Endigest AI Core Summary
This post announces the graduation of fine-grained supplemental groups control to General Availability (GA) in Kubernetes v1.35.
• By default, Kubernetes merges group memberships from /etc/group in the container image with Pod-specified groups, potentially adding implicit GIDs unknown to policy engines.
• The new supplementalGroupsPolicy field in the Pod spec offers two policies: Merge (default, backward-compatible) and Strict (only explicitly declared group IDs are attached).
• With the Strict policy, implicit groups from /etc/group are excluded, preventing unexpected volume access control issues.
• The feature also exposes the actual process identity via .status.containerStatuses[].user.linux for improved transparency.
• The Strict policy requires containerd v2.0+ or CRI-O v1.31+; runtime support can be verified via the Node's status.features.supplementalGroupsPolicy.
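As an added illustration (not taken from the summarized article or from the Kubernetes project itself), the two manifests below run the same workload under each policy. The image name and the extra GID mentioned in the comments are constructed placeholders; the field path spec.securityContext.supplementalGroupsPolicy and the values Merge and Strict are the ones the feature defines.

```yaml
# Pod 1: default behaviour (Merge). If /etc/group inside the image lists
# uid 1000 as a member of further groups (say GID 50000, a constructed value),
# those GIDs are attached to the process in addition to 3000 and 4000,
# and nothing in this manifest tells a policy engine about them.
apiVersion: v1
kind: Pod
metadata:
  name: merge-demo
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    supplementalGroups: [4000]
    # supplementalGroupsPolicy is omitted, so Merge applies
  containers:
  - name: app
    image: registry.example/app:1.0   # placeholder image
    command: ["sh", "-c", "id; sleep 3600"]
---
# Pod 2: Strict. Only the GIDs declared here (runAsGroup 3000 and
# supplementalGroups 4000, plus fsGroup if one were set) are attached;
# the /etc/group lookup in the image is skipped entirely.
apiVersion: v1
kind: Pod
metadata:
  name: strict-demo
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    supplementalGroups: [4000]
    supplementalGroupsPolicy: Strict
  containers:
  - name: app
    image: registry.example/app:1.0   # placeholder image
    command: ["sh", "-c", "id; sleep 3600"]
```

Before scheduling a Strict pod, confirm the node's runtime advertises support, for example with `kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.features.supplementalGroupsPolicy}{"\n"}{end}'`. Once a pod is running, `kubectl get pod strict-demo -o jsonpath='{.status.containerStatuses[0].user.linux}'` reports the uid, gid and supplementalGroups the kubelet actually applied, which is the value to compare against what an admission policy approved rather than the output of `id` inside the container.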
This summary was automatically generated by AI based on the original article and may not be fully accurate.