Add user-friendly error message + standardize PSP flag.

* Substitute global.rbac.psp.enabled and global.psp.enabled uses for global.cattle.psp.enabled.
* Remove previous usages of the capabilities check to determine if PSPs and PSP-related resources are applied.
* Add a new validation file (validate-psp-install.yaml) to make the capabilities check when PSP installation is requested and issue a user-friendly message if unable to install PSP.
* Update app-readme.md to include details of this change.
* Bump chart version to 102.0.0.
* Change default value for PSP installation from true to false.

packages/rancher-logging/generated-changes/overlay/app-readme.md

@@ -2,7 +2,25 @@
 
 This chart is based off of the upstream [Banzai Logging Operator](https://banzaicloud.com/docs/one-eye/logging-operator/) chart. The chart deploys a logging operator and CRDs, which allows users to configure complex logging pipelines with a few simple custom resources. There are two levels of logging, which allow you to collect all logs in a cluster or from a single namespace.
 
-For more information on how to use the feature, refer to our [docs](https://rancher.com/docs/rancher/v2.x/en/logging/v2.5/).
+For more information on how to use the feature, refer to our [docs](https://rancher.com/docs/rancher/v2.x/en/logging/v2.7/).
+
+## Upgrading to Kubernetes v1.25+
+
+Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API.
+
+As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`.
+
+> **Note:**
+> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`.
+
+> **Note:**
+> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).**
+>
+> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets.
+
+Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart.
+
+As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards.
 
 ## Namespace-level logging
 
@@ -22,6 +40,6 @@ To collect logs from an entire cluster, users create cluster flows and cluster o
 For more information on how to configure the Helm chart, refer to the Helm README.
 
 ## Systemd Configuration
-Some kubernetes distributions log to journald.  In order to collect these logs the `systemdLogPath` needs to be defined.  While the `/run/log/journal` directory is used by default, some Linux distributions do not default to this path. For example Ubuntu defaults to `/var/log/journal`.  To determine your `systemdLogPath` run `cat /etc/systemd/journald.conf | grep -E ^\#?Storage | cut -d"=" -f2` on one of your nodes.  If `persistent` is returned your `systemdLogPath` should be `/var/log/journal`.  If `volatile` is returned  `systemdLogPath` should be `/run/log/journal`.  If `auto` is returned check if `/var/log/journal` exists, and if it does then use `/var/log/journal`, otherwise use `/run/log/journal`.
+Some Kubernetes distributions log to journald.  In order to collect these logs the `systemdLogPath` needs to be defined. While the `/run/log/journal` directory is used by default, some Linux distributions do not default to this path. For example Ubuntu defaults to `/var/log/journal`.  To determine your `systemdLogPath` run `cat /etc/systemd/journald.conf | grep -E ^\#?Storage | cut -d"=" -f2` on one of your nodes.  If `persistent` is returned your `systemdLogPath` should be `/var/log/journal`.  If `volatile` is returned  `systemdLogPath` should be `/run/log/journal`. If `auto` is returned check if `/var/log/journal` exists, and if it does then use `/var/log/journal`, otherwise use `/run/log/journal`.
 
 If any value not described here is returned, Rancher Logging will not be able to collect control plane logs. To address this issue set `Storage=volatile` in  journald.conf, reboot your machine, and set `systemdLogPath` to `/run/log/journal`.

packages/rancher-logging/generated-changes/overlay/templates/_generic_logging.yaml

@@ -19,10 +19,10 @@ spec:
     bufferStorageVolume: {{- toYaml . | nindent 6 }}
     {{- end }}
     {{- end }}
-    {{- if or (and .Values.global.psp.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy")) .Values.global.seLinux.enabled }}
+    {{- if or .Values.global.cattle.psp.enabled .Values.global.seLinux.enabled }}
     security:
     {{- end }}
-    {{- if and .Values.global.psp.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+    {{- if .Values.global.cattle.psp.enabled }}
       podSecurityPolicyCreate: true
       roleBasedAccessControlCreate: true
     {{- end }}
@@ -73,7 +73,7 @@ spec:
     scaling:
       replicas: {{ .Values.fluentd.replicas }}
     {{- end }}
-    {{- if and .Values.global.psp.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+    {{- if .Values.global.cattle.psp.enabled }}
     security:
       podSecurityPolicyCreate: true
       roleBasedAccessControlCreate: true

packages/rancher-logging/generated-changes/overlay/templates/loggings/k3s/daemonset.yaml

