PodSecurityPolicy removed in Kubernetes 1.25 #1447

Closed
SQLExceptionPhil opened this issue Sep 13, 2022 · 4 comments · Fixed by #1477

@SQLExceptionPhil

Expected Behavior

The released deployment manifest doesn't have deprecated resources listed in it.

Actual Behavior

PodSecurityPolicy tekton-pipelines is listed in the deployment manifest which is a deprecated resource as of 1.21 and will be deleted in 1.25.

Steps to Reproduce the Problem

  1. download the latest release.yaml (tested v0.20.2 - is also included in v0.21.0)

Additional Info

  • Kubernetes version: 1.24

    Output of `kubectl version`:

    ```
    Client Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.4", GitCommit:"95ee5ab382d64cfe6c28967f36b53970b8374491", GitTreeState:"clean", BuildDate:"2022-08-17T18:54:23Z", GoVersion:"go1.18.5", Compiler:"gc", Platform:"linux/amd64"}
    Kustomize Version: v4.5.4
    Server Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.2", GitCommit:"f66044f4361b9f1f96f0053dd46cb7dce5e990a8", GitTreeState:"clean", BuildDate:"2022-06-15T14:15:38Z", GoVersion:"go1.18.3", Compiler:"gc", Platform:"linux/amd64"}
    ```

  • Tekton Pipeline version: v0.37.3

    Output of `tkn version` or `kubectl get pods -n tekton-pipelines -l app=tekton-pipelines-controller -o=jsonpath='{.items[0].metadata.labels.version}'`:

    ```
    Client version: 0.25.0
    Pipeline version: v0.37.3
    Triggers version: v0.20.2
    Dashboard version: v0.28.0
    ```

@SQLExceptionPhil SQLExceptionPhil added the kind/bug Categorizes issue or PR as related to a bug. label Sep 13, 2022
@dibyom
Member

dibyom commented Sep 14, 2022

We are tracking our alternative to PSP deprecation in tektoncd/pipeline#4112

@dibyom dibyom added this to the Triggers v0.22.0 milestone Sep 21, 2022
@dibyom
Member

dibyom commented Oct 4, 2022

We need to port tektoncd/pipeline#5536 to Triggers

@savitaashture savitaashture self-assigned this Nov 2, 2022
@dibyom
Member

dibyom commented Nov 3, 2022

tektoncd/pipeline#5652 added PSA restricted to the entire tekton-pipelines namespace which means triggers controllers will fail to come up with Pipeline v0.41

dibyom added a commit to dibyom/triggers that referenced this issue Nov 3, 2022
This commit drops the Triggers PodSecurityPolicy since it's deprecated and is
going to be removed in Kubernetes 1.25 in favor of PodSecurityAdmission.

In addition, it adds the `securityContext` required for the "restricted"
PodSecurityAdmission levels. These changes are necessary for Triggers to work
with Pipelines v0.41 and higher because tektoncd/pipeline#5652 started
enforcing the restricted pod security level for all pods in the
`tekton-pipelines` namespace (which includes the triggers controller, webhook,
and core interceptor deployments).

Fixes tektoncd#1447 and required for tektoncd#1475

Signed-off-by: Dibyo Mukherjee <dibyo@google.com>
@savitaashture savitaashture assigned dibyom and unassigned savitaashture Nov 3, 2022
@savitaashture
Contributor

@dibyom I see your PR for this issue so assigned to you

tekton-robot pushed a commit that referenced this issue Nov 4, 2022
This commit drops the Triggers PodSecurityPolicy since it's deprecated and is
going to be removed in Kubernetes 1.25 in favor of PodSecurityAdmission.

In addition, it adds the `securityContext` required for the "restricted"
PodSecurityAdmission levels. These changes are necessary for Triggers to work
with Pipelines v0.41 and higher because tektoncd/pipeline#5652 started
enforcing the restricted pod security level for all pods in the
`tekton-pipelines` namespace (which includes the triggers controller, webhook,
and core interceptor deployments).

Fixes #1447 and required for #1475

Signed-off-by: Dibyo Mukherjee <dibyo@google.com>
Repository owner moved this from Todo to Done in Tekton Community Roadmap Nov 4, 2022
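
The two conditions this issue deals with, a PodSecurityPolicy object left in a release manifest and pod templates lacking the `securityContext` that the "restricted" level requires, can be checked before deploying. The following is an added example, not code from Tekton or from the linked PRs; it covers only the securityContext-controlled fields of the restricted Pod Security Standard (not volume types, host namespaces or ephemeral containers), and the manifest documents and object names in it are constructed.

```python
# Added example, not Tekton code: audit parsed manifest documents for the two
# problems in this issue. All sample documents below are constructed.
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}

def restricted_violations(pod_spec):
    """securityContext violations of the 'restricted' Pod Security Standard."""
    pod_sc = pod_spec.get("securityContext") or {}
    pod_seccomp = (pod_sc.get("seccompProfile") or {}).get("type")
    # Explicitly bad pod-level values are rejected even if containers override them.
    checks = [
        (pod_sc.get("runAsNonRoot") is not False, "pod: runAsNonRoot must not be false"),
        (pod_sc.get("runAsUser") != 0, "pod: runAsUser must not be 0"),
        (pod_seccomp in ALLOWED_SECCOMP | {None}, "pod: seccompProfile.type not allowed"),
    ]
    for c in (pod_spec.get("initContainers") or []) + (pod_spec.get("containers") or []):
        sc, name = c.get("securityContext") or {}, c.get("name", "?")
        caps = sc.get("capabilities") or {}
        # Unset container fields inherit the pod-level value.
        seccomp = (sc.get("seccompProfile") or {}).get("type", pod_seccomp)
        checks += [
            (sc.get("allowPrivilegeEscalation") is False, f"{name}: allowPrivilegeEscalation must be false"),
            (sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is True, f"{name}: runAsNonRoot must be true"),
            (sc.get("runAsUser") != 0, f"{name}: runAsUser must not be 0"),
            ("ALL" in (caps.get("drop") or []), f"{name}: capabilities.drop must include ALL"),
            (not set(caps.get("add") or []) - {"NET_BIND_SERVICE"}, f"{name}: only NET_BIND_SERVICE may be added"),
            (seccomp in ALLOWED_SECCOMP, f"{name}: seccompProfile.type must be RuntimeDefault or Localhost"),
        ]
    return [msg for ok, msg in checks if not ok]

def audit(docs):
    """Map 'Kind/name' -> findings for PSP objects and workload pod templates."""
    report = {}
    for d in docs:
        key = f"{d.get('kind')}/{d.get('metadata', {}).get('name')}"
        if d.get("kind") == "PodSecurityPolicy":
            report[key] = ["PodSecurityPolicy API is removed in Kubernetes 1.25"]
        elif d.get("kind") in ("Deployment", "StatefulSet", "DaemonSet"):
            report[key] = restricted_violations(d["spec"]["template"]["spec"])
    return {k: v for k, v in report.items() if v}

# Constructed sample: one PSP, one bare Deployment, one hardened Deployment.
HARDENED = {"allowPrivilegeEscalation": False, "runAsNonRoot": True,
            "capabilities": {"drop": ["ALL"]}, "seccompProfile": {"type": "RuntimeDefault"}}
def _deploy(name, sc):
    return {"kind": "Deployment", "metadata": {"name": name},
            "spec": {"template": {"spec": {"containers": [{"name": "main", "securityContext": sc}]}}}}
SAMPLE = [{"kind": "PodSecurityPolicy", "metadata": {"name": "example-psp"}},
          _deploy("bare", {}), _deploy("hardened", HARDENED)]
if __name__ == "__main__": print(audit(SAMPLE))
```

To run it against a real `release.yaml`, load the documents with a YAML parser and pass the resulting list to `audit`.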