chore: remove PSP manifests and code paths (#909)

PodSecurityPolicy is removed as of k8s 1.25. This change removes usages
of acm-psp from the installation manifests and testing code paths.

Makefile.build

@@ -216,8 +216,6 @@ build-manifests-oss: "$(GOBIN)/addlicense" "$(BIN_DIR)/kustomize" $(OUTPUT_DIR)
 	@ "$(GOBIN)/addlicense" $(OSS_MANIFEST_STAGING_DIR)/config-sync-manifest.yaml
 
 	@ # Additional optional OSS manifests
-	@ rsync \
-		manifests/acm-psp.yaml $(OSS_MANIFEST_STAGING_DIR)/acm-psp.yaml
 	@ cat "manifests/templates/admission-webhook.yaml" \
 		| sed -e "s|WEBHOOK_IMAGE_NAME|$(ADMISSION_WEBHOOK_TAG)|g" \
 		> $(OSS_MANIFEST_STAGING_DIR)/admission-webhook.yaml

e2e/nomostest/config_sync.go

@@ -188,10 +188,6 @@ func uninstallConfigSync(nt *NT) error {
 	return DeleteObjectsAndWait(nt, objs...)
 }
 
-func isPSPCluster() bool {
-	return strings.Contains(*e2e.GCPCluster, "psp")
-}
-
 // convertToTypedObjects converts objects to their literal types. We can do this as
 // we should have all required types in the Scheme anyway. This keeps us from
 // having to do ugly Unstructured operations.
@@ -305,9 +301,6 @@ func multiRepoObjects(objects []client.Object, opts ...func(obj client.Object) e
 	var filtered []client.Object
 	found := false
 	for _, obj := range objects {
-		if !isPSPCluster() && obj.GetName() == "acm-psp" {
-			continue
-		}
 		if IsReconcilerTemplateConfigMap(obj) {
 			// Mark that we've found the ReconcilerManager ConfigMap.
 			// This way we know we've enabled debug mode.
@@ -476,27 +469,6 @@ func RepoSyncRoleBinding(nn types.NamespacedName) *rbacv1.RoleBinding {
 	return rb
 }
 
-// repoSyncClusterRoleBinding returns clusterrolebinding that grants service account
-// permission to manage resources in the namespace.
-func repoSyncClusterRoleBinding(nn types.NamespacedName) *rbacv1.ClusterRoleBinding {
-	rb := fake.ClusterRoleBindingObject(core.Name(nn.Name + "-" + nn.Namespace))
-	sb := []rbacv1.Subject{
-		{
-			Kind:      "ServiceAccount",
-			Name:      core.NsReconcilerName(nn.Namespace, nn.Name),
-			Namespace: configmanagement.ControllerNamespace,
-		},
-	}
-	rf := rbacv1.RoleRef{
-		APIGroup: "rbac.authorization.k8s.io",
-		Kind:     "ClusterRole",
-		Name:     clusterRoleName,
-	}
-	rb.Subjects = sb
-	rb.RoleRef = rf
-	return rb
-}
-
 func setupRepoSyncRoleBinding(nt *NT, nn types.NamespacedName) error {
 	if err := nt.KubeClient.Create(RepoSyncRoleBinding(nn)); err != nil {
 		nt.T.Fatal(err)
@@ -617,18 +589,6 @@ func setupDelegatedControl(nt *NT) {
 	}
 
 	for nn := range nt.NonRootRepos {
-		// Add a ClusterRoleBinding so that the pods can be created
-		// when the cluster has PodSecurityPolicy enabled.
-		// Background: If a RoleBinding (not a ClusterRoleBinding) is used,
-		// it will only grant usage for pods being run in the same namespace as the binding.
-		// TODO: Remove the psp related change when Kubernetes 1.25 is
-		// available on GKE.
-		if isPSPCluster() {
-			if err := nt.KubeClient.Create(repoSyncClusterRoleBinding(nn)); err != nil {
-				nt.T.Fatal(err)
-			}
-		}
-
 		// create namespace for namespace reconciler.
 		err := nt.KubeClient.Create(fake.NamespaceObject(nn.Namespace))
 		if err != nil {
@@ -910,18 +870,6 @@ func setupCentralizedControl(nt *NT) {
 		nt.Must(nt.RootRepos[configsync.RootSyncName].Add(StructuredNSPath(ns, fmt.Sprintf("rb-%s", rsNN.Name)), rb))
 		nt.MetricsExpectations.AddObjectApply(configsync.RootSyncKind, rootSyncNN, rb)
 
