🟢 :k8s: O2 - community ownership of the Kubernetes Conformance Bot

[hh]

ii folks the only people maintaining the k8s-conformance-bot, this needs to change. It will require buy in from #sig-k8s-infra

Key Results:

• KR1 - k8s-conformance-bot is donated to #sig-k8s-infra
• KR2 - the workflow happens completely within the k8s community repositories
• KR3 - the AWS Resources are moved from CNCF to Kubernetes community account

Remaining Steps:

• 1. move repo for verify-conformance to kubernetes-sigs org
• 2. rename GitHub to Kubernetes Conformance, change profile picture and name
• 3. move GitHub app to kubernetes-sigs
• 4. add image build for verify-conformance in test-infra: Add building of verify conformance image kubernetes/test-infra#31804 (maybe?)

In order to have community ownership of the Kubernetes Conformance Verification Bot
As a #sig-k8s-infra maintainer
I want the k8s-conformance-bot to be fully accessible and maintainable by the community

As a vendor
I want have easy to understand feedback if my submission is incorrect

As Taylor Wagoner
I want to easy interactions with the cncf/k8s-conformance submissions

Given a request to change the k8s-conformance-bot code
When I create a PR to change the logic
Then the workflow happens completely within the k8s community repositories and AWS accounts

[BobyMCbobs]

k8s-conformance-bot is donated to #sig-k8s-infra

Do you possibly mean sig-arch?

[BobyMCbobs]

kubernetes/org#4706

[hh]

@BobyMCbobs can you write up documentation for all the accounts and services required for the Conformance Bot
#sig-arch will need a way to provide self-management of those accounts and resources (and how they are deployed and managed)

[BobyMCbobs]

@hh, I'm not sure what those accounts or services would be other than GitHub and the GitHub app used for installing on a repo. Those aren't required since the kubernetes-sigs org has it's own Prow instance which should be nearly ready to go.

Thinking right now, the most we might need to coordinate is

• with Taylor or Jorge on the k8s-conformance repo having prow.k8s.io installed onto it
• ensuring the verify-conformance app gets deployed

[hh]

Probably need to migrate from prow.cncf.io to prow.k8s.io Do you have the deployment configuration?

…

On Sun, 28 Jan 2024 at 13:24, Caleb Woodbine ***@***.***> wrote: @hh <https://github.com/hh>, I'm not sure what those accounts or services would be other than GitHub and the GitHub app used for installing on a repo. Those aren't required since the kubernetes-sigs org has it's own Prow instance which should be nearly ready to go. Thinking right now, the most we might need to coordinate is - with Taylor or Jorge on the k8s-conformance repo having prow.k8s.io installed onto it - ensuring the verify-conformance app gets deployed — Reply to this email directly, view it on GitHub <#1 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAHUY22KU4HZNSEA3ZNDTTYQ2XYZAVCNFSM6AAAAAA25ZDYRKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMJTG4YTCOBWGM> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[BobyMCbobs]

Probably need to migrate from prow.cncf.io to prow.k8s.io
Do you have the deployment configuration?

@hh, it is currently configured here
https://github.com/cncf-infra/verify-conformance/tree/main/config
and shouldn't need to see much change

[hh]

Noting there is another project tracking this Objective:
https://github.com/orgs/ii/projects/11

[hh]

I think the other document I was looking for is here:
https://github.com/cncf-infra/verify-conformance/blob/main/docs/resources.md

[hh]

Let's prioritize the AWS Infrastructure migration first from CNCF AWS accounts to Kubernetes.

[BobyMCbobs]

There is no fast path on this, due to timezone coordination and verify-conformance app deployment.

Updated migration todos are in the top comment now.

Some notes

• it appears as though given RBAC config, write access may be granted for the specific resources (https://github.com/kubernetes/k8s.io/blob/main/running-in-community-clusters.md#create-a-google-group-for-each-namespace). Continuous integration is not apart of current infrastructure in AAA
• I estimate roughly two weeks to achieve migration
• unsure about webhook access. As Prow is managed separately, a HTTPS Ingress with a ManagedCertificated could be used for exposing

[BobyMCbobs]

Looking at which pieces will need to be teared down outta AWS and it looks like cncf-infra/prow-config//infra/aws and cncf-infra/aws-infra//terraform/iam are the two repos. These two repos in cncf-infra and several others will be likely candidates for repo archival.

[BobyMCbobs]

Looking at https://github.com/cncf-infra/aws-infra/blob/main/terraform/iam/providers.tf#L20-L55

IMPORTANT: the cncf-infra/aws-infra repo should not be entirely teared down. Only the following type of resources should be destroyed:

• verify-conformance related
• prow-config repo related

There's three providers for aws into the follow respective accounts

• registry-k8s-io: now under Kubernetes AWS OU -> k8s-infra-aws-admins+registry-k8s-io
• k8s-infra-accounts: now under Kubernetes AWS OU -> transitional OU -> k8s-infra-aws-admins+accounts
• apisnoop
  • I have access

Given the IAM role changes which had previously allowed access, I may now not have access to after the migration the two accounts: registry-k8s-io, k8s-infra-accounts. This meaning that others will need to delete some of the resources instead of me.

[BobyMCbobs]

As verify-conformance is now running in GitHub Actions, several PRs will now be closed due to change in requirements.
https://github.com/cncf/k8s-conformance/actions/workflows/verify-conformance.yml

[BobyMCbobs]

The branding for the conformance bot has been updated to reflect the conformance program and imminent Kubernetes ownership with:

• name: Kubernetes Conformance bot
• display image: certified Kubernetes

[BobyMCbobs]

verify-conformance has been turned off in the old EKS cluster, seen here: https://github.com/cncf-infra/prow-config/tree/master/infra/aws
The program is now running on a cron schedule in GitHub. The cluster will be removed in a few days to confirm stability.