Remove PodSecurityPolicy support and references (#10723)
Remove PodSecurityPolicy support and references (#10723)
This has been removed from Kubernetes since 1.25, so it is time to cut some dead code.
pull/10730/head
committed by
GitHub
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
32 changed files with 4 additions and 619 deletions
-
2docs/hardening.md
-
2docs/vars.md
-
9inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml
-
2roles/kubernetes-apps/ansible/defaults/main.yml
-
9roles/kubernetes-apps/ansible/tasks/netchecker.yml
-
14roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-clusterrole.yml.j2
-
13roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-clusterrolebinding.yml.j2
-
44roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-psp.yml.j2
-
65roles/kubernetes-apps/cluster_roles/defaults/main.yml
-
52roles/kubernetes-apps/csi_driver/gcp_pd/templates/gcp-pd-csi-setup.yml.j2
-
9roles/kubernetes-apps/external_provisioner/cephfs_provisioner/tasks/main.yml
-
4roles/kubernetes-apps/external_provisioner/cephfs_provisioner/templates/clusterrole-cephfs-provisioner.yml.j2
-
44roles/kubernetes-apps/external_provisioner/cephfs_provisioner/templates/psp-cephfs-provisioner.yml.j2
-
9roles/kubernetes-apps/external_provisioner/rbd_provisioner/tasks/main.yml
-
4roles/kubernetes-apps/external_provisioner/rbd_provisioner/templates/clusterrole-rbd-provisioner.yml.j2
-
44roles/kubernetes-apps/external_provisioner/rbd_provisioner/templates/psp-rbd-provisioner.yml.j2
-
15roles/kubernetes-apps/metallb/tasks/main.yml
-
16roles/kubernetes-apps/metallb/templates/metallb.yaml.j2
-
11roles/kubernetes-apps/registry/tasks/main.yml
-
15roles/kubernetes-apps/registry/templates/registry-cr.yml.j2
-
13roles/kubernetes-apps/registry/templates/registry-crb.yml.j2
-
44roles/kubernetes-apps/registry/templates/registry-psp.yml.j2
-
6roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
-
5roles/kubernetes/control-plane/tasks/main.yml
-
38roles/kubernetes/control-plane/tasks/psp-install.yml
-
32roles/kubernetes/control-plane/templates/psp-cr.yml.j2
-
54roles/kubernetes/control-plane/templates/psp-crb.yml.j2
-
27roles/kubernetes/control-plane/templates/psp.yml.j2
-
1roles/kubernetes/node/defaults/main.yml
-
1roles/kubespray-defaults/defaults/main/main.yml
-
8roles/network_plugin/calico/templates/calico-apiserver.yml.j2
-
11roles/network_plugin/calico/templates/calico-cr.yml.j2
@ -1,14 +0,0 @@ |
|||
kind: ClusterRole |
|||
apiVersion: rbac.authorization.k8s.io/v1 |
|||
metadata: |
|||
name: psp:netchecker-agent-hostnet |
|||
namespace: {{ netcheck_namespace }} |
|||
rules: |
|||
- apiGroups: |
|||
- policy |
|||
resourceNames: |
|||
- netchecker-agent-hostnet |
|||
resources: |
|||
- podsecuritypolicies |
|||
verbs: |
|||
- use |
@ -1,13 +0,0 @@ |
|||
kind: RoleBinding |
|||
apiVersion: rbac.authorization.k8s.io/v1 |
|||
metadata: |
|||
name: psp:netchecker-agent-hostnet |
|||
namespace: {{ netcheck_namespace }} |
|||
subjects: |
|||
- kind: ServiceAccount |
|||
name: netchecker-agent |
|||
namespace: {{ netcheck_namespace }} |
|||
roleRef: |
|||
kind: ClusterRole |
|||
name: psp:netchecker-agent-hostnet |
|||
apiGroup: rbac.authorization.k8s.io |
@ -1,44 +0,0 @@ |
|||
--- |
|||
apiVersion: policy/v1beta1 |
|||
kind: PodSecurityPolicy |
|||
metadata: |
|||
name: netchecker-agent-hostnet |
|||
annotations: |
|||
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' |
|||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default' |
|||
{% if apparmor_enabled %} |
|||
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' |
|||
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' |
