[v2.9][v1.29] Rancher K8s v1.29.0 update

[krunalhinguu]

Issue:

• [Feature] K8s 1.29 Support #43110

Problem

• To support Kubernetes 1.29 we need to bump all the k8s libraries to 1.29

Solution

• Bumping all Kubernetes libraries to 1.29
• Removed all dependencies related to PodSecurityPolicy
• Removed all dependencies related to PodSecurityPolicyTemplateProjectBinding
• Removed all dependencies related to PodSecurityPolicyTemplateName
• Removed code to enable PSP
• forceAdopt is renamed to takeOwnership as part of helm 3.14.3
• Bumped golangci-lint version. go1.22 support golangci/golangci-lint#4273

Testing

Engineering Testing

Manual Testing

Automated Testing

• Test types added/modified:
  • Unit
  • Integration (Go Framework)
  • Integration (v2prov Framework)
  • Validation (Go Framework)
  • Other - Explain: EXPLAIN
  • None
  • REMOVE NOT APPLICABLE BULLET POINTS ABOVE
• If "None" - Reason: EXPLAIN THE REASON
• If "None" - GH Issue/PR: LINK TO GH ISSUE/PR TO ADD TESTS

Summary: TODO

QA Testing Considerations

Regressions Considerations

TODO

Existing / newly added automated tests that provide evidence there are no regressions:

• TODO

[kinarashah]

@krunalhinguu We also need to update kubeVersion in Chart.yaml to add support for 1.29

rancher/chart/Chart.yaml

Line 6 in 3c48a19

kubeVersion: < 1.29.0-0

[jiaqiluo]

Such a huge PR, good job!
It looks good to me overall, and I have a few suggestions and questions.

[jiaqiluo]

This will be switched back to rancher/shepherd, right?

[krunalhinguu]

Yup, once this pull request is merged, automation team will proceed to update rancher/shepherd, which has a dependency on rancher/apis. Afterward, I'll ensure that this is updated with the appropriate rancher/shepherd tag.

[krunalhinguu]

Just to keep track of this : #45564

[jiaqiluo]

Cool, it sounds good to me.

[kinarashah]

Need @maxsokolovsky's review around PSP removal before merging.

[snasovich]

@krunalhinguu , thank you for updating the PR. Unfortunately CI is failing after latest force-push that updated error handling packages usage - https://drone-pr.rancher.io/rancher/rancher/39365/6/2. Could you please resolve this?

[krunalhinguu]

@snasovich looks like all the builds are failing in release-v2.9, I have to check the reason

[maxsokolovsky]

A couple of questions:

1. Are there any ClusterRoles and ClusterRoleBindings with permissions to perform actions on PSPs that may need to be removed?
2. If yes, do we know if these bindings only act on PSP objects and no others?

I am not seeing any cleanup of these remaining objects, and we might want that.

Cleanup is usually done by running custom code or Job when the agent starts up. See this example: #42325

[maxsokolovsky]

Another question is about CRDs, CRs, and PSP resources themselves.

In case of CRDs, any deletions will trigger K8s to delete custom resources of that kind. So those PSP Bindings will get deleted when the CRD for them is deleted. But what about PSPs themselves? Those are not strictly CRDs but resources of a K8s group. Are they treated the same as CRs when a CRD is deleted? If the K8s API server doesn't know about PSPs, does it delete them all?

[snasovich]

@maxsokolovsky , thank you for the feedback.
I'll let @krunalhinguu respond materially but if there are non-trivial changes that need to be done (like creating migration that cleans up CRs/CRBs and any other objects referencing PSPs) we may want to split it into a separate issue to unblock progress and testing on base 1.29 support and unblock work on 1.30 support. That issue will still target the same v2.9-Next1 milestone so it won't get missed. Having a separate issue will also ensure we have more specific test cases for these scenarios.

@krunalhinguu (cc: @mitulshah-suse ), please let us know if in fact we require these non-trivial changes to address @maxsokolovsky's concerns.