Migrate psp Templates.

[devops-inthe-east]

What steps did you take and what happened:

This is not a bug, However a post that requires guidance.

What did you expect to happen:

Cluster have the below ConstraintTemplate

 k get ConstraintTemplate  
NAME                                      AGE
k8sallowedrepos                           9h
k8sblocknodeport                          9h
k8sblockwildcardingress                   9h
k8scontainerlimits                        9h
k8scontainerrequests                      9h
k8sdenyobjectdefaultnamespace             9h
k8sdisallowedtags                         9h
k8spspallowedusers                        9h
k8spspallowprivilegeescalationcontainer   9h
k8spspapparmor                            9h
k8spspcapabilities                        9h
k8spspforbiddensysctls                    9h
k8spsphostfilesystem                      9h
k8spsphostnamespace                       9h
k8spsphostnetworkingports                 9h
k8spspprivilegedcontainer                 9h
k8spspprocmount                           9h
k8spspseccomp                             9h
k8spspselinuxv2                           9h
k8srequiredargoproject                    9h
k8srequiredingressacmannotation           9h
k8srequiredlabels                         9h
k8srequiredprobes                         9h
k8srequiredtopologyspreadconstraints      9h
k8suniqueingresshost                      9h
k8suniqueserviceselector                  9h

There are plenty psp that present,

Need to clarify ::

1. Will these interfere during deployment/replica/pod creation.
2. If yes, how to overcome this

We face this related issue,

1. Applications gets deployed through ArgoCD on EKS.
2. All components get created however the deploy/replicaset/pod are not created.

ERROR on ArgoCD UI

status:
  conditions:
    - lastTransitionTime: '2024-03-20T11:05:49Z'
      message: >-
        pods "datadog-mobile127-preprod-cluster-agent-7c74cfc694-q8nqv" is
        forbidden: violates PodSecurity "restricted:v1.24":
        allowPrivilegeEscalation != false (container "init-volume" must set
        securityContext.allowPrivilegeEscalation=false), unrestricted
        capabilities (containers "init-volume", "cluster-agent" must set
        securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or
        containers "init-volume", "cluster-agent" must set
        securityContext.runAsNonRoot=true), seccompProfile (pod or containers
        "init-volume", "cluster-agent" must set
        securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
      reason: FailedCreate
      status: 'True'
      type: ReplicaFailure
  observedGeneration: 2
  replicas: 0

Anything else you would like to add:

Environment:

• Gatekeeper version: 3.9.0
• Kubernetes version: (use kubectl version): EKS 1.27

[JaydipGabani]

@devops-inthe-east

Will these interfere during deployment/replica/pod creation.

If you only have constraint templates in the cluster and not respective constraint to enforce policies, the creation of resources wont be blocked.

ERROR on ArgoCD UI

For the error you faced, it seems to me that the namespace in which you are trying to spin up the pods may have restricted labels (more info here), and the container from the pod is in violation of it. It may not be related to any gk policy, otherwise there would be a name of the constraint there in the error message.

[devops-inthe-east]

Thanks Jay!