-
Notifications
You must be signed in to change notification settings - Fork 107
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add a proposal to remove rootful VMs feature #248
base: main
Are you sure you want to change the base?
Conversation
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
SGTM
Let`s state the timeline that we would like to achieve but is subject to change if any regression is found.
# Overview | ||
|
||
Currently, KubeVirt supports both rootful and non-root VMs. | ||
Since [kubevirt/kubevirt#8563](https://github.com/kubevirt/kubevirt/pull/8563) was merged, non-root VMs are the default |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe mention version 0.59
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
## Motivation | ||
|
||
Rootful VMs are less secure, pose a maintenance burden and are not tested when PRs are submitted | ||
since [kubevirt/project-infra#2646](https://github.com/kubevirt/project-infra/pull/2646). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please, mention a Kubevirt version
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
|
||
# Design | ||
|
||
1. Remove the `NonRootExperimental` feature gate. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would expect "deprecation" phase
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
66ded47
to
eb8ba7d
Compare
@mjudeikis FYI, we think you mentioned issues on your side with deprecation of the feature. Please chime in here. @alaypatel07 FYI too |
As mentioned during the community call, we just started looking to adopt Kubevirt. The main concern would be the ability to run legacy workloads (lift and shift). And for us it's too early to tell definitively if this will be a concern or not. And to be honest. Im wondering how my ex-team within your organization dealing with "hyper-converged infrastructure customers and migrations will take this one? Did you manage to get any feedback internally from field teams using this? Considering the timeline of how this is being proposed (1.1.0 rc already cut) and not blocking something on "what ifs" as of yet, would it be feasible to push this into the 1.3 release for depreciation and 1.4 for code removal? We might be able to get more feedback once the dust from Kubecon settles down and people get back to normal working hours. This would give the community (including us) more time to provide feedback on this and understand the impact. |
Signed-off-by: Orel Misan <[email protected]>
eb8ba7d
to
a90465e
Compare
Change: Update deprecation version to 1.3.0, removal version to 1.4.0. |
/cc @rmohr |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with /lifecycle stale |
/remove-lifecycle stale |
@jean-edouard @xpivarc @rmohr @fabiand |
@aburdenthehand hey I am considering the implications of what will break with removal of this feature. The usecase being considered is a KubeVirt stack installed with gpu-device plugins. The device plugins require the pods to mount certain node level devices/files which needs rootful feature. It is on my plate to experiment what will break when using the device plugins with non-root VMIs. Will updates this proposal with the experiments, but need some more time before merging this proposal |
Hello @mjudeikis, I wanted to check in with you regarding your previous concerns about the proposal. |
Can this wait until DRA (Dynamic Resource Allocation) reaches Beta? Root support allows end-users to work around the current device-plugin limitations that will go away with DRA, and I don't think Beta is too far away... kubernetes/enhancements#3063. |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with /lifecycle stale |
/remove-lifecycle stale |
@rthallisey @alaypatel07 are your concerns still valid? Any objection to moving forward with this? Thank you |
The concerns are still valid. DRA reached beta at the most recent KubeCon, so we're getting closer. Next, KubeVirt needs to adopt it in a release. The design proposal is in review - #331. |
@rthallisey please note that the root lanes are still on 1.29, not sure whether you folks are interested in maintaining that and keeping them by bumping? |
I opened a PR to bump the lanes to 1.31 - kubevirt/project-infra#3841 |
Currently, KubeVirt supports both rootful and non-root VMs.
Since kubevirt/kubevirt#8563 was merged, non-root VMs are the default implementation.
Rootful VMs are less secure, pose a maintenance burden and are not tested when PRs are submitted
since kubevirt/project-infra#2646.