Page MenuHomePhabricator
Create Task
Maniphest T364293

[infra,k8s] Move to kubernetes VAPs and drop kyverno
Open, HighPublic
Actions

Description

From the decision request in:
https://phabricator.wikimedia.org/T362233

This should be done after the upgrade to v1.30

Upstream docs: https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/

Related Objects
Search...

Event Timeline

dcaro created this task.May 6 2024, 8:09 AM
dcaro triaged this task as High priority.May 6 2024, 8:19 AM
dcaro moved this task from Backlog to Ready to be worked on on the Toolforge board.
dcaro updated the task description. (Show Details)May 6 2024, 9:18 AM
dcaro added a comment.Jul 15 2024, 1:21 PM

The validating admission policy is not stable until 1.30 (1.26/27 -> beta, 1.28/29 -> alpha, 1.30 -> stable)

dcaro edited parent tasks, added: T362869: [k8s,infra] Upgrade Toolforge to Uwubernetes (1.30); removed: T327025: [infra,k8s] Upgrade Toolforge Kubernetes to version 1.26.Jul 15 2024, 1:22 PM
dcaro updated the task description. (Show Details)
taavi removed a parent task: T362869: [k8s,infra] Upgrade Toolforge to Uwubernetes (1.30).Jul 20 2024, 10:56 AM
taavi added a subtask: T362869: [k8s,infra] Upgrade Toolforge to Uwubernetes (1.30).
dcaro added a subtask: T335131: [infra,k8s] replace admission controllers with an existing policy admin project.Sep 30 2024, 1:56 PM
dcaro removed a subtask: T335131: [infra,k8s] replace admission controllers with an existing policy admin project.Sep 30 2024, 1:59 PM
dcaro added a parent task: T335131: [infra,k8s] replace admission controllers with an existing policy admin project.
fnegri renamed this task from [infra,k8s] Move to kubernetes PAVs and drop kyverno to [infra,k8s] Move to kubernetes VAPs and drop kyverno.Apr 15 2025, 3:39 PM
dcaro changed the status of subtask T362869: [k8s,infra] Upgrade Toolforge to Uwubernetes (1.30) from Open to In Progress.May 7 2025, 12:13 PM
dcaro mentioned this in T401684: [kyverno] upgrade to 3.3.9 in tools failed leaving a half-upgraded system.Aug 12 2025, 12:37 PM
dcaro closed subtask T362869: [k8s,infra] Upgrade Toolforge to Uwubernetes (1.30) as Resolved.Sep 18 2025, 1:44 PM
dcaro added a comment.Sep 18 2025, 2:25 PM

For mutating policies we might have to wait a few versions (in 1.34 is in beta): https://kubernetes.io/docs/reference/access-authn-authz/mutating-admission-policy/

dcaro added a comment.EditedSep 18 2025, 2:30 PM

This is useful to test the expressions https://playcel.undistro.io/

dcaro added a comment.Sep 18 2025, 2:31 PM

I'll start adding it to jobs-api, as they don't need to be created on each namespace, instead they are cluster-wide and matching namespaces by labels.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits