diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 99551e6d49..8c06cdce26 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -244,7 +244,6 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.admissionWebhooks.createSecretJob.resources | object | `{}` | | | controller.admissionWebhooks.createSecretJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for secret creation containers | | controller.admissionWebhooks.enabled | bool | `true` | | -| controller.admissionWebhooks.existingPsp | string | `""` | Use an existing PSP instead of creating one | | controller.admissionWebhooks.extraEnvs | list | `[]` | Additional environment variables to set | | controller.admissionWebhooks.failurePolicy | string | `"Fail"` | Admission Webhook failure policy to use | | controller.admissionWebhooks.key | string | `"/usr/local/certificates/key"` | | @@ -307,7 +306,6 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.enableAnnotationValidations | bool | `true` | | | controller.enableMimalloc | bool | `true` | Enable mimalloc as a drop-in replacement for malloc. # ref: https://github.com/microsoft/mimalloc # | | controller.enableTopologyAwareRouting | bool | `false` | This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-mode="auto" Defaults to false | -| controller.existingPsp | string | `""` | Use an existing PSP instead of creating one | | controller.extraArgs | object | `{}` | Additional command line arguments to pass to Ingress-Nginx Controller E.g. to specify the default SSL certificate you can use | | controller.extraContainers | list | `[]` | Additional containers to be added to the controller pod. See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. | | controller.extraEnvs | list | `[]` | Additional environment variables to set | @@ -497,7 +495,6 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | defaultBackend.autoscaling.targetMemoryUtilizationPercentage | int | `50` | | | defaultBackend.containerSecurityContext | object | `{}` | Security context for default backend containers | | defaultBackend.enabled | bool | `false` | | -| defaultBackend.existingPsp | string | `""` | Use an existing PSP instead of creating one | | defaultBackend.extraArgs | object | `{}` | | | defaultBackend.extraConfigMaps | list | `[]` | | | defaultBackend.extraEnvs | list | `[]` | Additional environment variables to set for defaultBackend pods | @@ -550,7 +547,6 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | dhParam | string | `""` | A base64-encoded Diffie-Hellman parameter. This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` # Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param | | imagePullSecrets | list | `[]` | Optional array of imagePullSecrets containing private registry credentials # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ | | namespaceOverride | string | `""` | Override the deployment namespace; defaults to .Release.Namespace | -| podSecurityPolicy.enabled | bool | `false` | | | portNamePrefix | string | `""` | Prefix for TCP and UDP ports names in ingress controller service # Some cloud providers, like Yandex Cloud may have a requirements for a port name regex to support cloud load balancer integration | | rbac.create | bool | `true` | | | rbac.scope | bool | `false` | | diff --git a/charts/ingress-nginx/ci/deamonset-psp-values.yaml b/charts/ingress-nginx/ci/deamonset-psp-values.yaml deleted file mode 100644 index 8026a6356f..0000000000 --- a/charts/ingress-nginx/ci/deamonset-psp-values.yaml +++ /dev/null @@ -1,13 +0,0 @@ -controller: - kind: DaemonSet - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: false - service: - type: ClusterIP - -podSecurityPolicy: - enabled: true diff --git a/charts/ingress-nginx/ci/deamonset-webhook-and-psp-values.yaml b/charts/ingress-nginx/ci/deamonset-webhook-and-psp-values.yaml deleted file mode 100644 index fccdb134cf..0000000000 --- a/charts/ingress-nginx/ci/deamonset-webhook-and-psp-values.yaml +++ /dev/null @@ -1,13 +0,0 @@ -controller: - kind: DaemonSet - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: true - service: - type: ClusterIP - -podSecurityPolicy: - enabled: