Page MenuHomePhabricator
Create Task
Maniphest T364297

[k8s,infra] track PSP migration plan
Closed, ResolvedPublic
Actions

Description

This task is to track the work to migration from PSP to Kyverno.

Plan:

Related Objects
Search...

StatusSubtypeAssignedTask
 In ProgressRaymond_NdibeT362867 [infra,k8s] Upgrade Toolforge Kubernetes to version 1.28
 ResolvedRaymond_NdibeT359641 [infra,k8s] Upgrade Toolforge Kubernetes to version 1.27
Restricted Task
 ResolvedSlst2020T327025 [infra,k8s] Upgrade Toolforge Kubernetes to version 1.26
 ResolvedaborreroT316107 [infra,k8s] Upgrade Toolforge Kubernetes to version 1.25
 ResolvedaborreroT279110 [infra] Replace PodSecurityPolicy in Toolforge Kubernetes
 ResolvedaborreroT364297 [k8s,infra] track PSP migration plan
 ResolvedaborreroT364312 [maintain-kubeusers,infra,k8s]: introduce some logic to backfill maintain-kubeuser resources (like per-tool kyverno policies)
 ResolvedaborreroT366564 toolforge: new maintain-kubeusers takes long time to loop over all the accounts to reconcile them
 ResolvedaborreroT366598 maintain-kubeusers: metrics, monitoring and alerting
 ResolvedaborreroT367332 toolforge maintain-kubeusers backtrace
 ResolvedAndrewT367348 Incident: 2024-06-12 toolforge k8s control plane
 DuplicatedcaroT367349 Fix HA proxy load-balancer health check monitor to not poll nodes where the API is not responding
 ResolvedaborreroT367350 [k8s,infra] Verify that kyverno policies are evaluated only for namespaced resources
 ResolvedaborreroT367386 [k8s,infra] kyverno has a track record of overloading the cluster, maybe on new ways
 ResolvedaborreroT367388 [k8s,infra] consider scaling the k8s control plane
 ResolvedaborreroT367389 [k8s,infra,alerting] improve HAproxy and k8s apiserver interaction
 DeclinedaborreroT367950 Decision Request - Toolforge pod security via custom admission webhook
 DeclinedaborreroT367952 toolforge: drop kyverno
 DeclinedaborreroT367985 toolforge: create a new custom admission webhook to handle pod security settings
 ResolvedaborreroT368044 Toolforge: redeploy kyverno after the outage
 ResolvedaborreroT368141 toolforge: kyverno: change policies to Enforce
 ResolvedaborreroT368142 Toolforge: drop PodSecurityPolicy

Event Timeline

aborrero created this task.May 6 2024, 8:47 AM
aborrero added a comment.May 6 2024, 12:27 PM

the plan could be this:

if we don't want to mutate existing workloads (!) by hand (script or something) we will need to carefully craft the kyverno policies so the templates produced in the PSP days are valid on kyverno's eyes.

aborrero changed the task status from Open to In Progress.May 6 2024, 12:50 PM
aborrero triaged this task as Medium priority.
aborrero moved this task from Backlog to Doing on the User-aborrero board.
aborrero added a comment.May 6 2024, 2:06 PM

Updated T362050: toolforge: review pod templates for PSP replacement to make sure our pod templates are updated accordingly.

Another point to consider: how to back-fill per-tool kyverno policies for existing tools.

aborrero changed the status of subtask T364312: [maintain-kubeusers,infra,k8s]: introduce some logic to backfill maintain-kubeuser resources (like per-tool kyverno policies) from Open to In Progress.May 22 2024, 1:34 PM
aborrero moved this task from Doing to Next on the User-aborrero board.May 22 2024, 1:42 PM
aborrero added a comment.Jun 3 2024, 11:16 AM

updated plan:

aborrero closed subtask T364312: [maintain-kubeusers,infra,k8s]: introduce some logic to backfill maintain-kubeuser resources (like per-tool kyverno policies) as Resolved.Jun 4 2024, 1:22 PM
aborrero renamed this task from toolforge: create a PSP migration plan to toolforge: track PSP migration plan.Jun 6 2024, 2:32 PM
aborrero updated the task description. (Show Details)
aborrero moved this task from Next to Doing on the User-aborrero board.Jun 7 2024, 3:46 PM
aborrero added a comment.Jun 7 2024, 3:55 PM

on the latest tests I've conducted, I detected that the kyverno mutation rule somehow clashes with the PSP mutations.

