Add deprecation warning for PodSecurityPolicies

.gitignore

@@ -7,6 +7,7 @@ config.yaml
 tf.json
 *terraform.tfstate*
 .terraform
+.terraform.lock.hcl
 terraform.tfvars
 *kubeconfig
 !*kubeconfig/

docs/api_reference/v1beta1.en.md

@@ -1,6 +1,6 @@
 +++
 title = "v1beta1 API Reference"
-date = 2021-10-27T20:19:09+05:00
+date = 2021-10-28T12:33:26+05:00
 weight = 11
 +++
 ## v1beta1
@@ -322,7 +322,7 @@ Features controls what features will be enabled on the cluster
 | ----- | ----------- | ------ | -------- |
 | podNodeSelector | PodNodeSelector | *[PodNodeSelector](#podnodeselector) | false |
 | podPresets | PodPresets Obsolete: this feature was removed with Kubernetes 1.20 | *[PodPresets](#podpresets) | false |
-| podSecurityPolicy | PodSecurityPolicy | *[PodSecurityPolicy](#podsecuritypolicy) | false |
+| podSecurityPolicy | PodSecurityPolicy Deprecated: will be removed once Kubernetes 1.24 reaches EOL | *[PodSecurityPolicy](#podsecuritypolicy) | false |
 | staticAuditLog | StaticAuditLog | *[StaticAuditLog](#staticauditlog) | false |
 | dynamicAuditLog | DynamicAuditLog | *[DynamicAuditLog](#dynamicauditlog) | false |
 | metricsServer | MetricsServer | *[MetricsServer](#metricsserver) | false |
@@ -555,6 +555,8 @@ The PodPresets feature is obsolete and has been removed
 ### PodSecurityPolicy
 
 PodSecurityPolicy feature flag
+This feature is deprecated and will be removed from the API once
+Kubernetes 1.24 reaches EOL.
 
 | Field | Description | Scheme | Required |
 | ----- | ----------- | ------ | -------- |

pkg/apis/kubeone/config/config.go

@@ -123,13 +123,13 @@ func BytesToKubeOneCluster(cluster, tfOutput, credentialsFile []byte, logger log
 		if err := runtime.DecodeInto(kubeonescheme.Codecs.UniversalDecoder(), cluster, v1alpha1Cluster); err != nil {
 			return nil, err
 		}
-		return DefaultedV1Alpha1KubeOneCluster(v1alpha1Cluster, tfOutput, credentialsFile)
+		return DefaultedV1Alpha1KubeOneCluster(v1alpha1Cluster, tfOutput, credentialsFile, logger)
 	case kubeonev1beta1.SchemeGroupVersion.String():
 		v1beta1Cluster := &kubeonev1beta1.KubeOneCluster{}
 		if err := runtime.DecodeInto(kubeonescheme.Codecs.UniversalDecoder(), cluster, v1beta1Cluster); err != nil {
 			return nil, err
 		}
-		return DefaultedV1Beta1KubeOneCluster(v1beta1Cluster, tfOutput, credentialsFile)
+		return DefaultedV1Beta1KubeOneCluster(v1beta1Cluster, tfOutput, credentialsFile, logger)
 	default:
 		return nil, errors.Errorf("invalid api version %q", typeMeta.APIVersion)
 	}
@@ -138,7 +138,7 @@ func BytesToKubeOneCluster(cluster, tfOutput, credentialsFile []byte, logger log
 // DefaultedV1Alpha1KubeOneCluster converts a v1alpha1 KubeOneCluster object to an internal representation of KubeOneCluster
 // object while sourcing information from Terraform output, applying default values and validating the KubeOneCluster
 // object
-func DefaultedV1Alpha1KubeOneCluster(versionedCluster *kubeonev1alpha1.KubeOneCluster, tfOutput, credentialsFile []byte) (*kubeoneapi.KubeOneCluster, error) {
+func DefaultedV1Alpha1KubeOneCluster(versionedCluster *kubeonev1alpha1.KubeOneCluster, tfOutput, credentialsFile []byte, logger logrus.FieldLogger) (*kubeoneapi.KubeOneCluster, error) {
 	if tfOutput != nil {
 		tfConfig, err := terraformv1alpha1.NewConfigFromJSON(tfOutput)
 		if err != nil {
@@ -167,13 +167,16 @@ func DefaultedV1Alpha1KubeOneCluster(versionedCluster *kubeonev1alpha1.KubeOneCl
 		return nil, errors.Wrap(err, "unable to validate the given KubeOneCluster object")
 	}
 
+	// Check for deprecated fields/features for a cluster
+	checkClusterForDeprecations(*internalCluster, logger)
+
 	return internalCluster, nil
 }
 
