This document contains the SIG Release Roadmap for 2021 and beyond. More detailed information can be found on the SIG Release and Release Engineering project boards.
Establish a consumable, introspectable, and secure supply chain for Kubernetes. As a supply chain we understand the defining, building and publishing of Kubernetes related artifacts.
- Consumable: Improving the usability of artifacts by making their consumption easier. This includes being process independent of vendor, employer and individuals.
- Introspectable: It is clear for users at which point and how Kubernetes artifacts are being built. This includes the documentation of all deliverables as well as clarifying what we do not support. All official release artifacts will be built by a hermetic process that is impervious to human interference.
- Secure: The artifacts we produce are verified for their integrity. This applies to their functionality (we know what we deliver) as well as their software security (we know when CVEs occur).
The following deliverables are necessary to achieve the overall goal. Within the following listing, all deliverables are sorted by their priority.
-
SLSA compliance in the Kubernetes Release Process
Outcome: Ensure that our release process is SLSA compliant. We also intend to participate actively in the development of the framework.
-
Enhance Kubernetes binary artifact management (Consumable)
Outcome: Being able to promote files as artifacts and using this mechanism for Kubernetes releases.
-
Define and collect metrics about Kubernetes releases (Introspectable)
Outcome: Being able to measure and interpret a set of defined metrics about Kubernetes releases to associate actions with those.
-
Define and implement the release cadence survey (Introspectable)
Outcome: A regular survey evaluating the user experience of the current release cadence.
-
Simplify CVE process for release management (Secure)
Outcome: A documented and simple process for handling CVE information within Kubernetes releases.
-
Establish Cluster API as first-class signal for upstream releases (Consumable)
Outcome: Cluster API provides a CI signal for blocking release test jobs.
-
Enhance and simplify Kubernetes version markers (Consumable)
Outcome: Clear documentation about available version markers as well as their simplified automation.
-
Moving deb/rpm package builds to community infrastructure (Consumable)
Outcome: Automated builds of
deb
andrpm
Kubernetes packages within community infrastructure. -
Signing of release artifacts (Secure)
Outcome: Being able to GPG sign release artifacts, which also includes container images.
-
We rely on different SIGs for our work
We have a need to discuss our enhancements with different SIGs to get all required information and drive the change. This can lead into helpful, but maybe not expected input and delay the deliverable.
-
Some topics require initial research
We're not completely aware of all technical aspects for the changes. This means that there is a risk of delaying because of investing more time in pre-research.
-
SLSA framework is in earlier stages and changes to it can/may affect some of the direction of roadmap items.
-
SIG Architecture
For the formalization of the released platforms and input about the overall supply chain.
-
SIG Cluster Lifecycle
To get input for making Cluster API a first-class signal for upstream releases.
-
Formalize supported release platforms (Introspectable)
Outcome: Definition of the life cycle for currently supported Kubernetes artifacts and a guideline for the community about how to add new platforms.
-
Implement a Bill of Materials (BOM) for release artifacts (Introspectable / Secure)
Outcome: An automated formal verification of produced release artifacts for every future release.
-
Create releases landing page (Consumable)
Outcome: A releases page that is up to date and acts as canonical place for release related information, for example links to release notes and support timelines.