Mellanox · e0ne · Dec 5, 2023 · Sep 27, 2023
diff --git a/Makefile b/Makefile
@@ -245,9 +245,6 @@ deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in
 	$(KUSTOMIZE) build config/default | kubectl apply -f -
 	kubectl apply -f hack/crds/*
 
-deploy-with-psp: deploy ## Deploy controller to the K8s cluster specified in ~/.kube/config and apply privileged pod security policy
-	$(KUSTOMIZE) build config/psp | kubectl apply -f -
-
 undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config.
 	$(KUSTOMIZE) build config/default | kubectl delete -f -
 	$(KUSTOMIZE) build config/resources-namespace | kubectl delete -f -

diff --git a/README.md b/README.md
@@ -20,7 +20,6 @@
     - [IPoIBNetwork CRD](#ipoibnetwork-crd)
       - [IPoIBNetwork spec:](#ipoibnetwork-spec)
         - [Example for IPoIBNetwork resource:](#example-for-ipoibnetwork-resource)
-  - [Pod Security Policy](#pod-security-policy)
   - [System Requirements](#system-requirements)
   - [Tested Network Adapters](#tested-network-adapters)
   - [Compatibility Notes](#compatibility-notes)
@@ -414,9 +413,6 @@ spec:
 
 Can be found at: `example/crs/mellanox.com_v1alpha1_ipoibnetwork_cr.yaml`
 
-## Pod Security Policy
-NVIDIA Network Operator supports [Pod Security Policies](https://kubernetes.io/docs/concepts/policy/pod-security-policy/). When NicClusterPolicy is created with `psp.enabled=True`, privileged PSP is created and applied to all network-operator's pods. Requires [admission controller](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#how-do-i-turn-on-an-admission-control-plug-in) to be enabled.
-
 ## System Requirements
 * RDMA capable hardware: Mellanox ConnectX-5 NIC or newer.
 * NVIDIA GPU and driver supporting GPUDirect e.g Quadro RTX 6000/8000 or Tesla T4 or Tesla V100 or Tesla V100.

diff --git a/api/v1alpha1/nicclusterpolicy_types.go b/api/v1alpha1/nicclusterpolicy_types.go
@@ -180,14 +180,6 @@ type SecondaryNetworkSpec struct {
 	IpamPlugin *ImageSpec `json:"ipamPlugin,omitempty"`
 }
 
-// PSPSpec describes configuration for PodSecurityPolicies to apply for all Pods
-type PSPSpec struct {
-	// Enabled indicates if PodSecurityPolicies needs to be enabled for all Pods
-	// +optional
-	// +kubebuilder:default:=false
-	Enabled bool `json:"enabled,omitempty"`
-}
-
 // IBKubernetesSpec describes configuration options for ib-kubernetes
 type IBKubernetesSpec struct {
 	// Image information for ib-kubernetes
@@ -233,7 +225,6 @@ type NicClusterPolicySpec struct {
 	IBKubernetes           *IBKubernetesSpec        `json:"ibKubernetes,omitempty"`
 	SecondaryNetwork       *SecondaryNetworkSpec    `json:"secondaryNetwork,omitempty"`
 	NvIpam                 *NVIPAMSpec              `json:"nvIpam,omitempty"`
-	PSP                    *PSPSpec                 `json:"psp,omitempty"`
 	NicFeatureDiscovery    *NICFeatureDiscoverySpec `json:"nicFeatureDiscovery,omitempty"`
 }
 