true diff --git a/charts/ingress-nginx/ci/deployment-psp-values.yaml b/charts/ingress-nginx/ci/deployment-psp-values.yaml deleted file mode 100644 index 2f332a7b20..0000000000 --- a/charts/ingress-nginx/ci/deployment-psp-values.yaml +++ /dev/null @@ -1,10 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - service: - type: ClusterIP - -podSecurityPolicy: - enabled: true diff --git a/charts/ingress-nginx/ci/deployment-webhook-and-psp-values.yaml b/charts/ingress-nginx/ci/deployment-webhook-and-psp-values.yaml deleted file mode 100644 index 6195bb3391..0000000000 --- a/charts/ingress-nginx/ci/deployment-webhook-and-psp-values.yaml +++ /dev/null @@ -1,12 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: true - service: - type: ClusterIP - -podSecurityPolicy: - enabled: true diff --git a/charts/ingress-nginx/templates/_helpers.tpl b/charts/ingress-nginx/templates/_helpers.tpl index aa206084d5..6cbda2d4d2 100644 --- a/charts/ingress-nginx/templates/_helpers.tpl +++ b/charts/ingress-nginx/templates/_helpers.tpl @@ -235,17 +235,6 @@ readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem } {{- end -}} {{- end -}} -{{/* -Return the appropriate apiGroup for PodSecurityPolicy. -*/}} -{{- define "podSecurityPolicy.apiGroup" -}} -{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} -{{- print "policy" -}} -{{- else -}} -{{- print "extensions" -}} -{{- end -}} -{{- end -}} - {{/* Extra modules. */}} diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml index a21848201b..54af7abb65 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml @@ -20,14 +20,4 @@ rules: verbs: - get - update -{{- if .Values.podSecurityPolicy.enabled }} - - apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}] - resources: ['podsecuritypolicies'] - verbs: ['use'] - {{- with .Values.controller.admissionWebhooks.existingPsp }} - resourceNames: [{{ . }}] - {{- else }} - resourceNames: [{{ include "ingress-nginx.admissionWebhooks.fullname" . }}] - {{- end }} -{{- end }} {{- end }} diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml deleted file mode 100644 index 8e5dc72ac4..0000000000 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml +++ /dev/null @@ -1,52 +0,0 @@ -{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} -{{- if and .Values.podSecurityPolicy.enabled .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}} -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} - annotations: - "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded - seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*" - labels: - {{- include "ingress-nginx.labels" . | nindent 4 }} - app.kubernetes.io/component: admission-webhook - {{- with .Values.controller.admissionWebhooks.patch.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - privileged: false - hostPID: false - hostIPC: false - hostNetwork: false - volumes: - - configMap - - downwardAPI - - emptyDir - - secret - - projected - fsGroup: - rule: MustRunAs - ranges: - - min: 1 - max: 65535 - readOnlyRootFilesystem: true - runAsUser: - rule: MustRunAsNonRoot - runAsGroup: - rule: MustRunAs - ranges: - - min: 1 - max: 65535 - supplementalGroups: - rule: MustRunAs - ranges: - - min: 1 - max: 65535 - allowPrivilegeEscalation: false - requiredDropCapabilities: - - ALL - seLinux: - rule: RunAsAny -{{- end }} -{{- end }} diff --git a/charts/ingress-nginx/templates/controller-psp.yaml b/charts/ingress-nginx/templates/controller-psp.yaml deleted file mode 100644 index aad1d27361..0000000000 --- a/charts/ingress-nginx/templates/controller-psp.yaml +++ /dev/null @@ -1,100 +0,0 @@ -{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} -{{- if and .Values.podSecurityPolicy.enabled (empty .Values.controller.existingPsp) -}} -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: {{ include "ingress-nginx.fullname" . }} - annotations: - seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*" - labels: - {{- include "ingress-nginx.labels" . | nindent 4 }} - app.kubernetes.io/component: controller - {{- with .Values.controller.