deploy: remove psp from cephcsi

as PSP is deprecated in kubernetes 1.21 and will be removed in kubernetes 1.25 removing the existing PSP related templates from the repo and updated the required documents. fixes #1988 Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2025-06-13 02:33:34 +00:00 · 2022-08-23 10:34:16 +05:30
parent 3d05ef0585
commit 96a3aabe5a
32 changed files with 37 additions and 987 deletions
--- a/deploy/nfs/kubernetes/csi-nodeplugin-psp.yaml
+++ b/deploy/nfs/kubernetes/csi-nodeplugin-psp.yaml
@ -1,77 +0,0 @@
---
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: nfs-csi-nodeplugin-psp
-spec:
-  allowPrivilegeEscalation: true
-  allowedCapabilities:
-    - 'SYS_ADMIN'
-  fsGroup:
-    rule: RunAsAny
-  privileged: true
-  hostNetwork: true
-  hostPID: true
-  runAsUser:
-    rule: RunAsAny
-  seLinux:
-    rule: RunAsAny
-  supplementalGroups:
-    rule: RunAsAny
-  volumes:
-    - 'configMap'
-    - 'emptyDir'
-    - 'projected'
-    - 'secret'
-    - 'hostPath'
-  allowedHostPaths:
-    - pathPrefix: '/dev'
-      readOnly: false
-    - pathPrefix: '/run/mount'
-      readOnly: false
-    - pathPrefix: '/sys'
-      readOnly: false
-    - pathPrefix: '/etc/selinux'
-      readOnly: true
-    - pathPrefix: '/lib/modules'
-      readOnly: true
-    - pathPrefix: '/var/lib/kubelet/pods'
-      readOnly: false
-    - pathPrefix: '/var/lib/kubelet/plugins/nfs.csi.ceph.com'
-      readOnly: false
-    - pathPrefix: '/var/lib/kubelet/plugins_registry'
-      readOnly: false
-    - pathPrefix: '/var/lib/kubelet/plugins'
-      readOnly: false
-  hostPorts:
-    - min: 29653
-      max: 29653
---
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: nfs-csi-nodeplugin-psp
-  # replace with non-default namespace name
-  namespace: default
-rules:
-  - apiGroups: ['policy']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: ['nfs-csi-nodeplugin-psp']
-
---
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: nfs-csi-nodeplugin-psp
-  # replace with non-default namespace name
-  namespace: default
-subjects:
-  - kind: ServiceAccount
-    name: nfs-csi-nodeplugin
-    # replace with non-default namespace name
-    namespace: default
-roleRef:
-  kind: Role
-  name: nfs-csi-nodeplugin-psp
-  apiGroup: rbac.authorization.k8s.io
--- a/deploy/nfs/kubernetes/csi-provisioner-psp.yaml
+++ b/deploy/nfs/kubernetes/csi-provisioner-psp.yaml
@ -1,55 +0,0 @@
---
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: nfs-csi-provisioner-psp
-spec:
-  fsGroup:
-    rule: RunAsAny
-  runAsUser:
-    rule: RunAsAny
-  seLinux:
-    rule: RunAsAny
-  supplementalGroups:
-    rule: RunAsAny
-  volumes:
-    - 'configMap'
-    - 'emptyDir'
-    - 'projected'
-    - 'secret'
-    - 'hostPath'
-  allowedHostPaths:
-    - pathPrefix: '/dev'
-      readOnly: false
-    - pathPrefix: '/sys'
-      readOnly: false
-    - pathPrefix: '/lib/modules'
-      readOnly: true
---
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: nfs-csi-provisioner-psp
-  # replace with non-default namespace name
-  namespace: default
-rules:
-  - apiGroups: ['policy']
-    resources: ['podsecuritypolicies']
-    verbs: ['use']
-    resourceNames: ['nfs-csi-provisioner-psp']
---
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: nfs-csi-provisioner-psp
-  # replace with non-default namespace name
-  namespace: default
-subjects:
-  - kind: ServiceAccount
-    name: nfs-csi-provisioner
-    # replace with non-default namespace name
-    namespace: default
-roleRef:
-  kind: Role
-  name: nfs-csi-provisioner-psp
-  apiGroup: rbac.authorization.k8s.io