chore: remove PSP and migrate to PSA (#2174)

open-policy-agent · Aug 1, 2022 · 52db6a7 · 52db6a7
1 parent 05650d2
commit 52db6a7
Show file tree

Hide file tree

Showing 19 changed files with 112 additions and 59 deletions.
diff --git a/cmd/build/helmify/kustomization.yaml b/cmd/build/helmify/kustomization.yaml
@@ -73,8 +73,6 @@ patchesJson6902:
         path: /spec/template/spec/containers/0/resources/limits
       - op: remove
         path: /spec/template/spec/containers/0/resources/requests
-      - op: remove
-        path: /spec/template/metadata/annotations/container.seccomp.security.alpha.kubernetes.io~1manager
       - op: remove
         path: /spec/template/spec/nodeSelector/kubernetes.io~1os
       - op: remove
@@ -91,6 +89,8 @@ patchesJson6902:
         path: /spec/template/spec/containers/0/securityContext/runAsNonRoot
       - op: remove
         path: /spec/template/spec/containers/0/securityContext/runAsUser
+      - op: remove
+        path: /spec/template/spec/containers/0/securityContext/seccompProfile
   - target:
       kind: Deployment
       name: gatekeeper-controller-manager
@@ -99,8 +99,6 @@ patchesJson6902:
         path: /spec/template/spec/containers/0/resources/limits
       - op: remove
         path: /spec/template/spec/containers/0/resources/requests
-      - op: remove
-        path: /spec/template/metadata/annotations/container.seccomp.security.alpha.kubernetes.io~1manager
       - op: remove
         path: /spec/template/spec/nodeSelector/kubernetes.io~1os
       - op: remove
@@ -119,6 +117,8 @@ patchesJson6902:
         path: /spec/template/spec/containers/0/securityContext/runAsNonRoot
       - op: remove
         path: /spec/template/spec/containers/0/securityContext/runAsUser
+      - op: remove
+        path: /spec/template/spec/containers/0/securityContext/seccompProfile
   - target:
       kind: Service
       name: webhook-service

diff --git a/cmd/build/helmify/kustomize-for-helm.yaml b/cmd/build/helmify/kustomize-for-helm.yaml
@@ -258,7 +258,7 @@ webhooks:
   timeoutSeconds: HELMSUBST_VALIDATING_WEBHOOK_TIMEOUT
   failurePolicy: HELMSUBST_VALIDATING_WEBHOOK_CHECK_IGNORE_FAILURE_POLICY
 ---
-apiVersion: policy/v1beta1
+apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
   name: gatekeeper-controller-manager

diff --git a/cmd/build/helmify/main.go b/cmd/build/helmify/main.go
@@ -142,11 +142,7 @@ func (ks *kindSet) Write() error {
 			}
 
 			if name == "gatekeeper-controller-manager" && kind == "PodDisruptionBudget" {
-				obj = strings.Replace(obj, "apiVersion: policy/v1beta1", "{{- $v1 := .Capabilities.APIVersions.Has \"policy/v1/PodDisruptionBudget\" -}}\n{{- $v1beta1 := .Capabilities.APIVersions.Has \"policy/v1beta1/PodDisruptionBudget\" -}}\napiVersion: policy/v1{{- if and (not $v1) $v1beta1 -}}beta1{{- end }}", 1)
-			}
-
-			if name == "gatekeeper-admin" && kind == "PodSecurityPolicy" {
-				obj = "{{- if and .Values.psp.enabled (.Capabilities.APIVersions.Has \"policy/v1beta1/PodSecurityPolicy\") }}\n" + obj + "{{- end }}\n"
+				obj = strings.Replace(obj, "apiVersion: policy/v1", "{{- $v1 := .Capabilities.APIVersions.Has \"policy/v1/PodDisruptionBudget\" -}}\n{{- $v1beta1 := .Capabilities.APIVersions.Has \"policy/v1beta1/PodDisruptionBudget\" -}}\napiVersion: policy/v1{{- if and (not $v1) $v1beta1 -}}beta1{{- end }}", 1)
 			}
 
 			if name == "gatekeeper-manager-role" && kind == "ClusterRole" {

diff --git a/config/rbac/podsecuritypolicy.yaml → ...s/gatekeeper-admin-podsecuritypolicy.yaml b/config/rbac/podsecuritypolicy.yaml → ...s/gatekeeper-admin-podsecuritypolicy.yaml
@@ -1,9 +1,16 @@
+{{- if and .Values.psp.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
-  name: admin
   annotations:
     seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+  labels:
+    app: '{{ template "gatekeeper.name" . }}'
+    chart: '{{ template "gatekeeper.name" . }}'
+    gatekeeper.sh/system: "yes"
+    heritage: '{{ .Release.Service }}'
+    release: '{{ .Release.Name }}'
+  name: gatekeeper-admin
 spec:
   allowPrivilegeEscalation: false
   fsGroup:
@@ -28,3 +35,4 @@ spec:
   - secret
   - downwardAPI
   - emptyDir
+{{- end }}
diff --git a/cmd/build/helmify/static/templates/namespace-post-install.yaml b/cmd/build/helmify/static/templates/namespace-post-install.yaml
@@ -48,8 +48,15 @@ spec:
             - {{ . }}
             {{- end }}
             - admission.gatekeeper.sh/ignore=no-self-managing
+            {{- range .Values.postInstall.labelNamespace.podSecurity }}
+            - {{ . }}
+            {{- end }}
             - --overwrite
           securityContext:
+            {{- if .Values.enableRuntimeDefaultSeccompProfile }}
+            seccompProfile:
+              type: RuntimeDefault
+            {{- end }}
             {{- toYaml .Values.postInstall.securityContext | nindent 12 }}
 ---
 apiVersion: v1

