Refresh PSP migration guidelines

[flavio]

The information we have inside of of the psp-migration documentation are outdated and not working anymore.

These are some of issues that we face:

• The psp-migration script is producing old Kubewarden CRDs: both policy/v1beta1 and v1alpha2
• The version of the policies being recommended is pretty old
• The pod-privileged policy being used is extremely old. The version used was produced using AssemblyScript as programming language. Due to some AssemblyScript quirks, the policy cannot be ran by Policy Server when the "policy evaluation timeout protection" is used. Latest versions of the policy have been rewritten with Rust, hence they work just fine

Actions to perform

• [x] Make a PR against the psp-migration tool to ensure latest version of Kubewarden CRDs and Kubewarden policies are being used
• [x] Update the psp-migration page of the Kubewarden doc to reflect the new output produced by the tool: https://github.com/kubewarden/docs/issues/207
• [x] Update the blog post about psp-migration to include a warning message: https://github.com/kubewarden/kubewarden.io/issues/185

[viccuad]

Given that we don't control avia/psp-migration, should we add an e2e test for this, so we catch this in the future?

[flavio]

I think the main issues with the code generated by the psp-migration tool are:

• Reference old version of our CRDs: we don't change them that often, I think we can fix that by hand the next time something is changed
• Reference old versions of the policies: even if there are no significant code changes, from time to time we update the polices.

I would invest time not in building e2e tests, but on doing some update-cli automation to address the second problem. If appvia doesn't accept our PRs we can think about other solutions

[jvanz]

We do not need to update the AppVia tool. They have a renovate bot wich always bump our policies version.

2de845e - Update ghcr.io/kubewarden/policies/sysctl-psp Docker tag to v0.1.12 (4 weeks ago) <renovate[bot]>
750ac4f - Update ghcr.io/kubewarden/policies/hostpaths-psp Docker tag to v0.1.10 (4 weeks ago) <renovate[bot]>
562aab8 - Update ghcr.io/kubewarden/policies/volumes-psp Docker tag to v0.1.11 (3 months ago) <renovate[bot]>
3e45cd9 - bump all kubewarden lib versions (3 months ago) <Chris Nesbitt-Smith>

What we need to do is to bump the tool version used in out migration script.

[flavio]

Have they upgraded the api version used when generating the (Cluster)AdmissionPolicy yaml files?

[jvanz]

Have they upgraded the api version used when generating the (Cluster)AdmissionPolicy yaml files?

Actually, we have done that ( I did not remember that ):

commit f8522f4cf8bb6f06cf448682d52de861e88bd39d
Author: José Guilherme Vanz <1514798+jvanz@users.noreply.github.com>
Date:   Mon Jul 4 10:02:04 2022 -0300

    Create Kuberwarden v1 CRDs. (#231)

    Kubewarden bumped the CRDs version to v1. This commit updates the code
    and tests to use the latest released CRDs version.

diff --git a/src/kubewarden.ts b/src/kubewarden.ts
index 4abedef..1c59ccb 100644
--- a/src/kubewarden.ts
+++ b/src/kubewarden.ts
@@ -151,7 +151,7 @@ export function transform_kubewarden(PSP: k8s.V1beta1PodSecurityPolicy): object[

 export function kubewarden_policy_helper(name: string, module: string, settings: any = null, mutating: boolean = false) {
   return {
-    apiVersion: "policies.kubewarden.io/v1alpha2",
+    apiVersion: "policies.kubewarden.io/v1",
     kind: "ClusterAdmissionPolicy",
     metadata: {
       name: `psp-${name.toLowerCase()}`,

[flavio]

Closing, there's nothing left to be done :clap: