Add information on supported version skew and upgrade order

liggitt · liggitt · commit 1237fe4fb64a · 2018-11-18T15:20:25.000-05:00
diff --git a/content/en/docs/reference/using-api/deprecation-policy.md b/content/en/docs/reference/using-api/deprecation-policy.md
@@ -87,7 +87,7 @@ no less than:**
    * **Beta: 9 months or 3 releases (whichever is longer)**
    * **Alpha: 0 releases**
 
-This covers the maximum supported version skew of 2 releases.
+This covers the [maximum supported version skew of 2 releases](/docs/setup/version-skew-policy/).
 
 {{< note >}}
 Until [#52185](https://github.com/kubernetes/kubernetes/issues/52185) is
diff --git a/content/en/docs/setup/independent/create-cluster-kubeadm.md b/content/en/docs/setup/independent/create-cluster-kubeadm.md
@@ -586,8 +586,10 @@ Due to that we can't see into the future, kubeadm CLI vX.Y may or may not be abl
 Example: kubeadm v1.8 can deploy both v1.7 and v1.8 clusters and upgrade v1.7 kubeadm-created clusters to
 v1.8.
 
-Please also check our [installation guide](/docs/setup/independent/install-kubeadm/#installing-kubeadm-kubelet-and-kubectl)
-for more information on the version skew between kubelets and the control plane.
+See these resources for more information on supported version skew between kubelets and the control plane, and other Kubernetes components:
+
+* Kubernetes [version and version-skew policy](/docs/setup/version-skew-policy/)
+* Kubeadm-specific [installation guide](/docs/setup/independent/install-kubeadm/#installing-kubeadm-kubelet-and-kubectl)
 
 ## kubeadm works on multiple platforms {#multi-platform}
 
diff --git a/content/en/docs/setup/independent/install-kubeadm.md b/content/en/docs/setup/independent/install-kubeadm.md
@@ -119,8 +119,10 @@ This is because kubeadm and Kubernetes require
 [special attention to upgrade](/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade-1-11/).
 {{</ warning >}}
 
-For more information on version skews, please read our
-[version skew policy](/docs/setup/independent/create-cluster-kubeadm/#version-skew-policy).
+For more information on version skews, see:
+
+* Kubernetes [version and version-skew policy](/docs/setup/version-skew-policy/)
+* Kubeadm-specific [version skew policy](/docs/setup/independent/create-cluster-kubeadm/#version-skew-policy)
 
