deploy: remove psp from cephcsi

as PSP is deprecated in kubernetes 1.21 and will be removed in kubernetes 1.25 removing the existing PSP related templates from the repo and updated the required documents. fixes #1988 Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2025-06-13 02:33:34 +00:00 · 2022-08-23 10:34:16 +05:30
parent 3d05ef0585
commit 96a3aabe5a
32 changed files with 37 additions and 987 deletions
--- a/charts/ceph-csi-rbd/templates/nodeplugin-psp.yaml
+++ b/charts/ceph-csi-rbd/templates/nodeplugin-psp.yaml
@ -1,53 +0,0 @@
-{{- if .Values.nodeplugin.podSecurityPolicy.enabled -}}
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }}
-  labels:
-    app: {{ include "ceph-csi-rbd.name" . }}
-    chart: {{ include "ceph-csi-rbd.chart" . }}
-    component: {{ .Values.nodeplugin.name }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
-spec:
-  allowPrivilegeEscalation: true
-  allowedCapabilities:
-    - 'SYS_ADMIN'
-  fsGroup:
-    rule: RunAsAny
-  privileged: true
-  hostNetwork: true
-  hostPorts:
-    - min: {{ .Values.nodeplugin.httpMetrics.containerPort }}
-      max: {{ .Values.nodeplugin.httpMetrics.containerPort }}
-  hostPID: true
-  runAsUser:
-    rule: RunAsAny
-  seLinux:
-    rule: RunAsAny
-  supplementalGroups:
-    rule: RunAsAny
-  volumes:
-    - 'configMap'
-    - 'emptyDir'
-    - 'projected'
-    - 'secret'
-    - 'hostPath'
-  allowedHostPaths:
-    - pathPrefix: '/dev'
-      readOnly: false
-    - pathPrefix: '/run/mount'
-      readOnly: false
-    - pathPrefix: '/sys'
-      readOnly: false
-{{- if .Values.selinuxMount }}
-    - pathPrefix: '/etc/selinux'
-      readOnly: true
-{{- end }}
-    - pathPrefix: '/lib/modules'
-      readOnly: true
-    - pathPrefix: '{{ .Values.cephLogDirHostPath }}'
-      readOnly: false
-    - pathPrefix: '{{ .Values.kubeletDir }}'
-      readOnly: false
-{{- end }}
--- a/charts/ceph-csi-rbd/templates/nodeplugin-role.yaml
+++ b/charts/ceph-csi-rbd/templates/nodeplugin-role.yaml
@ -1,18 +0,0 @@
-{{- if and .Values.rbac.create .Values.nodeplugin.podSecurityPolicy.enabled -}}
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }}
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app: {{ include "ceph-csi-rbd.name" . }}
-    chart: {{ include "ceph-csi-rbd.chart" . }}
-    component: {{ .Values.nodeplugin.name }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
-rules:
-  - apiGroups: ['policy']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: ['{{ include "ceph-csi-rbd.nodeplugin.fullname" . }}']
-{{- end -}}
--- a/charts/ceph-csi-rbd/templates/nodeplugin-rolebinding.yaml
+++ b/charts/ceph-csi-rbd/templates/nodeplugin-rolebinding.yaml
@ -1,21 +0,0 @@
-{{- if and .Values.rbac.create .Values.nodeplugin.podSecurityPolicy.enabled -}}
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }}
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app: {{ include "ceph-csi-rbd.name" . }}
-    chart: {{ include "ceph-csi-rbd.chart" . }}
-    component: {{ .Values.nodeplugin.name }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
-subjects:
-  - kind: ServiceAccount
-    name: {{ include "ceph-csi-rbd.serviceAccountName.nodeplugin" . }}
-    namespace: {{ .Release.Namespace }}
-roleRef:
-  kind: Role
-  name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }}
-  apiGroup: rbac.authorization.k8s.io
-{{- end -}}
--- a/charts/ceph-csi-rbd/templates/provisioner-psp.yaml
+++ b/charts/ceph-csi-rbd/templates/provisioner-psp.yaml
@ -1,34 +0,0 @@
-{{- if .Values.provisioner.podSecurityPolicy.enabled -}}
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: {{ include "ceph-csi-rbd.provisioner.fullname" . }}
-  labels:
-    app: {{ include "ceph-csi-rbd.name" . }}
-    chart: {{ include "ceph-csi-rbd.chart" . }}
-    component: {{ .Values.provisioner.name }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
-spec:
-  fsGroup:
-    rule: RunAsAny
-  runAsUser:
-    rule: RunAsAny
-  seLinux:
-    rule: RunAsAny
-  supplementalGroups:
-    rule: RunAsAny
-  volumes:
-    - 'configMap'
-    - 'emptyDir'
-    - 'projected'
-    - 'secret'
-    - 'hostPath'
-  allowedHostPaths:
-    - pathPrefix: '/dev'
-      readOnly: false
-    - pathPrefix: '/sys'
-      readOnly: false
-    - pathPrefix: '/lib/modules'
-      readOnly: true
-{{- end }}
--- a/charts/ceph-csi-rbd/templates/provisioner-role.yaml
+++ b/charts/ceph-csi-rbd/templates/provisioner-role.yaml
@ -17,10 +17,4 @@ rules:
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]
-{{- if .Values.provisioner.podSecurityPolicy.enabled }}
-  - apiGroups: ['policy']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: ['{{ include "ceph-csi-rbd.provisioner.fullname" . }}']
-{{- end -}}
 {{- end -}}
--- a/charts/ceph-csi-rbd/values.yaml
+++ b/charts/ceph-csi-rbd/values.yaml
@ -124,11 +124,6 @@ nodeplugin:

  affinity: {}

-  # If true, create & use Pod Security Policy resources
-  # https://kubernetes.io/docs/concepts/policy/pod-security-policy/
-  podSecurityPolicy:
-    enabled: false
-
 provisioner:
  name: provisioner
  replicaCount: 3
@ -247,11 +242,6 @@ provisioner:

  affinity: {}

-  # If true, create & use Pod Security Policy resources
-  # https://kubernetes.io/docs/concepts/policy/pod-security-policy/
-  podSecurityPolicy:
-    enabled: false
-
 topology:
  # Specifies whether topology based provisioning support should
  # be exposed by CSI