Disable psp by default #2944
Comments
👍 @cdenneen would you like to open a PR for this? |
@cdenneen this is only there for backwards compatibility. If your cluster doesn't have the necessary APIs for PSP, it will not be enabled. https://github.com/open-policy-agent/gatekeeper/blob/master/charts/gatekeeper/templates/gatekeeper-admin-podsecuritypolicy.yaml#L1C40-L1C40 |
@sozercan while this might be how it should work, I can confirm the HelmRelease fails due to this. |
@cdenneen I am not familiar with Helm releases (assuming this is the Terraform provider?). Can you paste your error? |
@sozercan Here is the error I have when trying to put pspenabled: false

```text
Error: resource mapping not found for name: "gatekeeper-admin" namespace: "" from "": no matches for kind "PodSecurityPolicy" in version "policy/v1beta1"
ensure CRDs are installed first
```
|
@sozercan The issue is actually that the PSP wasn't removed before Kubernetes was updated to 1.25. Sadly, after the upgrade the resource is there but can't be removed or seen since the CRD is no longer there. I had this problem after upgrading EKS without disabling the PSP for Gatekeeper before I did the upgrade. |
@cdenneen thanks for sharing this! Do you happen to have any hints on a fix? |
I do not. I believe I uninstalled Gatekeeper (deleted the HelmRelease) and reconciled again. I've since replaced the cluster with a new one, so there are no issues on a new 1.26+ cluster. |
The issue appears to be due to Helm's diff-patch behavior. If a <1.25 cluster has a Helm release that contains the deprecated PSP resource, then when the cluster is upgraded in place to 1.25+, where the PSP API is removed, Helm tries to get the PSP resource from the existing release. That get now fails, and the release is left in a failed state. The mitigation is to remove the deprecated resource from the release if your cluster gets into this state so that the Helm get/reconciliation succeeds. You can use this Helm plugin to remove deprecated resources from an existing Helm release: https://github.com/helm/helm-mapkubeapis |
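The failure mode above (a release whose stored manifest still names an apiVersion/kind the upgraded cluster no longer serves) can be caught before the cluster upgrade, and the cleanup the plugin performs can be reasoned about offline. The following is an added example, not code from Gatekeeper or from helm-mapkubeapis: it operates on the rendered manifest text Helm keeps with each release (what `helm get manifest <release> -n <namespace>` prints), reports objects a given Kubernetes version cannot serve, and returns the manifest with those objects dropped, which is the same effect the plugin has on the stored release. The `REMOVED_APIS` table is an assumption limited to the PSP entry this issue is about (the real plugin ships a fuller map), and `SAMPLE_MANIFEST` is constructed for the example rather than taken from the chart.

```python
"""Preflight check and cleanup for a Helm release that still carries a
PodSecurityPolicy after the cluster moved to Kubernetes 1.25+.

Added example, not Gatekeeper or helm-mapkubeapis code. It works on the
rendered manifest text Helm stores with a release: split the multi-document
YAML, report objects whose apiVersion/kind the target Kubernetes version no
longer serves, and return a manifest with those objects dropped.
"""
import re

# (apiVersion, kind) -> first Kubernetes minor release that no longer serves it.
# Assumption: only the PSP entry this thread is about is listed here.
REMOVED_APIS = {
    ("policy/v1beta1", "PodSecurityPolicy"): (1, 25),
}

# Constructed sample of what a release manifest could contain when psp.enabled
# was left true on a pre-1.25 cluster. Not the chart's real rendered output.
SAMPLE_MANIFEST = """\
---
# Source: gatekeeper/templates/gatekeeper-admin-podsecuritypolicy.yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: gatekeeper-admin
  labels:
    app: gatekeeper
spec:
  privileged: false
---
# Source: gatekeeper/templates/gatekeeper-admin-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gatekeeper-admin
  namespace: gatekeeper-system
"""


def parse_version(version):
    """'v1.25.3' or '1.25' -> (1, 25); the patch level is irrelevant here."""
    m = re.match(r"v?(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Kubernetes version: {version!r}")
    return int(m.group(1)), int(m.group(2))


def split_documents(manifest):
    """Split a multi-document manifest on '---', dropping empty/comment-only docs."""
    docs = []
    for doc in re.split(r"^---[ \t]*$", manifest, flags=re.M):
        body = doc.strip()
        if body and not all(ln.lstrip().startswith("#") for ln in body.splitlines()):
            docs.append(doc.strip("\n"))
    return docs


def _top_level(doc, key):
    """Value of a top-level scalar key such as apiVersion or kind."""
    m = re.search(rf"^{key}:[ \t]*(\S+)", doc, re.M)
    return m.group(1).strip("\"'") if m else None


def _name(doc):
    """metadata.name of the object, or None if it cannot be found."""
    block = re.search(r"^metadata:[ \t]*\n((?:[ \t]+.*\n?)+)", doc, re.M)
    if not block:
        return None
    m = re.search(r"^[ \t]+name:[ \t]*(\S+)", block.group(1), re.M)
    return m.group(1).strip("\"'") if m else None


def _is_removed(doc, cluster_version):
    key = (_top_level(doc, "apiVersion"), _top_level(doc, "kind"))
    removed_in = REMOVED_APIS.get(key)
    return removed_in is not None and cluster_version >= removed_in


def find_removed(manifest, cluster_version):
    """Objects in the release that a cluster at cluster_version cannot serve.

    Run this on `helm get manifest` output before an in-place upgrade: a
    non-empty result means Helm will no longer be able to fetch that object
    afterwards and the release will be left failed, as sozercan describes.
    """
    cv = parse_version(cluster_version)
    return [
        (_top_level(d, "apiVersion"), _top_level(d, "kind"), _name(d))
        for d in split_documents(manifest)
        if _is_removed(d, cv)
    ]


def strip_removed(manifest, cluster_version):
    """Return the manifest with unservable objects dropped."""
    cv = parse_version(cluster_version)
    kept = [d for d in split_documents(manifest) if not _is_removed(d, cv)]
    return "---\n" + "\n---\n".join(kept) + "\n"


if __name__ == "__main__":
    for version in ("v1.24.10", "v1.25.3"):
        hits = find_removed(SAMPLE_MANIFEST, version)
        print(f"Kubernetes {version}: {hits or 'nothing to remove'}")
    print(strip_removed(SAMPLE_MANIFEST, "v1.25.3"))
```

On a real cluster the equivalent preflight is `helm get manifest <release> -n <namespace> | grep -n PodSecurityPolicy` before the control-plane upgrade; if the release is already stuck, `helm plugin install https://github.com/helm/helm-mapkubeapis` followed by `helm mapkubeapis <release> -n <namespace>` (the plugin supports `--dry-run` to preview) rewrites the stored release so the next `helm upgrade` or Flux reconciliation stops asking the API server for policy/v1beta1 PodSecurityPolicy. Note that PodSecurityPolicy was a built-in API rather than a CRD, which is why nothing can be installed to bring it back on 1.25+.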
Let's make a decision when to remove PSP. @sozercan @maxsmythe |
Do we want to just flip enabled to false, so users on older versions can manually re-enable it if they desire? |
sgtm. I will open a PR |
PSPs are no longer supported in Kubernetes, so I recommend making the chart's default value false:
https://github.com/open-policy-agent/gatekeeper/blob/master/charts/gatekeeper/values.yaml#L264C16-L264C16