From a44192b9557ab59000dd8f22711b5356be390742 Mon Sep 17 00:00:00 2001 
From: Jordan Liggitt
Date: Wed, 4 May 2022 15:45:08 -0400
Subject: [PATCH] Remove PodSecurityPolicy cluster config
---
.../event-exporter-psp-binding.yaml | 16 ------
.../event-exporter-psp-role.yaml | 17 ------
.../event-exporter-psp.yaml | 39 -------------
.../fluentd-gcp-psp-binding.yaml | 16 ------
.../fluentd-gcp-psp-role.yaml | 17 ------
.../podsecuritypolicies/fluentd-gcp-psp.yaml | 39 -------------
.../kube-proxy-binding.yaml | 16 ------
.../kube-system-binding.yaml | 17 ------
.../podsecuritypolicies/node-binding.yaml | 24 --------
.../persistent-volume-binder-binding.yaml | 18 ------
.../persistent-volume-binder-role.yaml | 20 -------
.../persistent-volume-binder.yaml | 30 ----------
.../podsecuritypolicies/privileged-role.yaml | 16 ------
.../podsecuritypolicies/privileged.yaml | 33 -----------
.../unprivileged-addon-role.yaml | 17 ------
.../unprivileged-addon.yaml | 55 -------------------
cluster/gce/config-default.sh | 4 --
cluster/gce/config-test.sh | 3 -
cluster/gce/gci/configure-helper.sh | 13 -----
cluster/gce/util.sh | 1 -
hack/local-up-cluster.sh | 15 -----
21 files changed, 426 deletions(-)
delete mode 100644 cluster/addons/fluentd-gcp/podsecuritypolicies/event-exporter-psp-binding.yaml
delete mode 100644 cluster/addons/fluentd-gcp/podsecuritypolicies/event-exporter-psp-role.yaml
delete mode 100644 cluster/addons/fluentd-gcp/podsecuritypolicies/event-exporter-psp.yaml
delete mode 100644 cluster/addons/fluentd-gcp/podsecuritypolicies/fluentd-gcp-psp-binding.yaml
delete mode 100644 cluster/addons/fluentd-gcp/podsecuritypolicies/fluentd-gcp-psp-role.yaml
delete mode 100644 cluster/addons/fluentd-gcp/podsecuritypolicies/fluentd-gcp-psp.yaml
delete mode 100644 cluster/gce/addons/podsecuritypolicies/kube-proxy-binding.yaml
delete mode 100644 cluster/gce/addons/podsecuritypolicies/kube-system-binding.yaml
delete mode 100644 cluster/gce/addons/podsecuritypolicies/node-binding.yaml
delete mode 100644 cluster/gce/addons/podsecuritypolicies/persistent-volume-binder-binding.yaml
delete mode 100644 cluster/gce/addons/podsecuritypolicies/persistent-volume-binder-role.yaml
delete mode 100644 cluster/gce/addons/podsecuritypolicies/persistent-volume-binder.yaml
delete mode 100644 cluster/gce/addons/podsecuritypolicies/privileged-role.yaml
delete mode 100644 cluster/gce/addons/podsecuritypolicies/privileged.yaml
delete mode 100644 cluster/gce/addons/podsecuritypolicies/unprivileged-addon-role.yaml
delete mode 100644 cluster/gce/addons/podsecuritypolicies/unprivileged-addon.yaml
diff --git a/cluster/addons/fluentd-gcp/podsecuritypolicies/event-exporter-psp-binding.yaml b/cluster/addons/fluentd-gcp/podsecuritypolicies/event-exporter-psp-binding.yaml
deleted file mode 100644
index 5ef3b67340c..00000000000
--- a/cluster/addons/fluentd-gcp/podsecuritypolicies/event-exporter-psp-binding.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: gce:podsecuritypolicy:event-exporter
- namespace: kube-system
- labels:
- addonmanager.kubernetes.io/mode: Reconcile
- kubernetes.io/cluster-service: "true"
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: gce:podsecuritypolicy:event-exporter
-subjects:
-- kind: ServiceAccount
- name: event-exporter-sa
- namespace: kube-system
diff --git a/cluster/addons/fluentd-gcp/podsecuritypolicies/event-exporter-psp-role.yaml b/cluster/addons/fluentd-gcp/podsecuritypolicies/event-exporter-psp-role.yaml
deleted file mode 100644
index 1b0e02b2aa2..00000000000
--- a/cluster/addons/fluentd-gcp/podsecuritypolicies/event-exporter-psp-role.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: gce:podsecuritypolicy:event-exporter
- namespace: kube-system
- labels:
- kubernetes.io/cluster-service: "true"
- addonmanager.kubernetes.io/mode: Reconcile
-rules:
-- apiGroups:
- - policy
- resourceNames:
- - gce.event-exporter
- resources:
- - podsecuritypolicies
- verbs:
- - use
diff --git a/cluster/addons/fluentd-gcp/podsecuritypolicies/event-exporter-psp.yaml b/cluster/addons/fluentd-gcp/podsecuritypolicies/event-exporter-psp.yaml
deleted file mode 100644
index fd2e147b686..00000000000
--- a/cluster/addons/fluentd-gcp/podsecuritypolicies/event-exporter-psp.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: gce.event-exporter
- annotations:
- kubernetes.io/description: 'Policy used by the event-exporter addon.'
- seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default,docker/default'
- # 'runtime/default' is already the default, but must be filled in on the
- # pod to pass admission.
- apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
- apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
- labels:
- kubernetes.io/cluster-service: 'true'
- addonmanager.kubernetes.io/mode: Reconcile
-spec:
- privileged: false
- allowPrivilegeEscalation: false
- volumes:
- - 'hostPath'
- - 'secret'
- - 'projected'
- # TODO: This only needs a hostPath to read /etc/ssl/certs,
- # but it should be able to just include these in the image.
- allowedHostPaths:
- - pathPrefix: /etc/ssl/certs
- hostNetwork: false
- hostIPC: false
- hostPID: false
- # TODO: This doesn't need to run as root.
- runAsUser:
- rule: 'RunAsAny'
- seLinux:
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'RunAsAny'
- fsGroup:
- rule: 'RunAsAny'
- readOnlyRootFilesystem: false
diff --git a/cluster/addons/fluentd-gcp/podsecuritypolicies/fluentd-gcp-psp-binding.yaml b/cluster/addons/fluentd-gcp/podsecuritypolicies/fluentd-gcp-psp-binding.yaml
deleted file mode 100644
index b34f524c98d..00000000000
--- a/cluster/addons/fluentd-gcp/podsecuritypolicies/fluentd-gcp-psp-binding.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: gce:podsecuritypolicy:fluentd-gcp
- namespace: kube-system
- labels:
- addonmanager.kubernetes.io/mode: Reconcile
- kubernetes.io/cluster-service: "true"
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: gce:podsecuritypolicy:fluentd-gcp
-subjects:
-- kind: ServiceAccount
- name: fluentd-gcp
- namespace: kube-system
diff --git a/cluster/addons/fluentd-gcp/podsecuritypolicies/fluentd-gcp-psp-role.yaml b/cluster/addons/fluentd-gcp/podsecuritypolicies/fluentd-gcp-psp-role.yaml
deleted file mode 100644
index 529d41b7ae4..00000000000
--- a/cluster/addons/fluentd-gcp/podsecuritypolicies/fluentd-gcp-psp-role.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: gce:podsecuritypolicy:fluentd-gcp
- namespace: kube-system
- labels:
- kubernetes.io/cluster-service: "true"
- addonmanager.kubernetes.io/mode: Reconcile
-rules:
-- apiGroups:
- - policy
- resourceNames:
- - gce.fluentd-gcp
- resources:
- - podsecuritypolicies
- verbs:
- - use
diff --git a/cluster/addons/fluentd-gcp/podsecuritypolicies/fluentd-gcp-psp.yaml b/cluster/addons/fluentd-gcp/podsecuritypolicies/fluentd-gcp-psp.yaml
deleted file mode 100644
index 8c9f096db24..00000000000
--- a/cluster/addons/fluentd-gcp/podsecuritypolicies/fluentd-gcp-psp.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: gce.fluentd-gcp
- annotations:
- kubernetes.io/description: 'Policy used by the fluentd-gcp addon.'
- seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default,docker/default'
- # 'runtime/default' is already the default, but must be filled in on the
- # pod to pass admission.
- apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
- apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
- labels:
- kubernetes.io/cluster-service: 'true'
- addonmanager.kubernetes.io/mode: Reconcile
-spec:
- privileged: false
- allowPrivilegeEscalation: false
- volumes:
- - 'configMap'
- - 'hostPath'
- - 'secret'
- - 'projected'
- allowedHostPaths:
- - pathPrefix: /var/log
- - pathPrefix: /var/lib/docker/containers
- - pathPrefix: /usr/lib64
- hostNetwork: true
- hostIPC: false
- hostPID: false
- runAsUser:
- rule: 'RunAsAny'
- seLinux:
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'RunAsAny'
- fsGroup:
- rule: 'RunAsAny'
- readOnlyRootFilesystem: false
diff --git a/cluster/gce/addons/podsecuritypolicies/kube-proxy-binding.yaml b/cluster/gce/addons/podsecuritypolicies/kube-proxy-binding.yaml
deleted file mode 100644
index b8fc8abd81f..00000000000
--- a/cluster/gce/addons/podsecuritypolicies/kube-proxy-binding.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: gce:podsecuritypolicy:kube-proxy
- namespace: kube-system
- labels:
- addonmanager.kubernetes.io/mode: Reconcile
- kubernetes.io/cluster-service: "true"
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: gce:podsecuritypolicy:privileged
-subjects:
- - kind: ServiceAccount
- name: kube-proxy
- namespace: kube-system
diff --git a/cluster/gce/addons/podsecuritypolicies/kube-system-binding.yaml b/cluster/gce/addons/podsecuritypolicies/kube-system-binding.yaml
deleted file mode 100644
index 0c3c97eca64..00000000000
--- a/cluster/gce/addons/podsecuritypolicies/kube-system-binding.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: gce:podsecuritypolicy:unprivileged-addon
- namespace: kube-system
- labels:
- addonmanager.kubernetes.io/mode: Reconcile
- kubernetes.io/cluster-service: "true"
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: gce:podsecuritypolicy:unprivileged-addon
-subjects:
-- kind: Group
- # All service accounts in the kube-system namespace are allowed to use this.
- name: system:serviceaccounts:kube-system
- apiGroup: rbac.authorization.k8s.io
diff --git a/cluster/gce/addons/podsecuritypolicies/node-binding.yaml b/cluster/gce/addons/podsecuritypolicies/node-binding.yaml
deleted file mode 100644
index 332358240b7..00000000000
--- a/cluster/gce/addons/podsecuritypolicies/node-binding.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: gce:podsecuritypolicy:nodes
- namespace: kube-system
- annotations:
- kubernetes.io/description: 'Allow nodes to create privileged pods. Should
- be used in combination with the NodeRestriction admission plugin to limit
- nodes to mirror pods bound to themselves.'
- labels:
- addonmanager.kubernetes.io/mode: Reconcile
- kubernetes.io/cluster-service: 'true'
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: gce:podsecuritypolicy:privileged
-subjects:
- - kind: Group
- apiGroup: rbac.authorization.k8s.io
- name: system:nodes
- - kind: User
- apiGroup: rbac.authorization.k8s.io
- # Legacy node ID
- name: kubelet
diff --git a/cluster/gce/addons/podsecuritypolicies/persistent-volume-binder-binding.yaml b/cluster/gce/addons/podsecuritypolicies/persistent-volume-binder-binding.yaml
deleted file mode 100644
index 40d202b8362..00000000000
--- a/cluster/gce/addons/podsecuritypolicies/persistent-volume-binder-binding.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-# The persistent volume binder creates recycler pods in the default namespace,
-# but the addon manager only creates namespaced objects in the kube-system
-# namespace, so this is a ClusterRoleBinding.
-kind: ClusterRoleBinding
-metadata:
- name: gce:podsecuritypolicy:persistent-volume-binder
- labels:
- addonmanager.kubernetes.io/mode: Reconcile
- kubernetes.io/cluster-service: "true"
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: gce:podsecuritypolicy:persistent-volume-binder
-subjects:
-- kind: ServiceAccount
- name: persistent-volume-binder
- namespace: kube-system
diff --git a/cluster/gce/addons/podsecuritypolicies/persistent-volume-binder-role.yaml b/cluster/gce/addons/podsecuritypolicies/persistent-volume-binder-role.yaml
deleted file mode 100644
index 5103b54ddd8..00000000000
--- a/cluster/gce/addons/podsecuritypolicies/persistent-volume-binder-role.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-# The persistent volume binder creates recycler pods in the default namespace,
-# but the addon manager only creates namespaced objects in the kube-system
-# namespace, so this is a ClusterRole.
-kind: ClusterRole
-metadata:
- name: gce:podsecuritypolicy:persistent-volume-binder
- namespace: default
- labels:
- kubernetes.io/cluster-service: "true"
- addonmanager.kubernetes.io/mode: Reconcile
-rules:
-- apiGroups:
- - policy
- resourceNames:
- - gce.persistent-volume-binder
- resources:
- - podsecuritypolicies
- verbs:
- - use
diff --git a/cluster/gce/addons/podsecuritypolicies/persistent-volume-binder.yaml b/cluster/gce/addons/podsecuritypolicies/persistent-volume-binder.yaml
deleted file mode 100644
index e365833299c..00000000000
--- a/cluster/gce/addons/podsecuritypolicies/persistent-volume-binder.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: gce.persistent-volume-binder
- annotations:
- kubernetes.io/description: 'Policy used by the persistent-volume-binder
- (a.k.a. persistentvolume-controller) to run recycler pods.'
- seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default,docker/default'
- labels:
- kubernetes.io/cluster-service: 'true'
- addonmanager.kubernetes.io/mode: Reconcile
-spec:
- privileged: false
- volumes:
- - 'nfs'
- - 'secret' # Required for service account credentials.
- - 'projected'
- hostNetwork: false
- hostIPC: false
- hostPID: false
- runAsUser:
- rule: 'RunAsAny'
- seLinux:
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'RunAsAny'
- fsGroup:
- rule: 'RunAsAny'
- readOnlyRootFilesystem: false
diff --git a/cluster/gce/addons/podsecuritypolicies/privileged-role.yaml b/cluster/gce/addons/podsecuritypolicies/privileged-role.yaml
deleted file mode 100644
index d89f67f2591..00000000000
--- a/cluster/gce/addons/podsecuritypolicies/privileged-role.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: gce:podsecuritypolicy:privileged
- labels:
- kubernetes.io/cluster-service: "true"
- addonmanager.kubernetes.io/mode: Reconcile
-rules:
-- apiGroups:
- - policy
- resourceNames:
- - gce.privileged
- resources:
- - podsecuritypolicies
- verbs:
- - use
diff --git a/cluster/gce/addons/podsecuritypolicies/privileged.yaml b/cluster/gce/addons/podsecuritypolicies/privileged.yaml
deleted file mode 100644
index ba85ef98700..00000000000
--- a/cluster/gce/addons/podsecuritypolicies/privileged.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: gce.privileged
- annotations:
- kubernetes.io/description: 'privileged allows full unrestricted access to
- pod features, as if the PodSecurityPolicy controller was not enabled.'
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
- labels:
- kubernetes.io/cluster-service: "true"
- addonmanager.kubernetes.io/mode: Reconcile
-spec:
- privileged: true
- allowPrivilegeEscalation: true
- allowedCapabilities:
- - '*'
- volumes:
- - '*'
- hostNetwork: true
- hostPorts:
- - min: 0
- max: 65535
- hostIPC: true
- hostPID: true
- runAsUser:
- rule: 'RunAsAny'
- seLinux:
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'RunAsAny'
- fsGroup:
- rule: 'RunAsAny'
- readOnlyRootFilesystem: false
diff --git a/cluster/gce/addons/podsecuritypolicies/unprivileged-addon-role.yaml b/cluster/gce/addons/podsecuritypolicies/unprivileged-addon-role.yaml
deleted file mode 100644
index 2edfd62e078..00000000000
--- a/cluster/gce/addons/podsecuritypolicies/unprivileged-addon-role.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: gce:podsecuritypolicy:unprivileged-addon
- namespace: kube-system
- labels:
- kubernetes.io/cluster-service: "true"
- addonmanager.kubernetes.io/mode: Reconcile
-rules:
-- apiGroups:
- - policy
- resourceNames:
- - gce.unprivileged-addon
- resources:
- - podsecuritypolicies
- verbs:
- - use
diff --git a/cluster/gce/addons/podsecuritypolicies/unprivileged-addon.yaml b/cluster/gce/addons/podsecuritypolicies/unprivileged-addon.yaml
deleted file mode 100644
index 3e8ae2622f2..00000000000
--- a/cluster/gce/addons/podsecuritypolicies/unprivileged-addon.yaml
+++ /dev/null
@@ -1,55 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: gce.unprivileged-addon
- annotations:
- kubernetes.io/description: 'This policy grants the minimum amount of
- privilege necessary to run non-privileged kube-system pods. This policy is
- not intended for use outside of kube-system, and may include further
- restrictions in the future.'
- seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default,docker/default'
- # 'runtime/default' is already the default, but must be filled in on the
- # pod to pass admission.
- apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
- apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
- labels:
- kubernetes.io/cluster-service: 'true'
- addonmanager.kubernetes.io/mode: Reconcile
-spec:
- privileged: false
- allowPrivilegeEscalation: false
- # The docker default set of capabilities
- allowedCapabilities:
- - SETPCAP
- - MKNOD
- - AUDIT_WRITE
- - CHOWN
- - NET_RAW
- - DAC_OVERRIDE
- - FOWNER
- - FSETID
- - KILL
- - SETGID
- - SETUID
- - NET_BIND_SERVICE
- - SYS_CHROOT
- - SETFCAP
- volumes:
- - 'emptyDir'
- - 'configMap'
- - 'secret'
- - 'projected'
- hostNetwork: false
- hostIPC: false
- hostPID: false
- # TODO: The addons using this profile should not run as root.
- runAsUser:
- rule: 'RunAsAny'
- seLinux:
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'RunAsAny'
- fsGroup:
- rule: 'RunAsAny'
- readOnlyRootFilesystem: false
diff --git a/cluster/gce/config-default.sh b/cluster/gce/config-default.sh
index e0139a62ecd..c19bc357855 100755
--- a/cluster/gce/config-default.sh
+++ b/cluster/gce/config-default.sh
@@ -366,10 +366,6 @@ CUSTOM_INGRESS_YAML="${CUSTOM_INGRESS_YAML:-}"
# Admission Controllers to invoke prior to persisting objects in cluster
ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,PersistentVolumeClaimResize,DefaultTolerationSeconds,NodeRestriction,Priority,StorageObjectInUseProtection,RuntimeClass
-if [[ "${ENABLE_POD_SECURITY_POLICY:-}" == "true" ]]; then
- ADMISSION_CONTROL="${ADMISSION_CONTROL},PodSecurityPolicy"
-fi
-
# MutatingAdmissionWebhook should be the last controller that modifies the
# request object, otherwise users will be confused if the mutating webhooks'
# modification is overwritten.
diff --git a/cluster/gce/config-test.sh b/cluster/gce/config-test.sh
index 084555555b6..2498262326d 100755
--- a/cluster/gce/config-test.sh
+++ b/cluster/gce/config-test.sh
@@ -411,9 +411,6 @@ CUSTOM_INGRESS_YAML=${CUSTOM_INGRESS_YAML:-}
if [[ -z "${KUBE_ADMISSION_CONTROL:-}" ]]; then
ADMISSION_CONTROL='NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,Priority,StorageObjectInUseProtection,PersistentVolumeClaimResize,RuntimeClass'
- if [[ "${ENABLE_POD_SECURITY_POLICY:-}" = 'true' ]]; then
- ADMISSION_CONTROL="${ADMISSION_CONTROL},PodSecurityPolicy"
- fi
# ResourceQuota must come last, or a creation is recorded, but the pod may be forbidden.
ADMISSION_CONTROL="${ADMISSION_CONTROL},MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota"
else
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index ba3ab881987..16a9be9c7c0 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
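Review bot: With the `PodSecurityPolicy` branch gone, the `ADMISSION_CONTROL` list assembled in this config-default.sh hunk (and the equivalent list in the config-test.sh hunk below) no longer opts into any pod-level security admission plugin of its own, so whether pods in these clusters are still screened now rests entirely on the apiserver's default-enabled `PodSecurity` plugin. That holds unless something elsewhere passes it to `--disable-admission-plugins`, which this diff does not show, so it is worth confirming and recording next to the list, e.g. `# Pod security is enforced by the default-enabled PodSecurity admission plugin; PodSecurityPolicy is no longer wired up here.` A reader comparing old and new configs would otherwise see a pure removal of a security control with no pointer to its replacement.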
@@ -2337,15 +2337,6 @@ function setup-addon-manifests {
local -r dst_dir="/etc/kubernetes/$1/$2"
copy-manifests "${src_dir}/$2" "${dst_dir}"
-
- # If the PodSecurityPolicy admission controller is enabled,
- # set up the corresponding addon policies.
- if [[ "${ENABLE_POD_SECURITY_POLICY:-}" == "true" ]]; then
- local -r psp_dir="${src_dir}/${3:-$2}/podsecuritypolicies"
- if [[ -d "${psp_dir}" ]]; then
- copy-manifests "${psp_dir}" "${dst_dir}"
- fi
- fi
}
# A function that downloads extra addons from a URL and puts them in the GCI
@@ -2695,10 +2686,6 @@ function start-kube-addons {
setup-addon-manifests "addons" "rbac/legacy-kubelet-user-disable"
fi
- if [[ "${ENABLE_POD_SECURITY_POLICY:-}" == "true" ]]; then
- setup-addon-manifests "addons" "podsecuritypolicies"
- fi
-
# Set up manifests of other addons.
if [[ "${KUBE_PROXY_DAEMONSET:-}" == "true" ]] && [[ "${KUBE_PROXY_DISABLE:-}" != "true" ]]; then
if [ -n "${CUSTOM_KUBE_PROXY_YAML:-}" ]; then
diff --git a/cluster/gce/util.sh b/cluster/gce/util.sh
index 17a07102b93..74833d66a11 100755
--- a/cluster/gce/util.sh
+++ b/cluster/gce/util.sh
@@ -1124,7 +1124,6 @@ KUBE_PROXY_MODE: $(yaml-quote "${KUBE_PROXY_MODE:-iptables}")
DETECT_LOCAL_MODE: $(yaml-quote "${DETECT_LOCAL_MODE:-}")
NODE_PROBLEM_DETECTOR_TOKEN: $(yaml-quote "${NODE_PROBLEM_DETECTOR_TOKEN:-}")
ADMISSION_CONTROL: $(yaml-quote "${ADMISSION_CONTROL:-}")
-ENABLE_POD_SECURITY_POLICY: $(yaml-quote "${ENABLE_POD_SECURITY_POLICY:-}")
MASTER_IP_RANGE: $(yaml-quote "${MASTER_IP_RANGE}")
RUNTIME_CONFIG: $(yaml-quote "${RUNTIME_CONFIG}")
CA_CERT: $(yaml-quote "${CA_CERT_BASE64:-}")
diff --git a/hack/local-up-cluster.sh b/hack/local-up-cluster.sh
index 58c91308c99..c04f1e15e61 100755
--- a/hack/local-up-cluster.sh
+++ b/hack/local-up-cluster.sh
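Review bot: The only reader of `$3` in `setup-addon-manifests` was the removed `psp_dir` line, so after this first configure-helper.sh hunk the optional third argument is accepted and silently ignored; the function's opening lines and header comment sit above the hunk, so any documentation of a third argument there, and any caller still passing one, should be dropped with it. Since the remaining body uses only `$1` and `$2` (`dst_dir="/etc/kubernetes/$1/$2"` and `copy-manifests "${src_dir}/$2" "${dst_dir}"`), a header note of the form `# Arguments: $1 - directory under /etc/kubernetes, $2 - manifest subdirectory to copy` would keep the documented contract in step with the code. The same `ENABLE_POD_SECURITY_POLICY` knob is dropped in the `start-kube-addons` hunk and in the util.sh hunk; whether anything outside this diff still sets or documents that variable cannot be seen here and is worth a grep before merge.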
@@ -26,7 +26,6 @@ export DOCKER=(docker "${DOCKER_OPTS[@]}")
DOCKER_ROOT=${DOCKER_ROOT:-""}
ALLOW_PRIVILEGED=${ALLOW_PRIVILEGED:-""}
DENY_SECURITY_CONTEXT_ADMISSION=${DENY_SECURITY_CONTEXT_ADMISSION:-""}
-PSP_ADMISSION=${PSP_ADMISSION:-""}
RUNTIME_CONFIG=${RUNTIME_CONFIG:-""}
KUBELET_AUTHORIZATION_WEBHOOK=${KUBELET_AUTHORIZATION_WEBHOOK:-""}
KUBELET_AUTHENTICATION_WEBHOOK=${KUBELET_AUTHENTICATION_WEBHOOK:-""}
@@ -480,9 +479,6 @@ function start_apiserver {
if [[ -n "${DENY_SECURITY_CONTEXT_ADMISSION}" ]]; then
security_admission=",SecurityContextDeny"
fi
- if [[ -n "${PSP_ADMISSION}" ]]; then
- security_admission=",PodSecurityPolicy"
- fi
# Append security_admission plugin
ENABLE_ADMISSION_PLUGINS="${ENABLE_ADMISSION_PLUGINS}${security_admission}"
@@ -939,13 +935,6 @@ function start_csi_snapshotter {
fi
}
-function create_psp_policy {
- echo "Create podsecuritypolicy policies for RBAC."
- ${KUBECTL} --kubeconfig="${CERT_DIR}/admin.kubeconfig" create -f "${KUBE_ROOT}/examples/podsecuritypolicy/rbac/policies.yaml"
- ${KUBECTL} --kubeconfig="${CERT_DIR}/admin.kubeconfig" create -f "${KUBE_ROOT}/examples/podsecuritypolicy/rbac/roles.yaml"
- ${KUBECTL} --kubeconfig="${CERT_DIR}/admin.kubeconfig" create -f "${KUBE_ROOT}/examples/podsecuritypolicy/rbac/bindings.yaml"
-}
-
function create_storage_class {
if [ -z "${CLOUD_PROVIDER}" ]; then
CLASS_FILE=${KUBE_ROOT}/cluster/addons/storage-class/local/default.yaml
@@ -1208,10 +1197,6 @@ if [[ "${START_MODE}" != "kubeletonly" ]]; then
fi
fi
-if [[ -n "${PSP_ADMISSION}" && "${AUTHORIZATION_MODE}" = *RBAC* ]]; then
- create_psp_policy
-fi
-
if [[ "${DEFAULT_STORAGE_CLASS}" = "true" ]]; then
create_storage_class
fi