GoogleContainerTools/kpt-config-sync

Cannot install CS on Kubernetes 1.25: `no matches for kind "PodSecurityPolicy" in version "policy/v1beta1"`

mathieu-benoit opened this issue · 7 comments

When installing CS:

```
kubectl apply -f https://github.com/GoogleContainerTools/kpt-config-sync/releases/download/v1.13.0/config-sync-manifest.yaml
```

on Kubernetes 1.25:

```
kind create cluster --image kindest/node:v1.25.2
```

We get this error:

```
error: resource mapping not found for name: "acm-psp" namespace: "" from "https://github.com/GoogleContainerTools/kpt-config-sync/releases/download/v1.13.0/config-sync-manifest.yaml": no matches for kind "PodSecurityPolicy" in version "policy/v1beta1"
```

And CS is not installed.

If I do that on Kubernetes 1.24, no issues, CS installed successfully.

When running this locally:

```
k apply -f https://github.com/GoogleContainerTools/kpt-config-sync/releases/download/v1.13.0/config-sync-manifest.yaml --dry-run=client
```

We could see this warning:

```
Warning: policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
```

JFYI: GKE recently got 1.25 in the rapid channel. Also, I just tested installing CS on GKE 1.25 via the `gcloud beta container fleet config-management apply` command, and I don't seem to have any issues.

This was added back in with #59

/cc @janetkuo

Gotcha, great to know, closing this issue accordingly. Do you know which version of CS will get that? 1.13.1 or 1.14?

The change I linked is what actually added the PSP to the OSS manifest, so I don't think we can close this yet. IIRC @janetkuo asked for the PSP to be included in the OSS manifest so I'll give her a chance to weigh in.

Oh ok, makes sense, I misunderstood what you meant in #167 (comment).

Root cause: PSP feature was deprecated in K8s, and removed in K8s 1.25.

We should still include the PSP configuration in Config Sync manifests for K8s versions before 1.25. ACM Operator handles that by dynamically determining whether to install PSP configuration based on K8s versions. @sdowell can we publish another Config Sync manifest that doesn't include PSP configuration for K8s 1.25+?
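The version-based decision described in the comment above, as an added example (not code from Config Sync or the ACM Operator): it drops `policy/v1beta1` PodSecurityPolicy documents from a multi-document manifest only when the target server is 1.25 or newer. The function names and the sample manifest are hypothetical, and the matching is line-based rather than a full YAML parse; the server version string is assumed to come from `kubectl version -o json` (`serverVersion.gitVersion`).

```python
import re
# Constructed sample: a three-document manifest. Only the name "acm-psp" comes
# from the error message in the issue; the other objects are made up.
SAMPLE_MANIFEST = """\
apiVersion: v1
kind: Namespace
metadata:
  name: example-system
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: acm-psp
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: example-sa
"""

def server_minor(git_version):
    """Parse (major, minor) from a gitVersion such as 'v1.25.2' or 'v1.25.3-gke.800'."""
    m = re.match(r"v?(\d+)\.(\d+)", git_version)
    if not m:
        raise ValueError(f"unrecognised version: {git_version!r}")
    return int(m.group(1)), int(m.group(2))

def psp_served(git_version):
    """policy/v1beta1 PodSecurityPolicy is unavailable in v1.25+ (per the kubectl warning)."""
    return server_minor(git_version) < (1, 25)

def is_psp(doc):
    """True if the document's top-level kind/apiVersion name the removed PSP API."""
    return bool(re.search(r"^kind:\s*PodSecurityPolicy\s*$", doc, re.M)
                and re.search(r"^apiVersion:\s*policy/v1beta1\s*$", doc, re.M))

def filter_manifest(manifest, git_version):
    """Return (manifest_text, dropped_names); PSP documents are dropped on 1.25+ only."""
    docs = [d for d in re.split(r"^---[ \t]*$\n?", manifest, flags=re.M) if d.strip()]
    if psp_served(git_version):
        return "---\n".join(docs), []
    kept, dropped = [], []
    for doc in docs:
        if is_psp(doc):
            # Simplification: the first two-space-indented "name:" is metadata.name.
            name = re.search(r"^  name:\s*(\S+)", doc, re.M)
            dropped.append(name.group(1) if name else "<unnamed>")
        else:
            kept.append(doc)
    return "---\n".join(kept), dropped
```

Reporting the dropped object names makes the omission visible to whoever applies the manifest, rather than silently shipping a cluster with no PSP.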

I confirm that deploying CS 1.13 on a Kind cluster now works:

```
kind create cluster --image kindest/node:v1.25.2
kubectl apply -f https://github.com/GoogleContainerTools/kpt-config-sync/releases/download/v1.13.0/config-sync-manifest.yaml
```

Thanks @sdowell!