Chart: Remove Pod Security Policy. (#11971)

2024-09-15 17:03:24 +02:00 · 2024-09-15 17:03:24 +02:00 · 027603927b
commit 027603927b
parent 61f56cb490
19 changed files with 1 additions and 438 deletions
--- a/charts/ingress-nginx/README.md
+++ b/charts/ingress-nginx/README.md
@ -244,7 +244,6 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.admissionWebhooks.createSecretJob.resources | object | `{}` |  |
 | controller.admissionWebhooks.createSecretJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for secret creation containers |
 | controller.admissionWebhooks.enabled | bool | `true` |  |
-| controller.admissionWebhooks.existingPsp | string | `""` | Use an existing PSP instead of creating one |
 | controller.admissionWebhooks.extraEnvs | list | `[]` | Additional environment variables to set |
 | controller.admissionWebhooks.failurePolicy | string | `"Fail"` | Admission Webhook failure policy to use |
 | controller.admissionWebhooks.key | string | `"/usr/local/certificates/key"` |  |
@ -307,7 +306,6 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.enableAnnotationValidations | bool | `true` |  |
 | controller.enableMimalloc | bool | `true` | Enable mimalloc as a drop-in replacement for malloc. # ref: https://github.com/microsoft/mimalloc # |
 | controller.enableTopologyAwareRouting | bool | `false` | This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-mode="auto" Defaults to false |
-| controller.existingPsp | string | `""` | Use an existing PSP instead of creating one |
 | controller.extraArgs | object | `{}` | Additional command line arguments to pass to Ingress-Nginx Controller E.g. to specify the default SSL certificate you can use |
 | controller.extraContainers | list | `[]` | Additional containers to be added to the controller pod. See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. |
 | controller.extraEnvs | list | `[]` | Additional environment variables to set |
@ -497,7 +495,6 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | defaultBackend.autoscaling.targetMemoryUtilizationPercentage | int | `50` |  |
 | defaultBackend.containerSecurityContext | object | `{}` | Security context for default backend containers |
 | defaultBackend.enabled | bool | `false` |  |
-| defaultBackend.existingPsp | string | `""` | Use an existing PSP instead of creating one |
 | defaultBackend.extraArgs | object | `{}` |  |
 | defaultBackend.extraConfigMaps | list | `[]` |  |
 | defaultBackend.extraEnvs | list | `[]` | Additional environment variables to set for defaultBackend pods |
@ -550,7 +547,6 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | dhParam | string | `""` | A base64-encoded Diffie-Hellman parameter. This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` # Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param |
 | imagePullSecrets | list | `[]` | Optional array of imagePullSecrets containing private registry credentials # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ |
 | namespaceOverride | string | `""` | Override the deployment namespace; defaults to .Release.Namespace |
-| podSecurityPolicy.enabled | bool | `false` |  |
 | portNamePrefix | string | `""` | Prefix for TCP and UDP ports names in ingress controller service # Some cloud providers, like Yandex Cloud may have a requirements for a port name regex to support cloud load balancer integration |
 | rbac.create | bool | `true` |  |
 | rbac.scope | bool | `false` |  |
--- a/charts/ingress-nginx/ci/deamonset-psp-values.yaml
+++ b/charts/ingress-nginx/ci/deamonset-psp-values.yaml
@ -1,13 +0,0 @@
-controller:
-  kind: DaemonSet
-  image:
-    repository: ingress-controller/controller
-    tag: 1.0.0-dev
-    digest: null
-  admissionWebhooks:
-    enabled: false
-  service:
-    type: ClusterIP
-
-podSecurityPolicy:
-  enabled: true
--- a/charts/ingress-nginx/ci/deamonset-webhook-and-psp-values.yaml
+++ b/charts/ingress-nginx/ci/deamonset-webhook-and-psp-values.yaml
@ -1,13 +0,0 @@
-controller:
-  kind: DaemonSet
-  image:
-    repository: ingress-controller/controller
-    tag: 1.0.0-dev
-    digest: null
-  admissionWebhooks:
-    enabled: true
-  service:
-    type: ClusterIP
-
-podSecurityPolicy:
-  enabled: true
--- a/charts/ingress-nginx/ci/deployment-psp-values.yaml
+++ b/charts/ingress-nginx/ci/deployment-psp-values.yaml
@ -1,10 +0,0 @@
-controller:
-  image:
-    repository: ingress-controller/controller
-    tag: 1.0.0-dev
-    digest: null
-  service:
-    type: ClusterIP
-
-podSecurityPolicy:
-  enabled: true
--- a/charts/ingress-nginx/ci/deployment-webhook-and-psp-values.yaml
+++ b/charts/ingress-nginx/ci/deployment-webhook-and-psp-values.yaml
@ -1,12 +0,0 @@
-controller:
-  image:
-    repository: ingress-controller/controller
-    tag: 1.0.0-dev
-    digest: null
-  admissionWebhooks:
-    enabled: true
-  service:
-    type: ClusterIP
-
-podSecurityPolicy:
-  enabled: true
--- a/charts/ingress-nginx/templates/_helpers.tpl
+++ b/charts/ingress-nginx/templates/_helpers.tpl
@ -235,17 +235,6 @@ readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem }
 {{- end -}}
 {{- end -}}

-{{/*
-Return the appropriate apiGroup for PodSecurityPolicy.
-*/}}
-{{- define "podSecurityPolicy.apiGroup" -}}
-{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
-{{- print "policy" -}}
-{{- else -}}
-{{- print "extensions" -}}
-{{- end -}}
-{{- end -}}
-
 {{/*
 Extra modules.
 */}}
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
@ -20,14 +20,4 @@ rules:
    verbs:
      - get
      - update
-{{- if .Values.podSecurityPolicy.enabled }}
-  - apiGroups:      [{{ template "podSecurityPolicy.apiGroup" . }}]
-    resources:      ['podsecuritypolicies']
-    verbs:          ['use']
-    {{- with .Values.controller.admissionWebhooks.existingPsp }}
-    resourceNames:  [{{ . }}]
-    {{- else }}
-    resourceNames:  [{{ include "ingress-nginx.admissionWebhooks.fullname" . }}]
-    {{- end }}
-{{- end }}
 {{- end }}
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml
@ -1,52 +0,0 @@
-{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
-{{- if and .Values.podSecurityPolicy.enabled .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}}
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
-  annotations:
-    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
-    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
-  labels:
-    {{- include "ingress-nginx.labels" . | nindent 4 }}
-    app.kubernetes.io/component: admission-webhook
-    {{- with .Values.controller.admissionWebhooks.patch.labels }}
-    {{- toYaml . | nindent 4 }}
-    {{- end }}
-spec:
-  privileged: false
-  hostPID: false
-  hostIPC: false
-  hostNetwork: false
-  volumes:
-    - configMap
-    - downwardAPI
-    - emptyDir
-    - secret
-    - projected
-  fsGroup:
-    rule: MustRunAs
-    ranges:
-      - min: 1
-        max: 65535
-  readOnlyRootFilesystem: true
-  runAsUser:
-    rule: MustRunAsNonRoot
-  runAsGroup:
-    rule: MustRunAs
-    ranges:
-      - min: 1
-        max: 65535
-  supplementalGroups:
-    rule: MustRunAs
-    ranges:
-      - min: 1
-        max: 65535
-  allowPrivilegeEscalation: false
-  requiredDropCapabilities:
-    - ALL
-  seLinux:
-    rule: RunAsAny
-{{- end }}
-{{- end }}
--- a/charts/ingress-nginx/templates/controller-psp.yaml
+++ b/charts/ingress-nginx/templates/controller-psp.yaml
@ -1,100 +0,0 @@
-{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
-{{- if and .Values.podSecurityPolicy.enabled (empty .Values.controller.existingPsp) -}}
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: {{ include "ingress-nginx.fullname" . }}
-  annotations:
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
-  labels:
-    {{- include "ingress-nginx.labels" . | nindent 4 }}
-    app.kubernetes.io/component: controller
-    {{- with .Values.controller.labels }}
-    {{- toYaml . | nindent 4 }}
-    {{- end }}
-spec:
-  privileged: false
-  hostPID: false
-  hostIPC: false
-  hostNetwork: {{ .Values.controller.hostNetwork }}
-{{- if or .Values.controller.hostNetwork .Values.controller.hostPort.enabled }}
-  hostPorts:
-  {{- if .Values.controller.hostNetwork }}
-  {{- range $key, $value := .Values.controller.containerPort }}
-    # controller.containerPort.{{ $key }}
-    - min: {{ $value }}
-      max: {{ $value }}
-  {{- end }}
-  {{- else if .Values.controller.hostPort.enabled }}
-  {{- range $key, $value := .Values.controller.hostPort.ports }}
