Remove PodSecurityPolicy support and references (#10723)

This is removed from kubernetes since 1.25, time to cut some dead code.
2026-05-20 07:17:45 -02:30 · 2023-12-18 14:13:43 +01:00
parent 7395c27932
commit 471326f458
32 changed files with 4 additions and 619 deletions
--- a/roles/kubernetes/control-plane/templates/psp-cr.yml.j2
+++ b/roles/kubernetes/control-plane/templates/psp-cr.yml.j2
@@ -1,32 +0,0 @@
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: psp:privileged
-  labels:
-    addonmanager.kubernetes.io/mode: Reconcile
-rules:
- apiGroups:
-  - policy
-  resourceNames:
-  - privileged
-  resources:
-  - podsecuritypolicies
-  verbs:
-  - use
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: psp:restricted
-  labels:
-    addonmanager.kubernetes.io/mode: Reconcile
-rules:
- apiGroups:
-  - policy
-  resourceNames:
-  - restricted
-  resources:
-  - podsecuritypolicies
-  verbs:
-  - use
--- a/roles/kubernetes/control-plane/templates/psp-crb.yml.j2
+++ b/roles/kubernetes/control-plane/templates/psp-crb.yml.j2
@@ -1,54 +0,0 @@
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: psp:any:restricted
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: psp:restricted
-subjects:
- kind: Group
-  name: system:authenticated
-  apiGroup: rbac.authorization.k8s.io
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: psp:kube-system:privileged
-  namespace: kube-system
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: psp:privileged
-subjects:
- kind: Group
-  name: system:masters
-  apiGroup: rbac.authorization.k8s.io
- kind: Group
-  name: system:serviceaccounts:kube-system
-  apiGroup: rbac.authorization.k8s.io
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: psp:nodes:privileged
-  namespace: kube-system
-  annotations:
-    kubernetes.io/description: 'Allow nodes to create privileged pods. Should
-      be used in combination with the NodeRestriction admission plugin to limit
-      nodes to mirror pods bound to themselves.'
-  labels:
-    addonmanager.kubernetes.io/mode: Reconcile
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: psp:privileged
-subjects:
-  - kind: Group
-    apiGroup: rbac.authorization.k8s.io
-    name: system:nodes
-  - kind: User
-    apiGroup: rbac.authorization.k8s.io
-    # Legacy node ID
-    name: kubelet
--- a/roles/kubernetes/control-plane/templates/psp.yml.j2
+++ b/roles/kubernetes/control-plane/templates/psp.yml.j2
@@ -1,27 +0,0 @@
---
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: restricted
-  annotations:
-    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'runtime/default'
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
-{% if apparmor_enabled %}
-    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
-    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
-{% endif %}
-  labels:
-    addonmanager.kubernetes.io/mode: Reconcile
-spec:
-  {{ podsecuritypolicy_restricted_spec | to_yaml(indent=2, width=1337) | indent(width=2) }}
---
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: privileged
-  annotations:
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
-  labels:
-    addonmanager.kubernetes.io/mode: Reconcile
-spec:
-  {{ podsecuritypolicy_privileged_spec | to_yaml(indent=2, width=1337) | indent(width=2) }}