removal of podsecuritypolicy code

rancher · May 17, 2024 · 3da4365 · 3da4365
1 parent 899a6ed
commit 3da4365
Show file tree

Hide file tree

Showing 10 changed files with 0 additions and 162 deletions.
diff --git a/authz/psp.go b/authz/psp.go
diff --git a/cluster/addons.go b/cluster/addons.go
@@ -13,10 +13,8 @@ import (
 	"time"
 
 	"github.com/rancher/rke/addons"
-	"github.com/rancher/rke/authz"
 	"github.com/rancher/rke/k8s"
 	"github.com/rancher/rke/log"
-	"github.com/rancher/rke/services"
 	"github.com/rancher/rke/templates"
 	v3 "github.com/rancher/rke/types"
 	"github.com/rancher/rke/types/kdm"
@@ -674,12 +672,6 @@ func (c *Cluster) deployIngress(ctx context.Context, data map[string]interface{}
 	if err := c.doAddonDeploy(ctx, ingressYaml, IngressAddonResourceName, true); err != nil {
 		return err
 	}
-	// ingress runs in it's own namespace, so it needs it's own role/rolebinding for PSP
-	if c.Authorization.Mode == services.RBACAuthorizationMode && c.Services.KubeAPI.PodSecurityPolicy {
-		if err := authz.ApplyDefaultPodSecurityPolicyRole(ctx, c.LocalKubeConfigPath, NginxIngressAddonAppName, c.K8sWrapTransport); err != nil {
-			return fmt.Errorf("Failed to apply default PodSecurityPolicy ClusterRole and ClusterRoleBinding: %v", err)
-		}
-	}
 
 	// After deployment of the new ingress controller based on the update strategy, remove the default backend as requested.
 	if !ingressConfig.DefaultBackend {

diff --git a/cluster/cluster.go b/cluster/cluster.go
@@ -939,14 +939,6 @@ func ApplyAuthzResources(ctx context.Context, rkeConfig v3.RancherKubernetesEngi
 			return fmt.Errorf("Failed to apply the ClusterRole and Binding needed for node kubeapi proxy: %v", err)
 		}
 	}
-	if kubeCluster.Authorization.Mode == services.RBACAuthorizationMode && kubeCluster.Services.KubeAPI.PodSecurityPolicy {
-		if err := authz.ApplyDefaultPodSecurityPolicy(ctx, kubeCluster.LocalKubeConfigPath, kubeCluster.K8sWrapTransport); err != nil {
-			return fmt.Errorf("Failed to apply default PodSecurityPolicy: %v", err)
-		}
-		if err := authz.ApplyDefaultPodSecurityPolicyRole(ctx, kubeCluster.LocalKubeConfigPath, SystemNamespace, kubeCluster.K8sWrapTransport); err != nil {
-			return fmt.Errorf("Failed to apply default PodSecurityPolicy ClusterRole and ClusterRoleBinding: %v", err)
-		}
-	}
 	return nil
 }
 

diff --git a/cluster/defaults.go b/cluster/defaults.go
@@ -12,9 +12,7 @@ import (
 	"github.com/rancher/rke/cloudprovider/aws"
 	"github.com/rancher/rke/docker"
 	"github.com/rancher/rke/k8s"
-	"github.com/rancher/rke/log"
 	"github.com/rancher/rke/metadata"
-	"github.com/rancher/rke/services"
 	"github.com/rancher/rke/templates"
 	v3 "github.com/rancher/rke/types"
 	"github.com/rancher/rke/util"
@@ -255,10 +253,6 @@ func (c *Cluster) setClusterDefaults(ctx context.Context, flags ExternalFlags) e
 	if len(c.Authorization.Mode) == 0 {
 		c.Authorization.Mode = DefaultAuthorizationMode
 	}
-	if c.Services.KubeAPI.PodSecurityPolicy && c.Authorization.Mode != services.RBACAuthorizationMode {
-		log.Warnf(ctx, "PodSecurityPolicy can't be enabled with RBAC support disabled")
-		c.Services.KubeAPI.PodSecurityPolicy = false
-	}
 	if len(c.Ingress.Provider) == 0 {
 		c.Ingress.Provider = DefaultIngressController
 	}

diff --git a/cluster/plan.go b/cluster/plan.go
@@ -254,11 +254,6 @@ func (c *Cluster) BuildKubeAPIProcess(host *hosts.Host, serviceOptions v3.Kubern
 		}
 	}
 
