NSX Application Platform upgrade failed with error "no matches for kind "PodSecurityPolicy"
search cancel

NSX Application Platform upgrade failed with error "no matches for kind "PodSecurityPolicy"

book

Article ID: 380233

calendar_today

Updated On:

Products

VMware vDefend Firewall VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

During NSX Application Platform upgrade, upgrade failed with the error: no matches for kind "PodSecurityPolicy" in version "policy/v1beta1"

Environment

NSX Application Platform 4.1.2

Cause

When NSX Application Platform is installed in Kubernetes version less than 1.25, PodSecurityPolicy in the version "policy/v1beta1" is installed. This API is removed in 1.25+. Helm stores this API in the manifest.

When we upgrade Kubernetes to 1.25+ and perform helm upgrades, the helm manifest cannot match this API in the current Kubernetes environment because PSP was removed in 1.25. So the helm complains about this and errors out.

This issue only happened when:
1. Current NSX Application Platform is 4.1.2.0
2. Upgrading Kubernetes Cluster to 1.25+ after deploying or upgrading NSX Application Platform to 4.1.2.0
3. Upgrading NSX Application Platform from 4.1.2.0 to 4.1.2.1

Resolution

Please perform the below steps to workaround the issue :

(1) Upgrade to 4.2.0 ( as the issue is observed only during 4.1.2.0 - 4.1.2.1 upgrade window)

OR

(2) 

 Install helm mapkubeapis plugin to clean up the manifest

SSH to the NSX Manager, run following commands to install helm mapkubeapis plugin and clean up the manifest

a. wget https://github.com/helm/helm-mapkubeapis/releases/download/v0.5.2/helm-mapkubeapis_0.5.2_darwin_amd64.tar.gz
b. mkdir mapkubeapis
c. tar xvfz helm-mapkubeapis_0.5.2_darwin_amd64.tar.gz  -C mapkubeapis/
d. napp-h plugin install /root/mapkubeapis/
e. napp-h mapkubeapis cert-manager -n cert-manager
f. napp-h mapkubeapis projectcontour -n projectcontour
g. napp-h mapkubeapis nsxi-platform -n nsxi-platform
h. napp-h mapkubeapis metrics -n nsxi-platform