[CIS] Check for PSP compatibility in target cluster #39851

@MKlimuszka

Parent ticket: #39366

Kubernetes 1.25 drops support for PSP, so additional checks need to be added.

Rancher team 3 is following the proposal outlined in "Kubernetes v1.25 PSP to PSA migration proposal document"

Every chart that ships with a PSP must be changed to add a new condition checking for the PSP capability in the target cluster:

Capabilities check for Helm

{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}

This change allows the charts to still work with PSPs in Kubernetes versions prior to v1.25, and work in Kubernetes v1.25 or higher by skipping installation of PSPs.

Charts that need updating:

  • rancher-cis-benchmark 

If a cluster role in a chart contains PSPs along with other permissions, extra work may be needed to achieve the intended behavior of that role.
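
The capability check applied to a whole PSP manifest and to a single rule inside a mixed ClusterRole, as an added example that is not part of the original issue or of the rancher-cis-benchmark chart. The resource names (`example-psp`, `example-role`) and the policy settings are assumptions chosen for illustration.

```yaml
# templates/psp.yaml (hypothetical file): rendered only when the target
# cluster still serves the PodSecurityPolicy API (Kubernetes < v1.25).
{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example-psp            # hypothetical name
spec:
  privileged: false
  allowPrivilegeEscalation: false
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
    - configMap
    - secret
    - emptyDir
{{- end }}
---
# templates/clusterrole.yaml (hypothetical file): the role itself must exist
# on every Kubernetes version, so only the PSP "use" rule is gated. Wrapping
# the whole ClusterRole in the condition would also drop its other
# permissions on v1.25 or higher.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-role           # hypothetical name
rules:
  - apiGroups: [""]
    resources: ["pods", "nodes"]
    verbs: ["get", "list", "watch"]
{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["example-psp"]
    verbs: ["use"]
{{- end }}
```

Both branches can be rendered offline: plain `helm template` omits the PSP objects, and `helm template --api-versions policy/v1beta1/PodSecurityPolicy` includes them, so the two outputs can be compared before installing into a pre-v1.25 cluster.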
