From 94a7d48439077966743e7ffe2d10947e33e98df1 Mon Sep 17 00:00:00 2001
From: Gerald Pape
Date: Thu, 14 Nov 2024 11:24:10 +0100
Subject: [PATCH] Remove PSP (#309)
---
 CHANGELOG.md | 4 +++
 helm/coredns-app/templates/psp.yaml | 40 ----------------------------
 helm/coredns-app/templates/rbac.yaml | 9 -------
 helm/coredns-app/values.schema.json | 13 --------
 helm/coredns-app/values.yaml | 5 ----
 5 files changed, 4 insertions(+), 67 deletions(-)
 delete mode 100644 helm/coredns-app/templates/psp.yaml
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 941d15d0..9fd9bf87 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,10 @@ and this project's packages adheres to [Semantic Versioning](http://semver.org/s
 - Explicitly expose liveness and readiness probe ports in deployments.
+### Removed
+
+- Remove PodSecurityPolicy and associated Resources and values.
+
 ## [1.22.0] - 2024-09-10
 ### Changed
diff --git a/helm/coredns-app/templates/psp.yaml b/helm/coredns-app/templates/psp.yaml
deleted file mode 100644
index dd7e0282..00000000
--- a/helm/coredns-app/templates/psp.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-{{- if and (le (int .Capabilities.KubeVersion.Minor) 24) (not .Values.global.podSecurityStandards.enforced) }}
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: {{ .Values.name }}
- annotations:
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
- labels:
- {{- include "labels.common" . | nindent 4 }}
-spec:
- privileged: false
- allowPrivilegeEscalation: false
- # Add back CAP_NET_BIND_SERVICE so that coredns can run on port 53
- allowedCapabilities:
- - NET_BIND_SERVICE
- volumes:
- - 'configMap'
- - 'emptyDir'
- - 'projected'
- - 'secret'
- - 'downwardAPI'
- hostNetwork: false
- hostIPC: false
- hostPID: false
- runAsUser:
- rule: 'MustRunAsNonRoot'
- seLinux:
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'MustRunAs'
- ranges:
- - min: 1
- max: 65535
- fsGroup:
- rule: 'MustRunAs'
- ranges:
- - min: 1
- max: 65535
- readOnlyRootFilesystem: false
-{{- end }}
diff --git a/helm/coredns-app/templates/rbac.yaml b/helm/coredns-app/templates/rbac.yaml
index 2db26335..9f8af562 100644
--- a/helm/coredns-app/templates/rbac.yaml
+++ b/helm/coredns-app/templates/rbac.yaml
@@ -23,15 +23,6 @@ rules:
 verbs:
 - watch
 - list
-- apiGroups:
- - policy
- - extensions
- resources:
- - podsecuritypolicies
- verbs:
- - use
- resourceNames:
- - {{ .Values.name }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
diff --git a/helm/coredns-app/values.schema.json b/helm/coredns-app/values.schema.json
index c8b1072f..f716a472 100644
--- a/helm/coredns-app/values.schema.json
+++ b/helm/coredns-app/values.schema.json
@@ -53,19 +53,6 @@
 }
 }
 },
- "global": {
- "type": "object",
- "properties": {
- "podSecurityStandards": {
- "type": "object",
- "properties": {
- "enforced": {
- "type": "boolean"
- }
- }
- }
- }
- },
 "groupID": {
 "type": "integer"
 },
diff --git a/helm/coredns-app/values.yaml b/helm/coredns-app/values.yaml
index 058a94aa..750b92a6 100644
--- a/helm/coredns-app/values.yaml
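Review bot: Dropping the `use` grant on `podsecuritypolicies` together with the psp.yaml template leaves the chart with no admission-time guarantee for the CoreDNS pods, and the deleted template was still gated on `le (int .Capabilities.KubeVersion.Minor) 24`, so the chart apparently still targeted clusters where the PodSecurityPolicy admission plugin may be enabled; on such a cluster the pods will now be rejected unless some cluster-wide PSP admits them. If that version range is no longer supported, the chart's `kubeVersion` constraint (not in this diff) should be raised accordingly and the CHANGELOG entry should name the new minimum. The constraints the PSP carried — `allowPrivilegeEscalation: false`, `MustRunAsNonRoot`, the `runtime/default` seccomp profile, the restricted volume types and only `NET_BIND_SERVICE` added — now have to come from the Deployment's pod/container `securityContext` or from Pod Security Admission labels on the namespace; neither is visible here, so please confirm the deployment template already sets them. The ClusterRole this rule belonged to starts before the hunk.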
+++ b/helm/coredns-app/values.yaml
@@ -82,10 +82,5 @@ mastersInstance:
 nodeSelector:
 "node-role.kubernetes.io/control-plane": '""'
-
-global:
- podSecurityStandards:
- enforced: false
-
 # Uncomment and define `additionalLocalZones` to add additional local zones to CoreDNS config
 # additionalLocalZones: []