From 347f7f6d9ce44a64afdb39967ce84df30c6bcd7a Mon Sep 17 00:00:00 2001
From: Nikhil Varma <nikhilvarma940@gmail.com>
Date: Mon, 18 Dec 2023 10:37:58 +0530
Subject: [PATCH] psp deleted

---
 .../grafana/templates/podsecuritypolicy.yaml | 52 -----------------
 .../templates/podsecuritypolicy.yaml | 39 -------------
 .../templates/psp.yaml | 52 -----------------
 .../templates/alertmanager/psp.yaml | 53 ------------------
 .../templates/prometheus-operator/psp.yaml | 51 -----------------
 .../templates/prometheus/psp.yaml | 56 -------------------
 6 files changed, 303 deletions(-)
 delete mode 100755 kubernetes/helm_charts/monitoring/prometheus-operator/charts/grafana/templates/podsecuritypolicy.yaml
 delete mode 100755 kubernetes/helm_charts/monitoring/prometheus-operator/charts/kube-state-metrics/templates/podsecuritypolicy.yaml
 delete mode 100755 kubernetes/helm_charts/monitoring/prometheus-operator/charts/prometheus-node-exporter/templates/psp.yaml
 delete mode 100755 kubernetes/helm_charts/monitoring/prometheus-operator/templates/alertmanager/psp.yaml
 delete mode 100755 kubernetes/helm_charts/monitoring/prometheus-operator/templates/prometheus-operator/psp.yaml
 delete mode 100755 kubernetes/helm_charts/monitoring/prometheus-operator/templates/prometheus/psp.yaml

diff --git a/kubernetes/helm_charts/monitoring/prometheus-operator/charts/grafana/templates/podsecuritypolicy.yaml b/kubernetes/helm_charts/monitoring/prometheus-operator/charts/grafana/templates/podsecuritypolicy.yaml
deleted file mode 100755
index c5e6ba05e..000000000
--- a/kubernetes/helm_charts/monitoring/prometheus-operator/charts/grafana/templates/podsecuritypolicy.yaml
+++ /dev/null
@@ -1,52 +0,0 @@
-{{- if .Values.rbac.pspEnabled }}
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: {{ template "grafana.fullname" . }}
- namespace: {{ template "grafana.namespace" . }}
- labels:
- {{- include "grafana.labels" . | nindent 4 }}
- annotations:
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
- seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
- {{- if .Values.rbac.pspUseAppArmor }}
- apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
- apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
- {{- end }}
-spec:
- privileged: false
- allowPrivilegeEscalation: false
- requiredDropCapabilities:
- # Default set from Docker, without DAC_OVERRIDE or CHOWN
- - FOWNER
- - FSETID
- - KILL
- - SETGID
- - SETUID
- - SETPCAP
- - NET_BIND_SERVICE
- - NET_RAW
- - SYS_CHROOT
- - MKNOD
- - AUDIT_WRITE
- - SETFCAP
- volumes:
- - 'configMap'
- - 'emptyDir'
- - 'projected'
- - 'secret'
- - 'downwardAPI'
- - 'persistentVolumeClaim'
- hostNetwork: false
- hostIPC: false
- hostPID: false
- runAsUser:
- rule: 'RunAsAny'
- seLinux:
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'RunAsAny'
- fsGroup:
- rule: 'RunAsAny'
- readOnlyRootFilesystem: false
-{{- end }}
diff --git a/kubernetes/helm_charts/monitoring/prometheus-operator/charts/kube-state-metrics/templates/podsecuritypolicy.yaml b/kubernetes/helm_charts/monitoring/prometheus-operator/charts/kube-state-metrics/templates/podsecuritypolicy.yaml
deleted file mode 100755
index aeff11791..000000000
--- a/kubernetes/helm_charts/monitoring/prometheus-operator/charts/kube-state-metrics/templates/podsecuritypolicy.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-{{- if .Values.podSecurityPolicy.enabled }}
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: {{ template "kube-state-metrics.fullname" . }}
- labels:
- app.kubernetes.io/name: {{ template "kube-state-metrics.name" . }}
- helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
- app.kubernetes.io/instance: {{ .Release.Name }}
-{{- if .Values.podSecurityPolicy.annotations }}
- annotations:
-{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }}
-{{- end }}
-spec:
- privileged: false
- volumes:
- - 'secret'
- hostNetwork: false
- hostIPC: false
- hostPID: false
- runAsUser:
- rule: 'MustRunAsNonRoot'
- seLinux:
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'MustRunAs'
- ranges:
- # Forbid adding the root group.
