
PodSecurityPolicy deprecated in k8s 1.25 #1449

Closed
joeholley opened this issue Mar 24, 2022 · 10 comments · Fixed by #1540 or #1587
Labels
kind/bug Something isn't working

Comments

@joeholley
Collaborator

What happened:
Installing on GKE using the currently supported k8s versions displays a deprecation notice for this resource type.

What you expected to happen
Need to update these to use the new PodSecurity admission controller.
https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/2579-psp-replacement

How to reproduce it (as minimally and precisely as possible):
Start a new GKE cluster, follow the OM installation instructions.

Cloud Provider/Platform (AKS, GKE, Minikube etc.):
GKE (although any platform using k8s will display this, it's a k8s deprecation)

Open Match Release Version:
Latest (although affects previous versions too)

Install Method (yaml/helm):
Both

@joeholley joeholley added the kind/bug Something isn't working label Mar 24, 2022
@Bardin08
Contributor

At k8s 1.21+, it causes an annoying warning.

$ helm install open-match --create-namespace --namespace open-match open-match/open-match
W0427 17:59:26.949963   17468 warnings.go:70] policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
W0427 17:59:27.081508   17468 warnings.go:70] policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
W0427 17:59:31.371102   17468 warnings.go:70] policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
W0427 17:59:31.372102   17468 warnings.go:70] policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
NAME: open-match
LAST DEPLOYED: Wed Apr 27 17:59:26 2022
NAMESPACE: open-match
STATUS: deployed
REVISION: 1
TEST SUITE: None

@joeholley, maybe you know, can this impact PROD, or it's okay to ignore this warning temporarily?

@mridulji
Contributor

Hi @joeholley and OM contributors, I found this issue pod-security-admission which contains a link to documentation on migrating PSP to the Pod Security Admission controller. The thing I am still not getting is how we actually use the PSA controller in Helm, because there is a k8s apiVersion with which we create PSP objects:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy

But I haven't yet come across a similar implementation for the PSA controller, or maybe it is applied in some different way. Some resources which may be useful in resolving this issue are:

  1. https://cloud.google.com/kubernetes-engine/docs/how-to/migrate-podsecuritypolicy
  2. https://kubernetes.io/docs/concepts/security/pod-security-admission/
  3. https://kubernetes.io/docs/concepts/security/pod-security-standards/
  4. https://cloud.google.com/kubernetes-engine/docs/how-to/podsecurityadmission

PS - Currently GKE's stable Kubernetes version is 1.21, and going forward with version 1.23, the Pod Security Admission controller will be available to replace PSP.

@mikeseese
Contributor

mikeseese commented Dec 7, 2022

PodSecurityPolicy was removed in Kubernetes v1.25+, so installing via Helm fails (I'm guessing other methods of installation also fail). Since 1.25 (Aug 2022), this is no longer a nuisance warning, but an installation failure.

Error: INSTALLATION FAILED: unable to build kubernetes objects from release manifest: [resource mapping not found for name: "open-match-redis-podsecuritypolicy" namespace: "open-match" from "": no matches for kind "PodSecurityPolicy" in version "policy/v1beta1"
ensure CRDs are installed first, resource mapping not found for name: "open-match-core-podsecuritypolicy" namespace: "open-match" from "": no matches for kind "PodSecurityPolicy" in version "policy/v1beta1"
ensure CRDs are installed first]

I'm using Docker Desktop on Windows 11 with the WSL2 engine and Kubernetes enabled via Docker Desktop. Kubernetes is v1.25.2.

@syntxerror
Contributor

Hi @seesemichaelj. We are aware of it and have been migrating to Pod Security Admission Controller. Expect this to be resolved in the upcoming week.

@mikeseese
Contributor

Awesome! Thanks!

@feliperyan

Hey @seesemichaelj has work been done on this one yet?

@mikeseese
Contributor

@feliperyan I haven't done any work on it, but I'm not sure about the team's progress.

@feliperyan

feliperyan commented Dec 22, 2022

Thanks for getting back to me @seesemichaelj ,

IMHO the tl;dr is:
Remove PSP altogether. Use PSA to assign an enforce=baseline level of security to the namespace. Assume a naïve deployment for Redis and de-scope trying to make it super performant from this project.

I'm no expert on Kubernetes security but I did some digging today and it seems like there are a few moving parts:

  1. Pod Security Policy (PSP) is deprecated. Pod Security Admission (PSA) has replaced it; it's simpler but more limited.

  2. PSP is being used for 2 reasons:

    1. For the Redis pods: Allow privileged, the "unsafe" sysctl to increase net.core.somaxconn and disable transparent huge pages for Redis.
    2. For everything else, make sure that nothing runs privileged, restrict port ranges being used and allow chown.
  3. PSA wants to apply pod security to a whole namespace on a pretty coarse 3-tier level. There's no easy way to (within the same namespace) allow "god mode" for Redis and "safe mode" for the rest.

  4. The most relevant PSA sec tier seems to be baseline as described here. It'll prevent privileged, allow chown etc.

  5. I think restricting hostPorts would take a custom "validating admission webhook", a 3rd party tool, or a similar effect could be achieved with NetworkPolicies.

Happy holidays 🎄 !
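Putting mridulji's question (what replaces the `policy/v1beta1 PodSecurityPolicy` object in the chart) together with feliperyan's enforce=baseline suggestion: PSA has no resource kind of its own; it is switched on per namespace with `pod-security.kubernetes.io/*` labels, so a chart ships (or documents) namespace labels instead of PSP objects. The manifest below is an added illustration and not code from the Open Match chart; the namespace name comes from the thread, while the Redis pod, its image tag and the sysctl value are constructed to show what baseline rejects.

```yaml
# Added example, not from the Open Match chart: Pod Security Admission is
# configured by labelling the namespace; there is no object to "apply".
apiVersion: v1
kind: Namespace
metadata:
  name: open-match
  labels:
    # Reject pods that violate the baseline profile: privileged containers,
    # hostPID/hostNetwork/hostIPC, unsafe sysctls such as net.core.somaxconn,
    # dangerous capabilities. Baseline still permits CHOWN, which the
    # non-Redis components need.
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: latest
    # Do not block on the stricter profile yet, but surface its violations as
    # admission warnings and audit annotations so a later move is visible.
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
# Constructed Redis pod resembling what the old PSP permitted. Under
# "enforce: baseline" the API server rejects it at admission: net.core.somaxconn
# is not in the kubelet's safe-sysctl allowlist and privileged=true is forbidden.
# Image tag and sysctl value are assumptions for illustration.
apiVersion: v1
kind: Pod
metadata:
  name: redis-example
  namespace: open-match
spec:
  securityContext:
    sysctls:
      - name: net.core.somaxconn   # unsafe sysctl, denied by baseline
        value: "1024"
  containers:
    - name: redis
      image: redis:7               # assumed tag
      securityContext:
        privileged: true           # denied by baseline
```

With the warn label set, `kubectl apply --dry-run=server` on a pod manifest reports the restricted-profile findings before anything is changed, which is a cheap way to see how far each component is from the stricter tier.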

@janLindner

janLindner commented Feb 2, 2023

Hey @syntxerror, @seesemichaelj :) How is the current status and progress of the transition from PSP to PSA?

@mikeseese
Contributor

mikeseese commented Jul 31, 2023

As of now, it seems we're waiting for a v1.8.0 release to get #1540 released. Since k8s 1.24.x is getting EOL/End of Support on some cloud providers, I went ahead and published a personal v1.7.1 that includes the latest changes from main (98e7a02). I've tested this on a local k3s cluster running v1.27.3 and a DigitalOcean cluster running v1.27.4.

repo: https://incantagames.github.io/open-match/chart
chart: open-match
version: 1.7.1
The containers the chart uses can be found here: https://github.com/orgs/IncantaGames/packages?tab=packages&q=openmatch

@joeholley joeholley linked a pull request Aug 17, 2023 that will close this issue