From c43f6d64c92abc63c267f46a3d6bc69e2fa5f5be Mon Sep 17 00:00:00 2001
From: Jan Safranek
Date: Mon, 26 Sep 2022 11:54:20 +0200
Subject: [PATCH] Update for 1.26
---
 .../1710-selinux-relabeling/README.md | 36 +++++++++++++------
 .../1710-selinux-relabeling/kep.yaml | 13 ++++---
 2 files changed, 35 insertions(+), 14 deletions(-)
diff --git a/keps/sig-storage/1710-selinux-relabeling/README.md b/keps/sig-storage/1710-selinux-relabeling/README.md
index 833265d1fd6..4b513e705c9 100644
--- a/keps/sig-storage/1710-selinux-relabeling/README.md
+++ b/keps/sig-storage/1710-selinux-relabeling/README.md
@@ -55,18 +55,18 @@ Items marked with (R) are required *prior to targeting to a milestone / release*. - [x] (R) Enhancement issue in release milestone, which links to KEP dir in [kubernetes/enhancements] (not the initial KEP PR) -- [ ] (R) KEP approvers have approved the KEP status as `implementable` -- [ ] (R) Design details are appropriately documented -- [ ] (R) Test plan is in place, giving consideration to SIG Architecture and SIG Testing input (including test refactors) +- [x] (R) KEP approvers have approved the KEP status as `implementable` +- [x] (R) Design details are appropriately documented +- [x] (R) Test plan is in place, giving consideration to SIG Architecture and SIG Testing input (including test refactors) - [ ] e2e Tests for all Beta API Operations (endpoints) - [ ] (R) Ensure GA e2e tests for meet requirements for [Conformance Tests](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/conformance-tests.md) - [ ] (R) Minimum Two Week Window for GA e2e tests to prove flake free -- [ ] (R) Graduation criteria is in place +- [x] (R) Graduation criteria is in place - [ ] (R) [all GA Endpoints](https://github.com/kubernetes/community/pull/1806) must be hit by [Conformance Tests](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/conformance-tests.md) - [ ] (R) Production readiness review completed - [ ] (R) Production readiness review approved -- [ ] "Implementation History" section is up-to-date for milestone -- [ ] User-facing documentation has been created in [kubernetes/website], for publication to [kubernetes.io] +- [x] "Implementation History" section is up-to-date for milestone +- [x] User-facing documentation has been created in [kubernetes/website], for publication to [kubernetes.io] - [ ] Supporting documentation—e.g., additional design documents, links to mailing list discussions/SIG meetings, relevant PRs/issues, release notes ## Summary 
@@ -508,10 +508,24 @@ _This section must be completed when targeting beta graduation to a release._ * **What are the SLIs (Service Level Indicators) an operator can use to determine the health of the service?** + - [ ] Metrics - - Metric name: - - [Optional] Aggregation method: - - Components exposing the metric: + - All `errors_total` metrics below cover real errors when a Pod can't start. + It applies to `ReadWriteOncePod` volumes. + - All `warnings_total` metrics below cover **future** errors that would appear if this feature was extended to all volumes. + This will be evaluated in Phase 2. + - 1. `volume_manager_selinux_container_errors_total` + `volume_manager_selinux_container_warnings_total`: Number of errors when kubelet cannot compute SELinux context for a container. + This indicates an error converting SELinux context into SELinux label by github.com/opencontainers/selinux/go-selinux library. + Reading its source code, this should never happen, but one never knows. + 1. `volume_manager_selinux_pod_context_mismatch_errors_total` + `volume_manager_selinux_pod_context_mismatch_warnings_total`: Number of errors when a Pod defines different SELinux contexts for its containers that use the same volume. + Before this feature, only one container in such a Pod could access the volume. + With this feature, the Pod won't even start. + This metric captures nr. of failed Pod starts, including periodic retries. + 1. `volume_manager_selinux_volume_context_mismatch_errors_total` + `volume_manager_selinux_volume_context_mismatch_warnings_total`: Number of errors when a Pod uses a volume that is already mounted with a different SELinux context than the Pod needs. + Before this feature, both pods would start, but only one such pod could access the volume. + With this feature, one of the Pods won't even start. + - Components exposing the metric: KCM + - [ ] Other (treat as last resort) - Details: 
@@ -653,7 +667,9 @@ _This section must be completed when targeting beta graduation to a release._ ## Implementation History -* 1.25: Alpha +* 1.25: Partial implementation of alpha. + * Volume reconstruction after kubelet start does not reconstruct SELinux contexts. +* 1.26: Alpha with everything implemented. ## Drawbacks [optional] diff --git a/keps/sig-storage/1710-selinux-relabeling/kep.yaml b/keps/sig-storage/1710-selinux-relabeling/kep.yaml index 8da467b6d21..bc9e0b713fd 100644 --- a/keps/sig-storage/1710-selinux-relabeling/kep.yaml +++ b/keps/sig-storage/1710-selinux-relabeling/kep.yaml @@ -19,11 +19,11 @@ approvers: see-also: - /keps/sig-storage/695-skip-permission-change/README.md stage: alpha -latest-milestone: "v1.24" +latest-milestone: "v1.26" milestone: alpha: "v1.24" - beta: "v1.25" - stable: "v1.27" + beta: "v1.27" + stable: "v1.29" feature-gates: - name: SELinuxMountReadWriteOncePod components: @@ -31,4 +31,9 @@ feature-gates: - kubelet disable-supported: true metrics: - # TODO: fill at beta + - volume_manager_selinux_container_errors_total + - volume_manager_selinux_container_warnings_total + - volume_manager_selinux_pod_context_mismatch_errors_total + - volume_manager_selinux_pod_context_mismatch_warnings_total + - volume_manager_selinux_volume_context_mismatch_errors_total + - volume_manager_selinux_volume_context_mismatch_warnings_total
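Review bot: The six counters added under `metrics:` in the second kep.yaml hunk are kubelet volume-manager metrics — the feature gate's `components:` a few lines above lists only `kubelet`, and every name carries the `volume_manager_selinux_` prefix — yet the README hunk in this same commit records `- Components exposing the metric: KCM`. One of the two is inconsistent; from the kep.yaml side the README line should presumably read `- Components exposing the metric: kubelet`, or `components:` here needs the controller added if it really exposes them. Separately, the first kep.yaml hunk moves beta to `"v1.27"` and stable to `"v1.29"` but leaves `alpha: "v1.24"`, while the README's Implementation History now describes alpha landing across 1.25 and 1.26; worth confirming which release the `alpha:` field is meant to track.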