Remove PodSecurityPolicy support and references (#10723)

This is removed from kubernetes since 1.25, time to cut some dead code.

roles/kubernetes-apps/ansible/defaults/main.yml

@@ -81,7 +81,7 @@ netchecker_etcd_memory_limit: 256M
 netchecker_etcd_cpu_requests: 100m
 netchecker_etcd_memory_requests: 128M
 
-# SecurityContext when PodSecurityPolicy is enabled
+# SecurityContext (user/group)
 netchecker_agent_user: 1000
 netchecker_server_user: 1000
 netchecker_agent_group: 1000

roles/kubernetes-apps/ansible/tasks/netchecker.yml

@@ -24,15 +24,6 @@
       - {file: netchecker-server-clusterrolebinding.yml, type: clusterrolebinding, name: netchecker-server}
       - {file: netchecker-server-deployment.yml, type: deployment, name: netchecker-server}
       - {file: netchecker-server-svc.yml, type: svc, name: netchecker-service}
-    netchecker_templates_for_psp:
-      - {file: netchecker-agent-hostnet-psp.yml, type: podsecuritypolicy, name: netchecker-agent-hostnet-policy}
-      - {file: netchecker-agent-hostnet-clusterrole.yml, type: clusterrole, name: netchecker-agent}
-      - {file: netchecker-agent-hostnet-clusterrolebinding.yml, type: clusterrolebinding, name: netchecker-agent}
-
-- name: Kubernetes Apps | Append extra templates to Netchecker Templates list for PodSecurityPolicy
-  set_fact:
-    netchecker_templates: "{{ netchecker_templates_for_psp + netchecker_templates }}"
-  when: podsecuritypolicy_enabled
 
 - name: Kubernetes Apps | Lay Down Netchecker Template
   template:

roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-clusterrole.yml.j2

@@ -1,14 +0,0 @@
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: psp:netchecker-agent-hostnet
-  namespace: {{ netcheck_namespace }}
-rules:
-  - apiGroups:
-    - policy
-    resourceNames:
-    - netchecker-agent-hostnet
-    resources:
-    - podsecuritypolicies
-    verbs:
-    - use

roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-clusterrolebinding.yml.j2

@@ -1,13 +0,0 @@
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: psp:netchecker-agent-hostnet
-  namespace: {{ netcheck_namespace }}
-subjects:
-  - kind: ServiceAccount
-    name: netchecker-agent
-    namespace: {{ netcheck_namespace }}
-roleRef:
-  kind: ClusterRole
-  name: psp:netchecker-agent-hostnet
-  apiGroup: rbac.authorization.k8s.io

roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-psp.yml.j2

@@ -1,44 +0,0 @@
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: netchecker-agent-hostnet
-  annotations:
-    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'runtime/default'
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
-{% if apparmor_enabled %}
-    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
-    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
-{% endif %}
-  labels:
-    addonmanager.kubernetes.io/mode: Reconcile
-spec:
-  privileged: false
-  allowPrivilegeEscalation: false
-  requiredDropCapabilities:
-    - ALL
-  volumes:
-    - 'configMap'
-    - 'emptyDir'
-    - 'projected'
-    - 'secret'
-    - 'downwardAPI'
-    - 'persistentVolumeClaim'
-  hostNetwork: true
-  hostIPC: false
-  hostPID: false
-  runAsUser:
-    rule: 'MustRunAsNonRoot'
-  seLinux:
-    rule: 'RunAsAny'
-  supplementalGroups:
-    rule: 'MustRunAs'
-    ranges:
-      - min: 1
-        max: 65535
-  fsGroup:
-    rule: 'MustRunAs'
-    ranges:
-      - min: 1
-        max: 65535
-  readOnlyRootFilesystem: false

roles/kubernetes-apps/cluster_roles/defaults/main.yml

@@ -1,65 +0,0 @@
----
-
-podsecuritypolicy_restricted_spec:
-  privileged: false
-  allowPrivilegeEscalation: false
-  requiredDropCapabilities:
-    - ALL
-  volumes:
-    - 'configMap'
-    - 'emptyDir'
-    - 'projected'
-    - 'secret'
-    - 'downwardAPI'
-    - 'persistentVolumeClaim'
-  hostNetwork: false
-  hostIPC: false
-  hostPID: false
-  runAsUser:
-    rule: 'MustRunAsNonRoot'
-  seLinux:
-    rule: 'RunAsAny'
-  runAsGroup:
-    rule: 'MustRunAs'
-    ranges:
-      - min: 1
-        max: 65535
-  supplementalGroups:
-    rule: 'MustRunAs'
-    ranges:
-      - min: 1
-        max: 65535
-  fsGroup:
-    rule: 'MustRunAs'
-    ranges:
-      - min: 1
-        max: 65535
-  readOnlyRootFilesystem: false
-
-podsecuritypolicy_privileged_spec:
-  privileged: true
-  allowPrivilegeEscalation: true
-  allowedCapabilities:
-    - '*'
-  volumes:
-    - '*'
-  hostNetwork: true
-  hostPorts:
-    - min: 0
-      max: 65535
-  hostIPC: true
-  hostPID: true
-  runAsUser:
-    rule: 'RunAsAny'
-  seLinux:
-    rule: 'RunAsAny'
-  runAsGroup:
-    rule: 'RunAsAny'
-  supplementalGroups:
-    rule: 'RunAsAny'
-  fsGroup:
-    rule: 'RunAsAny'
-  readOnlyRootFilesystem: false
-  # This will fail if allowed-unsafe-sysctls is not set accordingly in kubelet flags
-  allowedUnsafeSysctls:
-    - '*'

roles/kubernetes-apps/csi_driver/gcp_pd/templates/gcp-pd-csi-setup.yml.j2

@@ -162,56 +162,6 @@ roleRef:
   name: csi-gce-pd-resizer-role
   apiGroup: rbac.authorization.k8s.io
 ---
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: csi-gce-pd-controller-deploy
-rules:
-  - apiGroups: ["policy"]
-    resources: ["podsecuritypolicies"]
-    verbs: ["use"]
-    resourceNames:
-      - csi-gce-pd-controller-psp
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: csi-gce-pd-controller-deploy
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: csi-gce-pd-controller-deploy
-subjects:
-  - kind: ServiceAccount
-    name: csi-gce-pd-controller-sa
-    namespace: kube-system
----
-
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: csi-gce-pd-node-deploy
-rules:
-  - apiGroups: ['policy']
-    resources: ['podsecuritypolicies']
-    verbs:     ['use']
-    resourceNames:
-    - csi-gce-pd-node-psp
----
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: csi-gce-pd-node
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: csi-gce-pd-node-deploy
-subjects:
-- kind: ServiceAccount
-  name: csi-gce-pd-node-sa
-  namespace: kube-system
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -288,4 +238,4 @@ subjects:
 roleRef:
   kind: Role
   name: csi-gce-pd-leaderelection-role
-  apiGroup: rbac.authorization.k8s.io
+  apiGroup: rbac.authorization.k8s.io

roles/kubernetes-apps/external_provisioner/cephfs_provisioner/tasks/main.yml

@@ -49,15 +49,6 @@
       - { name: rolebinding-cephfs-provisioner, file: rolebinding-cephfs-provisioner.yml, type: rolebinding }
       - { name: deploy-cephfs-provisioner, file: deploy-cephfs-provisioner.yml, type: deploy }
       - { name: sc-cephfs-provisioner, file: sc-cephfs-provisioner.yml, type: sc }
-    cephfs_provisioner_templates_for_psp:
-      - { name: psp-cephfs-provisioner, file: psp-cephfs-provisioner.yml, type: psp }
-
-- name: CephFS Provisioner | Append extra templates to CephFS Provisioner Templates list for PodSecurityPolicy
-  set_fact:
-    cephfs_provisioner_templates: "{{ cephfs_provisioner_templates_for_psp + cephfs_provisioner_templates }}"
-  when:
-    - podsecuritypolicy_enabled
-    - cephfs_provisioner_namespace != "kube-system"
 
 - name: CephFS Provisioner | Create manifests
   template:

roles/kubernetes-apps/external_provisioner/cephfs_provisioner/templates/clusterrole-cephfs-provisioner.yml.j2

@@ -20,7 +20,3 @@ rules:
   - apiGroups: [""]
     resources: ["secrets"]
     verbs: ["get", "create", "delete"]
-  - apiGroups: ["policy"]
-    resourceNames: ["cephfs-provisioner"]
-    resources: ["podsecuritypolicies"]
-    verbs: ["use"]

roles/kubernetes-apps/external_provisioner/cephfs_provisioner/templates/psp-cephfs-provisioner.yml.j2

@@ -1,44 +0,0 @@
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: cephfs-provisioner
-  annotations:
-    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'runtime/default'
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
-{% if apparmor_enabled %}
-    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
-    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
-{% endif %}
-  labels:
-    addonmanager.kubernetes.io/mode: Reconcile
-spec:
-  privileged: false
-  allowPrivilegeEscalation: false
-  requiredDropCapabilities:
-    - ALL
-  volumes:
-    - 'configMap'
-    - 'emptyDir'
-    - 'projected'
-    - 'secret'
-    - 'downwardAPI'
-    - 'persistentVolumeClaim'
-  hostNetwork: false
-  hostIPC: false
-  hostPID: false
-  runAsUser:
-    rule: 'RunAsAny'
-  seLinux:
-    rule: 'RunAsAny'
-  supplementalGroups:
-    rule: 'MustRunAs'
-    ranges:
-      - min: 1
-        max: 65535
-  fsGroup:
-    rule: 'MustRunAs'
-    ranges:
-      - min: 1
-        max: 65535
-  readOnlyRootFilesystem: false

roles/kubernetes-apps/external_provisioner/rbd_provisioner/tasks/main.yml

@@ -49,15 +49,6 @@
       - { name: rolebinding-rbd-provisioner, file: rolebinding-rbd-provisioner.yml, type: rolebinding }
       - { name: deploy-rbd-provisioner, file: deploy-rbd-provisioner.yml, type: deploy }
       - { name: sc-rbd-provisioner, file: sc-rbd-provisioner.yml, type: sc }
-    rbd_provisioner_templates_for_psp:
-      - { name: psp-rbd-provisioner, file: psp-rbd-provisioner.yml, type: psp }
-
-- name: RBD Provisioner | Append extra templates to RBD Provisioner Templates list for PodSecurityPolicy
-  set_fact:
-    rbd_provisioner_templates: "{{ rbd_provisioner_templates_for_psp + rbd_provisioner_templates }}"
-  when:
-    - podsecuritypolicy_enabled
-    - rbd_provisioner_namespace != "kube-system"
 
 - name: RBD Provisioner | Create manifests
   template:

roles/kubernetes-apps/external_provisioner/rbd_provisioner/templates/clusterrole-rbd-provisioner.yml.j2

@@ -24,7 +24,3 @@ rules:
   - apiGroups: [""]
     resources: ["secrets"]
     verbs: ["get", "create", "delete"]
-  - apiGroups: ["policy"]
-    resourceNames: ["rbd-provisioner"]
-    resources: ["podsecuritypolicies"]
-    verbs: ["use"]

roles/kubernetes-apps/external_provisioner/rbd_provisioner/templates/psp-rbd-provisioner.yml.j2

@@ -1,44 +0,0 @@
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: rbd-provisioner
-  annotations:
-    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'runtime/default'
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
-{% if apparmor_enabled %}
-    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
-    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
-{% endif %}
-  labels:
-    addonmanager.kubernetes.io/mode: Reconcile
-spec:
-  privileged: false
-  allowPrivilegeEscalation: false
-  requiredDropCapabilities:
-    - ALL
-  volumes:
-    - 'configMap'
-    - 'emptyDir'
-    - 'projected'
-    - 'secret'
-    - 'downwardAPI'
-    - 'persistentVolumeClaim'
-  hostNetwork: false
-  hostIPC: false
-  hostPID: false
-  runAsUser:
-    rule: 'RunAsAny'
-  seLinux:
-    rule: 'RunAsAny'
-  supplementalGroups:
-    rule: 'MustRunAs'
-    ranges:
-      - min: 1
-        max: 65535
-  fsGroup:
-    rule: 'MustRunAs'
-    ranges:
-      - min: 1
-        max: 65535
-  readOnlyRootFilesystem: false

