m/n/k/reconciler: remove PSP role and rolebinding

Pod Security Policies have been removed from Kubernetes. The default PSP
was removed in commit 6211e4dc40, but the role and rolebinding were still
left behind. They no longer serve any purpose. Now that reconciler updates
are implemented, these will be removed from existing clusters after
upgrading.

Change-Id: Ia953a5ae03c581b15efc4e3b3711aaa008dc145d
Reviewed-on: https://review.monogon.dev/c/monogon/+/3091
Tested-by: Jenkins CI
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
diff --git a/metropolis/node/kubernetes/controller-manager.go b/metropolis/node/kubernetes/controller-manager.go
index 252de53..71918f9 100644
--- a/metropolis/node/kubernetes/controller-manager.go
+++ b/metropolis/node/kubernetes/controller-manager.go
@@ -77,7 +77,7 @@
 				pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: config.rootCA})),
 			args.FileOpt("--client-ca-file", "root-ca.pem",
 				pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: config.rootCA})),
-			"--use-service-account-credentials=true", // Enables things like PSP enforcement
+			"--use-service-account-credentials=true",
 			fmt.Sprintf("--cluster-cidr=%v", config.clusterNet.String()),
 			fmt.Sprintf("--service-cluster-ip-range=%v", config.serviceNet.String()),
 			args.FileOpt("--tls-cert-file", "server-cert.pem",
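Review bot: The `--use-service-account-credentials=true` line now has no comment at all, although the flag still matters for security after PSP is gone. It makes kube-controller-manager run each controller under its own service account, so RBAC limits every controller separately instead of all of them sharing one credential. I would replace the stale comment rather than drop it, for example `// Run each controller with its own service account so RBAC is scoped per controller.` The argument list this line belongs to starts and ends outside the hunk.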
diff --git a/metropolis/node/kubernetes/reconciler/resources_rbac.go b/metropolis/node/kubernetes/reconciler/resources_rbac.go
index 5ae5246..42cd202 100644
--- a/metropolis/node/kubernetes/reconciler/resources_rbac.go
+++ b/metropolis/node/kubernetes/reconciler/resources_rbac.go
@@ -25,8 +25,6 @@
 )
 
 var (
-	clusterRolePSPDefault                    = builtinRBACName("psp-default")
-	clusterRoleBindingDefaultPSP             = builtinRBACName("default-psp-for-sa")
 	clusterRoleBindingAPIServerKubeletClient = builtinRBACName("apiserver-kubelet-client")
 	clusterRoleBindingOwnerAdmin             = builtinRBACName("owner-admin")
 	clusterRoleCSIProvisioner                = builtinRBACName("csi-provisioner")
@@ -69,23 +67,6 @@
 	return []meta.Object{
 		&rbac.ClusterRole{
 			ObjectMeta: meta.ObjectMeta{
-				Name:   clusterRolePSPDefault,
-				Labels: builtinLabels(nil),
-				Annotations: map[string]string{
-					"kubernetes.io/description": "This role grants access to the \"default\" PSP.",
-				},
-			},
-			Rules: []rbac.PolicyRule{
-				{
-					APIGroups:     []string{"policy"},
-					Resources:     []string{"podsecuritypolicies"},
-					ResourceNames: []string{"default"},
-					Verbs:         []string{"use"},
-				},
-			},
-		},
-		&rbac.ClusterRole{
-			ObjectMeta: meta.ObjectMeta{
 				Name:   clusterRoleCSIProvisioner,
 				Labels: builtinLabels(nil),
 				Annotations: map[string]string{
@@ -168,29 +149,6 @@
 	return []meta.Object{
 		&rbac.ClusterRoleBinding{
 			ObjectMeta: meta.ObjectMeta{
-				Name:   clusterRoleBindingDefaultPSP,
-				Labels: builtinLabels(nil),
-				Annotations: map[string]string{
-					"kubernetes.io/description": "This binding grants every service account access to the \"default\" PSP. " +
-						"Creation of Pods is still restricted by other RBAC roles. Otherwise no pods (unprivileged or not) " +
-						"can be created.",
-				},
-			},
-			RoleRef: rbac.RoleRef{
-				APIGroup: rbac.GroupName,
-				Kind:     "ClusterRole",
-				Name:     clusterRolePSPDefault,
-			},
-			Subjects: []rbac.Subject{
-				{
-					APIGroup: rbac.GroupName,
-					Kind:     "Group",
-					Name:     "system:serviceaccounts",
-				},
-			},
-		},
-		&rbac.ClusterRoleBinding{
-			ObjectMeta: meta.ObjectMeta{
 				Name:   clusterRoleBindingAPIServerKubeletClient,
 				Labels: builtinLabels(nil),
 				Annotations: map[string]string{