Remove PodSecurityPolicy

PodSecurityPolicy was deprecated in Kubernetes v1.21, and removed from Kubernetes in v1.25.[1]

In Kubernetes 1.21, PodSecurityPolicy is deprecated. As with all Kubernetes feature deprecations, PodSecurityPolicy will continue to be available and fully-functional for several more releases. PodSecurityPolicy, previously in the beta stage, is planned for removal in Kubernetes 1.25.[2]

[1] https://kubernetes.io/docs/concepts/security/pod-security-policy/
[2] https://kubernetes.io/blog/2021/04/08/kubernetes-1-21-release-announcement/#podsecuritypolicy-deprecation

Change-Id: Ic060d925b6e97e5651e74a1a1161906aef740a8c

namespace-config/Chart.yaml

@@ -15,6 +15,6 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Namespace Config
 name: namespace-config
-version: 0.1.1
+version: 0.1.2
 home: https://kubernetes.io/docs/concepts/policy/limit-range/
 ...

namespace-config/templates/psp-rbac.yaml

@@ -1,29 +0,0 @@
-{{- if (not (empty .Values.podSecurityPolicy.existingPsp)) -}}
-{{- $name := printf "psp:%s:%s" .Release.Name .Values.podSecurityPolicy.existingPsp -}}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: {{ $name }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ $name }}
-subjects:
-- kind: Group
-  name: system:serviceaccounts:{{ .Release.Namespace }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ $name }}
-rules:
-- apiGroups:
-  - policy
-  resources:
-  - podsecuritypolicies
-  verbs:
-  - use
-  resourceNames:
-  - {{ .Values.podSecurityPolicy.existingPsp }}
-{{- end -}}

namespace-config/values.yaml

@@ -25,9 +25,4 @@ limits:
       cpu: 0.1
       memory: 64Mi
 
-podSecurityPolicy:
-  # Optionally specify the name of an existing pod security policy.
-  # If specified, a role and rolebinding will be created granting access for
-  # service accounts in this namespace to use existingPsp.
-  existingPsp: ""
 ...

podsecuritypolicy/.helmignore

@@ -1,22 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.pyc
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj

podsecuritypolicy/Chart.yaml

@@ -1,24 +0,0 @@
-# Copyright 2018, AT&T Intellectual Property
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-apiVersion: v1
-appVersion: v1.0.0
-description: OpenStack-Helm PodSecurityPolicy Chart
-name: podsecuritypolicy
-version: 0.1.2
-home: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
-maintainers:
-  - name: OpenStack-Helm Authors
-...

podsecuritypolicy/requirements.yaml

@@ -1,20 +0,0 @@
-# Copyright 2018, AT&T Intellectual Property
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-dependencies:
-  - name: helm-toolkit
-    repository: file://../helm-toolkit
-    version: ">= 0.1.0"
-...

