{"id":37123550,"url":"https://github.com/keikoproj/upgrade-manager","last_synced_at":"2026-01-14T14:15:56.710Z","repository":{"id":37397043,"uuid":"201178435","full_name":"keikoproj/upgrade-manager","owner":"keikoproj","description":"Reliable, extensible rolling-upgrades of Autoscaling groups in Kubernetes","archived":false,"fork":false,"pushed_at":"2025-08-15T01:16:37.000Z","size":23266,"stargazers_count":141,"open_issues_count":47,"forks_count":46,"subscribers_count":14,"default_branch":"master","last_synced_at":"2025-08-15T02:15:53.440Z","etag":null,"topics":["autoscaling-groups","aws","kubernetes","kubernetes-controller","kubernetes-tools","rolling-upgrades"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/keikoproj.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":".github/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":".github/CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2019-08-08T04:31:40.000Z","updated_at":"2025-08-15T00:08:25.000Z","dependencies_parsed_at":"2023-09-30T17:32:27.684Z","dependency_job_id":"cafd9003-ddfb-4b4e-929d-f168a719979c","html_url":"https://github.com/keikoproj/upgrade-manager","commit_stats":null,"previous_names":[],"tags_count":31,"template":false,"template_full_name":null,"purl":"pkg:github/keikoproj/upgrade-manager","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/keikoproj%2Fupgrade-manager","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/keikoproj%2Fupgrade-manager/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/keikoproj%2Fupgrade-manager/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/keikoproj%2Fupgrade-manager/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/keikoproj","download_url":"https://codeload.github.com/keikoproj/upgrade-manager/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/keikoproj%2Fupgrade-manager/sbom","scorecard":{"id":64143,"data":{"date":"2025-08-04","repo":{"name":"github.com/keikoproj/upgrade-manager","commit":"d82a7a469c96acff887996740a615498dbf66034"},"scorecard":{"version":"v5.2.1-28-gc1d103a9","commit":"c1d103a9bb9f635ec7260bf9aa0699466fa4be0e"},"score":4.2,"checks":[{"name":"Code-Review","score":3,"reason":"Found 1/3 approved changesets -- score normalized to 3","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/c1d103a9bb9f635ec7260bf9aa0699466fa4be0e/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/c1d103a9bb9f635ec7260bf9aa0699466fa4be0e/docs/checks.md#dangerous-workflow"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/c1d103a9bb9f635ec7260bf9aa0699466fa4be0e/docs/checks.md#binary-artifacts"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/c1d103a9bb9f635ec7260bf9aa0699466fa4be0e/docs/checks.md#maintained"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/bdd.yaml:1","Warn: no topLevel permission defined: .github/workflows/ci.yaml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/c1d103a9bb9f635ec7260bf9aa0699466fa4be0e/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/c1d103a9bb9f635ec7260bf9aa0699466fa4be0e/docs/checks.md#cii-best-practices"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/c1d103a9bb9f635ec7260bf9aa0699466fa4be0e/docs/checks.md#fuzzing"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/c1d103a9bb9f635ec7260bf9aa0699466fa4be0e/docs/checks.md#security-policy"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/bdd.yaml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/keikoproj/upgrade-manager/bdd.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/bdd.yaml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/keikoproj/upgrade-manager/bdd.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/keikoproj/upgrade-manager/ci.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/keikoproj/upgrade-manager/ci.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yaml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/keikoproj/upgrade-manager/ci.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yaml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/keikoproj/upgrade-manager/ci.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yaml:58: update your workflow using https://app.stepsecurity.io/secureworkflow/keikoproj/upgrade-manager/ci.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yaml:65: update your workflow using https://app.stepsecurity.io/secureworkflow/keikoproj/upgrade-manager/ci.