aws-node-termination-handler

Migrate from `PodSecurityPolicy` to Pod Security Admission

Open snay2 opened this issue 3 years ago • 2 comments

Describe the bug
When running the end-to-end tests on Kubernetes server version 1.23, I get the following warning:

policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+

Steps to reproduce
Run the following command on your local machine from the root of the repo:

test/k8s-local-cluster-test/run-test -v 1.23 -d

Then wait for it to build the image and start the cluster. After the first test starts running (e.g., "Running assertion script asg-lifecycle-sqs-test"), you'll see the warning above.

Expected outcome
We need to add support for Pod Security Admission before we can support Kubernetes server 1.25 (expected release date August 2022). However, if we wish to maintain support for the most recent 6 Kubernetes versions (which would include 1.20 and 1.21 at that time), we will need to keep the existing PodSecurityPolicy specs or use a third-party solution, because support for built-in Pod Security Admission began in 1.22.

The migration guide is here: https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/

PodSecurityPolicy is used in several places throughout the repository: https://github.com/aws/aws-node-termination-handler/search?q=PodSecurityPolicy

Application Logs
See above.

Environment

  • NTH App Version: 1.16.3
  • NTH Mode (IMDS/Queue processor): N/A
  • OS/Arch: MacOS 12.3.1
  • Kubernetes version: 1.23
  • Installation method: Source code

snay2 avatar May 13 '22 16:05 snay2

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If you want this issue to never become stale, please ask a maintainer to apply the "stalebot-ignore" label.

github-actions[bot] avatar Jun 25 '22 17:06 github-actions[bot]

Kubernetes v1.25 was released 3 weeks ago on 2022-08-23: https://kubernetes.io/releases/#release-v1-25

snay2 avatar Sep 13 '22 14:09 snay2

Included in the v1.19.0 release of AWS Node Termination Handler, Helm chart v0.21.0

cjerad avatar Mar 08 '23 17:03 cjerad

Was the intention only to fix this in the Helm chart? Because the all-resources.yaml and all-resources-queue-processor.yaml for the v1.19.0 release here:

https://github.com/aws/aws-node-termination-handler/releases/tag/v1.19.0

still have those values. I see the conditional here in the Helm templates:

https://github.com/aws/aws-node-termination-handler/blob/main/config/helm/aws-node-termination-handler/templates/psp.yaml#L1

Given the number of historical versions that already support the pod security admissions as mentioned by @snay2

support for built-in Pod Security Admission began in 1.22.

and the short lifecycle of Kubernetes versions, is the intention for these yaml file assets to be leading or lagging these cycles?

Any guidance on what considerations I should be making regarding these release artifacts in my own cluster management would be greatly appreciated.

sernst avatar Mar 20 '23 22:03 sernst
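The two halves of the migration that the opening issue and sernst's question both touch on (gating the PSP template on the API still being served, and carrying the same restrictions over to Pod Security Admission namespace labels), as an added example. This is not the project's psp.yaml or any manifest from the NTH releases; the value names `.Values.rbac.pspEnabled` and `.Values.useHostNetwork`, the namespace name, and the specific restrictions in the policy are assumptions chosen to illustrate the pattern.

```yaml
# Added example, not code from aws-node-termination-handler.
# Assumed values: .Values.rbac.pspEnabled, .Values.useHostNetwork; assumed
# namespace: nth-system.

# --- Part 1: Helm template (e.g. templates/psp.yaml) ---
# Render the PodSecurityPolicy only while the target cluster still serves
# policy/v1beta1/PodSecurityPolicy, i.e. on Kubernetes < 1.25. Note that
# .Capabilities.APIVersions.Has queries the live cluster during
# `helm install`/`helm upgrade`; a bare `helm template` with no cluster
# only sees Helm's built-in default API list, so test this against a real
# cluster or pass --api-versions explicitly.
{{- if and .Values.rbac.pspEnabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: aws-node-termination-handler
spec:
  privileged: false
  allowPrivilegeEscalation: false
  # IMDS mode needs the host network namespace to reach 169.254.169.254;
  # queue-processor mode does not, so leave this false there.
  hostNetwork: {{ .Values.useHostNetwork }}
  hostPID: false
  hostIPC: false
  readOnlyRootFilesystem: true
  volumes:
    - configMap
    - secret
    - emptyDir
    - projected
    - downwardAPI
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
{{- end }}
---
# --- Part 2: Pod Security Admission (Kubernetes 1.22+; alpha behind the
# PodSecurity feature gate in 1.22, on by default from 1.23) ---
# PSA is configured per namespace with labels rather than per pod via RBAC.
# `baseline` rejects hostNetwork/hostPID/hostIPC and privileged containers,
# which matches the PSP above for queue-processor mode. An IMDS-mode
# DaemonSet that sets hostNetwork: true fails both `baseline` and
# `restricted`; for that namespace you must either enforce `privileged`
# or exempt the namespace in the PodSecurity admission configuration, and
# keep warn/audit at `restricted` so violations still show up.
apiVersion: v1
kind: Namespace
metadata:
  name: nth-system
  labels:
    pod-security.kubernetes.io/enforce: baseline
    # Pin the profile version so a control-plane upgrade cannot silently
    # tighten the enforced policy and evict running workloads.
    pod-security.kubernetes.io/enforce-version: v1.25
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
```

Before switching `enforce` on an existing namespace, run the label change as a server-side dry run (`kubectl label --dry-run=server --overwrite ns nth-system pod-security.kubernetes.io/enforce=baseline`); the API server reports every existing pod that would violate the level without changing anything, which is how the upstream migration guide recommends finding workloads such as a hostNetwork DaemonSet before they are blocked.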

Hi @sernst, thanks for pointing this out. It was not an intentional decision. Please create a new issue.

cjerad avatar Mar 21 '23 19:03 cjerad

Thanks for clarification. New issue has been created: https://github.com/aws/aws-node-termination-handler/issues/799

sernst avatar Mar 21 '23 20:03 sernst