Add support for newer Docker versions #7860

Merged: 3 commits, Nov 17, 2019

@hakman hakman commented Oct 31, 2019

What type of PR is this?
/kind feature

What this PR does / why we need it:
Updates supported Docker versions to latest stable. Previous versions for Docker CE are EOL.

Which issue(s) this PR fixes:
Fixes #7463
Fixes #7853

Special notes for your reviewer:
At the moment the default Docker version in Kops is 18.06.3, quite old and EOL. Docker version 18.09 has been officially validated since k8s 1.14, but it's also EOL at the moment.

Docker 19.03 has been stable for some time and has been validated for k8s 1.14+ since June, just not documented. kubernetes/kubernetes#82326 (comment)
Test infrastructure has been moved to Docker 19.03 also. kubernetes/test-infra#14784
Website should be getting updated instructions for installing Docker soon. kubernetes/website#17405

IMHO, adding support for Docker 19.03 and 18.09 should be useful from a stability and security point of view.

Hash check passed for all packages:

$ VERIFY_HASHES=1 go test ./nodeup/pkg/model
ok  	k8s.io/kops/nodeup/pkg/model	191.029s

I tested the changes with Debian Stretch and Buster, Ubuntu Bionic, RHEL 7 and 8.
The only issue I noticed was the iptables-legacy setup that will be addressed by #7379.

$ kubectl get nodes -o wide

NAME                     STATUS   ROLES    AGE   VERSION    INTERNAL-IP   EXTERNAL-IP   OS-IMAGE                                      KERNEL-VERSION                  CONTAINER-RUNTIME
ip-10-2-1-85.internal    Ready    node     46m   v1.11.10   10.2.1.85     <none>        Debian GNU/Linux 9 (stretch)                  4.9.0-11-amd64                  docker://19.3.4
ip-10-2-1-104.internal   Ready    node     56m   v1.11.10   10.2.1.104    <none>        Debian GNU/Linux 10 (buster)                  4.19.0-6-amd64                  docker://19.3.4
ip-10-2-1-122.internal   Ready    node     10m   v1.11.10   10.2.1.122    <none>        Ubuntu 18.04.3 LTS                            4.15.0-1051-aws                 docker://19.3.4
ip-10-2-1-15.internal    Ready    node     12h   v1.11.10   10.2.1.15     <none>        Red Hat Enterprise Linux Server 7.7 (Maipo)   3.10.0-1062.1.2.el7.x86_64      docker://19.3.4
ip-10-2-1-79.internal    Ready    node     1m    v1.11.10   10.2.1.79     <none>        Red Hat Enterprise Linux 8.0 (Ootpa)          4.18.0-80.4.2.el8_0.x86_64      docker://19.3.4

Does this PR introduce a user-facing change?:

Default Docker version will change to 18.09.9 for k8s >= 1.14 and 19.03.4 for k8s >= 1.17.
Users will be able to manually select version 19.03.4.

spec:
  docker:
    version: 19.03.4

@k8s-ci-robot

Hi @hakman. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Oct 31, 2019

hakman commented Oct 31, 2019

/assign @justinsb

@k8s-ci-robot

@hakman: Re-titling can only be requested by trusted users, like repository collaborators.

In response to this:

/retitle Add support for newer Docker versions

@hakman hakman changed the title Add support for Docker 19.03.4 Add support for newer Docker versions Nov 4, 2019
@k8s-ci-robot k8s-ci-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Nov 4, 2019

hakman commented Nov 4, 2019

/cc @mikesplain

@zetaab zetaab left a comment

Seems ok for me.

/lgtm
/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. lgtm "Looks good to me", indicates that a PR is ready to be merged. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Nov 4, 2019
if sv.Major == 1 && sv.Minor >= 12 {
if sv.Major == 1 && sv.Minor >= 17 {
dockerVersion = "19.03.4"
} else if sv.Major == 1 && sv.Minor >= 14 {
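
Review bot: the `sv.Minor >= 17` test has to stay ahead of the `else if sv.Major == 1 && sv.Minor >= 14` branch, because every 1.17+ version also satisfies `>= 14`, and nothing in these lines makes that ordering explicit. A short comment stating that the branches run from newest to oldest, plus a unit test pinning the expected `dockerVersion` on each side of the 1.14 and 1.17 boundaries, would keep a later threshold bump from silently changing the default runtime that nodes install.
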
Member

While this might be a good idea, we do have a policy of not changing the defaults on existing clusters, and we have shipped kops 1.14. Would you mind making this >= 15, therefore?

(And we'll have to cherry-pick back to 1.15...)

Otherwise I cross checked and the versions look good, k8s 1.15 supports 18.09, k8s 1.17 adds support for 19.03 - thank you!

Member Author

I still haven't figured out the support policy for Docker, but I have nothing against bumping to >= 15.

From a security point of view, it is hard to tell if there are any issues with 18.06.3. Not being an EE release, it has been unmaintained since Feb. I didn't see anything that caught my eye in the Docker release notes, but containerd seems to have many "notable updates" including CVE fixes since then.

Member Author

One idea would be to cherry-pick only the package definitions to released versions. This way, any user can upgrade Docker at their own risk.


justinsb commented Nov 7, 2019

Thank you so much for doing this @hakman - this is great, except that we really shouldn't change the behaviour for k8s/kops 1.14 (now that we've released kops 1.14.0). If there's a really important security issue we can consider it, but I'm not aware of one, so I just proposed changing >= 1.15 instead?

@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 8, 2019
@hakman hakman closed this Nov 8, 2019

hakman commented Nov 8, 2019

/test pull-kops-bazel-test

@hakman hakman reopened this Nov 8, 2019

hakman commented Nov 8, 2019

/test pull-kops-e2e-kubernetes-aws


hakman commented Nov 8, 2019

Thank you @justinsb. I appreciate you taking the time to review this and considering it for the 1.15 release.
I updated the changes to apply only to >= 1.15. Please let me know if I need to do anything for the cherry-pick back to 1.15, still new here.


hakman commented Nov 8, 2019

/test pull-kops-e2e-kubernetes-aws


hakman commented Nov 8, 2019

@justinsb minimum version to apply defaults changed to 1.16 as discussed during Office Hours. Thanks again!

@mikesplain

Thanks @hakman! This looks great and thank you for adjusting things for 1.16. Since that looks like the only issue, let's get this in.

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 17, 2019
@k8s-ci-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hakman, mikesplain

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 17, 2019
@mikesplain

I also confirmed that these are the validated docker versions from release docs. Thanks! 👍

@k8s-ci-robot k8s-ci-robot merged commit baa5ae3 into kubernetes:master Nov 17, 2019
@hakman hakman deleted the docker-19.03.4 branch November 18, 2019 08:55

hakman commented Nov 18, 2019

Thanks @mikesplain @justinsb.
Should this still be cherry-picked to 1.15?

@jhohertz

Not sure this is working, set the version per the above w/ 1.15.0 final, and still end up with 18.06-ce.


hakman commented Nov 21, 2019

@jhohertz I already have a cluster upgraded with Docker 19.03.4. No clues in kops output during the upgrade?

@jhohertz

I'd forgotten that the docker version management is a no-op for CoreOS @hakman, sorry for any confusion.


hakman commented Nov 21, 2019

No problem @jhohertz. I see Flatcar has some 19.03.4 in their Edge channel. I guess it will take a bit longer to get to their stable release.

Successfully merging this pull request may close these issues.

Add support for Docker 19.03.4 Docker 18.09.3 for Centos