Migrate to Kubernetes version 1.25
This procedure describes how to prepare a mimir-distributed Helm chart release for an upgrade to Kubernetes 1.25.
Background
Kubernetes version 1.25 removes support for the deprecated PodSecurityPolicy object. You can learn more about this topic by visiting PodSecurityPolicy Deprecation: Past, Present, and Future.
Due to how Helm works, PodSecurityPolicy objects must already be removed from the release prior to upgrading to Kubernetes version 1.25. If you are using PodSecurityPolicy on Kubernetes 1.24, this is a breaking change. mimir-distributed Helm chart versions before 5.0 used PodSecurityPolicy by default in Kubernetes version 1.24.
Prerequisite
- You have Kubernetes version 1.22, 1.23 or 1.24.
- This procedure is only applicable if rbac.create is true and rbac.type is psp in your current Helm values. This was the case by default before Helm chart version 5.0.
Procedure
- If rbac.create is false or rbac.type is scc, then there is nothing to do; skip the whole procedure.
- Optionally follow the Kubernetes Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Controller guide to replace PodSecurityPolicy.
- Set the rbac.create value to false.
- Upgrade the deployment. The chart will not install PodSecurityPolicy objects anymore.
Note
Grafana Mimir does not require any special permissions on the hosts that it runs on. Because of this, you can deploy it in environments that enforce the Kubernetes Restricted security policy.
Troubleshoot
If you have upgraded to Kubernetes 1.25 and see the following error containing PodSecurityPolicy during a Helm release upgrade:
resource mapping not found for name: "mimir" namespace: "" from "":
no matches for kind "PodSecurityPolicy" in version "policy/v1beta1" ensure CRDs are installed first
This happens because Helm stores the current release in a Secret in the namespace. If the current release contains removed resources, the helm command fails to determine the current state of the release.
To remove the PodSecurityPolicy from the Helm release history, follow this procedure:
- Optionally follow the Kubernetes Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Controller guide to replace PodSecurityPolicy.
- Set the rbac.create value to false.
- Remove PodSecurityPolicy from the Helm release history following the Updating API Versions of a Release Manifest Helm documentation in order to proceed with the upgrade.
- Upgrade the release. The upgrade should succeed now.
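The Troubleshoot section explains that Helm keeps the current release in a Secret. The following added example (not part of the Mimir or Helm documentation) decodes such a Secret and lists manifest entries whose kind was removed in Kubernetes 1.25. It assumes Helm 3's storage layout (JSON, gzip-compressed and base64-encoded by Helm, then base64-encoded again by the Kubernetes API); the function names and the sample release are constructed for illustration.

```python
import base64
import gzip
import json
import re

# API version/kind pairs that no longer exist on Kubernetes 1.25 (from this page).
REMOVED = {("policy/v1beta1", "PodSecurityPolicy")}

def decode_release(data_release: str) -> dict:
    """Decode the .data.release value of a Helm release Secret."""
    helm_blob = base64.b64decode(data_release)  # Kubernetes Secret encoding
    gzipped = base64.b64decode(helm_blob)       # Helm's own base64 layer
    return json.loads(gzip.decompress(gzipped))

def encode_release(release: dict) -> str:
    """Inverse of decode_release; used here only to build the constructed sample."""
    gzipped = gzip.compress(json.dumps(release).encode())
    return base64.b64encode(base64.b64encode(gzipped)).decode()

def _field(doc: str, pattern: str) -> str:
    match = re.search(pattern, doc, re.MULTILINE)
    return match.group(1).strip("\"'") if match else ""

def removed_resources(release: dict) -> list:
    """Return (apiVersion, kind, name) for each manifest document in REMOVED."""
    hits = []
    for doc in re.split(r"^---\s*$", release.get("manifest", ""), flags=re.MULTILINE):
        api = _field(doc, r"^apiVersion:\s*(\S+)")
        kind = _field(doc, r"^kind:\s*(\S+)")
        if (api, kind) in REMOVED:
            hits.append((api, kind, _field(doc, r"^  name:\s*(\S+)")))
    return hits

# Constructed sample: a release rendered with rbac.create=true and rbac.type=psp.
SAMPLE_MANIFEST = """---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: mimir
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: mimir
"""
SAMPLE_SECRET = encode_release({"name": "mimir", "version": 3, "manifest": SAMPLE_MANIFEST})

if __name__ == "__main__":
    print(removed_resources(decode_release(SAMPLE_SECRET)))
```

To check a real release, pass decode_release the .data.release value of the release Secret, for example the output of kubectl get secret <secret-name> -n <namespace> -o jsonpath='{.data.release}'. An empty result means the stored manifest no longer references PodSecurityPolicy.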