podsecuritypolicy/templates/podsecuritypolicy.yaml

@@ -1,106 +0,0 @@
-{{- /*
-Copyright 2018, AT&T Intellectual Property
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.podsecuritypolicy }}
-{{- $envAll := . }}
-
-{{- /* Create one ClusterRole and PSP per PSP definition in values */}}
-{{- range $pspName, $pspDetails := .Values.data }}
-{{- if and $pspName $pspDetails }}
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: {{ $pspName }}
-  labels:
-{{ tuple $envAll "podsecuritypolicy" "policy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
-{{- if $pspDetails.annotations }}
-  annotations:
-{{ toYaml $pspDetails.annotations | indent 4 }}
-{{- end }}
-spec:
-{{ toYaml $pspDetails.spec | indent 2 }}
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: {{ $pspName }}
-  labels:
-{{ tuple $envAll "podsecuritypolicy" "policy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
-rules:
-- apiGroups: ['policy']
-  resources: ['podsecuritypolicies']
-  verbs: ['use']
-  resourceNames:
-  - {{ $pspName }}
-{{- end }}
-{{- end }}
-
-{{- /* Configure ClusterRoles to bind to different subjects as defaults */}}
-{{- if .Values.conf.defaults }}
-{{- range $rbacSubject, $defaultRole := .Values.conf.defaults }}
-{{- if and $defaultRole (not (eq "nil" $defaultRole)) }}
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-{{- /* NOTE: the role name is included in the name of the binding below
-     for the sake of chart upgrades.  The roleRef for a binding is immutable,
-     so if the the defaultRole changes, we need a different binding to
-     reflect that. This issue was only sporadic! */}}
-  name: psp-binding-for-{{- $rbacSubject | replace ":" "-" -}}-{{- $defaultRole }}
-  labels:
-{{ tuple $envAll "podsecuritypolicy" "policy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
-roleRef:
-  kind: ClusterRole
-  name: {{ $defaultRole }}
-  apiGroup: rbac.authorization.k8s.io
-subjects:
-- kind: Group
-  name: system:{{- $rbacSubject }}
-  apiGroup: rbac.authorization.k8s.io
-{{- end }}
-{{- end }}
-{{- end }}
-{{- /* Configure ClusterRoles to bind to non-default subjects */}}
-{{- if .Values.conf.serviceaccounts }}
-{{- range $rbacSubject, $rbacRole := .Values.conf.serviceaccounts }}
-{{- if and $rbacSubject (not (eq "nil" $rbacRole)) }}
-{{- $subjectName := ( $rbacSubject | split ":" )._1 | default "default" }}
-{{- $subjectNamespace := ($rbacSubject | split ":" )._0 }}
----
-apiVersion: "rbac.authorization.k8s.io/v1"
-kind: "ClusterRoleBinding"
-metadata:
-{{- /* NOTE: the role name is included in the name of the binding below
-     for the sake of chart upgrades.  The roleRef for a binding is immutable,
-     so if the the defaultRole changes, we need a different binding to
-     reflect that. This issue was only sporadic! */}}
-  name: psp-binding-for-{{- $subjectNamespace -}}-{{- $subjectName -}}-{{- $rbacRole }}
-  labels:
-{{ tuple $envAll "podsecuritypolicy" "policy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
-roleRef:
-  kind: "ClusterRole"
-  name: {{ $rbacRole | quote }}
-  apiGroup: "rbac.authorization.k8s.io"
-subjects:
-- kind: "ServiceAccount"
-  name: {{ $subjectName | quote }}
-  namespace: {{ $subjectNamespace| quote }}
-{{- end }}
-{{- end }}
-{{- end }}
-{{- end }}

podsecuritypolicy/values.yaml

@@ -1,73 +0,0 @@
-# Copyright 2018, AT&T Intellectual Property
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-conf:
-  # The keys under serviceaccounts define specific serviceaccounts, for
-  # which this tempalte creates clusterRoleBindigs to bind the serviceaccounts
-  # to the clusterRole. The cluserRole names are defined by the value for
-  # each each key.
-  # Each clusterRoles uses a podSecurityPolicy with the same name, defined
-  # in the data section below.
-  # Kubernetes controllers use the podSecurityPolicy, bound to the serviceaccount,
-  # assigned to a pod, to assess if it is allowed to create the pod and its
-  # listed containers with the securityContexts defined in thier specs.
-  serviceaccounts: {}
-  #  namespace-1:service-account-1: psp-all-permissive
-
-  # This defines creation of ClusterRoleBindings that configure
-  # default PodSecurityPolicies for the subjects below.
-  # `nil` avoids creation of a default binding for the subject.
-  #
-  defaults:
-    serviceaccounts: psp-default
-    authenticated: psp-default
-    unauthenticated: nil
-
-data:
-  # Each of these corresponds to the `spec` of a PodSecurityPolicy object.
-  # Note that this default PodSecurityPolicy is incredibly permissive.  It is
-  # intended to be tuned over time as a default, and to be overridden by
-  # operators as appropriate.
-  #
-  # A ClusterRole will be created for the PSP, with the same `metadata.name`.
-  #
-  # Note: you can define as many PSPs here as you need.
-  #
-  psp-default:  # This will be the `metadata.name` of the PodSecurityPolicy
-    annotations: {}  # Placeholder to add seccomp/apparmor default annotations
-    spec:
-      privileged: true
-      allowPrivilegeEscalation: true
-      hostNetwork: true
-      hostPID: true
-      hostIPC: true
-      seLinux:
-        rule: RunAsAny
-      supplementalGroups:
-        rule: RunAsAny
-      runAsUser:
-        rule: RunAsAny
-      fsGroup:
-        rule: RunAsAny
-      volumes:
-        - '*'
-      allowedCapabilities:
-        - '*'
-      hostPorts:
-        - min: 1
-          max: 65536
-manifests:
-  podsecuritypolicy: true
-...

