Version Skew Policy (original) (raw)

The maximum version skew supported between various Kubernetes components.

This document describes the maximum version skew supported between various Kubernetes components. Specific cluster deployment tools may place additional restrictions on version skew.

Supported versions

Kubernetes versions are expressed as x.y.z, where x is the major version,y is the minor version, and z is the patch version, followingSemantic Versioning terminology. For more information, seeKubernetes Release Versioning.

The Kubernetes project maintains release branches for the most recent three minor releases (1.33, 1.32, 1.31). Kubernetes 1.19 and newer receive approximately 1 year of patch support. Kubernetes 1.18 and older received approximately 9 months of patch support.

Applicable fixes, including security fixes, may be backported to those three release branches, depending on severity and feasibility. Patch releases are cut from those branches at aregular cadence, plus additional urgent releases, when required.

The Release Managers group owns this decision.

For more information, see the Kubernetes patch releases page.

Supported version skew

kube-apiserver

In highly-available (HA) clusters, the newest and oldest kube-apiserver instances must be within one minor version.

Example:

• newest kube-apiserver is at 1.33
• other kube-apiserver instances are supported at 1.33 and 1.32

kubelet

• kubelet must not be newer than kube-apiserver.
• kubelet may be up to three minor versions older than kube-apiserver (kubelet < 1.25 may only be up to two minor versions older than kube-apiserver).

Example:

• kube-apiserver is at 1.33
• kubelet is supported at 1.33, 1.32,1.31, and 1.30

Example:

• kube-apiserver instances are at 1.33 and 1.32
• kubelet is supported at 1.32, 1.31, and 1.30 (1.33 is not supported because that would be newer than the kube-apiserver instance at version 1.32)

kube-proxy

• kube-proxy must not be newer than kube-apiserver.
• kube-proxy may be up to three minor versions older than kube-apiserver(kube-proxy < 1.25 may only be up to two minor versions older than kube-apiserver).
• kube-proxy may be up to three minor versions older or newer than the kubelet instance it runs alongside (kube-proxy < 1.25 may only be up to two minor versions older or newer than the kubelet instance it runs alongside).

Example:

• kube-apiserver is at 1.33
• kube-proxy is supported at 1.33, 1.32,1.31, and 1.30

Example:

• kube-apiserver instances are at 1.33 and 1.32
• kube-proxy is supported at 1.32, 1.31, and 1.30 (1.33 is not supported because that would be newer than the kube-apiserver instance at version 1.32)

kube-controller-manager, kube-scheduler, and cloud-controller-manager

kube-controller-manager, kube-scheduler, and cloud-controller-manager must not be newer than thekube-apiserver instances they communicate with. They are expected to match the kube-apiserver minor version, but may be up to one minor version older (to allow live upgrades).

Example:

• kube-apiserver is at 1.33
• kube-controller-manager, kube-scheduler, and cloud-controller-manager are supported at 1.33 and 1.32

Example:

• kube-apiserver instances are at 1.33 and 1.32
• kube-controller-manager, kube-scheduler, and cloud-controller-manager communicate with a load balancer that can route to any kube-apiserver instance
• kube-controller-manager, kube-scheduler, and cloud-controller-manager are supported at1.32 (1.33 is not supported because that would be newer than the kube-apiserver instance at version 1.32)

kubectl

kubectl is supported within one minor version (older or newer) of kube-apiserver.

Example:

• kube-apiserver is at 1.33
• kubectl is supported at 1.34, 1.33, and 1.32

Example:

• kube-apiserver instances are at 1.33 and 1.32
• kubectl is supported at 1.33 and 1.32(other versions would be more than one minor version skewed from one of the kube-apiserver components)

Supported component upgrade order

The supported version skew between components has implications on the order in which components must be upgraded. This section describes the order in which components must be upgraded to transition an existing cluster from version1.32 to version 1.33.

Optionally, when preparing to upgrade, the Kubernetes project recommends that you do the following to benefit from as many regression and bug fixes as possible during your upgrade:

• Ensure that components are on the most recent patch version of your current minor version.
• Upgrade components to the most recent patch version of the target minor version.

For example, if you're running version 1.32, ensure that you're on the most recent patch version. Then, upgrade to the most recent patch version of 1.33.

kube-apiserver

Pre-requisites:

• In a single-instance cluster, the existing kube-apiserver instance is 1.32
• In an HA cluster, all kube-apiserver instances are at 1.32 or1.33 (this ensures maximum skew of 1 minor version between the oldest and newest kube-apiserver instance)
• The kube-controller-manager, kube-scheduler, and cloud-controller-manager instances that communicate with this server are at version 1.32(this ensures they are not newer than the existing API server version, and are within 1 minor version of the new API server version)
• kubelet instances on all nodes are at version 1.32 or 1.31(this ensures they are not newer than the existing API server version, and are within 2 minor versions of the new API server version)
• Registered admission webhooks are able to handle the data the new kube-apiserver instance will send them:
  • ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects are updated to include any new versions of REST resources added in 1.33(or use the matchPolicy: Equivalent option available in v1.15+)
  • The webhooks are able to handle any new versions of REST resources that will be sent to them, and any new fields added to existing versions in 1.33

Upgrade kube-apiserver to 1.33

kube-controller-manager, kube-scheduler, and cloud-controller-manager

Pre-requisites:

• The kube-apiserver instances these components communicate with are at 1.33(in HA clusters in which these control plane components can communicate with any kube-apiserverinstance in the cluster, all kube-apiserver instances must be upgraded before upgrading these components)

Upgrade kube-controller-manager, kube-scheduler, andcloud-controller-manager to 1.33. There is no required upgrade order between kube-controller-manager, kube-scheduler, andcloud-controller-manager. You can upgrade these components in any order, or even simultaneously.

kubelet

Pre-requisites:

• The kube-apiserver instances the kubelet communicates with are at 1.33

Optionally upgrade kubelet instances to 1.33 (or they can be left at1.32, 1.31, or 1.30)

kube-proxy

Pre-requisites:

• The kube-apiserver instances kube-proxy communicates with are at 1.33

Optionally upgrade kube-proxy instances to 1.33(or they can be left at 1.32, 1.31, or 1.30)