
Migrating From PodSecurityPolicies To PodSecurity Admission Controller

Kubernetes deprecated the PodSecurityPolicy API in v1.21 and will remove it in v1.25. With v1.23, a new feature called PodSecurity was promoted to beta. From v1.25 onwards there will be no API serving PodSecurityPolicies, so you have to clean up all existing PSPs before upgrading your cluster. Detailed migration steps are described here.

After migration, you should disable the PodSecurityPolicy admission plugin. To do so, you have to add:

admissionPlugins:
- name: PodSecurityPolicy
  disabled: true

in the spec.kubernetes.kubeAPIServer.admissionPlugins field of the Shoot resource. Please refer to the example Shoot manifest here.

The cluster can be upgraded to v1.25 only if the PodSecurityPolicy admission plugin is disabled.

⚠️ Disable the admission plugin and wait until Gardener has finished at least one Shoot reconciliation before upgrading to v1.25. This ensures that all PodSecurityPolicy-related resources deployed by Gardener have been cleaned up.

Admission Configuration For The PodSecurity Admission Plugin

If you wish to add your custom configuration for the PodSecurity plugin and your cluster version is v1.23+, you can do so in the Shoot spec under .spec.kubernetes.kubeAPIServer.admissionPlugins by adding:

admissionPlugins:
- name: PodSecurity
  config:
    apiVersion: pod-security.admission.config.k8s.io/v1beta1
    kind: PodSecurityConfiguration
    # Defaults applied when a mode label is not set.
    #
    # Level label values must be one of:
    # - "privileged" (default)
    # - "baseline"
    # - "restricted"
    #
    # Version label values must be one of:
    # - "latest" (default)
    # - specific version like "v1.24"
    defaults:
      enforce: "privileged"
      enforce-version: "latest"
      audit: "privileged"
      audit-version: "latest"
      warn: "privileged"
      warn-version: "latest"
    exemptions:
      # Array of authenticated usernames to exempt.
      usernames: []
      # Array of runtime class names to exempt.
      runtimeClasses: []
      # Array of namespaces to exempt.
      namespaces: []

If your cluster version is v1.22, use apiVersion: pod-security.admission.config.k8s.io/v1alpha1. Note that in v1.22 the PodSecurity feature gate is not enabled by default, so you have to add:

featureGates:
  PodSecurity: true

under .spec.kubernetes.kubeAPIServer. For Gardener to function properly, the kube-system namespace is also automatically added to the exemptions.namespaces list.

.spec.kubernetes.allowPrivilegedContainers in the Shoot spec

If this field is set to true, all authenticated users can use the “gardener.privileged” PodSecurityPolicy, which allows full unrestricted access to Pod features. However, the PodSecurityPolicy admission plugin is removed in Kubernetes v1.25 and PodSecurity has taken its place as its successor. Therefore, this field is no longer relevant for versions >= v1.25. If you need to set a default pod admission level for your cluster, follow this documentation.
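The rules above (PodSecurityPolicy plugin disabled before v1.25, the PodSecurity config apiVersion and feature gate matching the cluster version, kube-system added to the exemptions, allowPrivilegedContainers irrelevant from v1.25) can be run as a pre-upgrade check over a Shoot spec. This is an added example, not Gardener's own code; the Shoot spec is a constructed in-memory dict, and the finding messages are assumptions of this example.

```python
# Added example (not Gardener's code): encodes this page's migration rules as a check.
PSA_GROUP = "pod-security.admission.config.k8s.io"

def minor_version(version):
    """'1.24.3' or 'v1.24' -> 24."""
    return int(version.lstrip("v").split(".")[1])

def effective_exempt_namespaces(config):
    """Gardener adds kube-system to exemptions.namespaces automatically."""
    return sorted(set(config.get("exemptions", {}).get("namespaces", [])) | {"kube-system"})

def check_shoot(shoot):
    """Return {'errors': [...], 'warnings': [...]} for the migration described above."""
    k8s = shoot["spec"]["kubernetes"]
    minor = minor_version(k8s["version"])
    api_server = k8s.get("kubeAPIServer", {})
    plugins = {p["name"]: p for p in api_server.get("admissionPlugins", [])}
    errors, warnings = [], []
    # The PodSecurityPolicy plugin must be disabled before the v1.25 upgrade.
    if minor < 25 and plugins.get("PodSecurityPolicy", {}).get("disabled") is not True:
        errors.append("PodSecurityPolicy admission plugin is still enabled; v1.25 upgrade is blocked")
    if minor >= 25 and k8s.get("allowPrivilegedContainers") is not None:
        warnings.append("allowPrivilegedContainers has no effect on v1.25+")
    # The PodSecurity configuration must match the cluster version.
    config = plugins.get("PodSecurity", {}).get("config")
    if config is not None:
        expected = f"{PSA_GROUP}/{'v1alpha1' if minor == 22 else 'v1beta1'}"
        if config.get("apiVersion") != expected:
            errors.append(f"PodSecurity config apiVersion must be {expected} on v1.{minor}")
        if minor == 22 and not api_server.get("featureGates", {}).get("PodSecurity"):
            errors.append("v1.22 needs featureGates.PodSecurity: true under kubeAPIServer")
        if config.get("defaults", {}).get("enforce", "privileged") == "privileged":
            warnings.append("default enforce level is privileged: namespaces without a "
                            "pod-security.kubernetes.io/enforce label are unrestricted")
    return {"errors": errors, "warnings": warnings}

# Constructed sample: a v1.24 Shoot with PSP disabled and PodSecurity configured.
SAMPLE_SHOOT = {"spec": {"kubernetes": {
    "version": "1.24.8",
    "kubeAPIServer": {"admissionPlugins": [
        {"name": "PodSecurityPolicy", "disabled": True},
        {"name": "PodSecurity", "config": {
            "apiVersion": f"{PSA_GROUP}/v1beta1",
            "kind": "PodSecurityConfiguration",
            "defaults": {"enforce": "baseline", "audit": "restricted", "warn": "restricted"},
            "exemptions": {"usernames": [], "runtimeClasses": [], "namespaces": ["monitoring"]},
        }},
    ]},
}}}
```

Running check_shoot(SAMPLE_SHOOT) yields no errors or warnings, while a v1.22 Shoot that still has PSP enabled and uses the v1beta1 config without the feature gate produces three errors.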