Update standard K8s version policy #334
Conversation
cah-hbaum
added
Container
cah-hbaum
force-pushed
the
issue/386
branch
2 times, most recently
from
d4af8fc to
31324f5
Compare
There was a problem hiding this comment.
Two points on language:
- Standards should not make extensive use of "probably" or "we believe". We need to clarify these things until we are convinced. And then just make statements what is expected.
- relative clause "The reason that XYZ can be done is ..." do not have commas in English
Two on the content:
- This has been toned down into mere recommendations while the original intention was to have stronger language MUST. Did we agree as a team to really make it so soft? How much value remains then if customers can not rely on anything even if the container SCS-compatible cert has been granted?
- There seems to be confusion about support period for minor versions that puzzles me. Let's clarify this!
|
Answering to #334 (review) and #334 (comment) since they ask the same things: So I had a misunderstanding on how this K8s providing should work, since I thought that would be the provided version for things like managed K8s clusters.
I think what I would want to know here to clear that up: I would continue here if these things are cleared up, since I think they're essential to continuing. |
I assume that even in managed k8s offerings, the k8s version updates are normally done only with the user's consent. So, looking at a cluster and determine its level of outdatedness may be useful, but does not provide important insight into standards compliance. (Well, if it is recent, we may be able to conclude that the operator is SCS-compatible, but the outdatedness does not mean that he's not.) Instead, we need to ensure that the latest patchlevel (with a delay of less than a week) is available. I agree that testing this is difficult.
Now, this is all specific to our reference implementation, unfortunately. |
Ok I think I understand the intention behind all of this, but doesn't this still make the first test for k8s cluster recency incorrect, since the test is only applied to a cluster and we shouldn't look for a version recency in a cluster, since this is seemingly up to the user? |
|
Made an update to the text. |
anjastrunk
requested review from
anjastrunk
and removed request for
anjastrunk
| More information can be found under [Kubernetes Support Period]. | ||
|
|
||
| The Kubernetes releases are planned for about 4 months, which usually results in about | ||
| **3 minor** releases per year [Kubernetes Release Cycle]. |
There was a problem hiding this comment.
| **3 minor** releases per year [Kubernetes Release Cycle]. | |
| **3 minor** releases per year [Kubernetes Release Cycle](https://kubernetes.io/releases/release/). |
There was a problem hiding this comment.
I just recognized, that links are listed at the end of the document. Is this a common practice in SCS standards?
There was a problem hiding this comment.
No. Linking docs that explain a statement or term is best be done in place. A link I would click if I need an explanation or definition or want to see the source of truth for a statement.
A references section at the end is more for further reading or background reading (in case I'm new to the topic).
Also link to related content, e.g. related standards.
There was a problem hiding this comment.
Should we really put links in different locations depending on their relation to the standard? I would rather try to put everything in the final section and check if the link nevertheless works in the document itself.
There was a problem hiding this comment.
In favor of readability, I would add links in place. And put, as @garloff mentioned, additional documents, not related to a special term, at the bottom of the document.
There was a problem hiding this comment.
Put the links in the text.
Right. The mere existence of a cluster with outdated k8s version in it does not indicate a failure to comply with the SCS-compatibility. (For a managed k8s scenario, I would expect a provider to push customers to agree to upgrading at some point though, but we have no recommended let alone mandatory policies for this at this point.) A test would look like this:
|
Well ... we currently don't offer k8s-v1.28.x officially yet, as capo does not officially support k8s-v1.28 yet. |
|
@garloff thanks for your comments, they make this issue and standard more clear to me. |
|
Update the text a bit more and rebased the whole branch in order to include the latest changes from main. |
cah-hbaum
force-pushed
the
issue/386
branch
2 times, most recently
from
8d3ccba to
f3c45de
Compare
cah-hbaum
force-pushed
the
issue/386
branch
2 times, most recently
from
247fa57 to
5ffca2c
Compare
cah-hbaum
added
the
standards
cah-hbaum
force-pushed
the
issue/386
branch
2 times, most recently
from
2302730 to
bd7c6df
Compare
There was a problem hiding this comment.