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/bundle/manifests/mellanox.com_nicclusterpolicies.yaml b/bundle/manifests/mellanox.com_nicclusterpolicies.yaml
@@ -580,16 +580,6 @@ spec:
                 - repository
                 - version
                 type: object
-              psp:
-                description: PSPSpec describes configuration for PodSecurityPolicies
-                  to apply for all Pods
-                properties:
-                  enabled:
-                    default: false
-                    description: Enabled indicates if PodSecurityPolicies needs to
-                      be enabled for all Pods
-                    type: boolean
-                type: object
               rdmaSharedDevicePlugin:
                 description: DevicePluginSpec describes configuration options for
                   device plugin 1. Image information for device plugin 2. Device plugin

diff --git a/bundle/manifests/nvidia-network-operator.clusterserviceversion.yaml b/bundle/manifests/nvidia-network-operator.clusterserviceversion.yaml
@@ -445,18 +445,6 @@ spec:
           - get
           - patch
           - update
-        - apiGroups:
-          - policy
-          resources:
-          - podsecuritypolicies
-          verbs:
-          - create
-          - delete
-          - get
-          - list
-          - patch
-          - update
-          - watch
         - apiGroups:
           - rbac.authorization.k8s.io
           resources:

diff --git a/config/crd/bases/mellanox.com_nicclusterpolicies.yaml b/config/crd/bases/mellanox.com_nicclusterpolicies.yaml
@@ -581,16 +581,6 @@ spec:
                 - repository
                 - version
                 type: object
-              psp:
-                description: PSPSpec describes configuration for PodSecurityPolicies
-                  to apply for all Pods
-                properties:
-                  enabled:
-                    default: false
-                    description: Enabled indicates if PodSecurityPolicies needs to
-                      be enabled for all Pods
-                    type: boolean
-                type: object
               rdmaSharedDevicePlugin:
                 description: DevicePluginSpec describes configuration options for
                   device plugin 1. Image information for device plugin 2. Device plugin

diff --git a/config/psp/kustomization.yaml b/config/psp/kustomization.yaml
diff --git a/config/psp/manager_psp_role.yaml b/config/psp/manager_psp_role.yaml
diff --git a/config/psp/manager_psp_rolebinding.yaml b/config/psp/manager_psp_rolebinding.yaml
diff --git a/config/psp/pod_security_policy.yaml b/config/psp/pod_security_policy.yaml
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -316,18 +316,6 @@ rules:
   - get
   - patch
   - update
-- apiGroups:
-  - policy
-  resources:
-  - podsecuritypolicies
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:

diff --git a/controllers/nicclusterpolicy_controller.go b/controllers/nicclusterpolicy_controller.go
@@ -63,7 +63,6 @@ type NicClusterPolicyReconciler struct {
 // +kubebuilder:rbac:groups=mellanox.com,resources=nicclusterpolicies/finalizers,verbs=update
 // +kubebuilder:rbac:groups=security.openshift.io,resourceNames=privileged,resources=securitycontextconstraints,verbs=use
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles;clusterrolebindings;roles;rolebindings,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=policy,resources=podsecuritypolicies,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=events.k8s.io,resources=events,verbs=create;patch;update
 // +kubebuilder:rbac:groups="",resources=namespaces;serviceaccounts;pods;pods/status;services;services/finalizers;endpoints,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups="",resources=persistentvolumeclaims;events;configmaps;secrets,verbs=get;list;watch;create;update;patch;delete

diff --git a/deployment/network-operator/README.md b/deployment/network-operator/README.md
@@ -373,7 +373,6 @@ parameters.
 | `sriovNetworkOperator.enabled`                       | bool   | `False`                                  | deploy SR-IOV Network Operator                                                                                                                              |
 | `upgradeCRDs`                                        | bool   | `True`                                   | enable CRDs upgrade with helm pre-install and pre-upgrade hooks                                                                                             |
 | `sriovNetworkOperator.configDaemonNodeSelectorExtra` | object | `{"node-role.kubernetes.io/worker": ""}` | Additional nodeSelector for sriov-network-operator config daemon. These values will be added in addition to default values managed by the network-operator. |
-| `psp.enabled`                                        | bool   | `False`                                  | deploy Pod Security Policy                                                                                                                                  |
 | `imagePullSecrets`                                   | list   | `[]`                                     | An optional list of references to secrets to use for pulling any of the Network Operator image if it's not overrided                                        |
 | `operator.repository`                                | string | `nvcr.io/nvidia/cloud-native`            | Network Operator image repository                                                                                                                           |
 | `operator.image`                                     | string | `network-operator`                       | Network Operator image name                                                                                                                                 |

