K8S PSP getting created after setting excludePodSecurityPolicy to true

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

Views:: 232

Visibility:: Public

Votes:: 0

Category:: trident-kubernetes

Specialty:: snapx

Last Updated:

Applies to

Kubernetes version to 1.24 and below

Answer

Kubernetes clusters can be upgraded with objects of removed APIs.

After the upgrade, each is handled in its own way.

Usually they are served by a newer API, but because PodSecurityPolicy (PSP) were removed completely, they effectively disappear from the cluster.
Helm has a bug where charts that contain removed APIs cannot be upgraded or uninstalled

Additional Information

The Trident chart creates PSP -`tridentoperatorpods`, trident-node-linux and trident-controller . The tridentoperatorpods psp must be removed from the chart before it can be upgraded or uninstalled in a v1.25 or above cluster (if the cluster is upgraded without removing the PSP from the chart, the PSP must be removed from the chart manually using the steps here).

The`excludePodSecurityPolicy` value can be used to remove tridentoperatorpods PSP from the chart before upgrading the cluster so that the Trident chart can be upgraded or uninstalled after upgrading the cluster, but does not remove trident-node-linux and trident-controller psps.
The Trident operator detects the Kubernetes version and does not attempt to recreate PSPs if the version is greater than or equal to v1.25.0.