
chore: remove PSP and migrate to PSA#2174

Merged
sozercan merged 14 commits into
open-policy-agent:masterfrom
sozercan:remove-psp
Aug 1, 2022

Conversation

@sozercan
Member

@sozercan sozercan commented Jul 15, 2022

Signed-off-by: Sertac Ozercan sozercan@gmail.com
What this PR does / why we need it:

  • remove PSP since it's going to be removed in v1.25 in static yaml deployment.
  • for Helm, if the policy/v1beta1 API exists (k8s < 1.25), PSP will still be deployed using the psp.enabled value (enabled by default).
  • update PDB to policy/v1 by default
  • update to use seccompProfile instead of seccomp annotations. This can be turned off with Helm since it might cause issues with OpenShift
  • add restricted pod security standards for audit/warn/enforce in gatekeeper-system.

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):
Fixes #2147

Special notes for your reviewer:
Since Helm creates the namespace, we can't add PSA annotations. Should that be part of docs or maybe we can do this with a helm hook?

Added a post-install helm hook. However, pre-install helm hook will be triggered too early (before namespace creation) and post-install will be too late (after deployment), but we'll have labels in the GK namespace after post-install.

sozercan added 2 commits July 15, 2022 22:42
Signed-off-by: Sertac Ozercan <sozercan@gmail.com>
Signed-off-by: Sertac Ozercan <sozercan@gmail.com>
@sozercan sozercan requested review from maxsmythe and ritazh July 15, 2022 23:33
Signed-off-by: Sertac Ozercan <sozercan@gmail.com>
@sozercan sozercan marked this pull request as draft July 16, 2022 00:03
@ritazh
Member

ritazh commented Jul 16, 2022

remove PSP since it's going to be removed in v1.25

For k8s versions < v1.25, users might still need PSP. Maybe conditionally delete it based on k8s version?

@codecov-commenter

codecov-commenter commented Jul 16, 2022

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 54.49%. Comparing base (4ca9d10) to head (6d7c748).
Report is 861 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #2174      +/-   ##
==========================================
+ Coverage   54.44%   54.49%   +0.05%     
==========================================
  Files         111      111              
  Lines        9529     9529              
==========================================
+ Hits         5188     5193       +5     
+ Misses       3945     3941       -4     
+ Partials      396      395       -1     
Flag Coverage Δ
unittests 54.49% <ø> (+0.05%) ⬆️


@sozercan
Member Author

sozercan commented Jul 16, 2022

Maybe conditionally delete it based on k8s version?

@ritazh updated the PR description to clarify we are deploying PSP if psp.enabled value is enabled (which is true by default) and policy/v1beta1 API is present (true for k8s < 1.25). However, we can't do this for static yaml.

Signed-off-by: Sertac Ozercan <sozercan@gmail.com>
@sozercan sozercan marked this pull request as ready for review July 16, 2022 02:45
sozercan and others added 2 commits July 25, 2022 20:28
Signed-off-by: Sertac Ozercan <sozercan@gmail.com>
Contributor

@maxsmythe maxsmythe left a comment


LGTM

Signed-off-by: Sertac Ozercan <sozercan@gmail.com>
"pod-security.kubernetes.io/warn=restricted",
"pod-security.kubernetes.io/warn-version=latest",
"pod-security.kubernetes.io/enforce=restricted",
"pod-security.kubernetes.io/enforce-version=v1.24"]
Member


Should we get it via Capabilities.KubeVersion.Version

Member Author


we know we are compatible with 1.24, but we won't know it for future versions. That's why enforce is pinned while audit and warn are latest

Member

@ritazh ritazh left a comment


LGTM

@sozercan sozercan merged commit 52db6a7 into open-policy-agent:master Aug 1, 2022
@sozercan sozercan deleted the remove-psp branch August 1, 2022 23:01
@sathieu
Contributor

sathieu commented Oct 21, 2022

Some parts are missing, see #2351

@srmars

srmars commented Aug 1, 2023

@sozercan @ritazh
We are trying to upgrade gatekeeper from 3.11.0 to 3.11.1 but we are getting the below error on Kubernetes version 1.25. Previously gatekeeper version 3.11.0 was running on Kubernetes version 1.24 and recently we upgraded our cluster to 1.25.

Before running helm upgrade, I updated psp to false in values.yaml.

https://github.com/open-policy-agent/gatekeeper/blob/v3.11.1/charts/gatekeeper/values.yaml#L237

Error: UPGRADE FAILED: current release manifest contains removed kubernetes api(s)
for this kubernetes version and it is therefore unable to build the kubernetes
objects for performing the diff. error from
kubernetes: unable to recognize "":
no matches for kind "PodSecurityPolicy"

Kindly let me know if I am missing anything.
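An added pre-upgrade check (example code, not gatekeeper's own) covering two points from this thread: the removed-API failure reported just above, and the namespace PSA label policy argued in the review (all modes restricted, enforce pinned to a tested minor, audit/warn on latest). The removed-API table, the sample manifest and the label values are constructed for the example; the input is assumed to be `helm get manifest`-style multi-document YAML.

```python
import re

# Removed-API table, constructed here: k8s 1.25 dropped policy/v1beta1 PSP.
REMOVED_APIS = {"1.25": {("policy/v1beta1", "PodSecurityPolicy")}}
PSA = "pod-security.kubernetes.io/"

def minor(version: str) -> str:
    """Normalise 'v1.25.3' or '1.25' to the '1.25' key used above."""
    return ".".join(version.lstrip("v").split(".")[:2])

def parse_docs(manifest: str):
    """(apiVersion, kind) per document; line-based so no PyYAML is needed."""
    docs = []
    for chunk in re.split(r"^---[ \t]*$", manifest, flags=re.M):
        fields = dict(re.findall(r"^(apiVersion|kind):[ \t]*(\S+)", chunk, re.M))
        if "kind" in fields:
            docs.append((fields.get("apiVersion", ""), fields["kind"]))
    return docs

def removed_resources(manifest: str, target_version: str):
    """Documents the target cluster can no longer build; helm refuses the
    upgrade with 'removed kubernetes api(s)' when any remain in the release."""
    gone = REMOVED_APIS.get(minor(target_version), set())
    return [d for d in parse_docs(manifest) if d in gone]

def psa_label_problems(labels: dict, tested_version: str = "v1.24"):
    """Namespace PSA labels as argued in the review: all three modes
    restricted, enforce pinned to a tested minor, audit/warn on 'latest'
    so new profile rules surface as warnings instead of blocking pods."""
    problems = []
    for mode in ("enforce", "audit", "warn"):
        if labels.get(PSA + mode) != "restricted":
            problems.append(f"{mode} is not restricted")
    if labels.get(PSA + "enforce-version") != tested_version:
        problems.append(f"enforce-version should be pinned to {tested_version}")
    for mode in ("audit", "warn"):
        if labels.get(PSA + mode + "-version", "latest") != "latest":
            problems.append(f"{mode}-version should be latest")
    return problems

# Constructed stand-in for `helm get manifest` output of a pre-1.25 release.
SAMPLE_MANIFEST = """\
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
---
apiVersion: policy/v1
kind: PodDisruptionBudget
"""
```

Running `removed_resources` against the stored release manifest before bumping the cluster tells you whether `psp.enabled=false` was applied to the release or only to a local values file.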

@fopni01

fopni01 commented Sep 6, 2023

I have the same issue @srmars . Want to redeploy gate-keeper with helm chart on a v1.25 k8s cluster.


Development

Successfully merging this pull request may close these issues.

API version policy/v1beta1 is deprecated and will be unavailable from v1.25+ -- PodSecurityPolicy

8 participants