[MANOPD-85384]Doc update #385

Merged
merged 3 commits into from
Mar 28, 2023
19 changes: 10 additions & 9 deletions documentation/Maintenance.md
Expand Up @@ -13,7 +13,7 @@ This section describes the features and steps for performing maintenance procedu
- [Manage PSS Procedure](#manage-pss-procedure)
- [Reboot Procedure](#reboot-procedure)
- [Certificate Renew Procedure](#certificate-renew-procedure)
- [Migration Cri Procedure](#migration-cri-procedure)
- [Cri Migration Procedure](#cri-migration-procedure)
- [Admission Migration Procedure](#admission-migration-procedure)
- [Procedure Execution](#procedure-execution)
- [Procedure Execution from CLI](#procedure-execution-from-cli)
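Review bot: the renamed link target `#cri-migration-procedure` only resolves if the section heading is renamed the same way; the hunk at line 1027 does change it to `## Cri Migration Procedure`, so the anchor stays valid. Any other document linking to the old `#migration-cri-procedure` anchor would break silently, so it is worth searching the repository for that string before merging.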
Expand Down Expand Up @@ -900,7 +900,7 @@ from particular namespaces will be applied.
**Warnings**:
* Be careful with the `exemptions` section it may cause cluster instability.
* Do not delete `kube-system` namespace from `exemptions` list without strong necessity.
* The PSS labels in namespaces for KubeMarine supported plugins ('nginx-ingress-controller', 'local-path-provisioner',
* The PSS labels in namespaces for Kubemarine supported plugins ('nginx-ingress-controller', 'local-path-provisioner',
'kubernetes-dashboard' etc) will be deleted during the procedure in case of using `pod-security: disabled`
* Be careful with the `restart-pods: true` options it drains nodes one by one and may cause cluster instability. The best way to
restart pods in cluster is a manual restart according to particular application. The restart procedure should consider if the
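Review bot: the casing change from `KubeMarine` to `Kubemarine` is inconsistent with the URL `https://github.com/Netcracker/KubeMarine/...` that is kept further down in the same file; if `Kubemarine` is the intended product spelling, confirm it is applied uniformly rather than only on the touched lines. While this warning block is being edited, its bullets read awkwardly: `Be careful with the `exemptions` section it may cause cluster instability` needs a comma or "as" after "section", `the `restart-pods: true` options it drains nodes` should be `option; it drains nodes`, and the `'kubernetes-dashboard' etc)` bullet is missing its terminating period.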
Expand Down Expand Up @@ -1027,7 +1027,7 @@ The `cert_renew` procedure executes the following sequence of tasks:
2. nginx_ingress_controller
3. certs_overview

## Migration Cri Procedure
## Cri Migration Procedure

The `migrate_cri` procedure allows you to migrate from Docker to Containerd.

Expand Down Expand Up @@ -1133,20 +1133,21 @@ thirdparties:
## Admission Migration Procedure

Since Kubernetes v1.20 Pod Security Policy (PSP) has been deprecated and will be delete in Kubernetes 1.25 the migration procedure
from PSP to another solution is very important. KubeMarine supports Pod Security Standards (PSS) by default as a replacement PSP.
from PSP to another solution is very important. Kubemarine supports Pod Security Standards (PSS) by default as a replacement PSP.
The most important step in the procedure is to define the PSS profiles for particular namespace. PSS has only three feasible options:
`privileged`, `baseline`, `restricted` that should be matched with PSP. It's better to use more restrictive the PSS profile
for namespace. For proper matching see the following articles:
* [Migrate from PodSecurityPolicy](https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/)
* [Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/)

**Notes**:
* KubeMarine predefined PSP such as 'oob-anyuid-psp', 'oob-host-network-psp', 'oob-privileged-psp' match with 'privileged' PSS profile and 'oob-default-psp' matches with 'restricted' PSS profile.
* Kubemarine predefined PSP such as 'oob-anyuid-psp', 'oob-host-network-psp', 'oob-privileged-psp' match with 'privileged' PSS profile and 'oob-default-psp' matches with 'restricted' PSS profile.
* Before running the migration procedure, be sure that all applications in Kubernetes cluster match with prerequisites:
[Application prerequisites](https://github.com/Netcracker/KubeMarine/blob/main/documentation/Installation.md#application-prerequisites)
* One of the ways to check if the pods in a particular namespace are matched with the PSS profile is that the `pod-security.kubernetes.io/enforce` label in the namespace should be set to `privileged`, whereas the `pod-security.kubernetes.io/warn` and `pod-security.kubernetes.io/audit` labels should be set to `restricted` or `baseline`. When the pods are up and running in the namespace, the audit messages and namespace events can be checked. Any violation of the `restricted` profile is reflected in these messages. The next step is to rework the pods that violate the PSS profile and repeat the procedure.

### Procedure Execution Steps

### Procedure Execution Steps

1. Verify that Kubernetes cluster has version v1.23+
2. Match the PSP permission to PSS and define the PSS profile for each namespace in cluster according to the notes above.
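Review bot: `### Procedure Execution Steps` appears twice in this hunk, separated by a blank line, and the hunk grows from 20 to 21 lines, so check whether the duplicate heading is the added line and drop it. Since the surrounding paragraph is being touched anyway, the grammar in the unchanged context lines should be fixed in the same commit: `will be delete in Kubernetes 1.25` should read `will be deleted in Kubernetes 1.25`, `as a replacement PSP` should read `as a replacement for PSP`, and `to use more restrictive the PSS profile` should read `to use the more restrictive PSS profile`.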
Expand Down Expand Up @@ -1266,9 +1267,9 @@ dump/
```

Description of the following files:
* cluster.yaml - input cluster inventory
* version - Kubemarine version.
* procedure_parameters - list of finished tasks.
* cluster.yaml - Input cluster inventory
* version - Kubemarine version
* procedure_parameters - List of finished tasks


## Additional Parameters
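Review bot: capitalizing each description and dropping the trailing periods is applied consistently to all three bullets, which is fine; the two consecutive blank lines left between `* procedure_parameters - List of finished tasks` and `## Additional Parameters` should be collapsed to one, matching the single blank line used before other headings in this file.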