Resolve PodSecurityAdmission restrictions on 1.23+ for deprecated PodSecurityPolicy #5652
Conversation
/retest
@JeromeJu I'm still getting the same error - I used this kind config YAML:
..and ran
@JeromeJu Ok, with the following diff (also updates
Yes, the
Testing now on k8s 1.22...
Ok, with that diff above applied to this branch, it works on k8s 1.22, 1.23, and 1.24.
@JeromeJu Oops, my diff was missing this:
The resolvers deployment will still come online without it, but the
ca24641 to aab7dc3
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: abayer. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
@JeromeJu suggested rewording of the release notes: "Action required: If using Kubernetes 1.22, set PodSecurity flag to Also, a more descriptive commit title would be "Replace PodSecurityPolicy with PodSecurityAdmission".
This commit fixes the issue where the securityContext is not restricted in PodSecurityAdmission (PSA). This removes the PodSecurityPolicy, which is deprecated in Kubernetes v1.21 and removed from v1.25. In addition to the PSA restricted label, this adds the respective policies enforced by PSP but not covered by the restricted standard of PSA.
Thanks @lbernick, updated.
@abayer I know our CI runs e2e tests on kind w/ k8s version 1.23 now and I can see you've tested on 1.24 as well. Do we have a way of testing this on all the k8s versions we support via CI, or do you think it's OK to merge this?
There's no easy way to test them all in CI, sadly, but yeah, this is good to merge, IMO.
/lgtm
This commit drops the Triggers PodSecurityPolicy since it's deprecated and is going to be removed in Kubernetes 1.25 in favor of PodSecurityAdmission. In addition, it adds the `securityContext` required for the "restricted" PodSecurityAdmission levels. These changes are necessary for Triggers to work with Pipelines v0.41 and higher because tektoncd/pipeline#5652 started enforcing the restricted pod security level for all pods in the `tekton-pipelines` namespace (which includes the triggers controller, webhook, and core interceptor deployments). Fixes tektoncd#1447 and required for tektoncd#1475 Signed-off-by: Dibyo Mukherjee <[email protected]>
Changes
This commit fixes the issue where the securityContext is not restricted in PodSecurityAdmission (PSA). This removes the PodSecurityPolicy, which is deprecated in Kubernetes v1.21 and removed from v1.25. In addition to the PSA restricted label, this adds the respective policies enforced by PSP but not covered by the restricted standard of PSA.
The previous settings in 101-podsecuritypolicy.yaml restrict roles to be run as nonRoot; this is covered by the PodSecurityStandard of the restricted level.
/kind bug
Fixes #5603 #4112
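The PR above turns on the `restricted` PodSecurityAdmission level for the `tekton-pipelines` namespace and adds the `securityContext` fields that level demands. What a reviewer usually wants at this point is a quick, offline way to see which fields a given pod template still lacks before the admission plugin rejects it. The following is an added example written for this page, not code from the tektoncd/pipeline or tektoncd/triggers repositories: a stdlib-only linter that applies the restricted profile's checks (plus the baseline checks it inherits) to a pod spec held as a plain dict, and a helper that returns the namespace labels used to enable PSA. The two sample pod specs, the image name and the namespace version value are constructed for illustration and do not reproduce the real Tekton manifests.

```python
"""Offline check of a Pod spec against the PodSecurityAdmission "restricted" profile.

Added example, not project code. Pod specs are plain dicts (what yaml.safe_load()
of a manifest would return), so no third-party packages are needed.
"""

# Namespace labels that switch on PSA. Pinning enforce-version to a specific
# Kubernetes minor (e.g. "v1.24") avoids surprises when the cluster upgrades;
# "latest" is used here only as a default for the example.
def psa_namespace_labels(level="restricted", version="latest"):
    return {
        "pod-security.kubernetes.io/enforce": level,
        "pod-security.kubernetes.io/enforce-version": version,
        "pod-security.kubernetes.io/warn": level,
        "pod-security.kubernetes.io/audit": level,
    }

# Volume types the restricted profile permits; anything else (hostPath, ...) fails.
ALLOWED_VOLUME_TYPES = {"configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
                        "persistentVolumeClaim", "projected", "secret"}
ALLOWED_SECCOMP = ("RuntimeDefault", "Localhost")

def _all_containers(spec):
    for key in ("initContainers", "containers", "ephemeralContainers"):
        yield from spec.get(key, [])

def restricted_violations(pod):
    """Return human-readable violations; an empty list means the pod is admissible."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    problems = []

    # Baseline checks inherited by the restricted profile.
    for host_field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(host_field):
            problems.append(f"spec.{host_field} must not be true")
    for vol in spec.get("volumes", []):
        for vtype in set(vol) - {"name"}:
            if vtype not in ALLOWED_VOLUME_TYPES:
                problems.append(f"volume {vol.get('name')!r} uses disallowed type {vtype!r}")
    if pod_sc.get("runAsUser") == 0:
        problems.append("spec.securityContext.runAsUser must not be 0")

    # Pod-level values may satisfy the per-container requirement when containers omit them.
    pod_nonroot = pod_sc.get("runAsNonRoot") is True
    pod_seccomp = (pod_sc.get("seccompProfile") or {}).get("type") in ALLOWED_SECCOMP

    for c in _all_containers(spec):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            problems.append(f"container {name!r}: privileged must not be true")
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"container {name!r}: allowPrivilegeEscalation must be set to false")
        nonroot = sc.get("runAsNonRoot")
        if nonroot is False or (nonroot is None and not pod_nonroot):
            problems.append(f"container {name!r}: runAsNonRoot must be true (pod- or container-level)")
        if sc.get("runAsUser") == 0:
            problems.append(f"container {name!r}: runAsUser must not be 0")
        caps = sc.get("capabilities") or {}
        if "ALL" not in caps.get("drop", []):
            problems.append(f"container {name!r}: capabilities.drop must include ALL")
        for cap in caps.get("add", []):
            if cap != "NET_BIND_SERVICE":
                problems.append(f"container {name!r}: capability {cap!r} may not be added")
        seccomp = (sc.get("seccompProfile") or {}).get("type")
        if seccomp is None and not pod_seccomp:
            problems.append(f"container {name!r}: seccompProfile.type must be RuntimeDefault or Localhost")
        elif seccomp is not None and seccomp not in ALLOWED_SECCOMP:
            problems.append(f"container {name!r}: seccompProfile.type {seccomp!r} not allowed")
    return problems

# Constructed sample: a PSP-era controller pod that only set runAsNonRoot.
BEFORE = {"spec": {
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "controller", "image": "example.invalid/controller:dev"}],
    "volumes": [{"name": "cfg", "configMap": {"name": "example-config"}}],
}}

# Constructed sample: the same pod with the fields the restricted profile requires.
AFTER = {"spec": {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "controller", "image": "example.invalid/controller:dev",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]},
                                        "runAsNonRoot": True}}],
    "volumes": [{"name": "cfg", "configMap": {"name": "example-config"}}],
}}

if __name__ == "__main__":
    for label, pod in (("before", BEFORE), ("after", AFTER)):
        found = restricted_violations(pod)
        print(f"{label}: {'admitted' if not found else str(len(found)) + ' violation(s)'}")
        for p in found:
            print("  -", p)
```

Running it reports three violations for the PSP-era spec (no `allowPrivilegeEscalation: false`, no `capabilities.drop: [ALL]`, no seccomp profile) and none for the hardened one, which is exactly the gap the commit message describes between what the old PSP enforced and what the restricted standard requires. Against a live cluster the same preview is available from the real admission plugin with `kubectl label --dry-run=server --overwrite ns <namespace> pod-security.kubernetes.io/enforce=restricted`, which prints a warning for every existing pod that would be rejected without changing the namespace.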