Explain use of pod os field #35439

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Conversation

ravisantoshgudimetla
Contributor

Identify OS authoritatively during pod admission time using pod.OS field

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. area/blog Issues or PRs related to the Kubernetes Blog subproject labels Jul 27, 2022
@k8s-ci-robot k8s-ci-robot added language/en Issues or PRs related to English language sig/docs Categorizes an issue or PR as relevant to SIG Docs. labels Jul 27, 2022
@netlify

netlify bot commented Jul 27, 2022

Pull request preview available for checking

Built without sensitive environment variables

Latest commit: 266d6c3
Latest deploy log: https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/63eebba2e5bf40000807dcd1
Deploy Preview: https://deploy-preview-35439--kubernetes-io-main-staging.netlify.app

@sftim
Contributor

sftim commented Jul 27, 2022

/retitle [WIP] Explain use of pod os field

@k8s-ci-robot k8s-ci-robot changed the title pod os field [WIP] Explain use of pod os field Jul 27, 2022
@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 27, 2022
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Aug 12, 2022
@katcosgrove
Contributor

Hi from the Comms team! Just a reminder that the Ready to Review deadline for feature blogs is Tuesday, August 16. You will also be assigned a publication date post-release. Is there anything we can do to help you right now?

onto the container runtime, it'd be better to identify the OS early in the life-cycle of pod and use the
identification mechanism consistently across all kubernetes components including `kubelet`.
With that in mind, `OS` field has been added to the pod spec in 1.23 release of kubernetes as an
alpha feature and it graduated to stable in 1.25.`PodSecurity` admission plugin has been updated to use the `OS` field.
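Review bot: "kubernetes" should be capitalised as "Kubernetes" in both "all kubernetes components" and "1.23 release of kubernetes", and "early in the life-cycle of pod" reads better as "early in the lifecycle of a Pod"; while here, the sentence starting "`OS` field has been added" needs an article ("an `os` field has been added"), using the lowercase manifest name rather than the Go struct field.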
Contributor

Suggested change
alpha feature and it graduated to stable in 1.25.`PodSecurity` admission plugin has been updated to use the `OS` field.
alpha feature and it graduated to stable in 1.25. In addition, the `PodSecurity` admission plugin has been updated to use the `OS` field.

Or something like that

Maybe a link to the admission plugin?

Contributor

The field is os. In the Golang code the capitalization is different, but to a Kubernetes end user the field name is all-lowercase.


## What problems does this solve?

Today, the `kube-apiserver` and `kubelet` while admitting pods have no notion of the OS on which the pod can run.
Contributor

Suggested change
Today, the `kube-apiserver` and `kubelet` while admitting pods have no notion of the OS on which the pod can run.
Today, at pod admission time the `kube-apiserver` and `kubelet` have no notion of the OS on which the pod can run.

Contributor

Suggested change
Today, the `kube-apiserver` and `kubelet` while admitting pods have no notion of the OS on which the pod can run.
In the first releases of Kubernetes the `kube-apiserver` did not have record any detail
about which operating system a Pod should run on. Initially, Kubernetes only supported Linux
nodes; later, Kubernetes added support for Windows nodes (stable since Kubernetes v1.14).
You could use [labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
to give the scheduler a hint about where to place your Pod, but the actual Pod API didn't track that
OS at all.

Contributor

@sftim sftim left a comment

Some early feedback.

/hold
as a valid publication date isn't assigned yet

@@ -0,0 +1,50 @@
# Identify Pod Operating System authoritatively during pod admission time
Contributor

Suggested change
# Identify Pod Operating System authoritatively during pod admission time

layout: blog
title: "Identifying pod operating system authoritatively during pod admission time"
date: 2022-07-27
slug: Identifying pod operating system authoritatively during pod admission time
Contributor

Suggested change
slug: Identifying pod operating system authoritatively during pod admission time
slug: pod-os-field-explained


**Authors:** Ravi Gudimetla (Apple)

This blog describes how to identify pod's operating system authoritatively using the `OS` field in the pod spec and how it
Contributor

Suggested change
This blog describes how to identify pod's operating system authoritatively using the `OS` field in the pod spec and how it
This article describes how to identify pod's operating system authoritatively using the `os` field in the pod spec, and how that


## What problems does this solve?

Today, the `kube-apiserver` and `kubelet` while admitting pods have no notion of the OS on which the pod can run.
Contributor

Suggested change
Today, the `kube-apiserver` and `kubelet` while admitting pods have no notion of the OS on which the pod can run.
In the first releases of Kubernetes the `kube-apiserver` did not have record any detail
about which operating system a Pod should run on. Initially, Kubernetes only supported Linux
nodes; later, Kubernetes added support for Windows nodes (stable since Kubernetes v1.14).
You could use [labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
to give the scheduler a hint about where to place your Pod, but the actual Pod API didn't track that
OS at all.

## What problems does this solve?

Today, the `kube-apiserver` and `kubelet` while admitting pods have no notion of the OS on which the pod can run.
As a result, the end user of the kubernetes cluster can set Linux specific security constraints onto Windows pods or vice-versa.
Contributor

Suggested change
As a result, the end user of the kubernetes cluster can set Linux specific security constraints onto Windows pods or vice-versa.
As a result, the end user of a Kubernetes cluster can specify Linux specific security constraints onto Windows pods, or vice-versa.



## How does it work?
A new field called `OS` has been added to the pod spec. Every object in kubernetes is validated before it
Contributor

Suggested change
A new field called `OS` has been added to the pod spec. Every object in kubernetes is validated before it
Pods now have an optional `.spec.os` field (and this is a stable feature, available in every cluster running
Kubernetes v1.25 or later). Every object in Kubernetes is validated before it

Comment on lines 31 to 32
gets persisted to etcd during API admission time, including pod object. Using the `OS` field in pod spec,
we introduced new validation which forbids Linux specific constraints to be set on Windows pods and vice-versa.
Contributor

Suggested change
gets persisted to etcd during API admission time, including pod object. Using the `OS` field in pod spec,
we introduced new validation which forbids Linux specific constraints to be set on Windows pods and vice-versa.
gets persisted to etcd during API admission time, including pod object. Kubernetes v1.25 also introduced
new validation which forbids you from setting Linux specific constraints on Windows pods and vice-versa.

- AllowPrivilegeEscalation
- Capabilities
- SeccompProfile
when `pod.Spec.OS.Name` is set to `Windows`
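Review bot: the bulleted list of `AllowPrivilegeEscalation`, `Capabilities` and `SeccompProfile` has no introductory sentence, so a reader cannot tell that these are the `securityContext` fields the new validation rejects; suggest leading with something like "The following `securityContext` fields are rejected on a Pod:" and, in the trailing clause, using the lowercase manifest value (`.spec.os.name` set to `windows`) rather than the Go constant `Windows`, since that is what users write in YAML.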
Contributor

Suggested change
when `pod.Spec.OS.Name` is set to `Windows`
when you set `.spec.os.name` for a Pod to `Windows`.



## How do I use it?
By setting `pod.Spec.OS.Name=Windows` or `pod.Spec.OS.Name=Linux`
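Review bot: `pod.Spec.OS.Name=Windows` / `Linux` is the Go struct path with Go-style casing; in a manifest the field is `spec.os.name` and the only accepted values are the lowercase `windows` and `linux`, so a user copying this line into YAML would get a validation error. Showing the YAML form would make this section usable as written.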
Contributor

Please consider providing an example manifest for a Pod.

Comment on lines 45 to 50
KEP: https://github.com/kubernetes/enhancements/issues/2802
API Changes: https://github.com/kubernetes/kubernetes/pull/104693
Contributor

Once https://kubernetes.io/docs/concepts/workloads/pods/ mentions the new field (see #35590), please link there.

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 14, 2022
@katcosgrove
Contributor

Hi there! Your assigned publication date is September 5. Thank you!

@sftim
Contributor

sftim commented Aug 22, 2022

@ravisantoshgudimetla it'd be great to get this PR ready for review. Would you like help with that?

---
layout: blog
title: "Identifying pod operating system authoritatively during pod admission time"
date: 2022-07-27
Member

Suggested change
date: 2022-07-27
date: 2022-09-05

Also please rename the file to 2022-09-05-pod-os-field.md

@reylejano
Member

Hi @ravisantoshgudimetla , this blog post is scheduled to be published next week on Sept 5.
Please have this PR at a "ready-state" (remove [WIP] from the title) and take a look at the comments and suggestions.

@sftim
Contributor

sftim commented Sep 2, 2022

(if this is ready for review, please edit the PR title or add a comment to make it clear that this work should move forward)

Contributor

@sftim sftim left a comment

Thanks. Some feedback that I recommend applying.

@sftim
Contributor

sftim commented Sep 4, 2022

@katcosgrove let's postpone this one a week - does that work?

@katcosgrove
Contributor

@sftim We can do September 12!

@sftim
Contributor

sftim commented Sep 26, 2022

@ravisantoshgudimetla we're happy to have a version of this article for the blog, but it has missed the timings for post-release blogs. Even though the timing didn't work out, I'd like to make use of the work that has gone in.

Let's aim for a new date. How about the 19th of October? Does that work?

You need to make two changes: one to the filename, and another to the date in the front matter.
Could you also recommend someone who can review the content for technical accuracy? We need to review this before we publish it, and that review needs to cover the technical side.

---
layout: blog
title: "Identifying Pod Operating System Authoritatively During Pod Admission Time"
date: 2022-09-20
Member

@reylejano reylejano Oct 4, 2022

The proposed publication date has passed; the filename also needs to be changed.

Suggested change
date: 2022-09-20
date: 2022-10-19

@reylejano
Member

Hi @kubernetes/sig-windows-leads, can we get a technical review for this blog?
Thank you

@marosset
Contributor

marosset commented Oct 4, 2022

/sig windows

@k8s-ci-robot k8s-ci-robot added the sig/windows Categorizes an issue or PR as relevant to SIG Windows. label Oct 4, 2022

In the first releases of Kubernetes the `kube-apiserver` did not record any detail about which operating system a Pod should run on. Initially, Kubernetes only supported Linux
nodes; later, Kubernetes added support for Windows nodes (stable since Kubernetes v1.14).
You could use [labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
Contributor

Maybe we should just say there are many different ways to give the scheduler a hint?
One of the more common ways is to use a nodeSelector.

Contributor Author

I'll reword it to "While Kubernetes has multiple ways to hint the scheduler about the node on which a pod needs to run, a more common way is to use nodeSelector". WDYT?

@marosset
Contributor

marosset commented Oct 4, 2022

One of the big motivating factors of having this pod os field is so that windows pods can still be scheduled with Restricted policies which require things like "containers must drop ALL capabilities".
This is called out at https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted

I think it would be good to highlight this in the blog post.
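To make the rule concrete, here is an added Python model of the admission check the draft describes and that the comment above relies on: a Pod with `.spec.os.name: windows` is rejected if it sets any of the Linux-only `securityContext` fields listed in the draft (`allowPrivilegeEscalation`, `capabilities`, `seccompProfile`), while a Windows Pod that omits them passes. This is illustration code, not the kube-apiserver's validation; `windows_os_violations` and the two manifests are constructed for it, and leaving Pods with no `os` field unchecked is this model's assumption.

```python
"""Model of the pod-admission rule described in the blog draft under review.

Added illustration only: this is not the kube-apiserver's validation code.
The sample manifests are constructed for the example.
"""
from typing import Any

# Linux-only securityContext fields the draft says are rejected on Windows Pods.
LINUX_ONLY_FIELDS = ("allowPrivilegeEscalation", "capabilities", "seccompProfile")


def windows_os_violations(pod: dict[str, Any]) -> list[str]:
    """Return the paths of Linux-only fields set on a Pod whose .spec.os.name
    is "windows". An empty list means this rule would admit the Pod.

    Assumption of this model: a Pod without .spec.os, or with os.name "linux",
    is not checked, matching the draft's point that the API server previously
    had no notion of the Pod OS and could not reject mismatched constraints.
    """
    spec = pod.get("spec", {})
    if spec.get("os", {}).get("name") != "windows":
        return []
    violations: list[str] = []
    # Pod-level securityContext (seccompProfile may be set here as well).
    pod_sc = spec.get("securityContext") or {}
    violations += [f"spec.securityContext.{f}" for f in LINUX_ONLY_FIELDS if f in pod_sc]
    # Container-level securityContext for init and regular containers.
    for kind in ("initContainers", "containers"):
        for i, container in enumerate(spec.get(kind, [])):
            sc = container.get("securityContext") or {}
            violations += [f"spec.{kind}[{i}].securityContext.{f}"
                           for f in LINUX_ONLY_FIELDS if f in sc]
    return violations


# Constructed manifests in dict form (what a YAML manifest would decode to).
WINDOWS_POD_OK: dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "win-ok"},
    "spec": {
        "os": {"name": "windows"},
        "containers": [{"name": "app", "image": "example.invalid/app:1"}],
    },
}

# Same Pod carrying the Linux-only settings a Restricted-style profile would
# otherwise demand (seccomp profile, no privilege escalation, drop ALL caps).
WINDOWS_POD_BAD: dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "win-bad"},
    "spec": {
        "os": {"name": "windows"},
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "app", "image": "example.invalid/app:1",
            "securityContext": {"allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]}},
        }],
    },
}
```

Running `windows_os_violations` over the two manifests admits `win-ok` and rejects `win-bad` with one path per offending field, which is the behaviour the draft attributes to the v1.25 validation.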

@sftim
Contributor

sftim commented Dec 19, 2022

@ravisantoshgudimetla would you be willing to revise this in light of #35439 (comment)?

@tengqm
Contributor

tengqm commented Jan 3, 2023

@ravisantoshgudimetla Ready to give this another stab?

@nitishfy
Member

@ravisantoshgudimetla Ping!

@claudiubelu

Ping @ravisantoshgudimetla. If you're not available, we can take over this PR and address the necessary changes.

@ravisantoshgudimetla
Contributor Author

ravisantoshgudimetla commented Feb 15, 2023

Hey all, I was out for the past few weeks, I can address the changes and will update this PR this week.

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign onlydole for approval. For more information see the Kubernetes Code Review Process.


@ravisantoshgudimetla
Contributor Author

One of the big motivating factors of having this pod os field is so that windows pods can still be scheduled with Restricted policies which require things like "containers must drop ALL capabilities".
This is called out at https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
I think it would be good to highlight this in the blog post.

I have added it here - https://github.com/kubernetes/website/pull/35439/files#diff-f2f020ab42d6a660ddb4835f70a43f8a64f9f50204e7ab49d0f275d76af4345cR31. PTAL

@sftim
Contributor

sftim commented Feb 23, 2023

@ravisantoshgudimetla how about a new publication date - perhaps the 14th of March 2023? If you would like to aim for that, we can see if we can get reviews to happen on the blog team side.

@natalisucks
Contributor

Adding another friendly ping here @ravisantoshgudimetla 🙂

@sftim Let's choose a new publication date – perhaps a couple of months or so away from today? That way Ravi has enough time to address feedback and the blog team have enough time in parallel to review.

@marosset
Contributor

@ravisantoshgudimetla - can you make me a collaborator on your k/website fork and then I can help push this through?

@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

  • Mark this PR as fresh with /remove-lifecycle stale
  • Close this PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jun 21, 2023
@divya-mohan0209
Contributor

/remove-lifeycycle stale

@divya-mohan0209
Contributor

@ravisantoshgudimetla : Please advise if you'd like to continue work on this PR and also, let us know of a realistic target date for publication. Additionally, it'd be great if you could grant collaborator access to @marosset as requested in the above comments. This has been in the works for a year and I'm sure you'd appreciate that we'd like to see this merged sooner rather than later.

@divya-mohan0209 divya-mohan0209 removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jul 13, 2023
@divya-mohan0209
Contributor

Hey @ravisantoshgudimetla , thank you for all your hard work on this! However, since there has been no activity on addressing the feedback despite repeated reminders we'll be closing the PR. Please feel free to reopen the PR whenever you have the bandwidth to work together so that we can get this blog published.
/close

@k8s-ci-robot
Contributor

@divya-mohan0209: Closed this PR.

In response to this:

Hey @ravisantoshgudimetla , thank you for all your hard work on this! However, since there has been no activity on addressing the feedback despite repeated reminders we'll be closing the PR. Please feel free to reopen the PR whenever you have the bandwidth to work together so that we can get this blog published.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Labels
area/blog Issues or PRs related to the Kubernetes Blog subproject cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. language/en Issues or PRs related to English language sig/docs Categorizes an issue or PR as relevant to SIG Docs. sig/windows Categorizes an issue or PR as relevant to SIG Windows. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.