PodSecurity Policies in v3.24.1 Deployment
I deployed Calico v3.24.1 using the Tigera Operator Helm chart. The documentation says that this deployment should comply with Pod Security Standards.
Expected Behavior
I expect that there should not be any Pod Security Policies.
Current Behavior
I am seeing 3 Pod Security Policies. These are calico-kube-controllers, calico-node, and calico-typha. They are attached to similarly named pods in the calico-system namespace through Service Accounts, Cluster Role Bindings, and Cluster Roles.
Possible Solution
Steps to Reproduce (for bugs)
- helm repo add projectcalico https://projectcalico.docs.tigera.io/charts
- kubectl create namespace tigera-operator
- helm install calico projectcalico/tigera-operator --namespace tigera-operator
Context
This is blocking transition from Pod Security Policies to Pod Security Standards.
Your Environment
- Calico version: v3.24.1
- Orchestrator version (e.g. kubernetes, mesos, rkt): kubernetes 1.23
- Cloud provider: AWS EKS
Hey @cmukai-cisco, the operator only transitions away from pod security policies when your kubernetes version is 1.25+. If you update the kubernetes version, does the issue still persist?
Thanks for the information. I am using AWS EKS which currently only supports up to Kubernetes 1.23. I now understand that PSPs will not disappear until 1.25. How does Calico implement pod security standards in 1.25?
How does Calico implement pod security standards in 1.25?
Easiest way to see this is to deploy a 1.25 KinD cluster on your machine, deploy Calico and see :)
Otherwise, the code is available.
I think the 3 levels of the standards themselves are defined in k8s itself, tigera-operator just annotates the relevant namespaces with the correct level.
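To audit the two halves of this transition on a cluster, which PSPs are still reachable by which service accounts through the ClusterRole/ClusterRoleBinding chain described in the report, and which namespaces already carry a Pod Security Admission enforce label, here is an added Python example (not Calico or tigera-operator code). It works over the `items` arrays that `kubectl get ... -o json` emits; the objects below are constructed, and the `privileged` label on `tigera-operator` is an assumption for illustration only.

```python
PSA_LABEL = "pod-security.kubernetes.io/enforce"
# Constructed sample objects in the shape of kubectl's `items`; not real cluster output.
# The tigera-operator label below is an assumed illustration of a namespace already on PSA.
SAMPLE_ROLES = [
    {"metadata": {"name": "calico-node"},
     "rules": [{"apiGroups": ["policy"], "resources": ["podsecuritypolicies"],
                "verbs": ["use"], "resourceNames": ["calico-node"]}]},
    {"metadata": {"name": "calico-typha"},  # no PSP rule: must stay out of the report
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get"]}]},
]
SAMPLE_BINDINGS = [
    {"metadata": {"name": "calico-node"},
     "roleRef": {"kind": "ClusterRole", "name": "calico-node"},
     "subjects": [{"kind": "ServiceAccount", "name": "calico-node", "namespace": "calico-system"}]},
]
SAMPLE_NAMESPACES = [
    {"metadata": {"name": "calico-system", "labels": {}}},
    {"metadata": {"name": "tigera-operator", "labels": {PSA_LABEL: "privileged"}}},
]

def psp_grants(cluster_roles):
    """ClusterRole name -> PSP names the role may 'use'; '*' when resourceNames is absent."""
    grants = {}
    for role in cluster_roles:
        for rule in role.get("rules", []):
            if ("policy" in rule.get("apiGroups", [])
                    and "podsecuritypolicies" in rule.get("resources", [])
                    and "use" in rule.get("verbs", [])):
                grants.setdefault(role["metadata"]["name"], set()).update(
                    rule.get("resourceNames") or ["*"])
    return grants

def psp_usage(cluster_roles, bindings):
    """PSP name -> 'namespace/serviceaccount' subjects that reach it via a ClusterRoleBinding."""
    grants, usage = psp_grants(cluster_roles), {}
    for binding in bindings:
        ref = binding["roleRef"]
        if ref["kind"] != "ClusterRole" or ref["name"] not in grants:
            continue
        for subject in binding.get("subjects", []):
            if subject["kind"] == "ServiceAccount":
                for psp in grants[ref["name"]]:
                    usage.setdefault(psp, set()).add(
                        f"{subject['namespace']}/{subject['name']}")
    return usage

def psa_levels(namespaces):
    """Namespace name -> PSA enforce level, or None when the label is missing."""
    return {ns["metadata"]["name"]: ns["metadata"].get("labels", {}).get(PSA_LABEL)
            for ns in namespaces}
```

On a live cluster, pass in the `items` arrays from `kubectl get clusterroles -o json`, `kubectl get clusterrolebindings -o json` and `kubectl get namespaces -o json`; a PSP that `psp_usage` no longer lists for any calico-system service account is one the operator has stopped depending on.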