Page MenuHomePhabricator

Switch PodSecurityPolicy API versioning in maintain-kubeusers from extensions/v1beta1 to
Closed, ResolvedPublic


This blocks upgrading the cluster to v1.17 definitely, and quite likely v1.16.

Basically, all the objects for PSPs should use this API instead:

If we are very lucky, this will include an upgrade to version 11.0 of kubernetes-client, but that's still in beta.

Event Timeline

Bstorm triaged this task as High priority.Feb 25 2020, 5:02 PM

Though there is no reason version 10.1 or 11.0 will not work for our current needs, it should be noted that 12.0 of kubernetes-client is the version tracking 1.16. That version is currently in alpha. As long as we aren't using the library to interact with ipv6 and things like that, we should be ok.

Change 588127 had a related patch set uploaded (by Bstorm; owner: Bstorm):
[labs/tools/maintain-kubeusers@master] deprecations: Fix psp API group to work with k8s 1.16

Change 588127 merged by jenkins-bot:
[labs/tools/maintain-kubeusers@master] deprecations: Fix psp API group to work with k8s 1.16

Mentioned in SAL (#wikimedia-cloud) [2020-04-14T17:32:20Z] <bstorm_> updating the maintain-kubeusers:beta image on tools-docker-imagebuilder-01 T246123

Testing in toolsbeta, it created credentials that did allow webservice shell to work, which suggests the toolchain functions. Moving along to deploy the new version in tools.

Mentioned in SAL (#wikimedia-cloud) [2020-04-14T18:19:55Z] <bstorm_> updating the maintain-kubeusers:latest image T246123

Mentioned in SAL (#wikimedia-cloud) [2020-04-14T18:26:12Z] <bstorm_> Deployed new code and RBAC for maintain-kubeusers T246123

Bstorm claimed this task.