PSP Deprecation

Deprecation of PodSecurityPolicies in Kubernetes 1.25

As Kubernetes deprecated the admission plugin of PodSecuritypolicies (PSP), some Building Blocks with PSP enabled cannot be deployed anymore. Helm keeps track of even deprecated APIs and it needs to be disabled before the Migration of your Kubernetes Cluster to 1.25.

Disable PSPs before upgrading to Kubernetes 1.25

Before you upgrade to 1.25 please make sure to read our Upgrade Guide.

To disable PSP on a Building Block, check the README for the configuration.
The Key can be named as e.g. pspEnabled or podSecurityPolicy.enabled.

For e.g. externalDNS you can find the key-value-pair named as rbac.pspEnabled : true. Choose your current installed Version-branch at the top of the page and check the values.
If your current version has it stated to true, create a corresponding values-external-dns.yaml and add the key-value-pair in yaml-format accordingly:

  pspEnabled: false

After that, you can deploy the changes to your Cluster. You should now be fine to continue with the Upgrade Guide.

If you did not disable PSPs before upgrading to Kubernetes 1.25

If you already upgraded to 1.25 or above, you can still change the helm configuration directly to continue with your control-repository updates.
The migration Guide recommends the helm plugin mapkubeapis which will create a new release which is leading to a minimum state drift.

Make sure you have helm installed on your machine. The workaround is as follows:

#first find the current release names you want to fix
helm list --namespace $BBNamespace
#install plugin
helm plugin install
#remove deprecated APIs on the corresponding release you want to fix
helm mapkubeapis $HELM_RELEASE