
[rancher-staging-rke2] Prepare the upgrade to kubernetes 1.25+

There are a couple of PodSecurityPolicies to remove:

kubectl --context archive-staging-rke2 get podsecuritypolicies
Warning: policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
NAME                                          PRIV    CAPS           SELINUX    RUNASUSER          FSGROUP     SUPGROUP    READONLYROOTFS   VOLUMES
calico-kube-controllers                       false                  RunAsAny   MustRunAsNonRoot   MustRunAs   MustRunAs   false            configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim
calico-node                                   true                   RunAsAny   RunAsAny           MustRunAs   MustRunAs   false            configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim,hostPath
calico-typha                                  false                  RunAsAny   MustRunAsNonRoot   MustRunAs   MustRunAs   false            configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim
global-restricted-psp                         false                  RunAsAny   MustRunAsNonRoot   MustRunAs   MustRunAs   false            configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim
global-unrestricted-psp                       true    *              RunAsAny   RunAsAny           RunAsAny    RunAsAny    false            *
rancher-monitoring-alertmanager               false                  RunAsAny   RunAsAny           MustRunAs   MustRunAs   false            configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim
rancher-monitoring-crd-manager                false                  RunAsAny   RunAsAny           MustRunAs   MustRunAs   false            configMap,secret
rancher-monitoring-grafana                    false                  RunAsAny   RunAsAny           MustRunAs   MustRunAs   false            configMap,emptyDir,projected,csi,secret,downwardAPI,persistentVolumeClaim
rancher-monitoring-kube-state-metrics         false                  RunAsAny   MustRunAsNonRoot   MustRunAs   MustRunAs   false            secret
rancher-monitoring-operator                   false                  RunAsAny   RunAsAny           MustRunAs   MustRunAs   false            configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim
rancher-monitoring-patch-sa                   false                  RunAsAny   MustRunAsNonRoot   MustRunAs   MustRunAs   false            secret
rancher-monitoring-prometheus                 false                  RunAsAny   RunAsAny           MustRunAs   MustRunAs   false            configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim
rancher-monitoring-prometheus-adapter         false                  RunAsAny   MustRunAs          RunAsAny    RunAsAny    false            secret,emptyDir,configMap
rancher-monitoring-prometheus-node-exporter   false                  RunAsAny   RunAsAny           MustRunAs   MustRunAs   false            configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim,hostPath
system-unrestricted-psp                       true    *              RunAsAny   RunAsAny           RunAsAny    RunAsAny    false            *
system-upgrade-controller                     true    CAP_SYS_BOOT   RunAsAny   RunAsAny           RunAsAny    RunAsAny    false            *
tigera-operator                               false                  RunAsAny   MustRunAsNonRoot   MustRunAs   MustRunAs   false            hostPath,configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim

Most of them are created by the Rancher monitoring application, the others seem to be created by Rancher components (calico, tigera, ...).
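One way to confirm which chart owns each policy and which policies grant host-level access before they are removed, as an added example that is not part of the original issue. It reads the shape of `kubectl get podsecuritypolicies -o json`; the sample data is constructed (abridged from three rows of the table above), the Helm release annotation on it is an assumption about this cluster, and the function names are hypothetical.

```python
import json

HELM_RELEASE = "meta.helm.sh/release-name"  # annotation Helm 3 sets on objects it manages

# Constructed sample; spec values mirror rows of the table, the annotation is assumed.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "calico-node"},
  "spec": {"privileged": true, "volumes": ["configMap", "secret", "hostPath"]}},
 {"metadata": {"name": "rancher-monitoring-grafana",
               "annotations": {"meta.helm.sh/release-name": "rancher-monitoring"}},
  "spec": {"privileged": false, "volumes": ["configMap", "emptyDir", "secret"]}},
 {"metadata": {"name": "system-upgrade-controller"},
  "spec": {"privileged": true, "allowedCapabilities": ["CAP_SYS_BOOT"], "volumes": ["*"]}}
]}
""")


def host_access(spec):
    """Return the reasons a PSP grants host-level access (empty list if none)."""
    reasons = []
    if spec.get("privileged"):
        reasons.append("privileged")
    if spec.get("allowedCapabilities"):
        reasons.append("caps:" + ",".join(spec["allowedCapabilities"]))
    risky = {"*", "hostPath"} & set(spec.get("volumes", []))
    reasons += ["volume:" + v for v in sorted(risky)]
    reasons += [k for k in ("hostNetwork", "hostPID", "hostIPC") if spec.get(k)]
    return reasons


def triage(psp_list):
    """Group PSP names by owning Helm release and list those needing review."""
    owners, review = {}, {}
    for item in psp_list["items"]:
        meta = item["metadata"]
        owner = (meta.get("annotations") or {}).get(HELM_RELEASE, "no-helm-annotation")
        owners.setdefault(owner, []).append(meta["name"])
        reasons = host_access(item.get("spec", {}))
        if reasons:
            review[meta["name"]] = reasons
    return owners, review


if __name__ == "__main__":
    owners, review = triage(SAMPLE)
    print(json.dumps({"owners": owners, "review": review}, indent=2))
```

Policies listed under `review` are the ones whose workloads lose an explicit privileged allowance when the PSP API disappears, so they are the ones to check first.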