Chart: Remove Pod Security Policy. (#11971)

charts/ingress-nginx/README.md

@@ -244,7 +244,6 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.admissionWebhooks.createSecretJob.resources | object | `{}` |  |
 | controller.admissionWebhooks.createSecretJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for secret creation containers |
 | controller.admissionWebhooks.enabled | bool | `true` |  |
-| controller.admissionWebhooks.existingPsp | string | `""` | Use an existing PSP instead of creating one |
 | controller.admissionWebhooks.extraEnvs | list | `[]` | Additional environment variables to set |
 | controller.admissionWebhooks.failurePolicy | string | `"Fail"` | Admission Webhook failure policy to use |
 | controller.admissionWebhooks.key | string | `"/usr/local/certificates/key"` |  |
@@ -307,7 +306,6 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.enableAnnotationValidations | bool | `true` |  |
 | controller.enableMimalloc | bool | `true` | Enable mimalloc as a drop-in replacement for malloc. # ref: https://github.com/microsoft/mimalloc # |
 | controller.enableTopologyAwareRouting | bool | `false` | This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-mode="auto" Defaults to false |
-| controller.existingPsp | string | `""` | Use an existing PSP instead of creating one |
 | controller.extraArgs | object | `{}` | Additional command line arguments to pass to Ingress-Nginx Controller E.g. to specify the default SSL certificate you can use |
 | controller.extraContainers | list | `[]` | Additional containers to be added to the controller pod. See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. |
 | controller.extraEnvs | list | `[]` | Additional environment variables to set |
@@ -497,7 +495,6 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | defaultBackend.autoscaling.targetMemoryUtilizationPercentage | int | `50` |  |
 | defaultBackend.containerSecurityContext | object | `{}` | Security context for default backend containers |
 | defaultBackend.enabled | bool | `false` |  |
-| defaultBackend.existingPsp | string | `""` | Use an existing PSP instead of creating one |
 | defaultBackend.extraArgs | object | `{}` |  |
 | defaultBackend.extraConfigMaps | list | `[]` |  |
 | defaultBackend.extraEnvs | list | `[]` | Additional environment variables to set for defaultBackend pods |
@@ -550,7 +547,6 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | dhParam | string | `""` | A base64-encoded Diffie-Hellman parameter. This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` # Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param |
 | imagePullSecrets | list | `[]` | Optional array of imagePullSecrets containing private registry credentials # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ |
 | namespaceOverride | string | `""` | Override the deployment namespace; defaults to .Release.Namespace |
-| podSecurityPolicy.enabled | bool | `false` |  |
 | portNamePrefix | string | `""` | Prefix for TCP and UDP ports names in ingress controller service # Some cloud providers, like Yandex Cloud may have a requirements for a port name regex to support cloud load balancer integration |
 | rbac.create | bool | `true` |  |
 | rbac.scope | bool | `false` |  |

charts/ingress-nginx/ci/deamonset-psp-values.yaml

@@ -1,13 +0,0 @@
-controller:
-  kind: DaemonSet
-  image:
-    repository: ingress-controller/controller
-    tag: 1.0.0-dev
-    digest: null
-  admissionWebhooks:
-    enabled: false
-  service:
-    type: ClusterIP
-
-podSecurityPolicy:
-  enabled: true

charts/ingress-nginx/ci/deamonset-webhook-and-psp-values.yaml

@@ -1,13 +0,0 @@
-controller:
-  kind: DaemonSet
-  image:
-    repository: ingress-controller/controller
-    tag: 1.0.0-dev
-    digest: null
-  admissionWebhooks:
-    enabled: true
-  service:
-    type: ClusterIP
-
-podSecurityPolicy:
-  enabled: true

charts/ingress-nginx/ci/deployment-psp-values.yaml

@@ -1,10 +0,0 @@
-controller:
-  image:
-    repository: ingress-controller/controller
-    tag: 1.0.0-dev
-    digest: null
-  service:
-    type: ClusterIP
-
-podSecurityPolicy:
-  enabled: true

charts/ingress-nginx/ci/deployment-webhook-and-psp-values.yaml

@@ -1,12 +0,0 @@
-controller:
-  image:
-    repository: ingress-controller/controller
-    tag: 1.0.0-dev
-    digest: null
-  admissionWebhooks:
-    enabled: true
-  service:
-    type: ClusterIP
-
-podSecurityPolicy:
-  enabled: true

charts/ingress-nginx/templates/_helpers.tpl

@@ -235,17 +235,6 @@ readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem }
 {{- end -}}
 {{- end -}}
 
