From 34888b554c303d2335a35af95b633a7678e38ac8 Mon Sep 17 00:00:00 2001 From: "Adam D. Cornett" Date: Thu, 9 Jan 2025 11:35:20 -0700 Subject: [PATCH] adding k8s 1.31 change document Signed-off-by: Adam D. Cornett --- .../01-document-k8s-1-31-changes.yaml | 164 ++++++++++++++++++ 1 file changed, 164 insertions(+) create mode 100644 changelog/fragments/01-document-k8s-1-31-changes.yaml diff --git a/changelog/fragments/01-document-k8s-1-31-changes.yaml b/changelog/fragments/01-document-k8s-1-31-changes.yaml new file mode 100644 index 00000000000..1415f08e9f5 --- /dev/null +++ b/changelog/fragments/01-document-k8s-1-31-changes.yaml 
@@ -0,0 +1,164 @@ +# entries is a list of entries to include in +# release notes and/or the migration guide +entries: + - description: > + For Go-based, Helm-based and Ansible-based operators this release moves to Kubernetes 1.31 API's and Kubebuilder + v4 Scaffolding, specifically utilizing the v4.2.0 version. The update to Kubebuiler results in some scaffolding + changes which more information can be found below: + - Add support to protect project with [network policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) ([#3853](https://github.com/kubernetes-sigs/kubebuilder/pull/3853)) + + # kind is one of: + # - addition + # - change + # - deprecation + # - removal + # - bugfix + kind: "change" + + # Is this a breaking change? + breaking: false + + # NOTE: ONLY USE `pull_request_override` WHEN ADDING THIS + # FILE FOR A PREVIOUSLY MERGED PULL_REQUEST! + # + # The generator auto-detects the PR number from the commit + # message in which this file was originally added. + # + # What is the pull request number (without the "#")? + # pull_request_override: 0 + + + # Migration can be defined to automatically add a section to + # the migration guide. This is required for breaking changes. + migration: + header: Upgrade K8s versions to use 1.31 and Kubebuilder network-policy scaffolding + body: | + This release contains a decent amount of migrations, but not nearly as many as the [previous versions migrations](https://sdk.operatorframework.io/docs/upgrading-sdk-version/v1.38.0/) + so this release should be easier to follow. 
+ + 1) [helm/v1, ansible/v1] Update the kustomize version in your Makefile + ```diff + - curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v5.3.2/kustomize_v5.3.0_$(OS)_$(ARCH).tar.gz | \ + + curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v5.4.3/kustomize_v5.4.2_$(OS)_$(ARCH).tar.gz | \ + ``` + + 2) [go/v4] Update your `go.mod` file to upgrade the dependencies and run `go mod tidy` to download them + ```go + github.com/onsi/ginkgo/v2 v2.17.1 + github.com/onsi/gomega v1.32.0 + k8s.io/api v0.30.1 + k8s.io/apimachinery v0.30.1 + k8s.io/client-go v0.30.1 + sigs.k8s.io/controller-runtime v0.18.4 + github.com/onsi/ginkgo/v2 v2.19.0 + github.com/onsi/gomega v1.33.1 + k8s.io/api v0.31.0 + k8s.io/apimachinery v0.31.0 + k8s.io/client-go v0.31.0 + sigs.k8s.io/controller-runtime v0.19.0 + ``` + + 3) [go/v4] Update your `Makefile` with the below changes: + ```diff + - ENVTEST_K8S_VERSION = 1.30.0 + + ENVTEST_K8S_VERSION = 1.31.0 + ``` + + ```diff + - KUSTOMIZE_VERSION ?= v5.4.2 + - CONTROLLER_TOOLS_VERSION ?= v0.15.0 + - ENVTEST_VERSION ?= release-0.18 + + KUSTOMIZE_VERSION ?= v5.4.3 + + CONTROLLER_TOOLS_VERSION ?= v0.16.1 + + ENVTEST_VERSION ?= release-0.19 + ``` + + 4) [go/v4] Update your `main.go` file with the below changes: + ```diff + - // - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.18.4/pkg/metrics/server + + // - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.0/pkg/metrics/server + + - // https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.18.4/pkg/metrics/filters#WithAuthenticationAndAuthorization + + // https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.0/pkg/metrics/filters#WithAuthenticationAndAuthorization + ``` + + 5) [go/v4, helm/v1, ansible/v1] Update your `/config/default/kustomization.yaml` file with the below changes: + ```diff + +# [NETWORK POLICY] Protect the /metrics endpoint and Webhook Server with NetworkPolicy. 
+ +# Only Pod(s) running a namespace labeled with 'metrics: enabled' will be able to gather the metrics. + +# Only CR(s) which requires webhooks and are applied on namespaces labeled with 'webhooks: enabled' will + +# be able to communicate with the Webhook Server. + +#- ../network-policy + ``` + + 6) [go/v4, helm/v1, ansible/v1] Add `/config/network-policy/allow-metrics-traffic.yaml` + ```diff + + # This NetworkPolicy allows ingress traffic + + # with Pods running on namespaces labeled with 'metrics: enabled'. Only Pods on those + + # namespaces are able to gathering data from the metrics endpoint. + + apiVersion: networking.k8s.io/v1 + + kind: NetworkPolicy + + metadata: + + labels: + + app.kubernetes.io/name: memcached-operator + + app.kubernetes.io/managed-by: kustomize + + name: allow-metrics-traffic + + namespace: system + + spec: + + podSelector: + + matchLabels: + + control-plane: controller-manager + + policyTypes: + + - Ingress + + ingress: + + # This allows ingress traffic from any namespace with the label metrics: enabled + + - from: + + - namespaceSelector: + + matchLabels: + + metrics: enabled # Only from namespaces with this label + + ports: + + - port: 8443 + + protocol: TCP + ``` + + 7) [helm/v1, ansible/v1] Add `/config/network-policy/kustomization.yaml` + ```diff + + resources: + + - allow-metrics-traffic.yaml + + 8) [go/v4] Add `/config/network-policy/allow-webhook-traffic.yaml` + ```diff + + # This NetworkPolicy allows ingress traffic to your webhook server running + + # as part of the controller-manager from specific namespaces and pods. 
CR(s) which uses webhooks + + # will only work when applied in namespaces labeled with 'webhook: enabled' + + apiVersion: networking.k8s.io/v1 + + kind: NetworkPolicy + + metadata: + + labels: + + app.kubernetes.io/name: memcached-operator + + app.kubernetes.io/managed-by: kustomize + + name: allow-webhook-traffic + + namespace: system + + spec: + + podSelector: + + matchLabels: + + control-plane: controller-manager + + policyTypes: + + - Ingress + + ingress: + + # This allows ingress traffic from any namespace with the label webhook: enabled + + - from: + + - namespaceSelector: + + matchLabels: + + webhook: enabled # Only from namespaces with this label + + ports: + + - port: 443 + + protocol: TCP + ``` + + 9) [go/v4] Add `/config/network-policy/kustomization.yaml` + ```diff + + resources: + + - allow-webhook-traffic.yaml + + - allow-metrics-traffic.yaml + ```
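Review bot: The `diff` fence opened under step 7 ("Add `/config/network-policy/kustomization.yaml`" for helm/v1 and ansible/v1) is never closed before step 8 begins, so the rendered migration guide will swallow step 8's heading and its opening fence into the step 7 code block; add the closing ``` after `+ - allow-metrics-traffic.yaml`. Two further points in the same body: the step 5 comment tells users to label namespaces `webhooks: enabled`, but the `allow-webhook-traffic.yaml` policy in step 8 selects `webhook: enabled` (singular), so a reader following the step 5 wording would still have their webhook traffic denied once `../network-policy` is uncommented; pick one spelling in the doc and say explicitly that `#- ../network-policy` in step 5 is opt-in and must be uncommented for either policy to take effect. The step 2 block uses a `go` fence with both the old and new module versions listed and no `-`/`+` markers, so it is unclear which six lines are to be removed; a `diff` fence with `-` on the v0.30.x/v0.18.4 lines and `+` on the v0.31.0/v0.19.0 lines would match the rest of the guide. Minor: "Kubebuiler" in the description, and the step 1 kustomize URLs pair release tag `v5.4.3` with archive name `kustomize_v5.4.2` (and `v5.3.2` with `kustomize_v5.3.0`), which is worth double-checking against the scaffolded Makefile since tag and archive normally carry the same version.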