Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

[logstash] PodSecurityPolicy - no policy/v1, deprecation since k8s 1.22+

See original GitHub issue

Chart version: 7.17.1

Kubernetes version: 1.22+

Kubernetes provider: E.g. GKE (Google Kubernetes Engine) EKS

Helm Version: 3.8.1

Describe the bug: https://github.com/elastic/helm-charts/pull/1420 introduced this

 apiVersion: policy/v1
{{- else}}
apiVersion: policy/v1beta1
{{- end }}
kind: PodSecurityPolicy

but there is no policy/v1 for PodSecurityPolicy, this will be removed completely. The change was done in the context of PodDisruptionBudget, which has a policy/v1, but PodSecurityPolicy has not.

Futher reading:

https://kubernetes.io/docs/reference/using-api/deprecation-guide/#psp-v125 PodSecurityPolicy in the policy/v1beta1 API version will no longer be served in v1.25, and the PodSecurityPolicy admission controller will be removed. PodSecurityPolicy replacements are still under discussion, but current use can be migrated to 3rd-party admission webhooks now.

https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/ Kubernetes 1.21 starts the deprecation process for PodSecurityPolicy. As with all feature deprecations, PodSecurityPolicy will continue to be fully functional for several more releases. The current plan is to remove PSP from Kubernetes in the 1.25 release.

Expected behavior: evaluate and switch to alternatives until k8s v1.25 arrives - this is just meant as a heads-up

Issue Analytics

State:
Created a year ago
Reactions:5
Comments:5 (1 by maintainers)

Top GitHub Comments

4reactions

bsundsrudcommented, May 9, 2022

Bumping this, there is no kind: PodSecurityPolicy in apiVersion: policy/v1 which means that latest chart versions don’t work. Server version here is v1.22.7-gke.1500.

2reactions

Karma-Yeticommented, Jul 7, 2022

Just adding that the 6.8.22 helm chart is currently unusable on Kubernetes 1.22 due to this problem (At least in a default EKS 1.22 setup).

I unfortunately lack the technical know-how to propose a fix, but just wanted to mention it is currently affecting up-to-date Kubernetes installs such as those on AWS EKS.

Top Results From Across the Web

PodSecurityPolicy Deprecation: Past, Present, and Future

PodSecurityPolicy (PSP) is being deprecated in Kubernetes 1.21, to be released later this week. This starts the countdown to its removal, ...

plans for podSecurityPolicy given deprecated status #1420

Pod security polices are deprecated since 1.21. However, k0s still allows configuring a default PodSecurityPolicy and the security model seems to depend on ......

Kubernetes 1.22 - What's new? - New features and deprecations

If declared, a newly created Pod won't be considered available until their containers stay ready without crashing for the specified number of ...

Package v1beta1 contains API schema definitions for ... - Elastic

MaxUnavailable is the maximum number of pods that can be unavailable (not ready) during the update due to circumstances under the control of...

PodSecurityPolicy deprecation | Google Kubernetes Engine ...

As of Kubernetes version 1.21, PodSecurityPolicy (beta) is deprecated. The Kubernetes project aims to shut the feature down in version 1.25.