Gardener v1.92

charts/gardener-extension-admission-metal/values.yaml

@@ -36,7 +36,6 @@ global:
     ciliumDevices:
     ciliumHubbleEnabled:
     ciliumKubeProxyEnabled:
-    ciliumPSPEnabled:
     ciliumTunnel:
     ciliumIPv4NativeRoutingCIDREnabled:
     ciliumLoadBalancingMode:

charts/internal/control-plane/templates/duros-controller.yaml

@@ -108,7 +108,6 @@ spec:
           - -admin-token=/duros/admin-token
           - -admin-key=/duros/admin-key
           - -shoot-kubeconfig=/var/run/secrets/gardener.cloud/shoot/generic-kubeconfig/kubeconfig
-          - -psp-disabled={{ .Values.pspDisabled }}
           - -api-endpoint={{ .Values.duros.controller.apiEndpoint }}
 {{- if .Values.duros.controller.apiCA }}
           - -api-ca=/duros/api-ca

charts/internal/shoot-control-plane/templates/metallb.yaml

@@ -4,88 +4,6 @@ metadata:
   labels:
     app: metallb
   name: metallb-system
-{{- if not .Values.pspDisabled }}
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  labels:
-    app: metallb
-  name: controller
-  namespace: metallb-system
-spec:
-  allowPrivilegeEscalation: false
-  allowedCapabilities: []
-  allowedHostPaths: []
-  defaultAddCapabilities: []
-  defaultAllowPrivilegeEscalation: false
-  fsGroup:
-    ranges:
-    - max: 65535
-      min: 1
-    rule: MustRunAs
-  hostIPC: false
-  hostNetwork: false
-  hostPID: false
-  privileged: false
-  requiredDropCapabilities:
-  - ALL
-  runAsUser:
-    ranges:
-    - max: 65535
-      min: 1
-    rule: MustRunAs
-  seLinux:
-    rule: RunAsAny
-  supplementalGroups:
-    ranges:
-    - max: 65535
-      min: 1
-    rule: MustRunAs
-  volumes:
-  - configMap
-  - secret
-  - emptyDir
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  labels:
-    app: metallb
-  name: speaker
-  namespace: metallb-system
-spec:
-  allowPrivilegeEscalation: false
-  allowedCapabilities:
-  - NET_RAW
-  allowedHostPaths: []
-  defaultAddCapabilities: []
-  defaultAllowPrivilegeEscalation: false
-  fsGroup:
-    rule: RunAsAny
-  hostIPC: false
-  hostNetwork: true
-  hostPID: false
-  hostPorts:
-  - max: 7472
-    min: 7472
-  - max: 7946
-    min: 7946
-  privileged: true
-  readOnlyRootFilesystem: true
-  requiredDropCapabilities:
-  - ALL
-  runAsUser:
-    rule: RunAsAny
-  seLinux:
-    rule: RunAsAny
-  supplementalGroups:
-    rule: RunAsAny
-  volumes:
-  - configMap
-  - secret
-  - emptyDir
-  {{- end }}
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -198,16 +116,6 @@ rules:
   verbs:
   - list
   - watch
-{{- if not .Values.pspDisabled }}
-- apiGroups:
-  - policy
-  resourceNames:
-  - controller
-  resources:
-  - podsecuritypolicies
-  verbs:
-  - use
-{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -242,16 +150,6 @@ rules:
   verbs:
   - create
   - patch
-{{- if not .Values.pspDisabled }}
-- apiGroups:
-  - policy
-  resourceNames:
-  - speaker
-  resources:
-  - podsecuritypolicies
-  verbs:
-  - use
-{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role

charts/internal/shoot-control-plane/templates/node-init.yaml

@@ -4,27 +4,6 @@ kind: ServiceAccount
 metadata:
   name: node-init
   namespace: kube-system
-{{- if not .Values.pspDisabled }}
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: node-init
-spec:
-  allowedCapabilities:
-  - NET_ADMIN
-  fsGroup:
-    rule: RunAsAny
-  runAsUser:
-    rule: RunAsAny
-  seLinux:
-    rule: RunAsAny
-  supplementalGroups:
-    rule: RunAsAny
-  volumes:
-  - secret
-  hostNetwork: true
-{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -39,16 +18,6 @@ rules:
   - watch
   - list
   - get
-{{- if not .Values.pspDisabled }}
-- apiGroups:
-  - extensions
-  resources:
-  - podsecuritypolicies
-  resourceNames:
-  - node-init
-  verbs:
-  - use
-{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

charts/internal/shoot-control-plane/templates/rbac-duros.yaml

@@ -49,21 +49,6 @@ rules:
   - patch
   - update
   - watch
-{{- if not .Values.pspDisabled }}
-- apiGroups:
-  - "policy"
-  resources:
-  - podsecuritypolicies
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-  - use
-{{- end }}
 - apiGroups:
   - "rbac.authorization.k8s.io"
   resources:

charts/internal/shoot-control-plane/values.yaml

@@ -2,7 +2,6 @@
 kubernetesVersion: "1.16.0"
 apiserverIPs: []
 nodeCIDR:
-pspDisabled: false
 
 images:
     droptailer: image-repository:image-tag

charts/internal/shoot-storageclasses/templates/storageclasses.yaml

@@ -140,43 +140,6 @@ kind: ServiceAccount
 metadata:
   name: csi-lvm-reviver
   namespace: csi-lvm
-{{- if not .Values.pspDisabled }}
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: csi-lvm-reviver-psp
-  namespace: csi-lvm
-spec:
-  allowPrivilegeEscalation: true
-  privileged: true
-  fsGroup:
-    rule: RunAsAny
-  privileged: true
-  runAsUser:
-    rule: RunAsAny
-  seLinux:
-    rule: RunAsAny
-  supplementalGroups:
-    rule: RunAsAny
-  volumes:
-  - '*'
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: csi-lvm-reviver-psp
-  namespace: csi-lvm
-rules:
-- apiGroups:
-  - extensions
-  resources:
-  - podsecuritypolicies
-  resourceNames:
-  - csi-lvm-reviver-psp
-  verbs:
-  - use
-{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -200,21 +163,6 @@ rules:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
-metadata:
-  name: csi-lvm-reviver-psp
-  namespace: csi-lvm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: csi-lvm-reviver-psp
-subjects:
-- apiGroup: ""
-  kind: ServiceAccount
-  name: csi-lvm-reviver
-  namespace: csi-lvm
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
 metadata:
   name: csi-lvm-reviver
   namespace: csi-lvm

charts/internal/shoot-storageclasses/values.yaml

@@ -4,4 +4,3 @@ images:
     csi-lvm-provisioner: image-repository:image-tag
 
 isDefaultStorageClass: true
-pspDisabled: false

example/10-fake-shoot-controlplane.yaml

@@ -129,7 +129,7 @@ spec:
       - command:
         - /hyperkube
         - apiserver
-        - --enable-admission-plugins=Priority,NamespaceLifecycle,LimitRanger,PodSecurityPolicy,ServiceAccount,NodeRestriction,DefaultStorageClass,Initializers,DefaultTolerationSeconds,ResourceQuota,StorageObjectInUseProtection,MutatingAdmissionWebhook,ValidatingAdmissionWebhook
+        - --enable-admission-plugins=Priority,NamespaceLifecycle,LimitRanger,ServiceAccount,NodeRestriction,DefaultStorageClass,Initializers,DefaultTolerationSeconds,ResourceQuota,StorageObjectInUseProtection,MutatingAdmissionWebhook,ValidatingAdmissionWebhook
         - --disable-admission-plugins=PersistentVolumeLabel
         - --allow-privileged=true
         - --anonymous-auth=false