 {{< tabs name="k8s_install" >}}
 {{% tab name="Ubuntu, Debian or HypriotOS" %}}
diff --git a/content/en/docs/setup/version-skew-policy.md b/content/en/docs/setup/version-skew-policy.md
@@ -0,0 +1,112 @@
+---
+reviewers:
+- sig-api-machinery
+- sig-architecture
+- sig-cli
+- sig-cluster-lifecycle
+- sig-node
+- sig-release
+title: Kubernetes Version and Version Skew Support Policy
+content_template: templates/concept
+weight: 70
+---
+
+{{% capture overview %}}
+This document describes the maximum version skew supported between various Kubernetes components.
+Specific cluster deployment tools may place additional restrictions on version skew.
+{{% /capture %}}
+
+{{% capture body %}}
+
+## Supported versions
+
+The Kubernetes project maintains release branches for the most recent three minor releases,
+and expects users to be running those versions in production.
+
+Applicable bug and security fixes may be backported to those three release branches, depending on severity and feasibility.
+Patch releases are cut from those branches at a regular cadence,
+or on an as-needed basis as determined by the [patch release manager](https://github.com/kubernetes/sig-release/blob/master/release-team/role-handbooks/patch-release-manager/README.md#release-timing).
+
+With minor releases happening approximately every three months,
+that means each minor release is maintained for approximately nine months.
+
+## Supported version skew
+
+### `kube-apiserver`
+
+In HA deployments, the newest and oldest `kube-apiserver` must be within one minor version.
+
+Example:
+
+* newest `kube-apiserver` is at `1.x`
+* other `kube-apiserver` components are supported at `1.x` and `1.x-1`
+
+### `kubelet`
+
+`kubelet` must not be newer than `kube-apiserver`, and may be up to two minor versions older.
+
+Example:
+
+* `kube-apiserver` is at `1.x`
+* `kubelet` is supported at `1.x`, `1.x-1`, and `1.x-2`
+
+Note that if `kube-apiserver` skew exists in a highly available (HA) control plane, this narrows the allowed `kubelet` versions.
+
+Example:
+
+* `kube-apiserver` components are at `1.x` and `1.x-1`
+* `kubelet` is supported at `1.x-1`, and `1.x-2` (`1.x` is not supported because that would be newer than the `kube-apiserver` at version `1.x-1`)
+
+### `kube-controller-manager` and `kube-scheduler`
+
+`kube-controller-manager` and `kube-scheduler` must not be newer than `kube-apiserver`. They are expected to match the `kube-apiserver` minor version, but may be one minor version older during upgrades.
+
+Example:
+
+* `kube-apiserver` is at `1.x`
+* `kube-controller-manager` and `kube-scheduler` are supported at `1.x` and `1.x-1`
+
+Note that if `kube-apiserver` skew exists in an HA control plane, this narrows the allowed `kube-controller-manager` versions.
+
+Example:
+
+* `kube-apiserver` components are at `1.x` and `1.x-1`
+* `kube-controller-manager` and `kube-scheduler` are supported at `1.x-1` (`1.x` is not supported because that would be newer than the `kube-apiserver` at version `1.x-1`)
+
+### `kubectl`
+
+`kubectl` is supported within one minor version (older or newer) of `kube-apiserver`.
+
+Example:
+
+* `kube-apiserver` is at `1.x`
+* `kubectl` is supported at `1.x+1`, `1.x`, and `1.x-1`
+
+Note that if `kube-apiserver` skew exists in an HA control plane, this narrows the supported `kubectl` versions.
+
+Example:
+
+* `kube-apiserver` components are at `1.x` and `1.x-1`
+* `kubectl` is supported at `1.x` and `1.x-1` (other versions would be more than one minor version skewed from one of the `kube-apiserver` components)
+
+## Supported component upgrade order
+
+The supported version skew between components has implications on the order in which components must be upgraded.
+This section describes the order in which components must be upgraded to transition an existing cluster from version `1.x` to version `1.x+1`.
+
+### Pre-requisites
+
+1. `kube-apiserver` components are at `1.x` (in an HA cluster, all `kube-apiserver` components are at the same version)
+2. `kube-controller-manager` and `kube-scheduler` are at version `1.x` (this ensures they are not newer than the existing API server, and are within 1 minor version of the new API server)
+3. `kubelet` components on all nodes are at version `1.x` or `1.x-1` (this ensures they are not newer than the existing API server, and are within 2 minor versions of the new API server)
+4. registered admission webhooks are capable of understanding all the versions of REST resources they are registered for (including any new versions available in `1.x+1`)
+
+### Upgrade order
+
+1. `kube-apiserver`
+  * Upgrade `kube-apiserver` to `1.x+1`
+  * In HA deployments, all API servers should be upgraded before upgrading other control plane components
+2. `kube-controller-manager` and `kube-scheduler`
+  * Upgrade `kube-controller-manager` and `kube-scheduler` to `1.x+1`
+3. `kubelet`
+  * Optionally upgrade `kubelet` components to `1.x+1` (or they can be left at `1.x` or `1.x-1`)
diff --git a/data/setup.yml b/data/setup.yml
@@ -135,3 +135,5 @@ toc:
 
 - title: Building High-Availability Clusters
   path: /docs/admin/high-availability/building/
+
+- docs/setup/skew-policy.md
