removal of podsecuritypolicy code

2025-09-02 07:24:20 +00:00 · 2024-05-17 22:32:40 +05:30
parent 899a6edc91
commit 3da4365485
10 changed files with 0 additions and 162 deletions
--- a/authz/psp.go
+++ b/authz/psp.go
@@ -1,40 +0,0 @@
-package authz
-
-import (
-	"context"
-
-	"k8s.io/client-go/transport"
-
-	"github.com/rancher/rke/k8s"
-	"github.com/rancher/rke/log"
-	"github.com/rancher/rke/templates"
-)
-
-func ApplyDefaultPodSecurityPolicy(ctx context.Context, kubeConfigPath string, k8sWrapTransport transport.WrapperFunc) error {
-	log.Infof(ctx, "[authz] Applying default PodSecurityPolicy")
-	k8sClient, err := k8s.NewClient(kubeConfigPath, k8sWrapTransport)
-	if err != nil {
-		return err
-	}
-	if err := k8s.UpdatePodSecurityPolicyFromYaml(k8sClient, templates.DefaultPodSecurityPolicy); err != nil {
-		return err
-	}
-	log.Infof(ctx, "[authz] Default PodSecurityPolicy applied successfully")
-	return nil
-}
-
-func ApplyDefaultPodSecurityPolicyRole(ctx context.Context, kubeConfigPath, namespace string, k8sWrapTransport transport.WrapperFunc) error {
-	log.Infof(ctx, "[authz] Applying default PodSecurityPolicy Role and RoleBinding in %s", namespace)
-	k8sClient, err := k8s.NewClient(kubeConfigPath, k8sWrapTransport)
-	if err != nil {
-		return err
-	}
-	if err := k8s.UpdateRoleFromYaml(k8sClient, templates.DefaultPodSecurityRole, namespace); err != nil {
-		return err
-	}
-	if err := k8s.UpdateRoleBindingFromYaml(k8sClient, templates.DefaultPodSecurityRoleBinding, namespace); err != nil {
-		return err
-	}
-	log.Infof(ctx, "[authz] Default PodSecurityPolicy Role and RoleBinding applied successfully")
-	return nil
-}
--- a/cluster/addons.go
+++ b/cluster/addons.go
@@ -13,10 +13,8 @@ import (
 	"time"

 	"github.com/rancher/rke/addons"
-	"github.com/rancher/rke/authz"
 	"github.com/rancher/rke/k8s"
 	"github.com/rancher/rke/log"
-	"github.com/rancher/rke/services"
 	"github.com/rancher/rke/templates"
 	v3 "github.com/rancher/rke/types"
 	"github.com/rancher/rke/types/kdm"
@@ -674,12 +672,6 @@ func (c *Cluster) deployIngress(ctx context.Context, data map[string]interface{}
 	if err := c.doAddonDeploy(ctx, ingressYaml, IngressAddonResourceName, true); err != nil {
 		return err
 	}
-	// ingress runs in it's own namespace, so it needs it's own role/rolebinding for PSP
-	if c.Authorization.Mode == services.RBACAuthorizationMode && c.Services.KubeAPI.PodSecurityPolicy {
-		if err := authz.ApplyDefaultPodSecurityPolicyRole(ctx, c.LocalKubeConfigPath, NginxIngressAddonAppName, c.K8sWrapTransport); err != nil {
-			return fmt.Errorf("Failed to apply default PodSecurityPolicy ClusterRole and ClusterRoleBinding: %v", err)
-		}
-	}

