From 471326f458aae1a6449b29e5f716904651f308c2 Mon Sep 17 00:00:00 2001
From: Max Gautier <mg@max.gautier.name>
Date: Mon, 18 Dec 2023 14:13:43 +0100
Subject: [PATCH] Remove PodSecurityPolicy support and references (#10723)

PodSecurityPolicy has been removed from Kubernetes since 1.25; time to cut some dead code.
---
 docs/hardening.md                             |  2 +-
 docs/vars.md                                  |  2 -
 .../group_vars/k8s_cluster/k8s-cluster.yml    |  9 ---
 .../kubernetes-apps/ansible/defaults/main.yml |  2 +-
 .../ansible/tasks/netchecker.yml              |  9 ---
 ...etchecker-agent-hostnet-clusterrole.yml.j2 | 14 ----
 ...er-agent-hostnet-clusterrolebinding.yml.j2 | 13 ----
 .../netchecker-agent-hostnet-psp.yml.j2       | 44 -------------
 .../cluster_roles/defaults/main.yml           | 65 -------------------
 .../gcp_pd/templates/gcp-pd-csi-setup.yml.j2  | 52 +--------------
 .../cephfs_provisioner/tasks/main.yml         |  9 ---
 .../clusterrole-cephfs-provisioner.yml.j2     |  4 --
 .../templates/psp-cephfs-provisioner.yml.j2   | 44 -------------
 .../rbd_provisioner/tasks/main.yml            |  9 ---
 .../clusterrole-rbd-provisioner.yml.j2        |  4 --
 .../templates/psp-rbd-provisioner.yml.j2      | 44 -------------
 roles/kubernetes-apps/metallb/tasks/main.yml  | 15 -----
 .../metallb/templates/metallb.yaml.j2         | 16 -----
 roles/kubernetes-apps/registry/tasks/main.yml | 11 ----
 .../registry/templates/registry-cr.yml.j2     | 15 -----
 .../registry/templates/registry-crb.yml.j2    | 13 ----
 .../registry/templates/registry-psp.yml.j2    | 44 -------------
 .../control-plane/tasks/kubeadm-setup.yml     |  6 --
 roles/kubernetes/control-plane/tasks/main.yml |  5 --
 .../control-plane/tasks/psp-install.yml       | 38 -----------
 .../control-plane/templates/psp-cr.yml.j2     | 32 ---------
 .../control-plane/templates/psp-crb.yml.j2    | 54 ---------------
 .../control-plane/templates/psp.yml.j2        | 27 --------
 roles/kubernetes/node/defaults/main.yml       |  1 -
 .../kubespray-defaults/defaults/main/main.yml |  1 -
 .../calico/templates/calico-apiserver.yml.j2  |  8 ---
 .../calico/templates/calico-cr.yml.j2         | 11 +---
 32 files changed, 4 insertions(+), 619 deletions(-)
 delete mode 100644 roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-clusterrole.yml.j2
 delete mode 100644 roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-clusterrolebinding.yml.j2
 delete mode 100644 roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-psp.yml.j2
 delete mode 100644 roles/kubernetes-apps/cluster_roles/defaults/main.yml
 delete mode 100644 roles/kubernetes-apps/external_provisioner/cephfs_provisioner/templates/psp-cephfs-provisioner.yml.j2
 delete mode 100644 roles/kubernetes-apps/external_provisioner/rbd_provisioner/templates/psp-rbd-provisioner.yml.j2
 delete mode 100644 roles/kubernetes-apps/registry/templates/registry-cr.yml.j2
 delete mode 100644 roles/kubernetes-apps/registry/templates/registry-crb.yml.j2
 delete mode 100644 roles/kubernetes-apps/registry/templates/registry-psp.yml.j2
 delete mode 100644 roles/kubernetes/control-plane/tasks/psp-install.yml
 delete mode 100644 roles/kubernetes/control-plane/templates/psp-cr.yml.j2
 delete mode 100644 roles/kubernetes/control-plane/templates/psp-crb.yml.j2
 delete mode 100644 roles/kubernetes/control-plane/templates/psp.yml.j2

diff --git a/docs/hardening.md b/docs/hardening.md
index 77a010047..fe2f3a568 100644
--- a/docs/hardening.md
+++ b/docs/hardening.md
@@ -120,7 +120,7 @@ kube_pod_security_default_enforce: restricted
 Let's take a deep look to the resultant **kubernetes** configuration:
 
 * The `anonymous-auth` (on `kube-apiserver`) is set to `true` by default. This is fine, because it is considered safe if you enable `RBAC` for the `authorization-mode`.
-* The `enable-admission-plugins` has not the `PodSecurityPolicy` admission plugin. This because it is going to be definitely removed from **kubernetes** `v1.25`. For this reason we decided to set the newest `PodSecurity` (for more details, please take a look here: <https://kubernetes.io/docs/concepts/security/pod-security-admission/>). Then, we set the `EventRateLimit` plugin, providing additional configuration files (that are automatically created under the hood and mounted inside the `kube-apiserver` container) to make it work.
+* The `enable-admission-plugins` includes `PodSecurity` (for more details, please take a look here: <https://kubernetes.io/docs/concepts/security/pod-security-admission/>). Then, we set the `EventRateLimit` plugin, providing additional configuration files (that are automatically created under the hood and mounted inside the `kube-apiserver` container) to make it work.
 * The `encryption-provider-config` provide encryption at rest. This means that the `kube-apiserver` encrypt data that is going to be stored before they reach `etcd`. So the data is completely unreadable from `etcd` (in case an attacker is able to exploit this).
 * The `rotateCertificates` in `KubeletConfiguration` is set to `true` along with `serverTLSBootstrap`. This could be used in alternative to `tlsCertFile` and `tlsPrivateKeyFile` parameters. Additionally it automatically generates certificates by itself. By default the CSRs are approved automatically via [kubelet-csr-approver](https://github.com/postfinance/kubelet-csr-approver). You can customize approval configuration by modifying Helm values via `kubelet_csr_approver_values`.
   See <https://kubernetes.io/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/> for more information on the subject.
diff --git a/docs/vars.md b/docs/vars.md
index b3239da94..959260e31 100644
--- a/docs/vars.md
+++ b/docs/vars.md
@@ -254,8 +254,6 @@ node_taints:
   - "node.example.com/external=true:NoSchedule"
 ```
 
-* *podsecuritypolicy_enabled* - When set to `true`, enables the PodSecurityPolicy admission controller and defines two policies `privileged` (applying to all resources in `kube-system` namespace and kubelet) and `restricted` (applying all other namespaces).
-  Addons deployed in kube-system namespaces are handled.
 * *kubernetes_audit* - When set to `true`, enables Auditing.
   The auditing parameters can be tuned via the following variables (which default values are shown below):
   * `audit_log_path`: /var/log/audit/kube-apiserver-audit.log
diff --git a/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml b/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml
index b1c5093d3..bb2250a34 100644
--- a/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml
+++ b/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml
@@ -243,15 +243,6 @@ kubernetes_audit: false
 # kubelet_config_dir:
 default_kubelet_config_dir: "{{ kube_config_dir }}/dynamic_kubelet_dir"
 
-# pod security policy (RBAC must be enabled either by having 'RBAC' in authorization_modes or kubeadm enabled)
-podsecuritypolicy_enabled: false
-
-# Custom PodSecurityPolicySpec for restricted policy
-# podsecuritypolicy_restricted_spec: {}
-
-# Custom PodSecurityPolicySpec for privileged policy
-# podsecuritypolicy_privileged_spec: {}
-
 # Make a copy of kubeconfig on the host that runs Ansible in {{ inventory_dir }}/artifacts
 # kubeconfig_localhost: false
 # Use ansible_host as external api ip when copying over kubeconfig.
diff --git a/roles/kubernetes-apps/ansible/defaults/main.yml b/roles/kubernetes-apps/ansible/defaults/main.yml
index fb26bd3eb..52444b087 100644
--- a/roles/kubernetes-apps/ansible/defaults/main.yml
+++ b/roles/kubernetes-apps/ansible/defaults/main.yml
@@ -81,7 +81,7 @@ netchecker_etcd_memory_limit: 256M
 netchecker_etcd_cpu_requests: 100m
 netchecker_etcd_memory_requests: 128M
 
-# SecurityContext when PodSecurityPolicy is enabled
+# SecurityContext (user/group)
 netchecker_agent_user: 1000
 netchecker_server_user: 1000
 netchecker_agent_group: 1000
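Review bot: The replacement comment `# SecurityContext (user/group)` above `netchecker_agent_user` no longer says which pods the four values apply to or why they are set, and with the PodSecurityPolicy conditional gone the comment is the only place that intent survives. The values are presumably rendered unconditionally into the netchecker manifests now (the templates are outside this patch, so that is inferred, not checked), which makes them the sole thing keeping those pods non-root once the PSP is removed. Suggest `# UID/GID the netchecker agent and server pods run as (non-root); presumably fed to runAsUser/runAsGroup in the netchecker templates — verify`. The variable block continues past the end of the hunk.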
diff --git a/roles/kubernetes-apps/ansible/tasks/netchecker.yml b/roles/kubernetes-apps/ansible/tasks/netchecker.yml
index b83fd3382..0011e7fc8 100644
--- a/roles/kubernetes-apps/ansible/tasks/netchecker.yml
+++ b/roles/kubernetes-apps/ansible/tasks/netchecker.yml
@@ -24,15 +24,6 @@
       - {file: netchecker-server-clusterrolebinding.yml, type: clusterrolebinding, name: netchecker-server}
       - {file: netchecker-server-deployment.yml, type: deployment, name: netchecker-server}
       - {file: netchecker-server-svc.yml, type: svc, name: netchecker-service}
-    netchecker_templates_for_psp:
-      - {file: netchecker-agent-hostnet-psp.yml, type: podsecuritypolicy, name: netchecker-agent-hostnet-policy}
-      - {file: netchecker-agent-hostnet-clusterrole.yml, type: clusterrole, name: netchecker-agent}
-      - {file: netchecker-agent-hostnet-clusterrolebinding.yml, type: clusterrolebinding, name: netchecker-agent}
-
-- name: Kubernetes Apps | Append extra templates to Netchecker Templates list for PodSecurityPolicy
-  set_fact:
-    netchecker_templates: "{{ netchecker_templates_for_psp + netchecker_templates }}"
-  when: podsecuritypolicy_enabled
 
 - name: Kubernetes Apps | Lay Down Netchecker Template
   template:
diff --git a/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-clusterrole.yml.j2 b/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-clusterrole.yml.j2
deleted file mode 100644
index 0e2315063..000000000
--- a/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-clusterrole.yml.j2
+++ /dev/null
@@ -1,14 +0,0 @@
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: psp:netchecker-agent-hostnet
-  namespace: {{ netcheck_namespace }}
-rules:
-  - apiGroups:
-    - policy
-    resourceNames:
-    - netchecker-agent-hostnet
-    resources:
-    - podsecuritypolicies
-    verbs:
-    - use
diff --git a/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-clusterrolebinding.yml.j2 b/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-clusterrolebinding.yml.j2
deleted file mode 100644
index cf4451513..000000000
--- a/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-clusterrolebinding.yml.j2
+++ /dev/null
@@ -1,13 +0,0 @@
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: psp:netchecker-agent-hostnet
-  namespace: {{ netcheck_namespace }}
-subjects:
-  - kind: ServiceAccount
-    name: netchecker-agent
-    namespace: {{ netcheck_namespace }}
-roleRef:
-  kind: ClusterRole
-  name: psp:netchecker-agent-hostnet
-  apiGroup: rbac.authorization.k8s.io
diff --git a/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-psp.yml.j2 b/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-psp.yml.j2
deleted file mode 100644
index 21b397d12..000000000
--- a/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-psp.yml.j2
+++ /dev/null
@@ -1,44 +0,0 @@
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: netchecker-agent-hostnet
-  annotations:
-    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'runtime/default'
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
-{% if apparmor_enabled %}
-    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
-    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
-{% endif %}
-  labels:
-    addonmanager.kubernetes.io/mode: Reconcile
-spec:
-  privileged: false
-  allowPrivilegeEscalation: false
-  requiredDropCapabilities:
-    - ALL
-  volumes:
-    - 'configMap'
-    - 'emptyDir'
-    - 'projected'
-    - 'secret'
-    - 'downwardAPI'
-    - 'persistentVolumeClaim'
-  hostNetwork: true
-  hostIPC: false
-  hostPID: false
-  runAsUser:
-    rule: 'MustRunAsNonRoot'
-  seLinux:
-    rule: 'RunAsAny'
-  supplementalGroups:
-    rule: 'MustRunAs'
-    ranges:
-      - min: 1
-        max: 65535
-  fsGroup:
-    rule: 'MustRunAs'
-    ranges:
-      - min: 1
-        max: 65535
-  readOnlyRootFilesystem: false
diff --git a/roles/kubernetes-apps/cluster_roles/defaults/main.yml b/roles/kubernetes-apps/cluster_roles/defaults/main.yml
deleted file mode 100644
index f26583da3..000000000
--- a/roles/kubernetes-apps/cluster_roles/defaults/main.yml
+++ /dev/null
@@ -1,65 +0,0 @@
----
-
-podsecuritypolicy_restricted_spec:
-  privileged: false
-  allowPrivilegeEscalation: false
-  requiredDropCapabilities:
-    - ALL
-  volumes:
-    - 'configMap'
-    - 'emptyDir'
-    - 'projected'
-    - 'secret'
-    - 'downwardAPI'
-    - 'persistentVolumeClaim'
-  hostNetwork: false
-  hostIPC: false
-  hostPID: false
-  runAsUser:
-    rule: 'MustRunAsNonRoot'
-  seLinux:
-    rule: 'RunAsAny'
-  runAsGroup:
-    rule: 'MustRunAs'
-    ranges:
-      - min: 1
-        max: 65535
-  supplementalGroups:
-    rule: 'MustRunAs'
-    ranges:
-      - min: 1
-        max: 65535
-  fsGroup:
-    rule: 'MustRunAs'
-    ranges:
-      - min: 1
-        max: 65535
-  readOnlyRootFilesystem: false
-
-podsecuritypolicy_privileged_spec:
-  privileged: true
-  allowPrivilegeEscalation: true
-  allowedCapabilities:
-    - '*'
-  volumes:
-    - '*'
-  hostNetwork: true
-  hostPorts:
-    - min: 0
-      max: 65535
-  hostIPC: true
-  hostPID: true
-  runAsUser:
-    rule: 'RunAsAny'
-  seLinux:
-    rule: 'RunAsAny'
-  runAsGroup:
-    rule: 'RunAsAny'
-  supplementalGroups:
-    rule: 'RunAsAny'
-  fsGroup:
-    rule: 'RunAsAny'
-  readOnlyRootFilesystem: false
-  # This will fail if allowed-unsafe-sysctls is not set accordingly in kubelet flags
-  allowedUnsafeSysctls:
-    - '*'
diff --git a/roles/kubernetes-apps/csi_driver/gcp_pd/templates/gcp-pd-csi-setup.yml.j2 b/roles/kubernetes-apps/csi_driver/gcp_pd/templates/gcp-pd-csi-setup.yml.j2
index 610baf33b..67ce7f621 100644
--- a/roles/kubernetes-apps/csi_driver/gcp_pd/templates/gcp-pd-csi-setup.yml.j2
+++ b/roles/kubernetes-apps/csi_driver/gcp_pd/templates/gcp-pd-csi-setup.yml.j2
@@ -162,56 +162,6 @@ roleRef:
   name: csi-gce-pd-resizer-role
   apiGroup: rbac.authorization.k8s.io
 ---
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: csi-gce-pd-controller-deploy
-rules:
-  - apiGroups: ["policy"]
-    resources: ["podsecuritypolicies"]
-    verbs: ["use"]
-    resourceNames:
-      - csi-gce-pd-controller-psp
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: csi-gce-pd-controller-deploy
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: csi-gce-pd-controller-deploy
-subjects:
-  - kind: ServiceAccount
-    name: csi-gce-pd-controller-sa
-    namespace: kube-system
----
-
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: csi-gce-pd-node-deploy
-rules:
-  - apiGroups: ['policy']
-    resources: ['podsecuritypolicies']
-    verbs:     ['use']
-    resourceNames:
-    - csi-gce-pd-node-psp
----
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: csi-gce-pd-node
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: csi-gce-pd-node-deploy
-subjects:
-- kind: ServiceAccount
-  name: csi-gce-pd-node-sa
-  namespace: kube-system
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -288,4 +238,4 @@ subjects:
 roleRef:
   kind: Role
   name: csi-gce-pd-leaderelection-role
-  apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
+  apiGroup: rbac.authorization.k8s.io
diff --git a/roles/kubernetes-apps/external_provisioner/cephfs_provisioner/tasks/main.yml b/roles/kubernetes-apps/external_provisioner/cephfs_provisioner/tasks/main.yml
index 95a2f7586..86cba2d57 100644
--- a/roles/kubernetes-apps/external_provisioner/cephfs_provisioner/tasks/main.yml
+++ b/roles/kubernetes-apps/external_provisioner/cephfs_provisioner/tasks/main.yml
@@ -49,15 +49,6 @@
       - { name: rolebinding-cephfs-provisioner, file: rolebinding-cephfs-provisioner.yml, type: rolebinding }
       - { name: deploy-cephfs-provisioner, file: deploy-cephfs-provisioner.yml, type: deploy }
       - { name: sc-cephfs-provisioner, file: sc-cephfs-provisioner.yml, type: sc }
-    cephfs_provisioner_templates_for_psp:
-      - { name: psp-cephfs-provisioner, file: psp-cephfs-provisioner.yml, type: psp }
-
-- name: CephFS Provisioner | Append extra templates to CephFS Provisioner Templates list for PodSecurityPolicy
-  set_fact:
-    cephfs_provisioner_templates: "{{ cephfs_provisioner_templates_for_psp + cephfs_provisioner_templates }}"
-  when:
-    - podsecuritypolicy_enabled
-    - cephfs_provisioner_namespace != "kube-system"
 
 - name: CephFS Provisioner | Create manifests
   template:
diff --git a/roles/kubernetes-apps/external_provisioner/cephfs_provisioner/templates/clusterrole-cephfs-provisioner.yml.j2 b/roles/kubernetes-apps/external_provisioner/cephfs_provisioner/templates/clusterrole-cephfs-provisioner.yml.j2
index 4c92ea68e..c6a149086 100644
--- a/roles/kubernetes-apps/external_provisioner/cephfs_provisioner/templates/clusterrole-cephfs-provisioner.yml.j2
+++ b/roles/kubernetes-apps/external_provisioner/cephfs_provisioner/templates/clusterrole-cephfs-provisioner.yml.j2
@@ -20,7 +20,3 @@ rules:
   - apiGroups: [""]
     resources: ["secrets"]
     verbs: ["get", "create", "delete"]
-  - apiGroups: ["policy"]
-    resourceNames: ["cephfs-provisioner"]
-    resources: ["podsecuritypolicies"]
-    verbs: ["use"]
diff --git a/roles/kubernetes-apps/external_provisioner/cephfs_provisioner/templates/psp-cephfs-provisioner.yml.j2 b/roles/kubernetes-apps/external_provisioner/cephfs_provisioner/templates/psp-cephfs-provisioner.yml.j2
deleted file mode 100644
index 76d146cbb..000000000
--- a/roles/kubernetes-apps/external_provisioner/cephfs_provisioner/templates/psp-cephfs-provisioner.yml.j2
+++ /dev/null
@@ -1,44 +0,0 @@
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: cephfs-provisioner
-  annotations:
-    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'runtime/default'
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
-{% if apparmor_enabled %}
-    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
-    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
-{% endif %}
-  labels:
-    addonmanager.kubernetes.io/mode: Reconcile
-spec:
-  privileged: false
-  allowPrivilegeEscalation: false
-  requiredDropCapabilities:
-    - ALL
-  volumes:
-    - 'configMap'
-    - 'emptyDir'
-    - 'projected'
-    - 'secret'
-    - 'downwardAPI'
-    - 'persistentVolumeClaim'
-  hostNetwork: false
-  hostIPC: false
-  hostPID: false
-  runAsUser:
-    rule: 'RunAsAny'
-  seLinux:
-    rule: 'RunAsAny'
-  supplementalGroups:
-    rule: 'MustRunAs'
-    ranges:
-      - min: 1
-        max: 65535
-  fsGroup:
-    rule: 'MustRunAs'
-    ranges:
-      - min: 1
-        max: 65535
-  readOnlyRootFilesystem: false
diff --git a/roles/kubernetes-apps/external_provisioner/rbd_provisioner/tasks/main.yml b/roles/kubernetes-apps/external_provisioner/rbd_provisioner/tasks/main.yml
index 1d08376b7..76445dae0 100644
--- a/roles/kubernetes-apps/external_provisioner/rbd_provisioner/tasks/main.yml
+++ b/roles/kubernetes-apps/external_provisioner/rbd_provisioner/tasks/main.yml
@@ -49,15 +49,6 @@
       - { name: rolebinding-rbd-provisioner, file: rolebinding-rbd-provisioner.yml, type: rolebinding }
       - { name: deploy-rbd-provisioner, file: deploy-rbd-provisioner.yml, type: deploy }
       - { name: sc-rbd-provisioner, file: sc-rbd-provisioner.yml, type: sc }
-    rbd_provisioner_templates_for_psp:
-      - { name: psp-rbd-provisioner, file: psp-rbd-provisioner.yml, type: psp }
-
-- name: RBD Provisioner | Append extra templates to RBD Provisioner Templates list for PodSecurityPolicy
-  set_fact:
-    rbd_provisioner_templates: "{{ rbd_provisioner_templates_for_psp + rbd_provisioner_templates }}"
-  when:
-    - podsecuritypolicy_enabled
-    - rbd_provisioner_namespace != "kube-system"
 
 - name: RBD Provisioner | Create manifests
   template:
diff --git a/roles/kubernetes-apps/external_provisioner/rbd_provisioner/templates/clusterrole-rbd-provisioner.yml.j2 b/roles/kubernetes-apps/external_provisioner/rbd_provisioner/templates/clusterrole-rbd-provisioner.yml.j2
index 8fc7e4b9d..9e319a348 100644
--- a/roles/kubernetes-apps/external_provisioner/rbd_provisioner/templates/clusterrole-rbd-provisioner.yml.j2
+++ b/roles/kubernetes-apps/external_provisioner/rbd_provisioner/templates/clusterrole-rbd-provisioner.yml.j2
@@ -24,7 +24,3 @@ rules:
   - apiGroups: [""]
     resources: ["secrets"]
     verbs: ["get", "create", "delete"]
-  - apiGroups: ["policy"]
-    resourceNames: ["rbd-provisioner"]
-    resources: ["podsecuritypolicies"]
-    verbs: ["use"]
diff --git a/roles/kubernetes-apps/external_provisioner/rbd_provisioner/templates/psp-rbd-provisioner.yml.j2 b/roles/kubernetes-apps/external_provisioner/rbd_provisioner/templates/psp-rbd-provisioner.yml.j2
deleted file mode 100644
index c59effdba..000000000
--- a/roles/kubernetes-apps/external_provisioner/rbd_provisioner/templates/psp-rbd-provisioner.yml.j2
+++ /dev/null
@@ -1,44 +0,0 @@
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: rbd-provisioner
-  annotations:
-    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'runtime/default'
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
-{% if apparmor_enabled %}
-    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
-    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
-{% endif %}
-  labels:
-    addonmanager.kubernetes.io/mode: Reconcile
-spec:
-  privileged: false
-  allowPrivilegeEscalation: false
-  requiredDropCapabilities:
-    - ALL
-  volumes:
-    - 'configMap'
-    - 'emptyDir'
-    - 'projected'
-    - 'secret'
-    - 'downwardAPI'
-    - 'persistentVolumeClaim'
-  hostNetwork: false
-  hostIPC: false
-  hostPID: false
-  runAsUser:
-    rule: 'RunAsAny'
-  seLinux:
-    rule: 'RunAsAny'
-  supplementalGroups:
-    rule: 'MustRunAs'
-    ranges:
-      - min: 1
-        max: 65535
-  fsGroup:
-    rule: 'MustRunAs'
-    ranges:
-      - min: 1
-        max: 65535
-  readOnlyRootFilesystem: false
diff --git a/roles/kubernetes-apps/metallb/tasks/main.yml b/roles/kubernetes-apps/metallb/tasks/main.yml
index 298868394..eb554c5c2 100644
--- a/roles/kubernetes-apps/metallb/tasks/main.yml
+++ b/roles/kubernetes-apps/metallb/tasks/main.yml
@@ -11,21 +11,6 @@
   when:
     - matallb_auto_assign is defined
 
-- name: Kubernetes Apps | Check AppArmor status
-  command: which apparmor_parser
-  register: apparmor_status
-  when:
-    - podsecuritypolicy_enabled
-    - inventory_hostname == groups['kube_control_plane'][0]
-  failed_when: false
-
-- name: Kubernetes Apps | Set apparmor_enabled
-  set_fact:
-    apparmor_enabled: "{{ apparmor_status.rc == 0 }}"
-  when:
-    - podsecuritypolicy_enabled
-    - inventory_hostname == groups['kube_control_plane'][0]
-
 - name: Kubernetes Apps | Lay Down MetalLB
   become: true
   template:
diff --git a/roles/kubernetes-apps/metallb/templates/metallb.yaml.j2 b/roles/kubernetes-apps/metallb/templates/metallb.yaml.j2
index 608ad31cd..af18a100b 100644
--- a/roles/kubernetes-apps/metallb/templates/metallb.yaml.j2
+++ b/roles/kubernetes-apps/metallb/templates/metallb.yaml.j2
@@ -1504,14 +1504,6 @@ rules:
   verbs:
   - create
   - patch
-- apiGroups:
-  - policy
-  resourceNames:
-  - controller
-  resources:
-  - podsecuritypolicies
-  verbs:
-  - use
 - apiGroups:
   - admissionregistration.k8s.io
   resourceNames:
@@ -1597,14 +1589,6 @@ rules:
   verbs:
   - create
   - patch
-- apiGroups:
-  - policy
-  resourceNames:
-  - speaker
-  resources:
-  - podsecuritypolicies
-  verbs:
-  - use
 {% endif %}
 
 ---
diff --git a/roles/kubernetes-apps/registry/tasks/main.yml b/roles/kubernetes-apps/registry/tasks/main.yml
index 06f1f6a13..a915e0773 100644
--- a/roles/kubernetes-apps/registry/tasks/main.yml
+++ b/roles/kubernetes-apps/registry/tasks/main.yml
@@ -42,17 +42,6 @@
       - { name: registry-secrets, file: registry-secrets.yml, type: secrets }
       - { name: registry-cm, file: registry-cm.yml, type: cm }
       - { name: registry-rs, file: registry-rs.yml, type: rs }
-    registry_templates_for_psp:
-      - { name: registry-psp, file: registry-psp.yml, type: psp }
-      - { name: registry-cr, file: registry-cr.yml, type: clusterrole }
-      - { name: registry-crb, file: registry-crb.yml, type: rolebinding }
-
-- name: Registry | Append extra templates to Registry Templates list for PodSecurityPolicy
-  set_fact:
-    registry_templates: "{{ registry_templates[:2] + registry_templates_for_psp + registry_templates[2:] }}"
-  when:
-    - podsecuritypolicy_enabled
-    - registry_namespace != "kube-system"
 
 - name: Registry | Append nginx ingress templates to Registry Templates list when ingress enabled
   set_fact:
diff --git a/roles/kubernetes-apps/registry/templates/registry-cr.yml.j2 b/roles/kubernetes-apps/registry/templates/registry-cr.yml.j2
deleted file mode 100644
index 45f3fc49e..000000000
--- a/roles/kubernetes-apps/registry/templates/registry-cr.yml.j2
+++ /dev/null
@@ -1,15 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: psp:registry
-  namespace: {{ registry_namespace }}
-rules:
-  - apiGroups:
-    - policy
-    resourceNames:
-    - registry
-    resources:
-    - podsecuritypolicies
-    verbs:
-    - use
diff --git a/roles/kubernetes-apps/registry/templates/registry-crb.yml.j2 b/roles/kubernetes-apps/registry/templates/registry-crb.yml.j2
deleted file mode 100644
index 8589420f6..000000000
--- a/roles/kubernetes-apps/registry/templates/registry-crb.yml.j2
+++ /dev/null
@@ -1,13 +0,0 @@
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: psp:registry
-  namespace: {{ registry_namespace }}
-subjects:
-  - kind: ServiceAccount
-    name: registry
-    namespace: {{ registry_namespace }}
-roleRef:
-  kind: ClusterRole
-  name: psp:registry
-  apiGroup: rbac.authorization.k8s.io
diff --git a/roles/kubernetes-apps/registry/templates/registry-psp.yml.j2 b/roles/kubernetes-apps/registry/templates/registry-psp.yml.j2
deleted file mode 100644
index b04d8c27a..000000000
--- a/roles/kubernetes-apps/registry/templates/registry-psp.yml.j2
+++ /dev/null
@@ -1,44 +0,0 @@
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: registry
-  annotations:
-    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'runtime/default'
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
-{% if apparmor_enabled %}
-    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
-    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
-{% endif %}
-  labels:
-    addonmanager.kubernetes.io/mode: Reconcile
-spec:
-  privileged: false
-  allowPrivilegeEscalation: false
-  requiredDropCapabilities:
-    - ALL
-  volumes:
-    - 'configMap'
-    - 'emptyDir'
-    - 'projected'
-    - 'secret'
-    - 'downwardAPI'
-    - 'persistentVolumeClaim'
-  hostNetwork: false
-  hostIPC: false
-  hostPID: false
-  runAsUser:
-    rule: 'RunAsAny'
-  seLinux:
-    rule: 'RunAsAny'
-  supplementalGroups:
-    rule: 'MustRunAs'
-    ranges:
-      - min: 1
-        max: 65535
-  fsGroup:
-    rule: 'MustRunAs'
-    ranges:
-      - min: 1
-        max: 65535
-  readOnlyRootFilesystem: false
diff --git a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
index dbc38ad81..dcad832ba 100644
--- a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
@@ -232,12 +232,6 @@
   tags:
     - kubeadm_token
 
-- name: PodSecurityPolicy | install PodSecurityPolicy
-  include_tasks: psp-install.yml
-  when:
-    - podsecuritypolicy_enabled
-    - inventory_hostname == first_kube_control_plane
-
 - name: Kubeadm | Join other masters
   include_tasks: kubeadm-secondary.yml
 
diff --git a/roles/kubernetes/control-plane/tasks/main.yml b/roles/kubernetes/control-plane/tasks/main.yml
index 50eccbd07..37f36ab14 100644
--- a/roles/kubernetes/control-plane/tasks/main.yml
+++ b/roles/kubernetes/control-plane/tasks/main.yml
@@ -80,11 +80,6 @@
     - upgrade
   ignore_errors: true  # noqa ignore-errors
 
-- name: Disable SecurityContextDeny admission-controller and enable PodSecurityPolicy
-  set_fact:
-    kube_apiserver_enable_admission_plugins: "{{ kube_apiserver_enable_admission_plugins | difference(['SecurityContextDeny']) | union(['PodSecurityPolicy']) | unique }}"
-  when: podsecuritypolicy_enabled
-
 - name: Define nodes already joined to existing cluster and first_kube_control_plane
   import_tasks: define-first-kube-control.yml
 
diff --git a/roles/kubernetes/control-plane/tasks/psp-install.yml b/roles/kubernetes/control-plane/tasks/psp-install.yml
deleted file mode 100644
index 4a990f82a..000000000
--- a/roles/kubernetes/control-plane/tasks/psp-install.yml
+++ /dev/null
@@ -1,38 +0,0 @@
----
-- name: Check AppArmor status
-  command: which apparmor_parser
-  register: apparmor_status
-  failed_when: false
-  changed_when: apparmor_status.rc != 0
-
-- name: Set apparmor_enabled
-  set_fact:
-    apparmor_enabled: "{{ apparmor_status.rc == 0 }}"
-
-- name: Render templates for PodSecurityPolicy
-  template:
-    src: "{{ item.file }}.j2"
-    dest: "{{ kube_config_dir }}/{{ item.file }}"
-    mode: 0640
-  register: psp_manifests
-  with_items:
-    - {file: psp.yml, type: psp, name: psp}
-    - {file: psp-cr.yml, type: clusterrole, name: psp-cr}
-    - {file: psp-crb.yml, type: rolebinding, name: psp-crb}
-
-- name: Add policies, roles, bindings for PodSecurityPolicy
-  kube:
-    name: "{{ item.item.name }}"
-    kubectl: "{{ bin_dir }}/kubectl"
-    resource: "{{ item.item.type }}"
-    filename: "{{ kube_config_dir }}/{{ item.item.file }}"
-    state: "latest"
-  register: result
-  until: result is succeeded
-  retries: 10
-  delay: 6
-  with_items: "{{ psp_manifests.results }}"
-  environment:
-    KUBECONFIG: "{{ kube_config_dir }}/admin.conf"
-  loop_control:
-    label: "{{ item.item.file }}"
diff --git a/roles/kubernetes/control-plane/templates/psp-cr.yml.j2 b/roles/kubernetes/control-plane/templates/psp-cr.yml.j2
deleted file mode 100644
index d9f0e8d53..000000000
--- a/roles/kubernetes/control-plane/templates/psp-cr.yml.j2
+++ /dev/null
@@ -1,32 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: psp:privileged
-  labels:
-    addonmanager.kubernetes.io/mode: Reconcile
-rules:
-- apiGroups:
-  - policy
-  resourceNames:
-  - privileged
-  resources:
-  - podsecuritypolicies
-  verbs:
-  - use
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: psp:restricted
-  labels:
-    addonmanager.kubernetes.io/mode: Reconcile
-rules:
-- apiGroups:
-  - policy
-  resourceNames:
-  - restricted
-  resources:
-  - podsecuritypolicies
-  verbs:
-  - use
diff --git a/roles/kubernetes/control-plane/templates/psp-crb.yml.j2 b/roles/kubernetes/control-plane/templates/psp-crb.yml.j2
deleted file mode 100644
index 7513c3c5f..000000000
--- a/roles/kubernetes/control-plane/templates/psp-crb.yml.j2
+++ /dev/null
@@ -1,54 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: psp:any:restricted
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: psp:restricted
-subjects:
-- kind: Group
-  name: system:authenticated
-  apiGroup: rbac.authorization.k8s.io
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: psp:kube-system:privileged
-  namespace: kube-system
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: psp:privileged
-subjects:
-- kind: Group
-  name: system:masters
-  apiGroup: rbac.authorization.k8s.io
-- kind: Group
-  name: system:serviceaccounts:kube-system
-  apiGroup: rbac.authorization.k8s.io
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: psp:nodes:privileged
-  namespace: kube-system
-  annotations:
-    kubernetes.io/description: 'Allow nodes to create privileged pods. Should
-      be used in combination with the NodeRestriction admission plugin to limit
-      nodes to mirror pods bound to themselves.'
-  labels:
-    addonmanager.kubernetes.io/mode: Reconcile
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: psp:privileged
-subjects:
-  - kind: Group
-    apiGroup: rbac.authorization.k8s.io
-    name: system:nodes
-  - kind: User
-    apiGroup: rbac.authorization.k8s.io
-    # Legacy node ID
-    name: kubelet
diff --git a/roles/kubernetes/control-plane/templates/psp.yml.j2 b/roles/kubernetes/control-plane/templates/psp.yml.j2
deleted file mode 100644
index 5da540041..000000000
--- a/roles/kubernetes/control-plane/templates/psp.yml.j2
+++ /dev/null
@@ -1,27 +0,0 @@
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: restricted
-  annotations:
-    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'runtime/default'
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
-{% if apparmor_enabled %}
-    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
-    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
-{% endif %}
-  labels:
-    addonmanager.kubernetes.io/mode: Reconcile
-spec:
-  {{ podsecuritypolicy_restricted_spec | to_yaml(indent=2, width=1337) | indent(width=2) }}
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: privileged
-  annotations:
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
-  labels:
-    addonmanager.kubernetes.io/mode: Reconcile
-spec:
-  {{ podsecuritypolicy_privileged_spec | to_yaml(indent=2, width=1337) | indent(width=2) }}
diff --git a/roles/kubernetes/node/defaults/main.yml b/roles/kubernetes/node/defaults/main.yml
index b6642a066..cbe95835c 100644
--- a/roles/kubernetes/node/defaults/main.yml
+++ b/roles/kubernetes/node/defaults/main.yml
@@ -102,7 +102,6 @@ loadbalancer_apiserver_pod_name: "{% if loadbalancer_apiserver_type == 'nginx' %
 #   - extensions/v1beta1/deployments=true
 #   - extensions/v1beta1/replicasets=true
 #   - extensions/v1beta1/networkpolicies=true
-#   - extensions/v1beta1/podsecuritypolicies=true
 
 # A port range to reserve for services with NodePort visibility.
 # Inclusive at both ends of the range.
diff --git a/roles/kubespray-defaults/defaults/main/main.yml b/roles/kubespray-defaults/defaults/main/main.yml
index a18505bcb..ddb290f91 100644
--- a/roles/kubespray-defaults/defaults/main/main.yml
+++ b/roles/kubespray-defaults/defaults/main/main.yml
@@ -608,7 +608,6 @@ etcd_events_peer_addresses: |-
     {{ hostvars[item].etcd_member_name | default("etcd" + loop.index | string) }}-events=https://{{ hostvars[item].etcd_events_access_address | default(hostvars[item].ip | default(fallback_ips[item])) }}:2382{% if not loop.last %},{% endif %}
   {%- endfor %}
 
-podsecuritypolicy_enabled: false
 etcd_heartbeat_interval: "250"
 etcd_election_timeout: "5000"
 etcd_snapshot_count: "10000"
diff --git a/roles/network_plugin/calico/templates/calico-apiserver.yml.j2 b/roles/network_plugin/calico/templates/calico-apiserver.yml.j2
index 783561945..49f5918b4 100644
--- a/roles/network_plugin/calico/templates/calico-apiserver.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-apiserver.yml.j2
@@ -172,14 +172,6 @@ rules:
   - create
   - update
   - delete
-- apiGroups:
-  - policy
-  resourceNames:
-  - calico-apiserver
-  resources:
-  - podsecuritypolicies
-  verbs:
-  - use
 
 ---
 
diff --git a/roles/network_plugin/calico/templates/calico-cr.yml.j2 b/roles/network_plugin/calico/templates/calico-cr.yml.j2
index d00c9e9a7..ac0331f22 100644
--- a/roles/network_plugin/calico/templates/calico-cr.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-cr.yml.j2
@@ -71,16 +71,7 @@ rules:
     verbs:
       # Needed for clearing NodeNetworkUnavailable flag.
       - patch
-{% if calico_datastore == "etcd" %}
-  - apiGroups:
-    - policy
-    resourceNames:
-    - privileged
-    resources:
-    - podsecuritypolicies
-    verbs:
-    - use
-{% elif calico_datastore == "kdd" %}
+{% if calico_datastore == "kdd" %}
       # Calico stores some configuration information in node annotations.
       - update
   # Watch for changes to Kubernetes NetworkPolicies.
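Review bot: Dropping the `use` grant on the `privileged` PodSecurityPolicy in this ClusterRole is only safe if every Kubernetes release kubespray still deploys or upgrades from has the PodSecurityPolicy admission plugin gone (1.25+); on an older control plane with the plugin still enabled, calico-node pods would be rejected at admission once this ClusterRole is reconciled, so the supported-version floor is worth confirming alongside this change. The hunk itself is otherwise consistent: collapsing the `elif` to `{% if calico_datastore == "kdd" %}` leaves the kdd-only `update` verb unchanged. I would add a short template comment above the new `if`, e.g. `{# PSP 'use' grant intentionally removed: PodSecurityPolicy no longer exists since Kubernetes 1.25 #}`, so a later contributor does not re-add it. The rules list and its closing `{% endif %}` continue outside the hunk.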
-- 
GitLab