From c3c128352fb1655eae818401e8e9c7810c2109b1 Mon Sep 17 00:00:00 2001
From: zhengtianbao
Date: Wed, 22 Dec 2021 01:55:35 -0600
Subject: [PATCH] Remove registry-proxy (#8327)
---
 roles/download/defaults/main.yml | 11 ----
 roles/kubernetes-apps/registry/tasks/main.yml | 7 +--
 .../templates/registry-proxy-cr.yml.j2 | 15 -----
 .../templates/registry-proxy-crb.yml.j2 | 13 -----
 .../templates/registry-proxy-ds.yml.j2 | 36 ------------
 .../templates/registry-proxy-psp.yml.j2 | 56 -------------------
 .../templates/registry-proxy-sa.yml.j2 | 5 --
 7 files changed, 1 insertion(+), 142 deletions(-)
 delete mode 100644 roles/kubernetes-apps/registry/templates/registry-proxy-cr.yml.j2
 delete mode 100644 roles/kubernetes-apps/registry/templates/registry-proxy-crb.yml.j2
 delete mode 100644 roles/kubernetes-apps/registry/templates/registry-proxy-ds.yml.j2
 delete mode 100644 roles/kubernetes-apps/registry/templates/registry-proxy-psp.yml.j2
 delete mode 100644 roles/kubernetes-apps/registry/templates/registry-proxy-sa.yml.j2
diff --git a/roles/download/defaults/main.yml b/roles/download/defaults/main.yml
index 5cd1dddc6..7a1b21729 100644
--- a/roles/download/defaults/main.yml
+++ b/roles/download/defaults/main.yml
@@ -704,8 +704,6 @@ dnsautoscaler_image_tag: "{{ dnsautoscaler_version }}"
 registry_image_repo: "{{ docker_image_repo }}/library/registry"
 registry_image_tag: "2.7.1"
-registry_proxy_image_repo: "{{ kube_image_repo }}/kube-registry-proxy"
-registry_proxy_image_tag: "0.4"
 metrics_server_version: "v0.5.0"
 metrics_server_image_repo: "{{ kube_image_repo }}/metrics-server/metrics-server"
 metrics_server_image_tag: "{{ metrics_server_version }}"
@@ -1232,15 +1230,6 @@ downloads: groups: - kube_node - registry_proxy: - enabled: "{{ registry_enabled }}" - container: true - repo: "{{ registry_proxy_image_repo }}" - tag: "{{ registry_proxy_image_tag }}" - sha256: "{{ registry_proxy_digest_checksum|default(None) }}" - groups: - - kube_node - metrics_server: enabled: "{{ metrics_server_enabled }}" container: true diff --git a/roles/kubernetes-apps/registry/tasks/main.yml b/roles/kubernetes-apps/registry/tasks/main.yml index 3a5d68d70..d7c455292 100644 --- a/roles/kubernetes-apps/registry/tasks/main.yml +++ b/roles/kubernetes-apps/registry/tasks/main.yml 
@@ -38,23 +38,18 @@ registry_templates: - { name: registry-ns, file: registry-ns.yml, type: ns } - { name: registry-sa, file: registry-sa.yml, type: sa } - - { name: registry-proxy-sa, file: registry-proxy-sa.yml, type: sa } - { name: registry-svc, file: registry-svc.yml, type: svc } - { name: registry-secrets, file: registry-secrets.yml, type: secrets } - { name: registry-cm, file: registry-cm.yml, type: cm } - { name: registry-rs, file: registry-rs.yml, type: rs } - - { name: registry-proxy-ds, file: registry-proxy-ds.yml, type: ds } registry_templates_for_psp: - { name: registry-psp, file: registry-psp.yml, type: psp } - { name: registry-cr, file: registry-cr.yml, type: clusterrole } - { name: registry-crb, file: registry-crb.yml, type: rolebinding } - - { name: registry-proxy-psp, file: registry-proxy-psp.yml, type: psp } - - { name: registry-proxy-cr, file: registry-proxy-cr.yml, type: clusterrole } - - { name: registry-proxy-crb, file: registry-proxy-crb.yml, type: rolebinding } - name: Registry | Append extra templates to Registry Templates list for PodSecurityPolicy set_fact: - registry_templates: "{{ registry_templates[:3] + registry_templates_for_psp + registry_templates[3:] }}" + registry_templates: "{{ registry_templates[:2] + registry_templates_for_psp + registry_templates[2:] }}" when: - podsecuritypolicy_enabled - registry_namespace != "kube-system" diff --git a/roles/kubernetes-apps/registry/templates/registry-proxy-cr.yml.j2 b/roles/kubernetes-apps/registry/templates/registry-proxy-cr.yml.j2 deleted file mode 100644 index 9b715aa56..000000000 --- a/roles/kubernetes-apps/registry/templates/registry-proxy-cr.yml.j2 +++ /dev/null @@ -1,15 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: psp:registry-proxy - namespace: {{ registry_namespace }} -rules: - - apiGroups: - - policy - resourceNames: - - registry-proxy - resources: - - podsecuritypolicies - verbs: - - use 
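Review bot: Dropping the `registry-proxy-*` entries from `registry_templates` and `registry_templates_for_psp` stops the role from managing those objects, but the diffstat shows a single inserted line and no cleanup task, so clusters that already deployed the proxy presumably keep the DaemonSet with its `hostPort`, together with its ServiceAccount, PodSecurityPolicy (which allows `hostNetwork: true`), ClusterRole and RoleBinding, all now unmanaged. Consider a one-off task, or at least an upgrade note, that deletes these objects from `registry_namespace`. Separately, the slice in the `set_fact` task, `registry_templates[:2] + registry_templates_for_psp + registry_templates[2:]`, only stays correct while `registry-ns` and `registry-sa` are the first two list entries, which is why this commit had to change 3 to 2; a comment such as `# PSP objects are inserted right after registry-ns and registry-sa (first two entries)` above the task would keep a later list edit from silently moving them. The task file continues outside the hunk.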
diff --git a/roles/kubernetes-apps/registry/templates/registry-proxy-crb.yml.j2 b/roles/kubernetes-apps/registry/templates/registry-proxy-crb.yml.j2
deleted file mode 100644
index c73bbb423..000000000
--- a/roles/kubernetes-apps/registry/templates/registry-proxy-crb.yml.j2
+++ /dev/null
@@ -1,13 +0,0 @@
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: psp:registry-proxy
- namespace: {{ registry_namespace }}
-subjects:
- - kind: ServiceAccount
- name: registry-proxy
- namespace: {{ registry_namespace }}
-roleRef:
- kind: ClusterRole
- name: psp:registry-proxy
- apiGroup: rbac.authorization.k8s.io
diff --git a/roles/kubernetes-apps/registry/templates/registry-proxy-ds.yml.j2 b/roles/kubernetes-apps/registry/templates/registry-proxy-ds.yml.j2
deleted file mode 100644
index a6fd92ec3..000000000
--- a/roles/kubernetes-apps/registry/templates/registry-proxy-ds.yml.j2
+++ /dev/null
@@ -1,36 +0,0 @@
----
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- name: registry-proxy
- namespace: {{ registry_namespace }}
- labels:
- k8s-app: registry-proxy
- version: v{{ registry_proxy_image_tag }}
-spec:
- selector:
- matchLabels:
- k8s-app: registry-proxy
- version: v{{ registry_proxy_image_tag }}
- template:
- metadata:
- labels:
- k8s-app: registry-proxy
- kubernetes.io/name: "registry-proxy"
- version: v{{ registry_proxy_image_tag }}
- spec:
- priorityClassName: {% if registry_namespace == 'kube-system' %}system-node-critical{% else %}k8s-cluster-critical{% endif %}{{''}}
- serviceAccountName: registry-proxy
- containers:
- - name: registry-proxy
- image: {{ registry_proxy_image_repo }}:{{ registry_proxy_image_tag }}
- imagePullPolicy: {{ k8s_image_pull_policy }}
- env:
- - name: REGISTRY_HOST
- value: registry.{{ registry_namespace }}.svc.{{ dns_domain }}
- - name: REGISTRY_PORT
- value: "{{ registry_port }}"
- ports:
- - name: registry
- containerPort: 80
- hostPort: {{ registry_port }}
diff --git a/roles/kubernetes-apps/registry/templates/registry-proxy-psp.yml.j2 b/roles/kubernetes-apps/registry/templates/registry-proxy-psp.yml.j2
deleted file mode 100644
index 3a0233a2a..000000000
--- a/roles/kubernetes-apps/registry/templates/registry-proxy-psp.yml.j2
+++ /dev/null
@@ -1,56 +0,0 @@
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: registry-proxy
- annotations:
- seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
-{% if apparmor_enabled %}
- apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
- apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
-{% endif %}
- labels:
- addonmanager.kubernetes.io/mode: Reconcile
-spec:
- privileged: false
- allowPrivilegeEscalation: false
- requiredDropCapabilities:
- - SETPCAP
- - MKNOD
- - AUDIT_WRITE
- - NET_RAW
- - DAC_OVERRIDE
- - FOWNER
- - FSETID
- - KILL
- - SYS_CHROOT
- - SETFCAP
- volumes:
- - 'configMap'
- - 'emptyDir'
- - 'projected'
- - 'secret'
- - 'downwardAPI'
- - 'persistentVolumeClaim'
- hostNetwork: true
- hostPorts:
- - min: {{ registry_port }}
- max: {{ registry_port }}
- hostIPC: false
- hostPID: false
- runAsUser:
- rule: 'RunAsAny'
- seLinux:
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'MustRunAs'
- ranges:
- - min: 1
- max: 65535
- fsGroup:
- rule: 'MustRunAs'
- ranges:
- - min: 1
- max: 65535
- readOnlyRootFilesystem: false
diff --git a/roles/kubernetes-apps/registry/templates/registry-proxy-sa.yml.j2 b/roles/kubernetes-apps/registry/templates/registry-proxy-sa.yml.j2
deleted file mode 100644
index 418ee5fc4..000000000
--- a/roles/kubernetes-apps/registry/templates/registry-proxy-sa.yml.j2
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: registry-proxy
- namespace: {{ registry_namespace }}