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yaml:71: update your workflow using https://app.stepsecurity.io/secureworkflow/keikoproj/upgrade-manager/ci.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yaml:78: update your workflow using https://app.stepsecurity.io/secureworkflow/keikoproj/upgrade-manager/ci.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yaml:88: update your workflow using https://app.stepsecurity.io/secureworkflow/keikoproj/upgrade-manager/ci.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yaml:98: update your workflow using https://app.stepsecurity.io/secureworkflow/keikoproj/upgrade-manager/ci.yaml/master?enable=pin","Warn: containerImage not pinned by hash: Dockerfile:2","Warn: containerImage not pinned by hash: Dockerfile:22","Warn: containerImage not pinned by hash: Dockerfile:26: pin your Docker image by updating gcr.io/distroless/static:nonroot to gcr.io/distroless/static:nonroot@sha256:cdf4daaf154e3e27cfffc799c16f343a384228f38646928a1513d925f473cb46","Info:   0 out of   3 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   9 third-party GitHubAction dependencies pinned","Info:   0 out of   3 containerImage dependencies pinned","Info:   1 out of   1 goCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/c1d103a9bb9f635ec7260bf9aa0699466fa4be0e/docs/checks.md#pinned-dependencies"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/c1d103a9bb9f635ec7260bf9aa0699466fa4be0e/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/c1d103a9bb9f635ec7260bf9aa0699466fa4be0e/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/c1d103a9bb9f635ec7260bf9aa0699466fa4be0e/docs/checks.md#branch-protection"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/ci.yaml:15"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/c1d103a9bb9f635ec7260bf9aa0699466fa4be0e/docs/checks.md#packaging"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/c1d103a9bb9f635ec7260bf9aa0699466fa4be0e/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":7,"reason":"3 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2022-0635","Warn: Project is vulnerable to: GO-2022-0646","Warn: Project is vulnerable to: GO-2025-3488 / GHSA-6v2p-p543-phr9"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/c1d103a9bb9f635ec7260bf9aa0699466fa4be0e/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-15T02:16:06.267Z","repository_id":37397043,"created_at":"2025-08-15T02:16:06.267Z","updated_at":"2025-08-15T02:16:06.267Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28422453,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T13:30:50.153Z","status":"ssl_error","status_checked_at":"2026-01-14T13:29:08.907Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["autoscaling-groups","aws","kubernetes","kubernetes-controller","kubernetes-tools","rolling-upgrades"],"created_at":"2026-01-14T14:15:56.035Z","updated_at":"2026-01-14T14:15:56.673Z","avatar_url":"https://github.com/keikoproj.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# RollingUpgrade\n\n![Build Status](https://github.com/keikoproj/upgrade-manager/workflows/Build-Test/badge.svg) ![Build Status](https://github.com/keikoproj/upgrade-manager/workflows/BDD/badge.svg) [![codecov](https://codecov.io/gh/keikoproj/upgrade-manager/branch/master/graph/badge.svg)](https://codecov.io/gh/keikoproj/upgrade-manager)\n\n\u003e Reliable, extensible rolling-upgrades of Autoscaling groups in Kubernetes\n\nRollingUpgrade provides a Kubernetes native mechanism for doing rolling-updates of instances in an AutoScaling group using a CRD and a controller.\n\n## What does it do?\n\n- RollingUpgrade is highly inspired by the way kops does rolling-updates.\n\n- It provides similar options for the rolling-updates as kops and more.\n\n- The RollingUpgrade Kubernetes custom resource has the following options in the spec:\n  - `asgName`: Name of the autoscaling group to perform the rolling-update.\n  - `preDrain.script`: The script to run before draining a node.\n  - `postDrain.script`: The script to run after draining a node. This allows for performing actions such as quiescing network traffic, adding labels, etc.\n  - `postDrain.waitSeconds`: The seconds to wait after a node is drained.\n  - `postDrain.postWaitScript`: The script to run after the node is drained and the waitSeconds have passed. This can be used for ensuring that the drained pods actually were able to start elsewhere.