Remove PSPs if k8s >=1.25 (#335)

metal-stack · Jul 21, 2023 · ec2b40c · ec2b40c
1 parent c9e6f67
commit ec2b40c
Show file tree

Hide file tree

Showing 13 changed files with 43 additions and 13 deletions.
diff --git a/charts/internal/shoot-control-plane/templates/audittailer.yaml b/charts/internal/shoot-control-plane/templates/audittailer.yaml
@@ -54,7 +54,7 @@ spec:
           runAsUser: 65534
           allowPrivilegeEscalation: false
           runAsNonRoot: true
-{{- if semverCompare ">= 1.19" .Values.kubernetesVersion }}
+{{- if semverCompare ">= 1.19" .Capabilities.KubeVersion.GitVersion }}
           seccompProfile:
             type: RuntimeDefault
 {{- end }}

diff --git a/charts/internal/shoot-control-plane/templates/firewall/droptailer.yaml b/charts/internal/shoot-control-plane/templates/firewall/droptailer.yaml
@@ -55,7 +55,7 @@ spec:
           runAsUser: 65534
           allowPrivilegeEscalation: false
           runAsNonRoot: true
-{{- if semverCompare ">= 1.19" .Values.kubernetesVersion }}
+{{- if semverCompare ">= 1.19" .Capabilities.KubeVersion.GitVersion }}
           seccompProfile:
             type: RuntimeDefault
 {{- end }}

diff --git a/charts/internal/shoot-control-plane/templates/metallb.yaml b/charts/internal/shoot-control-plane/templates/metallb.yaml
@@ -4,6 +4,7 @@ metadata:
   labels:
     app: metallb
   name: metallb-system
+{{- if semverCompare "< 1.25" .Capabilities.KubeVersion.GitVersion }}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
@@ -84,6 +85,7 @@ spec:
   - configMap
   - secret
   - emptyDir
+  {{- end }}
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -131,6 +133,7 @@ rules:
   verbs:
   - create
   - patch
+{{- if semverCompare "< 1.25" .Capabilities.KubeVersion.GitVersion }}
 - apiGroups:
   - policy
   resourceNames:
@@ -139,6 +142,7 @@ rules:
   - podsecuritypolicies
   verbs:
   - use
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -171,6 +175,7 @@ rules:
   verbs:
   - create
   - patch
+{{- if semverCompare "< 1.25" .Capabilities.KubeVersion.GitVersion }}
 - apiGroups:
   - policy
   resourceNames:
@@ -179,6 +184,7 @@ rules:
   - podsecuritypolicies
   verbs:
   - use
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -379,9 +385,7 @@ spec:
         operator: Exists
       - effect: NoExecute
         operator: Exists
-{{- if semverCompare ">= 1.17" .Values.kubernetesVersion }}
       priorityClassName: system-node-critical
-{{- end }}
 ---
 apiVersion: apps/v1
 kind: Deployment

diff --git a/charts/internal/shoot-control-plane/templates/node-init.yaml b/charts/internal/shoot-control-plane/templates/node-init.yaml
@@ -4,6 +4,7 @@ kind: ServiceAccount
 metadata:
   name: node-init
   namespace: kube-system
+{{- if semverCompare "< 1.25" .Capabilities.KubeVersion.GitVersion }}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
@@ -23,6 +24,7 @@ spec:
   volumes:
   - secret
   hostNetwork: true
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -37,6 +39,7 @@ rules:
   - watch
   - list
   - get
+{{- if semverCompare "< 1.25" .Capabilities.KubeVersion.GitVersion }}
 - apiGroups:
   - extensions
   resources:
@@ -45,6 +48,7 @@ rules:
   - node-init
   verbs:
   - use
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

diff --git a/charts/internal/shoot-control-plane/templates/rbac-duros.yaml b/charts/internal/shoot-control-plane/templates/rbac-duros.yaml
@@ -49,6 +49,7 @@ rules:
   - patch
   - update
   - watch
+{{- if semverCompare "< 1.25" .Capabilities.KubeVersion.GitVersion }}
 - apiGroups:
   - "policy"
   resources:
@@ -62,6 +63,7 @@ rules:
   - update
   - watch
   - use
+{{- end }}
 - apiGroups:
   - "rbac.authorization.k8s.io"
   resources:

diff --git a/...internal/shoot-control-plane/templates/snapshot.storage.k8s.io_volumesnapshotclasses.yaml b/...internal/shoot-control-plane/templates/snapshot.storage.k8s.io_volumesnapshotclasses.yaml
@@ -1,4 +1,4 @@
-{{- if semverCompare ">= 1.17" .Values.kubernetesVersion }}
+{{- if semverCompare ">= 1.17" .Capabilities.KubeVersion.GitVersion }}
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition

diff --git a/...nternal/shoot-control-plane/templates/snapshot.storage.k8s.io_volumesnapshotcontents.yaml b/...nternal/shoot-control-plane/templates/snapshot.storage.k8s.io_volumesnapshotcontents.yaml
@@ -1,5 +1,5 @@
 
-{{- if semverCompare ">= 1.17" .Values.kubernetesVersion }}
+{{- if semverCompare ">= 1.17" .Capabilities.KubeVersion.GitVersion }}
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition

diff --git a/charts/internal/shoot-control-plane/templates/snapshot.storage.k8s.io_volumesnapshots.yaml b/charts/internal/shoot-control-plane/templates/snapshot.storage.k8s.io_volumesnapshots.yaml
@@ -1,4 +1,4 @@
-{{- if semverCompare ">= 1.17" .Values.kubernetesVersion }}
+{{- if semverCompare ">= 1.17" .Capabilities.KubeVersion.GitVersion }}
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition

diff --git a/charts/internal/shoot-storageclasses/templates/storageclasses.yaml b/charts/internal/shoot-storageclasses/templates/storageclasses.yaml
@@ -127,6 +127,7 @@ kind: ServiceAccount
 metadata:
   name: csi-lvm-reviver
   namespace: csi-lvm
+{{- if semverCompare "< 1.25" .Capabilities.KubeVersion.GitVersion }}
 ---
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
@@ -162,6 +163,7 @@ rules:
   - csi-lvm-reviver-psp
   verbs:
   - use
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role

diff --git a/go.mod b/go.mod
@@ -21,7 +21,7 @@ require (
 	github.com/metal-stack/firewall-controller-manager v0.2.3
 	github.com/metal-stack/machine-controller-manager-provider-metal v0.1.14
 	github.com/metal-stack/metal-go v0.22.8
-	github.com/metal-stack/metal-lib v0.12.3
+	github.com/metal-stack/metal-lib v0.12.4
 	github.com/onsi/ginkgo v1.16.5
 	github.com/onsi/gomega v1.27.8
 	github.com/spf13/cobra v1.7.0

diff --git a/go.sum b/go.sum
@@ -445,8 +445,8 @@ github.com/metal-stack/machine-controller-manager-provider-metal v0.1.14 h1:qbbd
 github.com/metal-stack/machine-controller-manager-provider-metal v0.1.14/go.mod h1:d36VmegtqJd7AKv8FVFvuimRPK+M93odICUUbTXg8CU=
 github.com/metal-stack/metal-go v0.22.8 h1:32HZdR8BNWWdKkhfJ5OVFGLLuTQ+bkw44PvU0ObqbIo=
 github.com/metal-stack/metal-go v0.22.8/go.mod h1:n0KALbtB6JGAICDmgSU5B/jekEFODuqcluTHEAXMPng=
-github.com/metal-stack/metal-lib v0.12.3 h1:IsurXFoLpgJ/9GG3zsAYmk72tukcJSw40UvPYI47rEI=
-github.com/metal-stack/metal-lib v0.12.3/go.mod h1:j9I8YAqxS8AFZ6z0T113hlwy2MHpb0ExQsGhi6zlteI=
+github.com/metal-stack/metal-lib v0.12.4 h1:ISdh1kYsb75UbQWwRwbwY38wN4h+i6KqvaFMeItdX7Q=
+github.com/metal-stack/metal-lib v0.12.4/go.mod h1:YyE9IbyA38sgoyrgBZgvmlWhwUU6G+o4+tqNiLDXOgI=
 github.com/metal-stack/security v0.6.6 h1:KSPNN8YZd2EJEjsJ0xCBcd5o53uU0iFupahHA9Twuh0=
 github.com/metal-stack/security v0.6.6/go.mod h1:WchPm3+2Xjj1h7AxM+DsnR9EWgLw+ktoGCl/0gcmgSA=
 github.com/miekg/dns v1.1.55 h1:GoQ4hpsj0nFLYe+bWiCToyrBEJXkQfOOIvFGFy0lEgo=

diff --git a/pkg/admission/mutator/defaulter.go b/pkg/admission/mutator/defaulter.go
@@ -12,7 +12,9 @@ import (
 	"github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/metal"
 	"github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/metal/helper"
 	metalv1alpha1 "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/metal/v1alpha1"
+	"github.com/metal-stack/metal-lib/pkg/k8s"
 	"github.com/metal-stack/metal-lib/pkg/pointer"
+
 	"k8s.io/apimachinery/pkg/runtime"
 )
 
@@ -25,7 +27,11 @@ type defaulter struct {
 }
 
 func (d *defaulter) defaultShoot(shoot *gardenv1beta1.Shoot) error {
-	if shoot.Spec.Kubernetes.AllowPrivilegedContainers == nil {
+	lessThan125, err := k8s.LessThan(shoot.Spec.Kubernetes.Version, k8s.KubernetesV125)
+	if err != nil {
+		return err
+	}
+	if shoot.Spec.Kubernetes.AllowPrivilegedContainers == nil && lessThan125 {
 		shoot.Spec.Kubernetes.AllowPrivilegedContainers = pointer.Pointer(d.c.allowedPrivilegedContainers())
 	}
 
@@ -45,7 +51,7 @@ func (d *defaulter) defaultShoot(shoot *gardenv1beta1.Shoot) error {
 		shoot.Spec.Kubernetes.Kubelet.MaxPods = pointer.Pointer(d.c.maxPods())
 	}
 
