Configurable machine replacement

[Meecr0b]

What would you like to be added (User Story)?

As a operator i would like to be able to configure a time after machines are getting replaced automatically for testing and security reasons.

Detailed Description

Problem Statement:

Regularly replacing machines help in testing application behavior during rolling updates and ensures machines are refreshed periodically, especially important after security incidents.

Proposed Solution:

Implement rolloutBefore.machineExpiry{Minutes,Hours,Days} parameter within the Cluster API (like rolloutBefore.certificatesExpiryDays implemented for KCP), allowing users to specify the maximum time a machine should exist before being automatically replaced.

Benefits:

• Testing Rolling Updates: Simplifies the process of regularly testing how applications behave during rolling updates.
• Security and Compliance: Ensures machines are periodically replaced, reducing the risk of lingering vulnerabilities and ensuring machines are clean post-security incidents.
• Operational Efficiency: Automates a routine maintenance task, reducing manual workload and the potential for human error.

Impact:

• This feature would be highly valuable for IT operations teams managing Kubernetes clusters, particularly those with strict compliance and security requirements.
• It enhances cluster maintenance workflows, contributing to overall system reliability and security.

Anything else you would like to add?

Current workarounds:

• setting spec.rolloutAfter periodically via CronJob for MachineDeployment
• running clusterctl alpha rollout restart machinedeployment/my-md-0 periodically

Label(s) to be applied

/kind feature
One or more /area label. See https://github.com/kubernetes-sigs/cluster-api/labels?q=area for the list of labels.

[sbueringer]

/triage accepted

/cc @fabriziopandini @chrischdi

[fabriziopandini]

q: is this about replacing nodes (the node at Kubernetes level) or the entire machine where the node is hosted?

[Meecr0b]

Hi @fabriziopandini it's about machines, i'll update the issue.

[fabriziopandini]

ACK, thanks for the clarification
We need to think a bit about API modeling, but this is a nice feature to have
/help

[k8s-ci-robot]

@fabriziopandini:
This request has been marked as needing help from a contributor.

Guidelines

Please ensure that the issue body includes answers to the following questions:

• Why are we solving this issue?
• To address this issue, are there any code changes? If there are code changes, what needs to be done in the code and what places can the assignee treat as reference points?
• Does this issue have zero to low barrier of entry?
• How can the assignee reach out to you for help?

For more details on the requirements of such an issue, please see here and ensure that they are met.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-help command.

In response to this:

ACK, thanks for the clarification
We need to think a bit about API modeling, but this is a nice feature to have
/help

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.