Distribution Team Kubernetes and OpenShift release support policy
The Distribution team’s support policy for various Kubernetes and OpenShift releases for the GitLab Helm chart and Operator.
Definitions
Definitions for terms used in this policy.
Kubernetes release
An official minor number release of Kubernetes. Releases can be found at https://kubernetes.io/releases/. Kubernetes has official releases 3 times a year roughly 4 months apart which are supported with bug fixes and security patches for 1 year.
OpenShift release
An official minor number release of OpenShift. Releases can be found at https://access.redhat.com/support/policy/updates/openshift. OpenShift has official releases 3 times a year roughly 4 months apart which are supported with bug fixes and security patches for 1 year.
OpenShift is based on Kubernetes and is functionally very similar. Unless otherwise stated, we treat them as identical for this document.
Supported Kubernetes release
A Kubernetes release that is officially supported by GitLab.
Deprecated Kubernetes release
A Kubernetes release that was previously supported by GitLab and
for which we still run minimal testing in our CI/CD environment. For example,
with kubeval
, kubeconform
, or other similar tools. GitLab will likely work
on this Kubernetes release, although some features may not.
Qualifying Kubernetes release
A qualifying release is a release that we are testing (with possible porting work) and are adding to our end-to-end E2E testing in our CI/CD system. After a release is qualified, it then becomes an officially supported release. Over time, it will then proceed to a deprecated release.
Unsupported Kubernetes release
An unsupported release is either:
- A new release that has not yet been qualified.
- A previously-supported or deprecated release that is known to be broken.
Constraints
We have several constraints that limit the Kubernetes and OpenShift releases that we can support, either officially or as deprecated releases.
Kubectl
Version 1.X.Y
of kubectl
(where X
is the Kubernetes minor version and Y
is the Kubernetes patch level) is only supported on Kubernetes cluster versions
1.X-1
to 1.X+1
.
API support
Operator relies on backwards compatibility for the Kubernetes API. Kubernetes
guarantees backwards compatibility for N-3
versions, so this constraint is
less of an issue than for kubectl
support.
Kubernetes release schedule
Kubernetes releases 3 times a year with roughly 4 months between releases. Each Kubernetes release is supported for 12 months.
GitLab qualification
The work involved in creating a new cluster to support a new release and adding CI/CD support for it is significant. There is also work in adapting API changes in GitLab Chart and Operator. It takes roughly 3 months to qualify GitLab on a new Kubernetes release.
Cloud provider and Kubernetes flavor release schedules
Various Cloud providers that provide Kubernetes. We will test on only two, GKE and EKS, because of resource constraints and with the understanding that testing on these providers will likely allow us to extrapolate support on other providers running the same Kubernetes releases.
OpenShift is a Kubernetes flavor often run on on-premises infrastructure. There is enough demand and enough idiosyncrasies for OpenShift that we test, qualify, and support it similarly to the cloud providers.
Google Kubernetes Engine (GKE)
GKE is a Kubernetes cloud provider.
GKE supports each release in their Kubernetes release cycle for 14 months. These releases roughly correspond to the Kubernetes release cycle with some lag due to the need for GKE to qualify the release. There are generally 4-5 releases available in the rapid and regular channels with the oldest versions no longer getting patch release or security fixes. The stable channel does not have the newest Kubernetes minor version release so it generally has 4 versions with the oldest no longer receiving maintenance.
See GKE release schedule for details.
Elastic Kubernetes Service (EKS)
EKS is a Kubernetes cloud provider.
EKS follows the Kubernetes release schedule like GKE and Openshift. Each release is supported for 14 months.
See EKS version for details.
Azure Kubernetes Service (AKS)
AKS is a Kubernetes cloud provider.
AKS follows the Kubernetes release schedule like GKE and Openshift. Each release is supported for 12 months. The latest AKS release usually lags one release behind the latest Kubernetes release.
See AKS Kubernetes release calendar for details.
OpenShift
OpenShift is a Kubernetes flavor.
Openshift supports each release in their release cycle for 12-18 months. Like GKE, their releases are roughly 4 months apart and roughly correspond to the Kubernetes release cycle. The latest OpenShift release usually lags two releases behind the latest Kubernetes release.
See Openshift versioning for details.
GKE auto-upgrades
GKE will auto-upgrade clusters that are out of support.
Kubernetes and OpenShift release support policy
The distribution team’s support policy for GitLab Helm chart and Operator on Kubernetes and OpenShift releases.
Officially-supported releases
GitLab supports a moving subset of all releases of Kubernetes and OpenShift as new versions are released and old versions are no longer supported by the corresponding providers.
Kubernetes officially supported releases
GitLab will officially support three minor releases of Kubernetes: N
, N-1
,
and N-2
. N
is either:
- The latest released minor version of Kubernetes, if we have finished qualifying it.
- The next most recent version, if we have not finished or started qualifying the most recent version.
We use the term N+1
for the next upcoming release that may or may not yet be
under qualification. GitLab will officially support three minor releases of
Kubernetes – N
, N-1
, and N-2
. N
is either the latest released minor
version of Kubernetes (if we have finished qualifying it) or the next most
recent version (if we have not finished or started qualifying the most recent
version). We use the term N+1
for the next upcoming release that may or may
not yet be under qualification. For example, if the current releases available
are 1.28
, 1.27
, 1.26
, 1.25
and we have not qualified release 1.28
, then
N
would be 1.27
and we would officially support releases 1.25
, 1.26
, and
1.27
as shown in this table.
