m/n/k/reconciler: remove PSP role and rolebinding
Pod Security Policies have been removed from Kubernetes. The default PSP
was removed in commit 6211e4dc40, but the role and rolebinding were still
left behind. They no longer serve a purpose. Now that reconciler updates
are implemented, these will be removed from existing clusters after
upgrading.
Change-Id: Ia953a5ae03c581b15efc4e3b3711aaa008dc145d
Reviewed-on: https://review.monogon.dev/c/monogon/+/3091
Tested-by: Jenkins CI
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
diff --git a/metropolis/node/kubernetes/controller-manager.go b/metropolis/node/kubernetes/controller-manager.go
index 252de53..71918f9 100644
--- a/metropolis/node/kubernetes/controller-manager.go
+++ b/metropolis/node/kubernetes/controller-manager.go
@@ -77,7 +77,7 @@
pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: config.rootCA})),
args.FileOpt("--client-ca-file", "root-ca.pem",
pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: config.rootCA})),
- "--use-service-account-credentials=true", // Enables things like PSP enforcement
+ "--use-service-account-credentials=true",
fmt.Sprintf("--cluster-cidr=%v", config.clusterNet.String()),
fmt.Sprintf("--service-cluster-ip-range=%v", config.serviceNet.String()),
args.FileOpt("--tls-cert-file", "server-cert.pem",
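Review bot: The `--use-service-account-credentials=true` line now carries no comment at all, although the flag still matters for security: it makes kube-controller-manager run each controller under its own service account, so RBAC is applied per controller rather than to one shared identity. Dropping the stale PSP wording is right, but I would replace it rather than delete it, for example `"--use-service-account-credentials=true", // Each controller uses its own service account, so RBAC is scoped per controller`. Without that, a later cleanup could read the flag as PSP leftover and remove it, which would presumably collapse all controllers onto the manager's own credentials. The argument list starts and ends outside this hunk, so I cannot tell whether the neighbouring flags are documented in the same style.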