
great-photographer-94826

11/18/2022, 12:28 PM
Hi! I would like to implement continuous Kubernetes version updates for my production cluster, but I have not yet decided how long to wait before switching to a new version. How long should I wait with each new version until its initial bugs appear? Is it a good idea to test the new version in a non-prod environment for 30 days, and after that, based on the experience gained in the test environments and the reported Kubernetes errors (https://github.com/kubernetes/kubernetes/issues), decide whether to upgrade (GO/NO-GO)? Of course, security issues (for example, Kubernetes containing a vulnerability with a severity score of 7 or greater) and the apps running on the platform (which may need a specific Kubernetes version) may influence this decision, but I want to set some baseline. I welcome any experience or help.

purple-pharmacist-31177

11/18/2022, 12:44 PM
In my opinion there are many factors:
1. Are you or your team going to make use of the newly added features? In other words, what is the motivation behind upgrading to the latest version?
2. N-2 in Prod and N-1 in DEV could be a good idea, where N is the latest version, given that the release cycle is about 3 months. (But you might want to have parity between your pre-prod and prod.)

great-photographer-94826

11/18/2022, 12:52 PM
@purple-pharmacist-31177 Thanks for the good feedback. I try to follow the good practices recommended by OWASP (https://cheatsheetseries.owasp.org/cheatsheets/Kubernetes_Security_Cheat_Sheet.html#kubernetes-version) to reduce security risks. The primary consideration is to guarantee business continuity (running apps); if for some reason I can't switch, I'll stay with the old version. I would upgrade to the maximum patch level to reduce security issues.

modern-television-79263

11/18/2022, 2:19 PM
Generally speaking: the bleeding edge causes you to bleed. I’m just now getting on to K8s v1.20. Been running v1.18 for almost a couple of years now.

full-painter-23916

11/18/2022, 6:47 PM
That's, uh, fairly extreme on the other end of the spectrum… <=1.22 has no upstream support or patching for CVEs.

modern-television-79263

11/18/2022, 7:34 PM
I agree it’s not ideal @full-painter-23916, but considering we self-host, and how much of our underlying infrastructure is interwoven with Rancher/K8s, we can’t afford to just continually upgrade and hope nothing breaks, or that none of the other infra needs to be upgraded first.
We just got onto vSphere 7, with the proper NetApp plugin upgrades, and are in the process of upgrading our NetApp storage heads and cluster next. That finally allowed me to get onto a newer version of Rancher/K8s, because eventually I want to go with the out-of-tree storage provider. Though we had issues with the in-tree provider after upgrading to Rancher v2.5.16/K8s v1.20.15, I think @square-orange-60123 just helped me to solve those.