releasenotes/config.yaml

@@ -41,7 +41,6 @@ sections:
   - [nfs-provisioner, nfs-provisioner Chart]
   - [openvswitch, openvswitch Chart]
   - [ovn, ovn Chart]
-  - [podsecuritypolicy, podsecuritypolicy Chart]
   - [postgresql, postgresql Chart]
   - [powerdns, powerdns Chart]
   - [prometheus, prometheus Chart]

releasenotes/notes/namespace-config.yaml

@@ -2,4 +2,5 @@
 namespace-config:
   - 0.1.0 Initial Chart
   - 0.1.1 Grant access to existing PodSecurityPolicy
+  - 0.1.2 Rmove PodSecurityPolicy
 ...

releasenotes/notes/podsecuritypolicy.yaml

@@ -3,4 +3,5 @@ podsecuritypolicy:
   - 0.1.0 Initial Chart
   - 0.1.1 Change helm-toolkit dependency version to ">= 0.1.0"
   - 0.1.2 Update htk requirements
+  - 1.0.0 Remove chart due to PodSecurityPolicy deprecation
 ...

tools/deployment/podsecuritypolicy/000-install-packages.sh

@@ -1 +0,0 @@
-../common/000-install-packages.sh

tools/deployment/podsecuritypolicy/005-deploy-k8s.sh

@@ -1 +0,0 @@
-../../gate/deploy-k8s.sh

tools/deployment/podsecuritypolicy/006-config-k8s-psp.sh

@@ -1,31 +0,0 @@
-#!/bin/bash
-
-#
-#    Licensed under the Apache License, Version 2.0 (the "License"); you may
-#    not use this file except in compliance with the License. You may obtain
-#    a copy of the License at
-#
-#         http://www.apache.org/licenses/LICENSE-2.0
-#
-#    Unless required by applicable law or agreed to in writing, software
-#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-#    License for the specific language governing permissions and limitations
-#    under the License.
-
-set -xe
-
-# This restarts minikube with podsecuritypolicy admission controller enabled
-sudo -E minikube stop
-sleep 10
-sudo -E minikube start \
-  --docker-env HTTP_PROXY="${HTTP_PROXY}" \
-  --docker-env HTTPS_PROXY="${HTTPS_PROXY}" \
-  --docker-env NO_PROXY="${NO_PROXY},10.96.0.0/12" \
-  --extra-config=kubelet.network-plugin=cni \
-  --extra-config=controller-manager.allocate-node-cidrs=true \
-  --extra-config=controller-manager.cluster-cidr=192.168.0.0/16 \
-  --extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy
-
-# NOTE: Wait for node to be ready.
-kubectl wait --timeout=240s --for=condition=Ready nodes/minikube

tools/deployment/podsecuritypolicy/007-podsecuritypolicy.sh

@@ -1,65 +0,0 @@
-#!/bin/bash
-
-#    Licensed under the Apache License, Version 2.0 (the "License"); you may
-#    not use this file except in compliance with the License. You may obtain
-#    a copy of the License at
-#
-#         http://www.apache.org/licenses/LICENSE-2.0
-#
-#    Unless required by applicable law or agreed to in writing, software
-#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-#    License for the specific language governing permissions and limitations
-#    under the License.
-
-set -xe
-
-#NOTE: Lint and package chart
-make podsecuritypolicy
-
-#NOTE: Create a privileged pod to test with
-tee /tmp/psp-test-pod.yaml << EOF
-apiVersion: v1
-kind: Pod
-metadata:
-  name: psp-test
-spec:
-  hostNetwork: true
-  containers:
-  - name: psp-test
-    image: na
-EOF
-
-#NOTE: Deploy with host networking off, and test for failure
-helm upgrade --install podsecuritypolicy ./podsecuritypolicy \
-  --namespace=kube-system \
-  --set data.psp-default.spec.hostNetwork=false \
-  ${OSH_INFRA_EXTRA_HELM_ARGS} \
-  ${OSH_INFRA_EXTRA_HELM_ARGS_PODSECURITYPOLICY}
-
-#NOTE: Wait for deploy
-./tools/deployment/common/wait-for-pods.sh kube-system
-
-# Test that host networking is disallowed
-if kubectl apply -f /tmp/psp-test-pod.yaml; then
-  echo "ERROR: podsecuritypolicy incorrectly admitted a privileged pod"
-  kubectl delete pod psp-test
-  exit 1
-else
-  echo "Failure above is expected. Continuing."
-fi
-
-#NOTE: Deploy with host networking on, and test for success
-helm upgrade --install podsecuritypolicy ./podsecuritypolicy \
-  --namespace=kube-system \
-  --set data.psp-default.spec.hostNetwork=true \
-  ${OSH_INFRA_EXTRA_HELM_ARGS} \
-  ${OSH_INFRA_EXTRA_HELM_ARGS_PODSECURITYPOLICY}
-
-#NOTE: Wait for deploy
-./tools/deployment/common/wait-for-pods.sh kube-system
-
-# Test that host networking is allowed
-kubectl apply -f /tmp/psp-test-pod.yaml
-
-kubectl delete pod psp-test

zuul.d/jobs.yaml

@@ -464,22 +464,6 @@
         - ./tools/deployment/elastic-beats/090-elastic-filebeat.sh
         - ./tools/deployment/elastic-beats/100-elastic-packetbeat.sh
 
-- job:
-    name: openstack-helm-infra-aio-podsecuritypolicy
-    parent: openstack-helm-infra-functional
-    timeout: 7200
-    pre-run:
-      - playbooks/osh-infra-upgrade-host.yaml
-    post-run: playbooks/osh-infra-collect-logs.yaml
-    nodeset: openstack-helm-single-node
-    vars:
-      gate_scripts_relative_path: ../openstack-helm-infra
-      gate_scripts:
-        - ./tools/deployment/podsecuritypolicy/000-install-packages.sh
-        - ./tools/deployment/podsecuritypolicy/005-deploy-k8s.sh
-        - ./tools/deployment/podsecuritypolicy/006-config-k8s-psp.sh
-        - ./tools/deployment/podsecuritypolicy/007-podsecuritypolicy.sh
-
 - job:
     name: openstack-helm-infra-local-storage
     parent: openstack-helm-infra-functional

zuul.d/project.yaml

@@ -28,9 +28,6 @@
         - openstack-helm-infra-openstack-support
         - openstack-helm-infra-openstack-support-ssl
         - openstack-helm-infra-metacontroller
-        # NOTE(gagehugo): Disabling this job until it's fixed
-        # - openstack-helm-infra-aio-podsecuritypolicy:
-        #    voting: false
     gate:
       jobs:
         - openstack-helm-lint