KEP-2008: Graduate "Forensic Container Checkpointing" to GA #5090
As defined in the existing KEP the steps to graduate from Beta to GA are

CRI-O as well as containerd have to have implemented the corresponding CRI APIs:

- [x] CRI-O
- [x] containerd

Ensure that e2e tests are working with

- [x] CRI-O
- [x] containerd

Both requirements are fulfilled. containerd supports the corresponding CRI APIs since 2.0 and CRI-O since 1.25.

Tests are also running according to https://storage.googleapis.com/k8s-triage/index.html?test=checkpoint#a3361808c39a7eb28162

Signed-off-by: Adrian Reber <[email protected]>
/ok-to-test
@@ -354,6 +359,14 @@ We expect no non-infra related flakes in the last month as a GA graduation crite | |||
features enabled with CRI-O, no results have been collected and tests have | |||
been skipped. | |||
|
|||
- Since the release of containerd 2.0 and CRI-O 1.25 and since the graduation of |
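Review bot: the unchanged context directly above the added bullet still reads "no results have been collected and tests have been skipped" for CRI-O, while the new bullet opens with "Since the release of containerd 2.0 and CRI-O 1.25". If the bullet records that the e2e tests now run on both runtimes, date or reword the older sentence so the section does not state both, and link the test results against which the criterion in the hunk header ("no non-infra related flakes in the last month") is judged.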
@SergeyKanzhelev @mikebrow @samuelkarp do you think containerd 2.0 is new enough to consider the checkpoint CRI API GA?
Let's add the changes discussed in sig-node weekly meeting to make this opt-in through config at GA. Thanks!
cc @tallclair I guess making this opt in for GA would also help this CVE. As of now I read that the disablement of the checkpoint feature gate is the recommended approach to mitigate the CVE.
The issue is already fixed in v1.33, so we don't need to worry about mitigation strategies for this specific issue going forward. There may still be general concerns with checkpoints filling up the disk though, so cluster provisioners may still want to disable it.