-    # controller.hostPort.ports.{{ $key }}
-    - min: {{ $value }}
-      max: {{ $value }}
-  {{- end }}
-  {{- end }}
-  {{- if .Values.controller.metrics.enabled }}
-    # controller.metrics.port
-    - min: {{ .Values.controller.metrics.port }}
-      max: {{ .Values.controller.metrics.port }}
-  {{- end }}
-  {{- if .Values.controller.admissionWebhooks.enabled }}
-    # controller.admissionWebhooks.port
-    - min: {{ .Values.controller.admissionWebhooks.port }}
-      max: {{ .Values.controller.admissionWebhooks.port }}
-  {{- end }}
-  {{- range $key, $value := .Values.tcp }}
-    # tcp.{{ $key }}
-    - min: {{ $key }}
-      max: {{ $key }}
-  {{- end }}
-  {{- range $key, $value := .Values.udp }}
-    # udp.{{ $key }}
-    - min: {{ $key }}
-      max: {{ $key }}
-  {{- end }}
-{{- end }}
-  volumes:
-    - configMap
-    - downwardAPI
-    - emptyDir
-    - secret
-    - projected
-  fsGroup:
-    rule: MustRunAs
-    ranges:
-      - min: 1
-        max: 65535
-  readOnlyRootFilesystem: false
-  runAsUser:
-    rule: MustRunAsNonRoot
-  runAsGroup:
-    rule: MustRunAs
-    ranges:
-      - min: 1
-        max: 65535
-  supplementalGroups:
-    rule: MustRunAs
-    ranges:
-      - min: 1
-        max: 65535
-  allowPrivilegeEscalation: {{ or .Values.controller.image.allowPrivilegeEscalation .Values.controller.image.chroot }}
-  requiredDropCapabilities:
-    - ALL
-  allowedCapabilities:
-    - NET_BIND_SERVICE
-  {{- if .Values.controller.image.chroot }}
-  {{- if .Values.controller.image.seccompProfile }}
-    - SYS_ADMIN
-  {{- end }}
-    - SYS_CHROOT
-  {{- end }}
-  seLinux:
-    rule: RunAsAny
-{{- if .Values.controller.sysctls }}
-  allowedUnsafeSysctls:
-  {{- range $sysctl, $value := .Values.controller.sysctls }}
-    - {{ $sysctl }}
-  {{- end }}
-{{- end }}
-{{- end }}
-{{- end }}
--- a/charts/ingress-nginx/templates/controller-role.yaml
+++ b/charts/ingress-nginx/templates/controller-role.yaml
@ -91,14 +91,4 @@ rules:
      - list
      - watch
      - get
-{{- if .Values.podSecurityPolicy.enabled }}
-  - apiGroups:      [{{ template "podSecurityPolicy.apiGroup" . }}]
-    resources:      ['podsecuritypolicies']
-    verbs:          ['use']
-    {{- with .Values.controller.existingPsp }}
-    resourceNames:  [{{ . }}]
-    {{- else }}
-    resourceNames:  [{{ include "ingress-nginx.fullname" . }}]
-    {{- end }}
-{{- end }}
 {{- end }}
--- a/charts/ingress-nginx/templates/default-backend-psp.yaml
+++ b/charts/ingress-nginx/templates/default-backend-psp.yaml
@ -1,50 +0,0 @@
-{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
-{{- if and .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled (empty .Values.defaultBackend.existingPsp) -}}
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: {{ include "ingress-nginx.fullname" . }}-backend
-  annotations:
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
-  labels:
-    {{- include "ingress-nginx.labels" . | nindent 4 }}
-    app.kubernetes.io/component: default-backend
-    {{- with .Values.defaultBackend.labels }}
-    {{- toYaml . | nindent 4 }}
-    {{- end }}
-spec:
-  privileged: false
-  hostPID: false
-  hostIPC: false
-  hostNetwork: false
-  volumes:
-    - configMap
-    - downwardAPI
-    - emptyDir
-    - secret
-    - projected
-  fsGroup:
