Add new PSP flag + add validation for capabilities.

* Remove previously added capabilities check. * Add new validation file validate-psp-install.yaml with capabilities and switch check to verify PSPs are installable in the target cluster. * Remove old PSP flags and replace them with the standardized global.cattle.psp.enabled. * Add explanation of the changes for Kubernetes v1.25 to app-readme.md.
2023-01-27 14:41:08 -05:00 · 2023-01-27 14:41:08 -05:00 · f50b5dc1f7
parent 8e0334ecfc
commit f50b5dc1f7
10 changed files with 67 additions and 6 deletions
--- a/packages/rancher-gatekeeper/generated-changes/overlay/app-readme.md
+++ b/packages/rancher-gatekeeper/generated-changes/overlay/app-readme.md
@ -12,3 +12,21 @@ The chart installs the following components:
 - [Constraint](https://github.com/open-policy-agent/gatekeeper#constraints) - A constraint is a custom resource that defines the scope of resources which a specific constraint template should apply to. The complete policy is defined by a combination of `ConstraintTemplates` (i.e. what the policy is) and `Constraints` (i.e. what resource to apply the policy to).

 For more information on how to configure the Helm chart, refer to the Helm README.
+
+## Upgrading to Kubernetes v1.25+
+
+Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API.
+
+As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`.
+
+> **Note:**
+> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`.
+
+> **Note:**
+> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).**
+>
+> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets.
+
+Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart.
+
+As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards.
--- a/packages/rancher-gatekeeper/generated-changes/overlay/templates/validate-psp-install.yaml
+++ b/packages/rancher-gatekeeper/generated-changes/overlay/templates/validate-psp-install.yaml
@ -0,0 +1,7 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+#{{- if .Values.global.cattle.psp.enabled }}
+#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
+#{{- end }}
+#{{- end }}
+#{{- end }}
--- a/packages/rancher-gatekeeper/generated-changes/patch/templates/_helpers.tpl.patch
+++ b/packages/rancher-gatekeeper/generated-changes/patch/templates/_helpers.tpl.patch
@ -12,7 +12,7 @@
 +{{- end -}}
 +{{- end -}}
 +
-+{{/*
+ {{/*
 +Windows cluster will add default taint for linux nodes,
 +add below linux tolerations to workloads could be scheduled to those linux nodes
 +*/}}
@ -27,7 +27,7 @@
 +kubernetes.io/os: linux
 +{{- end -}}
 +
- {{/*
+{{/*
 Output post install webhook probe container entry
 */}}
 {{- define "gatekeeper.postInstallWebhookProbeContainer" -}}
--- a/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-admin-podsecuritypolicy.yaml.patch
+++ b/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-admin-podsecuritypolicy.yaml.patch
@ -0,0 +1,8 @@
+--- charts-original/templates/gatekeeper-admin-podsecuritypolicy.yaml
+++ charts/templates/gatekeeper-admin-podsecuritypolicy.yaml
+@@ -1,4 +1,4 @@
+-{{- if and .Values.psp.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+{{- if .Values.global.cattle.psp.enabled }}
+ apiVersion: policy/v1beta1
+ kind: PodSecurityPolicy
+ metadata:
--- a/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-manager-role-clusterrole.yaml.patch
+++ b/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-manager-role-clusterrole.yaml.patch
@ -0,0 +1,11 @@
+--- charts-original/templates/gatekeeper-manager-role-clusterrole.yaml
+++ charts/templates/gatekeeper-manager-role-clusterrole.yaml
+@@ -99,7 +99,7 @@
+   - patch
+   - update
+   - watch
+-{{- if and .Values.psp.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+{{- if .Values.global.cattle.psp.enabled }}
+ - apiGroups:
+   - policy
+   resourceNames:
--- a/packages/rancher-gatekeeper/generated-changes/patch/values.yaml.patch
+++ b/packages/rancher-gatekeeper/generated-changes/patch/values.yaml.patch
@ -74,16 +74,22 @@
   resources:
     limits:
       cpu: 1000m
-@@ -232,6 +235,12 @@
+@@ -232,10 +235,16 @@
 pdb:
   controllerManager:
     minAvailable: 1
 +global:
 +  cattle:
 +    systemDefaultRegistry: ""
+    psp:
+      enabled: false
 +  kubectl:
 +    repository: rancher/kubectl
 +    tag: v1.20.2
 service: {}
 disabledBuiltins: ["{http.send}"]
- psp:
+-psp:
+-  enabled: true
+ upgradeCRDs:
+   enabled: true
+   extraRules: []
--- a/packages/rancher-gatekeeper/templates/crd-template/templates/rbac.yaml
+++ b/packages/rancher-gatekeeper/templates/crd-template/templates/rbac.yaml
@ -10,7 +10,7 @@ rules:
  resources:
  - customresourcedefinitions
  verbs: ['create', 'get', 'patch', 'delete']
-{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
+{{- if .Values.global.cattle.psp.enabled }}
 - apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs:     ['use']
@ -41,7 +41,7 @@ metadata:
  labels:
    app: {{ .Chart.Name }}-manager
 ---
-{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
+{{- if .Values.global.cattle.psp.enabled }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
--- a/packages/rancher-gatekeeper/templates/crd-template/templates/validate-psp-install.yaml
+++ b/packages/rancher-gatekeeper/templates/crd-template/templates/validate-psp-install.yaml
@ -0,0 +1,7 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+#{{- if .Values.global.cattle.psp.enabled }}
+#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
+#{{- end }}
+#{{- end }}
+#{{- end }}
--- a/packages/rancher-gatekeeper/templates/crd-template/values.yaml
+++ b/packages/rancher-gatekeeper/templates/crd-template/values.yaml
@ -5,6 +5,8 @@
 global:
  cattle:
    systemDefaultRegistry: ""
+    psp:
+      enabled: false

 image:
  repository: rancher/kubectl
--- a/release.yaml
+++ b/release.yaml
@ -42,8 +42,10 @@ rancher-eks-operator-crd:
 - 101.2.0+up1.2.0-rc2
 rancher-gatekeeper:
 - 101.1.0+up3.10.0
+- 102.0.0+up3.10.0
 rancher-gatekeeper-crd:
 - 101.1.0+up3.10.0
+- 102.0.0+up3.10.0
 rancher-gke-operator:
 - 101.0.1+up1.1.5
 rancher-gke-operator-crd: