Helm: PodSecurityPolicy not created when templating or deploying the chart #7158

Closed
QuantumEnigmaa opened this issue Jan 18, 2024 · 6 comments

@QuantumEnigmaa
Contributor

QuantumEnigmaa commented Jan 18, 2024

Describe the bug

There is a PodSecurityPolicy template in operations/helm/charts/mimir-distributed/templates whose creation condition is the following:

{{- if eq (include "mimir.rbac.usePodSecurityPolicy" .) "true" }}

In the _helpers.tpl file, it is defined as such:

{{- define "mimir.rbac.usePodSecurityPolicy" -}}
{{- and
      (
        or (semverCompare "< 1.24-0" (include "mimir.kubeVersion" .))
           (and (semverCompare "< 1.25-0" (include "mimir.kubeVersion" .)) .Values.rbac.forcePSPOnKubernetes124)
      )
      (and .Values.rbac.create (eq .Values.rbac.type "psp"))
-}}
{{- end -}}

So my understanding is that if you have the following in your values.yaml file:

rbac:
  create: true
  type: psp
  forcePSPOnKubernetes124: true

then the chart should generate the PodSecurityPolicy (let's call it PSP) resource whenever you template it or deploy it on a Kubernetes cluster with version <= 1.25.0.

However, even after setting my values as shown above and templating the chart, I don't get the PSP generated. I tried using the --api-versions 'policy/v1beta1/PodSecurityPolicy' flag but it didn't change the result.
I also tried with the --kubeconfig and the --dry-run flags (note that my kubeconfig was pointing to a Kubernetes cluster having PSPs deployed) and it also didn't change the result.

Moreover, I have deployed mimir on a cluster whose version is <1.24.0 without changing the default rbac field, which has create set to true and type: psp, and it also didn't deploy the PSP.

To Reproduce

Steps to reproduce the behavior:

  1. Template the chart
  2. Look for a PodSecurityPolicy resource

Expected behavior

I expect a PodSecurityPolicy resource to be created whenever I'm templating or deploying the chart with the following values:

rbac:
  create: true
  type: psp
  forcePSPOnKubernetes124: true

Environment

  • Kubernetes <=1.25.0
  • helm v3.10.1

@narqo
Contributor

narqo commented Jan 18, 2024

Relates to #2870

PodSecurityPolicy feature was removed from Kubernetes in v1.25 (deprecated since 1.21).

That is, the chart's template renders a PSP object only for:

  • kube-version < 1.24
  • kube-version = 1.24 (i.e. <1.25) when forcePSPOnKubernetes124 is set.

@QuantumEnigmaa
Contributor Author

Yes, that's why I don't understand why the PSP is not rendered for the clusters I am working with, which are all < 1.24.

@narqo
Contributor

narqo commented Jan 18, 2024

@QuantumEnigmaa could you show the output of the kubectl version?

To double-check about the problem: are you installing / upgrading the chart to the cluster, or do you see the problem in the output of helm template?

One potential thing I can think about, is that helm template might be using the client version of your kubectl as the Kubernetes version, while your client might be newer than your server. Refer to kubeVersionOverride in the chart's default values.yaml.

You may also check the output of helm template --kube-version 1.23 ....

@QuantumEnigmaa
Contributor Author

Output of kubectl version (I cut some of the output that was not interesting for this case):

Client Version: version.Info{Major:"1", Minor:"26", GitVersion:"v1.26.0", GoVersion:"go1.19.4", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v4.5.7
Server Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.16", GoVersion:"go1.20.6", Compiler:"gc", Platform:"linux/amd64"}

When trying with helm template --kube-version 1.23 I do get the resource generated so that's already good news :)

@narqo
Contributor

narqo commented Jan 19, 2024

With helm template --kube-version 1.24 ... the following chart's values should work

rbac:
  create: true
  # defaults to "false" to not render PodSecurityPolicy on kube server versions 1.24.x
  forcePSPOnKubernetes124: true
  type: psp

@QuantumEnigmaa from the linked giantswarm/roadmap#3088, you mentioned you made it create a PSP. Do you think there is something that needs fixing for this issue still?

@QuantumEnigmaa
Contributor Author

No, it's all good, thanks a lot for your help!

@narqo narqo closed this as completed Jan 22, 2024
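
The gate discussed in this thread can be modelled outside Helm to see which combinations of Kubernetes version and rbac values render a PSP. This is an added example, not code from the Mimir chart or from the participants: the function names are hypothetical, the version comparison is a simplified model of `semverCompare` with a `-0` constraint (major.minor only, pre-release and build suffixes ignored), and apart from v1.24.16 and v1.26.0 (taken from the kubectl output above) the sample versions are constructed.

```python
import re

def parse_kube_version(version):
    """Return (major, minor) from strings such as 'v1.24.16', '1.23' or 'v1.23.17-gke.100'."""
    m = re.fullmatch(
        r"v?(\d+)\.(\d+)(?:\.\d+)?(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?",
        version.strip(),
    )
    if m is None:
        raise ValueError(f"unrecognised Kubernetes version: {version!r}")
    return int(m.group(1)), int(m.group(2))

def below(version, major, minor):
    # Model of semverCompare "< MAJOR.MINOR-0": the "-0" bound sits below every
    # release and pre-release of MAJOR.MINOR.0, so only major.minor decides.
    return parse_kube_version(version) < (major, minor)

def use_pod_security_policy(kube_version, rbac):
    """Mirror of the quoted mimir.rbac.usePodSecurityPolicy condition (model, not chart code)."""
    version_ok = below(kube_version, 1, 24) or (
        below(kube_version, 1, 25) and bool(rbac.get("forcePSPOnKubernetes124"))
    )
    return bool(version_ok and rbac.get("create") and rbac.get("type") == "psp")

def decision_table(versions, rbac):
    """For each version, return (version, rendered without force flag, rendered with it)."""
    rows = []
    for v in versions:
        default = use_pod_security_policy(v, {**rbac, "forcePSPOnKubernetes124": False})
        forced = use_pod_security_policy(v, {**rbac, "forcePSPOnKubernetes124": True})
        rows.append((v, default, forced))
    return rows

# Sample inputs: v1.24.16 (server) and v1.26.0 (client) come from the thread,
# the remaining versions are constructed for illustration.
VERSIONS = ["1.23", "v1.23.17-gke.100", "1.24", "v1.24.16", "1.25.0", "v1.26.0"]
RBAC = {"create": True, "type": "psp"}

if __name__ == "__main__":
    for v, default, forced in decision_table(VERSIONS, RBAC):
        print(f"{v:18} force=false -> {default!s:5}  force=true -> {forced}")
```

The version fed to this model should be the one the chart actually evaluates, which the thread controls with `--kube-version` or `kubeVersionOverride`.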