PSP Breaks BigBang 1.0.0 not sure if upstream, Integration, or Documentation Issue
Bottom Line Up Front: PSPs (Pod Security Policies) prevent OPA Gatekeeper from deploying, which prevents everything else from deploying. I suspect we may be able to fix support for PSPs in the upstream helm chart. Otherwise we'd need to say we don't support PSPs and document it. It's something the BigBang team hasn't discussed as far as I know, so it would need discussion after folks get back from the holidays.
Background Context: Alexander Petrov was able to successfully deploy BigBang v1.0.0 on v1.18.12+rke2r2 on Dec 21st. On Dec 23rd he tried v1.18.13+rke2r1; BigBang failed to deploy, so he requested a troubleshooting session. Here are some notes from our 1:1 session.
Symptom/Description: `kubectl get helmreleases -n=bigbang` showed the BigBang HelmRelease as successful, the OPA Gatekeeper HelmRelease timed out waiting for condition, and everything else pending (which makes sense given that OPA Gatekeeper deploys first).
When we checked the gatekeeper-system namespace, we saw deployments but no pods. `kubectl logs kube-controller-manager -n=kube-system` showed why:

```
I1223 17:55:29.460545 1 event.go:278] Event(v1.ObjectReference{Kind:"ReplicaSet", Namespace:"gatekeeper-system", Name:"gatekeeper-controller-manager-5b9cf6c85d", UID:"ddd27375-c894-4af9-91be-cacf244a60bf", APIVersion:"apps/v1", ResourceVersion:"44016", FieldPath:""}): type: 'Warning' reason: 'FailedCreate' Error creating: pods "gatekeeper-controller-manager-5b9cf6c85d-" is forbidden: unable to validate against any pod security policy: [pod.metadata.annotations[container.seccomp.security.alpha.kubernetes.io/manager]: Forbidden: seccomp may not be set pod.metadata.annotations[container.seccomp.security.alpha.kubernetes.io/manager]: Forbidden: seccomp may not be set pod.metadata.annotations[container.seccomp.security.alpha.kubernetes.io/manager]: Forbidden: seccomp may not be set]
```
`kubectl get psp -A` showed that RKE2 shipped with 3 PSPs (1 unrestricted, 2 other ones).
Alex and I didn't find a solution, but I suggested the following short-term options to him:
- Opt A. Roll back to the version that worked / didn't default to PSP enforcement.
- Opt B. Research how to disable PSP enforcement cluster-wide.
- Opt C. Research how to edit the deployment or service account, or however it's done, to attach the unrestricted PSP to the OPA Gatekeeper deployments.
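As an added illustration of Opt C (this is not from the BigBang or Gatekeeper charts, and nobody on the call wrote it): the `Forbidden: seccomp may not be set` errors in the controller-manager log are what PSP admission emits when the pod carries a seccomp annotation but none of the PSPs the pod's service account may `use` carries a `seccomp.security.alpha.kubernetes.io/allowedProfileNames` annotation. Rather than binding the unrestricted PSP, a narrower policy that only adds the seccomp allowance can be bound to the service accounts in `gatekeeper-system`. The `bigbang-gatekeeper-*` names are hypothetical, and `runtime/default` is an assumption about which profile the chart's `container.seccomp.security.alpha.kubernetes.io/manager` annotation requests.

```yaml
# Added example, not code from the BigBang or Gatekeeper projects.
# Names prefixed "bigbang-gatekeeper-" are hypothetical; the seccomp profile
# "runtime/default" is an assumption about what the chart's annotation requests.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: bigbang-gatekeeper-psp
  annotations:
    # Without allowedProfileNames, PSP admission rejects every pod or container
    # seccomp annotation with "Forbidden: seccomp may not be set".
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default,docker/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
  # Keep the rest of the policy restrictive; only the seccomp allowance is new.
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  readOnlyRootFilesystem: false
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
---
# Grants the "use" verb on exactly this policy and nothing else.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: bigbang-gatekeeper-psp-user
rules:
  - apiGroups: ['policy']
    resources: ['podsecuritypolicies']
    verbs: ['use']
    resourceNames: ['bigbang-gatekeeper-psp']
---
# Pods created by the ReplicaSet controller are authorized against the pod's
# own service account, so the binding targets service accounts, not a user.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: bigbang-gatekeeper-psp-user
  namespace: gatekeeper-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: bigbang-gatekeeper-psp-user
subjects:
  # Every service account in the namespace, so this does not depend on the
  # chart's service account name (which may differ between chart versions).
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: system:serviceaccounts:gatekeeper-system
```

Apply the manifest before the Gatekeeper HelmRelease reconciles (or delete the stuck ReplicaSets afterwards so the controller retries). A quick check that the binding took effect is `kubectl auth can-i use podsecuritypolicy/bigbang-gatekeeper-psp --as=system:serviceaccount:gatekeeper-system:<service-account>`, substituting the service account the chart actually creates. Note that PSP admission picks the first policy (in alphabetical order) that validates the pod, so a stricter RKE2 policy bound to the same subjects will not override this one as long as this one validates. PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25, so whatever BigBang decides here is specific to clusters still running the admission plugin.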
To Do:
- Support for PSPs probably warrants a charter discussion of whether we officially support PSPs; I vote yes since we are .mil and support the DoD.
- Then, if we agree we support PSPs, there's the question of how we go about doing so. Are we going to create a PSP helm chart that deploys ones we can guarantee exist regardless of the Kubernetes distro, and have OPA GK and the other BigBang tools reference those settings?