Skip to content

KEP-5474: Introduce WritableCgroups option #5475

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

KEP-5474: Introduce WritableCgroups option #5475

wants to merge 1 commit into from
+534 −0

Conversation

Divya063
Copy link

@Divya063 Divya063 commented Aug 13, 2025
edited
Loading

  • One-line PR description: KEP - Add support for writable cgroups field under container.SecurityContext
  • Other comments:

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Aug 13, 2025
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Divya063
Once this PR has been reviewed and has the lgtm label, please assign derekwaynecarr for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory sig/node Categorizes an issue or PR as relevant to SIG Node. labels Aug 13, 2025
@k8s-ci-robot
Copy link
Contributor

Welcome @Divya063!

It looks like this is your first PR to kubernetes/enhancements 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/enhancements has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Aug 13, 2025
@k8s-ci-robot
Copy link
Contributor

Hi @Divya063. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Aug 13, 2025
@Divya063 Divya063 mentioned this pull request Aug 13, 2025
Open
4 tasks
@Divya063 Divya063 changed the title KEP-5474: Introduce cgroup_writable field KEP-5474: Introduce CgroupWritable option Aug 15, 2025
@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Aug 18, 2025
@Divya063 Divya063 marked this pull request as ready for review August 18, 2025 04:49
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 18, 2025
chrishenzie
chrishenzie suggested changes Aug 21, 2025
View reviewed changes
Copy link
Member

@chrishenzie chrishenzie left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi! Thank you for the work on this KEP. I'm requesting changes before this can be approved, primarily to address a security and resource isolation concern.

I strongly support the proposed direction of adding a field to the Pod SecurityContext and CRI API. This is the right approach for providing fine-grained control and is much more secure than relying on a broad, runtime-level configuration.

My primary concern, which I believe is a blocker for approval, is the risk of intra-pod resource starvation. Please see my comments under "Risks and Mitigations" for details.

I also left a couple of comments with suggestions to improve clarify, primarily around removing any potentially confusing references to the Runtime config field to make it unambiguous that the CRI-based API field is the sole proposed approach.

I'm happy to discuss these points further. Thank you!

@chrishenzie
Copy link
Member

/assign @chrishenzie

chrishenzie
chrishenzie reviewed Aug 21, 2025
View reviewed changes
@Divya063 Divya063 marked this pull request as draft August 22, 2025 11:52
@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 22, 2025
@Divya063
Copy link
Author

Divya063 commented Aug 22, 2025
edited
Loading

Thank you @chrishenzie for providing the initial feedback! I'm changing the PR to draft state while I work on the doc. Once it's ready, I'll let you know.

@chrishenzie
Copy link
Member

Thanks for the update and taking my feedback into consideration. I look forward to the next version of the document.

As you might have gathered from my review, this is a feature I'm interested in and have spent a good deal of time researching independently. It seems we're aligned on the importance of this capability for the community and the need to get the API and security model right.

Given our mutual interest, I wanted to offer to partner with you on this KEP if you'd be open to it. I'd be happy to contribute my research and help however I can to move this forward.

If you're interested, please feel free to DM me on the Kubernetes Slack (@chrishenzie) or reach out via email so we can connect.

Regardless, I appreciate you driving this important work. Let me know if there is any way I can help.

@Divya063 Divya063 force-pushed the draft-5474-KEP branch 2 times, most recently from 60f61fc to bd0bdae Compare August 25, 2025 17:13
@Divya063
Copy link
Author

Divya063 commented Aug 25, 2025
edited
Loading

Thanks @chrishenzie for offering to partner on this KEP! I will be happy to collaborate. I have addressed your comments and would like to discuss a few things.

  • For this feature, would it be okay if we have the baseline profile of Pod security standards?
  • I have moved the alpha milestone to K8s 1.35. I think that once we finalize the design, we can make the necessary changes in both CRI and containerd before the containerd Release (Nov 2025).

Let me know what you think.

@Divya063 Divya063 changed the title KEP-5474: Introduce CgroupWritable option KEP-5474: Introduce WritableCgroups option Aug 25, 2025
@Divya063 Divya063 marked this pull request as ready for review August 25, 2025 17:35
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 25, 2025
@Divya063
Introduce CgroupWritable field to the container SecurityContext object
ca08278 
This commit introduces a KEP that proposes adding a `CgroupWritable`
field to the container SecurityContext in Kubernetes to allow
unprivileged containers to have writable access to cgroup interfaces on
cgroup v2 systems
@Divya063 Divya063 requested a review from chrishenzie August 26, 2025 04:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dchen1107 dchen1107 Awaiting requested review from dchen1107

@mrunalp mrunalp Awaiting requested review from mrunalp

@derekwaynecarr derekwaynecarr Awaiting requested review from derekwaynecarr

@chrishenzie chrishenzie Awaiting requested review from chrishenzie

Assignees

@chrishenzie chrishenzie

Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. sig/node Categorizes an issue or PR as relevant to SIG Node. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Divya063 @k8s-ci-robot @chrishenzie