From 471326f458aae1a6449b29e5f716904651f308c2 Mon Sep 17 00:00:00 2001 
From: Max Gautier Date: Mon, 18 Dec 2023 14:13:43 +0100 Subject: [PATCH] Remove PodSecurityPolicy support and references (#10723) This is removed from kubernetes since 1.25, time to cut some dead code. --- docs/hardening.md | 2 +- docs/vars.md | 2 - .../group_vars/k8s_cluster/k8s-cluster.yml | 9 --- .../kubernetes-apps/ansible/defaults/main.yml | 2 +- .../ansible/tasks/netchecker.yml | 9 --- ...etchecker-agent-hostnet-clusterrole.yml.j2 | 14 ---- ...er-agent-hostnet-clusterrolebinding.yml.j2 | 13 ---- .../netchecker-agent-hostnet-psp.yml.j2 | 44 ------------- .../cluster_roles/defaults/main.yml | 65 ------------------- .../gcp_pd/templates/gcp-pd-csi-setup.yml.j2 | 52 +-------------- .../cephfs_provisioner/tasks/main.yml | 9 --- .../clusterrole-cephfs-provisioner.yml.j2 | 4 -- .../templates/psp-cephfs-provisioner.yml.j2 | 44 ------------- .../rbd_provisioner/tasks/main.yml | 9 --- .../clusterrole-rbd-provisioner.yml.j2 | 4 -- .../templates/psp-rbd-provisioner.yml.j2 | 44 ------------- roles/kubernetes-apps/metallb/tasks/main.yml | 15 ----- .../metallb/templates/metallb.yaml.j2 | 16 ----- roles/kubernetes-apps/registry/tasks/main.yml | 11 ---- .../registry/templates/registry-cr.yml.j2 | 15 ----- .../registry/templates/registry-crb.yml.j2 | 13 ---- .../registry/templates/registry-psp.yml.j2 | 44 ------------- .../control-plane/tasks/kubeadm-setup.yml | 6 -- roles/kubernetes/control-plane/tasks/main.yml | 5 -- .../control-plane/tasks/psp-install.yml | 38 ----------- .../control-plane/templates/psp-cr.yml.j2 | 32 --------- .../control-plane/templates/psp-crb.yml.j2 | 54 --------------- .../control-plane/templates/psp.yml.j2 | 27 -------- roles/kubernetes/node/defaults/main.yml | 1 - .../kubespray-defaults/defaults/main/main.yml | 1 - .../calico/templates/calico-apiserver.yml.j2 | 8 --- .../calico/templates/calico-cr.yml.j2 | 11 +--- 32 files changed, 4 insertions(+), 619 deletions(-) delete mode 100644 
roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-clusterrole.yml.j2 delete mode 100644 roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-clusterrolebinding.yml.j2 delete mode 100644 roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-psp.yml.j2 delete mode 100644 roles/kubernetes-apps/cluster_roles/defaults/main.yml delete mode 100644 roles/kubernetes-apps/external_provisioner/cephfs_provisioner/templates/psp-cephfs-provisioner.yml.j2 delete mode 100644 roles/kubernetes-apps/external_provisioner/rbd_provisioner/templates/psp-rbd-provisioner.yml.j2 delete mode 100644 roles/kubernetes-apps/registry/templates/registry-cr.yml.j2 delete mode 100644 roles/kubernetes-apps/registry/templates/registry-crb.yml.j2 delete mode 100644 roles/kubernetes-apps/registry/templates/registry-psp.yml.j2 delete mode 100644 roles/kubernetes/control-plane/tasks/psp-install.yml delete mode 100644 roles/kubernetes/control-plane/templates/psp-cr.yml.j2 delete mode 100644 roles/kubernetes/control-plane/templates/psp-crb.yml.j2 delete mode 100644 roles/kubernetes/control-plane/templates/psp.yml.j2 diff --git a/docs/hardening.md b/docs/hardening.md index 77a010047..fe2f3a568 100644 --- a/docs/hardening.md +++ b/docs/hardening.md 
@@ -120,7 +120,7 @@ kube_pod_security_default_enforce: restricted Let's take a deep look to the resultant **kubernetes** configuration: * The `anonymous-auth` (on `kube-apiserver`) is set to `true` by default. This is fine, because it is considered safe if you enable `RBAC` for the `authorization-mode`. -* The `enable-admission-plugins` has not the `PodSecurityPolicy` admission plugin. This because it is going to be definitely removed from **kubernetes** `v1.25`. For this reason we decided to set the newest `PodSecurity` (for more details, please take a look here: ). Then, we set the `EventRateLimit` plugin, providing additional configuration files (that are automatically created under the hood and mounted inside the `kube-apiserver` container) to make it work. +* The `enable-admission-plugins` includes `PodSecurity` (for more details, please take a look here: ). Then, we set the `EventRateLimit` plugin, providing additional configuration files (that are automatically created under the hood and mounted inside the `kube-apiserver` container) to make it work. * The `encryption-provider-config` provide encryption at rest. This means that the `kube-apiserver` encrypt data that is going to be stored before they reach `etcd`. So the data is completely unreadable from `etcd` (in case an attacker is able to exploit this). * The `rotateCertificates` in `KubeletConfiguration` is set to `true` along with `serverTLSBootstrap`. This could be used in alternative to `tlsCertFile` and `tlsPrivateKeyFile` parameters. Additionally it automatically generates certificates by itself. By default the CSRs are approved automatically via [kubelet-csr-approver](https://github.com/postfinance/kubelet-csr-approver). You can customize approval configuration by modifying Helm values via `kubelet_csr_approver_values`. See for more information on the subject. diff --git a/docs/vars.md b/docs/vars.md index b3239da94..959260e31 100644 --- a/docs/vars.md +++ b/docs/vars.md 
@@ -254,8 +254,6 @@ node_taints: - "node.example.com/external=true:NoSchedule" ``` -* *podsecuritypolicy_enabled* - When set to `true`, enables the PodSecurityPolicy admission controller and defines two policies `privileged` (applying to all resources in `kube-system` namespace and kubelet) and `restricted` (applying all other namespaces). - Addons deployed in kube-system namespaces are handled. * *kubernetes_audit* - When set to `true`, enables Auditing. The auditing parameters can be tuned via the following variables (which default values are shown below): * `audit_log_path`: /var/log/audit/kube-apiserver-audit.log diff --git a/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml b/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml index b1c5093d3..bb2250a34 100644 --- a/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml +++ b/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml @@ -243,15 +243,6 @@ kubernetes_audit: false # kubelet_config_dir: default_kubelet_config_dir: "{{ kube_config_dir }}/dynamic_kubelet_dir" -# pod security policy (RBAC must be enabled either by having 'RBAC' in authorization_modes or kubeadm enabled) -podsecuritypolicy_enabled: false - -# Custom PodSecurityPolicySpec for restricted policy -# podsecuritypolicy_restricted_spec: {} - -# Custom PodSecurityPolicySpec for privileged policy -# podsecuritypolicy_privileged_spec: {} - # Make a copy of kubeconfig on the host that runs Ansible in {{ inventory_dir }}/artifacts # kubeconfig_localhost: false # Use ansible_host as external api ip when copying over kubeconfig. diff --git a/roles/kubernetes-apps/ansible/defaults/main.yml b/roles/kubernetes-apps/ansible/defaults/main.yml index fb26bd3eb..52444b087 100644 --- a/roles/kubernetes-apps/ansible/defaults/main.yml +++ b/roles/kubernetes-apps/ansible/defaults/main.yml 
@@ -81,7 +81,7 @@ netchecker_etcd_memory_limit: 256M netchecker_etcd_cpu_requests: 100m netchecker_etcd_memory_requests: 128M -# SecurityContext when PodSecurityPolicy is enabled +# SecurityContext (user/group) netchecker_agent_user: 1000 netchecker_server_user: 1000 netchecker_agent_group: 1000 diff --git a/roles/kubernetes-apps/ansible/tasks/netchecker.yml b/roles/kubernetes-apps/ansible/tasks/netchecker.yml index b83fd3382..0011e7fc8 100644 --- a/roles/kubernetes-apps/ansible/tasks/netchecker.yml +++ b/roles/kubernetes-apps/ansible/tasks/netchecker.yml @@ -24,15 +24,6 @@ - {file: netchecker-server-clusterrolebinding.yml, type: clusterrolebinding, name: netchecker-server} - {file: netchecker-server-deployment.yml, type: deployment, name: netchecker-server} - {file: netchecker-server-svc.yml, type: svc, name: netchecker-service} - netchecker_templates_for_psp: - - {file: netchecker-agent-hostnet-psp.yml, type: podsecuritypolicy, name: netchecker-agent-hostnet-policy} - - {file: netchecker-agent-hostnet-clusterrole.yml, type: clusterrole, name: netchecker-agent} - - {file: netchecker-agent-hostnet-clusterrolebinding.yml, type: clusterrolebinding, name: netchecker-agent} - -- name: Kubernetes Apps | Append extra templates to Netchecker Templates list for PodSecurityPolicy - set_fact: - netchecker_templates: "{{ netchecker_templates_for_psp + netchecker_templates }}" - when: podsecuritypolicy_enabled - name: Kubernetes Apps | Lay Down Netchecker Template template: diff --git a/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-clusterrole.yml.j2 b/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-clusterrole.yml.j2 deleted file mode 100644 index 0e2315063..000000000 --- a/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-clusterrole.yml.j2 +++ /dev/null 
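Review bot: The replacement comment `# SecurityContext (user/group)` in the ansible defaults hunk no longer says why the four `netchecker_*_user`/`netchecker_*_group` values matter, and the removed line was the only place that did. The deleted `netchecker-agent-hostnet` PodSecurityPolicy enforced `MustRunAsNonRoot` for these pods; with that gone, these defaults are presumably the only thing keeping netchecker running unprivileged unless PodSecurity admission is configured cluster-wide (the deployment templates that consume them are not in this diff). Suggest `# Pod securityContext (runAsUser/runAsGroup) for the netchecker pods; with PodSecurityPolicy removed nothing else enforces non-root here, so keep these non-zero.` and adjust if the templates enforce it another way.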
@@ -1,14 +0,0 @@
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: psp:netchecker-agent-hostnet
- namespace: {{ netcheck_namespace }}
-rules:
- - apiGroups:
- - policy
- resourceNames:
- - netchecker-agent-hostnet
- resources:
- - podsecuritypolicies
- verbs:
- - use
diff --git a/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-clusterrolebinding.yml.j2 b/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-clusterrolebinding.yml.j2
deleted file mode 100644
index cf4451513..000000000
--- a/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-clusterrolebinding.yml.j2
+++ /dev/null
@@ -1,13 +0,0 @@
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: psp:netchecker-agent-hostnet
- namespace: {{ netcheck_namespace }}
-subjects:
- - kind: ServiceAccount
- name: netchecker-agent
- namespace: {{ netcheck_namespace }}
-roleRef:
- kind: ClusterRole
- name: psp:netchecker-agent-hostnet
- apiGroup: rbac.authorization.k8s.io
diff --git a/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-psp.yml.j2 b/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-psp.yml.j2
deleted file mode 100644
index 21b397d12..000000000
--- a/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-psp.yml.j2
+++ /dev/null
@@ -1,44 +0,0 @@
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: netchecker-agent-hostnet
- annotations:
- seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
-{% if apparmor_enabled %}
- apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
- apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
-{% endif %}
- labels:
- addonmanager.kubernetes.io/mode: Reconcile
-spec:
- privileged: false
- allowPrivilegeEscalation: false
- requiredDropCapabilities:
- - ALL
- volumes:
- - 'configMap'
- - 'emptyDir'
- - 'projected'
- - 'secret'
- - 'downwardAPI'
- - 'persistentVolumeClaim'
- hostNetwork: true
- hostIPC: false
- hostPID: false
- runAsUser:
- rule: 'MustRunAsNonRoot'
- seLinux:
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'MustRunAs'
- ranges:
- - min: 1
- max: 65535
- fsGroup:
- rule: 'MustRunAs'
- ranges:
- - min: 1
- max: 65535
- readOnlyRootFilesystem: false
diff --git a/roles/kubernetes-apps/cluster_roles/defaults/main.yml b/roles/kubernetes-apps/cluster_roles/defaults/main.yml
deleted file mode 100644
index f26583da3..000000000
--- a/roles/kubernetes-apps/cluster_roles/defaults/main.yml
+++ /dev/null
@@ -1,65 +0,0 @@
----
-
-podsecuritypolicy_restricted_spec:
- privileged: false
- allowPrivilegeEscalation: false
- requiredDropCapabilities:
- - ALL
- volumes:
- - 'configMap'
- - 'emptyDir'
- - 'projected'
- - 'secret'
- - 'downwardAPI'
- - 'persistentVolumeClaim'
- hostNetwork: false
- hostIPC: false
- hostPID: false
- runAsUser:
- rule: 'MustRunAsNonRoot'
- seLinux:
- rule: 'RunAsAny'
- runAsGroup:
- rule: 'MustRunAs'
- ranges:
- - min: 1
- max: 65535
- supplementalGroups:
- rule: 'MustRunAs'
- ranges:
- - min: 1
- max: 65535
- fsGroup:
- rule: 'MustRunAs'
- ranges:
- - min: 1
- max: 65535
- readOnlyRootFilesystem: false
-
-podsecuritypolicy_privileged_spec:
- privileged: true
- allowPrivilegeEscalation: true
- allowedCapabilities:
- - '*'
- volumes:
- - '*'
- hostNetwork: true
- hostPorts:
- - min: 0
- max: 65535
- hostIPC: true
- hostPID: true
- runAsUser:
- rule: 'RunAsAny'
- seLinux:
- rule: 'RunAsAny'
- runAsGroup:
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'RunAsAny'
- fsGroup:
- rule: 'RunAsAny'
- readOnlyRootFilesystem: false
- # This will fail if allowed-unsafe-sysctls is not set accordingly in kubelet flags
- allowedUnsafeSysctls:
- - '*'
diff --git a/roles/kubernetes-apps/csi_driver/gcp_pd/templates/gcp-pd-csi-setup.yml.j2 b/roles/kubernetes-apps/csi_driver/gcp_pd/templates/gcp-pd-csi-setup.yml.j2
index 610baf33b..67ce7f621 100644
--- a/roles/kubernetes-apps/csi_driver/gcp_pd/templates/gcp-pd-csi-setup.yml.j2
+++ b/roles/kubernetes-apps/csi_driver/gcp_pd/templates/gcp-pd-csi-setup.yml.j2
@@ -162,56 +162,6 @@ roleRef: name: csi-gce-pd-resizer-role apiGroup: rbac.authorization.k8s.io --- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: csi-gce-pd-controller-deploy -rules: - - apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - verbs: ["use"] - resourceNames: - - csi-gce-pd-controller-psp ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: csi-gce-pd-controller-deploy -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: csi-gce-pd-controller-deploy -subjects: - - kind: ServiceAccount - name: csi-gce-pd-controller-sa - namespace: kube-system ---- - -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: csi-gce-pd-node-deploy -rules: - - apiGroups: ['policy'] - resources: ['podsecuritypolicies'] - verbs: ['use'] - resourceNames: - - csi-gce-pd-node-psp ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: csi-gce-pd-node -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: csi-gce-pd-node-deploy -subjects: -- kind: ServiceAccount - name: csi-gce-pd-node-sa - namespace: kube-system ---- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -288,4 +238,4 @@ subjects: roleRef: kind: Role name: csi-gce-pd-leaderelection-role - apiGroup: rbac.authorization.k8s.io \ No newline at end of file + apiGroup: rbac.authorization.k8s.io diff --git a/roles/kubernetes-apps/external_provisioner/cephfs_provisioner/tasks/main.yml b/roles/kubernetes-apps/external_provisioner/cephfs_provisioner/tasks/main.yml index 95a2f7586..86cba2d57 100644 --- a/roles/kubernetes-apps/external_provisioner/cephfs_provisioner/tasks/main.yml +++ b/roles/kubernetes-apps/external_provisioner/cephfs_provisioner/tasks/main.yml 
@@ -49,15 +49,6 @@ - { name: rolebinding-cephfs-provisioner, file: rolebinding-cephfs-provisioner.yml, type: rolebinding } - { name: deploy-cephfs-provisioner, file: deploy-cephfs-provisioner.yml, type: deploy } - { name: sc-cephfs-provisioner, file: sc-cephfs-provisioner.yml, type: sc } - cephfs_provisioner_templates_for_psp: - - { name: psp-cephfs-provisioner, file: psp-cephfs-provisioner.yml, type: psp } - -- name: CephFS Provisioner | Append extra templates to CephFS Provisioner Templates list for PodSecurityPolicy - set_fact: - cephfs_provisioner_templates: "{{ cephfs_provisioner_templates_for_psp + cephfs_provisioner_templates }}" - when: - - podsecuritypolicy_enabled - - cephfs_provisioner_namespace != "kube-system" - name: CephFS Provisioner | Create manifests template: diff --git a/roles/kubernetes-apps/external_provisioner/cephfs_provisioner/templates/clusterrole-cephfs-provisioner.yml.j2 b/roles/kubernetes-apps/external_provisioner/cephfs_provisioner/templates/clusterrole-cephfs-provisioner.yml.j2 index 4c92ea68e..c6a149086 100644 --- a/roles/kubernetes-apps/external_provisioner/cephfs_provisioner/templates/clusterrole-cephfs-provisioner.yml.j2 +++ b/roles/kubernetes-apps/external_provisioner/cephfs_provisioner/templates/clusterrole-cephfs-provisioner.yml.j2 @@ -20,7 +20,3 @@ rules: - apiGroups: [""] resources: ["secrets"] verbs: ["get", "create", "delete"] - - apiGroups: ["policy"] - resourceNames: ["cephfs-provisioner"] - resources: ["podsecuritypolicies"] - verbs: ["use"] diff --git a/roles/kubernetes-apps/external_provisioner/cephfs_provisioner/templates/psp-cephfs-provisioner.yml.j2 b/roles/kubernetes-apps/external_provisioner/cephfs_provisioner/templates/psp-cephfs-provisioner.yml.j2 deleted file mode 100644 index 76d146cbb..000000000 --- a/roles/kubernetes-apps/external_provisioner/cephfs_provisioner/templates/psp-cephfs-provisioner.yml.j2 +++ /dev/null 
@@ -1,44 +0,0 @@
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: cephfs-provisioner
- annotations:
- seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
-{% if apparmor_enabled %}
- apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
- apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
-{% endif %}
- labels:
- addonmanager.kubernetes.io/mode: Reconcile
-spec:
- privileged: false
- allowPrivilegeEscalation: false
- requiredDropCapabilities:
- - ALL
- volumes:
- - 'configMap'
- - 'emptyDir'
- - 'projected'
- - 'secret'
- - 'downwardAPI'
- - 'persistentVolumeClaim'
- hostNetwork: false
- hostIPC: false
- hostPID: false
- runAsUser:
- rule: 'RunAsAny'
- seLinux:
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'MustRunAs'
- ranges:
- - min: 1
- max: 65535
- fsGroup:
- rule: 'MustRunAs'
- ranges:
- - min: 1
- max: 65535
- readOnlyRootFilesystem: false
diff --git a/roles/kubernetes-apps/external_provisioner/rbd_provisioner/tasks/main.yml b/roles/kubernetes-apps/external_provisioner/rbd_provisioner/tasks/main.yml
index 1d08376b7..76445dae0 100644
--- a/roles/kubernetes-apps/external_provisioner/rbd_provisioner/tasks/main.yml
+++ b/roles/kubernetes-apps/external_provisioner/rbd_provisioner/tasks/main.yml
@@ -49,15 +49,6 @@ - { name: rolebinding-rbd-provisioner, file: rolebinding-rbd-provisioner.yml, type: rolebinding } - { name: deploy-rbd-provisioner, file: deploy-rbd-provisioner.yml, type: deploy } - { name: sc-rbd-provisioner, file: sc-rbd-provisioner.yml, type: sc } - rbd_provisioner_templates_for_psp: - - { name: psp-rbd-provisioner, file: psp-rbd-provisioner.yml, type: psp } - -- name: RBD Provisioner | Append extra templates to RBD Provisioner Templates list for PodSecurityPolicy - set_fact: - rbd_provisioner_templates: "{{ rbd_provisioner_templates_for_psp + rbd_provisioner_templates }}" - when: - - podsecuritypolicy_enabled - - rbd_provisioner_namespace != "kube-system" - name: RBD Provisioner | Create manifests template: diff --git a/roles/kubernetes-apps/external_provisioner/rbd_provisioner/templates/clusterrole-rbd-provisioner.yml.j2 b/roles/kubernetes-apps/external_provisioner/rbd_provisioner/templates/clusterrole-rbd-provisioner.yml.j2 index 8fc7e4b9d..9e319a348 100644 --- a/roles/kubernetes-apps/external_provisioner/rbd_provisioner/templates/clusterrole-rbd-provisioner.yml.j2 +++ b/roles/kubernetes-apps/external_provisioner/rbd_provisioner/templates/clusterrole-rbd-provisioner.yml.j2 @@ -24,7 +24,3 @@ rules: - apiGroups: [""] resources: ["secrets"] verbs: ["get", "create", "delete"] - - apiGroups: ["policy"] - resourceNames: ["rbd-provisioner"] - resources: ["podsecuritypolicies"] - verbs: ["use"] diff --git a/roles/kubernetes-apps/external_provisioner/rbd_provisioner/templates/psp-rbd-provisioner.yml.j2 b/roles/kubernetes-apps/external_provisioner/rbd_provisioner/templates/psp-rbd-provisioner.yml.j2 deleted file mode 100644 index c59effdba..000000000 --- a/roles/kubernetes-apps/external_provisioner/rbd_provisioner/templates/psp-rbd-provisioner.yml.j2 +++ /dev/null 
@@ -1,44 +0,0 @@ ---- -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: rbd-provisioner - annotations: - seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' - seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default' -{% if apparmor_enabled %} - apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' - apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' -{% endif %} - labels: - addonmanager.kubernetes.io/mode: Reconcile -spec: - privileged: false - allowPrivilegeEscalation: false - requiredDropCapabilities: - - ALL - volumes: - - 'configMap' - - 'emptyDir' - - 'projected' - - 'secret' - - 'downwardAPI' - - 'persistentVolumeClaim' - hostNetwork: false - hostIPC: false - hostPID: false - runAsUser: - rule: 'RunAsAny' - seLinux: - rule: 'RunAsAny' - supplementalGroups: - rule: 'MustRunAs' - ranges: - - min: 1 - max: 65535 - fsGroup: - rule: 'MustRunAs' - ranges: - - min: 1 - max: 65535 - readOnlyRootFilesystem: false diff --git a/roles/kubernetes-apps/metallb/tasks/main.yml b/roles/kubernetes-apps/metallb/tasks/main.yml index 298868394..eb554c5c2 100644 --- a/roles/kubernetes-apps/metallb/tasks/main.yml +++ b/roles/kubernetes-apps/metallb/tasks/main.yml @@ -11,21 +11,6 @@ when: - matallb_auto_assign is defined -- name: Kubernetes Apps | Check AppArmor status - command: which apparmor_parser - register: apparmor_status - when: - - podsecuritypolicy_enabled - - inventory_hostname == groups['kube_control_plane'][0] - failed_when: false - -- name: Kubernetes Apps | Set apparmor_enabled - set_fact: - apparmor_enabled: "{{ apparmor_status.rc == 0 }}" - when: - - podsecuritypolicy_enabled - - inventory_hostname == groups['kube_control_plane'][0] - - name: Kubernetes Apps | Lay Down MetalLB become: true template: diff --git a/roles/kubernetes-apps/metallb/templates/metallb.yaml.j2 b/roles/kubernetes-apps/metallb/templates/metallb.yaml.j2 index 608ad31cd..af18a100b 100644 
--- a/roles/kubernetes-apps/metallb/templates/metallb.yaml.j2 +++ b/roles/kubernetes-apps/metallb/templates/metallb.yaml.j2 @@ -1504,14 +1504,6 @@ rules: verbs: - create - patch -- apiGroups: - - policy - resourceNames: - - controller - resources: - - podsecuritypolicies - verbs: - - use - apiGroups: - admissionregistration.k8s.io resourceNames: @@ -1597,14 +1589,6 @@ rules: verbs: - create - patch -- apiGroups: - - policy - resourceNames: - - speaker - resources: - - podsecuritypolicies - verbs: - - use {% endif %} --- diff --git a/roles/kubernetes-apps/registry/tasks/main.yml b/roles/kubernetes-apps/registry/tasks/main.yml index 06f1f6a13..a915e0773 100644 --- a/roles/kubernetes-apps/registry/tasks/main.yml +++ b/roles/kubernetes-apps/registry/tasks/main.yml @@ -42,17 +42,6 @@ - { name: registry-secrets, file: registry-secrets.yml, type: secrets } - { name: registry-cm, file: registry-cm.yml, type: cm } - { name: registry-rs, file: registry-rs.yml, type: rs } - registry_templates_for_psp: - - { name: registry-psp, file: registry-psp.yml, type: psp } - - { name: registry-cr, file: registry-cr.yml, type: clusterrole } - - { name: registry-crb, file: registry-crb.yml, type: rolebinding } - -- name: Registry | Append extra templates to Registry Templates list for PodSecurityPolicy - set_fact: - registry_templates: "{{ registry_templates[:2] + registry_templates_for_psp + registry_templates[2:] }}" - when: - - podsecuritypolicy_enabled - - registry_namespace != "kube-system" - name: Registry | Append nginx ingress templates to Registry Templates list when ingress enabled set_fact: diff --git a/roles/kubernetes-apps/registry/templates/registry-cr.yml.j2 b/roles/kubernetes-apps/registry/templates/registry-cr.yml.j2 deleted file mode 100644 index 45f3fc49e..000000000 --- a/roles/kubernetes-apps/registry/templates/registry-cr.yml.j2 +++ /dev/null 
@@ -1,15 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: psp:registry
- namespace: {{ registry_namespace }}
-rules:
- - apiGroups:
- - policy
- resourceNames:
- - registry
- resources:
- - podsecuritypolicies
- verbs:
- - use
diff --git a/roles/kubernetes-apps/registry/templates/registry-crb.yml.j2 b/roles/kubernetes-apps/registry/templates/registry-crb.yml.j2
deleted file mode 100644
index 8589420f6..000000000
--- a/roles/kubernetes-apps/registry/templates/registry-crb.yml.j2
+++ /dev/null
@@ -1,13 +0,0 @@
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: psp:registry
- namespace: {{ registry_namespace }}
-subjects:
- - kind: ServiceAccount
- name: registry
- namespace: {{ registry_namespace }}
-roleRef:
- kind: ClusterRole
- name: psp:registry
- apiGroup: rbac.authorization.k8s.io
diff --git a/roles/kubernetes-apps/registry/templates/registry-psp.yml.j2 b/roles/kubernetes-apps/registry/templates/registry-psp.yml.j2
deleted file mode 100644
index b04d8c27a..000000000
--- a/roles/kubernetes-apps/registry/templates/registry-psp.yml.j2
+++ /dev/null
@@ -1,44 +0,0 @@ ---- -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: registry - annotations: - seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' - seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default' -{% if apparmor_enabled %} - apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' - apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' -{% endif %} - labels: - addonmanager.kubernetes.io/mode: Reconcile -spec: - privileged: false - allowPrivilegeEscalation: false - requiredDropCapabilities: - - ALL - volumes: - - 'configMap' - - 'emptyDir' - - 'projected' - - 'secret' - - 'downwardAPI' - - 'persistentVolumeClaim' - hostNetwork: false - hostIPC: false - hostPID: false - runAsUser: - rule: 'RunAsAny' - seLinux: - rule: 'RunAsAny' - supplementalGroups: - rule: 'MustRunAs' - ranges: - - min: 1 - max: 65535 - fsGroup: - rule: 'MustRunAs' - ranges: - - min: 1 - max: 65535 - readOnlyRootFilesystem: false diff --git a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml index dbc38ad81..dcad832ba 100644 --- a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml +++ b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml @@ -232,12 +232,6 @@ tags: - kubeadm_token -- name: PodSecurityPolicy | install PodSecurityPolicy - include_tasks: psp-install.yml - when: - - podsecuritypolicy_enabled - - inventory_hostname == first_kube_control_plane - - name: Kubeadm | Join other masters include_tasks: kubeadm-secondary.yml diff --git a/roles/kubernetes/control-plane/tasks/main.yml b/roles/kubernetes/control-plane/tasks/main.yml index 50eccbd07..37f36ab14 100644 --- a/roles/kubernetes/control-plane/tasks/main.yml +++ b/roles/kubernetes/control-plane/tasks/main.yml 
@@ -80,11 +80,6 @@ - upgrade ignore_errors: true # noqa ignore-errors -- name: Disable SecurityContextDeny admission-controller and enable PodSecurityPolicy - set_fact: - kube_apiserver_enable_admission_plugins: "{{ kube_apiserver_enable_admission_plugins | difference(['SecurityContextDeny']) | union(['PodSecurityPolicy']) | unique }}" - when: podsecuritypolicy_enabled - - name: Define nodes already joined to existing cluster and first_kube_control_plane import_tasks: define-first-kube-control.yml diff --git a/roles/kubernetes/control-plane/tasks/psp-install.yml b/roles/kubernetes/control-plane/tasks/psp-install.yml deleted file mode 100644 index 4a990f82a..000000000 --- a/roles/kubernetes/control-plane/tasks/psp-install.yml +++ /dev/null @@ -1,38 +0,0 @@ ---- -- name: Check AppArmor status - command: which apparmor_parser - register: apparmor_status - failed_when: false - changed_when: apparmor_status.rc != 0 - -- name: Set apparmor_enabled - set_fact: - apparmor_enabled: "{{ apparmor_status.rc == 0 }}" - -- name: Render templates for PodSecurityPolicy - template: - src: "{{ item.file }}.j2" - dest: "{{ kube_config_dir }}/{{ item.file }}" - mode: 0640 - register: psp_manifests - with_items: - - {file: psp.yml, type: psp, name: psp} - - {file: psp-cr.yml, type: clusterrole, name: psp-cr} - - {file: psp-crb.yml, type: rolebinding, name: psp-crb} - -- name: Add policies, roles, bindings for PodSecurityPolicy - kube: - name: "{{ item.item.name }}" - kubectl: "{{ bin_dir }}/kubectl" - resource: "{{ item.item.type }}" - filename: "{{ kube_config_dir }}/{{ item.item.file }}" - state: "latest" - register: result - until: result is succeeded - retries: 10 - delay: 6 - with_items: "{{ psp_manifests.results }}" - environment: - KUBECONFIG: "{{ kube_config_dir }}/admin.conf" - loop_control: - label: "{{ item.item.file }}" 
diff --git a/roles/kubernetes/control-plane/templates/psp-cr.yml.j2 b/roles/kubernetes/control-plane/templates/psp-cr.yml.j2
deleted file mode 100644
index d9f0e8d53..000000000
--- a/roles/kubernetes/control-plane/templates/psp-cr.yml.j2
+++ /dev/null
@@ -1,32 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: psp:privileged
- labels:
- addonmanager.kubernetes.io/mode: Reconcile
-rules:
-- apiGroups:
- - policy
- resourceNames:
- - privileged
- resources:
- - podsecuritypolicies
- verbs:
- - use
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: psp:restricted
- labels:
- addonmanager.kubernetes.io/mode: Reconcile
-rules:
-- apiGroups:
- - policy
- resourceNames:
- - restricted
- resources:
- - podsecuritypolicies
- verbs:
- - use
diff --git a/roles/kubernetes/control-plane/templates/psp-crb.yml.j2 b/roles/kubernetes/control-plane/templates/psp-crb.yml.j2
deleted file mode 100644
index 7513c3c5f..000000000
--- a/roles/kubernetes/control-plane/templates/psp-crb.yml.j2
+++ /dev/null
@@ -1,54 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: psp:any:restricted
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:restricted
-subjects:
-- kind: Group
- name: system:authenticated
- apiGroup: rbac.authorization.k8s.io
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: psp:kube-system:privileged
- namespace: kube-system
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:privileged
-subjects:
-- kind: Group
- name: system:masters
- apiGroup: rbac.authorization.k8s.io
-- kind: Group
- name: system:serviceaccounts:kube-system
- apiGroup: rbac.authorization.k8s.io
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: psp:nodes:privileged
- namespace: kube-system
- annotations:
- kubernetes.io/description: 'Allow nodes to create privileged pods. Should
- be used in combination with the NodeRestriction admission plugin to limit
- nodes to mirror pods bound to themselves.'
- labels:
- addonmanager.kubernetes.io/mode: Reconcile
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:privileged
-subjects:
- - kind: Group
- apiGroup: rbac.authorization.k8s.io
- name: system:nodes
- - kind: User
- apiGroup: rbac.authorization.k8s.io
- # Legacy node ID
- name: kubelet
diff --git a/roles/kubernetes/control-plane/templates/psp.yml.j2 b/roles/kubernetes/control-plane/templates/psp.yml.j2
deleted file mode 100644
index 5da540041..000000000
--- a/roles/kubernetes/control-plane/templates/psp.yml.j2
+++ /dev/null
@@ -1,27 +0,0 @@ ---- -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: restricted - annotations: - seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' - seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' -{% if apparmor_enabled %} - apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' - apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' -{% endif %} - labels: - addonmanager.kubernetes.io/mode: Reconcile -spec: - {{ podsecuritypolicy_restricted_spec | to_yaml(indent=2, width=1337) | indent(width=2) }} ---- -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: privileged - annotations: - seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' - labels: - addonmanager.kubernetes.io/mode: Reconcile -spec: - {{ podsecuritypolicy_privileged_spec | to_yaml(indent=2, width=1337) | indent(width=2) }} diff --git a/roles/kubernetes/node/defaults/main.yml b/roles/kubernetes/node/defaults/main.yml index b6642a066..cbe95835c 100644 --- a/roles/kubernetes/node/defaults/main.yml +++ b/roles/kubernetes/node/defaults/main.yml @@ -102,7 +102,6 @@ loadbalancer_apiserver_pod_name: "{% if loadbalancer_apiserver_type == 'nginx' % # - extensions/v1beta1/deployments=true # - extensions/v1beta1/replicasets=true # - extensions/v1beta1/networkpolicies=true -# - extensions/v1beta1/podsecuritypolicies=true # A port range to reserve for services with NodePort visibility. # Inclusive at both ends of the range. diff --git a/roles/kubespray-defaults/defaults/main/main.yml b/roles/kubespray-defaults/defaults/main/main.yml index a18505bcb..ddb290f91 100644 --- a/roles/kubespray-defaults/defaults/main/main.yml +++ b/roles/kubespray-defaults/defaults/main/main.yml 
@@ -608,7 +608,6 @@ etcd_events_peer_addresses: |- {{ hostvars[item].etcd_member_name | default("etcd" + loop.index | string) }}-events=https://{{ hostvars[item].etcd_events_access_address | default(hostvars[item].ip | default(fallback_ips[item])) }}:2382{% if not loop.last %},{% endif %} {%- endfor %} -podsecuritypolicy_enabled: false etcd_heartbeat_interval: "250" etcd_election_timeout: "5000" etcd_snapshot_count: "10000" diff --git a/roles/network_plugin/calico/templates/calico-apiserver.yml.j2 b/roles/network_plugin/calico/templates/calico-apiserver.yml.j2 index 783561945..49f5918b4 100644 --- a/roles/network_plugin/calico/templates/calico-apiserver.yml.j2 +++ b/roles/network_plugin/calico/templates/calico-apiserver.yml.j2 @@ -172,14 +172,6 @@ rules: - create - update - delete -- apiGroups: - - policy - resourceNames: - - calico-apiserver - resources: - - podsecuritypolicies - verbs: - - use --- diff --git a/roles/network_plugin/calico/templates/calico-cr.yml.j2 b/roles/network_plugin/calico/templates/calico-cr.yml.j2 index d00c9e9a7..ac0331f22 100644 --- a/roles/network_plugin/calico/templates/calico-cr.yml.j2 +++ b/roles/network_plugin/calico/templates/calico-cr.yml.j2 @@ -71,16 +71,7 @@ rules: verbs: # Needed for clearing NodeNetworkUnavailable flag. - patch -{% if calico_datastore == "etcd" %} - - apiGroups: - - policy - resourceNames: - - privileged - resources: - - podsecuritypolicies - verbs: - - use -{% elif calico_datastore == "kdd" %} +{% if calico_datastore == "kdd" %} # Calico stores some configuration information in node annotations. - update # Watch for changes to Kubernetes NetworkPolicies.