Introduce WG Checkpoint Restore #8508
Welcome @adrianreber!

Hi @adrianreber. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
33e97fb to
abc1c26
Compare
/ok-to-test

Looking at #8519, I see that we are missing a charter.

In https://github.com/kubernetes/community/blob/master/sig-wg-lifecycle.md#GitHub it says to add a charter once this initial PR has been merged. That's why I skipped it.
sigs.yaml
Outdated
| the integration of Checkpoint/Restore functionality into Kubernetes. | ||
| charter_link: charter.md | ||
| stakeholder_sigs: |
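Review bot: `charter_link: charter.md` in this sigs.yaml entry references a charter that, per the discussion above, is not added in this PR. Either include charter.md in the same change or leave the link out until the follow-up PR lands, so the entry never points at a file that does not exist.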
sig auth may have a big say in security of this whole restoration pipeline
Thank you for pointing this out! Security is definitely an important topic that we need to discuss with sig-auth, both for the checkpoint API and the restoration pipeline. The following paper and master thesis describe our recent work on this topic:
I added sig auth to the list of stakeholder sigs
this showed up in the sig-auth meeting, we may have missed the discussion around this WG
if this WG is contemplating taking state from a running pod / saving it / letting it be consumed on another node or from another pod or another namespace, then sig-auth is definitely interested in making sure the permissions model around that exists and is ~consistent with similar things Kubernetes does elsewhere (like PVC / snapshots)
We're happy to consult on that, I'm not sure our awareness / involvement rises to the level of sponsoring the WG :)
cc @kubernetes/sig-auth-leads
nod.. definitely needs an extra level of security due to customer data being serialized and available in the checkpoint, esp if not encrypted, but also due to windows of opportunity to do transactions/data manipulation.. then "undo" them by restoring a checkpoint
abc1c26 to
8bc6968
Compare
Is there a slack channel where we can discuss C/R related ideas? Thanks

You are not the first to ask. We kind of are waiting for the proposal to be accepted to have a slack channel. Not sure if there is another way to have a slack channel without having the proposal merged.

@lujinda Please reach out to us in the Kubernetes slack. You can find Viktoria, Adrian, and myself there :)
I can't tell if this has been raised to all the relevant SIGs yet (via their mailinglist, slack, meetings or similar, particularly to the leads to +1)
Otherwise I think this is looking pretty good ...
@rst0git @viktoriaas are currently trying to bring this WG up in all the mentioned SIGs. Which SIGs haven't been officially informed about this?

We attended SIG Node (16.9) and SIG Scheduling (18.9.), so SIG API Machinery, SIG Auth, SIG Apps are left.

For SIG Apps I think we have @janetkuo and @soltysh on this thread, cc @kow3ns. For auth @ritazh @liggitt have commented here but I think we also need to discuss with others, x-ref https://github.com/kubernetes/community/pull/8508/files#r2274401485

Going to the meeting is a good approach, but you could also try raising to the mailinglists / slacks for earlier feedback.
da35847 to
69c0f4f
Compare
After hearing the presentation SIG Apps is +1. We don't anticipate this work, in the near term, impacting the in tree components that fall under SIG Apps. However, we think we can be advocates for users that run workloads and applications that use the infrastructure to ensure that it meets their use cases.
| * [SIG Apps](/sig-apps) | ||
| * [SIG Auth](/sig-auth) | ||
| * [SIG Node](/sig-node) | ||
| * [SIG Scheduling](/sig-scheduling) |
I see SIG Apps +1 on the comments, do we have +1 from the other 3 SIGs in the comments
@haircommander Are you the right person to +1 from SIG Node?
@viktoriaas Who at SIG scheduling did you talk to. Can they +1 here?
@rst0git plans to present at the SIG-Auth meeting on Wednesday, October 22nd.
> Who at SIG scheduling did you talk to. Can they +1 here?
@dom4ha As a follow-up on the discussion we had at the SIG-Scheduling meeting on September 18th, would you be able to add +1 for our working group?
I think an ack from sig-scheduling is still needed.
+1 from sig-scheduling. We discussed it at our SIG meeting and are looking forward to any integration with the scheduler logic.
Co-authored-by: Viktória Spišaková <spisakova@ics.muni.cz>
Co-authored-by: Antonio Ojea <antonio.ojea.garcia@gmail.com>
Co-authored-by: Sergey Kanzhelev <S.Kanzhelev@live.com>
Signed-off-by: Adrian Reber <areber@redhat.com>
69c0f4f to
cef6a0d
Compare
| - SIG Node | ||
| - SIG Scheduling | ||
| - SIG Auth | ||
| - SIG Apps |
is SIG networking a stakeholder, given details around checkpoint/restoring the network of a container?
There was some discussion above #8508 (comment)
At this point we presented our idea at all possibly involved SIGs. (I think). Anything missing to create this WG?

cc @kubernetes/steering-committee

I think all of the SIG ACKs are done and there don't seem to be suggestions / concerns raised from the related SIGs.

/lgtm

Holding for review + ACK from other steering members.
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: adrianreber, BenTheElder The full list of commands accepted by this bot can be found here. The pull request process is described here
+1 (steering)
/lgtm
(steering)
As described in sig-wg-lifecycle.md this PR is the next step after sending an email to dev@kubernetes.io about the creation of the Working Group Checkpoint Restore.
CC: @rst0git, @viktoriaas, @xhejtman