-    rule: MustRunAs
-    ranges:
-      - min: 1
-        max: 65535
-  readOnlyRootFilesystem: true
-  runAsUser:
-    rule: MustRunAsNonRoot
-  runAsGroup:
-    rule: MustRunAs
-    ranges:
-      - min: 1
-        max: 65535
-  supplementalGroups:
-    rule: MustRunAs
-    ranges:
-      - min: 1
-        max: 65535
-  allowPrivilegeEscalation: false
-  requiredDropCapabilities:
-    - ALL
-  seLinux:
-    rule: RunAsAny
-{{- end }}
-{{- end }}
--- a/charts/ingress-nginx/templates/default-backend-role.yaml
+++ b/charts/ingress-nginx/templates/default-backend-role.yaml
@ -1,22 +0,0 @@
-{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  labels:
-    {{- include "ingress-nginx.labels" . | nindent 4 }}
-    app.kubernetes.io/component: default-backend
-    {{- with .Values.defaultBackend.labels }}
-    {{- toYaml . | nindent 4 }}
-    {{- end }}
-  name: {{ include "ingress-nginx.fullname" . }}-backend
-  namespace: {{ include "ingress-nginx.namespace" . }}
-rules:
-  - apiGroups:      [{{ template "podSecurityPolicy.apiGroup" . }}]
-    resources:      ['podsecuritypolicies']
-    verbs:          ['use']
-    {{- with .Values.defaultBackend.existingPsp }}
-    resourceNames:  [{{ . }}]
-    {{- else }}
-    resourceNames:  [{{ include "ingress-nginx.fullname" . }}-backend]
-    {{- end }}
-{{- end }}
--- a/charts/ingress-nginx/templates/default-backend-rolebinding.yaml
+++ b/charts/ingress-nginx/templates/default-backend-rolebinding.yaml
@ -1,21 +0,0 @@
-{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  labels:
-    {{- include "ingress-nginx.labels" . | nindent 4 }}
-    app.kubernetes.io/component: default-backend
-    {{- with .Values.defaultBackend.labels }}
-    {{- toYaml . | nindent 4 }}
-    {{- end }}
-  name: {{ include "ingress-nginx.fullname" . }}-backend
-  namespace: {{ include "ingress-nginx.namespace" . }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ include "ingress-nginx.fullname" . }}-backend
-subjects:
-  - kind: ServiceAccount
-    name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }}
-    namespace: {{ include "ingress-nginx.namespace" . }}
-{{- end }}
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@ -41,8 +41,6 @@ controller:
    seccompProfile:
      type: RuntimeDefault
    readOnlyRootFilesystem: false
-  # -- Use an existing PSP instead of creating one
-  existingPsp: ""
  # -- Configures the controller container name
  containerName: controller
  # -- Configures the ports that the nginx-controller listens on
@ -758,8 +756,6 @@ controller:
    objectSelector: {}
    # -- Labels to be added to admission webhooks
    labels: {}
-    # -- Use an existing PSP instead of creating one
-    existingPsp: ""
    service:
      annotations: {}
      # clusterIP: ""
@ -979,8 +975,6 @@ defaultBackend:
    seccompProfile:
      type: RuntimeDefault
    readOnlyRootFilesystem: true
-  # -- Use an existing PSP instead of creating one
-  existingPsp: ""
  extraArgs: {}
  serviceAccount:
    create: true
@ -1166,10 +1160,6 @@ defaultBackend:
 rbac:
  create: true
  scope: false
-## If true, create & use Pod Security Policy resources
-## https://kubernetes.io/docs/concepts/policy/pod-security-policy/
-podSecurityPolicy:
-  enabled: false
 serviceAccount:
  create: true
  name: ""