 // DefaultedV1Beta1KubeOneCluster converts a v1beta1 KubeOneCluster object to an internal representation of KubeOneCluster
 // object while sourcing information from Terraform output, applying default values and validating the KubeOneCluster
 // object
-func DefaultedV1Beta1KubeOneCluster(versionedCluster *kubeonev1beta1.KubeOneCluster, tfOutput, credentialsFile []byte) (*kubeoneapi.KubeOneCluster, error) {
+func DefaultedV1Beta1KubeOneCluster(versionedCluster *kubeonev1beta1.KubeOneCluster, tfOutput, credentialsFile []byte, logger logrus.FieldLogger) (*kubeoneapi.KubeOneCluster, error) {
 	if tfOutput != nil {
 		tfConfig, err := terraformv1beta1.NewConfigFromJSON(tfOutput)
 		if err != nil {
@@ -202,6 +205,9 @@ func DefaultedV1Beta1KubeOneCluster(versionedCluster *kubeonev1beta1.KubeOneClus
 		return nil, errors.Wrap(err, "unable to validate the given KubeOneCluster object")
 	}
 
+	// Check for deprecated fields/features for a cluster
+	checkClusterForDeprecations(*internalCluster, logger)
+
 	return internalCluster, nil
 }
 
@@ -226,3 +232,10 @@ func isDir(dirname string) bool {
 	stat, statErr := os.Stat(dirname)
 	return statErr == nil && stat.Mode().IsDir()
 }
+
+// checkClusterForDeprecations with check clusters for usage of deprecated fields, flags etc. and print a warning if any are found
+func checkClusterForDeprecations(c kubeoneapi.KubeOneCluster, logger logrus.FieldLogger) {
+	if c.Features.PodSecurityPolicy != nil && c.Features.PodSecurityPolicy.Enable {
+		logger.Warnf("PodSecurityPolicy is deprecated and will be removed with Kubernetes 1.25 release")
+	}
+}

pkg/apis/kubeone/types.go

@@ -409,6 +409,7 @@ type Features struct {
 	// Obsolete: this feature was removed with Kubernetes 1.20
 	PodPresets *PodPresets `json:"podPresets,omitempty"`
 	// PodSecurityPolicy
+	// Deprecated: will be removed once Kubernetes 1.24 reaches EOL
 	PodSecurityPolicy *PodSecurityPolicy `json:"podSecurityPolicy,omitempty"`
 	// StaticAuditLog
 	StaticAuditLog *StaticAuditLog `json:"staticAuditLog,omitempty"`
@@ -538,6 +539,8 @@ type PodNodeSelectorConfig struct {
 }
 
 // PodSecurityPolicy feature flag
+// This feature is deprecated and will be removed from the API once
+// Kubernetes 1.24 reaches EOL.
 type PodSecurityPolicy struct {
 	// Enable
 	Enable bool `json:"enable,omitempty"`

pkg/apis/kubeone/v1alpha1/types.go

@@ -218,7 +218,8 @@ type Features struct {
 	PodNodeSelector *PodNodeSelector `json:"podNodeSelector"`
 	// PodPresets
 	// Obsolete: this feature was removed with Kubernetes 1.20
-	PodPresets        *PodPresets        `json:"podPresets,omitempty"`
+	PodPresets *PodPresets `json:"podPresets,omitempty"`
+	// Deprecated: will be removed once Kubernetes 1.24 reaches EOL
 	PodSecurityPolicy *PodSecurityPolicy `json:"podSecurityPolicy"`
 	StaticAuditLog    *StaticAuditLog    `json:"staticAuditLog"`
 	DynamicAuditLog   *DynamicAuditLog   `json:"dynamicAuditLog"`
@@ -256,6 +257,8 @@ type PodNodeSelectorConfig struct {
 }
 
 // PodSecurityPolicy feature flag
+// This feature is deprecated and will be removed from the API once
+// Kubernetes 1.24 reaches EOL.
 type PodSecurityPolicy struct {
 	Enable bool `json:"enable"`
 }

pkg/apis/kubeone/v1beta1/types.go

@@ -409,6 +409,7 @@ type Features struct {
 	// Obsolete: this feature was removed with Kubernetes 1.20
 	PodPresets *PodPresets `json:"podPresets,omitempty"`
 	// PodSecurityPolicy
+	// Deprecated: will be removed once Kubernetes 1.24 reaches EOL
 	PodSecurityPolicy *PodSecurityPolicy `json:"podSecurityPolicy,omitempty"`
 	// StaticAuditLog
 	StaticAuditLog *StaticAuditLog `json:"staticAuditLog,omitempty"`
@@ -538,6 +539,8 @@ type PodNodeSelectorConfig struct {
 }
 
 // PodSecurityPolicy feature flag
+// This feature is deprecated and will be removed from the API once
+// Kubernetes 1.24 reaches EOL.
 type PodSecurityPolicy struct {
 	// Enable
 	Enable bool `json:"enable,omitempty"`

pkg/apis/kubeone/validation/validation_test.go

@@ -233,6 +233,7 @@ func TestValidateKubeOneCluster(t *testing.T) {
 			expectedError: true,
 		},
 	}
+
 	for _, tc := range tests {
 		tc := tc
 		t.Run(tc.name, func(t *testing.T) {
@@ -1311,6 +1312,7 @@ func TestValidateFeatures(t *testing.T) {
 			expectedError: true,
 		},
 	}
+
 	for _, tc := range tests {
 		tc := tc
 		t.Run(tc.name, func(t *testing.T) {