-	err := d.defaultInfrastructureConfig(shoot)
+	err = d.defaultInfrastructureConfig(shoot)
 	if err != nil {
 		return err
 	}

diff --git a/pkg/admission/mutator/defaulter_test.go b/pkg/admission/mutator/defaulter_test.go
@@ -75,6 +75,7 @@ func Test_defaulter_defaultShoot(t *testing.T) {
 		completeShootSpec = &gardenv1beta1.Shoot{
 			Spec: gardenv1beta1.ShootSpec{
 				Kubernetes: gardenv1beta1.Kubernetes{
+					Version:                   "1.24.0",
 					AllowPrivilegedContainers: pointer.Pointer(false),
 					KubeControllerManager: &gardenv1beta1.KubeControllerManagerConfig{
 						NodeCIDRMaskSize: pointer.Pointer(int32(24)),
@@ -107,11 +108,16 @@ func Test_defaulter_defaultShoot(t *testing.T) {
 		{
 			name: "empty spec",
 			shoot: &gardenv1beta1.Shoot{
-				Spec: gardenv1beta1.ShootSpec{},
+				Spec: gardenv1beta1.ShootSpec{
+					Kubernetes: gardenv1beta1.Kubernetes{
+						Version: "1.24.0",
+					},
+				},
 			},
 			want: &gardenv1beta1.Shoot{
 				Spec: gardenv1beta1.ShootSpec{
 					Kubernetes: gardenv1beta1.Kubernetes{
+						Version:                   "1.24.0",
 						AllowPrivilegedContainers: pointer.Pointer(true),
 						KubeControllerManager: &gardenv1beta1.KubeControllerManagerConfig{
 							NodeCIDRMaskSize: pointer.Pointer(int32(23)),
@@ -162,6 +168,7 @@ func Test_defaulter_defaultShoot(t *testing.T) {
 			shoot: &gardenv1beta1.Shoot{
 				Spec: gardenv1beta1.ShootSpec{
 					Kubernetes: gardenv1beta1.Kubernetes{
+						Version:                   "1.24.0",
 						AllowPrivilegedContainers: pointer.Pointer(false),
 						KubeControllerManager: &gardenv1beta1.KubeControllerManagerConfig{
 							NodeCIDRMaskSize: pointer.Pointer(int32(24)),
@@ -195,6 +202,7 @@ func Test_defaulter_defaultShoot(t *testing.T) {
 			want: &gardenv1beta1.Shoot{
 				Spec: gardenv1beta1.ShootSpec{
 					Kubernetes: gardenv1beta1.Kubernetes{
+						Version:                   "1.24.0",
 						AllowPrivilegedContainers: pointer.Pointer(false),
 						KubeControllerManager: &gardenv1beta1.KubeControllerManagerConfig{
 							NodeCIDRMaskSize: pointer.Pointer(int32(24)),
@@ -231,6 +239,7 @@ func Test_defaulter_defaultShoot(t *testing.T) {
 			shoot: &gardenv1beta1.Shoot{
 				Spec: gardenv1beta1.ShootSpec{
 					Kubernetes: gardenv1beta1.Kubernetes{
+						Version:                   "1.24.0",
 						AllowPrivilegedContainers: pointer.Pointer(false),
 						KubeControllerManager: &gardenv1beta1.KubeControllerManagerConfig{
 							NodeCIDRMaskSize: pointer.Pointer(int32(24)),
@@ -254,6 +263,7 @@ func Test_defaulter_defaultShoot(t *testing.T) {
 			want: &gardenv1beta1.Shoot{
 				Spec: gardenv1beta1.ShootSpec{
 					Kubernetes: gardenv1beta1.Kubernetes{
+						Version:                   "1.24.0",
 						AllowPrivilegedContainers: pointer.Pointer(false),
 						KubeControllerManager: &gardenv1beta1.KubeControllerManagerConfig{
 							NodeCIDRMaskSize: pointer.Pointer(int32(24)),
@@ -299,6 +309,7 @@ func Test_defaulter_defaultShoot(t *testing.T) {
 			shoot: &gardenv1beta1.Shoot{
 				Spec: gardenv1beta1.ShootSpec{
 					Kubernetes: gardenv1beta1.Kubernetes{
+						Version:                   "1.24.0",
 						AllowPrivilegedContainers: pointer.Pointer(false),
 						KubeControllerManager: &gardenv1beta1.KubeControllerManagerConfig{
 							NodeCIDRMaskSize: pointer.Pointer(int32(24)),
@@ -325,6 +336,7 @@ func Test_defaulter_defaultShoot(t *testing.T) {
 			want: &gardenv1beta1.Shoot{
 				Spec: gardenv1beta1.ShootSpec{
 					Kubernetes: gardenv1beta1.Kubernetes{
+						Version:                   "1.24.0",
 						AllowPrivilegedContainers: pointer.Pointer(false),
 						KubeControllerManager: &gardenv1beta1.KubeControllerManagerConfig{
 							NodeCIDRMaskSize: pointer.Pointer(int32(24)),