Revert "Merge pull request #3085 from jiaqiluo/1-25"

This reverts commit 2995440767, reversing changes made to 0f8a109f2b.
2025-09-12 13:18:47 +00:00 · 2023-02-22 09:04:47 -08:00
parent 94af4c22c7
commit 82e0b79738
15 changed files with 404 additions and 601 deletions
--- a/cluster/validation.go
+++ b/cluster/validation.go
@@ -54,15 +54,6 @@ func (c *Cluster) ValidateCluster(ctx context.Context) error {
 		return err
 	}

-	// validate enabling Pod Security Policy
-	if err := validatePodSecurityPolicy(c); err != nil {
-		return err
-	}
-	// validate enabling Pod Security
-	if err := validatePodSecurity(c); err != nil {
-		return err
-	}
-
 	// validate services options
 	return validateServicesOptions(c)
 }
@@ -243,7 +234,7 @@ func validateNetworkOptions(c *Cluster) error {
 	}

 	if c.Network.Plugin == AciNetworkPlugin {
-		// Skip cloud options and throw an error.
+		//Skip cloud options and throw an error.
 		cloudOptionsList := []string{AciEpRegistry, AciOpflexMode, AciUseHostNetnsVolume, AciUseOpflexServerVolume,
 			AciSubnetDomainName, AciKafkaClientCrt, AciKafkaClientKey, AciCApic, UseAciAnywhereCRD,
 			AciOverlayVRFName, AciGbpPodSubnet, AciRunGbpContainer, AciRunOpflexServerContainer, AciOpflexServerPort}
@@ -559,9 +550,9 @@ func validateNetworkImages(c *Cluster) error {
 		if len(c.SystemImages.AciControllerContainer) == 0 {
 			return errors.New("aci controller image is not populated")
 		}
-		// Skipping Cloud image validation.
-		// c.SystemImages.AciOpflexServerContainer
-		// c.SystemImages.AciGbpServerContainer
+		//Skipping Cloud image validation.
+		//c.SystemImages.AciOpflexServerContainer
+		//c.SystemImages.AciGbpServerContainer
 	}
 	return nil
 }
@@ -659,51 +650,6 @@ func validateCRIDockerdOption(c *Cluster) error {
 	return nil
 }

-func validatePodSecurityPolicy(c *Cluster) error {
-	parsedVersion, err := getClusterVersion(c.Version)
-	if err != nil {
-		logrus.Warnf("Failed to parse semver range for validating Pod Security Policy")
-		return err
-	}
-	logrus.Debugf("Checking PodSecurityPolicy for cluster version [%s]", c.Version)
-	if c.Services.KubeAPI.PodSecurityPolicy {
-		if c.Authorization.Mode != services.RBACAuthorizationMode {
-			return errors.New("PodSecurityPolicy can't be enabled with RBAC support disabled")
-		}
-		if parsedRangeAtLeast125(parsedVersion) {
-			return errors.New("PodSecurityPolicy has been removed and can not be enabled since k8s v1.25")
-		}
-	}
-	return nil
-}
-
-func validatePodSecurity(c *Cluster) error {
-	parsedVersion, err := getClusterVersion(c.Version)
-	if err != nil {
-		logrus.Warnf("Failed to parse semver range for validating Pod Security")
-		return err
-	}
-	logrus.Debugf("Checking PodSecurity for cluster version [%s]", c.Version)
-	// The following requirements must be met to set the default Pod Security Admission Config:
-	// - RBAC is enabled on the cluster
-	// - Cluster version is at least 1.23
-	// - valid values are privileged and restricted
-	level := c.Services.KubeAPI.PodSecurityConfiguration
-	if len(level) != 0 {
-		if c.Authorization.Mode != services.RBACAuthorizationMode {
-			return errors.New("PodSecurity can't be enabled with RBAC support disabled")
-		}
-		if !parsedRangeAtLeast123(parsedVersion) {
-			return errors.New("cluster version must be at least v1.23 to use PodSecurity in RKE")
-		}
-		if level != PodSecurityPrivileged && level != PodSecurityRestricted {
-			return fmt.Errorf("invalid pod_security_configuration [%s]. Supported values: [%s, %s]",
-				level, PodSecurityPrivileged, PodSecurityRestricted)
-		}
-	}
-	return nil
-}
-
 func getClusterVersion(version string) (semver.Version, error) {
 	var parsedVersion semver.Version
 	if len(version) <= 1 || !strings.HasPrefix(version, "v") {