maintain_kubeusers has been creating roles for Toolforge tools referencing PSP in the extension API group rather than policy.
We may need to 'backfill' existing resources to refresh this.
See also:
maintain_kubeusers has been creating roles for Toolforge tools referencing PSP in the extension API group rather than policy.
We may need to 'backfill' existing resources to refresh this.
See also:
Patch file:
[ { "op": "replace", "path": "/rules/0/apiGroups/0", "value": "policy" } ]
Command to find affected roles:
root@tools-k8s-control-5:~/psp-patch# kubectl get role -A -o json | jq '.items[] | select(.rules[0].apiGroups[0] == "extensions") | select(.rules[0].resources[0] == "podsecuritypolicies") | [.metadata.namespace, .metadata.name]'
Final command line:
root@tools-k8s-control-5:~/psp-patch# kubectl get role -A -o json | jq -r '.items[] | select(.rules[0].apiGroups[0] == "extensions") | select(.rules[0].resources[0] == "podsecuritypolicies") | .metadata.namespace + " role " + .metadata.name' | xargs -L 1 kubectl patch --type=json --patch-file=patch.json -n
Mentioned in SAL (#wikimedia-cloud) [2023-04-10T10:46:38Z] <taavi> patch existing PSP roles to use policy/v1beta1 T331619