@@ -57,7 +57,7 @@ kind: ServiceAccount
 metadata:
   name: "{{ .Release.Name }}-k3s-journald-aggregator"
   namespace: "{{ .Release.Namespace }}"
-{{- if and .Values.global.psp.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+{{- if .Values.global.cattle.psp.enabled }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role

packages/rancher-logging/generated-changes/overlay/templates/loggings/rke/daemonset.yaml

@@ -62,7 +62,7 @@ kind: ServiceAccount
 metadata:
   name: "{{ .Release.Name }}-rke-aggregator"
   namespace: "{{ .Release.Namespace }}"
-{{- if and .Values.global.psp.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+{{- if .Values.global.cattle.psp.enabled }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role

packages/rancher-logging/generated-changes/overlay/templates/loggings/rke2/daemonset.yaml

@@ -63,7 +63,7 @@ kind: ServiceAccount
 metadata:
   name: "{{ .Release.Name }}-rke2-journald-aggregator"
   namespace: "{{ .Release.Namespace }}"
-{{- if and .Values.global.psp.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+{{- if .Values.global.cattle.psp.enabled }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role

packages/rancher-logging/generated-changes/overlay/templates/validate-psp-install.yaml

@@ -0,0 +1,7 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+#{{- if .Values.global.cattle.psp.enabled }}
+#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
+#{{- end }}
+#{{- end }}
+#{{- end }}

packages/rancher-logging/generated-changes/patch/templates/psp.yaml.patch

@@ -0,0 +1,8 @@
+--- charts-original/templates/psp.yaml
++++ charts/templates/psp.yaml
+@@ -1,4 +1,4 @@
+-{{ if and .Values.rbac.enabled .Values.rbac.psp.enabled  (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
++{{ if and .Values.global.cattle.psp.enabled }}
+ apiVersion: policy/v1beta1
+ kind: PodSecurityPolicy
+ metadata:

packages/rancher-logging/generated-changes/patch/values.yaml.patch

@@ -26,17 +26,24 @@
  
  affinity: {}
  
-@@ -60,6 +65,9 @@
+@@ -63,7 +68,6 @@
-     # Labels to query http service
-     labels: {}
- 
-+# These "rbac" settings match the upstream defaults. For only using psp in the overlay files, which
-+# include the default Logging CRs created, see the "global.psp" setting. To enable psp for the entire
-+# chart, enable both "rbac.psp" and "global.psp" (this may require further changes to the chart).
  rbac:
    enabled: true
    psp:
-@@ -102,3 +110,139 @@
+-    enabled: true
+     annotations:
+       seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
+       seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
+@@ -75,7 +79,7 @@
+ 
+ 
+ ## SecurityContext holds pod-level security attributes and common container settings.
+-## This defaults to non root user with uid 1000 and gid 2000.	*v1.PodSecurityContext	false
++## This defaults to non-root user with uid 1000 and gid 2000.	*v1.PodSecurityContext	false
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+ ##
+ podSecurityContext: {}
+@@ -102,3 +106,135 @@
  
  serviceAccount:
    annotations: {}
@@ -63,16 +70,12 @@
 +    # set the value below to "false".
 +    # windows:
 +    #   enabled: true
++    psp:
++      enabled: false
 +
 +  # Change the "dockerRootDirectory" if the default Docker directory has changed.
 +  dockerRootDirectory: ""
 +
-+  # This psp setting differs from the upstream "rbac.psp" by only enabling psp settings for the
-+  # overlay files, which include the Logging CRs created, whereas the upstream "rbac.psp" affects the
-+  # logging operator.
-+  psp:
-+    enabled: true
-+
 +  rkeWindowsPathPrefix: "c:\\"
 +
 +  seLinux:

packages/rancher-logging/package.yaml

@@ -1,5 +1,5 @@
 url: https://kubernetes-charts.banzaicloud.com/charts/logging-operator-3.17.10.tgz
-version: 101.1.0
+version: 102.0.0
 additionalCharts:
   - workingDir: charts-crd
     crdOptions:

release.yaml

@@ -52,8 +52,10 @@ rancher-istio:
 - 101.1.0+up1.15.3
 rancher-logging:
 - 101.1.0+up3.17.10
+- 102.0.0+up3.17.10
 rancher-logging-crd:
 - 101.1.0+up3.17.10
+- 102.0.0+up3.17.10
 rancher-monitoring:
 - 100.2.0+up40.1.2
 - 101.1.0+up40.1.2