diff --git a/deployment/network-operator/crds/mellanox.com_nicclusterpolicies.yaml b/deployment/network-operator/crds/mellanox.com_nicclusterpolicies.yaml
@@ -581,16 +581,6 @@ spec:
                 - repository
                 - version
                 type: object
-              psp:
-                description: PSPSpec describes configuration for PodSecurityPolicies
-                  to apply for all Pods
-                properties:
-                  enabled:
-                    default: false
-                    description: Enabled indicates if PodSecurityPolicies needs to
-                      be enabled for all Pods
-                    type: boolean
-                type: object
               rdmaSharedDevicePlugin:
                 description: DevicePluginSpec describes configuration options for
                   device plugin 1. Image information for device plugin 2. Device plugin

diff --git a/deployment/network-operator/templates/mellanox.com_v1alpha1_nicclusterpolicy_cr.yaml b/deployment/network-operator/templates/mellanox.com_v1alpha1_nicclusterpolicy_cr.yaml
@@ -174,8 +174,6 @@ spec:
       imagePullSecrets: {{ include "network-operator.secondaryNetwork.ipamPlugin.imagePullSecrets" . }}
     {{- end }}
   {{- end }}
-  psp:
-    enabled: {{ .Values.psp.enabled }}
   {{- if .Values.nvIpam.deploy }}
   nvIpam:
     image: {{ .Values.nvIpam.image }}

diff --git a/deployment/network-operator/templates/podsecuritypolicy.yaml b/deployment/network-operator/templates/podsecuritypolicy.yaml
diff --git a/deployment/network-operator/templates/role.yaml b/deployment/network-operator/templates/role.yaml
@@ -330,18 +330,6 @@ rules:
   - get
   - patch
   - update
-- apiGroups:
-  - policy
-  resources:
-  - podsecuritypolicies
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:

diff --git a/deployment/network-operator/values.yaml b/deployment/network-operator/values.yaml
@@ -20,9 +20,6 @@ nfd:
   enabled: true
   deployNodeFeatureRules: true
 
-psp:
-  enabled: false
-
 upgradeCRDs: true
 
 sriovNetworkOperator:

diff --git a/hack/templates/values/values.template b/hack/templates/values/values.template
@@ -20,9 +20,6 @@ nfd:
   enabled: true
   deployNodeFeatureRules: true
 
-psp:
-  enabled: false
-
 upgradeCRDs: true
 
 sriovNetworkOperator:

diff --git a/manifests/state-pod-security-policy/0100_role.yaml b/manifests/state-pod-security-policy/0100_role.yaml
diff --git a/manifests/state-pod-security-policy/0200_role_binding.yaml b/manifests/state-pod-security-policy/0200_role_binding.yaml
diff --git a/pkg/state/factory.go b/pkg/state/factory.go
@@ -108,11 +108,6 @@ func newNicClusterPolicyStates(k8sAPIClient client.Client, scheme *runtime.Schem
 	if err != nil {
 		return nil, errors.Wrapf(err, "failed to create Whereabouts CNI State")
 	}
-	podSecurityPolicyState, err := NewStatePodSecurityPolicy(
-		k8sAPIClient, scheme, filepath.Join(manifestBaseDir, "state-pod-security-policy"))
-	if err != nil {
-		return nil, errors.Wrapf(err, "failed to create Pod Security Policy State")
-	}
 	ibKubernetesState, err := NewStateIBKubernetes(
 		k8sAPIClient, scheme, filepath.Join(manifestBaseDir, "state-ib-kubernetes"))
 	if err != nil {
@@ -130,7 +125,7 @@ func newNicClusterPolicyStates(k8sAPIClient client.Client, scheme *runtime.Schem
 	}
 
 	return []State{
-		podSecurityPolicyState, multusState, cniPluginsState, ipoibState, whereaboutState,
+		multusState, cniPluginsState, ipoibState, whereaboutState,
 		ofedState, sriovDpState, sharedDpState, ibKubernetesState, nvIpamCniState,
 		nicFeatureDiscoveryState}, nil
 }