Remove PodSecurityPolicy

PodSecurityPolicy has been removed in Kubernetes v1.25 [1]. To allow Magnum to support Kubernetes v1.25 and above, PodSecurityPolicy Admission Controller has has been removed. [1] https://kubernetes.io/docs/concepts/security/pod-security-policy/ Change-Id: I0fb0c372b484275b0677114193289469ee788b84 (cherry picked from commit 1b1c212)
stackhpc · Mar 28, 2024 · a2f3b74 · a2f3b74
1 parent 9919749
commit a2f3b74
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 113 deletions.
diff --git a/magnum/drivers/common/templates/kubernetes/fragments/flannel-service.sh b/magnum/drivers/common/templates/kubernetes/fragments/flannel-service.sh
@@ -14,62 +14,11 @@ if [ "$NETWORK_DRIVER" = "flannel" ]; then
     set +x
     cat << EOF > ${FLANNEL_DEPLOY}
 ---
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: psp.flannel.unprivileged
-  annotations:
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
-    seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
-    apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
-    apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
-spec:
-  privileged: false
-  volumes:
-    - configMap
-    - secret
-    - emptyDir
-    - hostPath
-  allowedHostPaths:
-    - pathPrefix: "/etc/cni/net.d"
-    - pathPrefix: "/etc/kube-flannel"
-    - pathPrefix: "/run/flannel"
-  readOnlyRootFilesystem: false
-  # Users and groups
-  runAsUser:
-    rule: RunAsAny
-  supplementalGroups:
-    rule: RunAsAny
-  fsGroup:
-    rule: RunAsAny
-  # Privilege Escalation
-  allowPrivilegeEscalation: false
-  defaultAllowPrivilegeEscalation: false
-  # Capabilities
-  allowedCapabilities: ['NET_ADMIN']
-  defaultAddCapabilities: []
-  requiredDropCapabilities: []
-  # Host namespaces
-  hostPID: false
-  hostIPC: false
-  hostNetwork: true
-  hostPorts:
-  - min: 0
-    max: 65535
-  # SELinux
-  seLinux:
-    # SELinux is unsed in CaaSP
-    rule: 'RunAsAny'
----
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: flannel
 rules:
-  - apiGroups: ['extensions']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: ['psp.flannel.unprivileged']
   - apiGroups:
       - ""
     resources:

diff --git a/magnum/drivers/common/templates/kubernetes/fragments/kube-apiserver-to-kubelet-role.sh b/magnum/drivers/common/templates/kubernetes/fragments/kube-apiserver-to-kubelet-role.sh
@@ -78,67 +78,6 @@ EOF
 }
 kubectl apply --validate=false -f ${ADMIN_RBAC}
 
-POD_SECURITY_POLICIES=/srv/magnum/kubernetes/podsecuritypolicies.yaml
-# Pod Security Policies
-[ -f ${POD_SECURITY_POLICIES} ] || {
-    echo "Writing File: $POD_SECURITY_POLICIES"
-    mkdir -p $(dirname ${POD_SECURITY_POLICIES})
-    cat > ${POD_SECURITY_POLICIES} <<EOF
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: magnum.privileged
-  annotations:
-    kubernetes.io/description: 'privileged allows full unrestricted access to
-      pod features, as if the PodSecurityPolicy controller was not enabled.'
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
-  labels:
-    kubernetes.io/cluster-service: "true"
-    addonmanager.kubernetes.io/mode: Reconcile
-spec:
-  privileged: true
-  allowPrivilegeEscalation: true
-  allowedCapabilities:
-  - '*'
-  volumes:
-  - '*'
-  hostNetwork: true
-  hostPorts:
-  - min: 0
-    max: 65535
-  hostIPC: true
-  hostPID: true
-  runAsUser:
-    rule: 'RunAsAny'
-  seLinux:
-    rule: 'RunAsAny'
-  supplementalGroups:
-    rule: 'RunAsAny'
-  fsGroup:
-    rule: 'RunAsAny'
-  readOnlyRootFilesystem: false
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: magnum:podsecuritypolicy:privileged
-  labels:
-    kubernetes.io/cluster-service: "true"
-    addonmanager.kubernetes.io/mode: Reconcile
-rules:
-- apiGroups:
-  - policy
-  resourceNames:
-  - magnum.privileged
-  resources:
-  - podsecuritypolicies
-  verbs:
-  - use
-EOF
-}
-kubectl apply -f ${POD_SECURITY_POLICIES}
-
 # Add the openstack trustee as a secret under kube-system
 kubectl -n kube-system create secret generic os-trustee \
     --from-literal=os-authURL=${AUTH_URL} \

diff --git a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubecluster.yaml
@@ -226,7 +226,7 @@ parameters:
     type: string
     description: >
       List of admission control plugins to activate
-    default: "PodSecurityPolicy,NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,TaintNodesByCondition,Priority,DefaultTolerationSeconds,DefaultStorageClass,StorageObjectInUseProtection,PersistentVolumeClaimResize,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,RuntimeClass"
+    default: "NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,TaintNodesByCondition,Priority,DefaultTolerationSeconds,DefaultStorageClass,StorageObjectInUseProtection,PersistentVolumeClaimResize,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,RuntimeClass"
 
   kube_allow_priv:
     type: string

diff --git a/releasenotes/notes/remove-podsecuritypolicy-5851f4009f1a166c.yaml b/releasenotes/notes/remove-podsecuritypolicy-5851f4009f1a166c.yaml
@@ -0,0 +1,13 @@
+---
+deprecations:
+  - |
+    PodSecurityPolicy has been removed in Kubernetes v1.25 [1]. To allow Magnum
+    to support Kubernetes v1.25 and above, PodSecurityPolicy Admission
+    Controller has has been removed.
+
+    This means that there is a behaviour change in Cluster Templates created
+    after this change, where new Clusters with such Cluster Templates will not
+    have PodSecurityPolicy. Please be aware of the subsequent impact on Helm
+    Charts, etc.
+
+    [1] https://kubernetes.io/docs/concepts/security/pod-security-policy/