Hi there,

tomorrow 2024-06-26 @ 08:30Z we will start enforcing new Kubernetes security
rules in Toolforge [0].

We have taken measures to eliminate any user impact, but this being a
potentially sensitive change, I wanted to send a heads up email.

In a nutshell, pod-related Kubernetes resources, like Deployment or CronJob,
need to have a new set of security-related attributes correctly specified.
This is because we are introducing Kyverno policies as a replacement for the
deprecated PodSecurityPolicies (PSP) [1].

The new Kyverno policies have been deployed already, but are in 'Audit' mode.
What we will be doing tomorrow is setting them to 'Enforce', which is the final
step in this migration, before we can finally drop PSP [2].

Please report [3] any disruption that you may see.

regards.

[0] https://phabricator.wikimedia.org/T368141
[1] https://phabricator.wikimedia.org/T279110
[2] https://phabricator.wikimedia.org/T364297
[3] https://wikitech.wikimedia.org/wiki/Help:Cloud_Services_communication
_______________________________________________
Cloud-announce mailing list -- cloud-announce@lists.wikimedia.org
List information:
https://lists.wikimedia.org/postorius/lists/cloud-announce.lists.wikimedia.org/