[DDO-3475] Attempting to Fix TDR in Bees following upgrade to GKE 1.25 #249
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
nmalfroy
approved these changes
Feb 12, 2024
nmalfroy
reviewed
Feb 12, 2024
| {{- if .Values.rbac.pspEnabled -}} | ||
| ======= | ||
| {{- if .Values.rbac.create | and .Values.pspEnabled -}} | ||
| >>>>>>> 43912b03 (separate values) |
There was a problem hiding this comment.
looks like the conflict got merged?
There was a problem hiding this comment.
I'm cleaning it up, thanks!
okotsopoulos
approved these changes
Feb 12, 2024
choover-broad
changed the title
okotsopoulos
added a commit
that referenced
this pull request
Mar 6, 2024
…cies This is a follow-on to #249 which only made the necessary changes for TDR Bees to be compatible with GKE 1.25. TDR Bees don't use the gcloud-sqlproxy, and the existing rbac.create flag enabled more than just resources associated with PodSecurityPolicies, so I've added an additional rbac.pspEnabled flag to toggle only those resources without impacting other necessary operations (such as SA creation). Defaulted this value to true to keep existing behavior the same: we will then disable it for each environment, and likely cut it out altogether once everything is stable. Bumped the gcloud-sqlproxy chart patch version.
okotsopoulos
added a commit
that referenced
this pull request
Mar 6, 2024
…sqlproxy-psp-flag [PROD-934] TDR gcloud-sqlproxy conditionally disables PodSecurityPolicies This is a follow-on to #249 which only made the necessary changes for TDR Bees to be compatible with GKE 1.25. TDR Bees don't use the gcloud-sqlproxy, and the existing rbac.create flag enabled more than just resources associated with PodSecurityPolicies, so I've added an additional rbac.pspEnabled flag to toggle only those resources without impacting other necessary operations (such as SA creation). Defaulted this value to true to keep existing behavior the same. We will then disable it for each environment starting with Dev in terra-helmfile, and likely cut it out altogether once everything is stable.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The old rbac enabled flag wrapped both both pod security policy associated resources and also tdr's permission to talk to the k8s api. This separates them so that we can disable pod security policy without breaking tdrs ability to talk to k8s.
All bee creations are currently failing because of this.