Removed PodSecurityPolicy from ingress-nginx (#9448)

d0050810 · yanggang · GitHub · c2724219 · d0050810 · c2724219
Unverified Commit d0050810 authored 2 years ago by yanggang Committed by GitHub 2 years ago
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/tasks/main.yml
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/tasks/main.yml
@@ -23,8 +23,6 @@
      - { name: role-ingress-nginx, file: role-ingress-nginx.yml, type: role }
      - { name: rolebinding-ingress-nginx, file: rolebinding-ingress-nginx.yml, type: rolebinding }
      - { name: ds-ingress-nginx-controller, file: ds-ingress-nginx-controller.yml, type: ds }
-    ingress_nginx_templates_for_psp:
-      - { name: psp-ingress-nginx, file: psp-ingress-nginx.yml, type: podsecuritypolicy }
    ingress_nginx_templates_for_webhook:
      - { name: admission-webhook-configuration, file: admission-webhook-configuration.yml, type: sa }
      - { name: sa-admission-webhook, file: sa-admission-webhook.yml, type: sa }
@@ -34,11 +32,6 @@
      - { name: rolebinding-admission-webhook, file: rolebinding-admission-webhook.yml, type: rolebinding }
      - { name: admission-webhook-job, file: admission-webhook-job.yml, type: job }

- name: NGINX Ingress Controller | Append extra templates to NGINX Ingress Templates list for PodSecurityPolicy
-  set_fact:
-    ingress_nginx_templates: "{{ ingress_nginx_templates_for_psp + ingress_nginx_templates }}"
-  when: podsecuritypolicy_enabled
-
 - name: NGINX Ingress Controller | Append extra templates to NGINX Ingress Templates list for webhook
  set_fact:
    ingress_nginx_templates: "{{ ingress_nginx_templates + ingress_nginx_templates_for_webhook }}"

--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/psp-ingress-nginx.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/psp-ingress-nginx.yml.j2
---
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: ingress-nginx
-  annotations:
-    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'runtime/default'
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
-{% if apparmor_enabled %}
-    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
-    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
-{% endif %}
-  labels:
-    addonmanager.kubernetes.io/mode: Reconcile
-spec:
-  privileged: false
-  allowPrivilegeEscalation: true
-  allowedCapabilities:
-    - NET_BIND_SERVICE
-  volumes:
-    - 'configMap'
-    - 'emptyDir'
-    - 'projected'
-    - 'secret'
-    - 'downwardAPI'
-    - 'persistentVolumeClaim'
-  hostNetwork: {{ ingress_nginx_host_network|bool }}
-  hostPorts:
-  - min: 0
-    max: 65535
-  hostIPC: false
-  hostPID: false
-  runAsUser:
-    rule: 'MustRunAsNonRoot'
-  seLinux:
-    rule: 'RunAsAny'
-  supplementalGroups:
-    rule: 'MustRunAs'
-    ranges:
-      - min: 1
-        max: 65535
-  fsGroup:
-    rule: 'MustRunAs'
-    ranges:
-      - min: 1
-        max: 65535
-  readOnlyRootFilesystem: false