Upgrading a Hardened Custom/Imported Cluster to Kubernetes v1.25
Kubernetes v1.25 changes how clusters describe and implement security policies. From this version forward, Pod Security Policies (PSPs) are no longer available. Kubernetes v1.25 replaces them with new security objects: Pod Security Standards (PSS), and Pod Security Admissions (PSAs).
If you have custom or imported hardened clusters, you must take special preparations to ensure that the upgrade from an earlier version of Kubernetes to v1.25 or later goes smoothly.
After you upgrade to v1.25, add the necessary Rancher namespace exemptions. See Pod Security Admission (PSA) Configuration Templates for more details.
Upgrading Imported Hardened Clusters to Kubernetes v1.25 or Later
- RKE2
- K3s
Perform the following on each node in the cluster:
- Save
rancher-psact.yaml
in/etc/rancher/rke2
. - Edit the RKE2 configuration file:
- Update the
profile
field tocis-1.23
. - Specify the path for the configuration file that you just added:
pod-security-admission-config-file: /etc/rancher/rke2/rancher-psact.yaml
.
- Update the
Perform the following on each node in the cluster:
Follow the official K3s instructions on Upgrading Hardened Clusters from v1.24.x to v1.25.x, but use a custom Rancher PSA configuration template, instead of the configuration provided on the official K3s site.
After you perform these steps, you can upgrade the cluster's Kubernetes version through the Rancher UI:
- In the upper left corner, click ☰ > Cluster Management.
- Find the cluster you want to update in the Clusters table, and click the ⋮.
- Select Edit Config.
- In the Kubernetes Version dropdown menu, select the version that you would like to use.
- Click Save.
Upgrading Custom Hardened Clusters to Kubernetes v1.25 or Later
- RKE2
- K3s
- In the upper left corner, click ☰ > Cluster Management.
- Find the cluster you want to update in the Clusters table, and click the ⋮.
- Select Edit Config.
- Under Basics > Security, in the CIS Profile dropdown menu, select
cis-1.23
. - In the Pod Security Admission Configuration Template dropdown menu, select
rancher-restricted
. - In the Kubernetes Version dropdown menu, select the version that you would like to use.
- Click Save.
- In the upper left corner, click ☰ > Cluster Management.
- Find the cluster you want to update in the Clusters table, and click the ⋮.
- Select Edit YAML.
- Delete
PodSecurityPolicy
fromkube-apiserver-arg.enable-admission-plugins
- Add this line to the
spec
field:defaultPodSecurityAdmissionConfigurationTemplateName: rancher-restricted
- Update
kubernetesVersion
to your chosen version (v1.25 or later). - Click Save.