Channels
extensions
rancher-extensions
supermicro-sixsq
ozt
os
one-point-x
rio
onlinemeetup
v16-v21-migration
events
onlinetraining
training-1220
training-0110
training-0124
k3s-contributor
submariner
storage
k3os
windows
ci-cd
theranchcast
rfed_ara
nederlands
ukranian
danish
training-0131
masterclass
training-0207
training-0214
terraform-controller
epinio
phillydotnet
swarm
rancher-wrangler
deutsch
russian
chinese
mesos
français
japanese
arm
longhorn-dev
terraform-provider-rke
service-mesh
azure
gcp
academy
random
elemental
espanol
lima
harvester-dev
portugues
kubernetes
kim
hypper
kubewarden
opni
logging
neuvector-security
rancher-setup
developer
office-hours
mexico
cabpr
rke
vsphere
longhorn-storage
k3s
k3d
terraform-provider-rancher2
fleet
amazon
harvester
rke2
s3gw
hobbyfarm
rancher-desktop
general
Title
g
great-photographer-94826
11/18/2022, 12:28 PMHi! I would like to implement continuous Kubernetes version updates for my productive cluster, however I have not yet decided how long to wait before switching to the new version. How long should I wait with each new version until its initial bugs appear? Is it a good idea to test the new version in a non-prod environment for 30 days? After that, based on the experiences gained in the test environments and the reported Kubernetes errors (https://github.com/kubernetes/kubernetes/issues) decide to upgrade (GO/NOGO)?
Of course, security issues (for example, Kubernetes containing a vulnerability with severity score of 7 or greater) and the apps running (need specific Kubernetes version) on the platform may influence this decision, but I want to set some baseline. Welcome any experience or help.
p
purple-pharmacist-31177
11/18/2022, 12:44 PMIn my opinion there are many factors
1. are you or your team going to make use of the newly added features, in other words what is the motivation behind upgrading to latest version
2. N-2 in Prod and N-1 in DEV could be a good idea, where N could be the latest version, given that the release cycle is that of 3 months , (But you might want to have the parity between your pre-prod and prod)
g
great-photographer-94826
11/18/2022, 12:52 PM@purple-pharmacist-31177 Thanks for the good feedback, I try to follow the good practices recommended by OWASP (https://cheatsheetseries.owasp.org/cheatsheets/Kubernetes_Security_Cheat_Sheet.html#kubernetes-version) to reduce security risks. The primary consideration is to guarantee business continuity (running apps), if for some reason I can't switch, I'll stay with the old version. I would upgrade to the maximum patch level to reduce security issues.
đź‘Ť 1
m
modern-television-79263
11/18/2022, 2:19 PMGenerally speaking: the bleeding edge causes you to bleed. I’m just now getting on to K8s v1.20. Been running v1.18 for almost a couple of years now.
f
full-painter-23916
11/18/2022, 6:47 PMThat's, uh, fairly extreme on the other end of the spectrum… <=1.22 have no upstream support or patching for CVEs
m
modern-television-79263
11/18/2022, 7:34 PMI agree it’s not ideal @full-painter-23916 - but considering we self-host, and how much of our underlying infrastructure is interwoven with Rancher/K8s, we can’t afford to just continually upgrade and hope nothing breaks, or that none of the other infra doesn’t need to be upgraded first.
We just got on vSphere 7, with the proper Netapp plugin upgrades, and are in the process of upgrading our Netapp storage heads and cluster next. That finally allowed me to get on a newer version of Rancher/K8s - because eventually I want to go with the out-of-tree storage provider. Though, we had issues with the in-tree provider post-upgrade to Rancher v2.5.16/K8s v1.20.15 - but I think @square-orange-60123 just helped me to solve those.