Question about version in PSA labels


Jimmy Shen

Jul 17, 2023, 5:27:36 PM
to kubernetes-sig-auth
In this doc, it mentions optionally we can set
pod-security.kubernetes.io/<MODE>-version: <VERSION>

And if it isn't set, the value defaults to "latest".

Want to clarify what "latest" means here. Let's say our k8s cluster is not on the most recent version, say we are on 1.23. Does the "latest" here mean "v1.23"? Or does it mean the latest Kubernetes version available (I believe it's 1.27 now)?

And do you see a disadvantage of not setting the version and defaulting to "latest"? I am asking in the context of doing a Kubernetes version upgrade. Let's say I want to upgrade; I want to NOT set the version label and let it default to "latest" so that I don't have to change the pinned version every time I perform an upgrade.



Jordan Liggitt

Jul 17, 2023, 5:37:04 PM
to Jimmy Shen, kubernetes-sig-auth
It means the latest policy known to the apiserver, so if you are running a 1.23 server, "latest" means that server will enforce 1.23-level policies.

The requirements for the PSA levels (especially the `restricted` level) can change over time. If you leave the version unspecified or use "latest", and upgrade to a release that added another requirement to the "restricted" level, any workloads which weren't compliant with the new requirement wouldn't be able to create new pods until they were updated. Pinning your restricted level to "1.23", upgrading your cluster to 1.24, then dry-running an update of your restricted level from "1.23" back to "latest" would tell you if you had workloads that needed fixup in a non-disruptive way.

--
You received this message because you are subscribed to the Google Groups "kubernetes-sig-auth" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-sig-...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-sig-auth/32782dab-64b1-4d9d-8fc0-8d07cf1097b6n%40googlegroups.com.
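The pin / upgrade / dry-run sequence Jordan describes, written out as kubectl commands. This is an added example, not from the thread or the Kubernetes project; it assumes kubectl is on PATH pointing at the cluster, that the namespace name is a placeholder, and that version label values take the form `v1.23` or `latest`.

```shell
#!/usr/bin/env bash
# Added example: pin the enforced PSA policy before an upgrade, then use a
# server-side dry-run to find workloads that would break under the newer policy.
set -euo pipefail

PSA_PREFIX="pod-security.kubernetes.io"

# Print the two labels for one PSA mode (enforce|audit|warn):
#   <prefix>/<mode>=<level> <prefix>/<mode>-version=<version>
# VERSION defaults to "latest", which is also what the API server assumes
# when the -version label is absent.
psa_label() {            # usage: psa_label MODE LEVEL [VERSION]
  local mode="$1" level="$2" version="${3:-latest}"
  printf '%s/%s=%s %s/%s-version=%s' \
    "$PSA_PREFIX" "$mode" "$level" "$PSA_PREFIX" "$mode" "$version"
}

# Step 1 (before upgrading): pin enforcement to the release you are running,
# e.g. psa_pin my-namespace v1.23. "latest" would otherwise silently move to
# the new release's restricted policy the moment the apiserver is upgraded.
psa_pin() {              # usage: psa_pin NAMESPACE VERSION
  # shellcheck disable=SC2046  (intentional split into two key=value args)
  kubectl label --overwrite namespace "$1" $(psa_label enforce restricted "$2")
}

# Step 2 (after upgrading the cluster): dry-run moving the pin back to "latest".
# --dry-run=server makes the API server run Pod Security Admission against the
# existing pods in the namespace and return a warning per pod that would no
# longer be admitted, without changing the namespace.
psa_check_latest() {     # usage: psa_check_latest NAMESPACE
  # shellcheck disable=SC2046
  kubectl label --dry-run=server --overwrite namespace "$1" \
    $(psa_label enforce restricted latest)
}

# Step 3 (once the warned workloads are fixed): apply the move for real.
psa_unpin() {            # usage: psa_unpin NAMESPACE
  # shellcheck disable=SC2046
  kubectl label --overwrite namespace "$1" $(psa_label enforce restricted latest)
}
```

Run `psa_pin NS v1.23` before the upgrade and `psa_check_latest NS` afterwards; no warnings means the namespace can be unpinned without disrupting running workloads.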

Jimmy Shen

Jul 17, 2023, 5:58:31 PM
to kubernetes-sig-auth
Cool, that makes a lot of sense! Thank you so much for the quick response!