Remove PodSecurityPolicies (#110)

* Removes PSPs
Dynatrace · Aug 19, 2021 · 9659008 · 9659008
1 parent b9dcb0c
commit 9659008
Show file tree

Hide file tree

Showing 69 changed files with 8,289 additions and 5,493 deletions.
diff --git a/...nt-operator-google-marketplace/chart/dynatrace-oneagent-operator/templates/configmap.yaml b/...nt-operator-google-marketplace/chart/dynatrace-oneagent-operator/templates/configmap.yaml
@@ -20,179 +20,6 @@ metadata:
   labels:
     {{- include "dynatrace-oneagent-operator.commonlabels" . | nindent 4 }}
 data:
-  psp-operator.yaml: |
-    apiVersion: policy/v1beta1
-    kind: PodSecurityPolicy
-    metadata:
-      name: dynatrace-oneagent-operator
-      annotations:
-        seccomp.security.alpha.kubernetes.io/allowedProfileNames: "docker/default"
-        apparmor.security.beta.kubernetes.io/allowedProfileNames: "runtime/default"
-        seccomp.security.alpha.kubernetes.io/defaultProfileName: "docker/default"
-        apparmor.security.beta.kubernetes.io/defaultProfileName: "runtime/default"
-      labels:
-        {{- include "dynatrace-oneagent-operator.commonlabels" . | nindent 8 }}
-      ownerReferences:
-      - apiVersion: v1beta1
-        blockOwnerDeletion: true
-        kind: Application
-        name: {{ .Release.Name }}
-        uid: ##UID##
-    spec:
-      privileged: false
-      allowPrivilegeEscalation: false
-      readOnlyRootFilesystem: true
-      requiredDropCapabilities:
-        - ALL
-      volumes:
-        - "configMap"
-        - "emptyDir"
-        - "projected"
-        - "secret"
-        - "downwardAPI"
-        - "persistentVolumeClaim"
-      hostNetwork: false
-      hostIPC: false
-      hostPID: false
-      runAsUser:
-        rule: "MustRunAsNonRoot"
-      seLinux:
-        rule: "RunAsAny"
-      supplementalGroups:
-        rule: "RunAsAny"
-      fsGroup:
-        rule: "RunAsAny"
-  psp-oneagent.yaml: |
-    apiVersion: policy/v1beta1
-    kind: PodSecurityPolicy
-    metadata:
-      name: dynatrace-oneagent
-      annotations:
-        seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
-      labels:
-        {{- include "dynatrace-oneagent-operator.commonlabels" . | nindent 8 }}
-      ownerReferences:
-      - apiVersion: v1beta1
-        blockOwnerDeletion: true
-        kind: Application
-        name: {{ .Release.Name }}
-        uid: ##UID##
-    spec:
-      privileged: true
-      allowPrivilegeEscalation: true
-      allowedCapabilities:
-        - "*"
-      volumes:
-        - "*"
-      hostNetwork: true
-      hostIPC: true
-      hostPID: true
-      hostPorts:
-        - min: 0
-          max: 65535
-      runAsUser:
-        rule: "RunAsAny"
-      seLinux:
-        rule: "RunAsAny"
-      supplementalGroups:
-        rule: "RunAsAny"
-      fsGroup:
-        rule: "RunAsAny"
-  psp-webhook.yaml: |
-    apiVersion: policy/v1beta1
-    kind: PodSecurityPolicy
-    metadata:
-      name: dynatrace-oneagent-webhook
-      annotations:
-        seccomp.security.alpha.kubernetes.io/allowedProfileNames: "docker/default"
-        apparmor.security.beta.kubernetes.io/allowedProfileNames: "runtime/default"
-        seccomp.security.alpha.kubernetes.io/defaultProfileName: "docker/default"
-        apparmor.security.beta.kubernetes.io/defaultProfileName: "runtime/default"
-      labels:
-        {{- include "dynatrace-oneagent-operator.commonlabels" . | nindent 8 }}
-      ownerReferences:
-      - apiVersion: v1beta1
-        blockOwnerDeletion: true
-        kind: Application
-        name: {{ .Release.Name }}
-        uid: ##UID##
-    spec:
-      privileged: false
-      allowPrivilegeEscalation: false
-      readOnlyRootFilesystem: true
-      requiredDropCapabilities:
-        - ALL
-      volumes:
-        - "configMap"
-        - "emptyDir"
-        - "projected"
-        - "secret"
-        - "downwardAPI"
-        - "persistentVolumeClaim"
-      hostNetwork: false
-      hostIPC: false
-      hostPID: false
-      runAsUser:
-        rule: "MustRunAsNonRoot"
-      seLinux:
-        rule: "RunAsAny"
-      supplementalGroups:
-        rule: "RunAsAny"
-      fsGroup:
-        rule: "RunAsAny"
-  psp-oneagent-unprivileged.yaml: |
-    apiVersion: policy/v1beta1
-    kind: PodSecurityPolicy
-    metadata:
-      name: dynatrace-oneagent-unprivileged
-      annotations:
-        apparmor.security.beta.kubernetes.io/allowedProfileNames: "unconfined"
-        seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
-      labels:
-        {{- include "dynatrace-oneagent-operator.commonlabels" . | nindent 8 }}
-      ownerReferences:
-      - apiVersion: v1beta1
-        blockOwnerDeletion: true
-        kind: Application
-        name: {{ .Release.Name }}
-        uid: ##UID##
-    spec:
-      privileged: false
-      allowPrivilegeEscalation: true
-      allowedCapabilities:
-        - CHOWN
-        - DAC_OVERRIDE
-        - DAC_READ_SEARCH
-        - FOWNER
-        - FSETID
-        - KILL
-        - NET_ADMIN
-        - NET_RAW
-        - SETFCAP
-        - SETGID
-        - SETUID
-        - SYS_ADMIN
-        - SYS_CHROOT
-        - SYS_PTRACE
-        - SYS_RESOURCE
-      requiredDropCapabilities:
-        - ALL
-      volumes:
-        - "*"
-      hostNetwork: true
-      hostIPC: true
-      hostPID: true
-      hostPorts:
-        - min: 0
-          max: 65535
-      runAsUser:
-        rule: "RunAsAny"
-      seLinux:
-        rule: "RunAsAny"
-      supplementalGroups:
-        rule: "RunAsAny"
-      fsGroup:
-        rule: "RunAsAny"
   oneagentapm_crd.yaml: |
     apiVersion: apiextensions.k8s.io/v1beta1
     kind: CustomResourceDefinition

