Add PSP to the deprecation guide

[tallclair]

See also #26581

/cc @deads2k

[tallclair]

@reylejano missed your comment before pushing this - how do you want to handle it? This information seems relevant prior to v1.21 being released, so I'd vote to keep it on the main branch.

[netlify]

Deploy preview for kubernetes-io-master-staging ready!

Built with commit ce2e5f8

https://deploy-preview-26629--kubernetes-io-master-staging.netlify.app

[reylejano]

/assign
@cc @sftim @kbhawkey @jimangel @irvifa

@tallclair I've cc'd sig-docs leads to get their input

[liggitt]

my initial version kept this page limited to things with clear replacements. I was going to see what shook out for PSP this release, and if cronjob graduates to v1 as expected in 1.21, update this section for both of them after that.

[liggitt]

also, PSP deprecation is getting released with 1.21, so I'd hold this at least until then

[sftim]

I'm OK with merging this into the live website before v1.21 released, provided that:

• the deprecation in v1.21 is planned out, including how we communicate it
• we are confident beyond any reasonable doubt of the deprecation timeline, we are committing ourselves to make exactly the changes we're documenting here
• we make this update in tandem with the broader piece about communiction

[sftim]

See PR #27369, Add blog post describing PSP deprecation and next steps.

[sftim]

(now merged)

[liggitt]

Suggested change

	* Migrate manifests and API client to use the **policy/v1beta1** API version, available since v1.10.
	* Migrate manifests and API clients to use the **policy/v1beta1** API version, available since v1.10.

[liggitt]

Suggested change

	* Note that the **policy/v1beta1** API version of PodSecurityPolicy will be removed in v1.25.
	* Note that the **policy/v1beta1** API version of PodSecurityPolicy is also deprecated and will be removed in v1.25.

[liggitt]

Suggested change

	PodSecurityPolicy in the **policy/v1beta1** API version will no longer be served in v1.25, and the PodSecurityPolicy admission controller will be removed.
	The **policy/v1beta1** API version of PodSecurityPolicy will no longer be served in v1.25, and the PodSecurityPolicy admission plugin will be removed.

[sftim]

Would be good to add this, but I don't see it blocking a merge.

[liggitt]

I would avoid putting uncertain future-looking statements in this doc

Suggested change

	PodSecurityPolicy replacements are still under discussion, but current use can be migrated to
	Current use can be migrated to

[sftim]

We can link to the blog article from #27369, which I believe is due to merge and publish before the v1.21 release. Usually we don't link to blog articles for information about features but in this case I (confidently) think that's a good idea.

[annajung]

/hold until consensus on adding this to main vs dev-1.21 branch
feel free to remove hold when a decision has been reached

cc @palnabarun

[kbhawkey]

👋 @tallclair .
I'm a bit surprised that this page includes information about future feature deprecations (about 1 yr away?).

nit: PodSecurityPolicy replacements are still under discussion; however, you can migrate current PodSecurityPolicy resources to ...

[liggitt]

the ones already included in the page in master are current deprecations (if you kubectl get those resources on a 1.20 API server, you get a message that they are deprecated, when they'll be removed, and what you should switch to using)

[sftim]

current deprecations

makes sense to me

We could merge this change at the same time as the deprecation announcement.

[tengqm]

SInce PSP deprecation is targeted 1.21, please consider submit this to the dev-1.21 branch.

[reylejano]

/milestone 1.21
/assign @tengqm
/sig auth

[tengqm]

@annajung I was suggesting this going into dev-1.21 branch because PSP is not deprecated in 1.20 yet. Considering that the target page already contains some future predicting contents, maybe we can lift the hold on this?

[liggitt]

Considering that the target page already contains some future predicting contents, maybe we can lift the hold on this?

I intentionally limited this page to items already announced as deprecated in a released version, which had an unequivocal "switch to use ____" call to action. Neither of those is yet true for PSP, so I wouldn't merge this to master yet.

[reylejano]

I intentionally limited this page to items already announced as deprecated in a released version, which had an unequivocal "switch to use ____" call to action. Neither of those is yet true for PSP, so I wouldn't merge this to master yet.

@liggitt @tallclair How about submitting this PR to the dev-1.21 branch so that it merges with master on the 1.21 release date (April 8). March 31 is the "ready to merge" deadline for the dev-1.21 and the PR can be modified until then.

[sftim]

We published https://blog.k8s.io/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/

[sftim]

/lgtm

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: c6ccb356f9965f6eaf628f55cdd7b7d52af3b580

[sftim]

Not unholding, but I recommend that whoever approves this does also unhold it.

[reylejano]

Hi @tallclair , what do you think of the suggestion of replacing controller with plugin in L54. The PSP blog post is live now, what do you think of linking to the blog post. This PR can stay targeted to the master branch

[sftim]

I'm definitely happy to see this merge in even if there are nits. The commit in the PR right now could be polished, but is factually accurate enough to merge.

[reylejano]

/hold cancel
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: reylejano

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• content/en/OWNERS [reylejano]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment