Skip to content
Snippets Groups Projects
Unverified Commit 471326f4 authored by Max Gautier's avatar Max Gautier Committed by GitHub
Browse files

Remove PodSecurityPolicy support and references (#10723) 

This is removed from kubernetes since 1.25, time to cut some dead code.
parent 7395c279
No related branches found
No related tags found
No related merge requests found
Show whitespace changes
Inline Side-by-side
Showing
with 3 additions and 380 deletions
docs/hardening.md
+ 1
1
View file @ 471326f4
...@@ -120,7 +120,7 @@ kube_pod_security_default_enforce: restricted ...@@ -120,7 +120,7 @@ kube_pod_security_default_enforce: restricted
Let's take a deep look to the resultant **kubernetes** configuration: Let's take a deep look to the resultant **kubernetes** configuration:
* The `anonymous-auth` (on `kube-apiserver`) is set to `true` by default. This is fine, because it is considered safe if you enable `RBAC` for the `authorization-mode`. * The `anonymous-auth` (on `kube-apiserver`) is set to `true` by default. This is fine, because it is considered safe if you enable `RBAC` for the `authorization-mode`.
* The `enable-admission-plugins` has not the `PodSecurityPolicy` admission plugin. This because it is going to be definitely removed from **kubernetes** `v1.25`. For this reason we decided to set the newest `PodSecurity` (for more details, please take a look here: <https://kubernetes.io/docs/concepts/security/pod-security-admission/>). Then, we set the `EventRateLimit` plugin, providing additional configuration files (that are automatically created under the hood and mounted inside the `kube-apiserver` container) to make it work. * The `enable-admission-plugins` includes `PodSecurity` (for more details, please take a look here: <https://kubernetes.io/docs/concepts/security/pod-security-admission/>). Then, we set the `EventRateLimit` plugin, providing additional configuration files (that are automatically created under the hood and mounted inside the `kube-apiserver` container) to make it work.
* The `encryption-provider-config` provide encryption at rest. This means that the `kube-apiserver` encrypt data that is going to be stored before they reach `etcd`. So the data is completely unreadable from `etcd` (in case an attacker is able to exploit this). * The `encryption-provider-config` provide encryption at rest. This means that the `kube-apiserver` encrypt data that is going to be stored before they reach `etcd`. So the data is completely unreadable from `etcd` (in case an attacker is able to exploit this).
* The `rotateCertificates` in `KubeletConfiguration` is set to `true` along with `serverTLSBootstrap`. This could be used in alternative to `tlsCertFile` and `tlsPrivateKeyFile` parameters. Additionally it automatically generates certificates by itself. By default the CSRs are approved automatically via [kubelet-csr-approver](https://github.com/postfinance/kubelet-csr-approver). You can customize approval configuration by modifying Helm values via `kubelet_csr_approver_values`. * The `rotateCertificates` in `KubeletConfiguration` is set to `true` along with `serverTLSBootstrap`. This could be used in alternative to `tlsCertFile` and `tlsPrivateKeyFile` parameters. Additionally it automatically generates certificates by itself. By default the CSRs are approved automatically via [kubelet-csr-approver](https://github.com/postfinance/kubelet-csr-approver). You can customize approval configuration by modifying Helm values via `kubelet_csr_approver_values`.
See <https://kubernetes.io/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/> for more information on the subject. See <https://kubernetes.io/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/> for more information on the subject.
......
docs/vars.md
+ 0
2
View file @ 471326f4
...@@ -254,8 +254,6 @@ node_taints: ...@@ -254,8 +254,6 @@ node_taints:
- "node.example.com/external=true:NoSchedule" - "node.example.com/external=true:NoSchedule"
``` ```
* *podsecuritypolicy_enabled* - When set to `true`, enables the PodSecurityPolicy admission controller and defines two policies `privileged` (applying to all resources in `kube-system` namespace and kubelet) and `restricted` (applying all other namespaces).
Addons deployed in kube-system namespaces are handled.
* *kubernetes_audit* - When set to `true`, enables Auditing. * *kubernetes_audit* - When set to `true`, enables Auditing.
