Hello, I am looking to upgrade rke2 clusters from 1.24.x to 1.25x. https://github.com/rancher/rke2/releases/tag/v1.25.0%2Brke2r1 release notes mention this:

Kubernetes v1.25 removes the beta PodSecurityPolicy admission plugin. Please follow the upstream documentation to migrate from PSP if using the built-in PodSecurity Admission Plugin, prior to upgrading to v1.25.0+rke2r1.

While upstream documentation tells me to disable

PodSecurityPolicy

admission plugin. I’ve removed it from

kube-apiserver-arg

enable-admission-plugins=NodeRestriction

but it still somehow added back… I am guessing it is enforced by RKE2 hardening so what I actually got is:

I0622 09:17:49.341327       1 flags.go:64] FLAG: --enable-admission-plugins="[NodeRestriction,PodSecurityPolicy,NodeRestriction]"

I also tried to add

--disable-admission-plugins="[PodSecurityPolicy]"

but this cause api server to fail

"command failed" err="[PodSecurityPolicy] in enable-admission-plugins and disable-admission-plugins overlapped"

So my question is: How do I disable

PodSecurityPolicy

admission plugin to be able to remove all PSP before upgrading to 1.25.x 🙏