Add a proposal to remove rootful VMs feature #248
Conversation
kubevirt-bot
added
the
dco-signoff: yes
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
| # Overview | ||
|
|
||
| Currently, KubeVirt supports both rootful and non-root VMs. | ||
| Since [kubevirt/kubevirt#8563](https://github.com/kubevirt/kubevirt/pull/8563) was merged, non-root VMs are the default |
| ## Motivation | ||
|
|
||
| Rootful VMs are less secure, pose a maintenance burden and are not tested when PRs are submitted | ||
| since [kubevirt/project-infra#2646](https://github.com/kubevirt/project-infra/pull/2646). |
There was a problem hiding this comment.
Please, mention a Kubevirt version
|
|
||
| # Design | ||
|
|
||
| 1. Remove the `NonRootExperimental` feature gate. |
There was a problem hiding this comment.
I would expect "deprecation" phase
orelmisan
force-pushed
the
rootful-vms-support-removal
branch
from
66ded47
to
eb8ba7d
Compare
|
@mjudeikis FYI, we think you mentioned issues on your side with deprecation of the feature. Please chime in here. @alaypatel07 FYI too |
|
As mentioned during the community call, we just started looking to adopt Kubevirt. The main concern would be the ability to run legacy workloads (lift and shift). And for us it's too early to tell definitively if this will be a concern or not. And to be honest. Im wondering how my ex-team within your organization dealing with "hyper-converged infrastructure customers and migrations will take this one? Did you manage to get any feedback internally from field teams using this? Considering the timeline of how this is being proposed (1.1.0 rc already cut) and not blocking something on "what ifs" as of yet, would it be feasible to push this into the 1.3 release for depreciation and 1.4 for code removal? We might be able to get more feedback once the dust from Kubecon settles down and people get back to normal working hours. This would give the community (including us) more time to provide feedback on this and understand the impact. |
Signed-off-by: Orel Misan <omisan@redhat.com>
orelmisan
force-pushed
the
rootful-vms-support-removal
branch
from
eb8ba7d
to
a90465e
Compare
|
Change: Update deprecation version to 1.3.0, removal version to 1.4.0. |
|
/cc @rmohr |
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with /lifecycle stale |
kubevirt-bot
added
the
lifecycle/stale
|
/remove-lifecycle stale |
kubevirt-bot
removed
the
lifecycle/stale
|
@jean-edouard @xpivarc @rmohr @fabiand |
|
@aburdenthehand hey I am considering the implications of what will break with removal of this feature. The usecase being considered is a KubeVirt stack installed with gpu-device plugins. The device plugins require the pods to mount certain node level devices/files which needs rootful feature. It is on my plate to experiment what will break when using the device plugins with non-root VMIs. Will updates this proposal with the experiments, but need some more time before merging this proposal |
Hello @mjudeikis, I wanted to check in with you regarding your previous concerns about the proposal. |
|
Can this wait until DRA (Dynamic Resource Allocation) reaches Beta? Root support allows end-users to work around the current device-plugin limitations that will go away with DRA, and I don't think Beta is too far away... kubernetes/enhancements#3063. |
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with /lifecycle stale |
kubevirt-bot
added
the
lifecycle/stale
|
/remove-lifecycle stale |
kubevirt-bot
removed
the
lifecycle/stale
Currently, KubeVirt supports both rootful and non-root VMs.
Since kubevirt/kubevirt#8563 was merged, non-root VMs are the default implementation.
Rootful VMs are less secure, pose a maintenance burden and are not tested when PRs are submitted
since kubevirt/project-infra#2646.