Skip to content

Commit

Permalink
Remove PodSecurityPolicy support and references (#10723)
Browse files Browse the repository at this point in the history 
This is removed from kubernetes since 1.25, time to cut some dead code.
  • Loading branch information
@VannTen
VannTen authored Dec 18, 2023
1 parent 7395c27 commit 471326f
Show file tree
Hide file tree
Showing 32 changed files with 4 additions and 619 deletions.
2 changes: 1 addition & 1 deletion docs/hardening.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -120,7 +120,7 @@ kube_pod_security_default_enforce: restricted
Let's take a deep look to the resultant **kubernetes** configuration:
* The `anonymous-auth` (on `kube-apiserver`) is set to `true` by default. This is fine, because it is considered safe if you enable `RBAC` for the `authorization-mode`.
* The `enable-admission-plugins` has not the `PodSecurityPolicy` admission plugin. This because it is going to be definitely removed from **kubernetes** `v1.25`. For this reason we decided to set the newest `PodSecurity` (for more details, please take a look here: <https://kubernetes.io/docs/concepts/security/pod-security-admission/>). Then, we set the `EventRateLimit` plugin, providing additional configuration files (that are automatically created under the hood and mounted inside the `kube-apiserver` container) to make it work.
* The `enable-admission-plugins` includes `PodSecurity` (for more details, please take a look here: <https://kubernetes.io/docs/concepts/security/pod-security-admission/>). Then, we set the `EventRateLimit` plugin, providing additional configuration files (that are automatically created under the hood and mounted inside the `kube-apiserver` container) to make it work.
* The `encryption-provider-config` provide encryption at rest. This means that the `kube-apiserver` encrypt data that is going to be stored before they reach `etcd`. So the data is completely unreadable from `etcd` (in case an attacker is able to exploit this).
* The `rotateCertificates` in `KubeletConfiguration` is set to `true` along with `serverTLSBootstrap`. This could be used in alternative to `tlsCertFile` and `tlsPrivateKeyFile` parameters. Additionally it automatically generates certificates by itself. By default the CSRs are approved automatically via [kubelet-csr-approver](https://github.com/postfinance/kubelet-csr-approver). You can customize approval configuration by modifying Helm values via `kubelet_csr_approver_values`.
See <https://kubernetes.io/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/> for more information on the subject.
Expand Down
2 changes: 0 additions & 2 deletions docs/vars.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -254,8 +254,6 @@ node_taints:
- "node.example.com/external=true:NoSchedule"
```

* *podsecuritypolicy_enabled* - When set to `true`, enables the PodSecurityPolicy admission controller and defines two policies `privileged` (applying to all resources in `kube-system` namespace and kubelet) and `restricted` (applying all other namespaces).
Addons deployed in kube-system namespaces are handled.
* *kubernetes_audit* - When set to `true`, enables Auditing.
The auditing parameters can be tuned via the following variables (which default values are shown below):
* `audit_log_path`: /var/log/audit/kube-apiserver-audit.log
Expand Down
9 changes: 0 additions & 9 deletions inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -243,15 +243,6 @@ kubernetes_audit: false
# kubelet_config_dir:
default_kubelet_config_dir: "{{ kube_config_dir }}/dynamic_kubelet_dir"

# pod security policy (RBAC must be enabled either by having 'RBAC' in authorization_modes or kubeadm enabled)
podsecuritypolicy_enabled: false

# Custom PodSecurityPolicySpec for restricted policy
# podsecuritypolicy_restricted_spec: {}

# Custom PodSecurityPolicySpec for privileged policy
# podsecuritypolicy_privileged_spec: {}

# Make a copy of kubeconfig on the host that runs Ansible in {{ inventory_dir }}/artifacts
# kubeconfig_localhost: false
# Use ansible_host as external api ip when copying over kubeconfig.
Expand Down
2 changes: 1 addition & 1 deletion roles/kubernetes-apps/ansible/defaults/main.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -81,7 +81,7 @@ netchecker_etcd_memory_limit: 256M
netchecker_etcd_cpu_requests: 100m
netchecker_etcd_memory_requests: 128M

# SecurityContext when PodSecurityPolicy is enabled
# SecurityContext (user/group)
netchecker_agent_user: 1000
netchecker_server_user: 1000
netchecker_agent_group: 1000
Expand Down
9 changes: 0 additions & 9 deletions roles/kubernetes-apps/ansible/tasks/netchecker.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -24,15 +24,6 @@
- {file: netchecker-server-clusterrolebinding.yml, type: clusterrolebinding, name: netchecker-server}
- {file: netchecker-server-deployment.yml, type: deployment, name: netchecker-server}
- {file: netchecker-server-svc.yml, type: svc, name: netchecker-service}
netchecker_templates_for_psp:
- {file: netchecker-agent-hostnet-psp.yml, type: podsecuritypolicy, name: netchecker-agent-hostnet-policy}
- {file: netchecker-agent-hostnet-clusterrole.yml, type: clusterrole, name: netchecker-agent}
- {file: netchecker-agent-hostnet-clusterrolebinding.yml, type: clusterrolebinding, name: netchecker-agent}

- name: Kubernetes Apps | Append extra templates to Netchecker Templates list for PodSecurityPolicy
set_fact:
netchecker_templates: "{{ netchecker_templates_for_psp + netchecker_templates }}"
when: podsecuritypolicy_enabled

- name: Kubernetes Apps | Lay Down Netchecker Template
template:
Expand Down
14 changes: 0 additions & 14 deletions roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-clusterrole.yml.j2
View file

This file was deleted.