The auditing parameters can be tuned via the following variables (which default values are shown below): The auditing parameters can be tuned via the following variables (which default values are shown below):
* `audit_log_path`: /var/log/audit/kube-apiserver-audit.log * `audit_log_path`: /var/log/audit/kube-apiserver-audit.log
......
inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml
+ 0
9
View file @ 471326f4
...@@ -243,15 +243,6 @@ kubernetes_audit: false ...@@ -243,15 +243,6 @@ kubernetes_audit: false
# kubelet_config_dir: # kubelet_config_dir:
default_kubelet_config_dir: "{{ kube_config_dir }}/dynamic_kubelet_dir" default_kubelet_config_dir: "{{ kube_config_dir }}/dynamic_kubelet_dir"
# pod security policy (RBAC must be enabled either by having 'RBAC' in authorization_modes or kubeadm enabled)
podsecuritypolicy_enabled: false
# Custom PodSecurityPolicySpec for restricted policy
# podsecuritypolicy_restricted_spec: {}
# Custom PodSecurityPolicySpec for privileged policy
# podsecuritypolicy_privileged_spec: {}
# Make a copy of kubeconfig on the host that runs Ansible in {{ inventory_dir }}/artifacts # Make a copy of kubeconfig on the host that runs Ansible in {{ inventory_dir }}/artifacts
# kubeconfig_localhost: false # kubeconfig_localhost: false
# Use ansible_host as external api ip when copying over kubeconfig. # Use ansible_host as external api ip when copying over kubeconfig.
......
roles/kubernetes-apps/ansible/defaults/main.yml
+ 1
1
View file @ 471326f4
...@@ -81,7 +81,7 @@ netchecker_etcd_memory_limit: 256M ...@@ -81,7 +81,7 @@ netchecker_etcd_memory_limit: 256M
netchecker_etcd_cpu_requests: 100m netchecker_etcd_cpu_requests: 100m
netchecker_etcd_memory_requests: 128M netchecker_etcd_memory_requests: 128M
# SecurityContext when PodSecurityPolicy is enabled # SecurityContext (user/group)
netchecker_agent_user: 1000 netchecker_agent_user: 1000
netchecker_server_user: 1000 netchecker_server_user: 1000
netchecker_agent_group: 1000 netchecker_agent_group: 1000
......
roles/kubernetes-apps/ansible/tasks/netchecker.yml
+ 0
9
View file @ 471326f4
...@@ -24,15 +24,6 @@ ...@@ -24,15 +24,6 @@
- {file: netchecker-server-clusterrolebinding.yml, type: clusterrolebinding, name: netchecker-server} - {file: netchecker-server-clusterrolebinding.yml, type: clusterrolebinding, name: netchecker-server}
- {file: netchecker-server-deployment.yml, type: deployment, name: netchecker-server} - {file: netchecker-server-deployment.yml, type: deployment, name: netchecker-server}
- {file: netchecker-server-svc.yml, type: svc, name: netchecker-service} - {file: netchecker-server-svc.yml, type: svc, name: netchecker-service}
netchecker_templates_for_psp:
- {file: netchecker-agent-hostnet-psp.yml, type: podsecuritypolicy, name: netchecker-agent-hostnet-policy}
- {file: netchecker-agent-hostnet-clusterrole.yml, type: clusterrole, name: netchecker-agent}
- {file: netchecker-agent-hostnet-clusterrolebinding.yml, type: clusterrolebinding, name: netchecker-agent}
- name: Kubernetes Apps | Append extra templates to Netchecker Templates list for PodSecurityPolicy
set_fact:
netchecker_templates: "{{ netchecker_templates_for_psp + netchecker_templates }}"
when: podsecuritypolicy_enabled
- name: Kubernetes Apps | Lay Down Netchecker Template - name: Kubernetes Apps | Lay Down Netchecker Template
template: template:
......
roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-clusterrole.yml.j2 deleted 100644 → 0
+ 0
14
View file @ 7395c279
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: psp:netchecker-agent-hostnet
namespace: {{ netcheck_namespace }}
rules:
- apiGroups:
- policy
resourceNames:
- netchecker-agent-hostnet
resources:
- podsecuritypolicies
verbs:
- use
roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-clusterrolebinding.yml.j2 deleted 100644 → 0
+ 0
13
View file @ 7395c279
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: psp:netchecker-agent-hostnet
namespace: {{ netcheck_namespace }}
subjects:
- kind: ServiceAccount
name: netchecker-agent
namespace: {{ netcheck_namespace }}
roleRef:
kind: ClusterRole
name: psp:netchecker-agent-hostnet
apiGroup: rbac.authorization.k8s.io
roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-psp.yml.j2 deleted 100644 → 0
+ 0
44
View file @ 7395c279
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: netchecker-agent-hostnet
annotations:
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
{% if apparmor_enabled %}
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
{% endif %}
labels:
addonmanager.kubernetes.io/mode: Reconcile
spec:
privileged: false
allowPrivilegeEscalation: false
requiredDropCapabilities:
- ALL
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
- 'persistentVolumeClaim'
hostNetwork: true
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
readOnlyRootFilesystem: false
roles/kubernetes-apps/cluster_roles/defaults/main.yml deleted 100644 → 0
+ 0
65
View file @ 7395c279
---
podsecuritypolicy_restricted_spec:
privileged: false
allowPrivilegeEscalation: false
requiredDropCapabilities:
- ALL
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
- 'persistentVolumeClaim'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot'
seLinux:
rule: 'RunAsAny'
runAsGroup:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
readOnlyRootFilesystem: false
podsecuritypolicy_privileged_spec:
privileged: true
allowPrivilegeEscalation: true
allowedCapabilities:
- '*'
volumes:
- '*'
hostNetwork: true
hostPorts:
- min: 0
max: 65535
hostIPC: true
hostPID: true
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
runAsGroup:
rule: 'RunAsAny'
supplementalGroups:
rule: 'RunAsAny'
fsGroup:
rule: 'RunAsAny'
readOnlyRootFilesystem: false
# This will fail if allowed-unsafe-sysctls is not set accordingly in kubelet flags
allowedUnsafeSysctls:
- '*'
roles/kubernetes-apps/csi_driver/gcp_pd/templates/gcp-pd-csi-setup.yml.j2
+ 1
51
View file @ 471326f4
...@@ -162,56 +162,6 @@ roleRef: ...@@ -162,56 +162,6 @@ roleRef:
name: csi-gce-pd-resizer-role name: csi-gce-pd-resizer-role
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
--- ---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: csi-gce-pd-controller-deploy
rules:
- apiGroups: ["policy"]
resources: ["podsecuritypolicies"]
verbs: ["use"]
resourceNames:
- csi-gce-pd-controller-psp
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: csi-gce-pd-controller-deploy
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: csi-gce-pd-controller-deploy
subjects:
- kind: ServiceAccount
name: csi-gce-pd-controller-sa
namespace: kube-system
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: csi-gce-pd-node-deploy
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- csi-gce-pd-node-psp
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: csi-gce-pd-node
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: csi-gce-pd-node-deploy
subjects:
- kind: ServiceAccount
name: csi-gce-pd-node-sa
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata: metadata:
......
