maintain_kubeusers has been creating roles for Toolforge tools referencing PSP in the extension API group rather than policy.
We may need to 'backfill' existing resources to refresh this.
See also:
Description
Description
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Open | None | T327025 Upgrade Toolforge Kubernetes to version 1.26 | |||
| Open | None | T316107 Upgrade Toolforge Kubernetes to version 1.25 | |||
| Open | None | T307651 Upgrade Toolforge Kubernetes to version 1.24 | |||
| Open | taavi | T298005 Upgrade Toolforge Kubernetes to version 1.23 | |||
| Resolved | taavi | T286856 Upgrade Toolforge Kubernetes to latest 1.22 | |||
| Resolved | BUG REPORT | taavi | T331572 maintain-kubeusers container in CrashLoopBackoff preventing new tool creation after 'user-maintainer' ClusterRole changes | ||
| Resolved | taavi | T331619 toolforge: rbac: change existing roles to reference PSP in the policy group |
Event Timeline
Comment Actions
Patch file:
[ { "op": "replace", "path": "/rules/0/apiGroups/0", "value": "policy" } ]
Command to find affected roles:
root@tools-k8s-control-5:~/psp-patch# kubectl get role -A -o json | jq '.items[] | select(.rules[0].apiGroups[0] == "extensions") | select(.rules[0].resources[0] == "podsecuritypolicies") | [.metadata.namespace, .metadata.name]'
Comment Actions
Final command line:
root@tools-k8s-control-5:~/psp-patch# kubectl get role -A -o json | jq -r '.items[] | select(.rules[0].apiGroups[0] == "extensions") | select(.rules[0].resources[0] == "podsecuritypolicies") | .metadata.namespace + " role " + .metadata.name' | xargs -L 1 kubectl patch --type=json --patch-file=patch.json -n
Comment Actions
Mentioned in SAL (#wikimedia-cloud) [2023-04-10T10:46:38Z] <taavi> patch existing PSP roles to use policy/v1beta1 T331619