Toolforge: drop PodSecurityPolicy
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	• aborrero
	Jun 21 2024, 11:40 AM

Description

Once we have set up the replacement (Kyverno pod security rules), we can drop the deprecated PodSecurityPolicy mechanism from Toolforge k8s.

Plan is:

drop PSP controller
drop resources from the cluster and update each account state configmap https://gitlab.wikimedia.org/repos/cloud/toolforge/maintain-kubeusers/-/merge_requests/49
cleanup the code from maintain-kubeusers https://gitlab.wikimedia.org/repos/cloud/toolforge/maintain-kubeusers/-/merge_requests/48
review and update privileged-psp role usage
cleanup

Details

Related Changes in Gerrit:

Subject	Repo	Branch	Lines +/-
kubeadm: remove reference to PSP directory	operations/puppet	production	+0 -4
kubedm: absent psp directory	operations/puppet	production	+1 -13
toolforge: remove references to PodSecurityPolicy	operations/puppet	production	+1 -208

Customize query in gerrit

Related Changes in GitLab:

Title	Reference	Author	Source Branch	Dest Branch
registry-admission: bump to 0.0.45-20240708145115-17015d83	repos/cloud/toolforge/toolforge-deploy!400	ghost	bump_registry-admission	main
deployment: remove PSP reference	repos/cloud/toolforge/registry-admission!8	aborrero	arturo-183-deployment-remove-p	master
envvars-api: bump to 0.0.52-20240705101149-aa9da2fa	repos/cloud/toolforge/toolforge-deploy!391	ghost	bump_envvars-api	main
builds-builder: bump to 0.0.107-20240702102918-afd8fe1a	repos/cloud/toolforge/toolforge-deploy!374	ghost	bump_builds-builder	main
tekton-pipelines: drop internal PSP definitions	repos/cloud/toolforge/builds-builder!48	aborrero	arturo-278-tekton-pipelines-dr	main
wmcs-k8s-metrics: kube-state-metrics: drop internal PSP definition	repos/cloud/toolforge/toolforge-deploy!373	aborrero	arturo-326-wmcs-k8s-metrics-ku	main
cert-manager: drop internal PSP definitions	repos/cloud/toolforge/toolforge-deploy!372	aborrero	arturo-225-cert-manager-drop-i	main
builds-builder: bump to 0.0.106-20240702085825-e1519ac7	repos/cloud/toolforge/toolforge-deploy!371	ghost	bump_builds-builder	main
volume-admission: bump to 0.0.48-20240701144407-0003a769	repos/cloud/toolforge/toolforge-deploy!370	ghost	bump_volume-admission	main
wmcs-k8s-metrics: bump to 0.0.20-20240628101504-9ed20c1f	repos/cloud/toolforge/toolforge-deploy!366	ghost	bump_wmcs-k8s-metrics	main
cadvisor: drop PSP	repos/cloud/toolforge/wmcs-k8s-metrics!9	aborrero	arturo-971-cadvisor-drop-psp	main
wmcs-k8s-metrics: drop PSP	repos/cloud/toolforge/toolforge-deploy!364	aborrero	arturo-266-wmcs-k8s-metrics-dr	main
kyverno: drop PSP	repos/cloud/toolforge/toolforge-deploy!363	aborrero	arturo-326-kyverno-drop-psp	main
jobs-api: bump to 0.0.311-20240628093550-c6df8783	repos/cloud/toolforge/toolforge-deploy!362	ghost	bump_jobs-api	main
api-gateway: bump to 0.0.25-20240628091913-285fb180	repos/cloud/toolforge/toolforge-deploy!361	ghost	bump_api-gateway	main
cert-manager: drop PSP	repos/cloud/toolforge/toolforge-deploy!360	aborrero	arturo-430-cert-manager-drop-p	main
ingress-nginx: drop PSP	repos/cloud/toolforge/toolforge-deploy!359	aborrero	arturo-227-ingress-nginx-drop	main
maintain-kubeusers: bump to 0.0.160-20240627102103-cfd4ebd5	repos/cloud/toolforge/toolforge-deploy!358	ghost	bump_maintain-kubeusers	main
tests/fixtures: drop PSP reference	repos/cloud/toolforge/toolforge-weld!47	aborrero	arturo-157-tests-fixtures-drop	main
deployment: drop PSP	repos/cloud/toolforge/volume-admission!10	aborrero	arturo-173-deployment-drop-psp	main

Related Objects
Search...