roles/kubernetes-apps/external_provisioner/cephfs_provisioner/tasks/main.yml
+ 0
9
View file @ 471326f4
...@@ -49,15 +49,6 @@ ...@@ -49,15 +49,6 @@
- { name: rolebinding-cephfs-provisioner, file: rolebinding-cephfs-provisioner.yml, type: rolebinding } - { name: rolebinding-cephfs-provisioner, file: rolebinding-cephfs-provisioner.yml, type: rolebinding }
- { name: deploy-cephfs-provisioner, file: deploy-cephfs-provisioner.yml, type: deploy } - { name: deploy-cephfs-provisioner, file: deploy-cephfs-provisioner.yml, type: deploy }
- { name: sc-cephfs-provisioner, file: sc-cephfs-provisioner.yml, type: sc } - { name: sc-cephfs-provisioner, file: sc-cephfs-provisioner.yml, type: sc }
cephfs_provisioner_templates_for_psp:
- { name: psp-cephfs-provisioner, file: psp-cephfs-provisioner.yml, type: psp }
- name: CephFS Provisioner | Append extra templates to CephFS Provisioner Templates list for PodSecurityPolicy
set_fact:
cephfs_provisioner_templates: "{{ cephfs_provisioner_templates_for_psp + cephfs_provisioner_templates }}"
when:
- podsecuritypolicy_enabled
- cephfs_provisioner_namespace != "kube-system"
- name: CephFS Provisioner | Create manifests - name: CephFS Provisioner | Create manifests
template: template:
......
roles/kubernetes-apps/external_provisioner/cephfs_provisioner/templates/clusterrole-cephfs-provisioner.yml.j2
+ 0
4
View file @ 471326f4
...@@ -20,7 +20,3 @@ rules: ...@@ -20,7 +20,3 @@ rules:
- apiGroups: [""] - apiGroups: [""]
resources: ["secrets"] resources: ["secrets"]
verbs: ["get", "create", "delete"] verbs: ["get", "create", "delete"]
- apiGroups: ["policy"]
resourceNames: ["cephfs-provisioner"]
resources: ["podsecuritypolicies"]
verbs: ["use"]
roles/kubernetes-apps/external_provisioner/cephfs_provisioner/templates/psp-cephfs-provisioner.yml.j2 deleted 100644 → 0
+ 0
44
View file @ 7395c279
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: cephfs-provisioner
annotations:
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
{% if apparmor_enabled %}
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
{% endif %}
labels:
addonmanager.kubernetes.io/mode: Reconcile
spec:
privileged: false
allowPrivilegeEscalation: false
requiredDropCapabilities:
- ALL
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
- 'persistentVolumeClaim'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
readOnlyRootFilesystem: false
roles/kubernetes-apps/external_provisioner/rbd_provisioner/tasks/main.yml
+ 0
9
View file @ 471326f4
...@@ -49,15 +49,6 @@ ...@@ -49,15 +49,6 @@
- { name: rolebinding-rbd-provisioner, file: rolebinding-rbd-provisioner.yml, type: rolebinding } - { name: rolebinding-rbd-provisioner, file: rolebinding-rbd-provisioner.yml, type: rolebinding }
- { name: deploy-rbd-provisioner, file: deploy-rbd-provisioner.yml, type: deploy } - { name: deploy-rbd-provisioner, file: deploy-rbd-provisioner.yml, type: deploy }
- { name: sc-rbd-provisioner, file: sc-rbd-provisioner.yml, type: sc } - { name: sc-rbd-provisioner, file: sc-rbd-provisioner.yml, type: sc }
rbd_provisioner_templates_for_psp:
- { name: psp-rbd-provisioner, file: psp-rbd-provisioner.yml, type: psp }
- name: RBD Provisioner | Append extra templates to RBD Provisioner Templates list for PodSecurityPolicy
set_fact:
rbd_provisioner_templates: "{{ rbd_provisioner_templates_for_psp + rbd_provisioner_templates }}"
when:
- podsecuritypolicy_enabled
- rbd_provisioner_namespace != "kube-system"
- name: RBD Provisioner | Create manifests - name: RBD Provisioner | Create manifests
template: template:
......