-{{/*
-Return the appropriate apiGroup for PodSecurityPolicy.
-*/}}
-{{- define "podSecurityPolicy.apiGroup" -}}
-{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
-{{- print "policy" -}}
-{{- else -}}
-{{- print "extensions" -}}
-{{- end -}}
-{{- end -}}
-
 {{/*
 Extra modules.
 */}}

charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml

@@ -20,14 +20,4 @@ rules:
     verbs:
       - get
       - update
-{{- if .Values.podSecurityPolicy.enabled }}
-  - apiGroups:      [{{ template "podSecurityPolicy.apiGroup" . }}]
-    resources:      ['podsecuritypolicies']
-    verbs:          ['use']
-    {{- with .Values.controller.admissionWebhooks.existingPsp }}
-    resourceNames:  [{{ . }}]
-    {{- else }}
-    resourceNames:  [{{ include "ingress-nginx.admissionWebhooks.fullname" . }}]
-    {{- end }}
-{{- end }}
 {{- end }}

charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml

@@ -1,52 +0,0 @@
-{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
-{{- if and .Values.podSecurityPolicy.enabled .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}}
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
-  annotations:
-    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
-    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
-  labels:
-    {{- include "ingress-nginx.labels" . | nindent 4 }}
-    app.kubernetes.io/component: admission-webhook
-    {{- with .Values.controller.admissionWebhooks.patch.labels }}
-    {{- toYaml . | nindent 4 }}
-    {{- end }}
-spec:
-  privileged: false
-  hostPID: false
-  hostIPC: false
-  hostNetwork: false
-  volumes:
-    - configMap
-    - downwardAPI
-    - emptyDir
-    - secret
-    - projected
-  fsGroup:
-    rule: MustRunAs
-    ranges:
-      - min: 1
-        max: 65535
-  readOnlyRootFilesystem: true
-  runAsUser:
-    rule: MustRunAsNonRoot
-  runAsGroup:
-    rule: MustRunAs
-    ranges:
-      - min: 1
-        max: 65535
-  supplementalGroups:
-    rule: MustRunAs
-    ranges:
-      - min: 1
-        max: 65535
-  allowPrivilegeEscalation: false
-  requiredDropCapabilities:
-    - ALL
-  seLinux:
-    rule: RunAsAny
-{{- end }}
-{{- end }}

