Fix psp in config manifests

[skonto]

Fixes partially #13308 for podsecuritypolicy (deprecated since 1.21, will be unavailable on 1.25) as we need to support the Pod Security Admission instead which becomes stable in 1.25.

• Running with knative-serving ns labeled with:

  pod-security.kubernetes.io/enforce=restricted \
  pod-security.kubernetes.io/warn=restricted \
  pod-security.kubernetes.io/audit=restricted

makes all pods not launching. Errors are as follows on the versions tested 1.23+ (events in the corresponding ns):

8s Warning FailedCreate replicaset/autoscaler-99cb65bf Error creating: pods "autoscaler-99cb65bf-9slvd" is forbidden: violates PodSecurity "restricted:latest": unrestricted capabilities (container "autoscaler" must set securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or container "autoscaler" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

• Replaces all with ALL in capabilities section because that is the only acceptable string check here and here.
• Tested on: Kind v0.15.0 (1.25), v0.14.0(1.24), v0.12.0(v1.23.4)
• Instructions for testing here.
• TODO: fix third-party projects. Fix queue proxy and user workloads in another PR. This should be tested on a github workflows too.

[codecov]

Codecov Report

Base: 86.50% // Head: 86.50% // No change to project coverage 👍

Coverage data is based on head (1b9a1ad) compared to base (2332731).
Patch has no changes to coverable lines.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #13327   +/-   ##
=======================================
  Coverage   86.50%   86.50%           
=======================================
  Files         196      196           
  Lines       14544    14544           
=======================================
  Hits        12581    12581           
  Misses       1664     1664           
  Partials      299      299           

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

[matzew]

@skonto perhaps makes sense (here or different PR) to also use 1.25 w/ the kind setup:
https://github.com/knative/serving/blob/main/.github/workflows/kind-e2e.yaml#L89-L92

[skonto]

@matzew yeah we should test eventually on 1.25 on a workflow (added to TODO) but not sure if the project is ready for the migration so I am holding this PR anyway. Out of curiosity will try it here.

[skonto]

/retest

[skonto]

All tests pass will add the 1.25 flow and see if there is any difference.

[skonto]

@psschwei, I am trying 1.25 and we have a dependency that fails, (afaik knative repos are not on v1 could it be the kapp one?):

+ go run github.com/vmware-tanzu/carvel-kapp/cmd/kapp@latest deploy --yes --app serving --file /tmp/knative.GenB3ug8/tmp.AzvkRdEMQj
Target cluster 'https://127.0.0.1:43025/' (nodes: kind-control-plane, 4+)
kapp: Error: Expected to find kind 'policy/v1beta1/PodDisruptionBudget', but did not:

/cc @evankanderson

[skonto]

The update to the latest for metallb also does not work out of the box eg. ingress fails:

3:12:25PM:  ^ Load balancer ingress is empty
kapp: Error: Timed out waiting after 15m0s for resources: [service/istio-ingressgateway (v1) namespace: istio-system]

Also cant use the current on 1.25 due to the psps which are not available. Will revert. Adding 1.25 on github flows needs a separate PR. cc @matzew

[evankanderson]

I can take a look later tonight; I'm surprised that our other testing passed on those platforms.

[skonto]

@evankanderson any update on this one? :)

[psschwei]

@psschwei, I am trying 1.25 and we have a dependency that fails, (afaik knative repos are not on v1 could it be the kapp one?):

Yeah, I think that's it... I opened carvel-dev/kapp#620 to report it.

The update to the latest for metallb also does not work out of the box

I've had issues with that too when trying to set it up locally (haven't had a chance to look into why yet). Did the tests work with the old version?

[skonto]

Did the tests work with the old version?

No because the old version of metallb defines psps that are removed in 1.25, we need that last version.

[skonto]

@psschwei or @evankanderson gentle ping for a merge.

[evankanderson]

/lgtm
/approve

[knative-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: evankanderson, skonto

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• config/OWNERS [evankanderson]
• third_party/OWNERS [evankanderson]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[skonto]

/test gateway-api-latest