-
Notifications
You must be signed in to change notification settings - Fork 51
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
4.14: Bump minor_min
to 4.13.19 to pickup the SCC gate
#4295
4.14: Bump minor_min
to 4.13.19 to pickup the SCC gate
#4295
Conversation
/hold We want to only merge once 4.13.19 is actually validated and released. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: LalatenduMohanty, petr-muller The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Feel free to remove the hold once we are sure about openshift/cluster-version-operator#969 is in 4.13.19 |
/hold cancel |
@petr-muller: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
We'd raised the floor for 4.13-to-4.19 in 1db9474 (4.14: Bump `minor_min` to 4.13.19 to pickup the SCC gate, 2023-10-25, openshift#4295), but that only applies to automatically generated new releases. ART created the 4.14.0 metadata by hand, and included 4.13.17 and 4.13.18. But we do not recommend folks update from those to 4.14 without passing through 4.13.19 or later to get the SCC Upgradeable checker. There are some trade offs between this commit's silent drop vs. declaring an Always risk: * A silent drop simplifies update graphs, not even presenting the not-recommended updates which could distract customers that don't care about those updates. * A silent drop may mean we do not need to support customers who update from 4.13.17 or 18 directly to 4.14.0 and have some mutated SCCs stomped. Or at least, there are not explicit docs one way or the other about whether customers who do this will be supported. And with the updates silently dropped, the number of customers who do this update is expected to be very low. * An Always risk might have more customers thing "I probably didn't mutate my SCCs", accept the risk, and then be surprised when they actually had mutated their SCCs and the SCCs got stomped. * An Always risk would reduce the chances that folks saw: $ oc adm release info -o json quay.io/openshift-release-dev/ocp-release:4.14.0-x86_64 | jq -r '.metadata.previous[]' | grep '^4[.]13[.]' 4.13.17 4.13.18 4.13.19 and then opened support cases about why they didn't see 4.14.0 as a direct-hop update target in their 4.13.17 or 18 cluster (the transparency issues that conditional update risks was designed to address). Whether Always or silent-drops are better for customers is unclear. But soon 4.14.1 will come out, and after that, folks caring about updates to 4.14.0 will likely be very rare, so it doesn't seem like it's worth pinning down a technological winner, and we're going with silent-drop.
We'd raised the floor for 4.13-to-4.14 in 1db9474 (4.14: Bump `minor_min` to 4.13.19 to pickup the SCC gate, 2023-10-25, openshift#4295), but that only applies to automatically generated new releases. ART created the 4.14.0 metadata by hand, and included 4.13.17 and 4.13.18. But we do not recommend folks update from those to 4.14 without passing through 4.13.19 or later to get the SCC Upgradeable checker. There are some trade offs between this commit's silent drop vs. declaring an Always risk: * A silent drop simplifies update graphs, not even presenting the not-recommended updates which could distract customers that don't care about those updates. * A silent drop may mean we do not need to support customers who update from 4.13.17 or 18 directly to 4.14.0 and have some mutated SCCs stomped. Or at least, there are not explicit docs one way or the other about whether customers who do this will be supported. And with the updates silently dropped, the number of customers who do this update is expected to be very low. * An Always risk might have more customers thing "I probably didn't mutate my SCCs", accept the risk, and then be surprised when they actually had mutated their SCCs and the SCCs got stomped. * An Always risk would reduce the chances that folks saw: $ oc adm release info -o json quay.io/openshift-release-dev/ocp-release:4.14.0-x86_64 | jq -r '.metadata.previous[]' | grep '^4[.]13[.]' 4.13.17 4.13.18 4.13.19 and then opened support cases about why they didn't see 4.14.0 as a direct-hop update target in their 4.13.17 or 18 cluster (the transparency issues that conditional update risks was designed to address). Whether Always or silent-drops are better for customers is unclear. But soon 4.14.1 will come out, and after that, folks caring about updates to 4.14.0 will likely be very rare, so it doesn't seem like it's worth pinning down a technological winner, and we're going with silent-drop.
Yet-nonexistent 4.13.19 is likely to be the 4.13 patch release picking up openshift/cluster-version-operator#969 which adds the
Upgradeable=False
gate when modified SCC resources are detected in the cluster. We will want everyone to go through the CVO with this change, to prevent workloads from breaking if they depend on modified system SCC resources.