charts/ingress-nginx/templates/controller-psp.yaml

@@ -1,100 +0,0 @@
-{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
-{{- if and .Values.podSecurityPolicy.enabled (empty .Values.controller.existingPsp) -}}
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: {{ include "ingress-nginx.fullname" . }}
-  annotations:
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
-  labels:
-    {{- include "ingress-nginx.labels" . | nindent 4 }}
-    app.kubernetes.io/component: controller
-    {{- with .Values.controller.labels }}
-    {{- toYaml . | nindent 4 }}
-    {{- end }}
-spec:
-  privileged: false
-  hostPID: false
-  hostIPC: false
-  hostNetwork: {{ .Values.controller.hostNetwork }}
-{{- if or .Values.controller.hostNetwork .Values.controller.hostPort.enabled }}
-  hostPorts:
-  {{- if .Values.controller.hostNetwork }}
-  {{- range $key, $value := .Values.controller.containerPort }}
-    # controller.containerPort.{{ $key }}
-    - min: {{ $value }}
-      max: {{ $value }}
-  {{- end }}
-  {{- else if .Values.controller.hostPort.enabled }}
-  {{- range $key, $value := .Values.controller.hostPort.ports }}
-    # controller.hostPort.ports.{{ $key }}
-    - min: {{ $value }}
-      max: {{ $value }}
-  {{- end }}
-  {{- end }}
-  {{- if .Values.controller.metrics.enabled }}
-    # controller.metrics.port
-    - min: {{ .Values.controller.metrics.port }}
-      max: {{ .Values.controller.metrics.port }}
-  {{- end }}
-  {{- if .Values.controller.admissionWebhooks.enabled }}
-    # controller.admissionWebhooks.port
-    - min: {{ .Values.controller.admissionWebhooks.port }}
-      max: {{ .Values.controller.admissionWebhooks.port }}
-  {{- end }}
-  {{- range $key, $value := .Values.tcp }}
-    # tcp.{{ $key }}
-    - min: {{ $key }}
-      max: {{ $key }}
-  {{- end }}
-  {{- range $key, $value := .Values.udp }}
-    # udp.{{ $key }}
-    - min: {{ $key }}
-      max: {{ $key }}
-  {{- end }}
-{{- end }}
-  volumes:
-    - configMap
-    - downwardAPI
-    - emptyDir
-    - secret
-    - projected
-  fsGroup:
-    rule: MustRunAs
-    ranges:
-      - min: 1
-        max: 65535
-  readOnlyRootFilesystem: false
-  runAsUser:
-    rule: MustRunAsNonRoot
-  runAsGroup:
-    rule: MustRunAs
-    ranges:
-      - min: 1
-        max: 65535
-  supplementalGroups:
-    rule: MustRunAs
-    ranges:
-      - min: 1
-        max: 65535
-  allowPrivilegeEscalation: {{ or .Values.controller.image.allowPrivilegeEscalation .Values.controller.image.chroot }}
-  requiredDropCapabilities:
-    - ALL
-  allowedCapabilities:
-    - NET_BIND_SERVICE
-  {{- if .Values.controller.image.chroot }}
-  {{- if .Values.controller.image.seccompProfile }}
-    - SYS_ADMIN
-  {{- end }}
-    - SYS_CHROOT
-  {{- end }}
-  seLinux:
-    rule: RunAsAny
-{{- if .Values.controller.sysctls }}
-  allowedUnsafeSysctls:
-  {{- range $sysctl, $value := .Values.controller.sysctls }}
-    - {{ $sysctl }}
-  {{- end }}
-{{- end }}
-{{- end }}
-{{- end }}

charts/ingress-nginx/templates/controller-role.yaml

@@ -91,14 +91,4 @@ rules:
       - list
       - watch
       - get
-{{- if .Values.podSecurityPolicy.enabled }}
-  - apiGroups:      [{{ template "podSecurityPolicy.apiGroup" . }}]
-    resources:      ['podsecuritypolicies']
-    verbs:          ['use']
-    {{- with .Values.controller.existingPsp }}
-    resourceNames:  [{{ . }}]
-    {{- else }}
-    resourceNames:  [{{ include "ingress-nginx.fullname" . }}]
-    {{- end }}
-{{- end }}
 {{- end }}

charts/ingress-nginx/templates/default-backend-psp.yaml

@@ -1,50 +0,0 @@
-{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
-{{- if and .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled (empty .Values.defaultBackend.existingPsp) -}}
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: {{ include "ingress-nginx.fullname" . }}-backend
-  annotations:
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
-  labels:
-    {{- include "ingress-nginx.labels" . | nindent 4 }}
-    app.kubernetes.io/component: default-backend
-    {{- with .Values.defaultBackend.labels }}
-    {{- toYaml . | nindent 4 }}
-    {{- end }}
-spec:
-  privileged: false
-  hostPID: false
-  hostIPC: false
-  hostNetwork: false
-  volumes:
-    - configMap
-    - downwardAPI
-    - emptyDir
-    - secret
-    - projected
-  fsGroup:
-    rule: MustRunAs
-    ranges:
-      - min: 1
-        max: 65535
-  readOnlyRootFilesystem: true
-  runAsUser:
-    rule: MustRunAsNonRoot
-  runAsGroup:
-    rule: MustRunAs
-    ranges:
-      - min: 1
-        max: 65535
-  supplementalGroups:
-    rule: MustRunAs
-    ranges:
-      - min: 1
-        max: 65535
-  allowPrivilegeEscalation: false
-  requiredDropCapabilities:
-    - ALL
-  seLinux:
-    rule: RunAsAny
-{{- end }}
-{{- end }}