 	// After deployment of the new ingress controller based on the update strategy, remove the default backend as requested.
 	if !ingressConfig.DefaultBackend {
--- a/cluster/cluster.go
+++ b/cluster/cluster.go
@@ -939,14 +939,6 @@ func ApplyAuthzResources(ctx context.Context, rkeConfig v3.RancherKubernetesEngi
 			return fmt.Errorf("Failed to apply the ClusterRole and Binding needed for node kubeapi proxy: %v", err)
 		}
 	}
-	if kubeCluster.Authorization.Mode == services.RBACAuthorizationMode && kubeCluster.Services.KubeAPI.PodSecurityPolicy {
-		if err := authz.ApplyDefaultPodSecurityPolicy(ctx, kubeCluster.LocalKubeConfigPath, kubeCluster.K8sWrapTransport); err != nil {
-			return fmt.Errorf("Failed to apply default PodSecurityPolicy: %v", err)
-		}
-		if err := authz.ApplyDefaultPodSecurityPolicyRole(ctx, kubeCluster.LocalKubeConfigPath, SystemNamespace, kubeCluster.K8sWrapTransport); err != nil {
-			return fmt.Errorf("Failed to apply default PodSecurityPolicy ClusterRole and ClusterRoleBinding: %v", err)
-		}
-	}
 	return nil
 }

--- a/cluster/defaults.go
+++ b/cluster/defaults.go
@@ -12,9 +12,7 @@ import (
 	"github.com/rancher/rke/cloudprovider/aws"
 	"github.com/rancher/rke/docker"
 	"github.com/rancher/rke/k8s"
-	"github.com/rancher/rke/log"
 	"github.com/rancher/rke/metadata"
-	"github.com/rancher/rke/services"
 	"github.com/rancher/rke/templates"
 	v3 "github.com/rancher/rke/types"
 	"github.com/rancher/rke/util"
@@ -255,10 +253,6 @@ func (c *Cluster) setClusterDefaults(ctx context.Context, flags ExternalFlags) e
 	if len(c.Authorization.Mode) == 0 {
 		c.Authorization.Mode = DefaultAuthorizationMode
 	}
-	if c.Services.KubeAPI.PodSecurityPolicy && c.Authorization.Mode != services.RBACAuthorizationMode {
-		log.Warnf(ctx, "PodSecurityPolicy can't be enabled with RBAC support disabled")
-		c.Services.KubeAPI.PodSecurityPolicy = false
-	}
 	if len(c.Ingress.Provider) == 0 {
 		c.Ingress.Provider = DefaultIngressController
 	}
--- a/cluster/plan.go
+++ b/cluster/plan.go
@@ -254,11 +254,6 @@ func (c *Cluster) BuildKubeAPIProcess(host *hosts.Host, serviceOptions v3.Kubern
 		}
 	}

-	if c.Services.KubeAPI.PodSecurityPolicy {
-		CommandArgs["runtime-config"] = "policy/v1beta1/podsecuritypolicy=true"
-		CommandArgs[admissionControlOptionName] = CommandArgs[admissionControlOptionName] + ",PodSecurityPolicy"
-	}
-
 	if c.Services.KubeAPI.AlwaysPullImages {
 		CommandArgs[admissionControlOptionName] = CommandArgs[admissionControlOptionName] + ",AlwaysPullImages"
 	}
--- a/cluster/validation.go
+++ b/cluster/validation.go
@@ -54,10 +54,6 @@ func (c *Cluster) ValidateCluster(ctx context.Context) error {
 		return err
 	}

-	// validate enabling Pod Security Policy
-	if err := validatePodSecurityPolicy(c); err != nil {
-		return err
-	}
 	// validate enabling Pod Security
 	if err := validatePodSecurity(c); err != nil {
 		return err
@@ -682,24 +678,6 @@ func validateCRIDockerdOption(c *Cluster) error {
 	return nil
 }

-func validatePodSecurityPolicy(c *Cluster) error {
-	parsedVersion, err := getClusterVersion(c.Version)
-	if err != nil {
-		logrus.Warnf("Failed to parse semver range for validating Pod Security Policy")
-		return err
-	}
-	logrus.Debugf("Checking PodSecurityPolicy for cluster version [%s]", c.Version)
-	if c.Services.KubeAPI.PodSecurityPolicy {
-		if c.Authorization.Mode != services.RBACAuthorizationMode {
-			return errors.New("PodSecurityPolicy can't be enabled with RBAC support disabled")
-		}
-		if parsedRangeAtLeast125(parsedVersion) {
-			return errors.New("PodSecurityPolicy has been removed and can not be enabled since k8s v1.25")
-		}
-	}
-	return nil
-}
-
 func validatePodSecurity(c *Cluster) error {
 	parsedVersion, err := getClusterVersion(c.Version)
 	if err != nil {
--- a/cmd/config.go
+++ b/cmd/config.go
@@ -330,16 +330,6 @@ func getServiceConfig(reader *bufio.Reader) (*v3.RKEConfigServices, error) {
 	servicesConfig.KubeAPI.ServiceClusterIPRange = serviceClusterIPRange
 	servicesConfig.KubeController.ServiceClusterIPRange = serviceClusterIPRange

