[RFE] Add support for PodSecurityAdmissionConfigurationTemplate #1112
Comments
Anyone working on that? I noticed that setting profile So updating to 1.25 would require Without a CIS profile it will work of course, but the RKE2 default under |
Q3? This will be too late, can this issue be moved to Q2? |
I configured a PSA template manually on a RKE1 test cluster by using the Rancher UI. After the PSA template change, the next time I did a "terraform apply -refresh-only", I got an error returned by Terraform.
I think this means that if you configure a PSA template on your cluster manually by using the Rancher UI, it may cause issues with existing Terraform deployments. |
pull request #1119, maybe someone can review this. |
This would be really urgent for me cause it basically blocks us from upgrading AND using terraform, especially also cause the use of
So we either have to wait for a fix or we have to remove the cluster from tf state and manually manage them again |
QA Test Template
RKE is ready to test and RKE2 is still being worked on. Test the RKE case using this test plan and TF rc v3.1.0-rc5. Critical test case: please also verify that not setting the tfstate on previous tfp version:
tfstate with updated tfp version:
Verify no errors whatsoever are seen. Doing this will verify that the state migration logic to change the |
Ticket #1112 - Test Results - ✅ - [for RKE implementation only]
Verified w/ HA Helm on Rancher
Scenario 1 -
Scenario 2 -
Scenario 3 -
Scenario 4 -
Scenario 5 -
|
RKE test cases pass 🎉 Will close out this ticket once RKE2 has been tested + validated |
@Josh-Diamond New rc v3.1.0-rc6 has been cut for PSA on rke2 clusters, waiting on build. Will add a test template shortly, stand by |
QA Test Template
@Josh-Diamond Please test this issue using this test plan on both an RKE2 1.25 and 1.26 cluster. It might also be a good idea to provision a 1.24 cluster with Terraform, upgrade it to 1.25 and then define the PSA template and |
Ticket #1112 - Test Results - ✅ - [for RKE2/K3s implementation]
Verified with HA Helm on Rancher
Scenario 1 -
Scenario 2 -
Scenario 3 -
|
In addition to the above outlined test cases, I've verified that w/ a downstream RKE cluster, you are able to successfully update the PSA using tfp-rancher2 |
All test cases pass 🎉 closing out this issue |
Per the requested RFE, we have done
This means PSACT support for RKE and RKE2 clusters in Terraform is currently available where a user can configure an If you wish to configure PSACT in Terraform with a custom admission configuration template, an easy workaround is to create the template in Rancher and then set the template name in your Terraform config file. Plans to implement the new resource will be logged in a separate issue. |
Is your feature request related to a problem? Please describe.
Rancher v2.7.2 now comes w/ a new CRD for Pod Security Admission (PSA) Configuration Templates that can only be provisioned manually.
Describe the solution you'd like
rancher2_pod_security_admission_configuration_template
.defaultPodSecurityAdmissionConfigurationTemplateName to the rancher_cluster and rancher_cluster_v2 resources.
Describe alternatives you've considered
Additional context
SURE-6290