Unable to deploy Applications using Helm Chart due to PodSecurityPolicy kind removal in Kubernetes version 1.23
Environment
- Red Hat OpenShift Dedicated. (OSD)
- Red Hat OpenShift Service on AWS. (ROSA)
Issue
- Unable to deploy Helm chart applications after the PodSecurityPolicy kind was removed in Kubernetes v1.23. While trying to deploy a Grafana instance using its Helm chart, the install fails with the error below:
$ helm install grafana-pf -n grafana-pf -f values.yaml grafana/grafana --version=6.32.9
I0522 11:33:13.509933 12775 request.go:601] Waited for 1.187202958s due to client-side throttling, not priority and fairness, request: GET:https://api.ap-cp-001.azc0.p1.openshiftapps.com:6443/apis/automation.ibm.com/v1alpha1?timeout=32s
Error: INSTALLATION FAILED: unable to build kubernetes objects from release manifest: [resource mapping not found for name: "grafana-pf" namespace: "" from "": no matches for kind "PodSecurityPolicy" in version "extensions/v1beta1"
ensure CRDs are installed first, resource mapping not found for name: "grafana-pf-test" namespace: "" from "": no matches for kind "PodSecurityPolicy" in version "policy/v1beta1"
ensure CRDs are installed first]
Resolution
- Apply the Pod Security Admission labels to the namespace where the deployment takes place; this changes the pod security level enforced in that namespace. Note that enforce=privileged switches enforcement off for the whole namespace, so prefer the least permissive level (baseline or restricted) under which the chart's pods can still run:
$ oc label ns/<NAME> pod-security.kubernetes.io/enforce=privileged
$ oc label ns/<NAME> pod-security.kubernetes.io/enforce-version=v1.24
Root Cause
As of Kubernetes version 1.23, Pod Security Admission is a built-in admission controller that enforces the Pod Security Standards and can be used to apply hardening policies in the cluster. It sets a consistent baseline by simply adding labels to a Kubernetes namespace, and it replaces the (now deprecated) Pod Security Policies as the way to enforce these restrictions.
There are three different standards available with the built-in pod security admission controller, as described in the docs:
- Privileged: Unrestricted policy, providing the broadest possible level of permissions. This policy allows for known privilege escalations.
- Baseline: A minimally restrictive policy that prevents known privilege escalations. Allows the default (minimally specified) Pod configuration.
- Restricted: Heavily restricted policy, following current Pod hardening best practices.
Once the appropriate Pod Security Standards labels are set on the namespace, these errors no longer appear.
Diagnostic Steps
- Check the namespace YAML definition to see whether the pod-security.kubernetes.io/enforce=privileged and pod-security.kubernetes.io/enforce-version=v1.24 labels are in place. In the example below only the audit and warn labels are set, so no enforce level is configured:
$ oc get ns/test-space -oyaml
apiVersion: v1
kind: Namespace
metadata:
  annotations:
    openshift.io/sa.scc.mcs: s0:c47,c39
    openshift.io/sa.scc.supplemental-groups: 1002240000/10000
    openshift.io/sa.scc.uid-range: 1002240000/10000
  creationTimestamp: "2023-05-22T10:32:50Z"
  labels:
    kubernetes.io/metadata.name: grafana-pf
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/audit-version: v1.24
    pod-security.kubernetes.io/warn: privileged
    pod-security.kubernetes.io/warn-version: v1.24
  name: test-space
  resourceVersion: "558045767"
  uid: 739300d1-3512-462d-8a83-746c4d7145ed
spec:
  finalizers:
  - kubernetes
status:
  phase: Active
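Two offline checks that go with the error and the diagnostic step above, as an added example that is not part of this Red Hat solution: find_psp scans a rendered chart (the kind of output helm template produces) for PodSecurityPolicy objects, which is what the "no matches for kind" error is complaining about, and psa_level reads the pod-security.kubernetes.io labels off a namespace manifest to show which admission modes are set. The manifest and namespace snippets are constructed to mirror the article's error message and oc output.

```shell
# Added example, not from the Red Hat article: two offline checks for the failure above.
# Inputs are constructed to mirror the article's error message and namespace output.

MANIFEST='---
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: grafana-pf
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: grafana-pf-test
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: grafana-pf
spec:
  template:
    metadata:
      name: grafana-pf-pod
'

NS_YAML='metadata:
  labels:
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/audit-version: v1.24
    pod-security.kubernetes.io/warn: privileged
  name: test-space
'

# find_psp MANIFEST: print "apiVersion name" for every PodSecurityPolicy document in a multi-document manifest.
find_psp() {
  printf '%s\n' "$1" | awk '
    function emit() { if (kind == "PodSecurityPolicy") print api, name; api = kind = name = ""; meta = 0 }
    /^---/             { emit(); next }
    /^apiVersion:/     { api = $2 }
    /^kind:/           { kind = $2 }
    /^metadata:/       { meta = 1; next }
    /^[^ ]/            { meta = 0 }
    meta && /^  name:/ { name = $2 }
    END                { emit() }'
}

# psa_level MODE NS_YAML: value of the pod-security.kubernetes.io/MODE label, or "unset" when absent.
psa_level() {
  lvl=$(printf '%s\n' "$2" | sed -n "s|^ *pod-security.kubernetes.io/$1: *\([^ ]*\) *\$|\1|p" | head -n 1)
  printf '%s\n' "${lvl:-unset}"
}
```

An unset or privileged enforce level means admission blocks nothing in that namespace, so the PodSecurityPolicy objects listed by find_psp are the real reason the release cannot be built, not a pod that was rejected.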