diff --git a/...tor-google-marketplace/chart/dynatrace-oneagent-operator/templates/configuration-job.yaml b/...tor-google-marketplace/chart/dynatrace-oneagent-operator/templates/configuration-job.yaml
@@ -31,10 +31,6 @@ spec:
         - "-ec"
         - |
           uid=$(kubectl get application {{ .Release.Name }} -n {{ .Release.Namespace }} -o jsonpath='{.metadata.uid}')
-          sed "s/##UID##/${uid}/g" /objects/psp-operator.yaml | kubectl apply -f -
-          sed "s/##UID##/${uid}/g" /objects/psp-oneagent.yaml | kubectl apply -f -
-          sed "s/##UID##/${uid}/g" /objects/psp-webhook.yaml | kubectl apply -f -
-          sed "s/##UID##/${uid}/g" /objects/psp-oneagent-unprivileged.yaml | kubectl apply -f -
           sed "s/##UID##/${uid}/g" /objects/mutatingwebhookconfiguration.yaml | kubectl apply -f -
           sed "s/##UID##/${uid}/g" /objects/oneagentapm_crd.yaml | kubectl apply -f -
           sed "s/##UID##/${uid}/g" /objects/oneagent_crd.yaml | kubectl apply -f -

diff --git a/dynatrace-oneagent-operator-google-marketplace/schema.yaml b/dynatrace-oneagent-operator-google-marketplace/schema.yaml
@@ -227,14 +227,6 @@ properties:
                   - get
                   - update
                   - create
-              - apiGroups:
-                  - policy
-                resources:
-                  - podsecuritypolicies
-                resourceNames:
-                  - dynatrace-oneagent-webhook
-                verbs:
-                  - use
   operatorServiceAccount:
     type: string
     title: Service account used by the Dynatrace OneAgent Operator
@@ -385,14 +377,6 @@ properties:
                   - get
                   - update
                   - create
-              - apiGroups:
-                  - policy
-                resources:
-                  - podsecuritypolicies
-                resourceNames:
-                  - dynatrace-oneagent-operator
-                verbs:
-                  - use
   oneagentServiceAccount:
     type: string
     title: Service account used by the Dynatrace OneAgent
@@ -405,14 +389,7 @@ properties:
           - type: Role
             rulesType: CUSTOM
             rules:
-              - apiGroups:
-                  - policy
-                resources:
-                  - podsecuritypolicies
-                resourceNames:
-                  - dynatrace-oneagent
-                verbs:
-                  - use
+
   oneagentUnprivilegedServiceAccount:
     type: string
     title: Service account used by the unprivileged Dynatrace OneAgent
@@ -425,14 +402,7 @@ properties:
           - type: Role
             rulesType: CUSTOM
             rules:
-              - apiGroups:
-                  - policy
-                resources:
-                  - podsecuritypolicies
-                resourceNames:
-                  - dynatrace-oneagent-unprivileged
-                verbs:
-                  - use
+
   configurationServiceAccount:
     type: string
     title: Service account used to configure the Dynatrace OneAgent Operator
@@ -455,15 +425,6 @@ properties:
                   - list
                   - create
                   - patch
-              - apiGroups:
-                  - policy
-                resources:
-                  - podsecuritypolicies
-                verbs:
-                  - get
-                  - list
-                  - create
-                  - patch
               - apiGroups:
                   - apiextensions.k8s.io
                 resources:

diff --git a/...trace-oneagent-operator/templates/Kubernetes/podsecuritypolicy-oneagent-unprivileged.yaml b/...trace-oneagent-operator/templates/Kubernetes/podsecuritypolicy-oneagent-unprivileged.yaml
diff --git a/dynatrace-oneagent-operator/templates/Kubernetes/podsecuritypolicy-oneagent.yaml b/dynatrace-oneagent-operator/templates/Kubernetes/podsecuritypolicy-oneagent.yaml