Remove PodSecurityPolicy support and references (#10723)

This is removed from kubernetes since 1.25, time to cut some dead code.

roles/kubernetes/control-plane/tasks/kubeadm-setup.yml

@@ -232,12 +232,6 @@
   tags:
     - kubeadm_token
 
-- name: PodSecurityPolicy | install PodSecurityPolicy
-  include_tasks: psp-install.yml
-  when:
-    - podsecuritypolicy_enabled
-    - inventory_hostname == first_kube_control_plane
-
 - name: Kubeadm | Join other masters
   include_tasks: kubeadm-secondary.yml
 

roles/kubernetes/control-plane/tasks/main.yml

@@ -80,11 +80,6 @@
     - upgrade
   ignore_errors: true  # noqa ignore-errors
 
-- name: Disable SecurityContextDeny admission-controller and enable PodSecurityPolicy
-  set_fact:
-    kube_apiserver_enable_admission_plugins: "{{ kube_apiserver_enable_admission_plugins | difference(['SecurityContextDeny']) | union(['PodSecurityPolicy']) | unique }}"
-  when: podsecuritypolicy_enabled
-
 - name: Define nodes already joined to existing cluster and first_kube_control_plane
   import_tasks: define-first-kube-control.yml
 

roles/kubernetes/control-plane/tasks/psp-install.yml

@@ -1,38 +0,0 @@
----
-- name: Check AppArmor status
-  command: which apparmor_parser
-  register: apparmor_status
-  failed_when: false
-  changed_when: apparmor_status.rc != 0
-
-- name: Set apparmor_enabled
-  set_fact:
-    apparmor_enabled: "{{ apparmor_status.rc == 0 }}"
-
-- name: Render templates for PodSecurityPolicy
-  template:
-    src: "{{ item.file }}.j2"
-    dest: "{{ kube_config_dir }}/{{ item.file }}"
-    mode: 0640
-  register: psp_manifests
-  with_items:
-    - {file: psp.yml, type: psp, name: psp}
-    - {file: psp-cr.yml, type: clusterrole, name: psp-cr}
-    - {file: psp-crb.yml, type: rolebinding, name: psp-crb}
-
-- name: Add policies, roles, bindings for PodSecurityPolicy
-  kube:
-    name: "{{ item.item.name }}"
-    kubectl: "{{ bin_dir }}/kubectl"
-    resource: "{{ item.item.type }}"
-    filename: "{{ kube_config_dir }}/{{ item.item.file }}"
-    state: "latest"
-  register: result
-  until: result is succeeded
-  retries: 10
-  delay: 6
-  with_items: "{{ psp_manifests.results }}"
-  environment:
-    KUBECONFIG: "{{ kube_config_dir }}/admin.conf"
-  loop_control:
-    label: "{{ item.item.file }}"

roles/kubernetes/control-plane/templates/psp-cr.yml.j2

@@ -1,32 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: psp:privileged
-  labels:
-    addonmanager.kubernetes.io/mode: Reconcile
-rules:
-- apiGroups:
-  - policy
-  resourceNames:
-  - privileged
-  resources:
-  - podsecuritypolicies
-  verbs:
-  - use
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: psp:restricted
-  labels:
-    addonmanager.kubernetes.io/mode: Reconcile
-rules:
-- apiGroups:
-  - policy
-  resourceNames:
-  - restricted
-  resources:
-  - podsecuritypolicies
-  verbs:
-  - use

roles/kubernetes/control-plane/templates/psp-crb.yml.j2

@@ -1,54 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: psp:any:restricted
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: psp:restricted
-subjects:
-- kind: Group
-  name: system:authenticated
-  apiGroup: rbac.authorization.k8s.io
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: psp:kube-system:privileged
-  namespace: kube-system
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: psp:privileged
-subjects:
-- kind: Group
-  name: system:masters
-  apiGroup: rbac.authorization.k8s.io
-- kind: Group
-  name: system:serviceaccounts:kube-system
-  apiGroup: rbac.authorization.k8s.io
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: psp:nodes:privileged
-  namespace: kube-system
-  annotations:
-    kubernetes.io/description: 'Allow nodes to create privileged pods. Should
-      be used in combination with the NodeRestriction admission plugin to limit
-      nodes to mirror pods bound to themselves.'
-  labels:
-    addonmanager.kubernetes.io/mode: Reconcile
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: psp:privileged
-subjects:
-  - kind: Group
-    apiGroup: rbac.authorization.k8s.io
-    name: system:nodes
-  - kind: User
-    apiGroup: rbac.authorization.k8s.io
-    # Legacy node ID
-    name: kubelet

roles/kubernetes/control-plane/templates/psp.yml.j2

@@ -1,27 +0,0 @@
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: restricted
-  annotations:
-    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'runtime/default'
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
-{% if apparmor_enabled %}
-    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
-    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
-{% endif %}
-  labels:
-    addonmanager.kubernetes.io/mode: Reconcile
-spec:
-  {{ podsecuritypolicy_restricted_spec | to_yaml(indent=2, width=1337) | indent(width=2) }}
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: privileged
-  annotations:
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
-  labels:
-    addonmanager.kubernetes.io/mode: Reconcile
-spec:
-  {{ podsecuritypolicy_privileged_spec | to_yaml(indent=2, width=1337) | indent(width=2) }}

roles/kubernetes/node/defaults/main.yml

@@ -102,7 +102,6 @@ loadbalancer_apiserver_pod_name: "{% if loadbalancer_apiserver_type == 'nginx' %
 #   - extensions/v1beta1/deployments=true
 #   - extensions/v1beta1/replicasets=true
 #   - extensions/v1beta1/networkpolicies=true
-#   - extensions/v1beta1/podsecuritypolicies=true
 
 # A port range to reserve for services with NodePort visibility.
 # Inclusive at both ends of the range.