SUBMARINE-1131. Remove deprecated API for k8s 1.25

### What is this PR for? `PodSecurityPolicy` will be removed in k8s 1.25 https://kubernetes.io/docs/reference/using-api/deprecation-guide/#psp-v125 So that we need to remove the `PodSecurityPolicy` support in 1.25 and try to use other ways to handle `runAsUser`. https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/ https://kubernetes.io/docs/concepts/security/pod-security-admission/ ### What type of PR is it? Improvement ### Todos * [x] - Add k8s 1.25 in git workflow * [x] - Change `podSecurityPolicy.create` default value to false * [x] - Change`PodSecurityPolicy` to `Pod Security Admission` (PCA) in 1.25 ### What is the Jira issue? https://issues.apache.org/jira/browse/SUBMARINE-1131 ### How should this be tested? CI test ### Screenshots (if appropriate) ### Questions: * Do the license files need updating? No * Are there breaking changes for older versions? No * Does this need new documentation? No Author: cdmikechen <cdmikechen@apache.org> Signed-off-by: cdmikechen <cdmikechen@apache.org> Closes #1071 from cdmikechen/SUBMARINE-1131 and squashes the following commits: a9ed15d [cdmikechen] support PSA 2556d34 [cdmikechen] update master workflow k8s to 1.25.3 f993013 [cdmikechen] set kind to 1.25.3 0ed0131 [cdmikechen] set psp to false by default f85c3b9 [cdmikechen] update k8s version to 1.25
apache · Jul 15, 2023 · b0d96b3 · b0d96b3
1 parent 5d21ad5
commit b0d96b3
Show file tree

Hide file tree

Showing 6 changed files with 64 additions and 39 deletions.
diff --git a/.github/workflows/master.yml b/.github/workflows/master.yml
@@ -33,7 +33,7 @@ jobs:
     steps:
       - id: set-matrix
         run: |
-          echo "::set-output name=matrix::[\"v1.22.17\", \"v1.23.17\", \"v1.24.12\"]"
+          echo "::set-output name=matrix::[\"v1.22.17\", \"v1.23.17\", \"v1.24.12\", \"v1.25.3\"]"
   submarine-operator-verify:
     runs-on: ubuntu-latest
     timeout-minutes: 10

diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml
@@ -19,7 +19,7 @@ name: python-sdk
 on: [push, pull_request]
 
 env:
-  KUBERNETES_VERSION: "v1.21.14"
+  KUBERNETES_VERSION: "v1.25.3"
 
 jobs:
   check-style:

diff --git a/helm-charts/submarine/README.md b/helm-charts/submarine/README.md
@@ -96,7 +96,7 @@ The following table lists the configurable parameters of the MySQL chart and the
 | `storageClass.provisioner`                   | Determine what volume plugin is used for provisioning PVs                                                                                      | `k8s.io/minikube-hostpath`                 |
 | `storageClass.parameters`                    | Describe volumes belonging to the storage class                                                                                                | `{}`                                       |
 | `clusterType`                                | k8s cluster type. can be: kubernetes or openshift                                                                                              | `kubernetes`                               |
-| `podSecurityPolicy.create`                   | Specifies whether a PodSecurityPolicy should be created, this configuration enables the database/minio/server to set securityContext.runAsUser | `true`                                     |
+| `podSecurityPolicy.create`                   | Specifies whether a PodSecurityPolicy should be created, this configuration enables the database/minio/server to set securityContext.runAsUser | `false`                                     |
 | `istio.enabled`                              | Use istio to expose the service                                                                                                                | `true`                                     |
 | `istio.gatewaySelector`                      | Gateway label selector                                                                                                                         | `istio: ingressgateway`                    |
 | `training-operator.enabled`                  | If we need to deploye a kubeflow training operator in this helm                                                                                | `true`                                     |

diff --git a/helm-charts/submarine/values.yaml b/helm-charts/submarine/values.yaml
@@ -43,7 +43,9 @@ clusterType: kubernetes
 podSecurityPolicy:
   # Specifies whether a PodSecurityPolicy should be created,
   # This configuration enables the database/minio/server to set securityContext.runAsUser
-  create: true
+  # If your kubernetes cluster version is 1.25+, please set false.
+  # reference: https://kubernetes.io/docs/reference/using-api/deprecation-guide/#psp-v125
+  create: false
 
 # Istio configuration
 istio:

diff --git a/website/docs/devDocs/Dependencies.md b/website/docs/devDocs/Dependencies.md
@@ -1,6 +1,7 @@
 ---
 title: Dependencies for Submarine
 ---
+
 <!--
 Licensed to the Apache Software Foundation (ASF) under one
 or more contributor license agreements.  See the NOTICE file
@@ -19,54 +20,64 @@ KIND, either express or implied.  See the License for the
 specific language governing permissions and limitations
 under the License.
 -->
-* These are the dependencies currently used by Apache Submarine.
+
+- These are the dependencies currently used by Apache Submarine.
 