charts/ingress-nginx/templates/default-backend-role.yaml

@@ -1,22 +0,0 @@
-{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  labels:
-    {{- include "ingress-nginx.labels" . | nindent 4 }}
-    app.kubernetes.io/component: default-backend
-    {{- with .Values.defaultBackend.labels }}
-    {{- toYaml . | nindent 4 }}
-    {{- end }}
-  name: {{ include "ingress-nginx.fullname" . }}-backend
-  namespace: {{ include "ingress-nginx.namespace" . }}
-rules:
-  - apiGroups:      [{{ template "podSecurityPolicy.apiGroup" . }}]
-    resources:      ['podsecuritypolicies']
-    verbs:          ['use']
-    {{- with .Values.defaultBackend.existingPsp }}
-    resourceNames:  [{{ . }}]
-    {{- else }}
-    resourceNames:  [{{ include "ingress-nginx.fullname" . }}-backend]
-    {{- end }}
-{{- end }}

charts/ingress-nginx/templates/default-backend-rolebinding.yaml

@@ -1,21 +0,0 @@
-{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  labels:
-    {{- include "ingress-nginx.labels" . | nindent 4 }}
-    app.kubernetes.io/component: default-backend
-    {{- with .Values.defaultBackend.labels }}
-    {{- toYaml . | nindent 4 }}
-    {{- end }}
-  name: {{ include "ingress-nginx.fullname" . }}-backend
-  namespace: {{ include "ingress-nginx.namespace" . }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ include "ingress-nginx.fullname" . }}-backend
-subjects:
-  - kind: ServiceAccount
-    name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }}
-    namespace: {{ include "ingress-nginx.namespace" . }}
-{{- end }}

charts/ingress-nginx/values.yaml

@@ -41,8 +41,6 @@ controller:
     seccompProfile:
       type: RuntimeDefault
     readOnlyRootFilesystem: false
-  # -- Use an existing PSP instead of creating one
-  existingPsp: ""
   # -- Configures the controller container name
   containerName: controller
   # -- Configures the ports that the nginx-controller listens on
@@ -758,8 +756,6 @@ controller:
     objectSelector: {}
     # -- Labels to be added to admission webhooks
     labels: {}
-    # -- Use an existing PSP instead of creating one
-    existingPsp: ""
     service:
       annotations: {}
       # clusterIP: ""
@@ -979,8 +975,6 @@ defaultBackend:
     seccompProfile:
       type: RuntimeDefault
     readOnlyRootFilesystem: true
-  # -- Use an existing PSP instead of creating one
-  existingPsp: ""
   extraArgs: {}
   serviceAccount:
     create: true
@@ -1166,10 +1160,6 @@ defaultBackend:
 rbac:
   create: true
   scope: false
-## If true, create & use Pod Security Policy resources
-## https://kubernetes.io/docs/concepts/policy/pod-security-policy/
-podSecurityPolicy:
-  enabled: false
 serviceAccount:
   create: true
   name: ""

docs/examples/psp/README.md

@@ -1,17 +0,0 @@
-# Pod Security Policy (PSP)
-
-In most clusters today, by default, all resources (e.g. `Deployments` and `ReplicatSets`)
-have permissions to create pods.
-Kubernetes however provides a more fine-grained authorization policy called
-[Pod Security Policy (PSP)](https://kubernetes.io/docs/concepts/policy/pod-security-policy/).
-
-PSP allows the cluster owner to define the permission of each object, for example creating a pod.
-If you have PSP enabled on the cluster, and you deploy ingress-nginx,
-you will need to provide the `Deployment` with the permissions to create pods.
-
-Before applying any objects, first apply the PSP permissions by running:
-```console
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/psp/psp.yaml
-```
-
-Note: PSP permissions must be granted before the creation of the `Deployment` and the `ReplicaSet`.

