Feature gates page mentions Docker runtime

[sftim]

This is a Bug Report

Problem:

Some of the feature gates mention Docker. Docker integration (via dockershim) is deprecated

Proposed Solution: For the one deprecated gate where the description mentions Docker:

• Accelerators (deprecated)

then revise the feature gate description to explain that it provided an early form of device plugin support, that it's no longer available, and link to https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/

For each other gate name where the docs mention Docker:

• AppArmor (beta)
• ExperimentalHostUserNamespaceDefaulting (beta)

establish whether the feature gate makes sense after the dockershim is removed. If the feature gate still makes sense, reword the description to be neutral to the container runtime. If the gate is in use but no longer makes sense, file an issue against Kubernetes itself to make sure that the gate is removed.

:information_source: Note that in the feature gates page, deprecated really means “out of use”. Turning on any available deprecated feature gate has no effect; Kubernetes behaves as if you turned the feature off. Many “deprecated” feature gates aren't settable at all in current Kubernetes.

Page to Update: https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/

Additional Information: /sig node

[jihoon-seo]

/triage accepted

[SubhasmitaSw]

/assign

[SubhasmitaSw]

In order to proceed with the docs dockershim removal, the docker mentions in the feature gates specifically ExperimentalHostUserNamespaceDefaulting (beta) shows an obsolete feature flag, see #76982, to be able to use this particular feature, this issue must be addressed.

[chris-short]

Hey @SubhasmitaSw the last message is a little confusing to me. If they're ripping out ExperimentalHostUserNamespaceDefaulting at some point in the future, can we just add 'beta/to be obsoleted' to the docs or should we wait on engineers to pull the docs out at the appropriate time?

cc @nate-double-u @sftim

[SubhasmitaSw]

Hey @SubhasmitaSw the last message is a little confusing to me. If they're ripping out ExperimentalHostUserNamespaceDefaulting at some point in the future, can we just add 'beta/to be obsoleted' to the docs or should we wait on engineers to pull the docs out at the appropriate time?

cc @nate-double-u @sftim

@chris-short I believe I don't have enough knowledge to answer this but for the above message I was specifically referring to the Docker 'ExperimentalHostUserNamespaceDefaulting' feature alternative, for containerd, which has an existing PR to add it but lack of operations rendered it obsolete and the feature was not added. That may have an impact when people switch from Docker to other container runtimes.

[sftim]

ExperimentalHostUserNamespaceDefaulting still has this description that, yep, still mentions Docker:

Enabling the defaulting user namespace to host. This is for containers that are using other host namespaces, host mounts, or containers that are privileged or using specific non-namespaced capabilities (e.g. MKNODE, SYS_MODULE etc.). This should only be enabled if user namespace remapping is enabled in the Docker daemon.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[vaibhav2107]

/remove-lifecycle stale

[sftim]

Can I check if somebody is working on this?

[sftim]

One more thing to fix, as far as I can see:

`ExperimentalHostUserNamespaceDefaulting`: Enabling the defaulting user namespace
to host. This is for containers that are using other host namespaces, host mounts, or
containers that are privileged or using specific non-namespaced capabilities
(e.g. `MKNODE`, `SYS_MODULE` etc.). This should only be enabled if user namespace
remapping is enabled in the Docker daemon.

I think the fix is to change “Docker daemon” to “container runtime”, but I'm not sure.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[vaibhav2107]

/remove-lifecycle stale

[vaibhav2107]

@SubhasmitaSw Are you still working on this issue?

[SubhasmitaSw]

@vaibhav2107 You can take it up, not having the bandwidth to come back to this.

/unassign

[sftim]

Help is welcome.

[Aaina26]

For App Armor I think the AppArmor(beta) can be removed. This feature is still in use and is stable from this release.

[Aaina26]

For ExperimentalHostUserNamespaceDefaulting feature flag, I see that there is an issue raised through which a PR to deprecate the flag has been merged. So, I think it is safe to remove it as well.

I can work on this issue @sftim once the issue for this flag has been closed. It will be a confirmation for me. I can confirm in sig node as well if you suggest.