From aaffbe5d4ccfc705b2e3af1face8760e3574b8d2 Mon Sep 17 00:00:00 2001 From: Anish Ramasekar Date: Tue, 30 Aug 2022 20:31:38 -0700 Subject: [PATCH] chore: remove psp (#966) Signed-off-by: Anish Ramasekar Signed-off-by: Anish Ramasekar --- .../templates/podsecuritypolicy.yaml | 2 +- .../templates/role.yaml | 2 +- .../templates/rolebinding.yaml | 2 +- .../deployment/pod-security-policy.yaml | 101 ------------------ 4 files changed, 3 insertions(+), 104 deletions(-) delete mode 100644 manifest_staging/deployment/pod-security-policy.yaml
diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/templates/podsecuritypolicy.yaml b/manifest_staging/charts/csi-secrets-store-provider-azure/templates/podsecuritypolicy.yaml
index 4f4ea873b..d82f07dd8 100644
--- a/manifest_staging/charts/csi-secrets-store-provider-azure/templates/podsecuritypolicy.yaml
+++ b/manifest_staging/charts/csi-secrets-store-provider-azure/templates/podsecuritypolicy.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.rbac.pspEnabled }}
+{{- if and .Values.rbac.pspEnabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/templates/role.yaml b/manifest_staging/charts/csi-secrets-store-provider-azure/templates/role.yaml
index 9c08f8764..f995023c2 100644
--- a/manifest_staging/charts/csi-secrets-store-provider-azure/templates/role.yaml
+++ b/manifest_staging/charts/csi-secrets-store-provider-azure/templates/role.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.rbac.pspEnabled }}
+{{- if and .Values.rbac.pspEnabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/templates/rolebinding.yaml b/manifest_staging/charts/csi-secrets-store-provider-azure/templates/rolebinding.yaml
index 590f5a262..14365fc61 100644
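Review bot: The added condition turns `rbac.pspEnabled: true` into a silent no-op on any cluster that no longer serves `policy/v1beta1/PodSecurityPolicy` (Kubernetes 1.25+), and `helm template` without `--api-versions policy/v1beta1/PodSecurityPolicy` will also render nothing for this file, so a CI step that only lints rendered manifests will not notice the policy vanishing. On clusters that still run the PSP admission controller the behaviour is unchanged, but elsewhere an operator who set the flag will believe an admission control is in place when none is rendered, and nothing here points them at Pod Security Admission as the replacement. I would document this next to the value, e.g. `# pspEnabled only has an effect on clusters that still serve policy/v1beta1/PodSecurityPolicy (<1.25); on newer clusters apply pod-security.kubernetes.io/* namespace labels instead.`, and consider a NOTES.txt warning when the flag is set but the API is absent. The title says "remove psp" while the chart templates are kept behind this gate; if full removal from the chart is intended later, stating that in the description would avoid confusion.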
--- a/manifest_staging/charts/csi-secrets-store-provider-azure/templates/rolebinding.yaml
+++ b/manifest_staging/charts/csi-secrets-store-provider-azure/templates/rolebinding.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.rbac.pspEnabled }}
+{{- if and .Values.rbac.pspEnabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
diff --git a/manifest_staging/deployment/pod-security-policy.yaml b/manifest_staging/deployment/pod-security-policy.yaml deleted file mode 100644
index edd3e8ac7..000000000
--- a/manifest_staging/deployment/pod-security-policy.yaml
+++ /dev/null
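Review bot: The gating expression `and .Values.rbac.pspEnabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy")` is now copied verbatim into podsecuritypolicy.yaml, role.yaml and this rolebinding.yaml, and the Role/RoleBinding are only meaningful when the PSP they grant `use` on is also rendered, so the three must stay in lockstep. A named helper in `_helpers.tpl` would make that a single point of change, e.g. `{{- define "csi-secrets-store-provider-azure.pspEnabled" -}}{{- and .Values.rbac.pspEnabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") -}}{{- end -}}`. Because `include` returns a string, the call site needs `{{- if eq (include "csi-secrets-store-provider-azure.pspEnabled" .) "true" }}` rather than a bare `if include ...`, which would otherwise be truthy for the string "false".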
@@ -1,101 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: allow-csi-driver
-spec:
- seLinux:
- rule: RunAsAny
- volumes:
- - csi
- - hostPath
- - secret
- fsGroup:
- rule: RunAsAny
- runAsUser:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- privileged: true
- hostNetwork: true
- hostPorts:
- - min: 9808
- max: 9808
- allowedHostPaths:
- - pathPrefix: /etc/kubernetes/secrets-store-csi-providers
- - pathPrefix: /var/lib/kubelet
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: psp:allow-csi-driver
-rules:
-- apiGroups: ['extensions']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames:
- - allow-csi-driver
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: default:allow-csi-driver
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:allow-csi-driver
-subjects:
-- kind: ServiceAccount
- name: secrets-store-csi-driver
- namespace: default
-- kind: ServiceAccount
- name: csi-secrets-store-provider-azure
- namespace: default
-- kind: Group
- name: system:authenticated
- apiGroup: rbac.authorization.k8s.io
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: allow-csi-driver-provider-azure
-spec:
- seLinux:
- rule: RunAsAny
- privileged: true
- volumes:
- - hostPath
- - secret
- hostNetwork: true
- hostPorts:
- - min: 0
- max: 65535
- fsGroup:
- rule: RunAsAny
- runAsUser:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: psp:allow-csi-driver-provider-azure
-rules:
-- apiGroups: ['extensions']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames:
- - allow-csi-driver-provider-azure
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: default:allow-csi-driver-provider-azure
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:allow-csi-driver-provider-azure
-subjects:
-- kind: ServiceAccount
- name: csi-secrets-store-provider-azure
- namespace: default