\n  - `nodeIntervalSeconds`: The amount of time in seconds to wait after each node in the ASG is terminated.\n  - `postTerminate.script`: Optional bash script to execute after the node has terminated.\n  - `strategy.mode`: This field is optional and allows for two possible modes\n    - `lazy` - this is the default mode, upgrade will terminate an instance first.\n    - `eager` - upgrade will launch an instance prior to terminating.\n  - `strategy.type`: This field is optional and currently two strategies are supported\n    - `randomUpdate` - Default is type is not specified. Picks nodes randomly for updating. Refer to [random_update_strategy.yaml](examples/random_update_strategy.yaml) for sample custom resource definition.\n    - `uniformAcrossAzUpdate` - Picks same number of nodes or same percentage of nodes from each AZ for update. Refer to [uniform_across_az_update_strategy.yaml](examples/uniform_across_az_update_strategy.yaml) for sample custom resource definition.\n  - `strategy.maxUnavailable`: Optional field. The number of nodes that can be unavailable during rolling upgrade, can be specified as number of nodes or the percent of total number of nodes. Default is \"1\".\n  - `strategy.drainTimeout`: Optional field. Node will be terminated after drain timeout even if `kubectl drain` has not been completed and value has to be specified in seconds. Default is -1.\n  - `ignoreDrainFailures` : Optional field. Default value is false. If this field is set to true, drain failures will be ignored and the instances will proceed to termination.\n\n- After performing the rolling-update of the nodes in the ASG, RollingUpgrade puts the following data in the \"Status\" field.\n  - `currentStatus`: Whether the rolling-update completed or errored out.\n  - `startTime`: The RFC3339 timestamp when the rolling-update began. E.g. 2019-01-15T23:51:10Z\n  - `endTime`: The RFC3339 timestamp when the rolling-update completed. E.g. 2019-01-15T00:35:10Z\n  - `nodesProcessed`: The number of ec2 instances that were processed.\n  - `conditions`: Conditions describing the lifecycle of the rolling-update.\n\n## Design\n\nFor each RollingUpgrade custom resource that is submitted, the following flowchart shows the sequence of actions taken to perform the rolling-update. [part-1](docs/reconcile.png), [part-2](docs/replaceNodeBatch.png)\n\n## Dependencies\n\n- Kubernetes cluster on AWS with nodes in AutoscalingGroups. rolling-upgrades have been tested with Kubernetes clusters v1.12+.\n- An IAM role with at least the policy specified below. The upgrade-manager should be run with that IAM role.\n\n## Installing\n\n### Complete step by step guide to create a cluster and run rolling-upgrades\n\nFor a complete, step by step guide for creating a cluster with kops, editing it and then running rolling-upgrades, please see [this](docs/step-by-step-example.md)\n\n### Existing cluster in AWS\n\nIf you already have an existing cluster created using kops, follow the instructions below.\n\n- Ensure that you have a Kubernetes cluster on AWS.\n- Install the CRD using: `kubectl apply -f https://raw.githubusercontent.com/keikoproj/upgrade-manager/master/config/crd/bases/upgrademgr.keikoproj.io_rollingupgrades.yaml`\n- Install the controller using:\n`kubectl create -f https://raw.githubusercontent.com/keikoproj/upgrade-manager/master/deploy/rolling-upgrade-controller-deploy.yaml`\n\n- Note that the rolling-upgrade controller requires an IAM role with the following policy\n\n``` json\n{\n    \"Effect\": \"Allow\",\n    \"Action\": [\n        \"ec2:CreateTags\",\n        \"ec2:DescribeInstances\",\n        \"autoscaling:EnterStandby\",\n        \"autoscaling:DescribeAutoScalingGroups\",\n        \"autoscaling:TerminateInstanceInAutoScalingGroup\"\n    ],\n    \"Resource\": [\n        \"*\"\n    ]\n}\n```\n\n- If the rolling-upgrade controller is directly using the IAM role of the node it runs on, the above policy will have to be added to the IAM role of the node.\n- If the rolling-upgrade controller is using it's own role created using KIAM, that role should have the above policy in it.\n\n## For more details and FAQs, refer to [this](docs/faq.md)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkeikoproj%2Fupgrade-manager","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkeikoproj%2Fupgrade-manager","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkeikoproj%2Fupgrade-manager/lists"}