  • kyverno mutation rule adding hostIPC: false
  • then PSP removing it
  • then the kyverno validation rule requiring it being set
  • therefore kyverno validation failing

This temporal conflict between the Kyverno pod policy and PSP is something that needs to be carefully tested, and configured, for the cluster to be happy during the -hopefully brief- period in which the 2 mechanisms are alive together.

aborrero updated the task description. (Show Details)Jun 10 2024, 10:22 AM
aborrero added a comment.Jun 10 2024, 1:02 PM
In T364297#9871364, @aborrero wrote:

on the latest tests I've conducted, I detected that the kyverno mutation rule somehow clashes with the PSP mutations.

  • kyverno mutation rule adding hostIPC: false
  • then PSP removing it
  • then the kyverno validation rule requiring it being set
  • therefore kyverno validation failing

This temporal conflict between the Kyverno pod policy and PSP is something that needs to be carefully tested, and configured, for the cluster to be happy during the -hopefully brief- period in which the 2 mechanisms are alive together.

Making optional in the kyverno policy the fields that PSP is deleting works fine!

This should also be a valid solution when we drop PSP.

aborrero updated the task description. (Show Details)Jun 13 2024, 8:57 AM
aborrero added a subtask: T367348: Incident: 2024-06-12 toolforge k8s control plane.
dcaro renamed this task from toolforge: track PSP migration plan to [k8s,infra] track PSP migration plan.Jun 13 2024, 9:47 AM
aborrero added a subtask: T367950: Decision Request - Toolforge pod security via custom admission webhook.Jun 19 2024, 8:59 AM
aborrero updated the task description. (Show Details)Jun 19 2024, 3:13 PM
aborrero updated the task description. (Show Details)Jun 20 2024, 12:00 PM
aborrero updated the task description. (Show Details)Jun 20 2024, 12:47 PM
aborrero closed subtask T367950: Decision Request - Toolforge pod security via custom admission webhook as Declined.Jun 20 2024, 1:12 PM
aborrero closed subtask T367332: toolforge maintain-kubeusers backtrace as Resolved.
aborrero updated the task description. (Show Details)Jun 20 2024, 1:14 PM
aborrero closed subtask T368044: Toolforge: redeploy kyverno after the outage as Resolved.Jun 21 2024, 11:35 AM
aborrero closed subtask T367348: Incident: 2024-06-12 toolforge k8s control plane as Resolved.Jun 21 2024, 11:37 AM
aborrero updated the task description. (Show Details)
aborrero updated the task description. (Show Details)Jun 21 2024, 11:40 AM
aborrero changed the status of subtask T368141: toolforge: kyverno: change policies to Enforce from Open to In Progress.
aborrero updated the task description. (Show Details)Jun 25 2024, 9:56 AM
aborrero updated the task description. (Show Details)
aborrero closed subtask T368141: toolforge: kyverno: change policies to Enforce as Resolved.Jun 26 2024, 11:09 AM
aborrero updated the task description. (Show Details)
aborrero closed subtask T368142: Toolforge: drop PodSecurityPolicy as Resolved.Jun 27 2024, 11:45 AM
aborrero updated the task description. (Show Details)

this has been completed.

aborrero reopened subtask T368142: Toolforge: drop PodSecurityPolicy as In Progress.Jun 27 2024, 2:56 PM
aborrero closed this task as Resolved.Jul 2 2024, 11:01 AM
aborrero closed subtask T368142: Toolforge: drop PodSecurityPolicy as Resolved.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits