Skip to content

KEP-4006: Updated KEP for 1.35 #5524

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

KEP-4006: Updated KEP for 1.35 #5524

wants to merge 1 commit into from
+32 −28

Conversation

seans3
Copy link
Contributor

@seans3 seans3 commented Sep 9, 2025
edited
Loading

  • Updates KEP to reflect moving WebSockets functionality to GA in v1.35
  • Removes stale requirement to add WebSockets communication leg from the API Server to the Kubelet.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Sep 9, 2025
@k8s-ci-robot k8s-ci-robot requested a review from jpbetz September 9, 2025 19:20
@k8s-ci-robot k8s-ci-robot added the kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory label Sep 9, 2025
@k8s-ci-robot k8s-ci-robot requested a review from sttts September 9, 2025 19:20
@k8s-ci-robot k8s-ci-robot added sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Sep 9, 2025
@seans3 seans3 changed the title Updated WebSockets KEP to move to GA in 1.35 KEP-4006: Updated KEP to move to GA in 1.35 Sep 9, 2025
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: seans3
Once this PR has been reviewed and has the lgtm label, please assign deads2k for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@seans3 seans3 mentioned this pull request Sep 9, 2025
Open
12 tasks
@seans3
Copy link
Contributor Author

seans3 commented Sep 9, 2025

/assign @liggitt
/assign @aojea

aojea
aojea reviewed Sep 9, 2025
View reviewed changes
keps/sig-api-machinery/4006-transition-spdy-to-websockets/README.md
-->

1. We will not make *any* changes to current WebSocket based browser/javascript clients.
2. We will not extend the WebSockets communication leg from the API Server to Kubelet (in
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think is reasonable in order to avoid keeping this KEP and feature gate for longer, this has already an immediate positive impact by allowing the entire ecosystem to use websockets against the apiserver instead of a deprecated protocol like SPDY, with almost zero support for most of the load balancers causing a lot of friction.

@aojea
Copy link
Member

aojea commented Sep 9, 2025

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 9, 2025
@liggitt
Copy link
Member

liggitt commented Sep 10, 2025

I do think we should resolve the user-visible permissions change related to kubectl exec / attach / portforward - see kubernetes/kubernetes#133515 (comment)

The permissions required by kubectl changed from create to get ... I think we should consider adding a second authz check for create permission specifically to exec / attach / portforward when entering via the GET path.

@k8s-ci-robot
Copy link
Contributor

New changes are detected. LGTM label has been removed.

@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 15, 2025
aojea
aojea reviewed Sep 15, 2025
View reviewed changes
keps/sig-api-machinery/4006-transition-spdy-to-websockets/README.md Outdated

- `kubectl` environment variables and API Server feature gates are locked to on by default.
- Deprecate `kubectl` environment variables and API Server feature gates for future removal.
- Address RBAC authorization for WebSocket upgrades. The mechanism must be compatible with existing authorization rules for subresources (e.g., `pods/exec`) that are typically enforced on POST requests.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@liggitt for your comment in kubernetes/kubernetes#133515 (comment) and your code there is unclear to me if you want to rollout this authoritzation compatibility as a separate gate or making this GA but not locked by default during one cycle.

Copy link
Member

@liggitt liggitt Sep 16, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we need a separate gate, but we can add a few sentences in this KEP about that gate and it's purpose, since it's sort of prompted by the kubectl switch to websockets.

I'd like to get that merged as a prereq for indicating work on this KEP is complete / GA

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. I have updated the KEP to indicate GA in 1.36.
  2. I have added a separate feature gate ForceRBACCreateCheck for the additional CREATE authz check. This functionality is a prerequisite for GA.

Please let me know what you think.

@seans3 seans3 changed the title KEP-4006: Updated KEP to move to GA in 1.35 KEP-4006: Updated KEP for 1.35 Sep 18, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@liggitt liggitt liggitt left review comments

@aojea aojea aojea left review comments

@jpbetz jpbetz Awaiting requested review from jpbetz

@sttts sttts Awaiting requested review from sttts

Assignees

@liggitt liggitt

@aojea aojea

Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@seans3 @k8s-ci-robot @aojea @liggitt