Status	Assigned	Task
Resolved	Raymond_Ndibe	T359641 [infra,k8s] Upgrade Toolforge Kubernetes to version 1.27
		Restricted Task
Resolved	Slst2020	T327025 [infra,k8s] Upgrade Toolforge Kubernetes to version 1.26
Resolved	• aborrero	T316107 [infra,k8s] Upgrade Toolforge Kubernetes to version 1.25
Resolved	• aborrero	T279110 [infra] Replace PodSecurityPolicy in Toolforge Kubernetes
Resolved	• aborrero	T364297 [k8s,infra] track PSP migration plan
Resolved	• aborrero	T368142 Toolforge: drop PodSecurityPolicy

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes

• aborrero mentioned this in T364297: [k8s,infra] track PSP migration plan.Jun 21 2024, 11:40 AM

• aborrero moved this task from Backlog to Next on the User-aborrero board.

aborrero opened https://gitlab.wikimedia.org/repos/cloud/toolforge/maintain-kubeusers/-/merge_requests/49

PSP: delete them

• aborrero triaged this task as Medium priority.Jun 21 2024, 12:22 PM

• aborrero updated the task description. (Show Details)

scheduled for tomorrow 2024-06-26

• aborrero updated the task description. (Show Details)Jun 26 2024, 11:16 AM

aborrero merged https://gitlab.wikimedia.org/repos/cloud/toolforge/maintain-kubeusers/-/merge_requests/49

PSP: delete them

project_1317_bot_df3177307bed93c3f34e421e26c86e38 opened https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/356

maintain-kubeusers: bump to 0.0.159-20240627085452-0ae1a288

• aborrero updated the task description. (Show Details)Jun 27 2024, 9:06 AM

aborrero opened https://gitlab.wikimedia.org/repos/cloud/toolforge/lima-kilo/-/merge_requests/153

k8s: drop PodSecurityPolicies

Change #1050271 had a related patch set uploaded (by Arturo Borrero Gonzalez; author: Arturo Borrero Gonzalez):

[operations/puppet@production] toolforge: remove references to PodSecurityPolicy

https://gerrit.wikimedia.org/r/1050271

Mentioned in SAL (#wikimedia-cloud) [2024-06-27T09:28:20Z] <arturo> disabled PodSecurityPolicy admission plugin from apiserver static pod manifests (T368142)

Mentioned in SAL (#wikimedia-cloud) [2024-06-27T09:30:33Z] <arturo> disabled PodSecurityPolicy admission plugin from kubeadm configmap (T368142)

aborrero merged https://gitlab.wikimedia.org/repos/cloud/toolforge/lima-kilo/-/merge_requests/153

k8s: drop PodSecurityPolicies

Change #1050271 merged by Arturo Borrero Gonzalez:

[operations/puppet@production] toolforge: remove references to PodSecurityPolicy

https://gerrit.wikimedia.org/r/1050271

aborrero merged https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/356

maintain-kubeusers: bump to 0.0.159-20240627085452-0ae1a288

• aborrero updated the task description. (Show Details)Jun 27 2024, 9:58 AM

Mentioned in SAL (#wikimedia-cloud) [2024-06-27T10:02:07Z] <arturo> disabled PodSecurityPolicy admission plugin from kubeadm configmap (T368142)

Mentioned in SAL (#wikimedia-cloud) [2024-06-27T10:02:27Z] <arturo> drop all PSP definitions for all accounts (T368142)

aborrero opened https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/357

components: drop PSP references

aborrero opened https://gitlab.wikimedia.org/repos/cloud/toolforge/builds-api/-/merge_requests/98

deployment: drop PSP rolebinding

aborrero opened https://gitlab.wikimedia.org/repos/cloud/toolforge/api-gateway/-/merge_requests/24

deployment: drop PSP

aborrero opened https://gitlab.wikimedia.org/repos/cloud/toolforge/builds-admission/-/merge_requests/8

deployment: drop PSP

aborrero opened https://gitlab.wikimedia.org/repos/cloud/toolforge/builds-builder/-/merge_requests/47

deployment: drop PSP

aborrero opened https://gitlab.wikimedia.org/repos/cloud/toolforge/envvars-api/-/merge_requests/34

deployment: drop PSP reference

aborrero opened https://gitlab.wikimedia.org/repos/cloud/toolforge/foxtrot-ldap/-/merge_requests/8

helmchart: drop PSP

aborrero opened https://gitlab.wikimedia.org/repos/cloud/toolforge/jobs-api/-/merge_requests/98

deployment: drop PSP reference

aborrero opened https://gitlab.wikimedia.org/repos/cloud/toolforge/volume-admission/-/merge_requests/10

deployment: drop PSP

aborrero opened https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-weld/-/merge_requests/47

tests/fixtures: drop PSP reference

aborrero merged https://gitlab.wikimedia.org/repos/cloud/toolforge/maintain-kubeusers/-/merge_requests/48

resources: drop PSP

project_1317_bot_df3177307bed93c3f34e421e26c86e38 opened https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/358

maintain-kubeusers: bump to 0.0.160-20240627102103-cfd4ebd5

Change #1050306 had a related patch set uploaded (by Arturo Borrero Gonzalez; author: Arturo Borrero Gonzalez):

