Hi there,
tomorrow 2024-06-26 @ 08:30Z we will start enforcing new Kubernetes security rules in Toolforge [0].
We have taken measures to eliminate any user impact, but this being a potentially sensitive change, I wanted to send a heads-up email.
In a nutshell, pod-related Kubernetes resources, like Deployment or CronJob, need to have a new set of security-related attributes correctly specified.
This is because we are introducing Kyverno policies as a replacement for the deprecated PodSecurityPolicies (PSP) [1].
The new Kyverno policies have been deployed already, but are in 'Audit' mode. What we will be doing tomorrow is setting them to 'Enforce', which is the final step in this migration, before we can finally drop PSP [2].
Please report [3] any disruption that you may see.
regards.
[0] https://phabricator.wikimedia.org/T368141
[1] https://phabricator.wikimedia.org/T279110
[2] https://phabricator.wikimedia.org/T364297
[3] https://wikitech.wikimedia.org/wiki/Help:Cloud_Services_communication
cloud-admin@lists.wikimedia.org