PodSecurityPolicy deprecation

Move to PodSecurity

Kubernetes deprecated the PodSecurityPolicy API in v1.21 and will remove it in v1.25. With v1.23, a new feature called PodSecurity was promoted to beta. From v1.25 onwards, no API serves PodSecurityPolicies, so you have to clean up all existing PSPs before upgrading your cluster.

The Gardener API Server defaults the field spec.kubernetes.allowPrivilegedContainers: if the field could be removed while the PodSecurityPolicy admission plugin is still active, existing pods in the cluster that need privileges could fail.

Upgrade to Kubernetes v1.25

Steps to upgrade your EMK cluster to v1.25:

All steps can be executed from the Fuga Dashboard or with the Kubernetes command-line client kubectl.

  1. Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Controller, see Kubernetes documentation

  2. Disable PodSecurityPolicy, add the following to the shoot spec:

    spec:
      kubernetes:
        kubeAPIServer:
          admissionPlugins:
          - name: PodSecurityPolicy
            disabled: true
    
  3. Save YAML and wait for shoot to reconcile

  4. Remove the field spec.kubernetes.allowPrivilegedContainers from the shoot spec

  5. Save YAML and wait for your shoot to reconcile

  6. Upgrade Kubernetes from the Fuga Dashboard or in the shoot spec

  7. Wait for your shoot to reconcile
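A pre-flight helper for the procedure above, written in Python as an added example (it is not part of this page, of Gardener or of Fuga): it lists namespaces that still lack a PodSecurity enforce label before step 2, and edits a shoot spec held as a dict for steps 2 and 4, refusing step 4 while the PSP plugin is still enabled in the spec. The namespace sample is constructed, and the `exempt` parameter is an assumption for namespaces your PodSecurity configuration already exempts.

```python
import json

ENFORCE_LABEL = "pod-security.kubernetes.io/enforce"
PSP_PLUGIN = "PodSecurityPolicy"

# Constructed sample shaped like `kubectl get ns -o json` output (not real cluster data).
NAMESPACES_JSON = json.dumps({"items": [
    {"metadata": {"name": "default", "labels": {ENFORCE_LABEL: "baseline"}}},
    {"metadata": {"name": "payments", "labels": {}}},
    {"metadata": {"name": "kube-system"}},
]})


def namespaces_without_podsecurity(ns_json, exempt=()):
    """Step 1 check: namespaces with no PodSecurity enforce label. These would lose
    all pod admission control once the PSP plugin is disabled. `exempt` (assumed)
    names namespaces your PodSecurity configuration already exempts."""
    items = json.loads(ns_json)["items"]
    return sorted(
        ns["metadata"]["name"]
        for ns in items
        if ns["metadata"]["name"] not in exempt
        and ENFORCE_LABEL not in (ns["metadata"].get("labels") or {})
    )


def disable_psp_plugin(shoot):
    """Step 2: mark the PodSecurityPolicy admission plugin disabled in the shoot
    spec (a plain dict, e.g. parsed from `kubectl get shoot ... -o json`). Idempotent."""
    k8s = shoot.setdefault("spec", {}).setdefault("kubernetes", {})
    plugins = k8s.setdefault("kubeAPIServer", {}).setdefault("admissionPlugins", [])
    for plugin in plugins:
        if plugin.get("name") == PSP_PLUGIN:
            plugin["disabled"] = True
            break
    else:
        plugins.append({"name": PSP_PLUGIN, "disabled": True})
    return shoot


def remove_allow_privileged(shoot):
    """Step 4: drop spec.kubernetes.allowPrivilegedContainers, but only once the
    spec already has the PSP plugin disabled; while PSP is active Gardener
    re-defaults the field and privileged workloads could fail."""
    k8s = shoot["spec"]["kubernetes"]
    plugins = k8s.get("kubeAPIServer", {}).get("admissionPlugins", [])
    if not any(p.get("name") == PSP_PLUGIN and p.get("disabled") for p in plugins):
        raise RuntimeError("disable the PodSecurityPolicy admission plugin first")
    k8s.pop("allowPrivilegedContainers", None)
    return shoot
```

The guard only inspects the spec, not the cluster: the reconcile wait of step 3 still has to pass before applying the step 4 edit.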