diff --git a/cmd/build/helmify/static/templates/namespace-post-upgrade.yaml b/cmd/build/helmify/static/templates/namespace-post-upgrade.yaml
@@ -40,6 +40,9 @@ spec:
             - {{ . }}
             {{- end }}
             - admission.gatekeeper.sh/ignore=no-self-managing
+            {{- range .Values.postInstall.labelNamespace.podSecurity }}
+            - {{ . }}
+            {{- end }}
             - --overwrite
           securityContext:
             {{- toYaml .Values.postUpgrade.securityContext | nindent 12 }}

diff --git a/cmd/build/helmify/static/templates/upgrade-crds-hook.yaml b/cmd/build/helmify/static/templates/upgrade-crds-hook.yaml
@@ -99,6 +99,10 @@ spec:
         resources:
           {{- toYaml .Values.crds.resources | nindent 10 }}
         securityContext:
+          {{- if .Values.enableRuntimeDefaultSeccompProfile }}
+          seccompProfile:
+            type: RuntimeDefault
+          {{- end }}
           {{- toYaml .Values.crds.securityContext | nindent 10 }}
       affinity:
         {{- toYaml .Values.upgradeCRDs.affinity | nindent 8 }}

diff --git a/cmd/build/helmify/static/templates/webhook-configs-pre-delete.yaml b/cmd/build/helmify/static/templates/webhook-configs-pre-delete.yaml
@@ -43,6 +43,10 @@ spec:
             - mutatingwebhookconfiguration/gatekeeper-mutating-webhook-configuration
             {{- end }}
           securityContext:
+            {{- if .Values.enableRuntimeDefaultSeccompProfile }}
+            seccompProfile:
+              type: RuntimeDefault
+            {{- end }}
             {{- toYaml .Values.preUninstall.securityContext | nindent 10 }}
 ---
 apiVersion: v1

diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml
@@ -38,6 +38,12 @@ postUpgrade:
       pullPolicy: IfNotPresent
       pullSecrets: []
     extraNamespaces: []
+    podSecurity: ["pod-security.kubernetes.io/audit=restricted",
+      "pod-security.kubernetes.io/audit-version=latest",
+      "pod-security.kubernetes.io/warn=restricted",
+      "pod-security.kubernetes.io/warn-version=latest",
+      "pod-security.kubernetes.io/enforce=restricted",
+      "pod-security.kubernetes.io/enforce-version=v1.24"]
   securityContext:
     allowPrivilegeEscalation: false
     capabilities:
@@ -57,6 +63,12 @@ postInstall:
       pullPolicy: IfNotPresent
       pullSecrets: []
     extraNamespaces: []
+    podSecurity: ["pod-security.kubernetes.io/audit=restricted",
+      "pod-security.kubernetes.io/audit-version=latest",
+      "pod-security.kubernetes.io/warn=restricted",
+      "pod-security.kubernetes.io/warn-version=latest",
+      "pod-security.kubernetes.io/enforce=restricted",
+      "pod-security.kubernetes.io/enforce-version=v1.24"]
   probeWebhook:
     enabled: true
     image:

diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -4,6 +4,12 @@ metadata:
   labels:
     control-plane: controller-manager
     admission.gatekeeper.sh/ignore: no-self-managing
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/warn-version: latest
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/audit-version: latest
+    pod-security.kubernetes.io/enforce: restricted
+    pod-security.kubernetes.io/enforce-version: v1.24
   name: system
 ---
 apiVersion: apps/v1
@@ -22,8 +28,6 @@ spec:
   replicas: 3
   template:
     metadata:
-      annotations:
-        container.seccomp.security.alpha.kubernetes.io/manager: runtime/default
       labels:
         control-plane: controller-manager
         gatekeeper.sh/operation: webhook
@@ -104,9 +108,11 @@ spec:
             runAsGroup: 999
             runAsNonRoot: true
             allowPrivilegeEscalation: false
+            seccompProfile:
+              type: RuntimeDefault
             capabilities:
               drop:
-                - all
+                - ALL
       terminationGracePeriodSeconds: 60
       nodeSelector:
         kubernetes.io/os: linux
@@ -131,8 +137,6 @@ spec:
       labels:
         control-plane: audit-controller
         gatekeeper.sh/operation: audit
-      annotations:
-        container.seccomp.security.alpha.kubernetes.io/manager: runtime/default
     spec:
       automountServiceAccountToken: true
       containers:
@@ -199,10 +203,12 @@ spec:
             allowPrivilegeEscalation: false
             capabilities:
               drop:
-                - all
+                - ALL
             runAsGroup: 999
             runAsNonRoot: true
             runAsUser: 1000
+            seccompProfile:
+              type: RuntimeDefault
       serviceAccountName: gatekeeper-admin
       terminationGracePeriodSeconds: 60
       nodeSelector:

