From 8a6620d9dc49428d906abd7d12db710ec19254a0 Mon Sep 17 00:00:00 2001
From: Sam Dowell
Date: Mon, 2 Oct 2023 11:33:44 -0700
Subject: [PATCH] chore: remove PSP manifests and code paths (#909)
PodSecurityPolicy is removed as of k8s 1.25. This change removes usages of acm-psp from the installation manifests and testing code paths.
---
 Makefile.build | 2 -
 e2e/nomostest/config_sync.go | 56 ----------------
 e2e/nomostest/git-server.go | 65 -------------------
 e2e/nomostest/nt.go | 8 ---
 e2e/nomostest/reset.go | 18 -----
 manifests/acm-psp.yaml | 46 -------------
 manifests/ns-reconciler-cluster-role.yaml | 8 ---
 manifests/operator/kustomization.yaml | 1 -
 manifests/policy-controller-psp.yaml | 43 ------------
 manifests/templates/otel-collector.yaml | 37 -----------
 .../third_party/resourcegroup-manifest.yaml | 8 ---
 11 files changed, 292 deletions(-)
 delete mode 100644 manifests/acm-psp.yaml
 delete mode 100644 manifests/policy-controller-psp.yaml
diff --git a/Makefile.build b/Makefile.build
index f330680beb..11e91123b3 100644
--- a/Makefile.build
+++ b/Makefile.build
@@ -216,8 +216,6 @@ build-manifests-oss: "$(GOBIN)/addlicense" "$(BIN_DIR)/kustomize" $(OUTPUT_DIR)
 @ "$(GOBIN)/addlicense" $(OSS_MANIFEST_STAGING_DIR)/config-sync-manifest.yaml
 @ # Additional optional OSS manifests
- @ rsync \
- manifests/acm-psp.yaml $(OSS_MANIFEST_STAGING_DIR)/acm-psp.yaml
 @ cat "manifests/templates/admission-webhook.yaml" \
 | sed -e "s|WEBHOOK_IMAGE_NAME|$(ADMISSION_WEBHOOK_TAG)|g" \
 > $(OSS_MANIFEST_STAGING_DIR)/admission-webhook.yaml
diff --git a/e2e/nomostest/config_sync.go b/e2e/nomostest/config_sync.go
index 098a2179f1..6e97f550ee 100644
--- a/e2e/nomostest/config_sync.go
+++ b/e2e/nomostest/config_sync.go
@@ -188,10 +188,6 @@ func uninstallConfigSync(nt *NT) error {
 return DeleteObjectsAndWait(nt, objs...)
 }
-func isPSPCluster() bool {
- return strings.Contains(*e2e.GCPCluster, "psp")
-}
-
 // convertToTypedObjects converts objects to their literal types. We can do this as
 // we should have all required types in the Scheme anyway. This keeps us from
 // having to do ugly Unstructured operations.
@@ -305,9 +301,6 @@ func multiRepoObjects(objects []client.Object, opts ...func(obj client.Object) e
 var filtered []client.Object
 found := false
 for _, obj := range objects {
- if !isPSPCluster() && obj.GetName() == "acm-psp" {
- continue
- }
 if IsReconcilerTemplateConfigMap(obj) {
 // Mark that we've found the ReconcilerManager ConfigMap.
 // This way we know we've enabled debug mode.
@@ -476,27 +469,6 @@ func RepoSyncRoleBinding(nn types.NamespacedName) *rbacv1.RoleBinding {
 return rb
 }
-// repoSyncClusterRoleBinding returns clusterrolebinding that grants service account
-// permission to manage resources in the namespace.
-func repoSyncClusterRoleBinding(nn types.NamespacedName) *rbacv1.ClusterRoleBinding {
- rb := fake.ClusterRoleBindingObject(core.Name(nn.Name + "-" + nn.Namespace))
- sb := []rbacv1.Subject{
- {
- Kind: "ServiceAccount",
- Name: core.NsReconcilerName(nn.Namespace, nn.Name),
- Namespace: configmanagement.ControllerNamespace,
- },
- }
- rf := rbacv1.RoleRef{
- APIGroup: "rbac.authorization.k8s.io",
- Kind: "ClusterRole",
- Name: clusterRoleName,
- }
- rb.Subjects = sb
- rb.RoleRef = rf
- return rb
-}
-
 func setupRepoSyncRoleBinding(nt *NT, nn types.NamespacedName) error {
 if err := nt.KubeClient.Create(RepoSyncRoleBinding(nn)); err != nil {
 nt.T.Fatal(err)
@@ -617,18 +589,6 @@ func setupDelegatedControl(nt *NT) {
 }
 for nn := range nt.NonRootRepos {
- // Add a ClusterRoleBinding so that the pods can be created
- // when the cluster has PodSecurityPolicy enabled.
- // Background: If a RoleBinding (not a ClusterRoleBinding) is used,
- // it will only grant usage for pods being run in the same namespace as the binding.
- // TODO: Remove the psp related change when Kubernetes 1.25 is
- // available on GKE.
- if isPSPCluster() {
- if err := nt.KubeClient.Create(repoSyncClusterRoleBinding(nn)); err != nil {
- nt.T.Fatal(err)
- }
- }
-
 // create namespace for namespace reconciler.
 err := nt.KubeClient.Create(fake.NamespaceObject(nn.Namespace))
 if err != nil {
@@ -910,18 +870,6 @@ func setupCentralizedControl(nt *NT) {
 nt.Must(nt.RootRepos[configsync.RootSyncName].Add(StructuredNSPath(ns, fmt.Sprintf("rb-%s", rsNN.Name)), rb))
 nt.MetricsExpectations.AddObjectApply(configsync.RootSyncKind, rootSyncNN, rb)
- if isPSPCluster() {
- // Add a ClusterRoleBinding so that the pods can be created
- // when the cluster has PodSecurityPolicy enabled.
- // Background: If a RoleBinding (not a ClusterRoleBinding) is used,
- // it will only grant usage for pods being run in the same namespace as the binding.
- // TODO: Remove the psp related change when Kubernetes 1.25 is
- // available on GKE.
- crb := repoSyncClusterRoleBinding(rsNN)
- nt.Must(nt.RootRepos[configsync.RootSyncName].Add(fmt.Sprintf("acme/cluster/crb-%s-%s.yaml", ns, rsNN.Name), crb))
- nt.MetricsExpectations.AddObjectApply(configsync.RootSyncKind, rootSyncNN, crb)
- }
-
 // Add RepoSync pointing to the Git repo specified in nt.NonRootRepos[rsNN]
 rs := RepoSyncObjectV1Beta1FromNonRootRepo(nt, rsNN)
 nt.Must(nt.RootRepos[configsync.RootSyncName].Add(StructuredNSPath(ns, rsNN.Name), rs))
@@ -989,10 +937,6 @@ func SetRepoSyncDependencies(nt *NT, rs client.Object) error {
 nt.RepoSyncClusterRole(),
 RepoSyncRoleBinding(rsNN),
 }
- if isPSPCluster() {
- crb := repoSyncClusterRoleBinding(rsNN)
- dependencies = append(dependencies, crb)
- }
 return SetDependencies(rs, dependencies...)
 }
diff --git a/e2e/nomostest/git-server.go b/e2e/nomostest/git-server.go
index f42b6237cf..dcbe6fc4c7 100644
--- a/e2e/nomostest/git-server.go
+++ b/e2e/nomostest/git-server.go
@@ -19,10 +19,7 @@ import (
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
- "k8s.io/api/policy/v1beta1"
- rbacv1 "k8s.io/api/rbac/v1"
 v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/runtime/schema"
 "k8s.io/apimachinery/pkg/types"
 "k8s.io/apimachinery/pkg/util/intstr"
 "kpt.dev/configsync/e2e/nomostest/testing"
@@ -75,13 +72,6 @@ func gitServer() []client.Object {
 gitService(),
 gitDeployment(),
 }
- if isPSPCluster() {
- objs = append(objs, []client.Object{
- gitPodSecurityPolicy(),
- gitRole(),
- gitRoleBinding(),
- }...)
- }
 return objs
 }
@@ -89,61 +79,6 @@ func gitNamespace() *corev1.Namespace {
 return fake.NamespaceObject(testGitNamespace)
 }
-func gitPodSecurityPolicy() *v1beta1.PodSecurityPolicy {
- psp := &v1beta1.PodSecurityPolicy{}
- psp.SetGroupVersionKind(schema.GroupVersionKind{
- Group: "policy",
- Version: "v1beta1",
- Kind: "PodSecurityPolicy",
- })
- psp.SetName(testGitServer)
- psp.Spec.Privileged = false
- psp.Spec.Volumes = []v1beta1.FSType{
- "*",
- }
- psp.Spec.RunAsUser.Rule = v1beta1.RunAsUserStrategyRunAsAny
- psp.Spec.SELinux.Rule = v1beta1.SELinuxStrategyRunAsAny
- psp.Spec.SupplementalGroups.Rule = v1beta1.SupplementalGroupsStrategyRunAsAny
- psp.Spec.FSGroup.Rule = v1beta1.FSGroupStrategyRunAsAny
- return psp
-}
-
-func gitRole() *rbacv1.Role {
- role := fake.RoleObject(
- core.Name(testGitServer),
- core.Namespace(testGitNamespace),
- )
- role.Rules = []rbacv1.PolicyRule{
- {
- APIGroups: []string{"policy"},
- Resources: []string{"podsecuritypolicies"},
- ResourceNames: []string{testGitServer},
- Verbs: []string{"use"},
- },
- }
- return role
-}
-
-func gitRoleBinding() *rbacv1.RoleBinding {
- rolebinding := fake.RoleBindingObject(
- core.Name(testGitServer),
- core.Namespace(testGitNamespace),
- )
- rolebinding.RoleRef = rbacv1.RoleRef{
- APIGroup: "rbac.authorization.k8s.io",
- Kind: "Role",
- Name: testGitServer,
- }
- rolebinding.Subjects = []rbacv1.Subject{
- {
- Kind: "ServiceAccount",
- Namespace: testGitNamespace,
- Name: "default",
- },
- }
- return rolebinding
-}
-
 func gitService() *corev1.Service {
 service := fake.ServiceObject(
 core.Name(testGitServer),
diff --git a/e2e/nomostest/nt.go b/e2e/nomostest/nt.go
index 0042f9a16e..d0859bf8e6 100644
--- a/e2e/nomostest/nt.go
+++ b/e2e/nomostest/nt.go
@@ -865,14 +865,6 @@ func (nt *NT) SupportV1Beta1CRDAndRBAC() (bool, error) {
 func (nt *NT) RepoSyncClusterRole() *rbacv1.ClusterRole {
 cr := fake.ClusterRoleObject(core.Name(clusterRoleName))
 cr.Rules = append(cr.Rules, nt.repoSyncPermissions...)
- if isPSPCluster() {
- cr.Rules = append(cr.Rules, rbacv1.PolicyRule{
- APIGroups: []string{"policy"},
- Resources: []string{"podsecuritypolicies"},
- ResourceNames: []string{"acm-psp"},
- Verbs: []string{"use"},
- })
- }
 return cr
 }
diff --git a/e2e/nomostest/reset.go b/e2e/nomostest/reset.go
index eefd5cb8c9..5e07a01e14 100644
--- a/e2e/nomostest/reset.go
+++ b/e2e/nomostest/reset.go
@@ -304,24 +304,6 @@ func ResetRepoSyncs(nt *NT, rsList []v1beta1.RepoSync) error {
 return err
 }
- // Delete any ClusterRoleBindings left behind.
- // CRBs are usually only applied if PSP was enabled, but clean them up regardless.
- nt.T.Log("[RESET] Deleting test ClusterRoleBindings")
- var crbs []client.Object
- for _, item := range rsList {
- rs := &item
- rsNN := client.ObjectKeyFromObject(rs)
- crbs = append(crbs, repoSyncClusterRoleBinding(rsNN))
- }
- // Skip deleting managed ClusterRoleBindings
- crbs, err = findUnmanaged(nt, crbs...)
- if err != nil {
- return err
- }
- if err := DeleteObjectsAndWait(nt, crbs...); err != nil {
- return err
- }
-
 return deleteRepoSyncClusterRole(nt)
 }
diff --git a/manifests/acm-psp.yaml b/manifests/acm-psp.yaml
deleted file mode 100644
index 82ba5be77c..0000000000
--- a/manifests/acm-psp.yaml
+++ /dev/null
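Review bot: Removing the ClusterRoleBinding cleanup from ResetRepoSyncs also drops the "clean them up regardless" path, so ClusterRoleBindings named `<rs-name>-<rs-namespace>` that earlier runs created on a reused test cluster are no longer deleted and keep binding the `clusterRoleName` ClusterRole to the reconciler service accounts. If long-lived clusters are shared across revisions, those leftovers presumably need one reset with the old code or an out-of-band deletion before the new reset path can be trusted; whether that happens is not visible in this diff. A short comment at the surviving `return deleteRepoSyncClusterRole(nt)` line, e.g. `// PSP-era ClusterRoleBindings are no longer created; any left by older runs must be removed out of band.`, would record that assumption for whoever next debugs a stale-RBAC failure. The rest of ResetRepoSyncs lies outside this hunk.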
@@ -1,46 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: acm-psp
-spec:
- privileged: false
- volumes:
- - 'configMap'
- - 'downwardAPI'
- - 'emptyDir'
- - 'persistentVolumeClaim'
- - 'projected'
- - 'secret'
- # Block root privileges
- runAsUser:
- rule: 'MustRunAsNonRoot'
- seLinux:
- # seLinux is a required field, but most configurations don't use it and if we set it to anything
- # other than RunAsAny, then the host OS has to have the SELinux security module loaded.
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'MustRunAs'
- # This range allows all GIDs except for root, which is 0
- ranges:
- - min: 1
- max: 65535
- fsGroup:
- rule: 'MustRunAs'
- # This range allows all GIDs except for root, which is 0
- ranges:
- - min: 1
- max: 65535
\ No newline at end of file
diff --git a/manifests/ns-reconciler-cluster-role.yaml b/manifests/ns-reconciler-cluster-role.yaml
index f2d2680c42..ab925f8ecf 100644
--- a/manifests/ns-reconciler-cluster-role.yaml
+++ b/manifests/ns-reconciler-cluster-role.yaml
@@ -32,11 +32,3 @@ rules:
 - apiGroups: ["kpt.dev"]
 resources: ["resourcegroups/status"]
 verbs: ["*"]
-- apiGroups:
- - policy
- resources:
- - podsecuritypolicies
- resourceNames:
- - acm-psp
- verbs:
- - use
\ No newline at end of file
diff --git a/manifests/operator/kustomization.yaml b/manifests/operator/kustomization.yaml
index 3727bce06f..e2a9ca9c16 100644
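Review bot: Deleting manifests/acm-psp.yaml removes the only control visible in this patch that enforced `privileged: false`, `runAsUser: MustRunAsNonRoot`, non-zero `supplementalGroups`/`fsGroup` ranges and the volume-type allowlist for the Config Sync workloads, and nothing in the commit adds a successor — no `pod-security.kubernetes.io/enforce` namespace label and no securityContext change in the workload manifests. Whether the Deployments already pin the same constraints in their own securityContext cannot be seen here and should be confirmed before merge, since on k8s 1.25+ there is otherwise no admission-time enforcement of them. It would help to record the decision in the commit description, e.g. `On k8s >= 1.25 the constraints formerly in acm-psp are expected from Pod Security Admission and the workloads' securityContext; this change adds neither.` The matching removal of the `use` grant on `podsecuritypolicies` in the ns-reconciler-cluster-role.yaml hunk here, and in the policy-controller-psp.yaml, otel-collector.yaml and resourcegroup-manifest.yaml hunks that follow, is consistent once the PSP object itself is gone.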
--- a/manifests/operator/kustomization.yaml
+++ b/manifests/operator/kustomization.yaml
@@ -14,7 +14,6 @@ resources:
 - ../base
-- ../acm-psp.yaml
 - ../hierarchyconfig-crd.yaml
 - ../policy-controller-psp.yaml
 - ../templates/admission-webhook.yaml
diff --git a/manifests/policy-controller-psp.yaml b/manifests/policy-controller-psp.yaml
deleted file mode 100644
index 5d13c320e2..0000000000
--- a/manifests/policy-controller-psp.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# Nomos policy controller PSP
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: configmanagement.gke.io:policy-controller-psp
-rules:
-- apiGroups:
- - policy
- resources:
- - podsecuritypolicies
- resourceNames:
- - acm-psp
- verbs:
- - use
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: configmanagement.gke.io:policy-controller-psp
- labels:
- policycontroller.configmanagement.gke.io: "true"
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: configmanagement.gke.io:policy-controller-psp
-subjects:
-- kind: ServiceAccount
- name: gatekeeper-admin
- namespace: gatekeeper-system
diff --git a/manifests/templates/otel-collector.yaml b/manifests/templates/otel-collector.yaml
index 89e9533931..c7631ca980 100644
--- a/manifests/templates/otel-collector.yaml
+++ b/manifests/templates/otel-collector.yaml
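Review bot: The context line `- ../policy-controller-psp.yaml` survives in the kustomization.yaml hunk, but the same commit deletes manifests/policy-controller-psp.yaml (diffstat `delete mode` entry and the `deleted file mode 100644` header on this same line), so manifests/operator/kustomization.yaml now points at a file that no longer exists and a kustomize build of that overlay can be expected to fail on the missing resource. Drop the `- ../policy-controller-psp.yaml` entry from the `resources:` list in the same way `- ../acm-psp.yaml` is dropped. If the operator overlay is built in CI this would presumably surface there, but nothing in the diff shows that it is.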
@@ -44,43 +44,6 @@ data:
 processors: [batch]
 exporters: [prometheus]
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: configmanagement.gke.io:otel-collector-psp
- namespace: config-management-monitoring
- labels:
- component: otel-collector
- configmanagement.gke.io/system: "true"
- configmanagement.gke.io/arch: "csmr"
-rules:
-- apiGroups:
- - policy
- resources:
- - podsecuritypolicies
- resourceNames:
- - acm-psp
- verbs:
- - use
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: configmanagement.gke.io:otel-collector-psp
- namespace: config-management-monitoring
- labels:
- component: otel-collector
- configmanagement.gke.io/system: "true"
- configmanagement.gke.io/arch: "csmr"
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: configmanagement.gke.io:otel-collector-psp
-subjects:
-- kind: ServiceAccount
- name: default
- namespace: config-management-monitoring
----
 apiVersion: v1
 kind: Service
 metadata:
diff --git a/manifests/third_party/resourcegroup-manifest.yaml b/manifests/third_party/resourcegroup-manifest.yaml
index 8543b3f928..75e2546066 100644
--- a/manifests/third_party/resourcegroup-manifest.yaml
+++ b/manifests/third_party/resourcegroup-manifest.yaml
@@ -398,14 +398,6 @@ rules:
 - get
 - patch
 - update
-- apiGroups:
- - policy
- resourceNames:
- - acm-psp
- resources:
- - podsecuritypolicies
- verbs:
- - use
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding