charts: note on PSP deprecation, check k8s version if using PSP, migr…

…ate to proper usage of seccompProfile Change-Id: I199f0a141302a39f60beee388f3aa6a17a6bd715
Checkmk · Aug 29, 2023 · 924fd59 · 924fd59
1 parent c6506d7
commit 924fd59
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 4 deletions.
diff --git a/deploy/charts/checkmk/templates/cluster-collector-psp.yaml b/deploy/charts/checkmk/templates/cluster-collector-psp.yaml
@@ -1,4 +1,7 @@
 {{- if .Values.rbac.pspEnabled }}
+{{- if ge (int .Capabilities.KubeVersion.Minor) 25 }}
+{{- fail "PodSecurityPolicies (PSPs) were deprecated in Kubernetes v1.21, and removed from Kubernetes in v1.25. Please make sure to disable PSPs." }}
+{{- end }}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy

diff --git a/deploy/charts/checkmk/templates/node-collector-container-metrics-psp.yaml b/deploy/charts/checkmk/templates/node-collector-container-metrics-psp.yaml
@@ -1,4 +1,7 @@
 {{- if .Values.rbac.pspEnabled }}
+{{- if ge (int .Capabilities.KubeVersion.Minor) 25 }}
+{{- fail "PodSecurityPolicies (PSPs) were deprecated in Kubernetes v1.21, and removed from Kubernetes in v1.25. Please make sure to disable PSPs." }}
+{{- end }}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy

diff --git a/deploy/charts/checkmk/templates/node-collector-machine-sections-psp.yaml b/deploy/charts/checkmk/templates/node-collector-machine-sections-psp.yaml
@@ -1,4 +1,7 @@
 {{- if .Values.rbac.pspEnabled }}
+{{- if ge (int .Capabilities.KubeVersion.Minor) 25 }}
+{{- fail "PodSecurityPolicies (PSPs) were deprecated in Kubernetes v1.21, and removed from Kubernetes in v1.25. Please make sure to disable PSPs." }}
+{{- end }}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy

diff --git a/deploy/charts/checkmk/values.yaml b/deploy/charts/checkmk/values.yaml
@@ -29,6 +29,8 @@ image:
   tag: "main_2022.03.02" # main_<YYYY.MM.DD>
 
 rbac:
+  # PodSecurityPolicies (PSPs) were deprecated in Kubernetes v1.21, and removed from Kubernetes in v1.25.
+  # This section will be removed as soon as we do not support versions below v1.25 anymore.
   pspEnabled: false
   pspAnnotations:
     ## Specify psp annotations
@@ -87,13 +89,14 @@ clusterCollector:
   # can be: "debug", "info", "warning" (default), "critical"
   logLevel: warning
 
-  podAnnotations:
-    seccomp.security.alpha.kubernetes.io/pod: runtime/default
+  podAnnotations: {}
 
   podSecurityContext: {}
     # fsGroup: 2000
 
   securityContext:
+    seccompProfile:
+      type: RuntimeDefault
     allowPrivilegeEscalation: false
     capabilities:
       drop:
@@ -162,8 +165,7 @@ nodeCollector:
   minReadySeconds: 15
 
   # Annotations to be added to node-collector pods
-  podAnnotations:
-    seccomp.security.alpha.kubernetes.io/pod: runtime/default
+  podAnnotations: {}
 
   podSecurityContext: {}
     # fsGroup: 2000
@@ -201,6 +203,8 @@ nodeCollector:
       - "--storage_duration=1m0s"
 
     securityContext:
+      seccompProfile:
+        type: RuntimeDefault
       allowPrivilegeEscalation: false
       capabilities:
         drop:
@@ -223,6 +227,8 @@ nodeCollector:
       pullPolicy: IfNotPresent
 
     securityContext:
+      seccompProfile:
+        type: RuntimeDefault
       allowPrivilegeEscalation: false
       capabilities:
         drop:
@@ -247,6 +253,8 @@ nodeCollector:
       pullPolicy: IfNotPresent
 
     securityContext:
+      seccompProfile:
+        type: RuntimeDefault
       allowPrivilegeEscalation: false
       capabilities:
         drop: