Security Self Assessment: [STRIDE-INFODISCLOSE-1] RFE cluster addons #5491
Description
User Story
As a user/operator I would like Cluster API to get a comprehensive solution for Cluster addons lifecycle
Detailed Description
This builds up on #4166 and from recent discussions at SIG level.
There is a set of addons that have a lifecycle strictly linked to the cluster lifecycle managed by CAPI, afterwards Cluster addons.
Some of this addons should be lifecycle managed according with a combination of following requirements that can differ from addon to addon:
- They inherits some configurations from cluster configuration (e.g service or pod CIDR)
- They should be created during cluster creation (e.g immediately after the API server is installed)
- They should be upgraded before/during/after cluster (and more specifically control plane) upgrade
- There should be support support for out-of band upgrade, e.g. for CVE fix (not linked to the cluster lifecycle)
- They should be deleted before/during cluster deletion
- Possibly more...
Current answer for this problem space is CustomResourceSets, but this covers only some of the requirements above.
However this is falling short now that the number and the needs of Cluster addons are growing due to CSI/CPI plugins being moved out of three.
On top of that, most users have their own solution for addon management, and we should consider if/how to integrate with those solutions too
IMPORTANT: we are not seeking to reinvent an addon management solution with this issue, but instead we should focus on finding a way to lifecycle manage addons within the context of CAPI Cluster lifecycle
/kind feature