-	podSecurityPolicy, err := getConfig(reader, "Enable PodSecurityPolicy", "n")
-	if err != nil {
-		return nil, err
-	}
-	if podSecurityPolicy == "y" || podSecurityPolicy == "Y" {
-		servicesConfig.KubeAPI.PodSecurityPolicy = true
-	} else {
-		servicesConfig.KubeAPI.PodSecurityPolicy = false
-	}
-
 	clusterNetworkCidr, err := getConfig(reader, "Cluster Network CIDR", cluster.DefaultClusterCIDR)
 	if err != nil {
 		return nil, err
--- a/k8s/psp.go
+++ b/k8s/psp.go
@@ -1,32 +0,0 @@
-package k8s
-
-import (
-	"context"
-
-	"k8s.io/api/policy/v1beta1"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/client-go/kubernetes"
-)
-
-func UpdatePodSecurityPolicyFromYaml(k8sClient *kubernetes.Clientset, pspYaml string) error {
-	psp := v1beta1.PodSecurityPolicy{}
-	if err := DecodeYamlResource(&psp, pspYaml); err != nil {
-		return err
-	}
-	return retryTo(updatePodSecurityPolicy, k8sClient, psp, DefaultRetries, DefaultSleepSeconds)
-}
-
-func updatePodSecurityPolicy(k8sClient *kubernetes.Clientset, p interface{}) error {
-	psp := p.(v1beta1.PodSecurityPolicy)
-	if _, err := k8sClient.PolicyV1beta1().PodSecurityPolicies().Create(context.TODO(), &psp, metav1.CreateOptions{}); err != nil {
-		if !apierrors.IsAlreadyExists(err) {
-			return err
-		}
-		if _, err := k8sClient.PolicyV1beta1().PodSecurityPolicies().Update(context.TODO(), &psp, metav1.UpdateOptions{}); err != nil {
-			return err
-		}
-	}
-	return nil
-
-}
--- a/templates/authz.go
+++ b/templates/authz.go
@@ -67,35 +67,6 @@ subjects:
  namespace: kube-system
  name: rke-job-deployer`

-	DefaultPodSecurityPolicy = `
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: default-psp
-  annotations:
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
-spec:
-  privileged: true
-  allowPrivilegeEscalation: true
-  allowedCapabilities:
-  - '*'
-  volumes:
-  - '*'
-  hostNetwork: true
-  hostPorts:
-  - min: 0
-    max: 65535
-  hostIPC: true
-  hostPID: true
-  runAsUser:
-    rule: 'RunAsAny'
-  seLinux:
-    rule: 'RunAsAny'
-  supplementalGroups:
-    rule: 'RunAsAny'
-  fsGroup:
-    rule: 'RunAsAny'`
-
 	DefaultPodSecurityRole = `
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
--- a/types/rke_types.go
+++ b/types/rke_types.go
@@ -293,8 +293,6 @@ type KubeAPIService struct {
 	ServiceClusterIPRange string `yaml:"service_cluster_ip_range" json:"serviceClusterIpRange,omitempty"`
 	// Port range for services defined with NodePort type
 	ServiceNodePortRange string `yaml:"service_node_port_range" json:"serviceNodePortRange,omitempty" norman:"default=30000-32767"`
-	// Enabled/Disable PodSecurityPolicy
-	PodSecurityPolicy bool `yaml:"pod_security_policy" json:"podSecurityPolicy,omitempty"`
 	// setting the default configuration for PodSecurityAdmission
 	PodSecurityConfiguration string `yaml:"pod_security_configuration" json:"podSecurityConfiguration,omitempty"`
 	// Enable/Disable AlwaysPullImages admissions plugin