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - privileged: false - hostPID: false - hostIPC: false - hostNetwork: {{ .Values.controller.hostNetwork }} -{{- if or .Values.controller.hostNetwork .Values.controller.hostPort.enabled }} - hostPorts: - {{- if .Values.controller.hostNetwork }} - {{- range $key, $value := .Values.controller.containerPort }} - # controller.containerPort.{{ $key }} - - min: {{ $value }} - max: {{ $value }} - {{- end }} - {{- else if .Values.controller.hostPort.enabled }} - {{- range $key, $value := .Values.controller.hostPort.ports }} - # controller.hostPort.ports.{{ $key }} - - min: {{ $value }} - max: {{ $value }} - {{- end }} - {{- end }} - {{- if .Values.controller.metrics.enabled }} - # controller.metrics.port - - min: {{ .Values.controller.metrics.port }} - max: {{ .Values.controller.metrics.port }} - {{- end }} - {{- if .Values.controller.admissionWebhooks.enabled }} - # controller.admissionWebhooks.port - - min: {{ .Values.controller.admissionWebhooks.port }} - max: {{ .Values.controller.admissionWebhooks.port }} - {{- end }} - {{- range $key, $value := .Values.tcp }} - # tcp.{{ $key }} - - min: {{ $key }} - max: {{ $key }} - {{- end }} - {{- range $key, $value := .Values.udp }} - # udp.{{ $key }} - - min: {{ $key }} - max: {{ $key }} - {{- end }} -{{- end }} - volumes: - - configMap - - downwardAPI - - emptyDir - - secret - - projected - fsGroup: - rule: MustRunAs - ranges: - - min: 1 - max: 65535 - readOnlyRootFilesystem: false - runAsUser: - rule: MustRunAsNonRoot - runAsGroup: - rule: MustRunAs - ranges: - - min: 1 - max: 65535 - supplementalGroups: - rule: MustRunAs - ranges: - - min: 1 - max: 65535 - allowPrivilegeEscalation: {{ or .Values.controller.image.allowPrivilegeEscalation .Values.controller.image.chroot }} - requiredDropCapabilities: - - ALL - allowedCapabilities: - - NET_BIND_SERVICE - {{- if .Values.controller.image.chroot }} - {{- if .Values.controller.image.seccompProfile }} - - SYS_ADMIN - {{- end }} - - SYS_CHROOT - {{- end }} - seLinux: - rule: RunAsAny -{{- if .Values.controller.sysctls }} - allowedUnsafeSysctls: - {{- range $sysctl, $value := .Values.controller.sysctls }} - - {{ $sysctl }} - {{- end }} -{{- end }} -{{- end }} -{{- end }} diff --git a/charts/ingress-nginx/templates/controller-role.yaml b/charts/ingress-nginx/templates/controller-role.yaml index a94b399782..127b368c46 100644 --- a/charts/ingress-nginx/templates/controller-role.yaml +++ b/charts/ingress-nginx/templates/controller-role.yaml @@ -91,14 +91,4 @@ rules: - list - watch - get -{{- if .Values.podSecurityPolicy.enabled }} - - apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}] - resources: ['podsecuritypolicies'] - verbs: ['use'] - {{- with .Values.controller.existingPsp }} - resourceNames: [{{ . }}] - {{- else }} - resourceNames: [{{ include "ingress-nginx.fullname" . }}] - {{- end }} -{{- end }} {{- end }} diff --git a/charts/ingress-nginx/templates/default-backend-psp.yaml b/charts/ingress-nginx/templates/default-backend-psp.yaml deleted file mode 100644 index 4241091091..0000000000 --- a/charts/ingress-nginx/templates/default-backend-psp.yaml +++ /dev/null @@ -1,50 +0,0 @@ -{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} -{{- if and .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled (empty .Values.defaultBackend.existingPsp) -}} -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: {{ include "ingress-nginx.fullname" . }}-backend - annotations: - seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*" - labels: - {{- include "ingress-nginx.labels" . | nindent 4 }} - app.kubernetes.io/component: default-backend - {{- with .Values.defaultBackend.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - privileged: false - hostPID: false - hostIPC: false - hostNetwork: false - volumes: - - configMap - - downwardAPI - - emptyDir - - secret - - projected - fsGroup: - rule: MustRunAs - ranges: - - min: 1 - max: 65535 - readOnlyRootFilesystem: true - runAsUser: - rule: MustRunAsNonRoot - runAsGroup: - rule: MustRunAs - ranges: - - min: 1 - max: 65535 - supplementalGroups: - rule: MustRunAs - ranges: - - min: 1 - max: 65535 - allowPrivilegeEscalation: false - requiredDropCapabilities: - - ALL - seLinux: - rule: RunAsAny -{{- end }} -{{- end }} diff --git a/charts/ingress-nginx/templates/default-backend-role.yaml b/charts/ingress-nginx/templates/default-backend-role.yaml deleted file mode 100644 index dd7868aa0e..0000000000 --- a/charts/ingress-nginx/templates/default-backend-role.