From cf33b3e7a1f761b3d1359e2b8f16aff08c72b4a0 Mon Sep 17 00:00:00 2001
From: Madhu Rajanna
Date: Tue, 23 Aug 2022 10:34:16 +0530
Subject: [PATCH] deploy: remove psp from cephcsi as PSP is deprecated in kubernetes 1.21 and will be removed in kubernetes 1.25 removing the existing PSP related templates from the repo and updated the required documents. fixes #1988
Signed-off-by: Madhu Rajanna
(cherry picked from commit 96a3aabe5a044d7c190e5797fc62ec7ee5d2c3f7)
---
 .../templates/nodeplugin-psp.yaml | 51 -------
 .../templates/nodeplugin-role.yaml | 18 ---
 .../templates/nodeplugin-rolebinding.yaml | 21 ---
 .../templates/provisioner-psp.yaml | 34 -----
 .../templates/provisioner-role.yaml | 6 -
 charts/ceph-csi-cephfs/values.yaml | 10 --
 .../templates/nodeplugin-psp.yaml | 53 -------
 .../templates/nodeplugin-role.yaml | 18 ---
 .../templates/nodeplugin-rolebinding.yaml | 21 ---
 .../templates/provisioner-psp.yaml | 34 -----
 .../templates/provisioner-role.yaml | 6 -
 charts/ceph-csi-rbd/values.yaml | 10 --
 .../cephfs/kubernetes/csi-nodeplugin-psp.yaml | 75 ----------
 .../kubernetes/csi-provisioner-psp.yaml | 57 --------
 deploy/nfs/kubernetes/csi-nodeplugin-psp.yaml | 77 ----------
 .../nfs/kubernetes/csi-provisioner-psp.yaml | 55 -------
 deploy/rbd/kubernetes/csi-nodeplugin-psp.yaml | 77 ----------
 .../rbd/kubernetes/csi-provisioner-psp.yaml | 57 --------
 docs/ceph-csi-upgrade.md | 33 +++++
 docs/deploy-cephfs.md | 10 --
 docs/deploy-rbd.md | 10 --
 docs/rbd-nbd.md | 2 +-
 e2e/cephfs.go | 10 --
 e2e/deploy-vault.go | 10 --
 e2e/nfs.go | 10 --
 e2e/rbd.go | 10 --
 examples/kms/vault/vault-psp.yaml | 47 ------
 scripts/install-helm.sh | 4 +-
 scripts/install-snapshot.sh | 3 -
 scripts/minikube.sh | 5 +-
 scripts/psp.yaml | 135 ------------------
 scripts/snapshot-controller-psp.yaml | 55 -------
 32 files changed, 37 insertions(+), 987 deletions(-)
 delete mode 100644 charts/ceph-csi-cephfs/templates/nodeplugin-psp.yaml
 delete mode 100644 charts/ceph-csi-cephfs/templates/nodeplugin-role.yaml
 delete mode 100644 charts/ceph-csi-cephfs/templates/nodeplugin-rolebinding.yaml
 delete mode 100644 charts/ceph-csi-cephfs/templates/provisioner-psp.yaml
 delete mode 100644 charts/ceph-csi-rbd/templates/nodeplugin-psp.yaml
 delete mode 100644 charts/ceph-csi-rbd/templates/nodeplugin-role.yaml
 delete mode 100644 charts/ceph-csi-rbd/templates/nodeplugin-rolebinding.yaml
 delete mode 100644 charts/ceph-csi-rbd/templates/provisioner-psp.yaml
 delete mode 100644 deploy/cephfs/kubernetes/csi-nodeplugin-psp.yaml
 delete mode 100644 deploy/cephfs/kubernetes/csi-provisioner-psp.yaml
 delete mode 100644 deploy/nfs/kubernetes/csi-nodeplugin-psp.yaml
 delete mode 100644 deploy/nfs/kubernetes/csi-provisioner-psp.yaml
 delete mode 100644 deploy/rbd/kubernetes/csi-nodeplugin-psp.yaml
 delete mode 100644 deploy/rbd/kubernetes/csi-provisioner-psp.yaml
 delete mode 100644 examples/kms/vault/vault-psp.yaml
 delete mode 100644 scripts/psp.yaml
 delete mode 100644 scripts/snapshot-controller-psp.yaml
diff --git a/charts/ceph-csi-cephfs/templates/nodeplugin-psp.yaml b/charts/ceph-csi-cephfs/templates/nodeplugin-psp.yaml
deleted file mode 100644
index 197a865c8..000000000
--- a/charts/ceph-csi-cephfs/templates/nodeplugin-psp.yaml
+++ /dev/null
@@ -1,51 +0,0 @@ -{{- if .Values.nodeplugin.podSecurityPolicy.enabled -}} -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }} - labels: - app: {{ include "ceph-csi-cephfs.fullname" . }} - chart: {{ include "ceph-csi-cephfs.chart" . }} - component: {{ .Values.nodeplugin.name }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - allowPrivilegeEscalation: true - allowedCapabilities: - - 'SYS_ADMIN' - fsGroup: - rule: RunAsAny - privileged: true - hostNetwork: true - hostPorts: - - min: {{ .Values.nodeplugin.httpMetrics.containerPort }} - max: {{ .Values.nodeplugin.httpMetrics.containerPort }} - hostPID: true - runAsUser: - rule: RunAsAny - seLinux: - rule: RunAsAny - supplementalGroups: - rule: RunAsAny - volumes: - - 'configMap' - - 'emptyDir' - - 'projected' - - 'secret' - - 'hostPath' - allowedHostPaths: - - pathPrefix: '/dev' - readOnly: false - - pathPrefix: '/run/mount' - readOnly: false - - pathPrefix: '/sys' - readOnly: false -{{- if .Values.selinuxMount }} - - pathPrefix: '/etc/selinux' - readOnly: true -{{- end }} - - pathPrefix: '/lib/modules' - readOnly: true - - pathPrefix: '{{ .Values.kubeletDir }}' - readOnly: false -{{- end }} diff --git a/charts/ceph-csi-cephfs/templates/nodeplugin-role.yaml b/charts/ceph-csi-cephfs/templates/nodeplugin-role.yaml deleted file mode 100644 index 4b211d7fc..000000000 --- a/charts/ceph-csi-cephfs/templates/nodeplugin-role.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{- if and .Values.rbac.create .Values.nodeplugin.podSecurityPolicy.enabled -}} -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - app: {{ include "ceph-csi-cephfs.fullname" . }} - chart: {{ include "ceph-csi-cephfs.chart" . }} - component: {{ .Values.nodeplugin.name }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -rules: - - apiGroups: ['policy'] - resources: ['podsecuritypolicies'] - verbs: ['use'] - resourceNames: ['{{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}'] -{{- end -}} diff --git a/charts/ceph-csi-cephfs/templates/nodeplugin-rolebinding.yaml b/charts/ceph-csi-cephfs/templates/nodeplugin-rolebinding.yaml deleted file mode 100644 index 19b3b6d8b..000000000 --- a/charts/ceph-csi-cephfs/templates/nodeplugin-rolebinding.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if and .Values.rbac.create .Values.nodeplugin.podSecurityPolicy.enabled -}} -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - app: {{ include "ceph-csi-cephfs.fullname" . }} - chart: {{ include "ceph-csi-cephfs.chart" . }} - component: {{ .Values.nodeplugin.name }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -subjects: - - kind: ServiceAccount - name: {{ include "ceph-csi-cephfs.serviceAccountName.nodeplugin" . }} - namespace: {{ .Release.Namespace }} -roleRef: - kind: Role - name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }} - apiGroup: rbac.authorization.k8s.io -{{- end -}} diff --git a/charts/ceph-csi-cephfs/templates/provisioner-psp.yaml b/charts/ceph-csi-cephfs/templates/provisioner-psp.yaml deleted file mode 100644 index fceecd01d..000000000 --- a/charts/ceph-csi-cephfs/templates/provisioner-psp.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -{{- if .Values.provisioner.podSecurityPolicy.enabled -}} -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: {{ include "ceph-csi-cephfs.provisioner.fullname" . }} - labels: - app: {{ include "ceph-csi-cephfs.name" . }} - chart: {{ include "ceph-csi-cephfs.chart" . }} - component: {{ .Values.provisioner.name }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - fsGroup: - rule: RunAsAny - runAsUser: - rule: RunAsAny - seLinux: - rule: RunAsAny - supplementalGroups: - rule: RunAsAny - volumes: - - 'configMap' - - 'emptyDir' - - 'projected' - - 'secret' - - 'hostPath' - allowedHostPaths: - - pathPrefix: '/dev' - readOnly: false - - pathPrefix: '/sys' - readOnly: false - - pathPrefix: '/lib/modules' - readOnly: true -{{- end }} diff --git a/charts/ceph-csi-cephfs/templates/provisioner-role.yaml b/charts/ceph-csi-cephfs/templates/provisioner-role.yaml index 983bc60ee..d5cc57500 100644 --- a/charts/ceph-csi-cephfs/templates/provisioner-role.yaml +++ b/charts/ceph-csi-cephfs/templates/provisioner-role.yaml @@ -17,10 +17,4 @@ rules: - apiGroups: ["coordination.k8s.io"] resources: ["leases"] verbs: ["get", "watch", "list", "delete", "update", "create"] -{{- if .Values.provisioner.podSecurityPolicy.enabled }} - - apiGroups: ['policy'] - resources: ['podsecuritypolicies'] - verbs: ['use'] - resourceNames: ['{{ include "ceph-csi-cephfs.provisioner.fullname" . }}'] -{{- end -}} {{- end -}} diff --git a/charts/ceph-csi-cephfs/values.yaml b/charts/ceph-csi-cephfs/values.yaml index 04e1b060e..2bf596a4f 100644 --- a/charts/ceph-csi-cephfs/values.yaml +++ b/charts/ceph-csi-cephfs/values.yaml @@ -110,11 +110,6 @@ nodeplugin: kernelmountoptions: "" fusemountoptions: "" - # If true, create & use Pod Security Policy resources - # https://kubernetes.io/docs/concepts/policy/pod-security-policy/ - podSecurityPolicy: - enabled: false - provisioner: name: provisioner replicaCount: 3 
@@ -205,11 +200,6 @@ provisioner: affinity: {} - # If true, create & use Pod Security Policy resources - # https://kubernetes.io/docs/concepts/policy/pod-security-policy/ - podSecurityPolicy: - enabled: false - # Mount the host /etc/selinux inside pods to support # selinux-enabled filesystems selinuxMount: true diff --git a/charts/ceph-csi-rbd/templates/nodeplugin-psp.yaml b/charts/ceph-csi-rbd/templates/nodeplugin-psp.yaml deleted file mode 100644 index 5fc5c48d5..000000000 --- a/charts/ceph-csi-rbd/templates/nodeplugin-psp.yaml +++ /dev/null @@ -1,53 +0,0 @@ -{{- if .Values.nodeplugin.podSecurityPolicy.enabled -}} -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }} - labels: - app: {{ include "ceph-csi-rbd.name" . }} - chart: {{ include "ceph-csi-rbd.chart" . }} - component: {{ .Values.nodeplugin.name }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - allowPrivilegeEscalation: true - allowedCapabilities: - - 'SYS_ADMIN' - fsGroup: - rule: RunAsAny - privileged: true - hostNetwork: true - hostPorts: - - min: {{ .Values.nodeplugin.httpMetrics.containerPort }} - max: {{ .Values.nodeplugin.httpMetrics.containerPort }} - hostPID: true - runAsUser: - rule: RunAsAny - seLinux: - rule: RunAsAny - supplementalGroups: - rule: RunAsAny - volumes: - - 'configMap' - - 'emptyDir' - - 'projected' - - 'secret' - - 'hostPath' - allowedHostPaths: - - pathPrefix: '/dev' - readOnly: false - - pathPrefix: '/run/mount' - readOnly: false - - pathPrefix: '/sys' - readOnly: false -{{- if .Values.selinuxMount }} - - pathPrefix: '/etc/selinux' - readOnly: true -{{- end }} - - pathPrefix: '/lib/modules' - readOnly: true - - pathPrefix: '{{ .Values.cephLogDirHostPath }}' - readOnly: false - - pathPrefix: '{{ .Values.kubeletDir }}' - readOnly: false -{{- end }} 
diff --git a/charts/ceph-csi-rbd/templates/nodeplugin-role.yaml b/charts/ceph-csi-rbd/templates/nodeplugin-role.yaml deleted file mode 100644 index d9d5a0e7b..000000000 --- a/charts/ceph-csi-rbd/templates/nodeplugin-role.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- if and .Values.rbac.create .Values.nodeplugin.podSecurityPolicy.enabled -}} -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - app: {{ include "ceph-csi-rbd.name" . }} - chart: {{ include "ceph-csi-rbd.chart" . }} - component: {{ .Values.nodeplugin.name }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -rules: - - apiGroups: ['policy'] - resources: ['podsecuritypolicies'] - verbs: ['use'] - resourceNames: ['{{ include "ceph-csi-rbd.nodeplugin.fullname" . }}'] -{{- end -}} diff --git a/charts/ceph-csi-rbd/templates/nodeplugin-rolebinding.yaml b/charts/ceph-csi-rbd/templates/nodeplugin-rolebinding.yaml deleted file mode 100644 index f4cce98af..000000000 --- a/charts/ceph-csi-rbd/templates/nodeplugin-rolebinding.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if and .Values.rbac.create .Values.nodeplugin.podSecurityPolicy.enabled -}} -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - app: {{ include "ceph-csi-rbd.name" . }} - chart: {{ include "ceph-csi-rbd.chart" . }} - component: {{ .Values.nodeplugin.name }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -subjects: - - kind: ServiceAccount - name: {{ include "ceph-csi-rbd.serviceAccountName.nodeplugin" . }} - namespace: {{ .Release.Namespace }} -roleRef: - kind: Role - name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }} - apiGroup: rbac.authorization.k8s.io -{{- end -}} 
diff --git a/charts/ceph-csi-rbd/templates/provisioner-psp.yaml b/charts/ceph-csi-rbd/templates/provisioner-psp.yaml deleted file mode 100644 index 111226e14..000000000 --- a/charts/ceph-csi-rbd/templates/provisioner-psp.yaml +++ /dev/null @@ -1,34 +0,0 @@ -{{- if .Values.provisioner.podSecurityPolicy.enabled -}} -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: {{ include "ceph-csi-rbd.provisioner.fullname" . }} - labels: - app: {{ include "ceph-csi-rbd.name" . }} - chart: {{ include "ceph-csi-rbd.chart" . }} - component: {{ .Values.provisioner.name }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - fsGroup: - rule: RunAsAny - runAsUser: - rule: RunAsAny - seLinux: - rule: RunAsAny - supplementalGroups: - rule: RunAsAny - volumes: - - 'configMap' - - 'emptyDir' - - 'projected' - - 'secret' - - 'hostPath' - allowedHostPaths: - - pathPrefix: '/dev' - readOnly: false - - pathPrefix: '/sys' - readOnly: false - - pathPrefix: '/lib/modules' - readOnly: true -{{- end }} diff --git a/charts/ceph-csi-rbd/templates/provisioner-role.yaml b/charts/ceph-csi-rbd/templates/provisioner-role.yaml index ae16fde62..3a235a36d 100644 --- a/charts/ceph-csi-rbd/templates/provisioner-role.yaml +++ b/charts/ceph-csi-rbd/templates/provisioner-role.yaml @@ -17,10 +17,4 @@ rules: - apiGroups: ["coordination.k8s.io"] resources: ["leases"] verbs: ["get", "watch", "list", "delete", "update", "create"] -{{- if .Values.provisioner.podSecurityPolicy.enabled }} - - apiGroups: ['policy'] - resources: ['podsecuritypolicies'] - verbs: ['use'] - resourceNames: ['{{ include "ceph-csi-rbd.provisioner.fullname" . }}'] -{{- end -}} {{- end -}} diff --git a/charts/ceph-csi-rbd/values.yaml b/charts/ceph-csi-rbd/values.yaml index 2697e1a37..a58871a01 100644 --- a/charts/ceph-csi-rbd/values.yaml +++ b/charts/ceph-csi-rbd/values.yaml 
@@ -124,11 +124,6 @@ nodeplugin: affinity: {} - # If true, create & use Pod Security Policy resources - # https://kubernetes.io/docs/concepts/policy/pod-security-policy/ - podSecurityPolicy: - enabled: false - provisioner: name: provisioner replicaCount: 3 @@ -247,11 +242,6 @@ provisioner: affinity: {} - # If true, create & use Pod Security Policy resources - # https://kubernetes.io/docs/concepts/policy/pod-security-policy/ - podSecurityPolicy: - enabled: false - topology: # Specifies whether topology based provisioning support should # be exposed by CSI diff --git a/deploy/cephfs/kubernetes/csi-nodeplugin-psp.yaml b/deploy/cephfs/kubernetes/csi-nodeplugin-psp.yaml deleted file mode 100644 index 5349b6d74..000000000 --- a/deploy/cephfs/kubernetes/csi-nodeplugin-psp.yaml +++ /dev/null 
@@ -1,75 +0,0 @@ ---- -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: cephfs-csi-nodeplugin-psp -spec: - allowPrivilegeEscalation: true - allowedCapabilities: - - 'SYS_ADMIN' - fsGroup: - rule: RunAsAny - privileged: true - hostNetwork: true - hostPID: true - runAsUser: - rule: RunAsAny - seLinux: - rule: RunAsAny - supplementalGroups: - rule: RunAsAny - volumes: - - 'configMap' - - 'emptyDir' - - 'projected' - - 'secret' - - 'hostPath' - allowedHostPaths: - - pathPrefix: '/dev' - readOnly: false - - pathPrefix: '/run/mount' - readOnly: false - - pathPrefix: '/sys' - readOnly: false - - pathPrefix: '/etc/selinux' - readOnly: true - - pathPrefix: '/lib/modules' - readOnly: true - - pathPrefix: '/var/lib/kubelet/pods' - readOnly: false - - pathPrefix: '/var/lib/kubelet/plugins/cephfs.csi.ceph.com' - readOnly: false - - pathPrefix: '/var/lib/kubelet/plugins_registry' - readOnly: false - - pathPrefix: '/var/lib/kubelet/plugins' - readOnly: false - ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: cephfs-csi-nodeplugin-psp - # replace with non-default namespace name - namespace: default -rules: - - apiGroups: ['policy'] - resources: ['podsecuritypolicies'] - verbs: ['use'] - resourceNames: ['cephfs-csi-nodeplugin-psp'] - ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: cephfs-csi-nodeplugin-psp - # replace with non-default namespace name - namespace: default -subjects: - - kind: ServiceAccount - name: cephfs-csi-nodeplugin - # replace with non-default namespace name - namespace: default -roleRef: - kind: Role - name: cephfs-csi-nodeplugin-psp - apiGroup: rbac.authorization.k8s.io diff --git a/deploy/cephfs/kubernetes/csi-provisioner-psp.yaml b/deploy/cephfs/kubernetes/csi-provisioner-psp.yaml deleted file mode 100644 index 82ba30874..000000000 --- a/deploy/cephfs/kubernetes/csi-provisioner-psp.yaml +++ /dev/null 
@@ -1,57 +0,0 @@ ---- -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: cephfs-csi-provisioner-psp -spec: - fsGroup: - rule: RunAsAny - runAsUser: - rule: RunAsAny - seLinux: - rule: RunAsAny - supplementalGroups: - rule: RunAsAny - volumes: - - 'configMap' - - 'emptyDir' - - 'projected' - - 'secret' - - 'hostPath' - allowedHostPaths: - - pathPrefix: '/dev' - readOnly: false - - pathPrefix: '/sys' - readOnly: false - - pathPrefix: '/lib/modules' - readOnly: true - ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: cephfs-csi-provisioner-psp - # replace with non-default namespace name - namespace: default -rules: - - apiGroups: ['policy'] - resources: ['podsecuritypolicies'] - verbs: ['use'] - resourceNames: ['cephfs-csi-provisioner-psp'] - ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: cephfs-csi-provisioner-psp - # replace with non-default namespace name - namespace: default -subjects: - - kind: ServiceAccount - name: cephfs-csi-provisioner - # replace with non-default namespace name - namespace: default -roleRef: - kind: Role - name: cephfs-csi-provisioner-psp - apiGroup: rbac.authorization.k8s.io diff --git a/deploy/nfs/kubernetes/csi-nodeplugin-psp.yaml b/deploy/nfs/kubernetes/csi-nodeplugin-psp.yaml deleted file mode 100644 index 1ae0398ff..000000000 --- a/deploy/nfs/kubernetes/csi-nodeplugin-psp.yaml +++ /dev/null 
@@ -1,77 +0,0 @@ ---- -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: nfs-csi-nodeplugin-psp -spec: - allowPrivilegeEscalation: true - allowedCapabilities: - - 'SYS_ADMIN' - fsGroup: - rule: RunAsAny - privileged: true - hostNetwork: true - hostPID: true - runAsUser: - rule: RunAsAny - seLinux: - rule: RunAsAny - supplementalGroups: - rule: RunAsAny - volumes: - - 'configMap' - - 'emptyDir' - - 'projected' - - 'secret' - - 'hostPath' - allowedHostPaths: - - pathPrefix: '/dev' - readOnly: false - - pathPrefix: '/run/mount' - readOnly: false - - pathPrefix: '/sys' - readOnly: false - - pathPrefix: '/etc/selinux' - readOnly: true - - pathPrefix: '/lib/modules' - readOnly: true - - pathPrefix: '/var/lib/kubelet/pods' - readOnly: false - - pathPrefix: '/var/lib/kubelet/plugins/nfs.csi.ceph.com' - readOnly: false - - pathPrefix: '/var/lib/kubelet/plugins_registry' - readOnly: false - - pathPrefix: '/var/lib/kubelet/plugins' - readOnly: false - hostPorts: - - min: 29653 - max: 29653 ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: nfs-csi-nodeplugin-psp - # replace with non-default namespace name - namespace: default -rules: - - apiGroups: ['policy'] - resources: ['podsecuritypolicies'] - verbs: ['use'] - resourceNames: ['nfs-csi-nodeplugin-psp'] - ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: nfs-csi-nodeplugin-psp - # replace with non-default namespace name - namespace: default -subjects: - - kind: ServiceAccount - name: nfs-csi-nodeplugin - # replace with non-default namespace name - namespace: default -roleRef: - kind: Role - name: nfs-csi-nodeplugin-psp - apiGroup: rbac.authorization.k8s.io diff --git a/deploy/nfs/kubernetes/csi-provisioner-psp.yaml b/deploy/nfs/kubernetes/csi-provisioner-psp.yaml deleted file mode 100644 index b5115817d..000000000 --- a/deploy/nfs/kubernetes/csi-provisioner-psp.yaml +++ /dev/null 
@@ -1,55 +0,0 @@ ---- -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: nfs-csi-provisioner-psp -spec: - fsGroup: - rule: RunAsAny - runAsUser: - rule: RunAsAny - seLinux: - rule: RunAsAny - supplementalGroups: - rule: RunAsAny - volumes: - - 'configMap' - - 'emptyDir' - - 'projected' - - 'secret' - - 'hostPath' - allowedHostPaths: - - pathPrefix: '/dev' - readOnly: false - - pathPrefix: '/sys' - readOnly: false - - pathPrefix: '/lib/modules' - readOnly: true ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: nfs-csi-provisioner-psp - # replace with non-default namespace name - namespace: default -rules: - - apiGroups: ['policy'] - resources: ['podsecuritypolicies'] - verbs: ['use'] - resourceNames: ['nfs-csi-provisioner-psp'] ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: nfs-csi-provisioner-psp - # replace with non-default namespace name - namespace: default -subjects: - - kind: ServiceAccount - name: nfs-csi-provisioner - # replace with non-default namespace name - namespace: default -roleRef: - kind: Role - name: nfs-csi-provisioner-psp - apiGroup: rbac.authorization.k8s.io diff --git a/deploy/rbd/kubernetes/csi-nodeplugin-psp.yaml b/deploy/rbd/kubernetes/csi-nodeplugin-psp.yaml deleted file mode 100644 index 5ca5b3645..000000000 --- a/deploy/rbd/kubernetes/csi-nodeplugin-psp.yaml +++ /dev/null 
@@ -1,77 +0,0 @@ ---- -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: rbd-csi-nodeplugin-psp -spec: - allowPrivilegeEscalation: true - allowedCapabilities: - - 'SYS_ADMIN' - fsGroup: - rule: RunAsAny - privileged: true - hostNetwork: true - hostPID: true - runAsUser: - rule: RunAsAny - seLinux: - rule: RunAsAny - supplementalGroups: - rule: RunAsAny - volumes: - - 'configMap' - - 'emptyDir' - - 'projected' - - 'hostPath' - - 'secret' - allowedHostPaths: - - pathPrefix: '/dev' - readOnly: false - - pathPrefix: '/run/mount' - readOnly: false - - pathPrefix: '/sys' - readOnly: false - - pathPrefix: '/etc/selinux' - readOnly: true - - pathPrefix: '/lib/modules' - readOnly: true - - pathPrefix: '/var/lib/kubelet/pods' - readOnly: false - - pathPrefix: '/var/log/ceph' - readOnly: false - - pathPrefix: '/var/lib/kubelet/plugins/rbd.csi.ceph.com' - readOnly: false - - pathPrefix: '/var/lib/kubelet/plugins_registry' - readOnly: false - - pathPrefix: '/var/lib/kubelet/plugins' - readOnly: false - ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: rbd-csi-nodeplugin-psp - # replace with non-default namespace name - namespace: default -rules: - - apiGroups: ['policy'] - resources: ['podsecuritypolicies'] - verbs: ['use'] - resourceNames: ['rbd-csi-nodeplugin-psp'] - ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: rbd-csi-nodeplugin-psp - # replace with non-default namespace name - namespace: default -subjects: - - kind: ServiceAccount - name: rbd-csi-nodeplugin - # replace with non-default namespace name - namespace: default -roleRef: - kind: Role - name: rbd-csi-nodeplugin-psp - apiGroup: rbac.authorization.k8s.io diff --git a/deploy/rbd/kubernetes/csi-provisioner-psp.yaml b/deploy/rbd/kubernetes/csi-provisioner-psp.yaml deleted file mode 100644 index b6200b625..000000000 --- a/deploy/rbd/kubernetes/csi-provisioner-psp.yaml +++ /dev/null 
@@ -1,57 +0,0 @@ ---- -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: rbd-csi-provisioner-psp -spec: - fsGroup: - rule: RunAsAny - runAsUser: - rule: RunAsAny - seLinux: - rule: RunAsAny - supplementalGroups: - rule: RunAsAny - volumes: - - 'configMap' - - 'emptyDir' - - 'projected' - - 'secret' - - 'hostPath' - allowedHostPaths: - - pathPrefix: '/dev' - readOnly: false - - pathPrefix: '/sys' - readOnly: false - - pathPrefix: '/lib/modules' - readOnly: true - ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - # replace with non-default namespace name - namespace: default - name: rbd-csi-provisioner-psp -rules: - - apiGroups: ['policy'] - resources: ['podsecuritypolicies'] - verbs: ['use'] - resourceNames: ['rbd-csi-provisioner-psp'] - ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: rbd-csi-provisioner-psp - # replace with non-default namespace name - namespace: default -subjects: - - kind: ServiceAccount - name: rbd-csi-provisioner - # replace with non-default namespace name - namespace: default -roleRef: - kind: Role - name: rbd-csi-provisioner-psp - apiGroup: rbac.authorization.k8s.io diff --git a/docs/ceph-csi-upgrade.md b/docs/ceph-csi-upgrade.md index ead87c757..424b0ccb5 100644 --- a/docs/ceph-csi-upgrade.md +++ b/docs/ceph-csi-upgrade.md @@ -17,6 +17,7 @@ - [2.1 Update the CephFS Nodeplugin RBAC](#21-update-the-cephfs-nodeplugin-rbac) - [2.2 Update the CephFS Nodeplugin daemonset](#22-update-the-cephfs-nodeplugin-daemonset) - [2.3 Manual deletion of CephFS Nodeplugin daemonset pods](#23-manual-deletion-of-cephfs-nodeplugin-daemonset-pods) + - [Delete removed CephFS PSP, Role and RoleBinding](#delete-removed-cephfs-psp-role-and-rolebinding) - [Upgrading RBD](#upgrading-rbd) - [3. Upgrade RBD Provisioner resources](#3-upgrade-rbd-provisioner-resources) - [3.1 Update the RBD Provisioner RBAC](#31-update-the-rbd-provisioner-rbac) 
@@ -24,6 +25,7 @@ - [4. Upgrade RBD Nodeplugin resources](#4-upgrade-rbd-nodeplugin-resources) - [4.1 Update the RBD Nodeplugin RBAC](#41-update-the-rbd-nodeplugin-rbac) - [4.2 Update the RBD Nodeplugin daemonset](#42-update-the-rbd-nodeplugin-daemonset) + - [Delete removed RBD PSP, Role and RoleBinding](#delete-removed-rbd-psp-role-and-rolebinding) - [Upgrading NFS](#upgrading-nfs) - [5. Upgrade NFS Provisioner resources](#5-upgrade-nfs-provisioner-resources) - [5.1 Update the NFS Provisioner RBAC](#51-update-the-nfs-provisioner-rbac) @@ -231,6 +233,20 @@ For each node: - The pod deletion causes the pods to be restarted and updated automatically on the node. +#### Delete removed CephFS PSP, Role and RoleBinding + +As PSP is deprecated in Kubernetes v1.21.0. Delete PSP related objects as PSP +support for CephFS is removed. + +```console +kubectl delete psp cephfs-csi-provisioner-psp --ignore-not-found +kubectl delete role cephfs-csi-provisioner-psp --ignore-not-found +kubectl delete rolebinding cephfs-csi-provisioner-psp --ignore-not-found +kubectl delete psp cephfs-csi-nodeplugin-psp --ignore-not-found +kubectl delete role cephfs-csi-nodeplugin-psp --ignore-not-found +kubectl delete rolebinding cephfs-csi-nodeplugin-psp --ignore-not-found +``` + we have successfully upgraded cephfs csi from v3.6 to v3.7 ### Upgrading RBD 
@@ -297,6 +313,23 @@ daemonset.apps/csi-rbdplugin configured service/csi-metrics-rbdplugin configured ``` +#### Delete removed RBD PSP, Role and RoleBinding + +As PSP is deprecated in Kubernetes v1.21.0. Delete PSP related objects as PSP +support for RBD is removed. + +```console +kubectl delete psp rbd-csi-provisioner-psp --ignore-not-found +kubectl delete role rbd-csi-provisioner-psp --ignore-not-found +kubectl delete rolebinding rbd-csi-provisioner-psp --ignore-not-found +kubectl delete psp rbd-csi-nodeplugin-psp --ignore-not-found +kubectl delete role rbd-csi-nodeplugin-psp --ignore-not-found +kubectl delete rolebinding rbd-csi-nodeplugin-psp --ignore-not-found +kubectl delete psp rbd-csi-vault-token-review-psp --ignore-not-found +kubectl delete role rbd-csi-vault-token-review-psp --ignore-not-found +kubectl delete rolebinding rbd-csi-vault-token-review-psp --ignore-not-found +``` + we have successfully upgraded RBD csi from v3.6 to v3.7 ### Upgrading NFS diff --git a/docs/deploy-cephfs.md b/docs/deploy-cephfs.md index 037b0ac4d..b79035dc6 100644 --- a/docs/deploy-cephfs.md +++ b/docs/deploy-cephfs.md @@ -140,16 +140,6 @@ Those manifests deploy service accounts, cluster roles and cluster role bindings. These are shared for both RBD and CephFS CSI plugins, as they require the same permissions. -**Deploy PodSecurityPolicy resources for sidecar containers and node plugins:** - -**NOTE:** These manifests are required only if [PodSecurityPolicy](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#podsecuritypolicy) -admission controller is active on your cluster. - -```bash -kubectl create -f csi-provisioner-psp.yaml -kubectl create -f csi-nodeplugin-psp.yaml -``` - **Deploy ConfigMap for CSI plugins:** ```bash diff --git a/docs/deploy-rbd.md b/docs/deploy-rbd.md index 91e8918b9..3f2dc69bd 100644 --- a/docs/deploy-rbd.md +++ b/docs/deploy-rbd.md 
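Review bot: The added `kubectl delete role …` and `kubectl delete rolebinding …` lines in this RBD section (and the matching CephFS section in the previous hunk) name no namespace, so they act on whatever namespace the current context points at, while the deleted manifests created these objects in `default` with a "replace with non-default namespace name" comment; each line should carry `-n <namespace>`. On a cluster already on Kubernetes 1.25, which the commit message names as the release that removes PSP, the `policy/v1beta1` API no longer exists and `kubectl delete psp … --ignore-not-found` fails with an unknown-resource-type error rather than a quiet NotFound, so the text should tell operators to skip the `psp` lines there. The deleted nodeplugin PSP was also the only manifest recording that the node plugin runs with `privileged: true`, `hostNetwork`, `hostPID` and `SYS_ADMIN`; with it gone, a cluster enforcing Pod Security Admission rejects the DaemonSet unless the release namespace is labelled `pod-security.kubernetes.io/enforce: privileged`, which this upgrade section should state explicitly.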
@@ -109,16 +109,6 @@ Those manifests deploy service accounts, cluster roles and cluster role bindings. These are shared for both RBD and CephFS CSI plugins, as they require the same permissions.
-**Deploy PodSecurityPolicy resources for sidecar containers and node plugins:**
-
-**NOTE:** These manifests are required only if [PodSecurityPolicy](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#podsecuritypolicy)
-admission controller is active on your cluster.
-
-```bash
-kubectl create -f csi-provisioner-psp.yaml
-kubectl create -f csi-nodeplugin-psp.yaml
-```
-
 **Deploy ConfigMap for CSI plugins:**
 ```bash
diff --git a/docs/rbd-nbd.md b/docs/rbd-nbd.md
index 61d7ac72a..d9eb9d78c 100644
--- a/docs/rbd-nbd.md
+++ b/docs/rbd-nbd.md
@@ -61,7 +61,7 @@ storageclass yaml
 ```
- For standard templates edit [csi-rbdplugin.yaml](../deploy/rbd/kubernetes/csi-rbdplugin.yaml)
- to update `hostPath` for `ceph-logdir`, also edit psp [csi-nodeplugin-psp.yaml](../deploy/rbd/kubernetes/csi-nodeplugin-psp.yaml)
+ to update `hostPath` for `ceph-logdir`.
 to update `pathPrefix` spec entries.
- Update the StorageClass with the customized log directory path
- Now update rbd StorageClass for `cephLogDir`, for example
diff --git a/e2e/cephfs.go b/e2e/cephfs.go
index 509972c19..c21a06ac5 100644
--- a/e2e/cephfs.go
+++ b/e2e/cephfs.go
@@ -34,10 +34,8 @@ import (
 var (
 cephFSProvisioner = "csi-cephfsplugin-provisioner.yaml"
 cephFSProvisionerRBAC = "csi-provisioner-rbac.yaml"
- cephFSProvisionerPSP = "csi-provisioner-psp.yaml"
 cephFSNodePlugin = "csi-cephfsplugin.yaml"
 cephFSNodePluginRBAC = "csi-nodeplugin-rbac.yaml"
- cephFSNodePluginPSP = "csi-nodeplugin-psp.yaml"
 cephFSDeploymentName = "csi-cephfsplugin-provisioner"
 cephFSDeamonSetName = "csi-cephfsplugin"
 cephFSContainerName = "csi-cephfsplugin"
@@ -83,10 +81,6 @@ func createORDeleteCephfsResources(action kubectlAction) {
 filename: cephFSDirPath + cephFSProvisionerRBAC,
 namespace: cephCSINamespace,
 },
- &yamlResourceNamespaced{
- filename: cephFSDirPath + cephFSProvisionerPSP,
- namespace: cephCSINamespace,
- },
 // the provisioner itself
 &yamlResourceNamespaced{
 filename: cephFSDirPath + cephFSProvisioner,
@@ -98,10 +92,6 @@ func createORDeleteCephfsResources(action kubectlAction) {
 filename: cephFSDirPath + cephFSNodePluginRBAC,
 namespace: cephCSINamespace,
 },
- &yamlResourceNamespaced{
- filename: cephFSDirPath + cephFSNodePluginPSP,
- namespace: cephCSINamespace,
- },
 // the node-plugin itself
 &yamlResourceNamespaced{
 filename: cephFSDirPath + cephFSNodePlugin,
diff --git a/e2e/deploy-vault.go b/e2e/deploy-vault.go
index 6fc8f5237..2f7bad355 100644
--- a/e2e/deploy-vault.go
+++ b/e2e/deploy-vault.go
@@ -30,7 +30,6 @@ import (
 var (
 vaultExamplePath = "../examples/kms/vault/"
 vaultServicePath = "vault.yaml"
- vaultPSPPath = "vault-psp.yaml"
 vaultRBACPath = "csi-vaulttokenreview-rbac.yaml"
 vaultConfigPath = "kms-config.yaml"
 vaultTenantPath = "tenant-sa.yaml"
@@ -99,15 +98,6 @@ func createORDeleteVault(action kubectlAction) {
 if err != nil {
 e2elog.Failf("failed to %s vault configmap %v", action, err)
 }
-
- data, err = replaceNamespaceInTemplate(vaultExamplePath + vaultPSPPath)
- if err != nil {
- e2elog.Failf("failed to read content from %s %v", vaultExamplePath+vaultPSPPath, err)
- }
- err = retryKubectlInput(cephCSINamespace, action, data, deployTimeout)
- if err != nil {
- e2elog.Failf("failed to %s vault psp %v", action, err)
- }
 }
 // createTenantServiceAccount uses the tenant-sa.yaml example file to create
diff --git a/e2e/nfs.go b/e2e/nfs.go
index ec23d6063..54753f677 100644
--- a/e2e/nfs.go
+++ b/e2e/nfs.go
@@ -37,10 +37,8 @@ import (
 var (
 nfsProvisioner = "csi-nfsplugin-provisioner.yaml"
 nfsProvisionerRBAC = "csi-provisioner-rbac.yaml"
- nfsProvisionerPSP = "csi-provisioner-psp.yaml"
 nfsNodePlugin = "csi-nfsplugin.yaml"
 nfsNodePluginRBAC = "csi-nodeplugin-rbac.yaml"
- nfsNodePluginPSP = "csi-nodeplugin-psp.yaml"
 nfsRookCephNFS = "rook-nfs.yaml"
 nfsDeploymentName = "csi-nfsplugin-provisioner"
 nfsDeamonSetName = "csi-nfsplugin"
@@ -95,10 +93,6 @@ func createORDeleteNFSResources(f *framework.Framework, action kubectlAction) {
 filename: nfsDirPath + nfsProvisionerRBAC,
 namespace: cephCSINamespace,
 },
- &yamlResourceNamespaced{
- filename: nfsDirPath + nfsProvisionerPSP,
- namespace: cephCSINamespace,
- },
 // the provisioner itself
 &yamlResourceNamespaced{
 filename: nfsDirPath + nfsProvisioner,
@@ -110,10 +104,6 @@ func createORDeleteNFSResources(f *framework.Framework, action kubectlAction) {
 filename: nfsDirPath + nfsNodePluginRBAC,
 namespace: cephCSINamespace,
 },
- &yamlResourceNamespaced{
- filename: nfsDirPath + nfsNodePluginPSP,
- namespace: cephCSINamespace,
- },
 // the node-plugin itself
 &yamlResourceNamespaced{
 filename: nfsDirPath + nfsNodePlugin,
diff --git a/e2e/rbd.go b/e2e/rbd.go
index 67310e458..d611d8788 100644
--- a/e2e/rbd.go
+++ b/e2e/rbd.go
@@ -38,10 +38,8 @@ import (
 var (
 rbdProvisioner = "csi-rbdplugin-provisioner.yaml"
 rbdProvisionerRBAC = "csi-provisioner-rbac.yaml"
- rbdProvisionerPSP = "csi-provisioner-psp.yaml"
 rbdNodePlugin = "csi-rbdplugin.yaml"
 rbdNodePluginRBAC = "csi-nodeplugin-rbac.yaml"
- rbdNodePluginPSP = "csi-nodeplugin-psp.yaml"
 configMap = "csi-config-map.yaml"
 cephConfconfigMap = "ceph-conf.yaml"
 csiDriverObject = "csidriver.yaml"
@@ -145,10 +143,6 @@ func createORDeleteRbdResources(action kubectlAction) {
 filename: rbdDirPath + rbdProvisionerRBAC,
 namespace: cephCSINamespace,
 },
- &yamlResourceNamespaced{
- filename: rbdDirPath + rbdProvisionerPSP,
- namespace: cephCSINamespace,
- },
 // the provisioner itself
 &yamlResourceNamespaced{
 filename: rbdDirPath + rbdProvisioner,
@@ -161,10 +155,6 @@ func createORDeleteRbdResources(action kubectlAction) {
 filename: rbdDirPath + rbdNodePluginRBAC,
 namespace: cephCSINamespace,
 },
- &yamlResourceNamespaced{
- filename: rbdDirPath + rbdNodePluginPSP,
- namespace: cephCSINamespace,
- },
 // the node-plugin itself
 &yamlResourceNamespaced{
 filename: rbdDirPath + rbdNodePlugin,
diff --git a/examples/kms/vault/vault-psp.yaml b/examples/kms/vault/vault-psp.yaml
deleted file mode 100644
index fef801ae7..000000000
--- a/examples/kms/vault/vault-psp.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: rbd-csi-vault-token-review-psp
-spec:
- fsGroup:
- rule: RunAsAny
- runAsUser:
- rule: RunAsAny
- seLinux:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- volumes:
- - 'configMap'
- - 'secret'
-
----
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- # replace with non-default namespace name
- namespace: default
- name: rbd-csi-vault-token-review-psp
-rules:
- - apiGroups: ['policy']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames: ['rbd-csi-vault-token-review-psp']
-
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: rbd-csi-vault-token-review-psp
- # replace with non-default namespace name
- namespace: default
-subjects:
- - kind: ServiceAccount
- name: rbd-csi-vault-token-review
- # replace with non-default namespace name
- namespace: default
-roleRef:
- kind: Role
- name: rbd-csi-vault-token-review-psp
- apiGroup: rbac.authorization.k8s.io
diff --git a/scripts/install-helm.sh b/scripts/install-helm.sh
index 66b58bd76..cf3a8ad44 100755
--- a/scripts/install-helm.sh
+++ b/scripts/install-helm.sh
@@ -169,7 +169,7 @@ install_cephcsi_helm_charts() {
 fi
 # install ceph-csi-cephfs and ceph-csi-rbd charts
 # shellcheck disable=SC2086
- "${HELM}" install --namespace ${NAMESPACE} --set provisioner.fullnameOverride=csi-cephfsplugin-provisioner --set nodeplugin.fullnameOverride=csi-cephfsplugin --set configMapName=ceph-csi-config --set provisioner.podSecurityPolicy.enabled=true --set nodeplugin.podSecurityPolicy.enabled=true --set provisioner.replicaCount=1 ${SET_SC_TEMPLATE_VALUES} ${CEPHFS_SECRET_TEMPLATE_VALUES} ${CEPHFS_CHART_NAME} "${SCRIPT_DIR}"/../charts/ceph-csi-cephfs
+ "${HELM}" install --namespace ${NAMESPACE} --set provisioner.fullnameOverride=csi-cephfsplugin-provisioner --set nodeplugin.fullnameOverride=csi-cephfsplugin --set configMapName=ceph-csi-config --set provisioner.replicaCount=1 ${SET_SC_TEMPLATE_VALUES} ${CEPHFS_SECRET_TEMPLATE_VALUES} ${CEPHFS_CHART_NAME} "${SCRIPT_DIR}"/../charts/ceph-csi-cephfs
 check_deployment_status app=ceph-csi-cephfs ${NAMESPACE}
 check_daemonset_status app=ceph-csi-cephfs ${NAMESPACE}
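Review bot: Nothing replaces the dropped pod-security gating on the new `helm install` line: the two `podSecurityPolicy.enabled` values are gone (here and in the second `helm install` hunk of this file below), and the `minikube start` hunk in scripts/minikube.sh likewise drops `${EXTRA_CONFIG_PSP}` without enabling anything in its place, so the e2e cluster now admits the CSI pods under no pod-security policy at all. The deleted PSP manifests later in this diff granted `privileged: true` and `hostPath` volumes, so the workloads presumably still need that level; if the e2e run is meant to keep validating the charts against an admission policy, the Pod Security Admission built into current Kubernetes can take over by labelling the namespace that runs the node plugin (e.g. `pod-security.kubernetes.io/enforce=privileged`) rather than relying on the cluster default. A one-line comment above the install would stop the next reader from hunting for the old values, e.g. `# PSP values were removed from the charts; pod-security enforcement, if any, now comes from the cluster's Pod Security Admission settings`. install_cephcsi_helm_charts continues outside the hunk.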
@@ -179,7 +179,7 @@ install_cephcsi_helm_charts() {
 kubectl_retry delete cm ceph-config --namespace ${NAMESPACE}
 # shellcheck disable=SC2086
- "${HELM}" install --namespace ${NAMESPACE} --set provisioner.fullnameOverride=csi-rbdplugin-provisioner --set nodeplugin.fullnameOverride=csi-rbdplugin --set configMapName=ceph-csi-config --set provisioner.podSecurityPolicy.enabled=true --set nodeplugin.podSecurityPolicy.enabled=true --set provisioner.replicaCount=1 ${SET_SC_TEMPLATE_VALUES} ${RBD_SECRET_TEMPLATE_VALUES} ${RBD_CHART_NAME} "${SCRIPT_DIR}"/../charts/ceph-csi-rbd --set topology.enabled=true --set topology.domainLabels="{${NODE_LABEL_REGION},${NODE_LABEL_ZONE}}" --set provisioner.maxSnapshotsOnImage=3 --set provisioner.minSnapshotsOnImage=2
+ "${HELM}" install --namespace ${NAMESPACE} --set provisioner.fullnameOverride=csi-rbdplugin-provisioner --set nodeplugin.fullnameOverride=csi-rbdplugin --set configMapName=ceph-csi-config --set provisioner.replicaCount=1 ${SET_SC_TEMPLATE_VALUES} ${RBD_SECRET_TEMPLATE_VALUES} ${RBD_CHART_NAME} "${SCRIPT_DIR}"/../charts/ceph-csi-rbd --set topology.enabled=true --set topology.domainLabels="{${NODE_LABEL_REGION},${NODE_LABEL_ZONE}}" --set provisioner.maxSnapshotsOnImage=3 --set provisioner.minSnapshotsOnImage=2
 check_deployment_status app=ceph-csi-rbd ${NAMESPACE}
 check_daemonset_status app=ceph-csi-rbd ${NAMESPACE}
diff --git a/scripts/install-snapshot.sh b/scripts/install-snapshot.sh
index f6b6d35cf..aa2963104 100755
--- a/scripts/install-snapshot.sh
+++ b/scripts/install-snapshot.sh
@@ -61,17 +61,14 @@ function create_or_delete_resource() {
 local namespace=$2
 temp_rbac=${TEMP_DIR}/snapshot-rbac.yaml
 temp_snap_controller=${TEMP_DIR}/snapshot-controller.yaml
- snapshotter_psp="${SCRIPT_DIR}/snapshot-controller-psp.yaml"
 mkdir -p "${TEMP_DIR}"
 curl -o "${temp_rbac}" "${SNAPSHOT_RBAC}"
 curl -o "${temp_snap_controller}" "${SNAPSHOT_CONTROLLER}"
 sed -i "s/namespace: kube-system/namespace: ${namespace}/g" "${temp_rbac}"
 sed -i "s/namespace: kube-system/namespace: ${namespace}/g" "${temp_snap_controller}"
- sed -i "s/namespace: kube-system/namespace: ${namespace}/g" "${snapshotter_psp}"
 sed -i "s/canary/${SNAPSHOT_VERSION}/g" "${temp_snap_controller}"
 kubectl "${operation}" -f "${temp_rbac}"
- kubectl "${operation}" -f "${snapshotter_psp}"
 kubectl "${operation}" -f "${temp_snap_controller}" -n "${namespace}"
 kubectl "${operation}" -f "${SNAPSHOTCLASS}"
 kubectl "${operation}" -f "${VOLUME_SNAPSHOT_CONTENT}"
diff --git a/scripts/minikube.sh b/scripts/minikube.sh
index a9db7ead1..30dfc7bd5 100755
--- a/scripts/minikube.sh
+++ b/scripts/minikube.sh
@@ -212,9 +212,6 @@ CSI_IMAGE_VERSION=${CSI_IMAGE_VERSION:-"v3.7-canary"}
 #feature-gates for kube
 K8S_FEATURE_GATES=${K8S_FEATURE_GATES:-""}
-#extra-config for kube https://minikube.sigs.k8s.io/docs/reference/configuration/kubernetes/
-EXTRA_CONFIG_PSP="--extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy --addons=pod-security-policy"
-
 # kubelet.resolv-conf needs to point to a file, not a symlink
 # the default minikube VM has /etc/resolv.conf -> /run/systemd/resolve/resolv.conf
 RESOLV_CONF='/run/systemd/resolve/resolv.conf'
@@ -265,7 +262,7 @@ up)
 K8S_FEATURE_GATES="${K8S_FEATURE_GATES},RecoverVolumeExpansionFailure=true"
 fi
 # shellcheck disable=SC2086
- ${minikube} start --force --memory="${MEMORY}" --cpus="${CPUS}" -b kubeadm --kubernetes-version="${KUBE_VERSION}" --driver="${VM_DRIVER}" --feature-gates="${K8S_FEATURE_GATES}" --cni="${CNI}" ${EXTRA_CONFIG} ${EXTRA_CONFIG_PSP} --wait-timeout="${MINIKUBE_WAIT_TIMEOUT}" --wait="${MINIKUBE_WAIT}" --delete-on-failure ${DISK_CONFIG}
+ ${minikube} start --force --memory="${MEMORY}" --cpus="${CPUS}" -b kubeadm --kubernetes-version="${KUBE_VERSION}" --driver="${VM_DRIVER}" --feature-gates="${K8S_FEATURE_GATES}" --cni="${CNI}" ${EXTRA_CONFIG} --wait-timeout="${MINIKUBE_WAIT_TIMEOUT}" --wait="${MINIKUBE_WAIT}" --delete-on-failure ${DISK_CONFIG}
 # create a link so the default dataDirHostPath will work for this
 # environment
diff --git a/scripts/psp.yaml b/scripts/psp.yaml
deleted file mode 100644
index 06bd37e06..000000000
--- a/scripts/psp.yaml
+++ /dev/null
@@ -1,135 +0,0 @@
-# Required PodSecurityPolicies, Roles and RoleBindings
-# for minikube to bootstrap when PSPs are enabled
-# https://minikube.sigs.k8s.io/docs/tutorials/using_psp/
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: privileged
- annotations:
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
- labels:
- addonmanager.kubernetes.io/mode: EnsureExists
-spec:
- privileged: true
- allowPrivilegeEscalation: true
- allowedCapabilities:
- - "*"
- volumes:
- - "*"
- hostNetwork: true
- hostPorts:
- - min: 0
- max: 65535
- hostIPC: true
- hostPID: true
- runAsUser:
- rule: 'RunAsAny'
- seLinux:
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'RunAsAny'
- fsGroup:
- rule: 'RunAsAny'
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: restricted
- labels:
- addonmanager.kubernetes.io/mode: EnsureExists
-spec:
- privileged: false
- allowPrivilegeEscalation: false
- requiredDropCapabilities:
- - ALL
- volumes:
- - 'configMap'
- - 'emptyDir'
- - 'projected'
- - 'secret'
- - 'downwardAPI'
- - 'persistentVolumeClaim'
- hostNetwork: false
- hostIPC: false
- hostPID: false
- runAsUser:
- rule: 'MustRunAsNonRoot'
- seLinux:
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'MustRunAs'
- ranges:
- # Forbid adding the root group.
- - min: 1
- max: 65535
- fsGroup:
- rule: 'MustRunAs'
- ranges:
- # Forbid adding the root group.
- - min: 1
- max: 65535
- readOnlyRootFilesystem: false
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: psp:privileged
- labels:
- addonmanager.kubernetes.io/mode: EnsureExists
-rules:
- - apiGroups: ['policy']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames:
- - privileged
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: psp:restricted
- labels:
- addonmanager.kubernetes.io/mode: EnsureExists
-rules:
- - apiGroups: ['policy']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames:
- - restricted
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: default:restricted
- labels:
- addonmanager.kubernetes.io/mode: EnsureExists
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:restricted
-subjects:
- - kind: Group
- name: system:authenticated
- apiGroup: rbac.authorization.k8s.io
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: default:privileged
- namespace: kube-system
- labels:
- addonmanager.kubernetes.io/mode: EnsureExists
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:privileged
-subjects:
- - kind: Group
- name: system:masters
- apiGroup: rbac.authorization.k8s.io
- - kind: Group
- name: system:nodes
- apiGroup: rbac.authorization.k8s.io
- - kind: Group
- name: system:serviceaccounts:kube-system
- apiGroup: rbac.authorization.k8s.io
diff --git a/scripts/snapshot-controller-psp.yaml b/scripts/snapshot-controller-psp.yaml
deleted file mode 100644
index 21c4d0fb6..000000000
--- a/scripts/snapshot-controller-psp.yaml
+++ /dev/null
@@ -1,55 +0,0 @@
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: csi-snapshotter-psp
- namespace: kube-system
-spec:
- allowPrivilegeEscalation: true
- allowedCapabilities:
- - "SYS_ADMIN"
- fsGroup:
- rule: RunAsAny
- privileged: true
- runAsUser:
- rule: RunAsAny
- seLinux:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- volumes:
- - "configMap"
- - "emptyDir"
- - "secret"
- - "projected"
- - "hostPath"
-
----
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: csi-snapshotter-psp
- # replace with non-kube-system namespace name
- namespace: kube-system
-rules:
- - apiGroups: ["policy"]
- resources: ["podsecuritypolicies"]
- verbs: ["use"]
- resourceNames: ["csi-snapshotter-psp"]
-
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: csi-snapshotter-psp
- # replace with non-kube-system namespace name
- namespace: kube-system
-subjects:
- - kind: ServiceAccount
- name: snapshot-controller
- # replace with non-kube-system namespace name
- namespace: kube-system
-roleRef:
- kind: Role
- name: csi-snapshotter-psp
- apiGroup: rbac.authorization.k8s.io