Add a proposal to remove rootful VMs feature

[orelmisan]

Currently, KubeVirt supports both rootful and non-root VMs. Since kubevirt/kubevirt#8563 was merged, non-root VMs are the default implementation.

Rootful VMs are less secure, pose a maintenance burden and are not tested when PRs are submitted since kubevirt/project-infra#2646.

[kubevirt-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Once this PR has been reviewed and has the lgtm label, please assign rmohr for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files: - **[OWNERS](https://github.com/kubevirt/community/blob/main/OWNERS)** Approvers can indicate their approval by writing `/approve` in a comment Approvers can cancel approval by writing `/approve cancel` in a comment

[orelmisan]

/cc @acardace @xpivarc @enp0s3

[dhiller]

@mjudeikis FYI, we think you mentioned issues on your side with deprecation of the feature. Please chime in here.

@alaypatel07 FYI too

[mjudeikis]

As mentioned during the community call, we just started looking to adopt Kubevirt. The main concern would be the ability to run legacy workloads (lift and shift). And for us it's too early to tell definitively if this will be a concern or not. And to be honest. Im wondering how my ex-team within your organization dealing with "hyper-converged infrastructure customers and migrations will take this one? Did you manage to get any feedback internally from field teams using this?

Considering the timeline of how this is being proposed (1.1.0 rc already cut) and not blocking something on "what ifs" as of yet, would it be feasible to push this into the 1.3 release for depreciation and 1.4 for code removal? We might be able to get more feedback once the dust from Kubecon settles down and people get back to normal working hours.

This would give the community (including us) more time to provide feedback on this and understand the impact.

[orelmisan]

Change: Update deprecation version to 1.3.0, removal version to 1.4.0.

[orelmisan]

/cc @rmohr

[kubevirt-bot]

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[orelmisan]

/remove-lifecycle stale

[aburdenthehand]

@jean-edouard @xpivarc @rmohr @fabiand It looks like there's nothing outstanding for this proposal. Are we okay to merge?

[alaypatel07]

@aburdenthehand hey I am considering the implications of what will break with removal of this feature. The usecase being considered is a KubeVirt stack installed with gpu-device plugins. The device plugins require the pods to mount certain node level devices/files which needs rootful feature. It is on my plate to experiment what will break when using the device plugins with non-root VMIs. Will updates this proposal with the experiments, but need some more time before merging this proposal

[orelmisan]

As mentioned during the community call, we just started looking to adopt Kubevirt. The main concern would be the ability to run legacy workloads (lift and shift). And for us it's too early to tell definitively if this will be a concern or not. And to be honest. Im wondering how my ex-team within your organization dealing with "hyper-converged infrastructure customers and migrations will take this one? Did you manage to get any feedback internally from field teams using this?

Considering the timeline of how this is being proposed (1.1.0 rc already cut) and not blocking something on "what ifs" as of yet, would it be feasible to push this into the 1.3 release for depreciation and 1.4 for code removal? We might be able to get more feedback once the dust from Kubecon settles down and people get back to normal working hours.

This would give the community (including us) more time to provide feedback on this and understand the impact.

Hello @mjudeikis, I wanted to check in with you regarding your previous concerns about the proposal. Have they been resolved?

[rthallisey]

Can this wait until DRA (Dynamic Resource Allocation) reaches Beta? Root support allows end-users to work around the current device-plugin limitations that will go away with DRA, and I don't think Beta is too far away... https://github.com/kubernetes/enhancements/issues/3063.

[kubevirt-bot]

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[orelmisan]

/remove-lifecycle stale

[jean-edouard]

@rthallisey @alaypatel07 are your concerns still valid? Any objection to moving forward with this? Thank you