 ## Kubernetes
-| Kubernetes Version  | Support?  |
-|---------------------|:-------------:|
-| 1.18.x (or earlier) | X |
-| 1.19.x - 1.21.x     | √ |
-| 1.22.x (or later)   | X |
+
+| Kubernetes Version  |    Support?    |
+| ------------------- | :------------: |
+| 1.18.x (or earlier) |       X        |
+| 1.19.x - 1.21.x     |   Not tested   |
+| 1.22.x - 1.25.x     |       √        |
+| 1.26.x (or later)   | To be verified |
 
 ## KinD
-| KinD Version       | Support?  |
-|--------------------|:-------------:|
-| 0.5.x (or earlier) | X |
-| 0.6.x - 0.17.x     | √ |
+
+| KinD Version       | Support? |
+| ------------------ | :------: |
+| 0.5.x (or earlier) |    X     |
+| 0.6.x - 0.17.x     |    √     |
 
 ## Java
-| JDK Version   | Support?  |
-| ------------- |:-------------:|
-| 8 | √ |
-| 11 | √ |
-| 17 | X |
+
+| JDK Version |    Support?    |
+| ----------- | :------------: |
+| 8           |       X        |
+| 11          |       √        |
+| 17          | To be verified |
 
 ## Maven
-* 3.3 or later ( < 3.8.1 )
+
+- 3.3 or later ( < 3.8.1 )
 
 ## Docker
-* Latest
+
+- Latest
 
 ## Helm
-* Version 3
+
+- Version 3
 
 ## NodeJS
-* 14 (or later)
+
+- 14 (or later)
 
 ## Go
-| Go Version      | Support?  |
-|-----------------|:-------------:|
-| 1.15            | X |
-| 1.16            | √ |
-| 1.17            | √ |
-| 1.18 (or later) | To be verified |
+
+| Go Version      | Support? |
+| --------------- | :------: |
+| 1.15            |    X     |
+| 1.16            |    √     |
+| 1.17            |    √     |
+| 1.18 (or later) |    X     |
 
 ## Python
 
-| Python Version   | Support?  |
-| ------------- |:-------------:|
-| 3.6 (or earlier) | X |
-| 3.7  | √ |
-| 3.8  | √ |
-| 3.9  | √ |
-| 3.10 | √ |
+| Python Version   | Support? |
+| ---------------- | :------: |
+| 3.6 (or earlier) |    X     |
+| 3.7              |    √     |
+| 3.8              |    √     |
+| 3.9              |    √     |
+| 3.10             |    √     |
diff --git a/website/docs/gettingStarted/quickstart.md b/website/docs/gettingStarted/quickstart.md
@@ -42,8 +42,12 @@ Start minikube
 # You can go to https://minikube.sigs.k8s.io/docs/start/ and follow the tutorial to install minikube.
 # Then you can start kubernetes with minikube:
 minikube start --vm-driver=docker --cpus 8 --memory 8192 --kubernetes-version v1.24.12
-# Or if you want to support Pod Security Policy (https://minikube.sigs.k8s.io/docs/tutorials/using_psp), you can use the following command to start cluster
-minikube start --extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy --addons=pod-security-policy --vm-driver=docker --cpus 8 --memory 8192 --kubernetes-version v1.24.12
+
+# The version of k8s can be adjusted to the range of your current minikube. 
+# For example, minikube v1.28.0 can provide versions from v1.25.0 to v1.25.3 in k8s 1.25
+
+# Or if you want to support Pod Security Policy (https://minikube.sigs.k8s.io/docs/tutorials/using_psp) in k8s 1.21 or 1.22, you can use the following command to start cluster
+minikube start --extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy --addons=pod-security-policy --vm-driver=docker --cpus 8 --memory 8192 --kubernetes-version v1.21.2
 ```
 
 Install Istio, there are two ways to install: Command-Istioctl-based, or Helm-based
@@ -78,10 +82,18 @@ cd submarine
 2. Create necessary namespaces
 
 ```bash
+# create namespace for submarine, training, notebook and seldon-core operators
 kubectl create namespace submarine
-kubectl create namespace submarine-user-test
 kubectl label namespace submarine istio-injection=enabled
+
+# create namespace for deploying submarine-server
+kubectl create namespace submarine-user-test
 kubectl label namespace submarine-user-test istio-injection=enabled
+
+# After k8s 1.25, we can turn on PSA (Pod Security Admission) labels for namespace.
+# We use a common PSA enforcement level. If you want to use a more detailed configuration, you can refer to
+# https://kubernetes.io/docs/concepts/security/pod-security-admission/#pod-security-admission-labels-for-namespaces
+kubectl label namespace submarine-user-test 'pod-security.kubernetes.io/enforce=privileged'
 ```
 
 3. Install the submarine operator and dependencies by helm chart