Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix support for k8s 1.25 #406

Merged
merged 2 commits into from
Sep 22, 2022
Merged

Fix support for k8s 1.25 #406

merged 2 commits into from
Sep 22, 2022

Conversation

e0ne
Copy link
Collaborator

@e0ne e0ne commented Sep 21, 2022
edited
Loading

No description provided.

@e0ne
Fix Whereabouts reconciler job for k8s 1.25
010a05f 
CronJob is promoted to batch/v1 now.

Signed-off-by: Ivan Kolodiazhny <ikolodiazhny@nvidia.com>
@e0ne e0ne changed the title Fix Whereabouts reconciler job for k8s 1.25 Fix support for k8s 1.25 Sep 22, 2022
ykulazhenkov
ykulazhenkov reviewed Sep 22, 2022
View reviewed changes
pkg/state/state_pod_security_policy.go
@@ -102,6 +104,13 @@ func (s *statePodSecurityPolicy) Sync(customResource interface{}, infoCatalog In
// Get a map of source kinds that should be watched for the state keyed by the source kind name
func (s *statePodSecurityPolicy) GetWatchSources() map[string]*source.Kind {
wr := make(map[string]*source.Kind)
psp := &policyv1beta1.PodSecurityPolicyList{}
err := s.client.List(context.TODO(), psp)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we check for error type for NotMatch?

"k8s.io/apimachinery/pkg/api/meta"

meta.IsNoMatchError(err)

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's do it! I checked "k8s.io/apimachinery/pkg/api/errors" and it doesn't contain required logic. Thanks for the pointing me on it

almaslennikov
almaslennikov reviewed Sep 22, 2022
View reviewed changes
pkg/state/state_pod_security_policy.go
err := s.client.List(context.TODO(), psp)
if err != nil {
// We assume it's k8s v1.25 or newer so PodSecurityPolicy is not supported and no need to reconcile them
log.V(consts.LogLevelInfo).Info("pod security policy is not available")
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need to add an error message if helm chart is deployed with PSP enabled on k8s 1.25+?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO, it should be done on CRD validation stage in an admission controller which isn't implemented yet

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fair point.
I guess to explicitly deprecate PSP in NicClusterPolicy we also need an admission controller?

@e0ne
Do not reconcile PSP in Kubernetes v1.25+
622bf73 
Signed-off-by: Ivan Kolodiazhny <ikolodiazhny@nvidia.com>
@e0ne e0ne merged commit e98c493 into Mellanox:master Sep 22, 2022
@e0ne e0ne mentioned this pull request Sep 22, 2022
Closed
24 tasks
@e0ne e0ne mentioned this pull request Mar 15, 2023
Closed
@rollandf rollandf mentioned this pull request Apr 4, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@almaslennikov almaslennikov almaslennikov approved these changes

@ykulazhenkov ykulazhenkov ykulazhenkov approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@e0ne @almaslennikov @ykulazhenkov