[Other] Test scs-compatible K8S Standards with Gardener

[anjastrunk]

We defined as set of standards for SCS compatible K8S certificate v1 in https://github.com/SovereignCloudStack/standards/issues/615 and want check, if these standard apply to k8s implementation with Gardener, too.

Tasks

• [x] Setup k8s with Gardener
• [ ] Run Compliance Tests, from https://github.com/SovereignCloudStack/standards/issues/615
• [ ] In case of failing tests, document reasons as well as what has to be adjusted in k8s be SCS compatible

Standards to be to checked:

• [x] SCS K8S Version Policy v2
• [x] SCS KaaS default storage class v2
• ~[ ] Requirements for container registries v1~ see https://github.com/SovereignCloudStack/standards/issues/794#issuecomment-2485735537
• [ ] Kubernetes Nodes Anti Affinity v1
• [ ] Kubernetes Node Distribution and Availability v2
• [ ] Robustness features for Kubernetes clusters
• [ ] Kubernetes cluster hardening

[berendt]

@michal-gubricky If you need access to a Gardener test project please ping me on Matrix.

[michal-gubricky]

@michal-gubricky If you need access to a Gardener test project please ping me on Matrix.

Thank you @berendt. I've already sent you a DM on Matrix chat.

[michal-gubricky]

I have successfully set up a Gardener-managed k8s cluster (a "shoot cluster") locally. I hope it is enough to run the tests against it.

SCS K8S Version Policy v2:

• Gardener does not support yet k8s version 1.31.2, which is the latest. Therefore I must change this file to be able to spawn shoot cluster with k8s 1.31.2 version.
• I found that k8s-eol-data.yml file isn't up-to-date, https://github.com/SovereignCloudStack/standards/pull/814

[mbuechse]

How long has it been since 1.31.2 got released? The standard says

The latest minor version MUST be provided no later than 4 months after release.

So, if we are still inside this 4-month window, we can of course use 1.31.1.

[mbuechse]

Another question. Now that you have created a shoot cluster -- how hard do you think it would be to make a Gardener plugin for our compliance tests, similar to your ClusterStacks plugin?

[michal-gubricky]

How long has it been since 1.31.2 got released? The standard says

The latest minor version MUST be provided no later than 4 months after release.

So, if we are still inside this 4-month window, we can of course use 1.31.1.

The version 1.31.2 was released on 2024-10-22, which was about 17 days ago.

But this is a patch version, not a minor one and standard says

The latest patch version MUST be provided no later than 2 weeks after release.

[michal-gubricky]

Another question. Now that you have created a shoot cluster -- how hard do you think it would be to make a Gardener plugin for our compliance tests, similar to your ClusterStacks plugin?

Hmmm, it's really hard to say since the Gardener project is still new to me. But I would say a very rough estimate for spawning a gardener cluster locally would be at least 4 days if not more. And also based on docs, you need at least 8 CPUs and 8Gi memory.

[berendt]

@michal-gubricky If you need access to a Gardener test project please ping me on Matrix.

Thank you @berendt. I've already sent you a DM on Matrix chat.

Sorry, I think you wrote to an old account of me, unfortunately I didn't get anything on my active account.

[berendt]

How long has it been since 1.31.2 got released? The standard says

The latest minor version MUST be provided no later than 4 months after release.

So, if we are still inside this 4-month window, we can of course use 1.31.1.

Gardener is currently using 1.30 and 1.31 will come with the next release of Gardener.

[michal-gubricky]

@michal-gubricky If you need access to a Gardener test project please ping me on Matrix.

Thank you @berendt. I've already sent you a DM on Matrix chat.

Sorry, I think you wrote to an old account of me, unfortunately I didn't get anything on my active account.

I wrote you at @cberendt:matrix.org

[michal-gubricky]

SCS KaaS default storage class v2:

• Test passed
• Found an error, see https://github.com/SovereignCloudStack/standards/pull/818

Kubernetes Node Distribution and Availability v2:

• Currently testing. It seems that a locally deployed Gardener may not be sufficient for this purpose.
• @berendt could you please provide me access to a Gardener test project?

[michal-gubricky]

Yesterday afternoon and this morning, I was trying to deploy the Gardener cluster on top of OpenStack (gx-scs infra) since I still don't have access to the Gardener test project. However, one or two nodes continue to encounter this error: No valid host was found. There are not enough hosts available.

Requirements for container registries v1:

• In my opinion, we don't need to test this standard because it is related to the registries themselves, not to how the k8s cluster was deployed.
• @anjastrunk can I remove this point from the issue?

[anjastrunk]

Yesterday afternoon and this morning, I was trying to deploy the Gardener cluster on top of OpenStack (gx-scs infra) since I still don't have access to the Gardener test project. However, one or two nodes continue to encounter this error: No valid host was found. There are not enough hosts available.

Requirements for container registries v1:

* In my opinion, we don't need to test this standard because it is related to the registries themselves, not to how the k8s cluster was deployed.

* @anjastrunk can I remove this point from the issue?

Yes, I think so as

1. All requirements are recommended
2. There is no conformance test related to scs-0212-v1-requirements-for-container-registries

[michal-gubricky]

On hold, as I still haven't been able to get access to the Gardener test project.