Kubernetes SIG/Meetings/2024-03-26
Appearance
Agenda:
- Introductions for new members (if any):
- SIG administrivia:
- Misc:
- Update on Improve how we address outside k8s infrastructure from within charts (e.g. network policies)
- External-services chart deployed to DSE and all of wikikube
- Charts need to be migrated, pick yours : ) https://phabricator.wikimedia.org/T359423
- Update on Improve how we address outside k8s infrastructure from within charts (e.g. network policies)
- Topic: PodSecurityPolicies are deprecated since Kubernetes 1.21, removed with 1.25
- Writeup can be found at: https://wikitech.wikimedia.org/wiki/User:JMeybohm/PSP_Replacement
- There has not been a real decision yet, but we’re leaning towards (re-)creating PSS with Validating Admission Policies for MediaWiki namespaces and just use default PSS for everything else
- All non-wikikube clusters are probably fine with the default PSS profiles
- Downside is that we don’t get the “fail-fast” of external integrations that inform the deployer on manifest submission about policy violations that will happen later (when a deployment creates a Pod for example)
- Action Items:
- Double check if PSS also has a late feedback (e.g. you can submit a deployment that would create a pod that violates a policy but the error is only shown in k8s events. Creation of the deployment is not rejected).