-	if c.Services.KubeAPI.PodSecurityPolicy {
-		CommandArgs["runtime-config"] = "policy/v1beta1/podsecuritypolicy=true"
-		CommandArgs[admissionControlOptionName] = CommandArgs[admissionControlOptionName] + ",PodSecurityPolicy"
-	}
-
 	if c.Services.KubeAPI.AlwaysPullImages {
 		CommandArgs[admissionControlOptionName] = CommandArgs[admissionControlOptionName] + ",AlwaysPullImages"
 	}

diff --git a/cluster/validation.go b/cluster/validation.go
@@ -54,10 +54,6 @@ func (c *Cluster) ValidateCluster(ctx context.Context) error {
 		return err
 	}
 
-	// validate enabling Pod Security Policy
-	if err := validatePodSecurityPolicy(c); err != nil {
-		return err
-	}
 	// validate enabling Pod Security
 	if err := validatePodSecurity(c); err != nil {
 		return err
@@ -682,24 +678,6 @@ func validateCRIDockerdOption(c *Cluster) error {
 	return nil
 }
 
-func validatePodSecurityPolicy(c *Cluster) error {
-	parsedVersion, err := getClusterVersion(c.Version)
-	if err != nil {
-		logrus.Warnf("Failed to parse semver range for validating Pod Security Policy")
-		return err
-	}
-	logrus.Debugf("Checking PodSecurityPolicy for cluster version [%s]", c.Version)
-	if c.Services.KubeAPI.PodSecurityPolicy {
-		if c.Authorization.Mode != services.RBACAuthorizationMode {
-			return errors.New("PodSecurityPolicy can't be enabled with RBAC support disabled")
-		}
-		if parsedRangeAtLeast125(parsedVersion) {
-			return errors.New("PodSecurityPolicy has been removed and can not be enabled since k8s v1.25")
-		}
-	}
-	return nil
-}
-
 func validatePodSecurity(c *Cluster) error {
 	parsedVersion, err := getClusterVersion(c.Version)
 	if err != nil {

diff --git a/cmd/config.go b/cmd/config.go
@@ -330,16 +330,6 @@ func getServiceConfig(reader *bufio.Reader) (*v3.RKEConfigServices, error) {
 	servicesConfig.KubeAPI.ServiceClusterIPRange = serviceClusterIPRange
 	servicesConfig.KubeController.ServiceClusterIPRange = serviceClusterIPRange
 
-	podSecurityPolicy, err := getConfig(reader, "Enable PodSecurityPolicy", "n")
-	if err != nil {
-		return nil, err
-	}
-	if podSecurityPolicy == "y" || podSecurityPolicy == "Y" {
-		servicesConfig.KubeAPI.PodSecurityPolicy = true
-	} else {
-		servicesConfig.KubeAPI.PodSecurityPolicy = false
-	}
-
 	clusterNetworkCidr, err := getConfig(reader, "Cluster Network CIDR", cluster.DefaultClusterCIDR)
 	if err != nil {
 		return nil, err

diff --git a/k8s/psp.go b/k8s/psp.go
diff --git a/templates/authz.go b/templates/authz.go
@@ -67,35 +67,6 @@ subjects:
   namespace: kube-system
   name: rke-job-deployer`
 
-	DefaultPodSecurityPolicy = `
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: default-psp
-  annotations:
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
-spec:
-  privileged: true
-  allowPrivilegeEscalation: true
-  allowedCapabilities:
-  - '*'
-  volumes:
-  - '*'
-  hostNetwork: true
-  hostPorts:
-  - min: 0
-    max: 65535
-  hostIPC: true
-  hostPID: true
-  runAsUser:
-    rule: 'RunAsAny'
-  seLinux:
-    rule: 'RunAsAny'
-  supplementalGroups:
-    rule: 'RunAsAny'
-  fsGroup:
-    rule: 'RunAsAny'`
-
 	DefaultPodSecurityRole = `
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1

diff --git a/types/rke_types.go b/types/rke_types.go
@@ -293,8 +293,6 @@ type KubeAPIService struct {
 	ServiceClusterIPRange string `yaml:"service_cluster_ip_range" json:"serviceClusterIpRange,omitempty"`
 	// Port range for services defined with NodePort type
 	ServiceNodePortRange string `yaml:"service_node_port_range" json:"serviceNodePortRange,omitempty" norman:"default=30000-32767"`
-	// Enabled/Disable PodSecurityPolicy
-	PodSecurityPolicy bool `yaml:"pod_security_policy" json:"podSecurityPolicy,omitempty"`
 	// setting the default configuration for PodSecurityAdmission
 	PodSecurityConfiguration string `yaml:"pod_security_configuration" json:"podSecurityConfiguration,omitempty"`
 	// Enable/Disable AlwaysPullImages admissions plugin