From fd34a5e6e48e9658f920ff00d4f69c0304b11863 Mon Sep 17 00:00:00 2001 From: George Krajcsovits Date: Wed, 12 Jul 2023 13:51:59 +0200 Subject: [PATCH] Helm: add Troubleshoot section to kubernetes 1.25 migration guide (#5483) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Helm: add Troubleshoot section to kubernetes 1.25 migration guide Signed-off-by: György Krajcsovits * Apply suggestions from code review Co-authored-by: Dimitar Dimitrov * Small typo and lint fix. Signed-off-by: György Krajcsovits --------- Signed-off-by: György Krajcsovits Co-authored-by: Dimitar Dimitrov --- .../migrate-to-kubernetes-version-1.25.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/docs/sources/helm-charts/mimir-distributed/migration-guides/migrate-to-kubernetes-version-1.25.md b/docs/sources/helm-charts/mimir-distributed/migration-guides/migrate-to-kubernetes-version-1.25.md index a0c73fca455..1a6bf59b5a7 100644 --- a/docs/sources/helm-charts/mimir-distributed/migration-guides/migrate-to-kubernetes-version-1.25.md +++ b/docs/sources/helm-charts/mimir-distributed/migration-guides/migrate-to-kubernetes-version-1.25.md @@ -32,3 +32,21 @@ Grafana Mimir does not require any special permissions on the hosts that it runs on. Because of this, you can deploy it in environments that enforce the Kubernetes [Restricted security policy](https://kubernetes.io/docs/concepts/security/pod-security-standards/). {{% /admonition %}} + +## Troubleshoot + +If you have upgraded to Kubernetes 1.25 and see the following error containing PodSecurityPolicy during a Helm release upgrade: + +``` +resource mapping not found for name: "mimir" namespace: "" from "": +no matches for kind "PodSecurityPolicy" in version "policy/v1beta1" ensure CRDs are installed first +``` + +This happens because Helm stores the current release in a Secret in the namespace. If the current release contains removed resources the `helm` command fails to determine the current state of the release. + +To remove the PodSecurityPolicy from the Helm release history follow this procedure: + +1. Optionally follow the Kubernetes [Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Controller](https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/) guide to replace PodSecurityPolicy. +1. Set the `rbac.create` value to `false`. +1. Remove PodSecurityPolicy from the Helm release history following the [Updating API Versions of a Release Manifest](https://helm.sh/docs/topics/kubernetes_apis/#updating-api-versions-of-a-release-manifest) Helm documentation in order to proceed with the upgrade. +1. Upgrade the release. The upgrade should succeed now.