improve the validation for PSP

cluster/plan.go

@@ -67,6 +67,7 @@ const (
 var (
 	admissionControlOptionNames = []string{"enable-admission-plugins", "admission-control"}
 	parsedRangeAtLeast124       = semver.MustParseRange(">= 1.24.0-rancher0")
+	parsedRangeAtLeast125       = semver.MustParseRange(">= 1.25.0-rancher0")
 )
 
 func GetServiceOptionData(data map[string]interface{}) map[string]*v3.KubernetesServicesOptions {

cluster/validation.go

@@ -54,6 +54,11 @@ func (c *Cluster) ValidateCluster(ctx context.Context) error {
 		return err
 	}
 
+	// validate enabling Pod Security Policy
+	if err := validatePSP(c); err != nil {
+		return err
+	}
+
 	// validate services options
 	return validateServicesOptions(c)
 }
@@ -650,6 +655,23 @@ func validateCRIDockerdOption(c *Cluster) error {
 	return nil
 }
 
+func validatePSP(c *Cluster) error {
+	parsedVersion, err := getClusterVersion(c.Version)
+	if err != nil {
+		logrus.Warnf("Failed to parse semver range for validating Pod Security Policy")
+		return err
+	}
+	if c.Services.KubeAPI.PodSecurityPolicy {
+		if c.Authorization.Mode != services.RBACAuthorizationMode {
+			return errors.New("PodSecurityPolicy can't be enabled with RBAC support disabled")
+		}
+		if parsedRangeAtLeast125(parsedVersion) {
+			return errors.New("PodSecurityPolicy has been removed and can not be enabled since k8s v1.25")
+		}
+	}
+	return nil
+}
+
 func getClusterVersion(version string) (semver.Version, error) {
 	var parsedVersion semver.Version
 	if len(version) <= 1 || !strings.HasPrefix(version, "v") {