Skip to main content
Version: v2.7

Upgrading a Hardened Custom/Imported Cluster to Kubernetes v1.25

Kubernetes v1.25 changes how clusters describe and implement security policies. From this version forward, Pod Security Policies (PSPs) are no longer available. Kubernetes v1.25 replaces them with new security objects: Pod Security Standards (PSS), and Pod Security Admissions (PSAs).

If you have custom or imported hardened clusters, you must take special preparations to ensure that the upgrade from an earlier version of Kubernetes to v1.25 or later goes smoothly.

note

After you upgrade to v1.25, add the necessary Rancher namespace exemptions. See Pod Security Admission (PSA) Configuration Templates for more details.

Upgrading Imported Hardened Clusters to Kubernetes v1.25 or Later

Perform the following on each node in the cluster:

  1. Save rancher-psact.yaml in /etc/rancher/rke2.
  2. Edit the RKE2 configuration file:
    1. Update the profile field to cis-1.23.
    2. Specify the path for the configuration file that you just added: pod-security-admission-config-file: /etc/rancher/rke2/rancher-psact.yaml.

After you perform these steps, you can upgrade the cluster's Kubernetes version through the Rancher UI:

  1. In the upper left corner, click ☰ > Cluster Management.
  2. Find the cluster you want to update in the Clusters table, and click the .
  3. Select Edit Config.
  4. In the Kubernetes Version dropdown menu, select the version that you would like to use.
  5. Click Save.

Upgrading Custom Hardened Clusters to Kubernetes v1.25 or Later

  1. In the upper left corner, click ☰ > Cluster Management.
  2. Find the cluster you want to update in the Clusters table, and click the .
  3. Select Edit Config.
  4. Under Basics > Security, in the CIS Profile dropdown menu, select cis-1.23.
  5. In the Pod Security Admission Configuration Template dropdown menu, select rancher-restricted.
  6. In the Kubernetes Version dropdown menu, select the version that you would like to use.
  7. Click Save.