K8S PSP getting created after setting excludePodSecurityPolicy to true
Applies to
Kubernetes versions 1.24 and below
Answer
Kubernetes clusters can be upgraded with objects of removed APIs.
After the upgrade, each is handled in its own way.
Usually they are served by a newer API, but because PodSecurityPolicy (PSP) was removed completely, PSP objects effectively disappear from the cluster.
Helm has a bug where charts that contain removed APIs cannot be upgraded or uninstalled.
Additional Information
The Trident chart creates the PSPs `tridentoperatorpods`, `trident-node-linux` and `trident-controller`. The `tridentoperatorpods` PSP must be removed from the chart before it can be upgraded or uninstalled in a v1.25 or above cluster (if the cluster is upgraded without removing the PSP from the chart, the PSP must be removed from the chart manually using the steps here).
The `excludePodSecurityPolicy` value can be used to remove the `tridentoperatorpods` PSP from the chart before upgrading the cluster, so that the Trident chart can be upgraded or uninstalled after upgrading the cluster, but it does not remove the `trident-node-linux` and `trident-controller` PSPs.
The Trident operator detects the Kubernetes version and does not attempt to recreate PSPs if the version is greater than or equal to v1.25.0.
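A pre-upgrade check for the condition described above, as an added example that is not NetApp's or Helm's own code: it lists PodSecurityPolicy objects still present in a rendered chart manifest, which is what blocks Helm once the cluster is at v1.25 or above. The function names and the sample manifest are constructed for illustration; in practice the input would be the output of `helm get manifest` for the Trident release.

```shell
#!/bin/sh
# Print the name of every PodSecurityPolicy object in a multi-document
# YAML manifest read from stdin (one name per line).
psps_in_manifest() {
  awk '
    function flush() {
      if (kind == "PodSecurityPolicy" && name != "") print name
      kind = ""; name = ""; in_meta = 0
    }
    /^---[ \t]*$/  { flush(); next }          # document separator
    /^kind:/       { kind = $2; next }
    /^metadata:/   { in_meta = 1; next }
    /^[^ \t#]/     { in_meta = 0 }            # any other top-level key
    in_meta && /^  name:/ && name == "" { name = $2; gsub(/"/, "", name) }
    END            { flush() }
  '
}

# Returns 0 when the manifest carries no PSP, 1 (with a message on stderr)
# when it does and the chart should be fixed before the cluster upgrade.
manifest_is_upgrade_safe() {
  found=$(psps_in_manifest)
  [ -z "$found" ] && return 0
  echo "PSPs still in chart manifest: $found" >&2
  return 1
}

# Constructed sample standing in for the rendered manifest of a release
# installed without excludePodSecurityPolicy set to true.
sample_manifest() {
  cat <<'EOF'
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: trident-operator
  namespace: trident
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: tridentoperatorpods
spec:
  privileged: false
EOF
}

sample_manifest | psps_in_manifest
```

A clean result covers only the chart manifest: `trident-node-linux` and `trident-controller` are not removed by `excludePodSecurityPolicy` and may still exist in the cluster.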