diff --git a/chart/README.md b/chart/README.md index bc722b6..09b8366 100644 --- a/chart/README.md +++ b/chart/README.md @@ -22,6 +22,20 @@ Longhorn is 100% open source software. Project source code is spread across a nu 3. Make sure `bash`, `curl`, `findmnt`, `grep`, `awk` and `blkid` has been installed in all nodes of the Kubernetes cluster. 4. Make sure `open-iscsi` has been installed, and the `iscsid` daemon is running on all nodes of the Kubernetes cluster. For GKE, recommended Ubuntu as guest OS image since it contains `open-iscsi` already. +## Upgrading to Kubernetes v1.25+ + +Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API. + +As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `enablePSP` set to `false` if it has been previously set to `true`. + +> **Note:** +> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).** +> +> If your charts get stuck in this state, you may have to clean up your Helm release secrets. +Upon setting `enablePSP` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart. + +As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Longhorn docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards. + ## Installation 1. Add Longhorn chart repository. ``` diff --git a/chart/questions.yaml b/chart/questions.yaml index 0c21b2a..4e5ec56 100644 --- a/chart/questions.yaml +++ b/chart/questions.yaml @@ -824,7 +824,7 @@ Set the value to **0** to disable backup restore." show_if: "service.ui.type=NodePort||service.ui.type=LoadBalancer" label: UI Service NodePort number - variable: enablePSP - default: "true" + default: "false" description: "Setup a pod security policy for Longhorn workloads." label: Pod Security Policy type: boolean diff --git a/chart/templates/validate-psp-install.yaml b/chart/templates/validate-psp-install.yaml new file mode 100644 index 0000000..0df98e3 --- /dev/null +++ b/chart/templates/validate-psp-install.yaml @@ -0,0 +1,7 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +#{{- if .Values.enablePSP }} +#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}} +#{{- end }} +#{{- end }} +#{{- end }} \ No newline at end of file diff --git a/deploy/longhorn.yaml b/deploy/longhorn.yaml index e42a1bb..e8b874b 100644 --- a/deploy/longhorn.yaml +++ b/deploy/longhorn.yaml @@ -4272,3 +4272,6 @@ spec: fieldRef: fieldPath: spec.nodeName serviceAccountName: longhorn-service-account +--- +# Source: longhorn/templates/validate-psp-install.yaml +#