rancher/rke
1
0
Fork 0
mirror of https://github.com/rancher/rke.git synced 2025-07-19 17:50:16 +00:00
Code Issues Releases Wiki Activity

Merge pull request #3188 from jiaqiluo/revert-psp-detect

Browse Source
This commit is contained in:
Jiaqi Luo 2023-03-06 10:52:36 -07:00 committed by GitHub
commit 6ec1b45e29
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 0 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
cluster/validation.go
View File

@ -7,7 +7,6 @@ import (
"strings"
"github.com/blang/semver"
"github.com/rancher/rke/k8s"
"github.com/rancher/rke/log"
"github.com/rancher/rke/metadata"
"github.com/rancher/rke/pki"
@ -675,30 +674,6 @@ func validatePodSecurityPolicy(c *Cluster) error {
return errors.New("PodSecurityPolicy has been removed and can not be enabled since k8s v1.25")
}
}
// check if there is any PSP resource when upgrading a cluster to k8s v1.25 and above
if parsedRangeAtLeast125(parsedVersion) {
kubeClient, err := k8s.NewClient(c.LocalKubeConfigPath, c.K8sWrapTransport)
if err != nil {
// we can not tell this is invoked when creating a new cluster or updating an existing one, so skip this check
logrus.Debugf("Skip the check for PSP resource due to the failure of initializing the kubernetes client")
return nil
}
pspList, _ := k8s.GetPSPList(kubeClient)
// ignore the error because the "no such resource type" error is definitely returned in k8s v1.25 and above
items := pspList.Items
if len(items) == 0 {
return nil
}
// a PSP "psp.flannel.unprivileged" from old Flannel templates is created when using Flannel as the network plugin
// we should ignore it if it is the only PSP in the cluster
if len(items) == 1 && items[0].Name == "psp.flannel.unprivileged" && c.Network.Plugin == FlannelNetworkPlugin {
return nil
}
msg := fmt.Sprintf("PodSecurityPolicy(PSP) resource is detected in the cluster, "+
"please remove them before upgrading the cluster version to %s", c.Version)
return errors.New(msg)
}
return nil
}

6
k8s/psp.go
View File

@ -30,9 +30,3 @@ func updatePodSecurityPolicy(k8sClient *kubernetes.Clientset, p interface{}) err
return nil
}
// GetPSPList returns the PodSecurityPolicyList containing all PSPs in the cluster and an error.
// The list could be empty if there is no PSP in the cluster.
func GetPSPList(k8sClient *kubernetes.Clientset) (*v1beta1.PodSecurityPolicyList, error) {
return k8sClient.PolicyV1beta1().PodSecurityPolicies().List(context.TODO(), metav1.ListOptions{})
}