From 06628d67e79af4a2b0ffb9c44aa3f35053d3e8ec Mon Sep 17 00:00:00 2001 From: Dimitar Dimitrov Date: Mon, 26 Jun 2023 15:58:59 +0200 Subject: [PATCH 1/2] Helm: don't render PodSecurityPolicy on kubernetes 1.24 and above unless forced Signed-off-by: Dimitar Dimitrov --- .../helm/charts/mimir-distributed/templates/_helpers.tpl | 8 +++++++- operations/helm/charts/mimir-distributed/values.yaml | 5 ++++- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/operations/helm/charts/mimir-distributed/templates/_helpers.tpl b/operations/helm/charts/mimir-distributed/templates/_helpers.tpl index 31cfd9d6a54..ab7f61b1331 100644 --- a/operations/helm/charts/mimir-distributed/templates/_helpers.tpl +++ b/operations/helm/charts/mimir-distributed/templates/_helpers.tpl @@ -477,7 +477,13 @@ Get the no_auth_tenant from the configuration Return if we should create a PodSecurityPolicy. Takes into account user values and supported kubernetes versions. */}} {{- define "mimir.rbac.usePodSecurityPolicy" -}} -{{- and (semverCompare "< 1.25-0" (include "mimir.kubeVersion" .)) (and .Values.rbac.create (eq .Values.rbac.type "psp")) -}} +{{- and + ( + or (semverCompare "< 1.24-0" (include "mimir.kubeVersion" .)) + (and (semverCompare "< 1.25-0" (include "mimir.kubeVersion" .)) .Values.rbac.forcePSPOnKubernetes124) + ) + (and .Values.rbac.create (eq .Values.rbac.type "psp")) +-}} {{- end -}} {{/* diff --git a/operations/helm/charts/mimir-distributed/values.yaml b/operations/helm/charts/mimir-distributed/values.yaml index 013d2e32ce3..96a44774d44 100644 --- a/operations/helm/charts/mimir-distributed/values.yaml +++ b/operations/helm/charts/mimir-distributed/values.yaml 
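Review bot: The added `or` branch evaluates `include "mimir.kubeVersion" .` twice, and the comment above the define (`Takes into account user values and supported kubernetes versions.`) no longer describes the `forcePSPOnKubernetes124` escape hatch that the second `semverCompare "< 1.25-0"` introduces. I'd hoist the version once at the top of the define, `{{- $kubeVersion := include "mimir.kubeVersion" . -}}`, use `$kubeVersion` in both `semverCompare` calls, and extend the comment to state that on Kubernetes 1.24 the PodSecurityPolicy is rendered only when `.Values.rbac.forcePSPOnKubernetes124` is true and never on 1.25 and above, where the PodSecurityPolicy API is removed. The multi-line `{{- and ... -}}` action also relies on newlines being accepted inside a template action, which older Go text/template and Helm releases rejected; if the chart still supports such a Helm version, keep the expression on one line or note the requirement in the comment. The `{{/* ... */}}` comment block that ends at `*/}}` opens before this hunk.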
@@ -415,7 +415,10 @@ runtimeConfig: {} # RBAC configuration rbac: create: true - # For GKE/EKS/AKS use 'type: psp'. For OpenShift use 'type: scc' + # -- If true, PodSecurityPolicy will be rendered by the chart on Kuberentes 1.24. + # By default the PodSecurityPolicy is not rendered on version 1.24. + forcePSPOnKubernetes124: false + # -- For GKE/EKS/AKS use 'type: psp'. For OpenShift use 'type: scc' type: psp # -- podSecurityContext is the default pod security context for Mimir, GEM, gateway, and cache components. # When installing on OpenShift, override podSecurityContext settings with From 6d247efce6d88b81cda2acc14444b1694bc749ed Mon Sep 17 00:00:00 2001 From: Dimitar Dimitrov Date: Mon, 26 Jun 2023 16:04:42 +0200 Subject: [PATCH 2/2] Add CHANGELOG.md entry Signed-off-by: Dimitar Dimitrov --- operations/helm/charts/mimir-distributed/CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/operations/helm/charts/mimir-distributed/CHANGELOG.md b/operations/helm/charts/mimir-distributed/CHANGELOG.md index 4f6736cd75a..9407855e6e7 100644 --- a/operations/helm/charts/mimir-distributed/CHANGELOG.md +++ b/operations/helm/charts/mimir-distributed/CHANGELOG.md @@ -28,6 +28,7 @@ Entries should include a reference to the Pull Request that introduced the chang ## main / unreleased +* [CHANGE] Don't render PodSecurityPolicy on Kubernetes >=1.24. (was >= 1.25). This helps with upgrades between 1.24 and 1.25. To use a PSP in 1.24, toggle `rbac.forcePSPOnKubernetes124: true`. #5357 * [ENHANCEMENT] Ruler: configure the ruler storage cache when the metadata cache is enabled. #5326 ## 4.5.0
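Review bot: The new comment on `forcePSPOnKubernetes124` misspells Kubernetes (`Kuberentes 1.24`), and since the `# --` prefix is presumably the helm-docs marker, the typo would be copied into generated documentation. The comment also omits that the value has no effect on 1.25 and above and only matters with `type: psp`. I'd replace the two new comment lines with `# -- If true, the PodSecurityPolicy is rendered by the chart on Kubernetes 1.24 as well. Only used with 'type: psp'.` and `# By default it is rendered only on versions below 1.24; it is never rendered on 1.25 and above, where the API is removed.` The `rbac` mapping continues past the end of the hunk.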