01-document-k8s-1-31-changes.yaml
# entries is a list of entries to include in
# release notes and/or the migration guide
entries:
  - description: >
      For Go-based, Helm-based and Ansible-based operators this release moves to Kubernetes 1.31 APIs and Kubebuilder
      v4 scaffolding, specifically the v4.2.0 release. The update to Kubebuilder results in some scaffolding
      changes; more information can be found below:

        - Add support to protect project with [network policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) ([#3853](https://github.com/kubernetes-sigs/kubebuilder/pull/3853))

    # kind is one of:
    # - addition
    # - change
    # - deprecation
    # - removal
    # - bugfix
    kind: "change"

    # Is this a breaking change?
    breaking: false

    # NOTE: ONLY USE `pull_request_override` WHEN ADDING THIS
    # FILE FOR A PREVIOUSLY MERGED PULL_REQUEST!
    #
    # The generator auto-detects the PR number from the commit
    # message in which this file was originally added.
    #
    # What is the pull request number (without the "#")?
    # pull_request_override: 0

    # Migration can be defined to automatically add a section to
    # the migration guide. This is required for breaking changes.
    migration:
      header: Upgrade K8s versions to use 1.31 and Kubebuilder network-policy scaffolding
      body: |
        This release contains a decent amount of migrations, but not nearly as many as the [previous version's migrations](https://sdk.operatorframework.io/docs/upgrading-sdk-version/v1.38.0/),
        so this release should be easier to follow.

        1) [helm/v1, ansible/v1] Update the kustomize version in your Makefile
        ```diff
        - curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v5.3.2/kustomize_v5.3.0_$(OS)_$(ARCH).tar.gz | \
        + curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v5.4.3/kustomize_v5.4.2_$(OS)_$(ARCH).tar.gz | \
        ```

        2) [go/v4] Update your `go.mod` file to upgrade the dependencies and run `go mod tidy` to download them
        ```diff
        - github.com/onsi/ginkgo/v2 v2.17.1
        - github.com/onsi/gomega v1.32.0
        - k8s.io/api v0.30.1
        - k8s.io/apimachinery v0.30.1
        - k8s.io/client-go v0.30.1
        - sigs.k8s.io/controller-runtime v0.18.4
        + github.com/onsi/ginkgo/v2 v2.19.0
        + github.com/onsi/gomega v1.33.1
        + k8s.io/api v0.31.0
        + k8s.io/apimachinery v0.31.0
        + k8s.io/client-go v0.31.0
        + sigs.k8s.io/controller-runtime v0.19.0
        ```

        3) [go/v4] Update your `Makefile` with the below changes:
        ```diff
        - ENVTEST_K8S_VERSION = 1.30.0
        + ENVTEST_K8S_VERSION = 1.31.0
        ```
        ```diff
        - KUSTOMIZE_VERSION ?= v5.4.2
        - CONTROLLER_TOOLS_VERSION ?= v0.15.0
        - ENVTEST_VERSION ?= release-0.18
        + KUSTOMIZE_VERSION ?= v5.4.3
        + CONTROLLER_TOOLS_VERSION ?= v0.16.1
        + ENVTEST_VERSION ?= release-0.19
        ```

        4) [go/v4] Update your `main.go` file with the below changes:
        ```diff
        - // - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.18.4/pkg/metrics/server
        + // - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.0/pkg/metrics/server
        - // https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.18.4/pkg/metrics/filters#WithAuthenticationAndAuthorization
        + // https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.0/pkg/metrics/filters#WithAuthenticationAndAuthorization
        ```

        5) [go/v4, helm/v1, ansible/v1] Update your `/config/default/kustomization.yaml` file with the below changes:
        ```diff
        +# [NETWORK POLICY] Protect the /metrics endpoint and Webhook Server with NetworkPolicy.
        +# Only Pod(s) running a namespace labeled with 'metrics: enabled' will be able to gather the metrics.
        +# Only CR(s) which requires webhooks and are applied on namespaces labeled with 'webhooks: enabled' will
        +# be able to communicate with the Webhook Server.
        +#- ../network-policy
        ```

        6) [go/v4, helm/v1, ansible/v1] Add `/config/network-policy/allow-metrics-traffic.yaml`
        ```diff
        + # This NetworkPolicy allows ingress traffic
        + # with Pods running on namespaces labeled with 'metrics: enabled'. Only Pods on those
        + # namespaces are able to gathering data from the metrics endpoint.
        + apiVersion: networking.k8s.io/v1
        + kind: NetworkPolicy
        + metadata:
        +   labels:
        +     app.kubernetes.io/name: memcached-operator
        +     app.kubernetes.io/managed-by: kustomize
        +   name: allow-metrics-traffic
        +   namespace: system
        + spec:
        +   podSelector:
        +     matchLabels:
        +       control-plane: controller-manager
        +   policyTypes:
        +     - Ingress
        +   ingress:
        +     # This allows ingress traffic from any namespace with the label metrics: enabled
        +     - from:
        +       - namespaceSelector:
        +           matchLabels:
        +             metrics: enabled # Only from namespaces with this label
        +       ports:
        +         - port: 8443
        +           protocol: TCP
        ```

        7) [helm/v1, ansible/v1] Add `/config/network-policy/kustomization.yaml`
        ```diff
        + resources:
        + - allow-metrics-traffic.yaml
        ```

        8) [go/v4] Add `/config/network-policy/allow-webhook-traffic.yaml`
        ```diff
        + # This NetworkPolicy allows ingress traffic to your webhook server running
        + # as part of the controller-manager from specific namespaces and pods. CR(s) which uses webhooks
        + # will only work when applied in namespaces labeled with 'webhook: enabled'
        + apiVersion: networking.k8s.io/v1
        + kind: NetworkPolicy
        + metadata:
        +   labels:
        +     app.kubernetes.io/name: memcached-operator
        +     app.kubernetes.io/managed-by: kustomize
        +   name: allow-webhook-traffic
        +   namespace: system
        + spec:
        +   podSelector:
        +     matchLabels:
        +       control-plane: controller-manager
        +   policyTypes:
        +     - Ingress
        +   ingress:
        +     # This allows ingress traffic from any namespace with the label webhook: enabled
        +     - from:
        +       - namespaceSelector:
        +           matchLabels:
        +             webhook: enabled # Only from namespaces with this label
        +       ports:
        +         - port: 443
        +           protocol: TCP
        ```

        9) [go/v4] Add `/config/network-policy/kustomization.yaml`
        ```diff
        + resources:
        + - allow-webhook-traffic.yaml
        + - allow-metrics-traffic.yaml
        ```
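The two scaffolded NetworkPolicies in steps 6 and 8 are only useful if you understand what they do and do not block: a policy that selects a pod turns that pod's ingress into deny-by-default for the listed policyTypes, and the rules then add back exactly the sources and ports named. The Go program below is an added example, not part of the operator-sdk or Kubebuilder scaffolding; it encodes the two policies as data and evaluates candidate connections against them with the standard NetworkPolicy evaluation order (no selecting policy means allow, otherwise some rule must match both the source namespace labels and the port). It is a reduced model: `matchExpressions`, `podSelector` entries inside `from`, `ipBlock` and egress are not represented, and the `Connection`, `LabelSet` and `IngressAllowed` names are this example's own.

```go
package main

import "fmt"

// LabelSet is a flat map of Kubernetes labels, e.g. {"metrics": "enabled"}.
type LabelSet map[string]string

// Matches implements matchLabels semantics: every key/value of the selector
// must be present with the same value on the object being tested.
func (sel LabelSet) Matches(labels LabelSet) bool {
	for k, v := range sel {
		if got, ok := labels[k]; !ok || got != v {
			return false
		}
	}
	return true
}

// Port is one entry of an ingress rule's "ports" list.
type Port struct {
	Port     int
	Protocol string
}

// IngressRule is one entry of spec.ingress. A nil NamespaceSelector stands
// for a rule without a "from" clause (any source); no Ports means any port.
type IngressRule struct {
	NamespaceSelector LabelSet
	Ports             []Port
}

// NetworkPolicy is a reduced model of networking.k8s.io/v1 NetworkPolicy
// with policyTypes fixed to Ingress, which is all the scaffolded files declare.
type NetworkPolicy struct {
	Name        string
	PodSelector LabelSet
	Ingress     []IngressRule
}

// Connection is an ingress attempt: labels of the target pod, labels of the
// namespace the source pod runs in, and the destination port and protocol.
type Connection struct {
	TargetPodLabels LabelSet
	SourceNSLabels  LabelSet
	Port            int
	Protocol        string
}

// IngressAllowed applies NetworkPolicy semantics: if no policy selects the
// target pod the connection is allowed (default allow); otherwise it is
// allowed only if some selecting policy has a rule whose namespaceSelector
// and ports both match. Rules are additive; a policy cannot express a deny.
func IngressAllowed(policies []NetworkPolicy, c Connection) bool {
	selected := false
	for _, p := range policies {
		if !p.PodSelector.Matches(c.TargetPodLabels) {
			continue
		}
		selected = true
		for _, r := range p.Ingress {
			if r.NamespaceSelector != nil && !r.NamespaceSelector.Matches(c.SourceNSLabels) {
				continue
			}
			if len(r.Ports) == 0 {
				return true
			}
			for _, port := range r.Ports {
				if port.Port == c.Port && port.Protocol == c.Protocol {
					return true
				}
			}
		}
	}
	return !selected
}

// ScaffoldedPolicies is allow-metrics-traffic.yaml and allow-webhook-traffic.yaml
// from the migration steps above, transcribed into the model.
func ScaffoldedPolicies() []NetworkPolicy {
	manager := LabelSet{"control-plane": "controller-manager"}
	return []NetworkPolicy{
		{Name: "allow-metrics-traffic", PodSelector: manager, Ingress: []IngressRule{{
			NamespaceSelector: LabelSet{"metrics": "enabled"}, Ports: []Port{{8443, "TCP"}}}}},
		{Name: "allow-webhook-traffic", PodSelector: manager, Ingress: []IngressRule{{
			NamespaceSelector: LabelSet{"webhook": "enabled"}, Ports: []Port{{443, "TCP"}}}}},
	}
}

func main() {
	manager := LabelSet{"control-plane": "controller-manager"}
	// Constructed scenarios, including the opt-out case where the
	// "- ../network-policy" line in kustomization.yaml stays commented out.
	scenarios := []struct {
		name     string
		policies []NetworkPolicy
		conn     Connection
	}{
		{"scraper in 'metrics: enabled' ns -> 8443", ScaffoldedPolicies(), Connection{manager, LabelSet{"metrics": "enabled"}, 8443, "TCP"}},
		{"scraper in unlabelled ns -> 8443", ScaffoldedPolicies(), Connection{manager, LabelSet{}, 8443, "TCP"}},
		{"'metrics: enabled' ns -> webhook port 443", ScaffoldedPolicies(), Connection{manager, LabelSet{"metrics": "enabled"}, 443, "TCP"}},
		{"network-policy not applied (opt-out)", nil, Connection{manager, LabelSet{}, 8443, "TCP"}},
	}
	for _, s := range scenarios {
		fmt.Printf("%-45s allowed=%v\n", s.name, IngressAllowed(s.policies, s.conn))
	}
}
```

Two points the model makes visible: the `#- ../network-policy` line in step 5 is commented out, so the policies are opt-in and, until that line is uncommented, the metrics and webhook ports accept connections from every namespace; and once enabled, a namespace that is labelled for metrics gets nothing else, so a webhook caller that forgets `webhook: enabled` is simply dropped rather than rejected with an error. NetworkPolicy objects are only enforced by a CNI plugin that implements them; on a cluster whose network plugin does not, they are accepted by the API server and have no effect.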