[PodSecurityPolicy] Move the install of psp (#8744)

2026-02-28 09:39:12 +03:00 · 2022-05-09 18:21:19 +02:00
parent 02b6e4833a
commit 42fc71fafa
6 changed files with 44 additions and 47 deletions
--- a/roles/kubernetes-apps/cluster_roles/tasks/main.yml
+++ b/roles/kubernetes-apps/cluster_roles/tasks/main.yml
@@ -11,53 +11,6 @@
  delay: 6
  when: inventory_hostname == groups['kube_control_plane'][0]

- name: Kubernetes Apps | Check AppArmor status
-  command: which apparmor_parser
-  register: apparmor_status
-  when:
-    - podsecuritypolicy_enabled
-    - inventory_hostname == groups['kube_control_plane'][0]
-  failed_when: false
-
- name: Kubernetes Apps | Set apparmor_enabled
-  set_fact:
-    apparmor_enabled: "{{ apparmor_status.rc == 0 }}"
-  when:
-    - podsecuritypolicy_enabled
-    - inventory_hostname == groups['kube_control_plane'][0]
-
- name: Kubernetes Apps | Render templates for PodSecurityPolicy
-  template:
-    src: "{{ item.file }}.j2"
-    dest: "{{ kube_config_dir }}/{{ item.file }}"
-    mode: 0640
-  register: psp_manifests
-  with_items:
-    - {file: psp.yml, type: psp, name: psp}
-    - {file: psp-cr.yml, type: clusterrole, name: psp-cr}
-    - {file: psp-crb.yml, type: rolebinding, name: psp-crb}
-  when:
-    - podsecuritypolicy_enabled
-    - inventory_hostname == groups['kube_control_plane'][0]
-
- name: Kubernetes Apps | Add policies, roles, bindings for PodSecurityPolicy
-  kube:
-    name: "{{ item.item.name }}"
-    kubectl: "{{ bin_dir }}/kubectl"
-    resource: "{{ item.item.type }}"
-    filename: "{{ kube_config_dir }}/{{ item.item.file }}"
-    state: "latest"
-  register: result
-  until: result is succeeded
-  retries: 10
-  delay: 6
-  with_items: "{{ psp_manifests.results }}"
-  when:
-    - inventory_hostname == groups['kube_control_plane'][0]
-    - not item is skipped
-  loop_control:
-    label: "{{ item.item.file }}"
-
 - name: Kubernetes Apps | Add ClusterRoleBinding to admit nodes
  template:
    src: "node-crb.yml.j2"
--- a/roles/kubernetes-apps/cluster_roles/templates/psp-cr.yml.j2
+++ b/roles/kubernetes-apps/cluster_roles/templates/psp-cr.yml.j2
@@ -1,32 +0,0 @@
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: psp:privileged
-  labels:
-    addonmanager.kubernetes.io/mode: Reconcile
-rules:
- apiGroups:
-  - policy
-  resourceNames:
-  - privileged
-  resources:
-  - podsecuritypolicies
-  verbs:
-  - use
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: psp:restricted
-  labels:
-    addonmanager.kubernetes.io/mode: Reconcile
-rules:
- apiGroups:
-  - policy
-  resourceNames:
-  - restricted
-  resources:
-  - podsecuritypolicies
-  verbs:
-  - use
--- a/roles/kubernetes-apps/cluster_roles/templates/psp-crb.yml.j2
+++ b/roles/kubernetes-apps/cluster_roles/templates/psp-crb.yml.j2
@@ -1,54 +0,0 @@
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: psp:any:restricted
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: psp:restricted
-subjects:
- kind: Group
-  name: system:authenticated
-  apiGroup: rbac.authorization.k8s.io
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: psp:kube-system:privileged
-  namespace: kube-system
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: psp:privileged
-subjects:
- kind: Group
-  name: system:masters
-  apiGroup: rbac.authorization.k8s.io
- kind: Group
-  name: system:serviceaccounts:kube-system
-  apiGroup: rbac.authorization.k8s.io
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: psp:nodes:privileged
-  namespace: kube-system
-  annotations:
-    kubernetes.io/description: 'Allow nodes to create privileged pods. Should
-      be used in combination with the NodeRestriction admission plugin to limit
-      nodes to mirror pods bound to themselves.'
-  labels:
-    addonmanager.kubernetes.io/mode: Reconcile
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: psp:privileged
-subjects:
-  - kind: Group
-    apiGroup: rbac.authorization.k8s.io
-    name: system:nodes
-  - kind: User
-    apiGroup: rbac.authorization.k8s.io
-    # Legacy node ID
-    name: kubelet
--- a/roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2
+++ b/roles/kubernetes-apps/cluster_roles/templates/psp.yml.j2
@@ -1,27 +0,0 @@
---
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: restricted
-  annotations:
-    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'runtime/default'
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
-{% if apparmor_enabled %}
-    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
-    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
-{% endif %}
-  labels:
-    addonmanager.kubernetes.io/mode: Reconcile
-spec:
-  {{ podsecuritypolicy_restricted_spec | to_yaml(indent=2, width=1337) | indent(width=2) }}
---
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: privileged
-  annotations:
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
-  labels:
-    addonmanager.kubernetes.io/mode: Reconcile
-spec:
-  {{ podsecuritypolicy_privileged_spec | to_yaml(indent=2, width=1337) | indent(width=2) }}