Helm: don't render PodSecurityPolicy on kubernetes 1.24 and above unless forced #5357

Merged
1 change: 1 addition & 0 deletions operations/helm/charts/mimir-distributed/CHANGELOG.md
Expand Up @@ -29,6 +29,7 @@ Entries should include a reference to the Pull Request that introduced the chang
## main / unreleased

* [CHANGE] Changed max unavailable ingesters and store-gateways in a zone to 50. #5327
* [CHANGE] Don't render PodSecurityPolicy on Kubernetes >=1.24. (was >= 1.25). This helps with upgrades between 1.24 and 1.25. To use a PSP in 1.24, toggle `rbac.forcePSPOnKubernetes124: true`. #5357
* [ENHANCEMENT] Ruler: configure the ruler storage cache when the metadata cache is enabled. #5326 #5334
* [ENHANCEMENT] Helm: support metricRelabelings in the monitoring serviceMonitor resources. #5340
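Review bot: the new [CHANGE] entry for #5357 should state what happens to an existing release on Kubernetes 1.24. With the default `rbac.forcePSPOnKubernetes124: false` the chart no longer renders the PodSecurityPolicy there, so a `helm upgrade` removes the PSP that earlier chart versions created, and operators who still rely on it must set the flag before upgrading the chart. The wording is also uneven: "Kubernetes >=1.24. (was >= 1.25)" has a stray period and inconsistent spacing; suggest "Don't render PodSecurityPolicy on Kubernetes >= 1.24 (was >= 1.25)."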

Expand Up @@ -477,7 +477,13 @@ Get the no_auth_tenant from the configuration
Return if we should create a PodSecurityPolicy. Takes into account user values and supported kubernetes versions.
*/}}
{{- define "mimir.rbac.usePodSecurityPolicy" -}}
{{- and (semverCompare "< 1.25-0" (include "mimir.kubeVersion" .)) (and .Values.rbac.create (eq .Values.rbac.type "psp")) -}}
{{- and
(
or (semverCompare "< 1.24-0" (include "mimir.kubeVersion" .))
(and (semverCompare "< 1.25-0" (include "mimir.kubeVersion" .)) .Values.rbac.forcePSPOnKubernetes124)
)
(and .Values.rbac.create (eq .Values.rbac.type "psp"))
-}}
{{- end -}}

{{/*
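Review bot: in the second `or` branch, `.Values.rbac.forcePSPOnKubernetes124` is handed to `and` as a raw value, so any non-empty string counts as true; a value supplied with `--set-string rbac.forcePSPOnKubernetes124=false` would force the PSP on 1.24. Consider an explicit comparison such as `(eq (toString .Values.rbac.forcePSPOnKubernetes124) "true")`. The comment above the define also still says only "user values and supported kubernetes versions"; it should name the new flag and spell out the three cases (below 1.24 rendered, 1.24 only when forced, 1.25 and above never).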
5 changes: 4 additions & 1 deletion operations/helm/charts/mimir-distributed/values.yaml
Expand Up @@ -417,7 +417,10 @@ runtimeConfig: {}
# RBAC configuration
rbac:
create: true
# For GKE/EKS/AKS use 'type: psp'. For OpenShift use 'type: scc'
# -- If true, PodSecurityPolicy will be rendered by the chart on Kuberentes 1.24.
# By default the PodSecurityPolicy is not rendered on version 1.24.
forcePSPOnKubernetes124: false
# -- For GKE/EKS/AKS use 'type: psp'. For OpenShift use 'type: scc'
type: psp
# -- podSecurityContext is the default pod security context for Mimir, GEM, gateway, and cache components.
# When installing on OpenShift, override podSecurityContext settings with
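Review bot: "Kuberentes" in the new `forcePSPOnKubernetes124` description is a typo for "Kubernetes". The description should also say that the flag has an effect only on 1.24, and only together with `create: true` and `type: psp`, since the `mimir.rbac.usePodSecurityPolicy` helper ignores it on every other version.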