roles/kubernetes-apps/external_provisioner/rbd_provisioner/templates/clusterrole-rbd-provisioner.yml.j2
+ 0
4
View file @ 471326f4
...@@ -24,7 +24,3 @@ rules: ...@@ -24,7 +24,3 @@ rules:
- apiGroups: [""] - apiGroups: [""]
resources: ["secrets"] resources: ["secrets"]
verbs: ["get", "create", "delete"] verbs: ["get", "create", "delete"]
- apiGroups: ["policy"]
resourceNames: ["rbd-provisioner"]
resources: ["podsecuritypolicies"]
verbs: ["use"]
roles/kubernetes-apps/external_provisioner/rbd_provisioner/templates/psp-rbd-provisioner.yml.j2 deleted 100644 → 0
+ 0
44
View file @ 7395c279
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: rbd-provisioner
annotations:
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
{% if apparmor_enabled %}
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
{% endif %}
labels:
addonmanager.kubernetes.io/mode: Reconcile
spec:
privileged: false
allowPrivilegeEscalation: false
requiredDropCapabilities:
- ALL
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
- 'persistentVolumeClaim'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
readOnlyRootFilesystem: false
roles/kubernetes-apps/metallb/tasks/main.yml
+ 0
15
View file @ 471326f4
...@@ -11,21 +11,6 @@ ...@@ -11,21 +11,6 @@
when: when:
- matallb_auto_assign is defined - matallb_auto_assign is defined
- name: Kubernetes Apps | Check AppArmor status
command: which apparmor_parser
register: apparmor_status
when:
- podsecuritypolicy_enabled
- inventory_hostname == groups['kube_control_plane'][0]
failed_when: false
- name: Kubernetes Apps | Set apparmor_enabled
set_fact:
apparmor_enabled: "{{ apparmor_status.rc == 0 }}"
when:
- podsecuritypolicy_enabled
- inventory_hostname == groups['kube_control_plane'][0]
- name: Kubernetes Apps | Lay Down MetalLB - name: Kubernetes Apps | Lay Down MetalLB
become: true become: true
template: template:
......
roles/kubernetes-apps/metallb/templates/metallb.yaml.j2
+ 0
16
View file @ 471326f4
...@@ -1504,14 +1504,6 @@ rules: ...@@ -1504,14 +1504,6 @@ rules:
verbs: verbs:
- create - create
- patch - patch
- apiGroups:
- policy
resourceNames:
- controller
resources:
- podsecuritypolicies
verbs:
- use
- apiGroups: - apiGroups:
- admissionregistration.k8s.io - admissionregistration.k8s.io
resourceNames: resourceNames:
...@@ -1597,14 +1589,6 @@ rules: ...@@ -1597,14 +1589,6 @@ rules:
verbs: verbs:
- create - create
- patch - patch
- apiGroups:
- policy
resourceNames:
- speaker
resources:
- podsecuritypolicies
verbs:
- use
{% endif %} {% endif %}
--- ---
......
roles/kubernetes-apps/registry/tasks/main.yml
+ 0
11
View file @ 471326f4
...@@ -42,17 +42,6 @@ ...@@ -42,17 +42,6 @@
- { name: registry-secrets, file: registry-secrets.yml, type: secrets } - { name: registry-secrets, file: registry-secrets.yml, type: secrets }
- { name: registry-cm, file: registry-cm.yml, type: cm } - { name: registry-cm, file: registry-cm.yml, type: cm }
- { name: registry-rs, file: registry-rs.yml, type: rs } - { name: registry-rs, file: registry-rs.yml, type: rs }
registry_templates_for_psp:
- { name: registry-psp, file: registry-psp.yml, type: psp }
- { name: registry-cr, file: registry-cr.yml, type: clusterrole }
- { name: registry-crb, file: registry-crb.yml, type: rolebinding }
- name: Registry | Append extra templates to Registry Templates list for PodSecurityPolicy
set_fact:
registry_templates: "{{ registry_templates[:2] + registry_templates_for_psp + registry_templates[2:] }}"
when:
- podsecuritypolicy_enabled
- registry_namespace != "kube-system"
- name: Registry | Append nginx ingress templates to Registry Templates list when ingress enabled - name: Registry | Append nginx ingress templates to Registry Templates list when ingress enabled
set_fact: set_fact:
......
roles/kubernetes-apps/registry/templates/registry-cr.yml.j2 deleted 100644 → 0
+ 0
15
View file @ 7395c279
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: psp:registry
namespace: {{ registry_namespace }}
rules:
- apiGroups:
- policy
resourceNames:
- registry
resources:
- podsecuritypolicies
verbs:
- use
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment