has been completed and merged into k/enhancements.

For this KEP, we would need to update the following:

• Add response for this question in the Scalability questionnaire of the KEP readme

The status of this enhancement is marked as at risk. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

Hey again @saschagrunert
Please try to get the KEP PR #3718 (addressing the changes mentioned above), merged before tomorrow's Enhancement Freeze :)
The status of this enhancement is still marked as at risk

#3718 is merged. Can this be tracked?

Hey folks, I added a follow-up PR on top of the latest changes which add the missing question: #3864

Should be a no-op since we answer the question with "No".

@Atharva-Shinde this one should be good to go

This enhancement meets all the requirements to be tracked in the v1.27 release.
Thanks @saschagrunert !

I modified the title / description to clarify that this enhancement gives the kubelet an option to enable seccomp by default, but does not change default behavior unless the node administrator opts in by setting this kubelet option (xref initial PRR discussion about requiring an opt-in flag even in GA at kubernetes/kubernetes#101943 (comment))

Hello @saschagrunert 👋🏾 !

@katmutua 1.27 Release Docs shadow here. This enhancement is marked as ‘Needs Docs’ for 1.27 release.

Please follow the steps detailed in the documentation to open a PR against dev-1.27 branch in the k/website repo. This PR can be just a placeholder at this time, and must be created by March 16. For more information, please take a look at Documenting for a release to familiarize yourself with the documentation requirements for the release.

If you already have existing open PRs please link them to the description so we can easily track them. Thanks!

Thank you @katmutua, the placeholder PR is now available in kubernetes/website#39906

Hey again @saschagrunert 👋 Enhancements team here,
Just checking in as we approach 1.27 code freeze at 17:00 PDT on Tuesday 14th March 2023.

Here's where this enhancement currently stands:

• All PRs to the Kubernetes repo that are related to your enhancement are linked in the above issue description (for tracking purposes).
• All PR/s are fully merged by the code freeze deadline.
  • Graduate SeccompDefault feature to stable / GA kubernetes#115719

Also please let me know if there are other PRs in k/k we should be tracking for this KEP.
As always, we are here to help if any questions come up. Thanks!

/stage stable

This is done

Is there any discussion about making it "literally" default?
i.e., Defaulting seccompDefault to true in KubeletConfiguration.

@AkihiroSuda unfortunately not, because it could implicitly break existing workloads on upgrades.

/remove-label lead-opted-in