Upgrading a Hardened Custom/Imported Cluster to Kubernetes v1.25

Kubernetes v1.25 changes how clusters describe and implement security policies. From this version forward, Pod Security Policies (PSPs) are no longer available. Kubernetes v1.25 replaces them with new security objects: Pod Security Standards (PSS), and Pod Security Admissions (PSAs).

If you have custom or imported hardened clusters, you must take special preparations to ensure that the upgrade from an earlier version of Kubernetes to v1.25 or later goes smoothly.

After you upgrade to v1.25, add the necessary Rancher namespace exemptions. See Pod Security Admission (PSA) Configuration Templates for more details.

Upgrading Imported Hardened Clusters to Kubernetes v1.25 or Later

  • RKE2

  • K3s

Perform the following on each node in the cluster:

  1. Save rancher-psact.yaml in /etc/rancher/rke2.

  2. Edit the RKE2 configuration file:

    1. Update the profile field to cis-1.23.

    2. Specify the path for the configuration file that you just added: pod-security-admission-config-file: /etc/rancher/rke2/rancher-psact.yaml.

Perform the following on each node in the cluster:

Follow the official K3s instructions on Upgrading Hardened Clusters from v1.24.x to v1.25.x, but use a custom Rancher PSA configuration template, instead of the configuration provided on the official K3s site.

After you perform these steps, you can upgrade the cluster’s Kubernetes version through the Rancher UI:

  1. In the upper left corner, click ☰ > Cluster Management.

  2. Find the cluster you want to update in the Clusters table, and click the .

  3. Select Edit Config.

  4. In the Kubernetes Version dropdown menu, select the version that you would like to use.

  5. Click Save.

Upgrading Custom Hardened Clusters to Kubernetes v1.25 or Later

  • RKE2

  • K3s

  1. In the upper left corner, click ☰ > Cluster Management.

  2. Find the cluster you want to update in the Clusters table, and click the .

  3. Select Edit Config.

  4. Under menu:Basics[Security], in the CIS Profile dropdown menu, select cis-1.23.

  5. In the Pod Security Admission Configuration Template dropdown menu, select rancher-restricted.

  6. In the Kubernetes Version dropdown menu, select the version that you would like to use.

  7. Click Save.

  1. In the upper left corner, click ☰ > Cluster Management.

  2. Find the cluster you want to update in the Clusters table, and click the .

  3. Select Edit YAML.

  4. Delete PodSecurityPolicy from kube-apiserver-arg.enable-admission-plugins

  5. Add this line to the spec field: defaultPodSecurityAdmissionConfigurationTemplateName: rancher-restricted

  6. Update kubernetesVersion to your chosen version (v1.25 or later).

  7. Click Save.