config/v1/types_cluster_version: Add ClusterVersionSpec.AutomaticUpdates #326
Conversation
openshift-ci-robot
added
the
size/XS
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: wking If they are not already assigned, you can assign the PR to them by writing The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
Give cluster admins a knob for turning these on and off. You could conceivably build a bunch of logic in here, like an update-schedule schema configuring allowed upgrade times [1]. But it's going to be hard to get a spec schema that supports all the upgrade-gating logic that users will need. Instead, we have a simple boolean switch here and very basic logic in the cluster-version operator. Users who want more control can run their own Cincinnati proxy/mirrors with Policy Engines [2] that add their desired behavior (e.g. removing all edges during times when they don't want clusters auto-upgrading). [1]: openshift#326 (comment) [2]: https://github.com/openshift/cincinnati/blob/1777fc45cefaab3c8c0e870ef1dfc29564d2d37b/docs/design/cincinnati.md#policy-engine
|
|
||
| // automaticUpdates enables automatic updates. | ||
| // +optional | ||
| AutomaticUpdates bool `json:"automaticUpdates,omitempty"` |
There was a problem hiding this comment.
We want people to opt-out, this API is opt-in.
There was a problem hiding this comment.
We want people to opt-out, this API is opt-in.
Existing users will need to opt in. How do we do that with an opt-out API? Can we have an opt-in API here and have an opt-out API in the install-config, so new installers will generate ClusterVersion with this set true by default?
There was a problem hiding this comment.
The zero value of a bool is false so "auto-updates=false" means "no auto updates by default", thus it's opt in.
There was a problem hiding this comment.
It's opt in here, and I think we want that for compat with existing clusters (which are all manual-update). If/when we add an installer knob that feeds this property, that installer knob should be opt out. Are we all on the same page, or am I missing something?
I've pushed d3cfead -> 0b9690b to go with a boolean after all. Talking this over with @abhinavdahiya and @crawford, I think getting a spec structure that makes most users happy is going to be hard, and it diverges from the "simple CVO, complex logic in Cincinnati" approach we've followed so far. With a boolean "should I auto-upgrade?" switch for the CVO, users that need more complicated logic can implement that by pointing clusters at their own Cincinnati proxy that slurps the graph from our upstream Cincinnati (or wherever) and applies the logic they want (e.g. removing all upgrade edges during times when they don't want clusters auto-upgrading). If we find there's a lot of demand for specific logic (like your cron schedule schema), we can ship images for Policy Engine Cincinnati proxies like that to make it easy for users to set them up locally. But we don't need to bake that logic into the cluster itself. Thoughts? |
|
I disagree. I think Cincinnati should be responsible for a single job -
telling a cluster which versions it can update to. Given the disagreement,
this needs to go to a design doc where we can describe the use cases we're
trying to solve. For example, we should never allow a compromise of
Cincinnati to force updates to a known bad version, or to allow an attacker
to take advantage of a temporary mistake.
…On Thu, May 30, 2019 at 12:37 PM W. Trevor King ***@***.***> wrote:
I meant it to be a boolean. Schedule structure sounds good; I'll reroll
tonight.
I've pushed d3cfead
<d3cfead>
-> 0b9690b
<0b9690b>
to go with a boolean after all. Talking this over with @abhinavdahiya
<https://github.com/abhinavdahiya> and @crawford
<https://github.com/crawford>, I think getting a spec structure that
makes most users happy is going to be hard, and it diverges from the
"simple CVO, complex logic in Cincinnati" approach we've followed so far.
With a boolean "should I auto-upgrade?" switch for the CVO, users that need
more complicated logic can implement that by pointing clusters at their own
Cincinnati proxy that slurps the graph from our upstream Cincinnati (or
wherever) and applies the logic they want (e.g. removing all upgrade edges
during times when they don't want clusters auto-upgrading). If we find
there's a lot of demand for specific logic (like your cron schedule
schema), we can ship images for Policy Engine Cincinnati proxies like that
to make it easy for users to set them up locally. But we don't need to bake
that logic into the cluster itself. Thoughts?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#326?email_source=notifications&email_token=AAI37JYTTYY4YG7CZXIBFALPX77D3A5CNFSM4HQTF7L2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODWS2PRI#issuecomment-497395653>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAI37J6CS55RFJECPBZWD3DPX77D3ANCNFSM4HQTF7LQ>
.
|
|
/hold
…On Thu, May 30, 2019 at 3:22 PM Clayton Coleman ***@***.***> wrote:
I disagree. I think Cincinnati should be responsible for a single job -
telling a cluster which versions it can update to. Given the disagreement,
this needs to go to a design doc where we can describe the use cases we're
trying to solve. For example, we should never allow a compromise of
Cincinnati to force updates to a known bad version, or to allow an attacker
to take advantage of a temporary mistake.
On Thu, May 30, 2019 at 12:37 PM W. Trevor King ***@***.***>
wrote:
> I meant it to be a boolean. Schedule structure sounds good; I'll reroll
> tonight.
>
> I've pushed d3cfead
> <d3cfead>
> -> 0b9690b
> <0b9690b>
> to go with a boolean after all. Talking this over with @abhinavdahiya
> <https://github.com/abhinavdahiya> and @crawford
> <https://github.com/crawford>, I think getting a spec structure that
> makes most users happy is going to be hard, and it diverges from the
> "simple CVO, complex logic in Cincinnati" approach we've followed so far.
> With a boolean "should I auto-upgrade?" switch for the CVO, users that need
> more complicated logic can implement that by pointing clusters at their own
> Cincinnati proxy that slurps the graph from our upstream Cincinnati (or
> wherever) and applies the logic they want (e.g. removing all upgrade edges
> during times when they don't want clusters auto-upgrading). If we find
> there's a lot of demand for specific logic (like your cron schedule
> schema), we can ship images for Policy Engine Cincinnati proxies like that
> to make it easy for users to set them up locally. But we don't need to bake
> that logic into the cluster itself. Thoughts?
>
> —
> You are receiving this because you were mentioned.
> Reply to this email directly, view it on GitHub
> <#326?email_source=notifications&email_token=AAI37JYTTYY4YG7CZXIBFALPX77D3A5CNFSM4HQTF7L2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODWS2PRI#issuecomment-497395653>,
> or mute the thread
> <https://github.com/notifications/unsubscribe-auth/AAI37J6CS55RFJECPBZWD3DPX77D3ANCNFSM4HQTF7LQ>
> .
>
|
openshift-ci-robot
added
the
do-not-merge/hold
|
I'll try to get my thoughts into a doc early next week. |
|
I've got my proposed big picture down here: https://docs.google.com/document/d/1i4srAn3exEHWBjQmVE0Vz4V5gB8n7eOJi4MUm1rDhFo. (sorry OKD. We'll be right back) I think we should adopt something similar to this: apiVersion: config.openshift.io/v1
kind: ClusterVersion
spec:
channel: stable-4.1
clusterID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
upstream: https://api.openshift.com/api/upgrades_info/v1/graph
automaticUpdates:
schedule:
- Mon..Fri *-2..10-* 10:00,14:00
- Tues..Thurs *-11..1-* 11:00
|
|
/close closing without prejudice due to age. Please open an enhancement in openshift/enhancements |
|
@deads2k: Closed this PR. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Is it written down somewhere an example "best practice" for basic enablement of automatic updates today? Just something like a cron job pod that runs |
Opened: openshift/enhancements#124
Probably |
8 participants
Give cluster admins a knob for turning these on and off.
This is part of addressing openshift/cluster-version-operator#99.
CC @abhinavdahiya, @smarterclayton.