|||
{% endif %} |
|||
labels: |
|||
addonmanager.kubernetes.io/mode: Reconcile |
|||
spec: |
|||
privileged: false |
|||
allowPrivilegeEscalation: false |
|||
requiredDropCapabilities: |
|||
- ALL |
|||
volumes: |
|||
- 'configMap' |
|||
- 'emptyDir' |
|||
- 'projected' |
|||
- 'secret' |
|||
- 'downwardAPI' |
|||
- 'persistentVolumeClaim' |
|||
hostNetwork: true |
|||
hostIPC: false |
|||
hostPID: false |
|||
runAsUser: |
|||
rule: 'MustRunAsNonRoot' |
|||
seLinux: |
|||
rule: 'RunAsAny' |
|||
supplementalGroups: |
|||
rule: 'MustRunAs' |
|||
ranges: |
|||
- min: 1 |
|||
max: 65535 |
|||
fsGroup: |
|||
rule: 'MustRunAs' |
|||
ranges: |
|||
- min: 1 |
|||
max: 65535 |
|||
readOnlyRootFilesystem: false |
@ -1,65 +0,0 @@ |
|||
--- |
|||
|
|||
podsecuritypolicy_restricted_spec: |
|||
privileged: false |
|||
allowPrivilegeEscalation: false |
|||
requiredDropCapabilities: |
|||
- ALL |
|||
volumes: |
|||
- 'configMap' |
|||
- 'emptyDir' |
|||
- 'projected' |
|||
- 'secret' |
|||
- 'downwardAPI' |
|||
- 'persistentVolumeClaim' |
|||
hostNetwork: false |
|||
hostIPC: false |
|||
hostPID: false |
|||
runAsUser: |
|||
rule: 'MustRunAsNonRoot' |
|||
seLinux: |
|||
rule: 'RunAsAny' |
|||
runAsGroup: |
|||
rule: 'MustRunAs' |
|||
ranges: |
|||
- min: 1 |
|||
max: 65535 |
|||
supplementalGroups: |
|||
rule: 'MustRunAs' |
|||
ranges: |
|||
- min: 1 |
|||
max: 65535 |
|||
fsGroup: |
|||
rule: 'MustRunAs' |
|||
ranges: |
|||
- min: 1 |
|||
max: 65535 |
|||
readOnlyRootFilesystem: false |
|||
|
|||
podsecuritypolicy_privileged_spec: |
|||
privileged: true |
|||
allowPrivilegeEscalation: true |
|||
allowedCapabilities: |
|||
- '*' |
|||
volumes: |
|||
- '*' |
|||
hostNetwork: true |
|||
hostPorts: |
|||
- min: 0 |
|||
max: 65535 |
|||
hostIPC: true |
|||
hostPID: true |
|||
runAsUser: |
|||
rule: 'RunAsAny' |
|||
seLinux: |
|||
rule: 'RunAsAny' |
|||
runAsGroup: |
|||
rule: 'RunAsAny' |
|||
supplementalGroups: |
|||
rule: 'RunAsAny' |
|||
fsGroup: |
|||
rule: 'RunAsAny' |
|||
readOnlyRootFilesystem: false |
|||
# This will fail if allowed-unsafe-sysctls is not set accordingly in kubelet flags |
|||
allowedUnsafeSysctls: |
|||
- '*' |
@ -1,44 +0,0 @@ |
|||
--- |
|||
apiVersion: policy/v1beta1 |
|||
kind: PodSecurityPolicy |
|||
metadata: |
|||
name: cephfs-provisioner |
|||
annotations: |
|||
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' |
|||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default' |
|||
{% if apparmor_enabled %} |
|||
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' |
|||
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' |
|||
{% endif %} |
|||
labels: |
|||
addonmanager.kubernetes.io/mode: Reconcile |
|||
spec: |
|||
privileged: false |
|||
allowPrivilegeEscalation: false |
|||
requiredDropCapabilities: |
|||
- ALL |
|||
volumes: |
|||
- 'configMap' |
|||
- 'emptyDir' |
|||
- 'projected' |
|||
- 'secret' |
|||
- 'downwardAPI' |
|||
- 'persistentVolumeClaim' |
|||
hostNetwork: false |
|||
hostIPC: false |
|||
hostPID: false |
|||
runAsUser: |
|||
rule: 'RunAsAny' |
|||
seLinux: |
|||
rule: 'RunAsAny' |
|||
supplementalGroups: |
|||
rule: 'MustRunAs' |
|||
ranges: |
|||
- min: 1 |
|||
max: 65535 |
|||
fsGroup: |
|||
rule: 'MustRunAs' |
|||
ranges: |
|||
- min: 1 |
|||
max: 65535 |
|||
readOnlyRootFilesystem: false |
@ -1,44 +0,0 @@ |
|||
--- |
|||
apiVersion: policy/v1beta1 |
|||
kind: PodSecurityPolicy |
|||
metadata: |
|||
name: rbd-provisioner |
|||
annotations: |
|||
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' |
|||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default' |
|||
{% if apparmor_enabled %} |