diff --git a/config/pdb/pdb.yaml b/config/pdb/pdb.yaml
@@ -1,4 +1,4 @@
-apiVersion: policy/v1beta1
+apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
   name: controller-manager

diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
@@ -2,7 +2,6 @@ resources:
 - role.yaml
 - role_binding.yaml
 - service_account.yaml
-- podsecuritypolicy.yaml
 # - leader_election_role.yaml
 # - leader_election_role_binding.yaml
 # Comment the following 3 lines if you want to disable

diff --git a/manifest_staging/charts/gatekeeper/templates/namespace-post-install.yaml b/manifest_staging/charts/gatekeeper/templates/namespace-post-install.yaml
@@ -48,8 +48,15 @@ spec:
             - {{ . }}
             {{- end }}
             - admission.gatekeeper.sh/ignore=no-self-managing
+            {{- range .Values.postInstall.labelNamespace.podSecurity }}
+            - {{ . }}
+            {{- end }}
             - --overwrite
           securityContext:
+            {{- if .Values.enableRuntimeDefaultSeccompProfile }}
+            seccompProfile:
+              type: RuntimeDefault
+            {{- end }}
             {{- toYaml .Values.postInstall.securityContext | nindent 12 }}
 ---
 apiVersion: v1

diff --git a/manifest_staging/charts/gatekeeper/templates/namespace-post-upgrade.yaml b/manifest_staging/charts/gatekeeper/templates/namespace-post-upgrade.yaml
@@ -40,6 +40,9 @@ spec:
             - {{ . }}
             {{- end }}
             - admission.gatekeeper.sh/ignore=no-self-managing
+            {{- range .Values.postInstall.labelNamespace.podSecurity }}
+            - {{ . }}
+            {{- end }}
             - --overwrite
           securityContext:
             {{- toYaml .Values.postUpgrade.securityContext | nindent 12 }}

diff --git a/manifest_staging/charts/gatekeeper/templates/upgrade-crds-hook.yaml b/manifest_staging/charts/gatekeeper/templates/upgrade-crds-hook.yaml
@@ -99,6 +99,10 @@ spec:
         resources:
           {{- toYaml .Values.crds.resources | nindent 10 }}
         securityContext:
+          {{- if .Values.enableRuntimeDefaultSeccompProfile }}
+          seccompProfile:
+            type: RuntimeDefault
+          {{- end }}
           {{- toYaml .Values.crds.securityContext | nindent 10 }}
       affinity:
         {{- toYaml .Values.upgradeCRDs.affinity | nindent 8 }}

diff --git a/manifest_staging/charts/gatekeeper/templates/webhook-configs-pre-delete.yaml b/manifest_staging/charts/gatekeeper/templates/webhook-configs-pre-delete.yaml
@@ -43,6 +43,10 @@ spec:
             - mutatingwebhookconfiguration/gatekeeper-mutating-webhook-configuration
             {{- end }}
           securityContext:
+            {{- if .Values.enableRuntimeDefaultSeccompProfile }}
+            seccompProfile:
+              type: RuntimeDefault
+            {{- end }}
             {{- toYaml .Values.preUninstall.securityContext | nindent 10 }}
 ---
 apiVersion: v1

diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml
@@ -38,6 +38,12 @@ postUpgrade:
       pullPolicy: IfNotPresent
       pullSecrets: []
     extraNamespaces: []
+    podSecurity: ["pod-security.kubernetes.io/audit=restricted",
+      "pod-security.kubernetes.io/audit-version=latest",
+      "pod-security.kubernetes.io/warn=restricted",
+      "pod-security.kubernetes.io/warn-version=latest",
+      "pod-security.kubernetes.io/enforce=restricted",
+      "pod-security.kubernetes.io/enforce-version=v1.24"]
   securityContext:
     allowPrivilegeEscalation: false
     capabilities:
@@ -57,6 +63,12 @@ postInstall:
       pullPolicy: IfNotPresent
       pullSecrets: []
     extraNamespaces: []
+    podSecurity: ["pod-security.kubernetes.io/audit=restricted",
+      "pod-security.kubernetes.io/audit-version=latest",
+      "pod-security.kubernetes.io/warn=restricted",
+      "pod-security.kubernetes.io/warn-version=latest",
+      "pod-security.kubernetes.io/enforce=restricted",
+      "pod-security.kubernetes.io/enforce-version=v1.24"]
   probeWebhook:
     enabled: true
     image: