
Forbid setting AllAlpha FeatureGate with Kubernetes 1.31 #10356

Closed
dimityrmirchev opened this issue Aug 20, 2024 · 6 comments
Labels
area/security Security related kind/enhancement Enhancement, improvement, extension triage/needs-information Indicates an issue needs more information in order to work on it.

Comments

@dimityrmirchev
Member

How to categorize this issue?

/area security
/kind enhancement

What would you like to be added:
I propose that we forbid setting the feature gate AllAlpha with Kubernetes version >= 1.31. Users will still be able to explicitly enable alpha feature gates if they want to. See https://github.com/kubernetes/kubernetes/blob/b8dcc2c983ab93440c4ad598f51ce2ab5bcf3cce/staging/src/k8s.io/component-base/featuregate/feature_gate.go#L49

Why is this needed:
Setting AllAlpha to true is not recommended and should be avoided, especially in production environments. This change is in sync with rule 242400 of the DISA Kubernetes STIG.
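As an added illustration of the check this issue proposes (example code written for this page, not Gardener's own validation code), the following Go snippet rejects a shoot spec that sets the AllAlpha feature gate on Kubernetes 1.31 or newer, while leaving individually named feature gates untouched so that a specific alpha feature can still be enabled explicitly. The function names (`validateFeatureGates`, `allAlphaForbidden`, `parseMajorMinor`), the version threshold constants and the sample gate map are assumptions made for this example; the decision to reject AllAlpha whether it is set to true or false follows the wording "forbid setting" in the proposal.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// allAlphaGate is the Kubernetes meta feature gate that switches on every
// alpha feature at once; the proposal is to reject it for clusters on 1.31+.
const allAlphaGate = "AllAlpha"

// Threshold version from which setting AllAlpha is rejected.
// Assumed from the proposal in this issue (Kubernetes >= 1.31).
const (
	forbiddenFromMajor = 1
	forbiddenFromMinor = 31
)

// parseMajorMinor extracts the major and minor numbers from a Kubernetes
// version string such as "1.31.2", "v1.31.0" or "1.31.0-rc.1".
func parseMajorMinor(version string) (int, int, error) {
	parts := strings.Split(strings.TrimPrefix(version, "v"), ".")
	if len(parts) < 2 {
		return 0, 0, fmt.Errorf("invalid Kubernetes version %q", version)
	}
	major, err := strconv.Atoi(parts[0])
	if err != nil {
		return 0, 0, fmt.Errorf("invalid major version in %q: %w", version, err)
	}
	minor, err := strconv.Atoi(parts[1])
	if err != nil {
		return 0, 0, fmt.Errorf("invalid minor version in %q: %w", version, err)
	}
	return major, minor, nil
}

// allAlphaForbidden reports whether the given Kubernetes version is at or
// above the threshold from which AllAlpha must be rejected.
func allAlphaForbidden(version string) (bool, error) {
	major, minor, err := parseMajorMinor(version)
	if err != nil {
		return false, err
	}
	if major != forbiddenFromMajor {
		return major > forbiddenFromMajor, nil
	}
	return minor >= forbiddenFromMinor, nil
}

// validateFeatureGates is a hypothetical admission-style check. It rejects any
// explicit setting of AllAlpha (true or false) on Kubernetes >= 1.31, but does
// not inspect other gates, so operators can still enable a named alpha feature.
func validateFeatureGates(gates map[string]bool, k8sVersion string) []error {
	var errs []error
	value, set := gates[allAlphaGate]
	if !set {
		return errs
	}
	forbidden, err := allAlphaForbidden(k8sVersion)
	if err != nil {
		// An unparsable version cannot be proven safe, so fail closed.
		return append(errs, err)
	}
	if forbidden {
		errs = append(errs, fmt.Errorf("feature gate %s=%t must not be set for Kubernetes %s (>= %d.%d)",
			allAlphaGate, value, k8sVersion, forbiddenFromMajor, forbiddenFromMinor))
	}
	return errs
}

func main() {
	// Constructed sample spec: the cluster requests AllAlpha plus one named gate.
	gates := map[string]bool{"AllAlpha": true, "SomeAlphaFeature": true}
	for _, version := range []string{"1.30.4", "v1.31.0"} {
		errs := validateFeatureGates(gates, version)
		fmt.Printf("Kubernetes %s: %d validation error(s)\n", version, len(errs))
		for _, e := range errs {
			fmt.Println("  ", e)
		}
	}
}
```

Failing closed on an unparsable version string is deliberate: a validation rule that silently passes when it cannot determine the cluster version would defeat its purpose.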

@gardener-prow gardener-prow bot added area/security Security related kind/enhancement Enhancement, improvement, extension labels Aug 20, 2024
@LucaBernstein LucaBernstein added the triage/needs-information Indicates an issue needs more information in order to work on it. label Nov 6, 2024
@LucaBernstein
Member

@dimityrmirchev Do you still plan to follow up on this topic?
@rfranzke Any further opinions from your side on this?

@dimityrmirchev
Member Author

In an internal discussion colleagues presented arguments against disallowing the AllAlpha feature gate. Mainly the fact that users can still enable Alpha features even if AllAlpha is forbidden.

I am fine with closing the issue, but will leave it open so others can also share their opinion if they want to do so. For the sake of completeness I am adding my additional findings regarding how some of the big cloud providers handle this topic:

It seems that Gardener offers more flexibility in comparison to the mentioned Kubernetes offerings.

@JordanJordanov
Member

From a security point of view AllAlpha is a nightmare. Explicitly enabling alpha features one by one seems to be the more reasonable approach. The AllAlpha feature gate is not even documented on the feature gates page.
I see the risk it introduces as bigger compared to the value it brings (just a security inclined opinion).

@rfranzke
Member

rfranzke commented Nov 7, 2024

I don't think this has much value unless we disallow alpha features in general. Hence, I vote for doing nothing and closing the issue.

@dimityrmirchev
Member Author

OK, let's close this for now.

/close

@gardener-prow gardener-prow bot closed this as completed Nov 11, 2024
Contributor

gardener-prow bot commented Nov 11, 2024

@dimityrmirchev: Closing this issue.

In response to this:

OK, let's close this for now.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