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - {{- include "ingress-nginx.labels" . | nindent 4 }} - app.kubernetes.io/component: default-backend - {{- with .Values.defaultBackend.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - name: {{ include "ingress-nginx.fullname" . }}-backend - namespace: {{ include "ingress-nginx.namespace" . }} -rules: - - apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}] - resources: ['podsecuritypolicies'] - verbs: ['use'] - {{- with .Values.defaultBackend.existingPsp }} - resourceNames: [{{ . }}] - {{- else }} - resourceNames: [{{ include "ingress-nginx.fullname" . }}-backend] - {{- end }} -{{- end }} diff --git a/charts/ingress-nginx/templates/default-backend-rolebinding.yaml b/charts/ingress-nginx/templates/default-backend-rolebinding.yaml deleted file mode 100644 index 3203b6f575..0000000000 --- a/charts/ingress-nginx/templates/default-backend-rolebinding.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - {{- include "ingress-nginx.labels" . | nindent 4 }} - app.kubernetes.io/component: default-backend - {{- with .Values.defaultBackend.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - name: {{ include "ingress-nginx.fullname" . }}-backend - namespace: {{ include "ingress-nginx.namespace" . }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ include "ingress-nginx.fullname" . }}-backend -subjects: - - kind: ServiceAccount - name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }} - namespace: {{ include "ingress-nginx.namespace" . }} -{{- end }} diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 46cfa089b0..bd8955500f 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -41,8 +41,6 @@ controller: seccompProfile: type: RuntimeDefault readOnlyRootFilesystem: false - # -- Use an existing PSP instead of creating one - existingPsp: "" # -- Configures the controller container name containerName: controller # -- Configures the ports that the nginx-controller listens on @@ -758,8 +756,6 @@ controller: objectSelector: {} # -- Labels to be added to admission webhooks labels: {} - # -- Use an existing PSP instead of creating one - existingPsp: "" service: annotations: {} # clusterIP: "" @@ -979,8 +975,6 @@ defaultBackend: seccompProfile: type: RuntimeDefault readOnlyRootFilesystem: true - # -- Use an existing PSP instead of creating one - existingPsp: "" extraArgs: {} serviceAccount: create: true @@ -1166,10 +1160,6 @@ defaultBackend: rbac: create: true scope: false -## If true, create & use Pod Security Policy resources -## https://kubernetes.io/docs/concepts/policy/pod-security-policy/ -podSecurityPolicy: - enabled: false serviceAccount: create: true name: "" diff --git a/docs/examples/psp/README.md b/docs/examples/psp/README.md deleted file mode 100644 index f8426baf25..0000000000 --- a/docs/examples/psp/README.md +++ /dev/null @@ -1,17 +0,0 @@ -# Pod Security Policy (PSP) - -In most clusters today, by default, all resources (e.g. `Deployments` and `ReplicatSets`) -have permissions to create pods. -Kubernetes however provides a more fine-grained authorization policy called -[Pod Security Policy (PSP)](https://kubernetes.io/docs/concepts/policy/pod-security-policy/). - -PSP allows the cluster owner to define the permission of each object, for example creating a pod. -If you have PSP enabled on the cluster, and you deploy ingress-nginx, -you will need to provide the `Deployment` with the permissions to create pods. - -Before applying any objects, first apply the PSP permissions by running: -```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/psp/psp.yaml -``` - -Note: PSP permissions must be granted before the creation of the `Deployment` and the `ReplicaSet`. diff --git a/docs/examples/psp/psp.yaml b/docs/examples/psp/psp.yaml deleted file mode 100644 index 0f859decef..0000000000 --- a/docs/examples/psp/psp.yaml +++ /dev/null @@ -1,75 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: ingress-nginx - ---- - -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: ingress-nginx - namespace: ingress-nginx -spec: - allowedCapabilities: - - NET_BIND_SERVICE - privileged: false - allowPrivilegeEscalation: true - # Allow core volume types. - volumes: - - configMap - - secret - hostIPC: false - hostPID: false - runAsUser: - # Require the container to run without root privileges. - rule: MustRunAsNonRoot - supplementalGroups: - rule: MustRunAs - ranges: - # Forbid adding the root group. - - min: 1 - max: 65535 - fsGroup: - rule: MustRunAs - ranges: - # Forbid adding the root group. - - min: 1 - max: 65535 - readOnlyRootFilesystem: false - seLinux: - rule: RunAsAny - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: ingress-nginx-psp - namespace: ingress-nginx -rules: -- apiGroups: [policy] - resources: [podsecuritypolicies] - verbs: [use] - resourceNames: [ingress-nginx] - ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: ingress-nginx-psp - namespace: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ingress-nginx-psp -subjects: -- kind: ServiceAccount - name: default -- kind: ServiceAccount - name: ingress-nginx - namespace: ingress-nginx -- kind: ServiceAccount - name: ingress-nginx-admission - namespace: ingress-nginx diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md index e1fd6956ed..ffd8f839f9 100644 --- a/docs/troubleshooting.md +++ b/docs/troubleshooting.md @@ -443,7 +443,7 @@ $ capsh --decode=0000000000000400 ``` ## Create a test pod as root -(Note, this may be restricted by PodSecurityPolicy, PodSecurityAdmission/Standards, OPA Gatekeeper, etc. in which case you will need to do the appropriate workaround for testing, e.g. deploy in a new namespace without the restrictions.) +(Note, this may be restricted by PodSecurityAdmission/Standards, OPA Gatekeeper, etc. in which case you will need to do the appropriate workaround for testing, e.g. deploy in a new namespace without the restrictions.) To test further you may want to install additional utilities, etc. Modify the pod yaml by: * changing runAsUser from 101 to 0 * removing the "drop..ALL" section from the capabilities. diff --git a/magefiles/utils/helm.go b/magefiles/utils/helm.go index dea68caab0..677e322f55 100644 --- a/magefiles/utils/helm.go +++ b/magefiles/utils/helm.go @@ -31,7 +31,6 @@ type IngressChartValue struct { RunAsUser int `yaml:"runAsUser"` AllowPrivilegeEscalation bool `yaml:"allowPrivilegeEscalation"` } `yaml:"image"` - ExistingPsp string `yaml:"existingPsp"` ContainerName string `yaml:"containerName"` ContainerPort struct { HTTP int `yaml:"http"` @@ -226,7 +225,6 @@ type IngressChartValue struct { NamespaceSelector struct{} `yaml:"namespaceSelector"` ObjectSelector struct{} `yaml:"objectSelector"` Labels struct{} `yaml:"labels"` - ExistingPsp string `yaml:"existingPsp"` NetworkPolicyEnabled bool `yaml:"networkPolicyEnabled"` Service struct { Annotations struct{} `yaml:"annotations"` @@ -329,7 +327,6 @@ type IngressChartValue struct { ReadOnlyRootFilesystem bool `yaml:"readOnlyRootFilesystem"` AllowPrivilegeEscalation bool `yaml:"allowPrivilegeEscalation"` } `yaml:"image"` - ExistingPsp string `yaml:"existingPsp"` ExtraArgs struct{} `yaml:"extraArgs"` ServiceAccount struct { Create bool `yaml:"create"` @@ -388,9 +385,6 @@ type IngressChartValue struct { Create bool `yaml:"create"` Scope bool `yaml:"scope"` } `yaml:"rbac"` - PodSecurityPolicy struct { - Enabled bool `yaml:"enabled"` - } `yaml:"podSecurityPolicy"` ServiceAccount struct { Create bool `yaml:"create"` Name string `yaml:"name"` diff --git a/mkdocs.yml b/mkdocs.yml index 4b010c5ff4..b9cf7917a1 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -124,7 +124,6 @@ nav: - Rewrite: "examples/rewrite/README.md" - Static IPs: "examples/static-ip/README.md" - TLS termination: "examples/tls-termination/README.md" - - Pod Security Policy (PSP): "examples/psp/README.md" - Open Policy Agent rules: "examples/openpolicyagent/README.md" - Canary Deployments: "examples/canary/README.md" - Developer Guide: