Unable to upgrade downstream cluster from kubernetes 1.24 to 1.25 du to PSP-issue

Elling · July 26, 2024, 8:43am

When trying to upgrade a downstream-cluster from v1.24.17-rancher1-1 to v1.25.16-rancher2-3 we get the error admission webhook “rancher.cattle.io.clusters.management.cattle.io” denied the request: cannot enable PodSecurityPolicy(PSP) or use PSP Template in cluster which k8s version is 1.25 and above

The following is the cluster-yaml we are trying to apply;


answers: {}
default_pod_security_admission_configuration_template_name: rancher-privileged
docker_root_dir: /var/lib/docker
enable_cluster_alerting: false
enable_cluster_monitoring: false
enable_network_policy: true
fleet_workspace_name: fleet-nogi
local_cluster_auth_endpoint:
  enabled: true
name: nogi-staging
rancher_kubernetes_engine_config:
  addon_job_timeout: 45
  authentication:
    strategy: x509|webhook
  authorization: {}
  bastion_host:
    ignore_proxy_env_vars: false
    ssh_agent_auth: false
  cloud_provider: {}
  dns:
    linear_autoscaler_params:
      cores_per_replica: 128
      max: 0
      min: 1
      nodes_per_replica: 4
      prevent_single_point_failure: true
    node_selector: null
    nodelocal:
      node_selector: null
      update_strategy:
        rolling_update: {}
    options: null
    reversecidrs: null
    stubdomains: null
    tolerations: null
    update_strategy:
      rolling_update: {}
    upstreamnameservers: null
  enable_cri_dockerd: true
  ignore_docker_version: false
  ingress:
    default_backend: false
    default_ingress_class: true
    http_port: 0
    https_port: 0
    options:
      allow-snippet-annotations: 'false'
      enable-underscores-in-headers: 'true'
      use-forwarded-headers: 'true'
    provider: nginx
  kubernetes_version: v1.25.16-rancher2-3
  monitoring:
    provider: metrics-server
    replicas: 1
  network:
    mtu: 0
    options:
      flannel_backend_type: vxlan
    plugin: canal
  restore:
    restore: false
  rotate_encryption_key: false
  services:
    etcd:
      backup_config:
        enabled: true
        interval_hours: 12
        retention: 6
        safe_timestamp: false
        timeout: 300
      creation: 12h
      extra_args:
        election-timeout: '5000'
        heartbeat-interval: '500'
      gid: 0
      retention: 72h
      snapshot: false
      uid: 0
    kube-api:
      admission_configuration:
        api_version: apiserver.config.k8s.io/v1
        kind: AdmissionConfiguration
        plugins:
          - configuration:
              apiVersion: pod-security.admission.config.k8s.io/v1beta1
              defaults:
                audit: privileged
                audit-version: latest
                enforce: privileged
                enforce-version: latest
                warn: privileged
                warn-version: latest
              exemptions: {}
              kind: PodSecurityConfiguration
            name: PodSecurity
            path: ''
      always_pull_images: false
      event_rate_limit:
        enabled: true
      pod_security_policy: false
      secrets_encryption_config:
        enabled: true
      service_node_port_range: 30000-32767
    kube-controller: {}
    kubelet:
      extra_args:
        protect-kernel-defaults: 'true'
      fail_swap_on: false
      generate_serving_certificate: false
    kubeproxy: {}
    scheduler: {}
  ssh_agent_auth: false
  upgrade_strategy:
    drain: true
    max_unavailable_controlplane: '1'
    max_unavailable_worker: '1'
    node_drain_input:
      delete_local_data: true
      force: true
      grace_period: 900
      ignore_daemon_sets: true
      timeout: 10800

We have removed all PSPs from the cluster and there are no PSP templates.

> kubectl get psp -A
Warning: policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
No resources found
>

bpedersen2 · July 29, 2024, 9:35am

Check the rancher release notes( you need to go way back as you are running quite old versions), there upgrading past k8s 1.24 is described .

Elling · July 31, 2024, 10:37am

Did follow the release notes the first time around but also found that pod_security_policy_template_id specifically has to be set to null insted of just removed from the cluster.yaml from this post

github.com/rancher/rancher

[BUG] Rancher Terraform Provider: Unable to remove pod_security_policy from projects

opened 03:02PM - 10 Feb 23 UTC

closed 08:04AM - 23 Feb 23 UTC

samjustus

kind/bug release-note status/release-blocker team/area1 JIRA

SURE-5795 Terraform Provider for SUSE Rancher 1.22.2 Removing psp seems ea…sy, by just disabling the psp in the cluster config. pod_security_policy = false And then remove the [pod_security_policy_template_id](https://registry.terraform.io/providers/rancher/rancher2/latest/docs/resources/project#pod_security_policy_template_id) of each project. However this does not work and leads to errors when making changes to the projects (e.g. increasing the storage limits): # rancher2_project.pr["demo"] will be updated in-place ~ resource "rancher2_project" "pr" { id = "c-xxx:p-xxx" name = "Demo" - pod_security_policy_template_id = "restricted" -> null # (6 unchanged attributes hidden) # (3 unchanged blocks hidden) } This does not work and terraform apply fails │ Error: Bad response statusCode [500]. Status [500 Internal Server Error]. Body: [baseType=error, code=ServerError, message=error parse/validate action body: podSecurityPolicyTemplateId=MissingRequired 422: ] from [https://rancher.intra/v3/projects/c-xxxx:p-xxxx?action=setpodsecuritypolicytemplate] │ │ with rancher2_project.pr["demo"], │ on projects_namespaces.tf line 14, in resource "rancher2_project" "pr": │ 14: resource "rancher2_project" "pr" Neither removing the whole attribute pod_security_policy_template_id nor setting it to null or "" works. So how can I disable the psp and remove associated psp from the projects. Only disabling the pod_security_policy and not removing the psps of the projects, will lead to errors when changing projects (e.g. increasing storage limits). Error: Bad response statusCode [422]. Status [422 Unprocessable Entity]. Body: [baseType=error, code=InvalidAction, message=cluster [c-xxxx] does not have Pod Security Policies enabled] from [https://rancher.intra/v3/projects/c-xxxx:p-xxxx?action=setpodsecuritypolicytemplat While it looks like while on existing projects the pod_security_policy_template_id cannot be removed, I however can create new projects where pod_security_policy_template_id = null. Hence the conclusion is if psp is disabled, I can create projects where the pod_security_policy_template_id is not set I can't remove the psp association of existing projects, cause setting pod_security_policy_template_id to null, gives me the error above I still believe one should be able to remove the psp association of existing projects, it tend not to have any side-effects when it is not removed, but pod_security_policy = false is set Workaround- I actually in the UI I can set the psp manually to "Cluster Default", after that I can use pod_security_policy_template_id = null And I will not get Error: Bad response statusCode [422]

Topic		Replies	Views
Rancher Release v2.7.5 Announcements	1	4018	June 29, 2023
Rancher Release v2.7.3 Announcements	1	1994	April 24, 2023
Rancher Release v2.7.2 Announcements	3	2242	April 24, 2023
Rancher v2.6.7 ImagePullBackOff	0	701	August 26, 2022
Rancher Release v2.5.8 Announcements	1	3198	July 15, 2021

Unable to upgrade downstream cluster from kubernetes 1.24 to 1.25 du to PSP-issue

Related Topics