This task tracks the work to outline a migration plan for Toolforge Kubernetes from PodSecurityPolicy (PSP) to Kyverno.
Description
Status | Subtype | Assigned | Task
---|---|---|---
Open | | None | T362869 [k8s,infra] Upgrade Toolforge to Uwubernetes (1.30)
Open | | None | T362868 [infra,k8s] Upgrade Toolforge Kubernetes to version 1.29
Open | | None | T362867 [infra,k8s] Upgrade Toolforge Kubernetes to version 1.28
Open | | None | T359641 [infra,k8s] Upgrade Toolforge Kubernetes to version 1.27
Open | | None | T327025 [infra,k8s] Upgrade Toolforge Kubernetes to version 1.26
Open | | None | T316107 [infra,k8s] Upgrade Toolforge Kubernetes to version 1.25
In Progress | | aborrero | T279110 [infra] Replace PodSecurityPolicy in Toolforge Kubernetes
In Progress | | aborrero | T364297 toolforge: create a PSP migration plan
Open | | aborrero | T364312 toolforge: introduce some logic to backfill maintain-kubeuser resources (like per-tool kyverno policies)
Event Timeline
The plan could be this:
- finish T362872: Decision Request - Toolforge policy agent enforcement model
- finish T362050: toolforge: review pod templates for PSP replacement
- finish T364113: toolforge: identify and cache in our container registry all kyverno images
- deploy kyverno (with policies in audit mode) -- https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/238
- deploy updated maintain-kubeusers -- https://gitlab.wikimedia.org/repos/cloud/toolforge/maintain-kubeusers/-/merge_requests/18
- mutate existing workloads to add missing pod template elements (!)
- re-deploy kyverno (with policies in validation mode)
- drop PSP
If we don't want to mutate existing workloads (!) by hand (script or something), we will need to carefully craft the kyverno policies so that the templates produced in the PSP days are valid in kyverno's eyes.
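As an added illustration of the "audit mode first, validation mode later" steps in the plan above, here is what one Kyverno ClusterPolicy could look like. This is example code written for this task, not the content of toolforge-deploy merge request 238 or of maintain-kubeusers; the policy name, the `tool-*` namespace selector and the specific fields it requires (runAsNonRoot, dropping all capabilities) are assumptions, since the real set of required pod template elements is what T362050 is meant to determine.

```yaml
# Added example for this task; not the policy shipped in toolforge-deploy.
# The policy name, the "tool-*" namespace match and the required fields are assumptions.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: toolforge-psp-replacement-example
spec:
  # "deploy kyverno (with policies in audit mode)": violations are only recorded
  # in PolicyReports and nothing is rejected. Flip this to Enforce for the
  # "re-deploy kyverno (with policies in validation mode)" step, once the audit
  # reports no longer list pre-existing workloads.
  validationFailureAction: Audit
  # Scan resources that already exist, not only new admission requests. This is
  # what makes the audit phase useful for pods created in the PSP days.
  background: true
  rules:
    # Validation rule: the constraints PSP used to enforce (assumed set of fields).
    - name: require-nonroot-and-no-capabilities
      match:
        any:
          - resources:
              kinds:
                - Pod
              namespaces:
                - "tool-*"
      validate:
        message: >-
          Every container must set securityContext.runAsNonRoot=true
          and drop all capabilities.
        pattern:
          spec:
            containers:
              - securityContext:
                  runAsNonRoot: "true"
                  capabilities:
                    drop:
                      - ALL
    # Mutation rule: backfills the missing fields at admission time, so the
    # "mutate existing workloads" step only has to cover pods that are never
    # recreated. The +() anchor means "add only if absent", so a template that
    # already sets these fields explicitly is left untouched.
    - name: default-security-context
      match:
        any:
          - resources:
              kinds:
                - Pod
              namespaces:
                - "tool-*"
      mutate:
        patchStrategicMerge:
          spec:
            containers:
              # (name): "*" applies the patch to every container in the pod.
              - (name): "*"
                securityContext:
                  +(runAsNonRoot): true
                  +(capabilities):
                    drop:
                      - ALL
```

Two caveats that match the (!) marks in the comment above: a mutate rule like this only runs on admission, so a pod created under PSP keeps its old spec until it is recreated (Kyverno's mutate-existing rules with `targets` are a separate mechanism and would still need to be scoped carefully), and the validate rule in Audit mode never blocks anything, so `kubectl get policyreport -A` is the place to check whether old templates would survive the switch to Enforce before PSP is dropped.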
Updated T362050: toolforge: review pod templates for PSP replacement to make sure our pod templates are updated accordingly.
Another point to consider: how to back-fill per-tool kyverno policies for existing tools.