diff --git a/charts/ceph-csi-cephfs/templates/nodeplugin-psp.yaml b/charts/ceph-csi-cephfs/templates/nodeplugin-psp.yaml
deleted file mode 100644
index 197a865c8..000000000
--- a/charts/ceph-csi-cephfs/templates/nodeplugin-psp.yaml
+++ /dev/null
@@ -1,51 +0,0 @@
-{{- if .Values.nodeplugin.podSecurityPolicy.enabled -}}
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
- labels:
- app: {{ include "ceph-csi-cephfs.fullname" . }}
- chart: {{ include "ceph-csi-cephfs.chart" . }}
- component: {{ .Values.nodeplugin.name }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-spec:
- allowPrivilegeEscalation: true
- allowedCapabilities:
- - 'SYS_ADMIN'
- fsGroup:
- rule: RunAsAny
- privileged: true
- hostNetwork: true
- hostPorts:
- - min: {{ .Values.nodeplugin.httpMetrics.containerPort }}
- max: {{ .Values.nodeplugin.httpMetrics.containerPort }}
- hostPID: true
- runAsUser:
- rule: RunAsAny
- seLinux:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- volumes:
- - 'configMap'
- - 'emptyDir'
- - 'projected'
- - 'secret'
- - 'hostPath'
- allowedHostPaths:
- - pathPrefix: '/dev'
- readOnly: false
- - pathPrefix: '/run/mount'
- readOnly: false
- - pathPrefix: '/sys'
- readOnly: false
-{{- if .Values.selinuxMount }}
- - pathPrefix: '/etc/selinux'
- readOnly: true
-{{- end }}
- - pathPrefix: '/lib/modules'
- readOnly: true
- - pathPrefix: '{{ .Values.kubeletDir }}'
- readOnly: false
-{{- end }}
diff --git a/charts/ceph-csi-cephfs/templates/nodeplugin-role.yaml b/charts/ceph-csi-cephfs/templates/nodeplugin-role.yaml
deleted file mode 100644
index 4b211d7fc..000000000
--- a/charts/ceph-csi-cephfs/templates/nodeplugin-role.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{- if and .Values.rbac.create .Values.nodeplugin.podSecurityPolicy.enabled -}}
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ include "ceph-csi-cephfs.fullname" . }}
- chart: {{ include "ceph-csi-cephfs.chart" . }}
- component: {{ .Values.nodeplugin.name }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-rules:
- - apiGroups: ['policy']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: ['{{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}']
-{{- end -}}
diff --git a/charts/ceph-csi-cephfs/templates/nodeplugin-rolebinding.yaml b/charts/ceph-csi-cephfs/templates/nodeplugin-rolebinding.yaml
deleted file mode 100644
index 19b3b6d8b..000000000
--- a/charts/ceph-csi-cephfs/templates/nodeplugin-rolebinding.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-{{- if and .Values.rbac.create .Values.nodeplugin.podSecurityPolicy.enabled -}}
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ include "ceph-csi-cephfs.fullname" . }}
- chart: {{ include "ceph-csi-cephfs.chart" . }}
- component: {{ .Values.nodeplugin.name }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-subjects:
- - kind: ServiceAccount
- name: {{ include "ceph-csi-cephfs.serviceAccountName.nodeplugin" . }}
- namespace: {{ .Release.Namespace }}
-roleRef:
- kind: Role
- name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
- apiGroup: rbac.authorization.k8s.io
-{{- end -}}
diff --git a/charts/ceph-csi-cephfs/templates/provisioner-psp.yaml b/charts/ceph-csi-cephfs/templates/provisioner-psp.yaml
deleted file mode 100644
index fceecd01d..000000000
--- a/charts/ceph-csi-cephfs/templates/provisioner-psp.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-{{- if .Values.provisioner.podSecurityPolicy.enabled -}}
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: {{ include "ceph-csi-cephfs.provisioner.fullname" . }}
- labels:
- app: {{ include "ceph-csi-cephfs.name" . }}
- chart: {{ include "ceph-csi-cephfs.chart" . }}
- component: {{ .Values.provisioner.name }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-spec:
- fsGroup:
- rule: RunAsAny
- runAsUser:
- rule: RunAsAny
- seLinux:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- volumes:
- - 'configMap'
- - 'emptyDir'
- - 'projected'
- - 'secret'
- - 'hostPath'
- allowedHostPaths:
- - pathPrefix: '/dev'
- readOnly: false
- - pathPrefix: '/sys'
- readOnly: false
- - pathPrefix: '/lib/modules'
- readOnly: true
-{{- end }}
diff --git a/charts/ceph-csi-cephfs/templates/provisioner-role.yaml b/charts/ceph-csi-cephfs/templates/provisioner-role.yaml
index 983bc60ee..d5cc57500 100644
--- a/charts/ceph-csi-cephfs/templates/provisioner-role.yaml
+++ b/charts/ceph-csi-cephfs/templates/provisioner-role.yaml
@@ -17,10 +17,4 @@ rules:
 - apiGroups: ["coordination.k8s.io"]
 resources: ["leases"]
 verbs: ["get", "watch", "list", "delete", "update", "create"]
-{{- if .Values.provisioner.podSecurityPolicy.enabled }}
- - apiGroups: ['policy']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: ['{{ include "ceph-csi-cephfs.provisioner.fullname" . }}']
-{{- end -}}
 {{- end -}}
diff --git a/charts/ceph-csi-cephfs/values.yaml b/charts/ceph-csi-cephfs/values.yaml
index 04e1b060e..2bf596a4f 100644
--- a/charts/ceph-csi-cephfs/values.yaml
+++ b/charts/ceph-csi-cephfs/values.yaml
@@ -110,11 +110,6 @@ nodeplugin:
 kernelmountoptions: ""
 fusemountoptions: ""
- # If true, create & use Pod Security Policy resources
- # https://kubernetes.io/docs/concepts/policy/pod-security-policy/
- podSecurityPolicy:
- enabled: false
-
 provisioner:
 name: provisioner
 replicaCount: 3
@@ -205,11 +200,6 @@ provisioner:
 affinity: {}
- # If true, create & use Pod Security Policy resources
- # https://kubernetes.io/docs/concepts/policy/pod-security-policy/
- podSecurityPolicy:
- enabled: false
-
 # Mount the host /etc/selinux inside pods to support
 # selinux-enabled filesystems
 selinuxMount: true
diff --git a/charts/ceph-csi-rbd/templates/nodeplugin-psp.yaml b/charts/ceph-csi-rbd/templates/nodeplugin-psp.yaml
deleted file mode 100644
index 5fc5c48d5..000000000
--- a/charts/ceph-csi-rbd/templates/nodeplugin-psp.yaml
+++ /dev/null
@@ -1,53 +0,0 @@
-{{- if .Values.nodeplugin.podSecurityPolicy.enabled -}}
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }}
- labels:
- app: {{ include "ceph-csi-rbd.name" . }}
- chart: {{ include "ceph-csi-rbd.chart" . }}
- component: {{ .Values.nodeplugin.name }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-spec:
- allowPrivilegeEscalation: true
- allowedCapabilities:
- - 'SYS_ADMIN'
- fsGroup:
- rule: RunAsAny
- privileged: true
- hostNetwork: true
- hostPorts:
- - min: {{ .Values.nodeplugin.httpMetrics.containerPort }}
- max: {{ .Values.nodeplugin.httpMetrics.containerPort }}
- hostPID: true
- runAsUser:
- rule: RunAsAny
- seLinux:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- volumes:
- - 'configMap'
- - 'emptyDir'
- - 'projected'
- - 'secret'
- - 'hostPath'
- allowedHostPaths:
- - pathPrefix: '/dev'
- readOnly: false
- - pathPrefix: '/run/mount'
- readOnly: false
- - pathPrefix: '/sys'
- readOnly: false
-{{- if .Values.selinuxMount }}
- - pathPrefix: '/etc/selinux'
- readOnly: true
-{{- end }}
- - pathPrefix: '/lib/modules'
- readOnly: true
- - pathPrefix: '{{ .Values.cephLogDirHostPath }}'
- readOnly: false
- - pathPrefix: '{{ .Values.kubeletDir }}'
- readOnly: false
-{{- end }}
diff --git a/charts/ceph-csi-rbd/templates/nodeplugin-role.yaml b/charts/ceph-csi-rbd/templates/nodeplugin-role.yaml
deleted file mode 100644
index d9d5a0e7b..000000000
--- a/charts/ceph-csi-rbd/templates/nodeplugin-role.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{- if and .Values.rbac.create .Values.nodeplugin.podSecurityPolicy.enabled -}}
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ include "ceph-csi-rbd.name" . }}
- chart: {{ include "ceph-csi-rbd.chart" . }}
- component: {{ .Values.nodeplugin.name }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-rules:
- - apiGroups: ['policy']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: ['{{ include "ceph-csi-rbd.nodeplugin.fullname" . }}']
-{{- end -}}
diff --git a/charts/ceph-csi-rbd/templates/nodeplugin-rolebinding.yaml b/charts/ceph-csi-rbd/templates/nodeplugin-rolebinding.yaml
deleted file mode 100644
index f4cce98af..000000000
--- a/charts/ceph-csi-rbd/templates/nodeplugin-rolebinding.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-{{- if and .Values.rbac.create .Values.nodeplugin.podSecurityPolicy.enabled -}}
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ include "ceph-csi-rbd.name" . }}
- chart: {{ include "ceph-csi-rbd.chart" . }}
- component: {{ .Values.nodeplugin.name }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-subjects:
- - kind: ServiceAccount
- name: {{ include "ceph-csi-rbd.serviceAccountName.nodeplugin" . }}
- namespace: {{ .Release.Namespace }}
-roleRef:
- kind: Role
- name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }}
- apiGroup: rbac.authorization.k8s.io
-{{- end -}}
diff --git a/charts/ceph-csi-rbd/templates/provisioner-psp.yaml b/charts/ceph-csi-rbd/templates/provisioner-psp.yaml
deleted file mode 100644
index 111226e14..000000000
--- a/charts/ceph-csi-rbd/templates/provisioner-psp.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-{{- if .Values.provisioner.podSecurityPolicy.enabled -}}
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: {{ include "ceph-csi-rbd.provisioner.fullname" . }}
- labels:
- app: {{ include "ceph-csi-rbd.name" . }}
- chart: {{ include "ceph-csi-rbd.chart" . }}
- component: {{ .Values.provisioner.name }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-spec:
- fsGroup:
- rule: RunAsAny
- runAsUser:
- rule: RunAsAny
- seLinux:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- volumes:
- - 'configMap'
- - 'emptyDir'
- - 'projected'
- - 'secret'
- - 'hostPath'
- allowedHostPaths:
- - pathPrefix: '/dev'
- readOnly: false
- - pathPrefix: '/sys'
- readOnly: false
- - pathPrefix: '/lib/modules'
- readOnly: true
-{{- end }}
diff --git a/charts/ceph-csi-rbd/templates/provisioner-role.yaml b/charts/ceph-csi-rbd/templates/provisioner-role.yaml
index ae16fde62..3a235a36d 100644
--- a/charts/ceph-csi-rbd/templates/provisioner-role.yaml
+++ b/charts/ceph-csi-rbd/templates/provisioner-role.yaml
@@ -17,10 +17,4 @@ rules:
 - apiGroups: ["coordination.k8s.io"]
 resources: ["leases"]
 verbs: ["get", "watch", "list", "delete", "update", "create"]
-{{- if .Values.provisioner.podSecurityPolicy.enabled }}
- - apiGroups: ['policy']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: ['{{ include "ceph-csi-rbd.provisioner.fullname" . }}']
-{{- end -}}
 {{- end -}}
diff --git a/charts/ceph-csi-rbd/values.yaml b/charts/ceph-csi-rbd/values.yaml
index 2697e1a37..a58871a01 100644
--- a/charts/ceph-csi-rbd/values.yaml
+++ b/charts/ceph-csi-rbd/values.yaml
@@ -124,11 +124,6 @@ nodeplugin:
 affinity: {}
- # If true, create & use Pod Security Policy resources
- # https://kubernetes.io/docs/concepts/policy/pod-security-policy/
- podSecurityPolicy:
- enabled: false
-
 provisioner:
 name: provisioner
 replicaCount: 3
@@ -247,11 +242,6 @@ provisioner:
 affinity: {}
- # If true, create & use Pod Security Policy resources
- # https://kubernetes.io/docs/concepts/policy/pod-security-policy/
- podSecurityPolicy:
- enabled: false
-
 topology:
 # Specifies whether topology based provisioning support should
 # be exposed by CSI
diff --git a/deploy/cephfs/kubernetes/csi-nodeplugin-psp.yaml b/deploy/cephfs/kubernetes/csi-nodeplugin-psp.yaml
deleted file mode 100644
index 5349b6d74..000000000
--- a/deploy/cephfs/kubernetes/csi-nodeplugin-psp.yaml
+++ /dev/null
@@ -1,75 +0,0 @@
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: cephfs-csi-nodeplugin-psp
-spec:
- allowPrivilegeEscalation: true
- allowedCapabilities:
- - 'SYS_ADMIN'
- fsGroup:
- rule: RunAsAny
- privileged: true
- hostNetwork: true
- hostPID: true
- runAsUser:
- rule: RunAsAny
- seLinux:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- volumes:
- - 'configMap'
- - 'emptyDir'
- - 'projected'
- - 'secret'
- - 'hostPath'
- allowedHostPaths:
- - pathPrefix: '/dev'
- readOnly: false
- - pathPrefix: '/run/mount'
- readOnly: false
- - pathPrefix: '/sys'
- readOnly: false
- - pathPrefix: '/etc/selinux'
- readOnly: true
- - pathPrefix: '/lib/modules'
- readOnly: true
- - pathPrefix: '/var/lib/kubelet/pods'
- readOnly: false
- - pathPrefix: '/var/lib/kubelet/plugins/cephfs.csi.ceph.com'
- readOnly: false
- - pathPrefix: '/var/lib/kubelet/plugins_registry'
- readOnly: false
- - pathPrefix: '/var/lib/kubelet/plugins'
- readOnly: false
-
----
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: cephfs-csi-nodeplugin-psp
- # replace with non-default namespace name
- namespace: default
-rules:
- - apiGroups: ['policy']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: ['cephfs-csi-nodeplugin-psp']
-
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: cephfs-csi-nodeplugin-psp
- # replace with non-default namespace name
- namespace: default
-subjects:
- - kind: ServiceAccount
- name: cephfs-csi-nodeplugin
- # replace with non-default namespace name
- namespace: default
-roleRef:
- kind: Role
- name: cephfs-csi-nodeplugin-psp
- apiGroup: rbac.authorization.k8s.io
diff --git a/deploy/cephfs/kubernetes/csi-provisioner-psp.yaml b/deploy/cephfs/kubernetes/csi-provisioner-psp.yaml
deleted file mode 100644
index 82ba30874..000000000
--- a/deploy/cephfs/kubernetes/csi-provisioner-psp.yaml
+++ /dev/null
@@ -1,57 +0,0 @@
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: cephfs-csi-provisioner-psp
-spec:
- fsGroup:
- rule: RunAsAny
- runAsUser:
- rule: RunAsAny
- seLinux:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- volumes:
- - 'configMap'
- - 'emptyDir'
- - 'projected'
- - 'secret'
- - 'hostPath'
- allowedHostPaths:
- - pathPrefix: '/dev'
- readOnly: false
- - pathPrefix: '/sys'
- readOnly: false
- - pathPrefix: '/lib/modules'
- readOnly: true
-
----
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: cephfs-csi-provisioner-psp
- # replace with non-default namespace name
- namespace: default
-rules:
- - apiGroups: ['policy']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: ['cephfs-csi-provisioner-psp']
-
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: cephfs-csi-provisioner-psp
- # replace with non-default namespace name
- namespace: default
-subjects:
- - kind: ServiceAccount
- name: cephfs-csi-provisioner
- # replace with non-default namespace name
- namespace: default
-roleRef:
- kind: Role
- name: cephfs-csi-provisioner-psp
- apiGroup: rbac.authorization.k8s.io
diff --git a/deploy/nfs/kubernetes/csi-nodeplugin-psp.yaml b/deploy/nfs/kubernetes/csi-nodeplugin-psp.yaml
deleted file mode 100644
index 1ae0398ff..000000000
--- a/deploy/nfs/kubernetes/csi-nodeplugin-psp.yaml
+++ /dev/null
@@ -1,77 +0,0 @@
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: nfs-csi-nodeplugin-psp
-spec:
- allowPrivilegeEscalation: true
- allowedCapabilities:
- - 'SYS_ADMIN'
- fsGroup:
- rule: RunAsAny
- privileged: true
- hostNetwork: true
- hostPID: true
- runAsUser:
- rule: RunAsAny
- seLinux:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- volumes:
- - 'configMap'
- - 'emptyDir'
- - 'projected'
- - 'secret'
- - 'hostPath'
- allowedHostPaths:
- - pathPrefix: '/dev'
- readOnly: false
- - pathPrefix: '/run/mount'
- readOnly: false
- - pathPrefix: '/sys'
- readOnly: false
- - pathPrefix: '/etc/selinux'
- readOnly: true
- - pathPrefix: '/lib/modules'
- readOnly: true
- - pathPrefix: '/var/lib/kubelet/pods'
- readOnly: false
- - pathPrefix: '/var/lib/kubelet/plugins/nfs.csi.ceph.com'
- readOnly: false
- - pathPrefix: '/var/lib/kubelet/plugins_registry'
- readOnly: false
- - pathPrefix: '/var/lib/kubelet/plugins'
- readOnly: false
- hostPorts:
- - min: 29653
- max: 29653
----
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: nfs-csi-nodeplugin-psp
- # replace with non-default namespace name
- namespace: default
-rules:
- - apiGroups: ['policy']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: ['nfs-csi-nodeplugin-psp']
-
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: nfs-csi-nodeplugin-psp
- # replace with non-default namespace name
- namespace: default
-subjects:
- - kind: ServiceAccount
- name: nfs-csi-nodeplugin
- # replace with non-default namespace name
- namespace: default
-roleRef:
- kind: Role
- name: nfs-csi-nodeplugin-psp
- apiGroup: rbac.authorization.k8s.io
diff --git a/deploy/nfs/kubernetes/csi-provisioner-psp.yaml b/deploy/nfs/kubernetes/csi-provisioner-psp.yaml
deleted file mode 100644
index b5115817d..000000000
--- a/deploy/nfs/kubernetes/csi-provisioner-psp.yaml
+++ /dev/null
@@ -1,55 +0,0 @@
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: nfs-csi-provisioner-psp
-spec:
- fsGroup:
- rule: RunAsAny
- runAsUser:
- rule: RunAsAny
- seLinux:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- volumes:
- - 'configMap'
- - 'emptyDir'
- - 'projected'
- - 'secret'
- - 'hostPath'
- allowedHostPaths:
- - pathPrefix: '/dev'
- readOnly: false
- - pathPrefix: '/sys'
- readOnly: false
- - pathPrefix: '/lib/modules'
- readOnly: true
----
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: nfs-csi-provisioner-psp
- # replace with non-default namespace name
- namespace: default
-rules:
- - apiGroups: ['policy']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: ['nfs-csi-provisioner-psp']
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: nfs-csi-provisioner-psp
- # replace with non-default namespace name
- namespace: default
-subjects:
- - kind: ServiceAccount
- name: nfs-csi-provisioner
- # replace with non-default namespace name
- namespace: default
-roleRef:
- kind: Role
- name: nfs-csi-provisioner-psp
- apiGroup: rbac.authorization.k8s.io
diff --git a/deploy/rbd/kubernetes/csi-nodeplugin-psp.yaml b/deploy/rbd/kubernetes/csi-nodeplugin-psp.yaml
deleted file mode 100644
index 5ca5b3645..000000000
--- a/deploy/rbd/kubernetes/csi-nodeplugin-psp.yaml
+++ /dev/null
@@ -1,77 +0,0 @@
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: rbd-csi-nodeplugin-psp
-spec:
- allowPrivilegeEscalation: true
- allowedCapabilities:
- - 'SYS_ADMIN'
- fsGroup:
- rule: RunAsAny
- privileged: true
- hostNetwork: true
- hostPID: true
- runAsUser:
- rule: RunAsAny
- seLinux:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- volumes:
- - 'configMap'
- - 'emptyDir'
- - 'projected'
- - 'hostPath'
- - 'secret'
- allowedHostPaths:
- - pathPrefix: '/dev'
- readOnly: false
- - pathPrefix: '/run/mount'
- readOnly: false
- - pathPrefix: '/sys'
- readOnly: false
- - pathPrefix: '/etc/selinux'
- readOnly: true
- - pathPrefix: '/lib/modules'
- readOnly: true
- - pathPrefix: '/var/lib/kubelet/pods'
- readOnly: false
- - pathPrefix: '/var/log/ceph'
- readOnly: false
- - pathPrefix: '/var/lib/kubelet/plugins/rbd.csi.ceph.com'
- readOnly: false
- - pathPrefix: '/var/lib/kubelet/plugins_registry'
- readOnly: false
- - pathPrefix: '/var/lib/kubelet/plugins'
- readOnly: false
-
----
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: rbd-csi-nodeplugin-psp
- # replace with non-default namespace name
- namespace: default
-rules:
- - apiGroups: ['policy']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: ['rbd-csi-nodeplugin-psp']
-
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: rbd-csi-nodeplugin-psp
- # replace with non-default namespace name
- namespace: default
-subjects:
- - kind: ServiceAccount
- name: rbd-csi-nodeplugin
- # replace with non-default namespace name
- namespace: default
-roleRef:
- kind: Role
- name: rbd-csi-nodeplugin-psp
- apiGroup: rbac.authorization.k8s.io
diff --git a/deploy/rbd/kubernetes/csi-provisioner-psp.yaml b/deploy/rbd/kubernetes/csi-provisioner-psp.yaml
deleted file mode 100644
index b6200b625..000000000
--- a/deploy/rbd/kubernetes/csi-provisioner-psp.yaml
+++ /dev/null
@@ -1,57 +0,0 @@
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: rbd-csi-provisioner-psp
-spec:
- fsGroup:
- rule: RunAsAny
- runAsUser:
- rule: RunAsAny
- seLinux:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- volumes:
- - 'configMap'
- - 'emptyDir'
- - 'projected'
- - 'secret'
- - 'hostPath'
- allowedHostPaths:
- - pathPrefix: '/dev'
- readOnly: false
- - pathPrefix: '/sys'
- readOnly: false
- - pathPrefix: '/lib/modules'
- readOnly: true
-
----
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- # replace with non-default namespace name
- namespace: default
- name: rbd-csi-provisioner-psp
-rules:
- - apiGroups: ['policy']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: ['rbd-csi-provisioner-psp']
-
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: rbd-csi-provisioner-psp
- # replace with non-default namespace name
- namespace: default
-subjects:
- - kind: ServiceAccount
- name: rbd-csi-provisioner
- # replace with non-default namespace name
- namespace: default
-roleRef:
- kind: Role
- name: rbd-csi-provisioner-psp
- apiGroup: rbac.authorization.k8s.io
diff --git a/docs/ceph-csi-upgrade.md b/docs/ceph-csi-upgrade.md
index ead87c757..424b0ccb5 100644
--- a/docs/ceph-csi-upgrade.md
+++ b/docs/ceph-csi-upgrade.md
@@ -17,6 +17,7 @@
 - [2.1 Update the CephFS Nodeplugin RBAC](#21-update-the-cephfs-nodeplugin-rbac)
 - [2.2 Update the CephFS Nodeplugin daemonset](#22-update-the-cephfs-nodeplugin-daemonset)
 - [2.3 Manual deletion of CephFS Nodeplugin daemonset pods](#23-manual-deletion-of-cephfs-nodeplugin-daemonset-pods)
+ - [Delete removed CephFS PSP, Role and RoleBinding](#delete-removed-cephfs-psp-role-and-rolebinding)
 - [Upgrading RBD](#upgrading-rbd)
 - [3. Upgrade RBD Provisioner resources](#3-upgrade-rbd-provisioner-resources)
 - [3.1 Update the RBD Provisioner RBAC](#31-update-the-rbd-provisioner-rbac)
@@ -24,6 +25,7 @@
 - [4. Upgrade RBD Nodeplugin resources](#4-upgrade-rbd-nodeplugin-resources)
 - [4.1 Update the RBD Nodeplugin RBAC](#41-update-the-rbd-nodeplugin-rbac)
 - [4.2 Update the RBD Nodeplugin daemonset](#42-update-the-rbd-nodeplugin-daemonset)
+ - [Delete removed RBD PSP, Role and RoleBinding](#delete-removed-rbd-psp-role-and-rolebinding)
 - [Upgrading NFS](#upgrading-nfs)
 - [5. Upgrade NFS Provisioner resources](#5-upgrade-nfs-provisioner-resources)
 - [5.1 Update the NFS Provisioner RBAC](#51-update-the-nfs-provisioner-rbac)
@@ -231,6 +233,20 @@ For each node:
 - The pod deletion causes the pods to be restarted and updated automatically
 on the node.
+#### Delete removed CephFS PSP, Role and RoleBinding
+
+As PSP is deprecated in Kubernetes v1.21.0. Delete PSP related objects as PSP
+support for CephFS is removed.
+
+```console
+kubectl delete psp cephfs-csi-provisioner-psp --ignore-not-found
+kubectl delete role cephfs-csi-provisioner-psp --ignore-not-found
+kubectl delete rolebinding cephfs-csi-provisioner-psp --ignore-not-found
+kubectl delete psp cephfs-csi-nodeplugin-psp --ignore-not-found
+kubectl delete role cephfs-csi-nodeplugin-psp --ignore-not-found
+kubectl delete rolebinding cephfs-csi-nodeplugin-psp --ignore-not-found
+```
+
 we have successfully upgraded cephfs csi from v3.6 to v3.7
 ### Upgrading RBD
@@ -297,6 +313,23 @@ daemonset.apps/csi-rbdplugin configured
 service/csi-metrics-rbdplugin configured
 ```
+#### Delete removed RBD PSP, Role and RoleBinding
+
+As PSP is deprecated in Kubernetes v1.21.0. Delete PSP related objects as PSP
+support for RBD is removed.
+
+```console
+kubectl delete psp rbd-csi-provisioner-psp --ignore-not-found
+kubectl delete role rbd-csi-provisioner-psp --ignore-not-found
+kubectl delete rolebinding rbd-csi-provisioner-psp --ignore-not-found
+kubectl delete psp rbd-csi-nodeplugin-psp --ignore-not-found
+kubectl delete role rbd-csi-nodeplugin-psp --ignore-not-found
+kubectl delete rolebinding rbd-csi-nodeplugin-psp --ignore-not-found
+kubectl delete psp rbd-csi-vault-token-review-psp --ignore-not-found
+kubectl delete role rbd-csi-vault-token-review-psp --ignore-not-found
+kubectl delete rolebinding rbd-csi-vault-token-review-psp --ignore-not-found
+```
+
 we have successfully upgraded RBD csi from v3.6 to v3.7
 ### Upgrading NFS
diff --git a/docs/deploy-cephfs.md b/docs/deploy-cephfs.md
index 037b0ac4d..b79035dc6 100644
--- a/docs/deploy-cephfs.md
+++ b/docs/deploy-cephfs.md
@@ -140,16 +140,6 @@ Those manifests deploy service accounts, cluster roles and cluster role bindings. These are shared for both RBD and CephFS CSI plugins, as they require the same permissions.
-**Deploy PodSecurityPolicy resources for sidecar containers and node plugins:**
-
-**NOTE:** These manifests are required only if [PodSecurityPolicy](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#podsecuritypolicy)
-admission controller is active on your cluster.
-
-```bash
-kubectl create -f csi-provisioner-psp.yaml
-kubectl create -f csi-nodeplugin-psp.yaml
-```
-
 **Deploy ConfigMap for CSI plugins:**
 ```bash
diff --git a/docs/deploy-rbd.md b/docs/deploy-rbd.md
index 91e8918b9..3f2dc69bd 100644
--- a/docs/deploy-rbd.md
+++ b/docs/deploy-rbd.md
@@ -109,16 +109,6 @@ Those manifests deploy service accounts, cluster roles and cluster role bindings. These are shared for both RBD and CephFS CSI plugins, as they require the same permissions.
-**Deploy PodSecurityPolicy resources for sidecar containers and node plugins:**
-
-**NOTE:** These manifests are required only if [PodSecurityPolicy](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#podsecuritypolicy)
-admission controller is active on your cluster.
-
-```bash
-kubectl create -f csi-provisioner-psp.yaml
-kubectl create -f csi-nodeplugin-psp.yaml
-```
-
 **Deploy ConfigMap for CSI plugins:**
 ```bash
diff --git a/docs/rbd-nbd.md b/docs/rbd-nbd.md
index 61d7ac72a..d9eb9d78c 100644
--- a/docs/rbd-nbd.md
+++ b/docs/rbd-nbd.md
@@ -61,7 +61,7 @@ storageclass yaml
 ```
 - For standard templates edit [csi-rbdplugin.yaml](../deploy/rbd/kubernetes/csi-rbdplugin.yaml)
- to update `hostPath` for `ceph-logdir`, also edit psp [csi-nodeplugin-psp.yaml](../deploy/rbd/kubernetes/csi-nodeplugin-psp.yaml)
+ to update `hostPath` for `ceph-logdir`.
 to update `pathPrefix` spec entries.
 - Update the StorageClass with the customized log directory path
 - Now update rbd StorageClass for `cephLogDir`, for example
diff --git a/e2e/cephfs.go b/e2e/cephfs.go
index 509972c19..c21a06ac5 100644
--- a/e2e/cephfs.go
+++ b/e2e/cephfs.go
@@ -34,10 +34,8 @@ import (
 var (
 cephFSProvisioner = "csi-cephfsplugin-provisioner.yaml"
 cephFSProvisionerRBAC = "csi-provisioner-rbac.yaml"
- cephFSProvisionerPSP = "csi-provisioner-psp.yaml"
 cephFSNodePlugin = "csi-cephfsplugin.yaml"
 cephFSNodePluginRBAC = "csi-nodeplugin-rbac.yaml"
- cephFSNodePluginPSP = "csi-nodeplugin-psp.yaml"
 cephFSDeploymentName = "csi-cephfsplugin-provisioner"
 cephFSDeamonSetName = "csi-cephfsplugin"
 cephFSContainerName = "csi-cephfsplugin"
@@ -83,10 +81,6 @@ func createORDeleteCephfsResources(action kubectlAction) {
 filename: cephFSDirPath + cephFSProvisionerRBAC,
 namespace: cephCSINamespace,
 },
- &yamlResourceNamespaced{
- filename: cephFSDirPath + cephFSProvisionerPSP,
- namespace: cephCSINamespace,
- },
 // the provisioner itself
 &yamlResourceNamespaced{
 filename: cephFSDirPath + cephFSProvisioner,
@@ -98,10 +92,6 @@ func createORDeleteCephfsResources(action kubectlAction) {
 filename: cephFSDirPath + cephFSNodePluginRBAC,
 namespace: cephCSINamespace,
 },
- &yamlResourceNamespaced{
- filename: cephFSDirPath + cephFSNodePluginPSP,
- namespace: cephCSINamespace,
- },
 // the node-plugin itself
 &yamlResourceNamespaced{
 filename: cephFSDirPath + cephFSNodePlugin,
diff --git a/e2e/deploy-vault.go b/e2e/deploy-vault.go
index 6fc8f5237..2f7bad355 100644
--- a/e2e/deploy-vault.go
+++ b/e2e/deploy-vault.go
@@ -30,7 +30,6 @@ import (
 var (
 vaultExamplePath = "../examples/kms/vault/"
 vaultServicePath = "vault.yaml"
- vaultPSPPath = "vault-psp.yaml"
 vaultRBACPath = "csi-vaulttokenreview-rbac.yaml"
 vaultConfigPath = "kms-config.yaml"
 vaultTenantPath = "tenant-sa.yaml"
@@ -99,15 +98,6 @@ func createORDeleteVault(action kubectlAction) {
 if err != nil {
 e2elog.Failf("failed to %s vault configmap %v", action, err)
 }
-
- data, err = replaceNamespaceInTemplate(vaultExamplePath + vaultPSPPath)
- if err != nil {
- e2elog.Failf("failed to read content from %s %v", vaultExamplePath+vaultPSPPath, err)
- }
- err = retryKubectlInput(cephCSINamespace, action, data, deployTimeout)
- if err != nil {
- e2elog.Failf("failed to %s vault psp %v", action, err)
- }
 }
 // createTenantServiceAccount uses the tenant-sa.yaml example file to create
diff --git a/e2e/nfs.go b/e2e/nfs.go
index ec23d6063..54753f677 100644
--- a/e2e/nfs.go
+++ b/e2e/nfs.go
@@ -37,10 +37,8 @@ import (
 var (
 nfsProvisioner = "csi-nfsplugin-provisioner.yaml"
 nfsProvisionerRBAC = "csi-provisioner-rbac.yaml"
- nfsProvisionerPSP = "csi-provisioner-psp.yaml"
 nfsNodePlugin = "csi-nfsplugin.yaml"
 nfsNodePluginRBAC = "csi-nodeplugin-rbac.yaml"
- nfsNodePluginPSP = "csi-nodeplugin-psp.yaml"
 nfsRookCephNFS = "rook-nfs.yaml"
 nfsDeploymentName = "csi-nfsplugin-provisioner"
 nfsDeamonSetName = "csi-nfsplugin"
@@ -95,10 +93,6 @@ func createORDeleteNFSResources(f *framework.Framework, action kubectlAction) {
 filename: nfsDirPath + nfsProvisionerRBAC,
 namespace: cephCSINamespace,
 },
- &yamlResourceNamespaced{
- filename: nfsDirPath + nfsProvisionerPSP,
- namespace: cephCSINamespace,
- },
 // the provisioner itself
 &yamlResourceNamespaced{
 filename: nfsDirPath + nfsProvisioner,
@@ -110,10 +104,6 @@ func createORDeleteNFSResources(f *framework.Framework, action kubectlAction) {
 filename: nfsDirPath + nfsNodePluginRBAC,
 namespace: cephCSINamespace,
 },
- &yamlResourceNamespaced{
- filename: nfsDirPath + nfsNodePluginPSP,
- namespace: cephCSINamespace,
- },
 // the node-plugin itself
 &yamlResourceNamespaced{
 filename: nfsDirPath + nfsNodePlugin,
diff --git a/e2e/rbd.go b/e2e/rbd.go
index 67310e458..d611d8788 100644
--- a/e2e/rbd.go
+++ b/e2e/rbd.go
@@ -38,10 +38,8 @@ import (
 var (
 rbdProvisioner = "csi-rbdplugin-provisioner.yaml"
 rbdProvisionerRBAC = "csi-provisioner-rbac.yaml"
- rbdProvisionerPSP = "csi-provisioner-psp.yaml"
 rbdNodePlugin = "csi-rbdplugin.yaml"
 rbdNodePluginRBAC = "csi-nodeplugin-rbac.yaml"
- rbdNodePluginPSP = "csi-nodeplugin-psp.yaml"
 configMap = "csi-config-map.yaml"
 cephConfconfigMap = "ceph-conf.yaml"
 csiDriverObject = "csidriver.yaml"
@@ -145,10 +143,6 @@ func createORDeleteRbdResources(action kubectlAction) {
 filename: rbdDirPath + rbdProvisionerRBAC,
 namespace: cephCSINamespace,
 },
- &yamlResourceNamespaced{
- filename: rbdDirPath + rbdProvisionerPSP,
- namespace: cephCSINamespace,
- },
 // the provisioner itself
 &yamlResourceNamespaced{
 filename: rbdDirPath + rbdProvisioner,
@@ -161,10 +155,6 @@ func createORDeleteRbdResources(action kubectlAction) {
 filename: rbdDirPath + rbdNodePluginRBAC,
 namespace: cephCSINamespace,
 },
- &yamlResourceNamespaced{
- filename: rbdDirPath + rbdNodePluginPSP,
- namespace: cephCSINamespace,
- },
 // the node-plugin itself
 &yamlResourceNamespaced{
 filename: rbdDirPath + rbdNodePlugin,
diff --git a/examples/kms/vault/vault-psp.yaml b/examples/kms/vault/vault-psp.yaml
deleted file mode 100644
index fef801ae7..000000000
--- a/examples/kms/vault/vault-psp.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: rbd-csi-vault-token-review-psp
-spec:
- fsGroup:
- rule: RunAsAny
- runAsUser:
- rule: RunAsAny
- seLinux:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- volumes:
- - 'configMap'
- - 'secret'
----
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- # replace with non-default namespace name
- namespace: default
- name: rbd-csi-vault-token-review-psp
-rules:
- - apiGroups: ['policy']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: ['rbd-csi-vault-token-review-psp']
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: rbd-csi-vault-token-review-psp
- # replace with non-default namespace name
- namespace: default
-subjects:
- - kind: ServiceAccount
- name: rbd-csi-vault-token-review
- # replace with non-default namespace name
- namespace: default
-roleRef:
- kind: Role
- name: rbd-csi-vault-token-review-psp
- apiGroup: rbac.authorization.k8s.io
diff --git a/scripts/install-helm.sh b/scripts/install-helm.sh
index 66b58bd76..cf3a8ad44 100755
--- a/scripts/install-helm.sh
+++ b/scripts/install-helm.sh
@@ -169,7 +169,7 @@ install_cephcsi_helm_charts() {
 fi
 # install ceph-csi-cephfs and ceph-csi-rbd charts
 # shellcheck disable=SC2086
- "${HELM}" install --namespace ${NAMESPACE} --set provisioner.fullnameOverride=csi-cephfsplugin-provisioner --set nodeplugin.fullnameOverride=csi-cephfsplugin --set configMapName=ceph-csi-config --set provisioner.podSecurityPolicy.enabled=true --set nodeplugin.podSecurityPolicy.enabled=true --set provisioner.replicaCount=1 ${SET_SC_TEMPLATE_VALUES} ${CEPHFS_SECRET_TEMPLATE_VALUES} ${CEPHFS_CHART_NAME} "${SCRIPT_DIR}"/../charts/ceph-csi-cephfs
+ "${HELM}" install --namespace ${NAMESPACE} --set provisioner.fullnameOverride=csi-cephfsplugin-provisioner --set nodeplugin.fullnameOverride=csi-cephfsplugin --set configMapName=ceph-csi-config --set provisioner.replicaCount=1 ${SET_SC_TEMPLATE_VALUES} ${CEPHFS_SECRET_TEMPLATE_VALUES} ${CEPHFS_CHART_NAME} "${SCRIPT_DIR}"/../charts/ceph-csi-cephfs
 check_deployment_status app=ceph-csi-cephfs ${NAMESPACE}
 check_daemonset_status app=ceph-csi-cephfs ${NAMESPACE}
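Review bot: The `--set provisioner.podSecurityPolicy.enabled=true --set nodeplugin.podSecurityPolicy.enabled=true` flags are dropped from the cephfs install on this line and from the rbd install in the next hunk, but nothing in these hunks shows the matching `podSecurityPolicy.enabled` keys leaving the charts' `values.yaml`. If those keys still exist there, a user who sets them now gets neither a PodSecurityPolicy nor an error, which is a silent loss of an expected control; remove the keys from values.yaml in the same change, or note in the chart README that they no longer have any effect. The enclosing `install_cephcsi_helm_charts` function starts outside the hunk.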
@@ -179,7 +179,7 @@ install_cephcsi_helm_charts() {
 kubectl_retry delete cm ceph-config --namespace ${NAMESPACE}
 # shellcheck disable=SC2086
- "${HELM}" install --namespace ${NAMESPACE} --set provisioner.fullnameOverride=csi-rbdplugin-provisioner --set nodeplugin.fullnameOverride=csi-rbdplugin --set configMapName=ceph-csi-config --set provisioner.podSecurityPolicy.enabled=true --set nodeplugin.podSecurityPolicy.enabled=true --set provisioner.replicaCount=1 ${SET_SC_TEMPLATE_VALUES} ${RBD_SECRET_TEMPLATE_VALUES} ${RBD_CHART_NAME} "${SCRIPT_DIR}"/../charts/ceph-csi-rbd --set topology.enabled=true --set topology.domainLabels="{${NODE_LABEL_REGION},${NODE_LABEL_ZONE}}" --set provisioner.maxSnapshotsOnImage=3 --set provisioner.minSnapshotsOnImage=2
+ "${HELM}" install --namespace ${NAMESPACE} --set provisioner.fullnameOverride=csi-rbdplugin-provisioner --set nodeplugin.fullnameOverride=csi-rbdplugin --set configMapName=ceph-csi-config --set provisioner.replicaCount=1 ${SET_SC_TEMPLATE_VALUES} ${RBD_SECRET_TEMPLATE_VALUES} ${RBD_CHART_NAME} "${SCRIPT_DIR}"/../charts/ceph-csi-rbd --set topology.enabled=true --set topology.domainLabels="{${NODE_LABEL_REGION},${NODE_LABEL_ZONE}}" --set provisioner.maxSnapshotsOnImage=3 --set provisioner.minSnapshotsOnImage=2
 check_deployment_status app=ceph-csi-rbd ${NAMESPACE}
 check_daemonset_status app=ceph-csi-rbd ${NAMESPACE}
diff --git a/scripts/install-snapshot.sh b/scripts/install-snapshot.sh
index f6b6d35cf..aa2963104 100755
--- a/scripts/install-snapshot.sh
+++ b/scripts/install-snapshot.sh
@@ -61,17 +61,14 @@ function create_or_delete_resource() {
 local namespace=$2
 temp_rbac=${TEMP_DIR}/snapshot-rbac.yaml
 temp_snap_controller=${TEMP_DIR}/snapshot-controller.yaml
- snapshotter_psp="${SCRIPT_DIR}/snapshot-controller-psp.yaml"
 mkdir -p "${TEMP_DIR}"
 curl -o "${temp_rbac}" "${SNAPSHOT_RBAC}"
 curl -o "${temp_snap_controller}" "${SNAPSHOT_CONTROLLER}"
 sed -i "s/namespace: kube-system/namespace: ${namespace}/g" "${temp_rbac}"
 sed -i "s/namespace: kube-system/namespace: ${namespace}/g" "${temp_snap_controller}"
- sed -i "s/namespace: kube-system/namespace: ${namespace}/g" "${snapshotter_psp}"
 sed -i "s/canary/${SNAPSHOT_VERSION}/g" "${temp_snap_controller}"
 kubectl "${operation}" -f "${temp_rbac}"
- kubectl "${operation}" -f "${snapshotter_psp}"
 kubectl "${operation}" -f "${temp_snap_controller}" -n "${namespace}"
 kubectl "${operation}" -f "${SNAPSHOTCLASS}"
 kubectl "${operation}" -f "${VOLUME_SNAPSHOT_CONTENT}"
diff --git a/scripts/minikube.sh b/scripts/minikube.sh
index a9db7ead1..30dfc7bd5 100755
--- a/scripts/minikube.sh
+++ b/scripts/minikube.sh
@@ -212,9 +212,6 @@ CSI_IMAGE_VERSION=${CSI_IMAGE_VERSION:-"v3.7-canary"}
 #feature-gates for kube
 K8S_FEATURE_GATES=${K8S_FEATURE_GATES:-""}
-#extra-config for kube https://minikube.sigs.k8s.io/docs/reference/configuration/kubernetes/
-EXTRA_CONFIG_PSP="--extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy --addons=pod-security-policy"
-
 # kubelet.resolv-conf needs to point to a file, not a symlink
 # the default minikube VM has /etc/resolv.conf -> /run/systemd/resolve/resolv.conf
 RESOLV_CONF='/run/systemd/resolve/resolv.conf'
@@ -265,7 +262,7 @@ up)
 K8S_FEATURE_GATES="${K8S_FEATURE_GATES},RecoverVolumeExpansionFailure=true"
 fi
 # shellcheck disable=SC2086
- ${minikube} start --force --memory="${MEMORY}" --cpus="${CPUS}" -b kubeadm --kubernetes-version="${KUBE_VERSION}" --driver="${VM_DRIVER}" --feature-gates="${K8S_FEATURE_GATES}" --cni="${CNI}" ${EXTRA_CONFIG} ${EXTRA_CONFIG_PSP} --wait-timeout="${MINIKUBE_WAIT_TIMEOUT}" --wait="${MINIKUBE_WAIT}" --delete-on-failure ${DISK_CONFIG}
+ ${minikube} start --force --memory="${MEMORY}" --cpus="${CPUS}" -b kubeadm --kubernetes-version="${KUBE_VERSION}" --driver="${VM_DRIVER}" --feature-gates="${K8S_FEATURE_GATES}" --cni="${CNI}" ${EXTRA_CONFIG} --wait-timeout="${MINIKUBE_WAIT_TIMEOUT}" --wait="${MINIKUBE_WAIT}" --delete-on-failure ${DISK_CONFIG}
 # create a link so the default dataDirHostPath will work for this
 # environment
diff --git a/scripts/psp.yaml b/scripts/psp.yaml
deleted file mode 100644
index 06bd37e06..000000000
--- a/scripts/psp.yaml
+++ /dev/null
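Review bot: Dropping `${EXTRA_CONFIG_PSP}` from the `minikube start` line leaves the e2e cluster with no pod-security admission configured, because the removed variable in the earlier minikube.sh hunk was the only place `apiserver.enable-admission-plugins` was set and nothing is added in its place. If the test cluster is meant to keep verifying that the privileged node-plugin and provisioner pods are admitted under an enforced policy, the successor to PodSecurityPolicy is the `PodSecurity` admission plugin together with a `pod-security.kubernetes.io/enforce` label on the namespace; if the intent is to stop enforcing in CI, say so above the start line, e.g. `# no pod-security admission is configured for the e2e cluster since PodSecurityPolicy support was dropped`, so the next reader does not assume the gap is accidental. The `up)` case enclosing this line begins outside the hunk.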
@@ -1,135 +0,0 @@
-# Required PodSecurityPolicies, Roles and RoleBindings
-# for minikube to bootstrap when PSPs are enabled
-# https://minikube.sigs.k8s.io/docs/tutorials/using_psp/
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: privileged
- annotations:
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
- labels:
- addonmanager.kubernetes.io/mode: EnsureExists
-spec:
- privileged: true
- allowPrivilegeEscalation: true
- allowedCapabilities:
- - "*"
- volumes:
- - "*"
- hostNetwork: true
- hostPorts:
- - min: 0
- max: 65535
- hostIPC: true
- hostPID: true
- runAsUser:
- rule: 'RunAsAny'
- seLinux:
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'RunAsAny'
- fsGroup:
- rule: 'RunAsAny'
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: restricted
- labels:
- addonmanager.kubernetes.io/mode: EnsureExists
-spec:
- privileged: false
- allowPrivilegeEscalation: false
- requiredDropCapabilities:
- - ALL
- volumes:
- - 'configMap'
- - 'emptyDir'
- - 'projected'
- - 'secret'
- - 'downwardAPI'
- - 'persistentVolumeClaim'
- hostNetwork: false
- hostIPC: false
- hostPID: false
- runAsUser:
- rule: 'MustRunAsNonRoot'
- seLinux:
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'MustRunAs'
- ranges:
- # Forbid adding the root group.
- - min: 1
- max: 65535
- fsGroup:
- rule: 'MustRunAs'
- ranges:
- # Forbid adding the root group.
- - min: 1
- max: 65535
- readOnlyRootFilesystem: false
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: psp:privileged
- labels:
- addonmanager.kubernetes.io/mode: EnsureExists
-rules:
- - apiGroups: ['policy']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames:
- - privileged
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: psp:restricted
- labels:
- addonmanager.kubernetes.io/mode: EnsureExists
-rules:
- - apiGroups: ['policy']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames:
- - restricted
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: default:restricted
- labels:
- addonmanager.kubernetes.io/mode: EnsureExists
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:restricted
-subjects:
- - kind: Group
- name: system:authenticated
- apiGroup: rbac.authorization.k8s.io
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: default:privileged
- namespace: kube-system
- labels:
- addonmanager.kubernetes.io/mode: EnsureExists
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:privileged
-subjects:
- - kind: Group
- name: system:masters
- apiGroup: rbac.authorization.k8s.io
- - kind: Group
- name: system:nodes
- apiGroup: rbac.authorization.k8s.io
- - kind: Group
- name: system:serviceaccounts:kube-system
- apiGroup: rbac.authorization.k8s.io
diff --git a/scripts/snapshot-controller-psp.yaml b/scripts/snapshot-controller-psp.yaml
deleted file mode 100644
index 21c4d0fb6..000000000
--- a/scripts/snapshot-controller-psp.yaml
+++ /dev/null
@@ -1,55 +0,0 @@
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: csi-snapshotter-psp
- namespace: kube-system
-spec:
- allowPrivilegeEscalation: true
- allowedCapabilities:
- - "SYS_ADMIN"
- fsGroup:
- rule: RunAsAny
- privileged: true
- runAsUser:
- rule: RunAsAny
- seLinux:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- volumes:
- - "configMap"
- - "emptyDir"
- - "secret"
- - "projected"
- - "hostPath"
----
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: csi-snapshotter-psp
- # replace with non-kube-system namespace name
- namespace: kube-system
-rules:
- - apiGroups: ["policy"]
- resources: ["podsecuritypolicies"]
- verbs: ["use"]
- resourceNames: ["csi-snapshotter-psp"]
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: csi-snapshotter-psp
- # replace with non-kube-system namespace name
- namespace: kube-system
-subjects:
- - kind: ServiceAccount
- name: snapshot-controller
- # replace with non-kube-system namespace name
- namespace: kube-system
-roleRef:
- kind: Role
- name: csi-snapshotter-psp
- apiGroup: rbac.authorization.k8s.io