layout: post title: k8s v1.25 移除 podSecurityPolicy 造成 helm charts 無法升級
在kubernetes v1.25正式移除podSecurityPolicy後,如果舊版的helm charts有使用到psp,就會造成helm upgrade更新失敗。
錯誤訊息:
Error: UPGRADE FAILED: current release manifest contains removed kubernetes api(s) for this kubernetes version and it is therefore unable to build the kubernetes objects for performing the diff. error from kubernetes: unable to recognize "": no matches for kind "PodSecurityPolicy" in version "policy/v1beta1"
這情況根據官方說明需要手動解決,思路大概是修正helm存在cluster上的manifests,把不存在的api yaml更新或移除。
kubectl get secret -l owner=helm,status=deployed
kubectl get secret sh.helm.release.v1.prome.v18 -o yaml > release.yaml
cp release.yaml release.bak
cat release.yaml | grep -oP '(?<=release: ).*' | base64 -d | base64 -d | gzip -d > release.data.decoded
修改 release.data.decoded 以後先加密回去
cat release.data.decoded | gzip | base64 | base64 > release.data.encoded
tr -d "\n" < release.data.encoded > release.data.encoded.final
然後將 release.data.encoded.final 的內容填回 release.yaml 的 data: release: xxx 裡面 最後用 kubectl apply -f 或 kubectl replace -f 更新進cluster
如果遇到
helm Error: UPGRADE FAILED: create: failed to create: Secret is invalid: data: Too long: must have at most 1048576 bytes
中間製造的暫時檔案要先挪到其他資料夾或刪除,如果在charts資料夾裡面操作會造成 helm upgrade 失敗
ref. https://medium.com/@michael_33280/fixing-current-release-manifest-contains-removed-kubernetes-api-s-da6d948b651d https://helm.sh/docs/topics/kubernetes_apis/