Migrate from `PodSecurityPolicy` to Pod Security Admission
snay2 opened this issue · 6 comments
Describe the bug
When running the end-to-end tests on Kubernetes server version 1.23, I get the following warning:
policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
Steps to reproduce
Run the following command on your local machine from the root of the repo:
test/k8s-local-cluster-test/run-test -v 1.23 -d
Then wait for it to build the image and start the cluster. After the first test starts running (e.g., "Running assertion script asg-lifecycle-sqs-test"), you'll see the warning above.
Expected outcome
We need to add support for Pod Security Admission before we can support Kubernetes server 1.25 (expected release date August 2022). However, if we wish to maintain support for the most recent 6 Kubernetes versions (which would include 1.20 and 1.21 at that time), we will need to keep the existing PodSecurityPolicy specs or use a third-party solution, because support for built-in Pod Security Admission began in 1.22.
The migration guide is here: https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/
PodSecurityPolicy is used in several places throughout the repository: https://github.com/aws/aws-node-termination-handler/search?q=PodSecurityPolicy
Application Logs
See above.
Environment
- NTH App Version: 1.16.3
- NTH Mode (IMDS/Queue processor): N/A
- OS/Arch: MacOS 12.3.1
- Kubernetes version: 1.23
- Installation method: Source code
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If you want this issue to never become stale, please ask a maintainer to apply the "stalebot-ignore" label.
Kubernetes v1.25 was released 3 weeks ago on 2022-08-23: https://kubernetes.io/releases/#release-v1-25
Included in the v1.19.0 release of AWS Node Termination Handler, Helm chart v0.21.0
Was the intention only to fix this in the Helm chart? Because the all-resources.yaml and all-resources-queue-processor.yaml for the v1.19.0 release here:
https://github.com/aws/aws-node-termination-handler/releases/tag/v1.19.0
still have those values. I see the conditional here in the Helm templates:
Given the number of historical versions that already support the pod security admissions as mentioned by @snay2
support for built-in Pod Security Admission began in 1.22.
and the short lifecycle of Kubernetes versions, is the intention for these yaml file assets to be leading or lagging these cycles?
Any guidance on what considerations I should be making regarding these release artifacts in my own cluster management would be greatly appreciated.