Sorry if I have missed a prior answer or discussion.
But I believe that we've had discussed mandatory requirements for version recency before. These are useful, as it allows users to know which versions she can rely on as available on all KaaS platforms that are certified as SCS-compatible on the container layer. As user, it would make my live easier, as I can then decide for validating my workload on a k8s versions that I know must be available on all SCS-compatible KaaS solutions. A should does not provide this guarantee.
So were there reasons for watering this down where I missed a discussion?
Was there a discussion that resulted in g=convincing reasons that we are really
| In order to keep up-to date with the latest Kubernetes features, bug fixes and security improvements, | ||
| the provided Kubernetes versions should be kept up to date with the upstream. | ||
|
|
||
| - The latest minor version SHOULD be provided no later than 4 months after release. |
There was a problem hiding this comment.
Why is this not a MUST?
4 months is plenty of time to get the latest minor release built, validated, fixed (if needed, which is normally not the case) and published.
There was a problem hiding this comment.
To answer all of the MUST questions, I had a grave misunderstanding with the way how MUST and SHOULD are used. In my mind, they were equal, but after reading the RFC document regarding MUST / SHOULD / ... I can see my mistake.
And you're right, all of the ones you pointed out should be MUST.
| the provided Kubernetes versions should be kept up to date with the upstream. | ||
|
|
||
| - The latest minor version SHOULD be provided no later than 4 months after release. | ||
| - The latest patch version SHOULD be provided no later than 1 week after release. |
There was a problem hiding this comment.
I believe we can make this a MUST as well.
There was a problem hiding this comment.
See #334 (comment)
| - The latest patch version SHOULD be provided no later than 1 week after release. | ||
| - This time period MUST be even shorter for patches that target critical CVEs (CVSS >= 8). | ||
| It is RECOMMENDED to provide a new patch version in a 2 day time period after their release. | ||
| - New versions SHOULD be tested before being rolled out on productive infrastructure; |
There was a problem hiding this comment.
See #334 (comment)
| - This time period MUST be even shorter for patches that target critical CVEs (CVSS >= 8). | ||
| It is RECOMMENDED to provide a new patch version in a 2 day time period after their release. | ||
| - New versions SHOULD be tested before being rolled out on productive infrastructure; | ||
| at least the CNCF E2E tests should be passed beforehand. |
There was a problem hiding this comment.
could be a MUST as well (and if we want to be generous, we could allow failed e2e tests to be listed in a release note rather than requiring 100% pass rate).
There was a problem hiding this comment.
See #334 (comment)
Also I think you're right about the generosity of passed tests, but I'm not really sure how to properly display this in Release notes.
| - New versions SHOULD be tested before being rolled out on productive infrastructure; | ||
| at least the CNCF E2E tests should be passed beforehand. | ||
|
|
||
| At the same time, provider should support Kubernetes versions at least as long as the |
There was a problem hiding this comment.
Again, I would make this a MUST.
There was a problem hiding this comment.
See #334 (comment)
| At the same time, provider should support Kubernetes versions at least as long as the | ||
| official sources as mentioned in the [Kubernetes Support Period](https://kubernetes.io/releases/patch-releases/#support-period). | ||
|
|
||
| - Kubernetes versions SHOULD be supported as long as the official sources support them. |
There was a problem hiding this comment.
Hmm, looks duplicate to the sentence before.
And should be MUST from my PoV.
There was a problem hiding this comment.
The first sentence was just a short introduction for the decision underneath it, but I can change that if it should be written another way.
The standard for the K8s version policy is updated in order to add the support period for Kubernetes versions into it. Since this is a bit contradictive with the K8s version recency, this part needed to be updated as well. Signed-off-by: Hannes Baum <[email protected]>
|
Since this issue is now open for 3 months and it got one Approval by @anjastrunk and I fixed all issues opened by @garloff, I'm gonna merge this now. |
|
Thanks, @cah-hbaum! |
The standard for the K8s version policy is updated in order to add the support period for Kubernetes versions into it. Since this is a bit contradictive with the K8s version recency, the whole standard needed to be updated.