-		if isPSPCluster() {
-			// Add a ClusterRoleBinding so that the pods can be created
-			// when the cluster has PodSecurityPolicy enabled.
-			// Background: If a RoleBinding (not a ClusterRoleBinding) is used,
-			// it will only grant usage for pods being run in the same namespace as the binding.
-			// TODO: Remove the psp related change when Kubernetes 1.25 is
-			// available on GKE.
-			crb := repoSyncClusterRoleBinding(rsNN)
-			nt.Must(nt.RootRepos[configsync.RootSyncName].Add(fmt.Sprintf("acme/cluster/crb-%s-%s.yaml", ns, rsNN.Name), crb))
-			nt.MetricsExpectations.AddObjectApply(configsync.RootSyncKind, rootSyncNN, crb)
-		}
-
 		// Add RepoSync pointing to the Git repo specified in nt.NonRootRepos[rsNN]
 		rs := RepoSyncObjectV1Beta1FromNonRootRepo(nt, rsNN)
 		nt.Must(nt.RootRepos[configsync.RootSyncName].Add(StructuredNSPath(ns, rsNN.Name), rs))
@@ -989,10 +937,6 @@ func SetRepoSyncDependencies(nt *NT, rs client.Object) error {
 		nt.RepoSyncClusterRole(),
 		RepoSyncRoleBinding(rsNN),
 	}
-	if isPSPCluster() {
-		crb := repoSyncClusterRoleBinding(rsNN)
-		dependencies = append(dependencies, crb)
-	}
 	return SetDependencies(rs, dependencies...)
 }
 

e2e/nomostest/git-server.go

@@ -19,10 +19,7 @@ import (
 
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
-	"k8s.io/api/policy/v1beta1"
-	rbacv1 "k8s.io/api/rbac/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"kpt.dev/configsync/e2e/nomostest/testing"
@@ -75,75 +72,13 @@ func gitServer() []client.Object {
 		gitService(),
 		gitDeployment(),
 	}
-	if isPSPCluster() {
-		objs = append(objs, []client.Object{
-			gitPodSecurityPolicy(),
-			gitRole(),
-			gitRoleBinding(),
-		}...)
-	}
 	return objs
 }
 
 func gitNamespace() *corev1.Namespace {
 	return fake.NamespaceObject(testGitNamespace)
 }
 
-func gitPodSecurityPolicy() *v1beta1.PodSecurityPolicy {
-	psp := &v1beta1.PodSecurityPolicy{}
-	psp.SetGroupVersionKind(schema.GroupVersionKind{
-		Group:   "policy",
-		Version: "v1beta1",
-		Kind:    "PodSecurityPolicy",
-	})
-	psp.SetName(testGitServer)
-	psp.Spec.Privileged = false
-	psp.Spec.Volumes = []v1beta1.FSType{
-		"*",
-	}
-	psp.Spec.RunAsUser.Rule = v1beta1.RunAsUserStrategyRunAsAny
-	psp.Spec.SELinux.Rule = v1beta1.SELinuxStrategyRunAsAny
-	psp.Spec.SupplementalGroups.Rule = v1beta1.SupplementalGroupsStrategyRunAsAny
-	psp.Spec.FSGroup.Rule = v1beta1.FSGroupStrategyRunAsAny
-	return psp
-}
-
-func gitRole() *rbacv1.Role {
-	role := fake.RoleObject(
-		core.Name(testGitServer),
-		core.Namespace(testGitNamespace),
-	)
-	role.Rules = []rbacv1.PolicyRule{
-		{
-			APIGroups:     []string{"policy"},
-			Resources:     []string{"podsecuritypolicies"},
-			ResourceNames: []string{testGitServer},
-			Verbs:         []string{"use"},
-		},
-	}
-	return role
-}
-
-func gitRoleBinding() *rbacv1.RoleBinding {
-	rolebinding := fake.RoleBindingObject(
-		core.Name(testGitServer),
-		core.Namespace(testGitNamespace),
-	)
-	rolebinding.RoleRef = rbacv1.RoleRef{
-		APIGroup: "rbac.authorization.k8s.io",
-		Kind:     "Role",
-		Name:     testGitServer,
-	}
-	rolebinding.Subjects = []rbacv1.Subject{
-		{
-			Kind:      "ServiceAccount",
-			Namespace: testGitNamespace,
-			Name:      "default",
-		},
-	}
-	return rolebinding
-}
-
 func gitService() *corev1.Service {
 	service := fake.ServiceObject(
 		core.Name(testGitServer),

