Migrate away from google.com gcp project k8s-testimages #1523

Open
62 of 77 tasks
spiffxp opened this issue Jan 13, 2021 · 51 comments
Labels:

  • area/release-eng: Issues or PRs related to the Release Engineering subproject
  • priority/important-soon: Must be staffed and worked on either currently, or very soon, ideally in time for the next release.
  • sig/k8s-infra: Categorizes an issue or PR as relevant to SIG K8s Infra.
  • sig/release: Categorizes an issue or PR as relevant to SIG Release.
  • sig/testing: Categorizes an issue or PR as relevant to SIG Testing.

Comments

@spiffxp
Member

spiffxp commented Jan 13, 2021

Part of umbrella issue to migrate away from google.com gcp projects: #1469

At least some of this is part of the umbrella to migrate kubernetes e2e test images/registries to community-owned infrastructure: #1458

We should migrate away from the google.com-owned gcr.io/k8s-testimages repository and instead use a community-owned repository.

k8s-testimages hosts a variety of images that are built from source in kubernetes/test-infra. They fall broadly into two classes:

  • images used to run prowjobs (e.g. kubekins)
  • images for sundry components, experiments, services and tools that live in test-infra

/wg k8s-infra
/sig release
/sig testing
/area release-eng


EDIT(spiffxp): Went through and exhaustively identified images that need to be migrated from the repo, or can be left behind.

Images that are used and need migration, have already migrated, or are unused and need source deleted:

Images that appear to be unused:

  • gcr.io/k8s-testimages/bootstrap-dind - unused
  • gcr.io/k8s-testimages/boskosctl-base - unused
  • gcr.io/k8s-testimages/cherrypick - unused
  • gcr.io/k8s-testimages/dind-test-base-amd64 - unused
  • gcr.io/k8s-testimages/e2e-kubeadm - unused
  • gcr.io/k8s-testimages/experiment - unused
  • gcr.io/k8s-testimages/fake-server - unused
  • gcr.io/k8s-testimages/fedtidy - unused
  • gcr.io/k8s-testimages/gcp-controller-manager - unused
  • gcr.io/k8s-testimages/gcr.io - unused
  • gcr.io/k8s-testimages/generic_autobump - unused
  • gcr.io/k8s-testimages/github-fetcher - unused
  • gcr.io/k8s-testimages/github-token-counter - unused
  • gcr.io/k8s-testimages/github-transform - unused
  • gcr.io/k8s-testimages/gob-test - unused
  • gcr.io/k8s-testimages/heapster-test - unused
  • gcr.io/k8s-testimages/janitor-aws - unused
  • gcr.io/k8s-testimages/kube-deploy - unused
  • gcr.io/k8s-testimages/kubekins-node - unused
  • gcr.io/k8s-testimages/kubekins-senlu-hack - unused
  • gcr.io/k8s-testimages/kubemark - unused
  • gcr.io/k8s-testimages/kubernetes-node - unused
  • gcr.io/k8s-testimages/leaker - unused
  • gcr.io/k8s-testimages/levee-test - unused
  • gcr.io/k8s-testimages/misc-mungers - unused
  • gcr.io/k8s-testimages/nursery - unused
  • gcr.io/k8s-testimages/planter - unused
  • gcr.io/k8s-testimages/pohly - unused
  • gcr.io/k8s-testimages/prow-test-image - unused
  • gcr.io/k8s-testimages/queue-health-base - unused
  • gcr.io/k8s-testimages/queue-health-graph - unused
  • gcr.io/k8s-testimages/queue-health-poll - unused
  • gcr.io/k8s-testimages/redis - unused
  • gcr.io/k8s-testimages/resultstore - unused
  • gcr.io/k8s-testimages/submit-queue - unused
  • gcr.io/k8s-testimages/test-infra-go-test - unused
  • gcr.io/k8s-testimages/test-infra-py-test - unused
@k8s-ci-robot added the wg/k8s-infra, sig/release, sig/testing and area/release-eng labels Jan 13, 2021
@spiffxp
Member Author

spiffxp commented Jan 21, 2021

/milestone v1.21

@k8s-ci-robot added this to the v1.21 milestone Jan 21, 2021
@spiffxp added the priority/important-soon label Jan 22, 2021
@spiffxp
Member Author

spiffxp commented Feb 5, 2021

I am open to suggestions on where we should move these images.

I was thinking instead of a straight rename, take the time to break up the two classes:

  • k8s-testimages/kettle -> k8s.gcr.io/test-infra/kettle (k8s-staging-test-infra)
  • k8s-testimages/kubekins -> k8s.gcr.io/job-images/kubekins (k8s-staging-job-images)

Or, if we're just doing a lift-and-shift... then k8s-staging-test-infra

@justaugustus
Member

@spiffxp -- Maybe a few different ownership levels to consider here:

  • common test-infra images
  • restricted access test-infra images (this may not be a required category)
  • shared access

In the shared access "tier" would be kubekins-e2e and maybe krte.
https://github.com/kubernetes/test-infra/blob/master/images/kubekins-e2e/OWNERS

I have approver on kubekins-e2e and I think this IAM group covers that case:

    - email-id: k8s-infra-google-build-admins@kubernetes.io
      name: k8s-infra-google-build-admins
      description: |-
        ACL for Google Build Admins (edit access to Docker Hub mirror, view
        access to Release GCP projects)
        https://git.k8s.io/sig-release/release-managers.md#build-admins
      settings:
        ReconcileMembers: "true"
      members:
        - k8s-infra-release-editors@kubernetes.io
        - amwat@google.com
        - bentheelder@google.com
        - mushuee@google.com
        - spiffxp@google.com
I think the closest existing staging project would be k8s-infra-staging-build-image and I'd be happy to have y'all have access to that one.

@spiffxp
Member Author

spiffxp commented Mar 5, 2021

> @spiffxp -- Maybe a few different ownership levels to consider here:
>
>   • common test-infra images
>   • restricted access test-infra images (this may not be a required category)
>   • shared access
>
> In the shared access "tier" would be kubekins-e2e and maybe krte.
> https://github.com/kubernetes/test-infra/blob/master/images/kubekins-e2e/OWNERS
>
> I have approver on kubekins-e2e and I think this IAM group covers that case:
>
>     - email-id: k8s-infra-google-build-admins@kubernetes.io
>       name: k8s-infra-google-build-admins
>       description: |-
>         ACL for Google Build Admins (edit access to Docker Hub mirror, view
>         access to Release GCP projects)
>         https://git.k8s.io/sig-release/release-managers.md#build-admins
>       settings:
>         ReconcileMembers: "true"
>       members:
>         - k8s-infra-release-editors@kubernetes.io
>         - amwat@google.com
>         - bentheelder@google.com
>         - mushuee@google.com
>         - spiffxp@google.com
>
> I think the closest existing staging project would be k8s-infra-staging-build-image and I'd be happy to have y'all have access to that one.

I agree with putting kubekins-e2e somewhere shared / under releng purview.

I don't think it should be build-images though. Thinking toward applying policies for build provenance and security audit for the build chain of k8s releases. The kubekins-e2e image is an organically evolved mess, easier to keep it out of that repo than attempt to filter policy on certain image names.

I'm thinking of:

  • gcr.io/k8s-staging-test-infra/images for all images built from kubernetes/test-infra/images
  • give releng access to test-infra for now
  • choose somewhere else for eventual destination for kubekins-e2e and its ilk
    • releng? Is for "releng tooling" but these are more about ci for kubernetes
    • ci-images? Is for ci releases of kubernetes components, still not the best fit, but prow can push directly to it (admittedly a special case for now that could be generalized later)
  • for each image
    • push to both old k8s-testimages and new destination repo (default to test-infra/images for everything but kubekins-e2e)
    • backfill for at least kubekins-e2e
    • migrate job configs to use new repo
    • stop pushing to k8s-testimages
  • revoke releng push access to test-infra when we've migrated remaining shared images out

My preference for shared repo would be releng, you've started moving some kubernetes job images there already IIRC

But ci-images also sounds like a better name, so not a strong preference

Hold on migrating kubekins until after code freeze but move on everything else, and see what else makes sense to move to shared from there

WDYT?

@spiffxp
Member Author

spiffxp commented Mar 5, 2021

Ping @BenTheElder and @kubernetes/release-managers for comment

@spiffxp
Member Author

spiffxp commented Mar 5, 2021

Another bit of followup to consider, set up auto bumping of images used in jobs: kubernetes/test-infra#21137

@BenTheElder
Member

I think we should continue to have CI images in a dedicated registry. They're not the same as, say, GCB images (e.g. docker in docker setup, bootstrap.py, you name it). I also think staging registries should map to a single git repo so it's easier to locate the git source for any given image. (And that's the pattern we have right now in k8s.io pretty consistently).

CI images should continue to be pushed by automation, which is working well. We don't need to and should not grant humans push access (far less auditable than automation pushing from image sources in public git).

Definitely do not move anything in the middle of code freeze, please. This is not a worthwhile diversion from reviewing code changes before freeze.

@ameukam
Member

ameukam commented Apr 15, 2021

Opened #1908.
We can start with common test-infra images
/milestone v1.22

@ameukam
Member

ameukam commented May 4, 2021

Followup of #1908, add a canary ProwJob that pushes a test-infra image. Kettle?

@spiffxp
Member Author

spiffxp commented Jul 27, 2021

/milestone v1.23
So, lift-and-shift to k8s-staging-test-infra.

I think it's perfectly acceptable to start pushing images to the staging project @ameukam set up and keep pushing to k8s-testimages for now. Maybe even start switching over some of the non-kubernetes/kubernetes jobs.

But let's wait until after v1.22 releases to change images on the high traffic release-blocking / merge-blocking jobs.

@spiffxp
Member Author

spiffxp commented Sep 2, 2021

Going to take a stab at kubekins over the next few days:

@cpanato
Member

cpanato commented Jun 7, 2023

All missing repos are done now, waiting for approval
cc @ameukam

@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot added the lifecycle/stale label Jan 22, 2024
@ameukam
Member

ameukam commented Jan 22, 2024

/remove-lifecycle stale

@k8s-ci-robot removed the lifecycle/stale label Jan 22, 2024
@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot added the lifecycle/stale label Apr 21, 2024
@k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle rotten
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

@k8s-ci-robot added the lifecycle/rotten label and removed the lifecycle/stale label May 21, 2024
@BenTheElder
Member

/remove-lifecycle rotten

@k8s-ci-robot removed the lifecycle/rotten label May 21, 2024
@BenTheElder
Member

All of these images will go away when GCR shuts down ... there's currently no owner / intention to migrate to AR and I'm not sure we should.

I think we should use this code search for the current list and burn it down until there are no results:
https://cs.k8s.io/?q=gcr.io%2Fk8s-testimages&i=nope&files=&excludeFiles=&repos=

It looks like two images still publish to k8s-testimages but I'm not sure we're actually using them at all.

@puerco
Member

puerco commented Jun 21, 2024

I suspect some of those are the image promoter's test images. I did a quick search and it still has references to gcr.io in the documentation and hardcoded everywhere 😢

I can check what is still current after Cloud Native SecurityCon (in about a week).

@BenTheElder
Member

We need to finish this ASAP, GCR shutdown => google projects turning down earlier => these images are at risk.

I'm in a thread about if we can keep them but I have some OOO coming up and these remain a liability anyhow.

@michelle192837
Contributor

michelle192837 commented Aug 23, 2024

List of images (or 'images') used in https://cs.k8s.io/?q=gcr.io%2Fk8s-testimages&i=nope&files=&excludeFiles=&repos=:

| Image | Uses | Handled? |
| --- | --- | --- |
| gcr.io/k8s-testimages/perf-tests-util/containerd | Uses | N |
| gcr.io/k8s-testimages/netperfbenchmark | Uses | N |
| gcr.io/k8s-testimages/probes | Uses | N |
| gcr.io/k8s-testimages/quay.io/prometheus-operator/prometheus-config-reloader | Uses | N |
| gcr.io/k8s-testimages/quay.io/prometheus-operator/prometheus-operator | Uses | N |
| gcr.io/k8s-testimages/quay.io/prometheus/node-exporter | Uses | N |
| gcr.io/k8s-testimages/grafana/grafana | Uses | N |
| gcr.io/k8s-testimages/quay.io/prometheus/prometheus | Uses | N |
| gcr.io/k8s-testimages/perf-tests-util/access-tokens | Uses | N |
| gcr.io/k8s-testimages/perf-tests-util/request-benchmark | Uses | N |
| gcr.io/k8s-testimages/kube-cross-amd64 | Uses | N |
| gcr.io/k8s-testimages/launcher.gcr.io/google/bazel | Uses | N |
| gcr.io/k8s-testimages/gubernator | Uses | N |
| gcr.io/k8s-testimages/boskos | Uses | Y (no-op) |
| gcr.io/k8s-testimages/kubekins-e2e-prow | Uses | N |
| gcr.io/k8s-testimages/logexporter | Uses | N |
| gcr.io/k8s-testimages/krte | Uses | N |
| gcr.io/k8s-testimages/admission | Uses | N |
| gcr.io/k8s-testimages/branchprotector | Uses | N |
| gcr.io/k8s-testimages/peribolos | Uses | N |
| gcr.io/k8s-testimages/pipeline | Uses | N |
| gcr.io/k8s-testimages/gcb-docker-gcloud | Uses | N |
| gcr.io/k8s-testimages/kubekins-e2e | Uses | N |
| gcr.io/k8s-testimages/image-builder | Uses | Y (no-op) |
| gcr.io/k8s-testimages/bootstrap | Uses | Y (no-op) |

There's also some examples, tests, or docs mentions that aren't as relevant:

  • gcr.io/k8s-testimages/
  • gcr.io/k8s-testimages/some-image
  • gcr.io/k8s-testimages/foo
  • gcr.io/k8s-testimages/<image-name>

@michelle192837
Contributor

michelle192837 commented Aug 23, 2024

For comparison, the actual list of images in k8s-testimages:

  • gcr.io/k8s-testimages/alpine-bash
  • gcr.io/k8s-testimages/aws-janitor
  • gcr.io/k8s-testimages/bazel-krte
  • gcr.io/k8s-testimages/bazelbuild
  • gcr.io/k8s-testimages/benchmarkjunit
  • gcr.io/k8s-testimages/bigquery
  • gcr.io/k8s-testimages/bootstrap
  • gcr.io/k8s-testimages/bootstrap-dind
  • gcr.io/k8s-testimages/boskos
  • gcr.io/k8s-testimages/boskosctl-base
  • gcr.io/k8s-testimages/branchprotector
  • gcr.io/k8s-testimages/cherrypick
  • gcr.io/k8s-testimages/ci_fuzz
  • gcr.io/k8s-testimages/cluster-api
  • gcr.io/k8s-testimages/clusterfuzzlite
  • gcr.io/k8s-testimages/commenter
  • gcr.io/k8s-testimages/dind-test-base-amd64
  • gcr.io/k8s-testimages/e2e-kubeadm
  • gcr.io/k8s-testimages/e2e-kubemci
  • gcr.io/k8s-testimages/experiment
  • gcr.io/k8s-testimages/fake-server
  • gcr.io/k8s-testimages/fedtidy
  • gcr.io/k8s-testimages/gcb-docker-gcloud
  • gcr.io/k8s-testimages/gcloud-bazel
  • gcr.io/k8s-testimages/gcloud-in-go
  • gcr.io/k8s-testimages/gcloud-terraform
  • gcr.io/k8s-testimages/gcp-controller-manager
  • gcr.io/k8s-testimages/gcr.io
  • gcr.io/k8s-testimages/gencred
  • gcr.io/k8s-testimages/generic_autobump
  • gcr.io/k8s-testimages/ghproxy
  • gcr.io/k8s-testimages/github-fetcher
  • gcr.io/k8s-testimages/github-token-counter
  • gcr.io/k8s-testimages/github-transform
  • gcr.io/k8s-testimages/gob-test
  • gcr.io/k8s-testimages/grafana
  • gcr.io/k8s-testimages/greenhouse
  • gcr.io/k8s-testimages/gubernator
  • gcr.io/k8s-testimages/heapster-test
  • gcr.io/k8s-testimages/image-builder
  • gcr.io/k8s-testimages/issue-creator
  • gcr.io/k8s-testimages/janitor
  • gcr.io/k8s-testimages/janitor-aws
  • gcr.io/k8s-testimages/kettle
  • gcr.io/k8s-testimages/krte
  • gcr.io/k8s-testimages/kube-deploy
  • gcr.io/k8s-testimages/kubekins-e2e
  • gcr.io/k8s-testimages/kubekins-e2e-prow
  • gcr.io/k8s-testimages/kubekins-node
  • gcr.io/k8s-testimages/kubekins-senlu-hack
  • gcr.io/k8s-testimages/kubekins-test
  • gcr.io/k8s-testimages/kubemark
  • gcr.io/k8s-testimages/kubernetes-node
  • gcr.io/k8s-testimages/label_sync
  • gcr.io/k8s-testimages/launcher.gcr.io
  • gcr.io/k8s-testimages/leaker
  • gcr.io/k8s-testimages/levee-test
  • gcr.io/k8s-testimages/logexporter
  • gcr.io/k8s-testimages/metrics
  • gcr.io/k8s-testimages/misc-mungers
  • gcr.io/k8s-testimages/netperfbenchmark
  • gcr.io/k8s-testimages/nursery
  • gcr.io/k8s-testimages/perf-tests-util
  • gcr.io/k8s-testimages/perfdash
  • gcr.io/k8s-testimages/planter
  • gcr.io/k8s-testimages/pohly
  • gcr.io/k8s-testimages/polinux
  • gcr.io/k8s-testimages/probes
  • gcr.io/k8s-testimages/prow-test-image
  • gcr.io/k8s-testimages/quay.io
  • gcr.io/k8s-testimages/queue-health-base
  • gcr.io/k8s-testimages/queue-health-graph
  • gcr.io/k8s-testimages/queue-health-poll
  • gcr.io/k8s-testimages/reaper
  • gcr.io/k8s-testimages/redis
  • gcr.io/k8s-testimages/resultstore
  • gcr.io/k8s-testimages/submit-queue
  • gcr.io/k8s-testimages/test-infra-go-test
  • gcr.io/k8s-testimages/test-infra-py-test
  • gcr.io/k8s-testimages/triage

A lot of these were migrated previously or as part of the move off the default build cluster in Prow and shouldn't be in use anymore.
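
The burn-down described in the comments above (search for remaining references, then compare them with what the registry actually holds), as an added example that is not part of the thread or of any Kubernetes tooling. File paths, file contents and tags are constructed; image names are taken from the two lists above, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Reference to the registry discussed in this issue. The lookbehind keeps
# other hosts such as "eu.gcr.io" from matching; tags and digests are not
# part of the captured repository path.
REF_RE = re.compile(r"(?<![A-Za-z0-9.\-])gcr\.io/k8s-testimages/([A-Za-z0-9._\-/<>]*)")

# Mentions the thread lists as examples, tests or docs, not real images.
PLACEHOLDERS = {"", "some-image", "foo", "<image-name>"}

# Constructed file contents; image names are taken from the lists above.
SAMPLE_FILES = {
    "jobs/e2e.yaml": "image: gcr.io/k8s-testimages/kubekins-e2e:constructed-tag\n",
    "jobs/krte.yaml": "image: gcr.io/k8s-testimages/krte@sha256:0000constructed\n",
    "perf/prom.yaml": "image: gcr.io/k8s-testimages/quay.io/prometheus/prometheus:constructed-tag\n",
    "jobs/peribolos.yaml": "image: gcr.io/k8s-testimages/peribolos:constructed-tag\n",
    "docs/images.md": "Push to gcr.io/k8s-testimages/<image-name>, e.g. gcr.io/k8s-testimages/foo.\n",
}
# Constructed subset of the registry's top-level repositories.
SAMPLE_INVENTORY = ["kettle", "krte", "kubekins-e2e", "quay.io", "triage"]


def find_references(files):
    """Map each referenced repository path to the files that mention it."""
    refs = defaultdict(set)
    for path, text in files.items():
        for match in REF_RE.finditer(text):
            repo = match.group(1).rstrip("/.")  # drop sentence punctuation
            if repo not in PLACEHOLDERS:
                refs[repo].add(path)
    return dict(refs)


def reconcile(refs, inventory):
    """Compare references with the registry inventory.

    The inventory lists top-level repositories only, so a nested reference
    such as quay.io/prometheus/prometheus counts against "quay.io".
    Returns (used, unreferenced, unknown): inventory entries still
    referenced, inventory entries nothing references, and references to
    repositories the inventory does not list.
    """
    used, unknown = defaultdict(set), {}
    for repo, paths in refs.items():
        top = repo.split("/", 1)[0]
        if top in inventory:
            used[top] |= paths
        else:
            unknown[repo] = set(paths)
    unreferenced = sorted(set(inventory) - set(used))
    return dict(used), unreferenced, unknown


if __name__ == "__main__":
    used, unreferenced, unknown = reconcile(find_references(SAMPLE_FILES), SAMPLE_INVENTORY)
    for repo in sorted(used):
        print("still referenced:", repo, sorted(used[repo]))
    print("safe to drop:", unreferenced)
    print("referenced but not in inventory:", sorted(unknown))
```
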

@ameukam
Member

ameukam commented Aug 26, 2024

/milestone v1.32

@k8s-ci-robot added this to the v1.32 milestone Aug 26, 2024
@ameukam
Member

ameukam commented Nov 21, 2024

We should ensure the ones we need are pushed to Artifact Registry and drop the rest.

/milestone clear

@k8s-ci-robot removed this from the v1.32 milestone Nov 21, 2024
Projects
Status: In Progress