update local path provisioner version and remove psp (#10054)

* update local_path_provisioner_version * remove psp and update cm
2023-06-20 02:44:21 +08:00 · 2023-06-20 02:44:21 +08:00 · db696785d5
parent dfec133273
commit db696785d5
10 changed files with 40 additions and 146 deletions
--- a/README.md
+++ b/README.md
@ -192,7 +192,7 @@ Note: Upstart/SysV init based OS types are not supported.
  - [azure-csi-plugin](https://github.com/kubernetes-sigs/azuredisk-csi-driver) v1.10.0
  - [cinder-csi-plugin](https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/cinder-csi-plugin/using-cinder-csi-plugin.md) v1.22.0
  - [gcp-pd-csi-plugin](https://github.com/kubernetes-sigs/gcp-compute-persistent-disk-csi-driver) v1.9.2
-  - [local-path-provisioner](https://github.com/rancher/local-path-provisioner) v0.0.23
+  - [local-path-provisioner](https://github.com/rancher/local-path-provisioner) v0.0.24
  - [local-volume-provisioner](https://github.com/kubernetes-sigs/sig-storage-local-static-provisioner) v2.5.0
 ## Container Runtime Notes
--- a/inventory/sample/group_vars/k8s_cluster/addons.yml
+++ b/inventory/sample/group_vars/k8s_cluster/addons.yml
@ -29,7 +29,7 @@ local_path_provisioner_enabled: false
 # local_path_provisioner_claim_root: /opt/local-path-provisioner/
 # local_path_provisioner_debug: false
 # local_path_provisioner_image_repo: "rancher/local-path-provisioner"
-# local_path_provisioner_image_tag: "v0.0.23"
+# local_path_provisioner_image_tag: "v0.0.24"
 # local_path_provisioner_helper_image_repo: "busybox"
 # local_path_provisioner_helper_image_tag: "latest"
--- a/roles/download/defaults/main.yml
+++ b/roles/download/defaults/main.yml
@ -1097,7 +1097,7 @@ cephfs_provisioner_image_tag: "{{ cephfs_provisioner_version }}"
 rbd_provisioner_version: "v2.1.1-k8s1.11"
 rbd_provisioner_image_repo: "{{ quay_image_repo }}/external_storage/rbd-provisioner"
 rbd_provisioner_image_tag: "{{ rbd_provisioner_version }}"
-local_path_provisioner_version: "v0.0.23"
+local_path_provisioner_version: "v0.0.24"
 local_path_provisioner_image_repo: "{{ docker_image_repo }}/rancher/local-path-provisioner"
 local_path_provisioner_image_tag: "{{ local_path_provisioner_version }}"
 ingress_nginx_version: "v1.8.0"
--- a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/tasks/main.yml
+++ b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/tasks/main.yml
@ -25,17 +25,6 @@
      - { name: local-path-storage-cm, file: local-path-storage-cm.yml, type: cm }
      - { name: local-path-storage-deployment, file: local-path-storage-deployment.yml, type: deployment }
      - { name: local-path-storage-sc, file: local-path-storage-sc.yml, type: sc }
    local_path_provisioner_templates_for_psp_not_system_ns:
      - { name: local-path-storage-psp, file: local-path-storage-psp.yml, type: psp }
      - { name: local-path-storage-psp-role, file: local-path-storage-psp-cr.yml, type: clusterrole }
      - { name: local-path-storage-psp-rb, file: local-path-storage-psp-rb.yml, type: rolebinding }
 - name: Local Path Provisioner | Insert extra templates to Local Path Provisioner templates list for PodSecurityPolicy
  set_fact:
    local_path_provisioner_templates: "{{ local_path_provisioner_templates[:3] + local_path_provisioner_templates_for_psp_not_system_ns + local_path_provisioner_templates[3:] }}"
  when:
    - podsecuritypolicy_enabled
    - local_path_provisioner_namespace != "kube-system"
 - name: Local Path Provisioner | Create manifests
  template:
--- a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-cm.yml.j2
+++ b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-cm.yml.j2
@ -16,38 +16,12 @@ data:
    }
  setup: |-
    #!/bin/sh
-        while getopts "m:s:p:" opt
+    set -eu
-        do
+    mkdir -m 0777 -p "$VOL_DIR"
            case $opt in
                p)
                absolutePath=$OPTARG
                ;;
                s)
                sizeInBytes=$OPTARG
                ;;
                m)
                volMode=$OPTARG
                ;;
            esac
        done
        mkdir -m 0777 -p ${absolutePath}
  teardown: |-
    #!/bin/sh
-        while getopts "m:s:p:" opt
+    set -eu
-        do
+    rm -rf "$VOL_DIR"
            case $opt in
                p)
                absolutePath=$OPTARG
                ;;
                s)
                sizeInBytes=$OPTARG
                ;;
                m)
                volMode=$OPTARG
                ;;
            esac
        done
        rm -rf ${absolutePath}
  helperPod.yaml: |-
    apiVersion: v1
    kind: Pod
@ -57,3 +31,5 @@ data:
      containers:
      - name: helper-pod
        image: {% if local_path_provisioner_helper_image_repo is defined %}{{ local_path_provisioner_helper_image_repo }}:{{ local_path_provisioner_helper_image_tag }}{% else %}busybox{% endif %}
        imagePullPolicy: IfNotPresent
--- a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp-cr.yml.j2
+++ b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp-cr.yml.j2
@ -1,15 +0,0 @@
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: psp:local-path-provisioner
  namespace: {{ local_path_provisioner_namespace }}
 rules:
  - apiGroups:
    - policy
    resourceNames:
    - local-path-provisioner
    resources:
    - podsecuritypolicies
    verbs:
    - use
--- a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp-rb.yml.j2
+++ b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp-rb.yml.j2
@ -1,14 +0,0 @@
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: psp:local-path-provisioner
  namespace: {{ local_path_provisioner_namespace }}
 subjects:
  - kind: ServiceAccount
    name: local-path-provisioner-service-account
    namespace: {{ local_path_provisioner_namespace }}
 roleRef:
  kind: ClusterRole
  name: psp:local-path-provisioner
  apiGroup: rbac.authorization.k8s.io
--- a/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp.yml.j2
+++ b/roles/kubernetes-apps/external_provisioner/local_path_provisioner/templates/local-path-storage-psp.yml.j2
@ -1,43 +0,0 @@
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
  name: local-path-provisioner
  annotations:
    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'runtime/default'
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
 {% if apparmor_enabled %}
    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
 {% endif %}
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
 spec:
  privileged: true
  allowPrivilegeEscalation: true
  requiredDropCapabilities:
    - ALL
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'secret'
    - 'downwardAPI'
    - 'hostPath'
  allowedHostPaths:
    - pathPrefix: "{{ local_path_provisioner_claim_root }}"
      readOnly: false
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: 'RunAsAny'
  readOnlyRootFilesystem: false
--- a/tests/files/packet_almalinux8-calico.yml
+++ b/tests/files/packet_almalinux8-calico.yml
@ -9,6 +9,7 @@ metrics_server_enabled: true
 dashboard_namespace: "kube-dashboard"
 dashboard_enabled: true
 loadbalancer_apiserver_type: haproxy
 local_path_provisioner_enabled: true
 # NTP mangement
 ntp_enabled: true