chore(sysdig-deploy): add notes for Pod Security Admission (#1177)
francesco-furlan authored Jun 27, 2023

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
1 parent 91c054b commit 9e140f8
Showing 4 changed files with 39 additions and 1 deletion.
2 changes: 1 addition & 1 deletion charts/sysdig-deploy/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
name: sysdig-deploy
description: A chart with various Sysdig components for Kubernetes
type: application
version: 1.8.28
version: 1.8.29
maintainers:
- name: aroberts87
email: adam.roberts@sysdig.com
7 changes: 7 additions & 0 deletions charts/sysdig-deploy/templates/NOTES.txt
@@ -40,3 +40,10 @@ secure or secure_light mode. Please set agent.monitor.enabled=false to ensure al
when running the Agent in secure or secure_light modes.
{{ end }}
{{ end }}

{{- if include "kubeVersionGreaterThan" (dict "root" . "major" 1 "minor" 24) }}
Pod Security Admission now replaces Pod Security Policies.
Be aware that if you enforce "baseline" or "restricted" policies in your cluster, you need to enforce "privileged" policy to this namespace:
kubectl label --overwrite ns <sysdig-namespace> pod-security.kubernetes.io/enforce=privileged
Otherwise you're ok to go.
{{ end }}
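Review bot: The instruction `kubectl label --overwrite ns <sysdig-namespace> pod-security.kubernetes.io/enforce=privileged` relaxes Pod Security Admission enforcement for every workload in that namespace, not just the Sysdig pods, so the note should state why the chart's pods need the privileged profile and recommend installing the chart into a dedicated namespace rather than one shared with other applications. Separately, "Otherwise you're ok to go." reads casually for rendered NOTES output; something like "No action is needed if your cluster does not enforce the baseline or restricted profiles." would be clearer.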
13 changes: 13 additions & 0 deletions charts/sysdig-deploy/templates/_helpers.tpl
@@ -43,3 +43,16 @@ Determine sysdig secure endpoint based on provided region
{{- end -}}
{{- end -}}
{{- end -}}

{{/* Returns string 'true' if the cluster's kubeVersion is greater than the parameter provided, or nothing otherwise
Use like: {{ include "kubeVersionGreaterThan" (dict "root" . "major" <kube_major_to_compare> "minor" <kube_minor_to_compare>) }}
Note: The use of `"root" .` in the parameter dict is necessary as the .Capabilities fields are not provided in
helper functions when "helm template" is used.
*/}}
{{- define "kubeVersionGreaterThan" }}
{{- if (and (ge (.root.Capabilities.KubeVersion.Major | int) .major)
(gt (.root.Capabilities.KubeVersion.Minor | trimSuffix "+" | int) .minor)) }}
true
{{- end }}
{{- end }}
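Review bot: The comparison in `kubeVersionGreaterThan` breaks as soon as the cluster's major version passes the one being compared: `(and (ge major .major) (gt minor .minor))` yields nothing for a 2.0 cluster checked against major 1 / minor 24, because 0 is not greater than 24, so the PSA note would silently disappear on a future major release. Compare lexicographically instead, e.g. `(or (gt major .major) (and (eq major .major) (gt minor .minor)))`, keeping the same `| int` and `trimSuffix "+"` conversions. Minor: `true` sits on its own line after the `if ... }}` with no `{{-` trim, so `include` returns a string with a leading newline; that is harmless under `if`, but `{{- "true" -}}` would make the helper's output match the "Returns string 'true'" contract in its doc comment.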
18 changes: 18 additions & 0 deletions charts/sysdig-deploy/tests/notes_test.yaml
@@ -209,3 +209,21 @@ tests:
- notMatchRegexRaw:
pattern: |-
A PriorityClass is recommended for GKE Autopilot environments. Please set agent.gke.createPriorityClass=true or provide the name of an existing PriorityClass by using the agent.priorityClassName parameter.
- it: Test PSA note is printed on k8s >=1.25
capabilities:
majorVersion: 1
minorVersion: 25
asserts:
- matchRegexRaw:
pattern: |-
Pod Security Admission now replaces Pod Security Policies.
- it: Test PSA note is not printed on k8s <=1.24
capabilities:
majorVersion: 1
minorVersion: 24
asserts:
- notMatchRegexRaw:
pattern: |-
Pod Security Admission now replaces Pod Security Policies.
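Review bot: The two new cases only exercise the 1.24/1.25 boundary, which is the one branch the helper already gets right. Add a case with `majorVersion: 2` and a low `minorVersion` (for example 0) asserting the note is still printed, which would expose the `and`/`gt` comparison in `kubeVersionGreaterThan` failing on a major bump, and, if the test harness accepts it, a case with a `+`-suffixed minor version so the helper's `trimSuffix "+"` path is covered as well.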