docs/examples/psp/psp.yaml

@@ -1,75 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: ingress-nginx
-
----
-
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: ingress-nginx
-  namespace: ingress-nginx
-spec:
-  allowedCapabilities:
-    - NET_BIND_SERVICE
-  privileged: false
-  allowPrivilegeEscalation: true
-  # Allow core volume types.
-  volumes:
-    - configMap
-    - secret
-  hostIPC: false
-  hostPID: false
-  runAsUser:
-    # Require the container to run without root privileges.
-    rule: MustRunAsNonRoot
-  supplementalGroups:
-    rule: MustRunAs
-    ranges:
-      # Forbid adding the root group.
-      - min: 1
-        max: 65535
-  fsGroup:
-    rule: MustRunAs
-    ranges:
-      # Forbid adding the root group.
-      - min: 1
-        max: 65535
-  readOnlyRootFilesystem: false
-  seLinux:
-    rule: RunAsAny
-
----
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: ingress-nginx-psp
-  namespace: ingress-nginx
-rules:
-- apiGroups: [policy]
-  resources: [podsecuritypolicies]
-  verbs: [use]
-  resourceNames: [ingress-nginx]
-
----
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: ingress-nginx-psp
-  namespace: ingress-nginx
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: ingress-nginx-psp
-subjects:
-- kind: ServiceAccount
-  name: default
-- kind: ServiceAccount
-  name: ingress-nginx
-  namespace: ingress-nginx
-- kind: ServiceAccount
-  name: ingress-nginx-admission
-  namespace: ingress-nginx

docs/troubleshooting.md

@@ -443,7 +443,7 @@ $ capsh --decode=0000000000000400
 ```
 
 ## Create a test pod as root
-(Note, this may be restricted by PodSecurityPolicy, PodSecurityAdmission/Standards, OPA Gatekeeper, etc. in which case you will need to do the appropriate workaround for testing, e.g. deploy in a new namespace without the restrictions.)
+(Note, this may be restricted by PodSecurityAdmission/Standards, OPA Gatekeeper, etc. in which case you will need to do the appropriate workaround for testing, e.g. deploy in a new namespace without the restrictions.)
 To test further you may want to install additional utilities, etc.  Modify the pod yaml by:
 * changing runAsUser from 101 to 0
 * removing the "drop..ALL" section from the capabilities.

magefiles/utils/helm.go

@@ -31,7 +31,6 @@ type IngressChartValue struct {
 			RunAsUser                int    `yaml:"runAsUser"`
 			AllowPrivilegeEscalation bool   `yaml:"allowPrivilegeEscalation"`
 		} `yaml:"image"`
-		ExistingPsp   string `yaml:"existingPsp"`
 		ContainerName string `yaml:"containerName"`
 		ContainerPort struct {
 			HTTP  int `yaml:"http"`
@@ -226,7 +225,6 @@ type IngressChartValue struct {
 			NamespaceSelector    struct{}      `yaml:"namespaceSelector"`
 			ObjectSelector       struct{}      `yaml:"objectSelector"`
 			Labels               struct{}      `yaml:"labels"`
-			ExistingPsp          string        `yaml:"existingPsp"`
 			NetworkPolicyEnabled bool          `yaml:"networkPolicyEnabled"`
 			Service              struct {
 				Annotations              struct{}      `yaml:"annotations"`
@@ -329,7 +327,6 @@ type IngressChartValue struct {
 			ReadOnlyRootFilesystem   bool   `yaml:"readOnlyRootFilesystem"`
 			AllowPrivilegeEscalation bool   `yaml:"allowPrivilegeEscalation"`
 		} `yaml:"image"`
-		ExistingPsp    string   `yaml:"existingPsp"`
 		ExtraArgs      struct{} `yaml:"extraArgs"`
 		ServiceAccount struct {
 			Create                       bool   `yaml:"create"`
@@ -388,9 +385,6 @@ type IngressChartValue struct {
 		Create bool `yaml:"create"`
 		Scope  bool `yaml:"scope"`
 	} `yaml:"rbac"`
-	PodSecurityPolicy struct {
-		Enabled bool `yaml:"enabled"`
-	} `yaml:"podSecurityPolicy"`
 	ServiceAccount struct {
 		Create                       bool     `yaml:"create"`
 		Name                         string   `yaml:"name"`

mkdocs.yml

@@ -124,7 +124,6 @@ nav:
       - Rewrite: "examples/rewrite/README.md"
       - Static IPs: "examples/static-ip/README.md"
       - TLS termination: "examples/tls-termination/README.md"
-      - Pod Security Policy (PSP): "examples/psp/README.md"
       - Open Policy Agent rules: "examples/openpolicyagent/README.md"
       - Canary Deployments: "examples/canary/README.md"
   - Developer Guide: