Kubernetes has deprecated the PodSecurityPolicy
API in v1.21
and it will be removed in v1.25
. With v1.23
, a new feature called PodSecurity
was promoted to beta. From v1.25
onwards, there will be no API serving PodSecurityPolicy
s, so you have to cleanup all the existing PSPs before upgrading your cluster. Detailed migration steps are described in Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Controller.
After migration, you should disable the PodSecurityPolicy
admission plugin. To do so, you have to add:
admissionPlugins:
- name: PodSecurityPolicy
disabled: true
in spec.kubernetes.kubeAPIServer.admissionPlugins
field in the Shoot
resource. Please refer the example Shoot
manifest in 90-shoot.yaml.
Only if the PodSecurityPolicy
admission plugin is disabled the cluster can be upgraded to v1.25
.
⚠️ You should disable the admission plugin and wait until Gardener finishes at least oneShoot
reconciliation before upgrading tov1.25
. This is to make sure all thePodSecurityPolicy
related resources deployed by Gardener are cleaned up.
If you wish to add your custom configuration for the PodSecurity
plugin and your cluster version is v1.23+
, you can do so in the Shoot spec under .spec.kubernetes.kubeAPIServer.admissionPlugins
by adding:
admissionPlugins:
- name: PodSecurity
config:
apiVersion: pod-security.admission.config.k8s.io/v1
kind: PodSecurityConfiguration
# Defaults applied when a mode label is not set.
#
# Level label values must be one of:
# - "privileged" (default)
# - "baseline"
# - "restricted"
#
# Version label values must be one of:
# - "latest" (default)
# - specific version like "v1.25"
defaults:
enforce: "privileged"
enforce-version: "latest"
audit: "privileged"
audit-version: "latest"
warn: "privileged"
warn-version: "latest"
exemptions:
# Array of authenticated usernames to exempt.
usernames: []
# Array of runtime class names to exempt.
runtimeClasses: []
# Array of namespaces to exempt.
namespaces: []
pod-security.admission.config.k8s.io/v1
configuration requires v1.25
+. For v1.23
and v1.24
, use pod-security.admission.config.k8s.io/v1beta1
. For v1.22
, use pod-security.admission.config.k8s.io/v1alpha1
.
Also note that in v1.22
, the feature gate PodSecurity
is not enabled by default. You have to add:
featureGates:
PodSecurity: true
under .spec.kubernetes.kubeAPIServer
.
For proper functioning of Gardener, kube-system
namespace will also be automatically added to the exemptions.namespaces
list.
If this field is set to true
, then all authenticated users can use the "gardener.privileged" PodSecurityPolicy
, allowing full unrestricted access to Pod features. However, the PodSecurityPolicy
admission plugin is removed in Kubernetes v1.25
and PodSecurity
has taken its place as its successor. Therefore, this field doesn't have any relevance in versions >= v1.25
anymore. If you need to set a default pod admission level for your cluster, follow this documentation.
Note: You should remove this field from the
Shoot
spec forv1.24
clusters only after migrating to the newPodSecurity
admission controller, i.e. after disabling the oldPodSecurityPolicy
admission plugin (see Migrating fromPodSecurityPolicy
s to PodSecurity Admission Controller). Otherwise the field is defaulted by the Gardener API Server. This is intentional because if we allow the field to be removed whenPodSecurityPolicy
admission plugin is active, the existing pods running in the cluster which need privileges can fail.