[operations/puppet@production] kubedm: absent psp directory

https://gerrit.wikimedia.org/r/1050306

Change #1050306 merged by Arturo Borrero Gonzalez:

[operations/puppet@production] kubedm: absent psp directory

https://gerrit.wikimedia.org/r/1050306

aborrero merged https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/358

maintain-kubeusers: bump to 0.0.160-20240627102103-cfd4ebd5

• aborrero moved this task from Next to Doing on the User-aborrero board.Jun 27 2024, 11:03 AM

Change #1050310 had a related patch set uploaded (by Arturo Borrero Gonzalez; author: Arturo Borrero Gonzalez):

[operations/puppet@production] kubeadm: remove reference to PSP directory

https://gerrit.wikimedia.org/r/1050310

Change #1050310 merged by Arturo Borrero Gonzalez:

[operations/puppet@production] kubeadm: remove reference to PSP directory

https://gerrit.wikimedia.org/r/1050310

• aborrero updated the task description. (Show Details)Jun 27 2024, 11:40 AM

aborrero merged https://gitlab.wikimedia.org/repos/cloud/toolforge/foxtrot-ldap/-/merge_requests/8

helmchart: drop PSP

• aborrero closed this task as Resolved.Jun 27 2024, 11:45 AM

aborrero merged https://gitlab.wikimedia.org/repos/cloud/toolforge/builds-api/-/merge_requests/98

deployment: drop PSP rolebinding

aborrero opened https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/359

ingress-nginx: drop PSP

aborrero merged https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/359

ingress-nginx: drop PSP

Reopening while we merge the cleanup patches.

• aborrero updated the task description. (Show Details)Jun 27 2024, 2:56 PM

aborrero closed https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/357

components: drop PSP references

aborrero opened https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/360

cert-manager: drop PSP

aborrero merged https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/360

cert-manager: drop PSP

aborrero@toolsbeta-test-k8s-control-7:~$ sudo helm list -n cert-manager
NAME        	NAMESPACE   	REVISION	UPDATED                                	STATUS  	CHART               	APP VERSION
cert-manager	cert-manager	6       	2023-02-16 15:28:25.14619534 +0000 UTC 	deployed	cert-manager-v1.11.0	v1.11.0    
reloader    	cert-manager	1       	2023-02-16 15:28:24.537311669 +0000 UTC	deployed	reloader-v1.0.5     	v1.0.5     
reloader-psp	cert-manager	1       	2023-02-16 15:28:24.347972406 +0000 UTC	deployed	raw-0.3.0           	0.2.3      
aborrero@toolsbeta-test-k8s-control-7:~$ sudo helm uninstall -n cert-manager reloader-psp
release "reloader-psp" uninstalled
aborrero@toolsbeta-test-k8s-control-7:~$ sudo helm list -n cert-manager
NAME        	NAMESPACE   	REVISION	UPDATED                                	STATUS  	CHART               	APP VERSION
cert-manager	cert-manager	6       	2023-02-16 15:28:25.14619534 +0000 UTC 	deployed	cert-manager-v1.11.0	v1.11.0    
reloader    	cert-manager	1       	2023-02-16 15:28:24.537311669 +0000 UTC	deployed	reloader-v1.0.5     	v1.0.5

aborrero merged https://gitlab.wikimedia.org/repos/cloud/toolforge/api-gateway/-/merge_requests/24

deployment: drop PSP

project_1317_bot_df3177307bed93c3f34e421e26c86e38 opened https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/361

api-gateway: bump to 0.0.25-20240628091913-285fb180

aborrero merged https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/361

api-gateway: bump to 0.0.25-20240628091913-285fb180

aborrero merged https://gitlab.wikimedia.org/repos/cloud/toolforge/jobs-api/-/merge_requests/98

deployment: drop PSP reference

project_1317_bot_df3177307bed93c3f34e421e26c86e38 opened https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/362

jobs-api: bump to 0.0.311-20240628093550-c6df8783

aborrero opened https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/363

kyverno: drop PSP