Remove PodSecurityPolicy support and references (#10723)

This is removed from kubernetes since 1.25, time to cut some dead code.

Remove PodSecurityPolicy support and references (#10723)
471326f4 · Max Gautier · GitHub · 7395c279 · 7395c279 · 7395c279
Unverified Commit 471326f4 authored Dec 18, 2023 by Max Gautier Committed by GitHub Dec 18, 2023
--- a/roles/kubernetes-apps/registry/templates/registry-crb.yml.j2
+++ b/roles/kubernetes-apps/registry/templates/registry-crb.yml.j2
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: psp:registry
-  namespace: {{ registry_namespace }}
-subjects:
-  - kind: ServiceAccount
-    name: registry
-    namespace: {{ registry_namespace }}
-roleRef:
-  kind: ClusterRole
-  name: psp:registry
-  apiGroup: rbac.authorization.k8s.io
--- a/roles/kubernetes-apps/registry/templates/registry-psp.yml.j2
+++ b/roles/kubernetes-apps/registry/templates/registry-psp.yml.j2
---
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: registry
-  annotations:
-    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'runtime/default'
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
-{% if apparmor_enabled %}
-    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
-    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
-{% endif %}
-  labels:
-    addonmanager.kubernetes.io/mode: Reconcile
-spec:
-  privileged: false
-  allowPrivilegeEscalation: false
-  requiredDropCapabilities:
-    - ALL
-  volumes:
-    - 'configMap'
-    - 'emptyDir'
-    - 'projected'
-    - 'secret'
-    - 'downwardAPI'
-    - 'persistentVolumeClaim'
-  hostNetwork: false
-  hostIPC: false
-  hostPID: false
-  runAsUser:
-    rule: 'RunAsAny'
-  seLinux:
-    rule: 'RunAsAny'
-  supplementalGroups:
-    rule: 'MustRunAs'
-    ranges:
-      - min: 1
-        max: 65535
-  fsGroup:
-    rule: 'MustRunAs'
-    ranges:
-      - min: 1
-        max: 65535
-  readOnlyRootFilesystem: false
--- a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
@@ -232,12 +232,6 @@
  tags:
    - kubeadm_token
- name: PodSecurityPolicy | install PodSecurityPolicy
-  include_tasks: psp-install.yml
-  when:
-    - podsecuritypolicy_enabled
-    - inventory_hostname == first_kube_control_plane
 - name: Kubeadm | Join other masters
  include_tasks: kubeadm-secondary.yml

--- a/roles/kubernetes/control-plane/tasks/main.yml
+++ b/roles/kubernetes/control-plane/tasks/main.yml
@@ -80,11 +80,6 @@
    - upgrade
  ignore_errors: true  # noqa ignore-errors
- name: Disable SecurityContextDeny admission-controller and enable PodSecurityPolicy
-  set_fact:
-    kube_apiserver_enable_admission_plugins: "{{ kube_apiserver_enable_admission_plugins | difference(['SecurityContextDeny']) | union(['PodSecurityPolicy']) | unique }}"
-  when: podsecuritypolicy_enabled
 - name: Define nodes already joined to existing cluster and first_kube_control_plane
  import_tasks: define-first-kube-control.yml

