
Commit b64d85b

rata authored and haircommander committed
KEP-127: Note kube-apiserver will drop the field if unknown
Signed-off-by: Rodrigo Campos <[email protected]>
Signed-off-by: Peter Hunt <[email protected]>
1 parent 3766329 commit b64d85b

1 file changed: +6 -4 lines changed

keps/sig-node/127-user-namespaces/README.md

@@ -680,16 +680,17 @@ enhancement:
680680
The apiserver and kubelet feature gate enablement work fine in any combination:
681681

682682
1. If the apiserver has the feature gate enabled and the kubelet doesn't, then the pod will show
683-
that field and the kubelet will ignore it. Then, the pod is created without user namespaces.
683+
that field and the kubelet will reject it (see more details about how it is rejected on section
684+
"What specific metrics should inform a rollback?").
684685
2. If the apiserver has the feature gate disabled and the kubelet enabled, the pod won't show this
685686
field and therefore the kubelet won't act on a field that isn't shown. The pod is created without
686687
user namespaces.
687688

688689
The kubelet can still create pods with user namespaces if static-pods are configured with
689690
pod.spec.hostUsers and has the feature gate enabled.
690691

691-
If the kube-apiserver doesn't support the feature at all (< 1.25), a pod with userns will be
692-
rejected.
692+
If the kube-apiserver doesn't support the feature at all (< 1.25), the unknown field will be dropped and
693+
the pod will be created without a userns.
693694

694695
If the kubelet doesn't support the feature (< 1.25), it will ignore the pod.spec.hostUsers field.
695696

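Review bot: The rewritten paragraph at new lines 692-693 describes a downgrade of the requested isolation and should say so explicitly: when a kube-apiserver older than 1.25 drops the unknown field, a pod that asked for a user namespace through pod.spec.hostUsers is created sharing the host user namespace. Please state whether the user gets any signal that the field was dropped, and if not, that reading back the created pod and finding the field absent is how to notice. In item 1 (new lines 683-684), "the kubelet will reject it" reads as rejecting the field; if the pod is what gets rejected, write "reject the pod". Also "on section" should be "in the section", ideally as a Markdown link to that heading rather than a quoted title.
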
@@ -850,7 +851,8 @@ upgraded one, the pod will be accepted (if the apiserver is >= 1.25, rejected if
850851
If it is scheduled to a node where the kubelet has the feature flag activated
851852
and the node meets the requirements to use user namespaces, then the pod will be
852853
created with the namespace. If it is scheduled to a node that has the feature
853-
disabled, it will be created without the user namespace.
854+
disabled, it will be rejected (see more details about how it is rejected on
855+
section "What specific metrics should inform a rollback?").
854856

855857
On a rollback, pods created while the feature was active (created with user
856858
namespaces) will have to be re-created to run without user namespaces. If those
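
Review bot: The sentence carried in this hunk's @@ context ("the pod will be accepted (if the apiserver is >= 1.25, rejected if") still appears to describe rejection by an older apiserver, which conflicts with the first hunk's new wording that the unknown field is dropped and the pod is created without a userns. That line sits outside the changed range, so please check it and update it in the same commit. At new lines 854-855, "on section" should be "in the section", and since the same parenthetical now appears twice in the file, a Markdown link to the heading would be less fragile than a quoted title.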