13 changes: 0 additions & 13 deletions roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-clusterrolebinding.yml.j2
View file

This file was deleted.

44 changes: 0 additions & 44 deletions roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-psp.yml.j2
View file

This file was deleted.

65 changes: 0 additions & 65 deletions roles/kubernetes-apps/cluster_roles/defaults/main.yml
View file

This file was deleted.

52 changes: 1 addition & 51 deletions roles/kubernetes-apps/csi_driver/gcp_pd/templates/gcp-pd-csi-setup.yml.j2
View file
Original file line number Diff line number Diff line change
Expand Up @@ -162,56 +162,6 @@ roleRef:
name: csi-gce-pd-resizer-role
apiGroup: rbac.authorization.k8s.io
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: csi-gce-pd-controller-deploy
rules:
- apiGroups: ["policy"]
resources: ["podsecuritypolicies"]
verbs: ["use"]
resourceNames:
- csi-gce-pd-controller-psp
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: csi-gce-pd-controller-deploy
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: csi-gce-pd-controller-deploy
subjects:
- kind: ServiceAccount
name: csi-gce-pd-controller-sa
namespace: kube-system
---

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: csi-gce-pd-node-deploy
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- csi-gce-pd-node-psp
---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: csi-gce-pd-node
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: csi-gce-pd-node-deploy
subjects:
- kind: ServiceAccount
name: csi-gce-pd-node-sa
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
Expand Down Expand Up @@ -288,4 +238,4 @@ subjects:
roleRef:
kind: Role
name: csi-gce-pd-leaderelection-role
apiGroup: rbac.authorization.k8s.io
apiGroup: rbac.authorization.k8s.io
9 changes: 0 additions & 9 deletions roles/kubernetes-apps/external_provisioner/cephfs_provisioner/tasks/main.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -49,15 +49,6 @@
- { name: rolebinding-cephfs-provisioner, file: rolebinding-cephfs-provisioner.yml, type: rolebinding }
- { name: deploy-cephfs-provisioner, file: deploy-cephfs-provisioner.yml, type: deploy }
- { name: sc-cephfs-provisioner, file: sc-cephfs-provisioner.yml, type: sc }
cephfs_provisioner_templates_for_psp:
- { name: psp-cephfs-provisioner, file: psp-cephfs-provisioner.yml, type: psp }

- name: CephFS Provisioner | Append extra templates to CephFS Provisioner Templates list for PodSecurityPolicy
set_fact:
cephfs_provisioner_templates: "{{ cephfs_provisioner_templates_for_psp + cephfs_provisioner_templates }}"
when:
- podsecuritypolicy_enabled
- cephfs_provisioner_namespace != "kube-system"

- name: CephFS Provisioner | Create manifests
template:
Expand Down
4 changes: 0 additions & 4 deletions ...s/external_provisioner/cephfs_provisioner/templates/clusterrole-cephfs-provisioner.yml.j2
View file
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,3 @@ rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "create", "delete"]
- apiGroups: ["policy"]
resourceNames: ["cephfs-provisioner"]
resources: ["podsecuritypolicies"]
verbs: ["use"]
44 changes: 0 additions & 44 deletions ...etes-apps/external_provisioner/cephfs_provisioner/templates/psp-cephfs-provisioner.yml.j2
View file

This file was deleted.

9 changes: 0 additions & 9 deletions roles/kubernetes-apps/external_provisioner/rbd_provisioner/tasks/main.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -49,15 +49,6 @@
- { name: rolebinding-rbd-provisioner, file: rolebinding-rbd-provisioner.yml, type: rolebinding }
- { name: deploy-rbd-provisioner, file: deploy-rbd-provisioner.yml, type: deploy }
- { name: sc-rbd-provisioner, file: sc-rbd-provisioner.yml, type: sc }
rbd_provisioner_templates_for_psp:
- { name: psp-rbd-provisioner, file: psp-rbd-provisioner.yml, type: psp }

- name: RBD Provisioner | Append extra templates to RBD Provisioner Templates list for PodSecurityPolicy
set_fact:
rbd_provisioner_templates: "{{ rbd_provisioner_templates_for_psp + rbd_provisioner_templates }}"
when:
- podsecuritypolicy_enabled
- rbd_provisioner_namespace != "kube-system"

- name: RBD Provisioner | Create manifests
template:
Expand Down
4 changes: 0 additions & 4 deletions ...es-apps/external_provisioner/rbd_provisioner/templates/clusterrole-rbd-provisioner.yml.j2
View file
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,3 @@ rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "create", "delete"]
- apiGroups: ["policy"]
resourceNames: ["rbd-provisioner"]
resources: ["podsecuritypolicies"]
verbs: ["use"]
Loading

0 comments on commit 471326f

Please sign in to comment.