roles/kubernetes-apps/metallb/tasks/main.yml

@@ -11,21 +11,6 @@
   when:
     - matallb_auto_assign is defined
 
-- name: Kubernetes Apps | Check AppArmor status
-  command: which apparmor_parser
-  register: apparmor_status
-  when:
-    - podsecuritypolicy_enabled
-    - inventory_hostname == groups['kube_control_plane'][0]
-  failed_when: false
-
-- name: Kubernetes Apps | Set apparmor_enabled
-  set_fact:
-    apparmor_enabled: "{{ apparmor_status.rc == 0 }}"
-  when:
-    - podsecuritypolicy_enabled
-    - inventory_hostname == groups['kube_control_plane'][0]
-
 - name: Kubernetes Apps | Lay Down MetalLB
   become: true
   template:

roles/kubernetes-apps/metallb/templates/metallb.yaml.j2

@@ -1504,14 +1504,6 @@ rules:
   verbs:
   - create
   - patch
-- apiGroups:
-  - policy
-  resourceNames:
-  - controller
-  resources:
-  - podsecuritypolicies
-  verbs:
-  - use
 - apiGroups:
   - admissionregistration.k8s.io
   resourceNames:
@@ -1597,14 +1589,6 @@ rules:
   verbs:
   - create
   - patch
-- apiGroups:
-  - policy
-  resourceNames:
-  - speaker
-  resources:
-  - podsecuritypolicies
-  verbs:
-  - use
 {% endif %}
 
 ---

roles/kubernetes-apps/registry/tasks/main.yml

@@ -42,17 +42,6 @@
       - { name: registry-secrets, file: registry-secrets.yml, type: secrets }
       - { name: registry-cm, file: registry-cm.yml, type: cm }
       - { name: registry-rs, file: registry-rs.yml, type: rs }
-    registry_templates_for_psp:
-      - { name: registry-psp, file: registry-psp.yml, type: psp }
-      - { name: registry-cr, file: registry-cr.yml, type: clusterrole }
-      - { name: registry-crb, file: registry-crb.yml, type: rolebinding }
-
-- name: Registry | Append extra templates to Registry Templates list for PodSecurityPolicy
-  set_fact:
-    registry_templates: "{{ registry_templates[:2] + registry_templates_for_psp + registry_templates[2:] }}"
-  when:
-    - podsecuritypolicy_enabled
-    - registry_namespace != "kube-system"
 
 - name: Registry | Append nginx ingress templates to Registry Templates list when ingress enabled
   set_fact:

roles/kubernetes-apps/registry/templates/registry-cr.yml.j2

@@ -1,15 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: psp:registry
-  namespace: {{ registry_namespace }}
-rules:
-  - apiGroups:
-    - policy
-    resourceNames:
-    - registry
-    resources:
-    - podsecuritypolicies
-    verbs:
-    - use

roles/kubernetes-apps/registry/templates/registry-crb.yml.j2

@@ -1,13 +0,0 @@
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: psp:registry
-  namespace: {{ registry_namespace }}
-subjects:
-  - kind: ServiceAccount
-    name: registry
-    namespace: {{ registry_namespace }}
-roleRef:
-  kind: ClusterRole
-  name: psp:registry
-  apiGroup: rbac.authorization.k8s.io

roles/kubernetes-apps/registry/templates/registry-psp.yml.j2

@@ -1,44 +0,0 @@
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: registry
-  annotations:
-    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'runtime/default'
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
-{% if apparmor_enabled %}
-    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
-    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
-{% endif %}
-  labels:
-    addonmanager.kubernetes.io/mode: Reconcile
-spec:
-  privileged: false
-  allowPrivilegeEscalation: false
-  requiredDropCapabilities:
-    - ALL
-  volumes:
-    - 'configMap'
-    - 'emptyDir'
-    - 'projected'
-    - 'secret'
-    - 'downwardAPI'
-    - 'persistentVolumeClaim'
-  hostNetwork: false
-  hostIPC: false
-  hostPID: false
-  runAsUser:
-    rule: 'RunAsAny'
-  seLinux:
-    rule: 'RunAsAny'
-  supplementalGroups:
-    rule: 'MustRunAs'
-    ranges:
-      - min: 1
-        max: 65535
-  fsGroup:
-    rule: 'MustRunAs'
-    ranges:
-      - min: 1
-        max: 65535
-  readOnlyRootFilesystem: false