Add graduation plan

kubernetes · Jan 28, 2025 · b993cf3 · b993cf3
1 parent 0caaba0
commit b993cf3
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 5 deletions.
diff --git a/keps/sig-storage/1710-selinux-relabeling/README.md b/keps/sig-storage/1710-selinux-relabeling/README.md
@@ -680,10 +680,13 @@ All these e2e tests use only CSI volumes. All in-tree volume types that support
 * Alpha of Phase 2 + 3:
   * Implemented `SELinuxChangePolicy` **with a separate alpha feature gate `SELinuxChangePolicy`** as preparation for `SELinuxMount` feature gate graduation.
   * Implemented SELinuxController.
-* Beta of Phase 2, alpha of phase 3:
+* Beta of Phase 2 + 3 (`SELinuxChangePolicy` is beta and enabled by default; `SELinuxMount` is beta, but disabled by default).
   * Telemetry numbers from OpenShift show that <5% of clusters would need to change any of their Pods.
-* GA:
+  * This phase signalizes that the feature is ready for real testing. Only non-breaking parts (`SELinuxChangePolicy`) are enabled by default.
+* GA of Phase 2 (`SELinuxChangePolicy` + `SELinuxMountReadWriteOncePod` are GA and locked to default):
   * All known issues fixed. Otherwise, we will GA Phase 1 only.
+* GA of Phase 3 (`SELinuxMount` is GA and locked to default):
+  * At least 1 release after `SELinuxChangePolicy` is GA to give cluster admins enough time to apply `SELinuxChangePolicy` to their Pods.
   * Telemetry numbers from OpenShift show that <2% of clusters would need to change any of their Pods (i.e. most clusters already applied opt-out).
 
 ### Upgrade / Downgrade Strategy

diff --git a/keps/sig-storage/1710-selinux-relabeling/kep.yaml b/keps/sig-storage/1710-selinux-relabeling/kep.yaml
@@ -18,16 +18,17 @@ approvers:
   - "@saad-ali"
 see-also:
   - /keps/sig-storage/695-skip-permission-change/README.md
-stage: alpha
-latest-milestone: "v1.32"
+stage: beta
+latest-milestone: "v1.33"
 milestone:
   alpha: "v1.24"  # SELinuxMountReadWriteOncePod
   beta: "v1.27"   # SELinuxMountReadWriteOncePod
   stable: "v1.34" # Very optimistic plan for SELinuxMountReadWriteOncePod GA, needs SELinuxMount very close to GA
 
   # alpha: "v1.30"  # SELinuxMount
   # alpha: "v1.32"  # SELinuxChangePolicy
-
+  # beta: "v1.33"   # SELinuxChangePolicy (enabled by default)
+  # beta: "v1.33"   # SELinuxMount (disabled by default)
 feature-gates:
   - name: SELinuxMountReadWriteOncePod
     components: