PSP Deprecation on Vintage #2533
Comments
Check with Shield on the state of their kyverno rollout
Kyverno is rolled out with policies in
Overview of Apps Turtles need to fix
Based on This Dashboard for the set of workloads owned by Turtles defined in This Doc
|
Investigate and document what effect this deprecation and new component will have for our V1.25.0 rollout
|
ISSUE Check that the
|
I am moving this to blocked since
Once that is done and deployed everywhere we can proceed with the removal of PSP in 1.24 clusters and then start testing upgrade to 1.25 |
As discussed in Slack, we will focus on vintage and not worry about CAPI for now; this means the task is easier and can be summarized in for Vintage MC and WC
I will put this in blocked until we are ready to start removing PSPs |
The compatibility matrix lays out the current understanding of when to use PSP vs Kyverno: https://github.com/giantswarm/security-bundle#compatibility-matrix Basically, GS v20 == k8s v1.25 == kyverno in enforce mode, use security bundle v1.0.0 or above |
@stone-z, @alex-dabija, @T-Kukawka and I had a meeting about the PSP Migration Plan and here are the notes for it:
|
Closing the issue for now. From turtles side we updated all apps/components to prepare for PSS |
Motivation
With the upgrade to Kubernetes 1.25.0, PodSecurityPolicy is being deprecated and we need to replace it. For the replacement we already decided to go for Kyverno, which is owned by Shield. Here we need to clarify and moderate that this is already rolled out everywhere and we are safe to get rid of PSP with the upgrade.
Todo
Related Issues
Outcome