--- a/roles/kubernetes/control-plane/tasks/psp-install.yml
+++ b/roles/kubernetes/control-plane/tasks/psp-install.yml
---
- name: Check AppArmor status
-  command: which apparmor_parser
-  register: apparmor_status
-  failed_when: false
-  changed_when: apparmor_status.rc != 0
- name: Set apparmor_enabled
-  set_fact:
-    apparmor_enabled: "{{ apparmor_status.rc == 0 }}"
- name: Render templates for PodSecurityPolicy
-  template:
-    src: "{{ item.file }}.j2"
-    dest: "{{ kube_config_dir }}/{{ item.file }}"
-    mode: 0640
-  register: psp_manifests
-  with_items:
-    - {file: psp.yml, type: psp, name: psp}
-    - {file: psp-cr.yml, type: clusterrole, name: psp-cr}
-    - {file: psp-crb.yml, type: rolebinding, name: psp-crb}
- name: Add policies, roles, bindings for PodSecurityPolicy
-  kube:
-    name: "{{ item.item.name }}"
-    kubectl: "{{ bin_dir }}/kubectl"
-    resource: "{{ item.item.type }}"
-    filename: "{{ kube_config_dir }}/{{ item.item.file }}"
-    state: "latest"
-  register: result
-  until: result is succeeded
-  retries: 10
-  delay: 6
-  with_items: "{{ psp_manifests.results }}"
-  environment:
-    KUBECONFIG: "{{ kube_config_dir }}/admin.conf"
-  loop_control:
-    label: "{{ item.item.file }}"
--- a/roles/kubernetes/control-plane/templates/psp-cr.yml.j2
+++ b/roles/kubernetes/control-plane/templates/psp-cr.yml.j2
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: psp:privileged
-  labels:
-    addonmanager.kubernetes.io/mode: Reconcile
-rules:
- apiGroups:
-  - policy
-  resourceNames:
-  - privileged
-  resources:
-  - podsecuritypolicies
-  verbs:
-  - use
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: psp:restricted
-  labels:
-    addonmanager.kubernetes.io/mode: Reconcile
-rules:
- apiGroups:
-  - policy
-  resourceNames:
-  - restricted
-  resources:
-  - podsecuritypolicies
-  verbs:
-  - use
--- a/roles/kubernetes/control-plane/templates/psp-crb.yml.j2
+++ b/roles/kubernetes/control-plane/templates/psp-crb.yml.j2
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: psp:any:restricted
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: psp:restricted
-subjects:
- kind: Group
-  name: system:authenticated
-  apiGroup: rbac.authorization.k8s.io
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: psp:kube-system:privileged
-  namespace: kube-system
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: psp:privileged
-subjects:
- kind: Group
-  name: system:masters
-  apiGroup: rbac.authorization.k8s.io
- kind: Group
-  name: system:serviceaccounts:kube-system
-  apiGroup: rbac.authorization.k8s.io
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: psp:nodes:privileged
-  namespace: kube-system
-  annotations:
-    kubernetes.io/description: 'Allow nodes to create privileged pods. Should
-      be used in combination with the NodeRestriction admission plugin to limit
-      nodes to mirror pods bound to themselves.'
-  labels:
-    addonmanager.kubernetes.io/mode: Reconcile
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: psp:privileged
-subjects:
-  - kind: Group
-    apiGroup: rbac.authorization.k8s.io
-    name: system:nodes
-  - kind: User
-    apiGroup: rbac.authorization.k8s.io
-    # Legacy node ID
-    name: kubelet
--- a/roles/kubernetes/control-plane/templates/psp.yml.j2
+++ b/roles/kubernetes/control-plane/templates/psp.yml.j2
---
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: restricted
-  annotations:
-    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'runtime/default'
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
-{% if apparmor_enabled %}
-    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
-    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
-{% endif %}
-  labels:
-    addonmanager.kubernetes.io/mode: Reconcile
-spec:
-  {{ podsecuritypolicy_restricted_spec | to_yaml(indent=2, width=1337) | indent(width=2) }}
---
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: privileged
-  annotations:
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
-  labels:
-    addonmanager.kubernetes.io/mode: Reconcile
-spec:
-  {{ podsecuritypolicy_privileged_spec | to_yaml(indent=2, width=1337) | indent(width=2) }}
--- a/roles/kubernetes/node/defaults/main.yml
+++ b/roles/kubernetes/node/defaults/main.yml
@@ -102,7 +102,6 @@ loadbalancer_apiserver_pod_name: "{% if loadbalancer_apiserver_type == 'nginx' %
 #   - extensions/v1beta1/deployments=true
 #   - extensions/v1beta1/replicasets=true
 #   - extensions/v1beta1/networkpolicies=true
-#   - extensions/v1beta1/podsecuritypolicies=true
 # A port range to reserve for services with NodePort visibility.
 # Inclusive at both ends of the range.

--- a/roles/kubespray-defaults/defaults/main/main.yml
+++ b/roles/kubespray-defaults/defaults/main/main.yml
@@ -608,7 +608,6 @@ etcd_events_peer_addresses: |-
    {{ hostvars[item].etcd_member_name | default("etcd" + loop.index | string) }}-events=https://{{ hostvars[item].etcd_events_access_address | default(hostvars[item].ip | default(fallback_ips[item])) }}:2382{% if not loop.last %},{% endif %}
  {%- endfor %}
-podsecuritypolicy_enabled: false
 etcd_heartbeat_interval: "250"
 etcd_election_timeout: "5000"
 etcd_snapshot_count: "10000"

--- a/roles/network_plugin/calico/templates/calico-apiserver.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-apiserver.yml.j2
@@ -172,14 +172,6 @@ rules:
  - create
  - update
  - delete
- apiGroups:
-  - policy
-  resourceNames:
-  - calico-apiserver
-  resources:
-  - podsecuritypolicies
-  verbs:
-  - use
 ---

--- a/roles/network_plugin/calico/templates/calico-cr.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-cr.yml.j2
@@ -71,16 +71,7 @@ rules:
    verbs:
      # Needed for clearing NodeNetworkUnavailable flag.
      - patch
-{% if calico_datastore == "etcd" %}
+{% if calico_datastore == "kdd" %}
-  - apiGroups:
-    - policy
-    resourceNames:
-    - privileged
-    resources:
-    - podsecuritypolicies
-    verbs:
-    - use
-{% elif calico_datastore == "kdd" %}
      # Calico stores some configuration information in node annotations.
      - update
  # Watch for changes to Kubernetes NetworkPolicies.