|||
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' |
|||
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' |
|||
{% endif %} |
|||
labels: |
|||
addonmanager.kubernetes.io/mode: Reconcile |
|||
spec: |
|||
privileged: false |
|||
allowPrivilegeEscalation: false |
|||
requiredDropCapabilities: |
|||
- ALL |
|||
volumes: |
|||
- 'configMap' |
|||
- 'emptyDir' |
|||
- 'projected' |
|||
- 'secret' |
|||
- 'downwardAPI' |
|||
- 'persistentVolumeClaim' |
|||
hostNetwork: false |
|||
hostIPC: false |
|||
hostPID: false |
|||
runAsUser: |
|||
rule: 'RunAsAny' |
|||
seLinux: |
|||
rule: 'RunAsAny' |
|||
supplementalGroups: |
|||
rule: 'MustRunAs' |
|||
ranges: |
|||
- min: 1 |
|||
max: 65535 |
|||
fsGroup: |
|||
rule: 'MustRunAs' |
|||
ranges: |
|||
- min: 1 |
|||
max: 65535 |
|||
readOnlyRootFilesystem: false |
@ -1,15 +0,0 @@ |
|||
--- |
|||
apiVersion: rbac.authorization.k8s.io/v1 |
|||
kind: ClusterRole |
|||
metadata: |
|||
name: psp:registry |
|||
namespace: {{ registry_namespace }} |
|||
rules: |
|||
- apiGroups: |
|||
- policy |
|||
resourceNames: |
|||
- registry |
|||
resources: |
|||
- podsecuritypolicies |
|||
verbs: |
|||
- use |
@ -1,13 +0,0 @@ |
|||
kind: RoleBinding |
|||
apiVersion: rbac.authorization.k8s.io/v1 |
|||
metadata: |
|||
name: psp:registry |
|||
namespace: {{ registry_namespace }} |
|||
subjects: |
|||
- kind: ServiceAccount |
|||
name: registry |
|||
namespace: {{ registry_namespace }} |
|||
roleRef: |
|||
kind: ClusterRole |
|||
name: psp:registry |
|||
apiGroup: rbac.authorization.k8s.io |
@ -1,44 +0,0 @@ |
|||
--- |
|||
apiVersion: policy/v1beta1 |
|||
kind: PodSecurityPolicy |
|||
metadata: |
|||
name: registry |
|||
annotations: |
|||
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' |
|||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default' |
|||
{% if apparmor_enabled %} |
|||
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' |
|||
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' |
|||
{% endif %} |
|||
labels: |
|||
addonmanager.kubernetes.io/mode: Reconcile |
|||
spec: |
|||
privileged: false |
|||
allowPrivilegeEscalation: false |
|||
requiredDropCapabilities: |
|||
- ALL |
|||
volumes: |
|||
- 'configMap' |
|||
- 'emptyDir' |
|||
- 'projected' |
|||
- 'secret' |
|||
- 'downwardAPI' |
|||
- 'persistentVolumeClaim' |
|||
hostNetwork: false |
|||
hostIPC: false |
|||
hostPID: false |
|||
runAsUser: |
|||
rule: 'RunAsAny' |
|||
seLinux: |
|||
rule: 'RunAsAny' |
|||
supplementalGroups: |
|||
rule: 'MustRunAs' |
|||
ranges: |
|||
- min: 1 |
|||
max: 65535 |
|||
fsGroup: |
|||
rule: 'MustRunAs' |
|||
ranges: |
|||
- min: 1 |
|||
max: 65535 |
|||
readOnlyRootFilesystem: false |
@ -1,38 +0,0 @@ |
|||
--- |
|||
- name: Check AppArmor status |
|||
command: which apparmor_parser |
|||
register: apparmor_status |
|||
failed_when: false |
|||
changed_when: apparmor_status.rc != 0 |
|||
|
|||
- name: Set apparmor_enabled |
|||
set_fact: |
|||
apparmor_enabled: "{{ apparmor_status.rc == 0 }}" |
|||
|
|||
- name: Render templates for PodSecurityPolicy |
|||
template: |
|||
src: "{{ item.file }}.j2" |
|||
dest: "{{ kube_config_dir }}/{{ item.file }}" |
|||
mode: 0640 |
|||
register: psp_manifests |
|||
with_items: |
|||
- {file: psp.yml, type: psp, name: psp} |
|||
- {file: psp-cr.yml, type: clusterrole, name: psp-cr} |
|||
- {file: psp-crb.yml, type: rolebinding, name: psp-crb} |
|||
|
|||
- name: Add policies, roles, bindings for PodSecurityPolicy |
|||
kube: |
|||
name: "{{ item.item.name }}" |
|||
kubectl: "{{ bin_dir }}/kubectl" |
|||
resource: "{{ item.item.type }}" |
|||