e2e/nomostest/nt.go

@@ -865,14 +865,6 @@ func (nt *NT) SupportV1Beta1CRDAndRBAC() (bool, error) {
 func (nt *NT) RepoSyncClusterRole() *rbacv1.ClusterRole {
 	cr := fake.ClusterRoleObject(core.Name(clusterRoleName))
 	cr.Rules = append(cr.Rules, nt.repoSyncPermissions...)
-	if isPSPCluster() {
-		cr.Rules = append(cr.Rules, rbacv1.PolicyRule{
-			APIGroups:     []string{"policy"},
-			Resources:     []string{"podsecuritypolicies"},
-			ResourceNames: []string{"acm-psp"},
-			Verbs:         []string{"use"},
-		})
-	}
 	return cr
 }
 

e2e/nomostest/reset.go

@@ -304,24 +304,6 @@ func ResetRepoSyncs(nt *NT, rsList []v1beta1.RepoSync) error {
 		return err
 	}
 
-	// Delete any ClusterRoleBindings left behind.
-	// CRBs are usually only applied if PSP was enabled, but clean them up regardless.
-	nt.T.Log("[RESET] Deleting test ClusterRoleBindings")
-	var crbs []client.Object
-	for _, item := range rsList {
-		rs := &item
-		rsNN := client.ObjectKeyFromObject(rs)
-		crbs = append(crbs, repoSyncClusterRoleBinding(rsNN))
-	}
-	// Skip deleting managed ClusterRoleBindings
-	crbs, err = findUnmanaged(nt, crbs...)
-	if err != nil {
-		return err
-	}
-	if err := DeleteObjectsAndWait(nt, crbs...); err != nil {
-		return err
-	}
-
 	return deleteRepoSyncClusterRole(nt)
 }
 

manifests/ns-reconciler-cluster-role.yaml

@@ -32,11 +32,3 @@ rules:
 - apiGroups: ["kpt.dev"]
   resources: ["resourcegroups/status"]
   verbs: ["*"]
-- apiGroups:
-  - policy
-  resources:
-  - podsecuritypolicies
-  resourceNames:
-  - acm-psp
-  verbs:
-  - use

manifests/operator/kustomization.yaml

@@ -14,7 +14,6 @@
 
 resources:
 - ../base
-- ../acm-psp.yaml
 - ../hierarchyconfig-crd.yaml
 - ../policy-controller-psp.yaml
 - ../templates/admission-webhook.yaml

manifests/templates/otel-collector.yaml

@@ -44,43 +44,6 @@ data:
           processors: [batch]
           exporters: [prometheus]
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: configmanagement.gke.io:otel-collector-psp
-  namespace: config-management-monitoring
-  labels:
-    component: otel-collector
-    configmanagement.gke.io/system: "true"
-    configmanagement.gke.io/arch: "csmr"
-rules:
-- apiGroups:
-  - policy
-  resources:
-  - podsecuritypolicies
-  resourceNames:
-  - acm-psp
-  verbs:
-  - use
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: configmanagement.gke.io:otel-collector-psp
-  namespace: config-management-monitoring
-  labels:
-    component: otel-collector
-    configmanagement.gke.io/system: "true"
-    configmanagement.gke.io/arch: "csmr"
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: configmanagement.gke.io:otel-collector-psp
-subjects:
-- kind: ServiceAccount
-  name: default
-  namespace: config-management-monitoring
----
 apiVersion: v1
 kind: Service
 metadata: