From 664f4c9dfb146a90c6f3681e0e9859d1daf33fcc Mon Sep 17 00:00:00 2001 
From: Samuel Liu Date: Fri, 2 Jun 2023 09:54:18 +0800 Subject: [PATCH] Remove PodSecurityPolicy PodSecurityPolicy was deprecated in Kubernetes v1.21, and removed from Kubernetes in v1.25.[1] In Kubernetes 1.21, PodSecurityPolicy is deprecated. As with all Kubernetes feature deprecations, PodSecurityPolicy will continue to be available and fully-functional for several more releases. PodSecurityPolicy, previously in the beta stage, is planned for removal in Kubernetes 1.25.[2] [1] https://kubernetes.io/docs/concepts/security/pod-security-policy/ [2] https://kubernetes.io/blog/2021/04/08/kubernetes-1-21-release-announcement/#podsecuritypolicy-deprecation Change-Id: Ic060d925b6e97e5651e74a1a1161906aef740a8c --- namespace-config/Chart.yaml | 2 +- namespace-config/templates/psp-rbac.yaml | 29 ----- namespace-config/values.yaml | 5 - podsecuritypolicy/.helmignore | 22 ---- podsecuritypolicy/Chart.yaml | 24 ---- podsecuritypolicy/requirements.yaml | 20 ---- .../templates/podsecuritypolicy.yaml | 106 ------------------ podsecuritypolicy/values.yaml | 73 ------------ releasenotes/config.yaml | 1 - releasenotes/notes/namespace-config.yaml | 1 + releasenotes/notes/podsecuritypolicy.yaml | 1 + .../podsecuritypolicy/000-install-packages.sh | 1 - .../podsecuritypolicy/005-deploy-k8s.sh | 1 - .../podsecuritypolicy/006-config-k8s-psp.sh | 31 ----- .../007-podsecuritypolicy.sh | 65 ----------- zuul.d/jobs.yaml | 16 --- zuul.d/project.yaml | 3 - 17 files changed, 3 insertions(+), 398 deletions(-) delete mode 100644 namespace-config/templates/psp-rbac.yaml delete mode 100644 podsecuritypolicy/.helmignore delete mode 100644 podsecuritypolicy/Chart.yaml delete mode 100644 podsecuritypolicy/requirements.yaml delete mode 100644 podsecuritypolicy/templates/podsecuritypolicy.yaml delete mode 100644 podsecuritypolicy/values.yaml delete mode 120000 tools/deployment/podsecuritypolicy/000-install-packages.sh delete mode 120000 tools/deployment/podsecuritypolicy/005-deploy-k8s.sh delete mode 
100755 tools/deployment/podsecuritypolicy/006-config-k8s-psp.sh delete mode 100755 tools/deployment/podsecuritypolicy/007-podsecuritypolicy.sh diff --git a/namespace-config/Chart.yaml b/namespace-config/Chart.yaml index f6da8d2e9..38ffdfdb5 100644 --- a/namespace-config/Chart.yaml +++ b/namespace-config/Chart.yaml @@ -15,6 +15,6 @@ apiVersion: v1 appVersion: v1.0.0 description: OpenStack-Helm Namespace Config name: namespace-config -version: 0.1.1 +version: 0.1.2 home: https://kubernetes.io/docs/concepts/policy/limit-range/ ... diff --git a/namespace-config/templates/psp-rbac.yaml b/namespace-config/templates/psp-rbac.yaml deleted file mode 100644 index 916a2c1c6..000000000 --- a/namespace-config/templates/psp-rbac.yaml +++ /dev/null @@ -1,29 +0,0 @@ -{{- if (not (empty .Values.podSecurityPolicy.existingPsp)) -}} -{{- $name := printf "psp:%s:%s" .Release.Name .Values.podSecurityPolicy.existingPsp -}} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ $name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ $name }} -subjects: -- kind: Group - name: system:serviceaccounts:{{ .Release.Namespace }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ $name }} -rules: -- apiGroups: - - policy - resources: - - podsecuritypolicies - verbs: - - use - resourceNames: - - {{ .Values.podSecurityPolicy.existingPsp }} -{{- end -}} diff --git a/namespace-config/values.yaml b/namespace-config/values.yaml index ae3311d81..62ba15611 100644 --- a/namespace-config/values.yaml +++ b/namespace-config/values.yaml @@ -25,9 +25,4 @@ limits: cpu: 0.1 memory: 64Mi -podSecurityPolicy: - # Optionally specify the name of an existing pod security policy. - # If specified, a role and rolebinding will be created granting access for - # service accounts in this namespace to use existingPsp. - existingPsp: "" ... 
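Review bot: Dropping the `podSecurityPolicy.existingPsp` key from namespace-config/values.yaml silently disables any operator override that still sets it — unless the chart ships a values schema (none is visible here) Helm accepts unknown values, so the Role/RoleBinding granting `use` on the named PSP just stops being rendered, and the chart moves only from 0.1.1 to 0.1.2. A patch-level bump plus the one-line release note (which also reads "Rmove") is thin documentation for a values-interface removal; I'd extend the release note to say the key is no longer honoured and that, with PodSecurityPolicy gone from Kubernetes v1.25, namespace-level pod security is expected to come from Pod Security Admission namespace labels rather than this chart. A short comment at the top of values.yaml would also catch stale overrides at review time, e.g. `# NOTE: podSecurityPolicy.existingPsp was removed in 0.1.2; PodSecurityPolicy is unavailable on Kubernetes >= 1.25`.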
diff --git a/podsecuritypolicy/.helmignore b/podsecuritypolicy/.helmignore
deleted file mode 100644
index 8fdbe6895..000000000
--- a/podsecuritypolicy/.helmignore
+++ /dev/null
@@ -1,22 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.pyc
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
diff --git a/podsecuritypolicy/Chart.yaml b/podsecuritypolicy/Chart.yaml
deleted file mode 100644
index 58adb979e..000000000
--- a/podsecuritypolicy/Chart.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-# Copyright 2018, AT&T Intellectual Property
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-apiVersion: v1
-appVersion: v1.0.0
-description: OpenStack-Helm PodSecurityPolicy Chart
-name: podsecuritypolicy
-version: 0.1.2
-home: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
-maintainers:
- - name: OpenStack-Helm Authors
-...
diff --git a/podsecuritypolicy/requirements.yaml b/podsecuritypolicy/requirements.yaml
deleted file mode 100644
index 41f16d55b..000000000
--- a/podsecuritypolicy/requirements.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-# Copyright 2018, AT&T Intellectual Property
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-dependencies:
- - name: helm-toolkit
- repository: file://../helm-toolkit
- version: ">= 0.1.0"
-...
diff --git a/podsecuritypolicy/templates/podsecuritypolicy.yaml b/podsecuritypolicy/templates/podsecuritypolicy.yaml
deleted file mode 100644
index c12d5f385..000000000
--- a/podsecuritypolicy/templates/podsecuritypolicy.yaml
+++ /dev/null
@@ -1,106 +0,0 @@ -{{- /* -Copyright 2018, AT&T Intellectual Property - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.podsecuritypolicy }} -{{- $envAll := . }} - -{{- /* Create one ClusterRole and PSP per PSP definition in values */}} -{{- range $pspName, $pspDetails := .Values.data }} -{{- if and $pspName $pspDetails }} ---- -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: {{ $pspName }} - labels: -{{ tuple $envAll "podsecuritypolicy" "policy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} -{{- if $pspDetails.annotations }} - annotations: -{{ toYaml $pspDetails.annotations | indent 4 }} -{{- end }} -spec: -{{ toYaml $pspDetails.spec | indent 2 }} ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ $pspName }} - labels: -{{ tuple $envAll "podsecuritypolicy" "policy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} -rules: -- apiGroups: ['policy'] - resources: ['podsecuritypolicies'] - verbs: ['use'] - resourceNames: - - {{ $pspName }} -{{- end }} -{{- end }} - -{{- /* Configure ClusterRoles to bind to different subjects as defaults */}} -{{- if .Values.conf.defaults }} -{{- range $rbacSubject, $defaultRole := .Values.conf.defaults }} -{{- if and $defaultRole (not (eq "nil" $defaultRole)) }} ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: -{{- /* NOTE: the role name is included in the name of the binding below 
- for the sake of chart upgrades. The roleRef for a binding is immutable, - so if the the defaultRole changes, we need a different binding to - reflect that. This issue was only sporadic! */}} - name: psp-binding-for-{{- $rbacSubject | replace ":" "-" -}}-{{- $defaultRole }} - labels: -{{ tuple $envAll "podsecuritypolicy" "policy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} -roleRef: - kind: ClusterRole - name: {{ $defaultRole }} - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: Group - name: system:{{- $rbacSubject }} - apiGroup: rbac.authorization.k8s.io -{{- end }} -{{- end }} -{{- end }} -{{- /* Configure ClusterRoles to bind to non-default subjects */}} -{{- if .Values.conf.serviceaccounts }} -{{- range $rbacSubject, $rbacRole := .Values.conf.serviceaccounts }} -{{- if and $rbacSubject (not (eq "nil" $rbacRole)) }} -{{- $subjectName := ( $rbacSubject | split ":" )._1 | default "default" }} -{{- $subjectNamespace := ($rbacSubject | split ":" )._0 }} ---- -apiVersion: "rbac.authorization.k8s.io/v1" -kind: "ClusterRoleBinding" -metadata: -{{- /* NOTE: the role name is included in the name of the binding below - for the sake of chart upgrades. The roleRef for a binding is immutable, - so if the the defaultRole changes, we need a different binding to - reflect that. This issue was only sporadic! */}} - name: psp-binding-for-{{- $subjectNamespace -}}-{{- $subjectName -}}-{{- $rbacRole }} - labels: -{{ tuple $envAll "podsecuritypolicy" "policy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} -roleRef: - kind: "ClusterRole" - name: {{ $rbacRole | quote }} - apiGroup: "rbac.authorization.k8s.io" -subjects: -- kind: "ServiceAccount" - name: {{ $subjectName | quote }} - namespace: {{ $subjectNamespace| quote }} -{{- end }} -{{- end }} -{{- end }} -{{- end }} diff --git a/podsecuritypolicy/values.yaml b/podsecuritypolicy/values.yaml deleted file mode 100644 index daa0c3ccd..000000000 
--- a/podsecuritypolicy/values.yaml
+++ /dev/null
@@ -1,73 +0,0 @@ -# Copyright 2018, AT&T Intellectual Property -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - ---- -conf: - # The keys under serviceaccounts define specific serviceaccounts, for - # which this tempalte creates clusterRoleBindigs to bind the serviceaccounts - # to the clusterRole. The cluserRole names are defined by the value for - # each each key. - # Each clusterRoles uses a podSecurityPolicy with the same name, defined - # in the data section below. - # Kubernetes controllers use the podSecurityPolicy, bound to the serviceaccount, - # assigned to a pod, to assess if it is allowed to create the pod and its - # listed containers with the securityContexts defined in thier specs. - serviceaccounts: {} - # namespace-1:service-account-1: psp-all-permissive - - # This defines creation of ClusterRoleBindings that configure - # default PodSecurityPolicies for the subjects below. - # `nil` avoids creation of a default binding for the subject. - # - defaults: - serviceaccounts: psp-default - authenticated: psp-default - unauthenticated: nil - -data: - # Each of these corresponds to the `spec` of a PodSecurityPolicy object. - # Note that this default PodSecurityPolicy is incredibly permissive. It is - # intended to be tuned over time as a default, and to be overridden by - # operators as appropriate. - # - # A ClusterRole will be created for the PSP, with the same `metadata.name`. - # - # Note: you can define as many PSPs here as you need. 
- # - psp-default: # This will be the `metadata.name` of the PodSecurityPolicy - annotations: {} # Placeholder to add seccomp/apparmor default annotations - spec: - privileged: true - allowPrivilegeEscalation: true - hostNetwork: true - hostPID: true - hostIPC: true - seLinux: - rule: RunAsAny - supplementalGroups: - rule: RunAsAny - runAsUser: - rule: RunAsAny - fsGroup: - rule: RunAsAny - volumes: - - '*' - allowedCapabilities: - - '*' - hostPorts: - - min: 1 - max: 65536 -manifests: - podsecuritypolicy: true -... diff --git a/releasenotes/config.yaml b/releasenotes/config.yaml index b4679bca0..1b18c4717 100644 --- a/releasenotes/config.yaml +++ b/releasenotes/config.yaml @@ -41,7 +41,6 @@ sections: - [nfs-provisioner, nfs-provisioner Chart] - [openvswitch, openvswitch Chart] - [ovn, ovn Chart] - - [podsecuritypolicy, podsecuritypolicy Chart] - [postgresql, postgresql Chart] - [powerdns, powerdns Chart] - [prometheus, prometheus Chart] diff --git a/releasenotes/notes/namespace-config.yaml b/releasenotes/notes/namespace-config.yaml index 42d525ee3..13f7852da 100644 --- a/releasenotes/notes/namespace-config.yaml +++ b/releasenotes/notes/namespace-config.yaml @@ -2,4 +2,5 @@ namespace-config: - 0.1.0 Initial Chart - 0.1.1 Grant access to existing PodSecurityPolicy + - 0.1.2 Rmove PodSecurityPolicy ... diff --git a/releasenotes/notes/podsecuritypolicy.yaml b/releasenotes/notes/podsecuritypolicy.yaml index 038f33179..a4b083c65 100644 --- a/releasenotes/notes/podsecuritypolicy.yaml +++ b/releasenotes/notes/podsecuritypolicy.yaml @@ -3,4 +3,5 @@ podsecuritypolicy: - 0.1.0 Initial Chart - 0.1.1 Change helm-toolkit dependency version to ">= 0.1.0" - 0.1.2 Update htk requirements + - 1.0.0 Remove chart due to PodSecurityPolicy deprecation ... diff --git a/tools/deployment/podsecuritypolicy/000-install-packages.sh b/tools/deployment/podsecuritypolicy/000-install-packages.sh deleted file mode 120000 index d702c4899..000000000 
--- a/tools/deployment/podsecuritypolicy/000-install-packages.sh +++ /dev/null @@ -1 +0,0 @@ -../common/000-install-packages.sh \ No newline at end of file diff --git a/tools/deployment/podsecuritypolicy/005-deploy-k8s.sh b/tools/deployment/podsecuritypolicy/005-deploy-k8s.sh deleted file mode 120000 index 003bfbb8e..000000000 --- a/tools/deployment/podsecuritypolicy/005-deploy-k8s.sh +++ /dev/null @@ -1 +0,0 @@ -../../gate/deploy-k8s.sh \ No newline at end of file diff --git a/tools/deployment/podsecuritypolicy/006-config-k8s-psp.sh b/tools/deployment/podsecuritypolicy/006-config-k8s-psp.sh deleted file mode 100755 index f3233b82a..000000000 --- a/tools/deployment/podsecuritypolicy/006-config-k8s-psp.sh +++ /dev/null @@ -1,31 +0,0 @@ -#!/bin/bash - -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -set -xe - -# This restarts minikube with podsecuritypolicy admission controller enabled -sudo -E minikube stop -sleep 10 -sudo -E minikube start \ - --docker-env HTTP_PROXY="${HTTP_PROXY}" \ - --docker-env HTTPS_PROXY="${HTTPS_PROXY}" \ - --docker-env NO_PROXY="${NO_PROXY},10.96.0.0/12" \ - --extra-config=kubelet.network-plugin=cni \ - --extra-config=controller-manager.allocate-node-cidrs=true \ - --extra-config=controller-manager.cluster-cidr=192.168.0.0/16 \ - --extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy - -# NOTE: Wait for node to be ready. -kubectl wait --timeout=240s --for=condition=Ready nodes/minikube 
diff --git a/tools/deployment/podsecuritypolicy/007-podsecuritypolicy.sh b/tools/deployment/podsecuritypolicy/007-podsecuritypolicy.sh deleted file mode 100755 index 770dd9257..000000000 --- a/tools/deployment/podsecuritypolicy/007-podsecuritypolicy.sh +++ /dev/null 
@@ -1,65 +0,0 @@ -#!/bin/bash - -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -set -xe - -#NOTE: Lint and package chart -make podsecuritypolicy - -#NOTE: Create a privileged pod to test with -tee /tmp/psp-test-pod.yaml << EOF -apiVersion: v1 -kind: Pod -metadata: - name: psp-test -spec: - hostNetwork: true - containers: - - name: psp-test - image: na -EOF - -#NOTE: Deploy with host networking off, and test for failure -helm upgrade --install podsecuritypolicy ./podsecuritypolicy \ - --namespace=kube-system \ - --set data.psp-default.spec.hostNetwork=false \ - ${OSH_INFRA_EXTRA_HELM_ARGS} \ - ${OSH_INFRA_EXTRA_HELM_ARGS_PODSECURITYPOLICY} - -#NOTE: Wait for deploy -./tools/deployment/common/wait-for-pods.sh kube-system - -# Test that host networking is disallowed -if kubectl apply -f /tmp/psp-test-pod.yaml; then - echo "ERROR: podsecuritypolicy incorrectly admitted a privileged pod" - kubectl delete pod psp-test - exit 1 -else - echo "Failure above is expected. Continuing." -fi - -#NOTE: Deploy with host networking on, and test for success -helm upgrade --install podsecuritypolicy ./podsecuritypolicy \ - --namespace=kube-system \ - --set data.psp-default.spec.hostNetwork=true \ - ${OSH_INFRA_EXTRA_HELM_ARGS} \ - ${OSH_INFRA_EXTRA_HELM_ARGS_PODSECURITYPOLICY} - -#NOTE: Wait for deploy -./tools/deployment/common/wait-for-pods.sh kube-system - -# Test that host networking is allowed -kubectl apply -f /tmp/psp-test-pod.yaml - -kubectl delete pod psp-test 
diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml index 47abe2069..948da772a 100644 --- a/zuul.d/jobs.yaml +++ b/zuul.d/jobs.yaml @@ -464,22 +464,6 @@ - ./tools/deployment/elastic-beats/090-elastic-filebeat.sh - ./tools/deployment/elastic-beats/100-elastic-packetbeat.sh -- job: - name: openstack-helm-infra-aio-podsecuritypolicy - parent: openstack-helm-infra-functional - timeout: 7200 - pre-run: - - playbooks/osh-infra-upgrade-host.yaml - post-run: playbooks/osh-infra-collect-logs.yaml - nodeset: openstack-helm-single-node - vars: - gate_scripts_relative_path: ../openstack-helm-infra - gate_scripts: - - ./tools/deployment/podsecuritypolicy/000-install-packages.sh - - ./tools/deployment/podsecuritypolicy/005-deploy-k8s.sh - - ./tools/deployment/podsecuritypolicy/006-config-k8s-psp.sh - - ./tools/deployment/podsecuritypolicy/007-podsecuritypolicy.sh - - job: name: openstack-helm-infra-local-storage parent: openstack-helm-infra-functional diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index 31d9177d1..54b59ee12 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -28,9 +28,6 @@ - openstack-helm-infra-openstack-support - openstack-helm-infra-openstack-support-ssl - openstack-helm-infra-metacontroller - # NOTE(gagehugo): Disabling this job until it's fixed - # - openstack-helm-infra-aio-podsecuritypolicy: - # voting: false gate: jobs: - openstack-helm-lint