Skip to content
This repository has been archived by the owner on May 16, 2023. It is now read-only.

[logstash] PodSecurityPolicy - no policy/v1, deprecation since k8s 1.22+ #1643

Closed
CompuGlobalHyperMegaNet-VP opened this issue Apr 8, 2022 · 5 comments · Fixed by #1661
Closed

[logstash] PodSecurityPolicy - no policy/v1, deprecation since k8s 1.22+ #1643

CompuGlobalHyperMegaNet-VP opened this issue Apr 8, 2022 · 5 comments · Fixed by #1661
Labels
bug Something isn't working elasticsearch logstash

Comments

@CompuGlobalHyperMegaNet-VP
Copy link

Chart version:
7.17.1

Kubernetes version:
1.22+

Kubernetes provider: E.g. GKE (Google Kubernetes Engine)
EKS

Helm Version:
3.8.1

Describe the bug:
#1420
introduced this

 apiVersion: policy/v1
{{- else}}
apiVersion: policy/v1beta1
{{- end }}
kind: PodSecurityPolicy

but there is no policy/v1 for PodSecurityPolicy, this will be removed completely.
The change was done in the context of PodDisruptionBudget, which has a policy/v1, but PodSecurityPolicy has not.

Futher reading:

https://kubernetes.io/docs/reference/using-api/deprecation-guide/#psp-v125
PodSecurityPolicy in the policy/v1beta1 API version will no longer be served in v1.25, and the PodSecurityPolicy admission controller will be removed.
PodSecurityPolicy replacements are still under discussion, but current use can be migrated to 3rd-party admission webhooks now.

https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/
Kubernetes 1.21 starts the deprecation process for PodSecurityPolicy. As with all feature deprecations, PodSecurityPolicy will continue to be fully functional for several more releases. The current plan is to remove PSP from Kubernetes in the 1.25 release.

Expected behavior:
evaluate and switch to alternatives until k8s v1.25 arrives - this is just meant as a heads-up
@faruryo
Copy link
Contributor

faruryo commented Apr 24, 2022

We are unable to upgrade due to a similar problem with elasticsearch.
Is it a problem if we fix the PodSecurityPolicy one to policy/v1beta1?

@bsundsrud
Copy link

Bumping this, there is no kind: PodSecurityPolicy in apiVersion: policy/v1 which means that latest chart versions don't work. Server version here is v1.22.7-gke.1500.

@framsouza framsouza added the enhancement New feature or request label May 18, 2022
@faruryo faruryo mentioned this issue May 30, 2022
Merged
4 tasks
@Karma-Yeti
Copy link

Karma-Yeti commented Jul 7, 2022
edited
Loading

Just adding that the 6.8.22 helm chart is currently unusable on Kubernetes 1.22 due to this problem (At least in a default EKS 1.22 setup).

I unfortunately lack the technical know-how to propose a fix, but just wanted to mention it is currently affecting up-to-date Kubernetes installs such as those on AWS EKS.

@botelastic
Copy link

botelastic bot commented Oct 5, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@CompuGlobalHyperMegaNet-VP
Copy link
Author

MR still not finally approved - not stale

@botelastic botelastic bot removed the triage/stale label Oct 5, 2022
@jmlrt jmlrt added bug Something isn't working elasticsearch logstash and removed enhancement New feature or request labels Oct 6, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug Something isn't working elasticsearch logstash
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[elasticsearch][logstash]Fix PodSecurityPolicy error in v1.22 faruryo/helm-charts
6 participants
@bsundsrud @faruryo @jmlrt @framsouza @CompuGlobalHyperMegaNet-VP @Karma-Yeti