-
Notifications
You must be signed in to change notification settings - Fork 460
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Helm: PodSecurityPolicy not created when templating or deploying the chart #7158
Comments
Relates to #2870 PodSecurityPolicy feature was removed from Kubernetes in v1.25 (deprecated since 1.21). That is, the chart's template renders a PSP object only for:
|
Yes, that's why I ddon't understand why the PSP is not rendered for the clusters I am working with which are all < 1.24 |
@QuantumEnigmaa could you show the output of the To double-check about the problem: are you installing / upgrading the chart to the cluster, or do you see the problem in the output of One potential thing I can think about, is that You may also check the output the |
Output of
When trying with |
With rbac:
create: true
# defaults to "false" to not render PodSecurityPolicy on kube server versions 1.24.x
forcePSPOnKubernetes124: true
type: psp @QuantumEnigmaa from the linked giantswarm/roadmap#3088, you mentioned you made it create a PSP. Do you think there something that needs fixing for this issue still? |
No it's all good, thanks a lot for your help ! |
Describe the bug
There is a
PodSecurityPolicy
template inoperations/helm/charts/mimir-distributed/templates
which creation condition is the following :In the
_helpers.tpl
file, its is defined as such :So my understanding is that if you have the following in your
values.yaml
file :then the chart should generate the
PodSecurityPolicy
(let's call it PSP) resource whenever you template it or deploy it on a Kubernetes cluster with version <= 1.25.0However, even after setting my values as shown above and templating the chart, I don't get the PSP generated. I tried using the
--api-versions 'policy/v1beta1/PodSecurityPolicy'
flag but it didn't change the result.I also tried with the
--kubeconfig
and the--dry-run
flags (note that my kubeconfig was pointing to a Kubernetes cluster having PSPs deployed) and it also didn't change the result.Moreover, I have deployed mimir on a cluster which version is <1.24.0 without changing the default
rbac
field which hascreate
set totrue
andtype: psp
and it also didn't deployed the PSP.To Reproduce
Steps to reproduce the behavior:
PodSecurityPolicy
resourceExpected behavior
I expect a
PodSecurityPolicy
resource to be created whenever I'm templating or deploying the chart with the following values :Environment
The text was updated successfully, but these errors were encountered: