@@ -590,14 +590,10 @@ use container runtime versions that have the needed changes.
590590
591591##### Beta
592592
593- - Make plans on whether, when, and how to enable by default
594-
595- ###### Open Questions
596-
597- - Should we reconsider making the mappings smaller by default?
598- - Should we allow any way for users to for "more" IDs mapped? If yes, how many more and how?
599- - Should we allow the user to ask for specific mappings?
600- - Get review from VM container runtimes maintainers
593+ - Gather and address feedback from the community
594+ - Be able to configure UID/GID ranges to use for pods
595+ - Get review from VM container runtimes maintainers (not blocker, as VM runtimes should just ignore
596+ the field, but nice to have)
601597
602598##### GA
603599
@@ -1288,15 +1284,23 @@ KEPs can explore this path if they so want to.
12881284
12891285### 64k mappings?
12901286
1291- We will start with mappings of 64K. Tim Hockin, however, has expressed
1292- concerns. See more info on [ this Github discussion] ( https://github.com/kubernetes/enhancements/pull/3065#discussion_r781676224 )
1293- SergeyKanzhelev [ suggested a nice alternative] ( https://github.com/kubernetes/enhancements/pull/3065#discussion_r807408134 ) ,
1294- to limit the number of pods so we guarantee enough spare host UIDs in case we
1295- need them for the future. There is no final decision yet on how to handle this.
1296- For now we will limit the number of pods, so the wide mapping is not
1297- problematic, but [ there are downsides to this too] ( https://github.com/kubernetes/enhancements/pull/3065#discussion_r812806223 )
1287+ We discussed using shorter or even allowing for longer mappings in the past. The decision is to use
1288+ 64k mappings (IDs from 0-65535 are mapped/valid in the pod).
12981289
1299- For stateless pods this is of course not an issue.
1290+ The reasons to consider smaller mappings were valid only before idmap mounts was merged into the
1291+ kernel. However, idmap mounts is merged for some years now and we require it, making those reasons
1292+ void.
1293+
1294+ The issues without idmap mounts in previous iterations of this KEP, is that the IDs assigned to a
1295+ pod had to be unique for every pod in the cluster, easily reaching a limit when the cluster is "big
1296+ enough" and the UID space runs out. However, with idmap mounts the IDs assigned to a pod just needs
1297+ to be unique within the node (and with 64k ranges we have 64k pods possible in the node, so not
1298+ really an issue). IOW, by using idmap mounts, we changed the IDs limit to be node-scoped instead of
1299+ cluster-wide/cluster-scoped.
1300+
1301+ There are no known use cases for longer mappings that we know of. The 16bit range (0-65535) is what
1302+ is assumed by all POSIX tools that we are aware of. If the need arises, longer mapping can be
1303+ considered in a future KEP.
13001304
13011305### Allow runtimes to pick the mapping?
13021306
@@ -1305,7 +1309,11 @@ mapping and have different runtimes pick different mappings. While KEP authors
13051309disagree on this, we still need to discuss it and settle on something. This was
13061310[ raised here] ( https://github.com/kubernetes/enhancements/pull/3065#discussion_r798760382 )
13071311
1308- This is not a blocker for the KEP, but it is something that can be changed later on.
1312+ Furthermore, the reasons mentioned by Tim (some nodes having CRIO, some others having containerd,
1313+ etc.) are handled correctly now. Different nodes can use different container runtimes, if a custom
1314+ range needs to be used by the kubelet, that can be configured per-node.
1315+
1316+ Therefore, this old concerned is now resolved.
13091317
13101318<!--
13111319What other approaches did you consider, and why did you rule them out? These do
0 commit comments