From 3da43654851ebea547155ec9daacc3eed4c06ab1 Mon Sep 17 00:00:00 2001
From: Krunal Hingu
Date: Fri, 17 May 2024 22:32:40 +0530
Subject: [PATCH] removal of podsecuritypolicy code
---
 authz/psp.go | 40 ----------------------------------------
 cluster/addons.go | 8 --------
 cluster/cluster.go | 8 --------
 cluster/defaults.go | 6 ------
 cluster/plan.go | 5 -----
 cluster/validation.go | 22 ----------------------
 cmd/config.go | 10 ----------
 k8s/psp.go | 32 --------------------------------
 templates/authz.go | 29 -----------------------------
 types/rke_types.go | 2 --
 10 files changed, 162 deletions(-)
 delete mode 100644 authz/psp.go
 delete mode 100644 k8s/psp.go
diff --git a/authz/psp.go b/authz/psp.go
deleted file mode 100644
index b27108836..000000000
--- a/authz/psp.go
+++ /dev/null
@@ -1,40 +0,0 @@
-package authz
-
-import (
- "context"
-
- "k8s.io/client-go/transport"
-
- "github.com/rancher/rke/k8s"
- "github.com/rancher/rke/log"
- "github.com/rancher/rke/templates"
-)
-
-func ApplyDefaultPodSecurityPolicy(ctx context.Context, kubeConfigPath string, k8sWrapTransport transport.WrapperFunc) error {
- log.Infof(ctx, "[authz] Applying default PodSecurityPolicy")
- k8sClient, err := k8s.NewClient(kubeConfigPath, k8sWrapTransport)
- if err != nil {
- return err
- }
- if err := k8s.UpdatePodSecurityPolicyFromYaml(k8sClient, templates.DefaultPodSecurityPolicy); err != nil {
- return err
- }
- log.Infof(ctx, "[authz] Default PodSecurityPolicy applied successfully")
- return nil
-}
-
-func ApplyDefaultPodSecurityPolicyRole(ctx context.Context, kubeConfigPath, namespace string, k8sWrapTransport transport.WrapperFunc) error {
- log.Infof(ctx, "[authz] Applying default PodSecurityPolicy Role and RoleBinding in %s", namespace)
- k8sClient, err := k8s.NewClient(kubeConfigPath, k8sWrapTransport)
- if err != nil {
- return err
- }
- if err := k8s.UpdateRoleFromYaml(k8sClient, templates.DefaultPodSecurityRole, namespace); err != nil {
- return err
- }
- if err := k8s.UpdateRoleBindingFromYaml(k8sClient, templates.DefaultPodSecurityRoleBinding, namespace); err != nil {
- return err
- }
- log.Infof(ctx, "[authz] Default PodSecurityPolicy Role and RoleBinding applied successfully")
- return nil
-}
diff --git a/cluster/addons.go b/cluster/addons.go
index c6bcf5ce8..d52934294 100644
--- a/cluster/addons.go
+++ b/cluster/addons.go
@@ -13,10 +13,8 @@ import (
 "time"
 "github.com/rancher/rke/addons"
- "github.com/rancher/rke/authz"
 "github.com/rancher/rke/k8s"
 "github.com/rancher/rke/log"
- "github.com/rancher/rke/services"
 "github.com/rancher/rke/templates"
 v3 "github.com/rancher/rke/types"
 "github.com/rancher/rke/types/kdm"
@@ -674,12 +672,6 @@ func (c *Cluster) deployIngress(ctx context.Context, data map[string]interface{}
 if err := c.doAddonDeploy(ctx, ingressYaml, IngressAddonResourceName, true); err != nil {
 return err
 }
- // ingress runs in it's own namespace, so it needs it's own role/rolebinding for PSP
- if c.Authorization.Mode == services.RBACAuthorizationMode && c.Services.KubeAPI.PodSecurityPolicy {
- if err := authz.ApplyDefaultPodSecurityPolicyRole(ctx, c.LocalKubeConfigPath, NginxIngressAddonAppName, c.K8sWrapTransport); err != nil {
- return fmt.Errorf("Failed to apply default PodSecurityPolicy ClusterRole and ClusterRoleBinding: %v", err)
- }
- }
 // After deployment of the new ingress controller based on the update strategy, remove the default backend as requested.
 if !ingressConfig.DefaultBackend {
diff --git a/cluster/cluster.go b/cluster/cluster.go
index 2c61155cc..66f79ae7a 100644
--- a/cluster/cluster.go
+++ b/cluster/cluster.go
@@ -939,14 +939,6 @@ func ApplyAuthzResources(ctx context.Context, rkeConfig v3.RancherKubernetesEngi
 return fmt.Errorf("Failed to apply the ClusterRole and Binding needed for node kubeapi proxy: %v", err)
 }
 }
- if kubeCluster.Authorization.Mode == services.RBACAuthorizationMode && kubeCluster.Services.KubeAPI.PodSecurityPolicy {
- if err := authz.ApplyDefaultPodSecurityPolicy(ctx, kubeCluster.LocalKubeConfigPath, kubeCluster.K8sWrapTransport); err != nil {
- return fmt.Errorf("Failed to apply default PodSecurityPolicy: %v", err)
- }
- if err := authz.ApplyDefaultPodSecurityPolicyRole(ctx, kubeCluster.LocalKubeConfigPath, SystemNamespace, kubeCluster.K8sWrapTransport); err != nil {
- return fmt.Errorf("Failed to apply default PodSecurityPolicy ClusterRole and ClusterRoleBinding: %v", err)
- }
- }
 return nil
 }
diff --git a/cluster/defaults.go b/cluster/defaults.go
index fd454e3bc..4085d97bd 100644
--- a/cluster/defaults.go
+++ b/cluster/defaults.go
@@ -12,9 +12,7 @@ import (
 "github.com/rancher/rke/cloudprovider/aws"
 "github.com/rancher/rke/docker"
 "github.com/rancher/rke/k8s"
- "github.com/rancher/rke/log"
 "github.com/rancher/rke/metadata"
- "github.com/rancher/rke/services"
 "github.com/rancher/rke/templates"
 v3 "github.com/rancher/rke/types"
 "github.com/rancher/rke/util"
@@ -255,10 +253,6 @@ func (c *Cluster) setClusterDefaults(ctx context.Context, flags ExternalFlags) e
 if len(c.Authorization.Mode) == 0 {
 c.Authorization.Mode = DefaultAuthorizationMode
 }
- if c.Services.KubeAPI.PodSecurityPolicy && c.Authorization.Mode != services.RBACAuthorizationMode {
- log.Warnf(ctx, "PodSecurityPolicy can't be enabled with RBAC support disabled")
- c.Services.KubeAPI.PodSecurityPolicy = false
- }
 if len(c.Ingress.Provider) == 0 {
 c.Ingress.Provider = DefaultIngressController
 }
diff --git a/cluster/plan.go b/cluster/plan.go
index 9d1846aaf..98621fcf2 100644
--- a/cluster/plan.go
+++ b/cluster/plan.go
@@ -254,11 +254,6 @@ func (c *Cluster) BuildKubeAPIProcess(host *hosts.Host, serviceOptions v3.Kubern
 }
 }
- if c.Services.KubeAPI.PodSecurityPolicy {
- CommandArgs["runtime-config"] = "policy/v1beta1/podsecuritypolicy=true"
- CommandArgs[admissionControlOptionName] = CommandArgs[admissionControlOptionName] + ",PodSecurityPolicy"
- }
-
 if c.Services.KubeAPI.AlwaysPullImages {
 CommandArgs[admissionControlOptionName] = CommandArgs[admissionControlOptionName] + ",AlwaysPullImages"
 }
diff --git a/cluster/validation.go b/cluster/validation.go
index 1cafa5173..339066c64 100644
--- a/cluster/validation.go
+++ b/cluster/validation.go
@@ -54,10 +54,6 @@ func (c *Cluster) ValidateCluster(ctx context.Context) error {
 return err
 }
- // validate enabling Pod Security Policy
- if err := validatePodSecurityPolicy(c); err != nil {
- return err
- }
 // validate enabling Pod Security
 if err := validatePodSecurity(c); err != nil {
 return err
@@ -682,24 +678,6 @@ func validateCRIDockerdOption(c *Cluster) error {
 return nil
 }
-func validatePodSecurityPolicy(c *Cluster) error {
- parsedVersion, err := getClusterVersion(c.Version)
- if err != nil {
- logrus.Warnf("Failed to parse semver range for validating Pod Security Policy")
- return err
- }
- logrus.Debugf("Checking PodSecurityPolicy for cluster version [%s]", c.Version)
- if c.Services.KubeAPI.PodSecurityPolicy {
- if c.Authorization.Mode != services.RBACAuthorizationMode {
- return errors.New("PodSecurityPolicy can't be enabled with RBAC support disabled")
- }
- if parsedRangeAtLeast125(parsedVersion) {
- return errors.New("PodSecurityPolicy has been removed and can not be enabled since k8s v1.25")
- }
- }
- return nil
-}
-
 func validatePodSecurity(c *Cluster) error {
 parsedVersion, err := getClusterVersion(c.Version)
 if err != nil {
diff --git a/cmd/config.go b/cmd/config.go
index 9489f6743..ef331e6df 100644
--- a/cmd/config.go
+++ b/cmd/config.go
@@ -330,16 +330,6 @@ func getServiceConfig(reader *bufio.Reader) (*v3.RKEConfigServices, error) {
 servicesConfig.KubeAPI.ServiceClusterIPRange = serviceClusterIPRange
 servicesConfig.KubeController.ServiceClusterIPRange = serviceClusterIPRange
- podSecurityPolicy, err := getConfig(reader, "Enable PodSecurityPolicy", "n")
- if err != nil {
- return nil, err
- }
- if podSecurityPolicy == "y" || podSecurityPolicy == "Y" {
- servicesConfig.KubeAPI.PodSecurityPolicy = true
- } else {
- servicesConfig.KubeAPI.PodSecurityPolicy = false
- }
-
 clusterNetworkCidr, err := getConfig(reader, "Cluster Network CIDR", cluster.DefaultClusterCIDR)
 if err != nil {
 return nil, err
diff --git a/k8s/psp.go b/k8s/psp.go
deleted file mode 100644
index 64afd6439..000000000
--- a/k8s/psp.go
+++ /dev/null
@@ -1,32 +0,0 @@
-package k8s
-
-import (
- "context"
-
- "k8s.io/api/policy/v1beta1"
- apierrors "k8s.io/apimachinery/pkg/api/errors"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/client-go/kubernetes"
-)
-
-func UpdatePodSecurityPolicyFromYaml(k8sClient *kubernetes.Clientset, pspYaml string) error {
- psp := v1beta1.PodSecurityPolicy{}
- if err := DecodeYamlResource(&psp, pspYaml); err != nil {
- return err
- }
- return retryTo(updatePodSecurityPolicy, k8sClient, psp, DefaultRetries, DefaultSleepSeconds)
-}
-
-func updatePodSecurityPolicy(k8sClient *kubernetes.Clientset, p interface{}) error {
- psp := p.(v1beta1.PodSecurityPolicy)
- if _, err := k8sClient.PolicyV1beta1().PodSecurityPolicies().Create(context.TODO(), &psp, metav1.CreateOptions{}); err != nil {
- if !apierrors.IsAlreadyExists(err) {
- return err
- }
- if _, err := k8sClient.PolicyV1beta1().PodSecurityPolicies().Update(context.TODO(), &psp, metav1.UpdateOptions{}); err != nil {
- return err
- }
- }
- return nil
-
-}
diff --git a/templates/authz.go b/templates/authz.go
index 51336340b..982b489b8 100644
--- a/templates/authz.go
+++ b/templates/authz.go
@@ -67,35 +67,6 @@ subjects:
 namespace: kube-system
 name: rke-job-deployer`
- DefaultPodSecurityPolicy = `
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: default-psp
- annotations:
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
-spec:
- privileged: true
- allowPrivilegeEscalation: true
- allowedCapabilities:
- - '*'
- volumes:
- - '*'
- hostNetwork: true
- hostPorts:
- - min: 0
- max: 65535
- hostIPC: true
- hostPID: true
- runAsUser:
- rule: 'RunAsAny'
- seLinux:
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'RunAsAny'
- fsGroup:
- rule: 'RunAsAny'`
-
 DefaultPodSecurityRole = `
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/types/rke_types.go b/types/rke_types.go
index 09819c98d..b623c44d9 100644
--- a/types/rke_types.go
+++ b/types/rke_types.go
@@ -293,8 +293,6 @@ type KubeAPIService struct {
 ServiceClusterIPRange string `yaml:"service_cluster_ip_range" json:"serviceClusterIpRange,omitempty"`
 // Port range for services defined with NodePort type
 ServiceNodePortRange string `yaml:"service_node_port_range" json:"serviceNodePortRange,omitempty" norman:"default=30000-32767"`
- // Enabled/Disable PodSecurityPolicy
- PodSecurityPolicy bool `yaml:"pod_security_policy" json:"podSecurityPolicy,omitempty"`
 // setting the default configuration for PodSecurityAdmission
 PodSecurityConfiguration string `yaml:"pod_security_configuration" json:"podSecurityConfiguration,omitempty"`
 // Enable/Disable AlwaysPullImages admissions plugin
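Review bot: Dropping the `PodSecurityPolicy` field from `KubeAPIService` leaves no handling for an existing cluster.yml that still sets `pod_security_policy: true`; the check that used to reject it, `validatePodSecurityPolicy` in cluster/validation.go, is deleted in the same commit, so unless the config decoder errors on unknown keys (not visible in this diff) the key is silently ignored and the kube-apiserver is planned without the admission plugin the operator asked for. A deprecation check in `ValidateCluster` that fails, or at least logs a warning, when the legacy key is present would make the upgrade explicit, and the message should point to `pod_security_configuration` (the PodSecurityAdmission setting that remains in the struct) as the replacement. The struct's enclosing definition continues outside the hunk.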