Hi community,
We’re planning to upgrade our Kubernetes cluster from v1.24.14 to v1.25.9 using Kubespray. We are currently using PodSecurityPolicies (PSPs), which we know are deprecated and removed in v1.25. PSPs are currently being used by Calico (for networking) and Istio (as a service mesh).
To avoid issues during the upgrade and ensure zero downtime, I’m looking for guidance on the best approach to safely remove PSPs.
Here’s the plan I’m considering:
- Annotate the calico namespace to enforce privileged Pod Security Admission (PSA) mode
- Annotate the istio-system namespace and other application namespaces with baseline mode
mode - Remove all existing PSP resources and PSP-related RBAC before upgrade
- Upgrade the cluster using Kubespray
Questions:
- Is this a safe and complete plan for PSP removal and ensuring smooth operation of Calico and Istio after the upgrade?
- Are there additional considerations or recommended steps (e.g., testing with dry-run, PSA audit mode, etc.)?
- Has anyone done this with Kubespray—any gotchas specific to the Kubespray upgrade process?
Thanks in advance!
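
A staged version of the namespace steps in the plan above, added here as an example and not part of the original post. Pod Security Admission reads its levels from namespace labels under `pod-security.kubernetes.io/`, so the script prints `kubectl label` commands in the order dry run, audit/warn, enforce. The `my-app` namespace is a placeholder for the application namespaces, and the script assumes the PodSecurity admission plugin is enabled on the cluster.

```shell
#!/bin/sh
# Constructed example: staged PSA rollout for the namespaces named in the plan.
# "my-app" is a placeholder namespace, not one taken from the post.
PSA=pod-security.kubernetes.io

# Print the kubectl commands for one namespace, in the order to run them.
psa_plan() {  # usage: psa_plan <namespace> <level>
    ns=$1
    level=$2
    case $level in
        privileged|baseline|restricted) ;;
        *) echo "unknown PSA level: $level" >&2; return 1 ;;
    esac
    # 1. Server-side dry run: the API server returns warnings for existing
    #    pods that would violate the level, without changing the namespace.
    echo "kubectl label --dry-run=server --overwrite ns $ns $PSA/enforce=$level"
    # 2. Non-blocking modes first: violations appear as audit annotations
    #    and client-side warnings while PSPs are still in place.
    echo "kubectl label --overwrite ns $ns $PSA/audit=$level $PSA/warn=$level"
    # 3. Enforce only after steps 1 and 2 come back clean.
    echo "kubectl label --overwrite ns $ns $PSA/enforce=$level"
}

# Namespace/level pairs from the plan in the post.
psa_plan_all() {
    psa_plan calico privileged &&
    psa_plan istio-system baseline &&
    psa_plan my-app baseline
}

# Prints the commands only; nothing is applied to the cluster here.
psa_plan_all
```

Review the dry-run warnings for each namespace before running the enforce command, and only then delete the PSP objects and their RBAC bindings.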