Installing Kubecost on K8s v1.25 clusters fails due to PodSecurityPolicy #1773
+1. Was coming to create a bug too.
My suggestion is we document and make clear the workaround for v1.98 and implement it seamlessly in v1.99 since we probably need to give folks adequate warning before turning off PSPs, and most people on cloud providers are not yet on v1.25.
We've also had a request that we place PSPs with SecurityContext constraints where appropriate, but I'm not sure how applicable they are -- I'm not familiar with our existing PSPs. Just noting for the record! Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ cc @srpomeroy
There is also an alternative workaround that (might?) not disable Grafana in the process:

```bash
helm upgrade \
  -i \
  --create-namespace kubecost \
  kubecost/cost-analyzer \
  --namespace kubecost \
  --version "1.98.0-rc.3" \
  --set "podSecurityPolicy.enabled=false" \
  --set "networkCosts.podSecurityPolicy.enabled=false" \
  --set "prometheus.podSecurityPolicy.enabled=false" \
  --set "grafana.rbac.pspEnabled=false"
```

Haven't tested personally yet.
I have and it works well. Thanks.
Installation of Kubecost on Kubernetes 1.25 still fails when installing without Helm:
Thanks for this heads up @zioproto, I think we generate that file from a template where we assume we're on helm less than 1.25. Let's modify the template.
To reproduce
Create a K8s v1.25 cluster with K3d:
Confirm version:
Try to install the latest version of Kubecost (v1.98.0-rc.3):
```bash
helm upgrade \
  -i \
  --create-namespace kubecost \
  kubecost/cost-analyzer \
  --namespace kubecost \
  --version "1.98.0-rc.3"
```

```
Error: unable to build kubernetes objects from release manifest: unable to recognize "": no matches for kind "PodSecurityPolicy" in version "policy/v1beta1"
```
Expected behavior
Kubecost installs successfully on the K8s v1.25 cluster without any modification to default values.
Workaround
This can be worked around by disabling PSPs. Unfortunately, Grafana also must be disabled to remove its PSP.
Note that the Grafana proxy option has to be disabled because otherwise the Kubecost frontend container errors out due to the Grafana upstream being unavailable.
Fix ideas
cost-analyzer-helm-chart/cost-analyzer/charts/grafana/templates/podsecuritypolicy.yaml
Lines 1 to 4 in 56b880c
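
A pre-flight check for the failure reported in this issue, added here as an example and not taken from the issue or the Kubecost chart: it lists which rendered templates still emit a `policy/v1beta1` PodSecurityPolicy, so the effect of the `--set` workarounds can be confirmed before installing. The function names and the sample manifest are constructed; it relies on the `# Source:` comment lines that `helm template` writes before each document.

```bash
#!/usr/bin/env bash
# Pre-flight check for the PodSecurityPolicy install failure on Kubernetes v1.25.

# psp_served: stdin is `kubectl api-resources --api-group=policy -o name`.
# Succeeds only if the cluster still serves PodSecurityPolicy.
psp_served() { grep -qxF 'podsecuritypolicies.policy'; }

# find_psp: stdin is `helm template` output. Prints the "# Source:" path of each
# document whose top-level apiVersion/kind is policy/v1beta1 PodSecurityPolicy.
# Indented (nested) kind: fields, such as roleRef.kind, are ignored.
find_psp() {
  awk '
    function val(s) { gsub(/"/, "", s); return s }
    function emit() {
      if (api == "policy/v1beta1" && kind == "PodSecurityPolicy")
        print (src == "" ? "(unknown source)" : src)
      api = ""; kind = ""
    }
    /^---/          { emit(); src = ""; next }
    /^[#] Source: / { src = substr($0, 11); next }
    /^apiVersion:/  { if (api == "") api = val($2) }
    /^kind:/        { if (kind == "") kind = val($2) }
    END             { emit() }
  '
}

# Constructed sample of rendered output; only the Grafana path is from the issue.
sample_render() {
  cat <<'EOF'
---
# Source: example-chart/templates/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
roleRef:
  kind: ClusterRole
---
# Source: cost-analyzer/charts/grafana/templates/podsecuritypolicy.yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
---
# Source: example-chart/templates/pdb.yaml
apiVersion: "policy/v1"
kind: PodDisruptionBudget
EOF
}

# Live use (needs kubectl and helm); any path printed will fail on v1.25:
#   kubectl api-resources --api-group=policy -o name | psp_served ||
#     helm template kubecost kubecost/cost-analyzer --version "1.98.0-rc.3" | find_psp
sample_render | find_psp
```

Appending the same `--set` flags from the workaround to the `helm template` command should leave the output empty if every PSP, including Grafana's, is actually disabled.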