Kubernetes 1.25 and PSP removal
PodSecurityPolicies (PSPs) were deprecated in Kubernetes 1.22 and are removed in Kubernetes 1.25. This page explains the security implications of such changes for Teleport users, and what actions are required.
The two Teleport charts teleport-cluster and teleport-kube-agent were relying
on PodSecurityPolicies to provide an additional security level for Teleport pods.
Their removal has two main consequences:
- After upgrading to 1.25, Helm can end up with a corrupted state referencing PSP objects. In this case, the Helm release state has to be manually fixed.
- Security policy enforcement is managed by PodSecurityAdmission (PSA) since 1.23.
PSA security level is configured on the
namespaceresource, which Helm doesn't manage. You now have to set the security enforcement level as the chart can't do it.
To prepare for the 1.25 upgrade:
-
Make sure you are running at least Kubernetes 1.23 (run
kubectl version) -
Label the namespace you are deploying the chart in with the PSA enforcement level:
$ kubectl label namespace my-teleport-namespace 'pod-security.kubernetes.io/enforce=baseline'
namespace/my-teleport-namespace labeled -
Explicitly disable PSP deployment from the chart by setting
podSecurityPolicy.enabled: falseand upgrading the Helm release.
Once all the Teleport namespaces are labeled with the adequate PodSecurityStandard, and all Helm releases have been upgraded at least once with PSP disabled, you can safely upgrade to 1.25.