-
Notifications
You must be signed in to change notification settings - Fork 24
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update standard K8s version policy #334
Conversation
d4af8fc
to
31324f5
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Two points on language:
- Standards should not make extensive use of "probably" or "we believe". We need to clarify these things until we are convinced. And then just make statements what is expected.
- relative clause "The reason that XYZ can be done is ..." do not have commas in English
Two on the content:
- This has been toned down into mere recommendations while the original intention was to have stronger language MUST. Did we agree as a team to really make it so soft? How much value remains then if customers can not rely on anything even if the container SCS-compatible cert has been granted?
- There seems to be confusion about support period for minor versions that puzzles me. Let's clarify this!
Answering to #334 (review) and #334 (comment) since they ask the same things: So I had a misunderstanding on how this K8s providing should work, since I thought that would be the provided version for things like managed K8s clusters.
I think what I would want to know here to clear that up: I would continue here if these things are cleared up, since I think they're essential to continuing. |
I assume that even in managed k8s offerings, the k8s version updates are normally done only with the user's consent. So, looking at a cluster and determine its level of outdatedness may be useful, but does not provide important insight into standards compliance. (Well, if it is recent, we may be able to conclude that the operator is SCS-compatible, but the outdatedness does not mean that he's not.) Instead, we need to ensure that the latest patchlevel (with a delay of less than a week) is available. I agree that testing this is difficult.
Now, this is all specific to our reference implementation, unfortunately. |
Ok I think I understand the intention behind all of this, but doesn't this still make the first test for k8s cluster recency incorrect, since the test is only applied to a cluster and we shouldn't look for a version recency in a cluster, since this is seemingly up to the user? |
Made an update to the text. |
More information can be found under [Kubernetes Support Period]. | ||
|
||
The Kubernetes releases are planned for about 4 months, which usually results in about | ||
**3 minor** releases per year [Kubernetes Release Cycle]. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
**3 minor** releases per year [Kubernetes Release Cycle]. | |
**3 minor** releases per year [Kubernetes Release Cycle](https://kubernetes.io/releases/release/). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I just recognized, that links are listed at the end of the document. Is this a common practice in SCS standards?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No. Linking docs that explain a statement or term is best be done in place. A link I would click if I need an explanation or definition or want to see the source of truth for a statement.
A references section at the end is more for further reading or background reading (in case I'm new to the topic).
Also link to related content, e.g. related standards.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we really put links in different locations depending on their relation to the standard? I would rather try to put everything in the final section and check if the link nevertheless works in the document itself.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In favor of readability, I would add links in place. And put, as @garloff mentioned, additional documents, not related to a special term, at the bottom of the document.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Put the links in the text.
Right. The mere existence of a cluster with outdated k8s version in it does not indicate a failure to comply with the SCS-compatibility. (For a managed k8s scenario, I would expect a provider to push customers to agree to upgrading at some point though, but we have no recommended let alone mandatory policies for this at this point.) A test would look like this:
|
Well ... we currently don't offer k8s-v1.28.x officially yet, as capo does not officially support k8s-v1.28 yet. |
@garloff thanks for your comments, they make this issue and standard more clear to me. |
Update the text a bit more and rebased the whole branch in order to include the latest changes from main. |
8d3ccba
to
f3c45de
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
247fa57
to
5ffca2c
Compare
2302730
to
bd7c6df
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry if I have missed a prior answer or discussion.
But I believe that we've had discussed mandatory requirements for version recency before. These are useful, as it allows users to know which versions she can rely on as available on all KaaS platforms that are certified as SCS-compatible on the container layer. As user, it would make my live easier, as I can then decide for validating my workload on a k8s versions that I know must be available on all SCS-compatible KaaS solutions. A should does not provide this guarantee.
So were there reasons for watering this down where I missed a discussion?
Was there a discussion that resulted in g=convincing reasons that we are really
In order to keep up-to date with the latest Kubernetes features, bug fixes and security improvements, | ||
the provided Kubernetes versions should be kept up to date with the upstream. | ||
|
||
- The latest minor version SHOULD be provided no later than 4 months after release. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why is this not a MUST?
4 months is plenty of time to get the latest minor release built, validated, fixed (if needed, which is normally not the case) and published.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To answer all of the MUST questions, I had a grave misunderstanding with the way how MUST and SHOULD are used. In my mind, they were equal, but after reading the RFC document regarding MUST / SHOULD / ... I can see my mistake.
And you're right, all of the ones you pointed out should be MUST.
the provided Kubernetes versions should be kept up to date with the upstream. | ||
|
||
- The latest minor version SHOULD be provided no later than 4 months after release. | ||
- The latest patch version SHOULD be provided no later than 1 week after release. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe we can make this a MUST as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See #334 (comment)
- The latest patch version SHOULD be provided no later than 1 week after release. | ||
- This time period MUST be even shorter for patches that target critical CVEs (CVSS >= 8). | ||
It is RECOMMENDED to provide a new patch version in a 2 day time period after their release. | ||
- New versions SHOULD be tested before being rolled out on productive infrastructure; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
MUST?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See #334 (comment)
- This time period MUST be even shorter for patches that target critical CVEs (CVSS >= 8). | ||
It is RECOMMENDED to provide a new patch version in a 2 day time period after their release. | ||
- New versions SHOULD be tested before being rolled out on productive infrastructure; | ||
at least the CNCF E2E tests should be passed beforehand. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
could be a MUST as well (and if we want to be generous, we could allow failed e2e tests to be listed in a release note rather than requiring 100% pass rate).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See #334 (comment)
Also I think you're right about the generosity of passed tests, but I'm not really sure how to properly display this in Release notes.
- New versions SHOULD be tested before being rolled out on productive infrastructure; | ||
at least the CNCF E2E tests should be passed beforehand. | ||
|
||
At the same time, provider should support Kubernetes versions at least as long as the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Again, I would make this a MUST.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See #334 (comment)
At the same time, provider should support Kubernetes versions at least as long as the | ||
official sources as mentioned in the [Kubernetes Support Period](https://kubernetes.io/releases/patch-releases/#support-period). | ||
|
||
- Kubernetes versions SHOULD be supported as long as the official sources support them. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm, looks duplicate to the sentence before.
And should be MUST from my PoV.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The first sentence was just a short introduction for the decision underneath it, but I can change that if it should be written another way.
The standard for the K8s version policy is updated in order to add the support period for Kubernetes versions into it. Since this is a bit contradictive with the K8s version recency, this part needed to be updated as well. Signed-off-by: Hannes Baum <hannes.baum@cloudandheat.com>
Since this issue is now open for 3 months and it got one Approval by @anjastrunk and I fixed all issues opened by @garloff, I'm gonna merge this now. |
Thanks, @cah-hbaum! |
The standard for the K8s version policy is updated in order to add the support period for Kubernetes versions into it. Since this is a bit contradictive with the K8s version recency, the whole standard needed to be updated.