-
Notifications
You must be signed in to change notification settings - Fork 51
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix support for k8s 1.25 #406
Conversation
CronJob is promoted to batch/v1 now. Signed-off-by: Ivan Kolodiazhny <ikolodiazhny@nvidia.com>
56fa81c
to
bc51c81
Compare
@@ -102,6 +104,13 @@ func (s *statePodSecurityPolicy) Sync(customResource interface{}, infoCatalog In | |||
// Get a map of source kinds that should be watched for the state keyed by the source kind name | |||
func (s *statePodSecurityPolicy) GetWatchSources() map[string]*source.Kind { | |||
wr := make(map[string]*source.Kind) | |||
psp := &policyv1beta1.PodSecurityPolicyList{} | |||
err := s.client.List(context.TODO(), psp) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we check for error type for NotMatch?
"k8s.io/apimachinery/pkg/api/meta"
meta.IsNoMatchError(err)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's do it! I checked "k8s.io/apimachinery/pkg/api/errors" and it doesn't contain required logic. Thanks for the pointing me on it
err := s.client.List(context.TODO(), psp) | ||
if err != nil { | ||
// We assume it's k8s v1.25 or newer so PodSecurityPolicy is not supported and no need to reconcile them | ||
log.V(consts.LogLevelInfo).Info("pod security policy is not available") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need to add an error message if helm chart is deployed with PSP enabled on k8s 1.25+?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IMO, it should be done on CRD validation stage in an admission controller which isn't implemented yet
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fair point.
I guess to explicitly deprecate PSP in NicClusterPolicy we also need an admission controller?
Signed-off-by: Ivan Kolodiazhny <ikolodiazhny@nvidia.com>
bc51c81
to
622bf73
Compare
No description provided.