filename: "{{ kube_config_dir }}/{{ item.item.file }}" |
|||
state: "latest" |
|||
register: result |
|||
until: result is succeeded |
|||
retries: 10 |
|||
delay: 6 |
|||
with_items: "{{ psp_manifests.results }}" |
|||
environment: |
|||
KUBECONFIG: "{{ kube_config_dir }}/admin.conf" |
|||
loop_control: |
|||
label: "{{ item.item.file }}" |
@ -1,32 +0,0 @@ |
|||
--- |
|||
apiVersion: rbac.authorization.k8s.io/v1 |
|||
kind: ClusterRole |
|||
metadata: |
|||
name: psp:privileged |
|||
labels: |
|||
addonmanager.kubernetes.io/mode: Reconcile |
|||
rules: |
|||
- apiGroups: |
|||
- policy |
|||
resourceNames: |
|||
- privileged |
|||
resources: |
|||
- podsecuritypolicies |
|||
verbs: |
|||
- use |
|||
--- |
|||
apiVersion: rbac.authorization.k8s.io/v1 |
|||
kind: ClusterRole |
|||
metadata: |
|||
name: psp:restricted |
|||
labels: |
|||
addonmanager.kubernetes.io/mode: Reconcile |
|||
rules: |
|||
- apiGroups: |
|||
- policy |
|||
resourceNames: |
|||
- restricted |
|||
resources: |
|||
- podsecuritypolicies |
|||
verbs: |
|||
- use |
@ -1,54 +0,0 @@ |
|||
--- |
|||
apiVersion: rbac.authorization.k8s.io/v1 |
|||
kind: ClusterRoleBinding |
|||
metadata: |
|||
name: psp:any:restricted |
|||
roleRef: |
|||
apiGroup: rbac.authorization.k8s.io |
|||
kind: ClusterRole |
|||
name: psp:restricted |
|||
subjects: |
|||
- kind: Group |
|||
name: system:authenticated |
|||
apiGroup: rbac.authorization.k8s.io |
|||
--- |
|||
apiVersion: rbac.authorization.k8s.io/v1 |
|||
kind: RoleBinding |
|||
metadata: |
|||
name: psp:kube-system:privileged |
|||
namespace: kube-system |
|||
roleRef: |
|||
apiGroup: rbac.authorization.k8s.io |
|||
kind: ClusterRole |
|||
name: psp:privileged |
|||
subjects: |
|||
- kind: Group |
|||
name: system:masters |
|||
apiGroup: rbac.authorization.k8s.io |
|||
- kind: Group |
|||
name: system:serviceaccounts:kube-system |
|||
apiGroup: rbac.authorization.k8s.io |
|||
--- |
|||
apiVersion: rbac.authorization.k8s.io/v1 |
|||
kind: RoleBinding |
|||
metadata: |
|||
name: psp:nodes:privileged |
|||
namespace: kube-system |
|||
annotations: |
|||
kubernetes.io/description: 'Allow nodes to create privileged pods. Should |
|||
be used in combination with the NodeRestriction admission plugin to limit |
|||
nodes to mirror pods bound to themselves.' |
|||
labels: |
|||
addonmanager.kubernetes.io/mode: Reconcile |
|||
roleRef: |
|||
apiGroup: rbac.authorization.k8s.io |
|||
kind: ClusterRole |
|||
name: psp:privileged |
|||
subjects: |
|||
- kind: Group |
|||
apiGroup: rbac.authorization.k8s.io |
|||
name: system:nodes |
|||
- kind: User |
|||
apiGroup: rbac.authorization.k8s.io |
|||
# Legacy node ID |
|||
name: kubelet |
@ -1,27 +0,0 @@ |
|||
--- |
|||
apiVersion: policy/v1beta1 |
|||
kind: PodSecurityPolicy |
|||
metadata: |
|||
name: restricted |
|||
annotations: |
|||
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' |
|||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' |
|||
{% if apparmor_enabled %} |
|||
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' |
|||
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' |
|||
{% endif %} |
|||
labels: |
|||
addonmanager.kubernetes.io/mode: Reconcile |
|||
spec: |
|||
{{ podsecuritypolicy_restricted_spec | to_yaml(indent=2, width=1337) | indent(width=2) }} |
|||
--- |
|||
apiVersion: policy/v1beta1 |
|||
kind: PodSecurityPolicy |
|||
metadata: |
|||
name: privileged |
|||
annotations: |
|||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' |
|||
labels: |
|||
addonmanager.kubernetes.io/mode: Reconcile |
|||
spec: |
|||
{{ podsecuritypolicy_privileged_spec | to_yaml(indent=2, width=1337) | indent(width=2) }} |