GoogleCloudPlatform / gke-policy-library

Google Kubernetes Engine Policy Library
https://cloud.google.com/anthos-config-management/docs/concepts/policy-controller
Apache License 2.0

PSS Restricted v2022 installation fails because of missing K8sPSSRunAsNonRoot CRD #173

Closed by sshcherbakov 5 months ago

sshcherbakov commented 5 months ago

I have tried installing the "PSS Restricted v2022" bundle via Config Sync to an Anthos on Bare Metal cluster with bundles installed via Policy Controller in Cloud Console.

In Config Sync I see multiple error messages about missing CRDs:

[Screenshot: Config Sync error messages about missing CRDs]

When I try to install the "PSS Restricted v2022" bundle from this project directly using the installation command

kubectl apply -k https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/pss-restricted-v2022

I get the following error during installation:

error: resource mapping not found for name: "pss-restricted-v2022-running-as-non-root" namespace: "" from "https://github.com/GoogleCloudPlatform/gke-policy-library.git/anthos-bundles/pss-restricted-v2022": no matches for kind "K8sPSSRunAsNonRoot" in version "constraints.gatekeeper.sh/v1beta1"
ensure CRDs are installed first

Where can I find the K8sPSSRunAsNonRoot constrainttemplate definition?

sshcherbakov commented 5 months ago

K8sPSSRunAsNonRoot was introduced in Policy Controller 1.17.3. Once I upgraded to that version, the bundle was successfully installed. Closing the ticket.

lesaux commented 1 month ago

Thank you for documenting this! I ran into this today.
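
A pre-flight check for the failure reported in this issue, added here as an example and not part of the thread or the project: it lists the constraint kinds in a rendered bundle that have no installed ConstraintTemplate, relying on Gatekeeper's rule that a template is named after its kind in lower case. The function names are made up for this example, and the check assumes kubectl points at the target cluster.

```shell
# Added example, not from the issue thread. Function names are hypothetical.

# Print the kind of every constraints.gatekeeper.sh object in the
# multi-document YAML read from stdin (top-level keys only).
constraint_kinds() {
  awk '
    function emit() {
      if (api ~ /^constraints\.gatekeeper\.sh\// && kind != "") print kind
      api = ""; kind = ""
    }
    /^---/         { emit(); next }
    /^apiVersion:/ { api = $2;  gsub(/"/, "", api) }
    /^kind:/       { kind = $2; gsub(/"/, "", kind) }
    END            { emit() }
  ' | sort -u
}

# missing_templates BUNDLE_YAML INSTALLED
#   BUNDLE_YAML: rendered bundle, e.g. output of `kubectl kustomize`
#   INSTALLED:   output of `kubectl get constrainttemplates -o name`
# Prints each constraint kind without a template; returns 1 if any is missing.
missing_templates() {
  installed=$(sed 's|.*/||' "$2")   # keep only the template name
  rc=0
  for kind in $(constraint_kinds < "$1"); do
    name=$(printf '%s' "$kind" | tr '[:upper:]' '[:lower:]')
    if ! printf '%s\n' "$installed" | grep -Fqx "$name"; then
      echo "$kind"
      rc=1
    fi
  done
  return $rc
}

# check_bundle KUSTOMIZE_TARGET: run the check against the current context.
check_bundle() {
  tmp=$(mktemp -d) || return 2
  kubectl kustomize "$1" > "$tmp/bundle.yaml" &&
    kubectl get constrainttemplates -o name > "$tmp/installed" &&
    missing_templates "$tmp/bundle.yaml" "$tmp/installed"
  rc=$?
  rm -rf "$tmp"
  return $rc
}
```

Source the file and call `check_bundle` with the same target passed to `kubectl apply -k`; any kind it prints needs a Policy Controller version that ships the matching template before the bundle will apply.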