Release | Reference | Supported |
---|---|---|
1.28 | N+1 |
No |
1.27 | N |
Yes |
1.26 | N-1 |
Yes |
1.25 | N-2 |
Yes |
Once 1.28
is qualified, 1.29
becomes N+1
and we add 1.28
to the
list of officially supported releases. The latest existing supported release
(1.25
) becomes deprecated (or possibly unsupported).
Release | Reference | Supported |
---|---|---|
1.29 | N+1 |
No |
1.28 | N |
Yes |
1.27 | N-1 |
Yes |
1.26 | N-2 |
Yes |
1.25 | N/A | Deprecated |
Officially-supported OpenShift releases
GitLab will officially support four minor releases of OpenShift – N
, N-1
,
and N-2
and N-3
. Like Kubernetes, N
is either:
- The latest released minor version of OpenShift, if we have finished qualifying it.
- The next most recent version, if we have not finished or started qualifying the most recent version.
Again, we use the term N+1
for the next upcoming release that may or may not
yet be under qualification. For example, if the current releases available are
4.14
, 4.13
, 4.12
, 4.11
and we have not qualified release 4.15
, then
N
would be 4.14
and we would officially support releases 4.14
, 4.13
,
4.12
, and 4.11
as shown in this table.
Release | Reference | Supported |
---|---|---|
4.15 | N+1 |
No |
4.14 | N |
Yes |
4.13 | N-1 |
Yes |
4.12 | N-2 |
Yes |
4.11 | N-2 |
Yes |
Deprecated releases
We will accept community contributions to fix issues in deprecated releases as long as those fixes do not break supported versions. We may also provide unofficial support for these releases as time and resources allow.
Note that GitLab does not strictly follow the Kubernetes project deprecation schedule.
Kubernetes release support life-cycle
A Kubernetes release goes through the following distribution Kubernetes release support life-cycle:
graph TD A[New release] B[In qualification] C[Supported] D[Deprecated] E[Unsupported] A-->B B-->C C-->D D-->E
New release
A new Kubernetes release that has not yet started qualification for GitLab support.
In qualification
The GitLab distribution team has started qualification of a new release. Qualification includes:
- Conforming to API changes where needed
- Provisioning infrastructure
- Adding CI/CD pipeline
- Adding E2E tests
A complete list of qualification tasks can be found at Kubernetes release qualification issue template
Supported
Qualification is complete.
Deprecated
A previously supported release can become deprecated for the following reasons:
- The Kubernetes release reaches end-of-life.
- It is the oldest supported release and we have more than three supported releases.
Deprecated releases are supported as a best effort as time and resources allowed
by the Distribution team. Releases continue as deprecated as long as they
continue to pass kubeval
, kubeconform
, or other validation tool testing in
our CI system and have no known breaking issues. We will consider community
contributions as long as these changes do not break support for officially
supported and newer deprecated releases.
Unsupported
A release becomes unsupported for the following reasons:
- The release is deprecated and known to be broken (usually because it no longer passes our validation tests).
- The release has been end-of-life for more than one year.
New Kubernetes release support timeline
Newer (N+1
) Kubernetes releases will be supported within 3 months of
their release.
Kubernetes patch level
We assume that GitLab is backwards and forwards-compatible with patch-level
releases of a given Kubernetes minor-level release. That is, if we qualify
Kubernetes release 1.N.3
, then we can assume qualification for all releases of
1.N.x
.
Architectures
Kubernetes can run on several physical architectures. GitLab supports a subset of these architectures due to resource constraints.
x86-64
Our base architecture is x86-64. We support this architecture for all supported Kubernetes releases.
arm64
We do not currently do E2E testing on ARM64. We should add this test on at least one Kubernetes release before making ARM64 officially supported.
kubectl
version
Where practical, the latest GitLab Helm charts should ship with N-1
version of
kubectl
. This will allow us to officially support both N
and N-2
Kubernetes release.
CI/CD testing requirements
End-to-End (E2E) testing
The N
Kubernetes release gets E2E testing for both x86-64 and ARM64
(when we decide to support it). E2E testing is currently done using our current
charts and operator pipelines with the review__<cluster_version>
,
review_specs_<cluster_version>
(charts only), and qa_<cluster_version>
jobs.
Smoke testing
We do smoke testing for our N
, N-1
, and N-2
Kubernetes releases. Smoke
testing is done in our pipelines with the review_vcluster_<cluster_version>
jobs. This test deploys the GitLab Helm chart or Operator to a virtual cluster.
Validation testing
Validation testing is done using
kubeconform
or a similar validation
tool. GitLab chart pipelines runs kubconform
in the Validate <cluster_version>
jobs.
GitLab Operator does not currently have a validation test that we can use for this purpose. We will add a corresponding validation test for deprecated releases once we stop doing E2E testing for all releases.
Deprecated release testing
Deprecated releases are tested for regressions using validation testing. As new releases are qualified, a new validation test job is created. Supporting deprecated release then consist of not removing older versions of the validation testing jobs. Once a validation test job breaks due to some incompatibility, we either fix the incompatibility if the deprecation policy allows, or remove that release from the list making it an unsupported Kubernetes release.
Public-facing documentation
We document supported and deprecated Kubernetes releases in tables at:
These tables are updated every time we change the list of our supported and/or deprecated releases for both GitLab Helm chart and Operator.
New release process
The process used to add support for a new release and to deprecate older releases is detailed in the issue template.
af33af46
)