
Migrate from PodSecurityPolicy to Pod Security Admission #638

Closed
snay2 opened this issue May 13, 2022 · 6 comments
Labels: Priority: Medium (This issue will be seen by about half of users); stalebot-ignore (To NOT let the stalebot update or close the Issue / PR)

Comments

@snay2
Contributor

snay2 commented May 13, 2022

Describe the bug
When running the end-to-end tests on Kubernetes server version 1.23, I get the following warning:

policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+

Steps to reproduce
Run the following command on your local machine from the root of the repo:

test/k8s-local-cluster-test/run-test -v 1.23 -d

Then wait for it to build the image and start the cluster. After the first test starts running (e.g., "Running assertion script asg-lifecycle-sqs-test"), you'll see the warning above.

Expected outcome
We need to add support for Pod Security Admission before we can support Kubernetes server 1.25 (expected release date August 2022). However, if we wish to maintain support for the most recent 6 Kubernetes versions (which would include 1.20 and 1.21 at that time), we will need to keep the existing PodSecurityPolicy specs or use a third-party solution, because support for built-in Pod Security Admission began in 1.22.

The migration guide is here: https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/

PodSecurityPolicy is used in several places throughout the repository: https://github.com/aws/aws-node-termination-handler/search?q=PodSecurityPolicy

Application Logs
See above.

Environment

  • NTH App Version: 1.16.3
  • NTH Mode (IMDS/Queue processor): N/A
  • OS/Arch: MacOS 12.3.1
  • Kubernetes version: 1.23
  • Installation method: Source code
@jillmon jillmon added the Priority: Medium This issue will be seen by about half of users label May 18, 2022
@jillmon jillmon added this to the August 2022 milestone May 25, 2022
@github-actions

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If you want this issue to never become stale, please ask a maintainer to apply the "stalebot-ignore" label.

@github-actions github-actions bot added the stale Issues / PRs with no activity label Jun 25, 2022
@snay2 snay2 added stalebot-ignore To NOT let the stalebot update or close the Issue / PR and removed stale Issues / PRs with no activity labels Jun 27, 2022
@snay2
Contributor Author

snay2 commented Sep 13, 2022

Kubernetes v1.25 was released 3 weeks ago on 2022-08-23: https://kubernetes.io/releases/#release-v1-25

@snay2 snay2 self-assigned this Sep 13, 2022
snay2 added a commit to snay2/aws-node-termination-handler that referenced this issue Nov 11, 2022
…e instead

This more or less reverts aws#294.
Besides simplifying our ongoing maintenance, this will also serve to make deprecating PodSecurityPolicy easier (aws#638)
@jillmon jillmon assigned cjerad and unassigned snay2 Jan 17, 2023
@cjerad cjerad added the Pending-Release Pending an NTH or eks-charts release label Jan 26, 2023
@cjerad
Contributor

cjerad commented Mar 8, 2023

Included in the v1.19.0 release of AWS Node Termination Handler, Helm chart v0.21.0

@cjerad cjerad closed this as completed Mar 8, 2023
@cjerad cjerad removed the Pending-Release Pending an NTH or eks-charts release label Mar 8, 2023
@sernst

sernst commented Mar 20, 2023

Was the intention only to fix this in the Helm chart? Because the all-resources.yaml and all-resources-queue-processor.yaml for the v1.19.0 release here:

https://github.com/aws/aws-node-termination-handler/releases/tag/v1.19.0

still have those values. I see the conditional here in the Helm templates:

https://github.com/aws/aws-node-termination-handler/blob/main/config/helm/aws-node-termination-handler/templates/psp.yaml#L1

Given the number of historical versions that already support the pod security admissions as mentioned by @snay2

support for built-in Pod Security Admission began in 1.22.

and the short lifecycle of Kubernetes versions, is the intention for these yaml file assets to be leading or lagging these cycles?

Any guidance on what considerations I should be making regarding these release artifacts in my own cluster management would be greatly appreciated.
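The two mechanisms discussed in this thread, side by side, as an added illustrative example (this is not the chart's psp.yaml template or the project's all-resources.yaml; the value names, the resource name and the namespace are assumptions). The first document renders a PodSecurityPolicy only when the cluster still serves the policy/v1beta1 API, which is what keeps a single chart installable on both 1.2x clusters with PSP and 1.25+ clusters without it; the second shows the Pod Security Admission replacement, which is expressed as namespace labels rather than a cluster-scoped object, with the profile version pinned so a cluster upgrade does not silently tighten the checks.

```yaml
# Added example, not the project's own manifests.
# Assumed chart values: .Values.podSecurityPolicy.create; assumed resource name.
{{- if and .Values.podSecurityPolicy.create (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: nth-example-psp   # assumed name; the chart derives its own
spec:
  # Constructed baseline that mirrors the "restricted" Pod Security Standard.
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities: ["ALL"]
  hostNetwork: false
  hostIPC: false
  hostPID: false
  readOnlyRootFilesystem: true
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  fsGroup:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  volumes: ["configMap", "emptyDir", "projected", "secret", "downwardAPI"]
{{- end }}
---
# Pod Security Admission equivalent (1.22+; the only option on 1.25+).
# Enforcement is configured per namespace through labels, so nothing here
# is gated on an API version check. "nth-example" is a constructed namespace;
# kube-system is exempted by the default admission configuration, so labelling
# it would have no effect.
apiVersion: v1
kind: Namespace
metadata:
  name: nth-example
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: v1.25   # pin so upgrades do not change the verdict
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
```

Before switching a namespace to enforce, the migration guide linked above suggests a server-side dry run, `kubectl label --dry-run=server --overwrite ns nth-example pod-security.kubernetes.io/enforce=restricted`, which reports which existing pods in the namespace would be rejected without actually changing the label. Pairing warn and audit with enforce gives you API warnings and audit-log annotations for the same violations, which is the signal to watch when deciding whether the shipped all-resources manifests lead or lag your cluster's version.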

@cjerad
Contributor

cjerad commented Mar 21, 2023

Hi @sernst, thanks for pointing this out. It was not an intentional decision. Please create a new issue.

@sernst

sernst commented Mar 21, 2023

Thanks for the clarification. A new issue has been created: #799
