Forbid setting AllAlpha FeatureGate with Kubernetes 1.31

[dimityrmirchev]

How to categorize this issue?

/area security
/kind enhancement

What would you like to be added:
I propose that we forbid setting the feature gate AllAlpha with Kubernetes version >= 1.31. Users will still be able to explicitly enable alpha feature gates if they want to. See https://github.com/kubernetes/kubernetes/blob/b8dcc2c983ab93440c4ad598f51ce2ab5bcf3cce/staging/src/k8s.io/component-base/featuregate/feature_gate.go#L49

Why is this needed:
Setting AllAlpha to true is not recommended and should be avoided especially in production environments. This change is in sync with rule 242400 of DISA Kubernetes STIG.

[LucaBernstein]

@dimityrmirchev Do you still plan to follow up on this topic?
@rfranzke Any further opinions from your side on this?

[dimityrmirchev]

In an internal discussion colleagues presented arguments against disallowing the AllAlpha feature gate. Mainly the fact that users can still enable Alpha features even if AllAlpha is forbidden.

I am fine with closing the issue, but will leave it open so others can also share their opinion if they want to do so. For the sake of completeness I am adding my additional findings regarding how some of the big cloud providers handle this topic:

• Google have Alpha Clusters (that expire in 30 days and have limitations w.r.t upgrades and security patches) that enable all feature gates - https://cloud.google.com/kubernetes-engine/docs/concepts/alpha-clusters
• AWS EKS seems to not allow setting feature gates at all on control plane components - [EKS] [request]: Allow feature gates to be set on master components aws/containers-roadmap#512
• Azure AKS have an opened issue to support similar to GKE's Alpha Clusters - [Feature Request] Alpha Clusters Azure/AKS#2058

It seems that Gardener offers more flexibility in comparison to the mentioned Kubernetes offerings.

[JordanJordanov]

From security point of view AllAlpha is a nightmare. Explicitly enabling alpha features one by one seems to be the more reasonable approach. AllAlpha feature gate is even not documented on the feature gates page.
I see the risk it introduces as bigger compared to the value it brings (just a security inclined opinion).

[rfranzke]

I don't think this has much value unless we disallow alpha features in general. Hence, I vote for doing nothing and closing the issue.

[dimityrmirchev]

OK, let's close this for now.

/close

[gardener-prow]

@dimityrmirchev: Closing this issue.

In response to this:

OK, let's close this for now.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.