- - min: 1
- max: 65535
- fsGroup:
- rule: 'MustRunAs'
- ranges:
- # Forbid adding the root group.
- - min: 1
- max: 65535
- readOnlyRootFilesystem: false
-{{- end }}
diff --git a/kubernetes/helm_charts/monitoring/prometheus-operator/charts/prometheus-node-exporter/templates/psp.yaml b/kubernetes/helm_charts/monitoring/prometheus-operator/charts/prometheus-node-exporter/templates/psp.yaml
deleted file mode 100755
index f00506c98..000000000
--- a/kubernetes/helm_charts/monitoring/prometheus-operator/charts/prometheus-node-exporter/templates/psp.yaml
+++ /dev/null
@@ -1,52 +0,0 @@
-{{- if .Values.rbac.create }}
-{{- if .Values.rbac.pspEnabled }}
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: {{ template "prometheus-node-exporter.fullname" . }}
- namespace: {{ template "prometheus-node-exporter.namespace" . }}
- labels: {{ include "prometheus-node-exporter.labels" . | indent 4 }}
-spec:
- privileged: false
- # Required to prevent escalations to root.
- # allowPrivilegeEscalation: false
- # This is redundant with non-root + disallow privilege escalation,
- # but we can provide it for defense in depth.
- #requiredDropCapabilities:
- # - ALL
- # Allow core volume types.
- volumes:
- - 'configMap'
- - 'emptyDir'
- - 'projected'
- - 'secret'
- - 'downwardAPI'
- - 'persistentVolumeClaim'
- - 'hostPath'
- hostNetwork: true
- hostIPC: false
- hostPID: true
- hostPorts:
- - min: 0
- max: 65535
- runAsUser:
- # Permits the container to run with root privileges as well.
- rule: 'RunAsAny'
- seLinux:
- # This policy assumes the nodes are using AppArmor rather than SELinux.
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'MustRunAs'
- ranges:
- # Forbid adding the root group.
- - min: 0
- max: 65535
- fsGroup:
- rule: 'MustRunAs'
- ranges:
- # Forbid adding the root group.
- - min: 0
- max: 65535
- readOnlyRootFilesystem: false
-{{- end }}
-{{- end }}
diff --git a/kubernetes/helm_charts/monitoring/prometheus-operator/templates/alertmanager/psp.yaml b/kubernetes/helm_charts/monitoring/prometheus-operator/templates/alertmanager/psp.yaml
deleted file mode 100755
index a536204fb..000000000
--- a/kubernetes/helm_charts/monitoring/prometheus-operator/templates/alertmanager/psp.yaml
+++ /dev/null
@@ -1,53 +0,0 @@
-{{- if and .Values.global.rbac.create .Values.global.rbac.pspEnabled }}
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: {{ template "prometheus-operator.fullname" . }}-alertmanager
- namespace: {{ $.Release.Namespace }}
- labels:
- app: {{ template "prometheus-operator.name" . }}-alertmanager
-{{- if .Values.global.rbac.pspAnnotations }}
- annotations:
-{{ toYaml .Values.global.rbac.pspAnnotations | indent 4 }}
-{{- end }}
-{{ include "prometheus-operator.labels" . | indent 4 }}
-spec:
- privileged: false
- # Required to prevent escalations to root.
- # allowPrivilegeEscalation: false
- # This is redundant with non-root + disallow privilege escalation,
- # but we can provide it for defense in depth.
- #requiredDropCapabilities:
- # - ALL
- # Allow core volume types.
- volumes:
- - 'configMap'
- - 'emptyDir'
- - 'projected'
- - 'secret'
- - 'downwardAPI'
- - 'persistentVolumeClaim'
- hostNetwork: false
- hostIPC: false
- hostPID: false
- runAsUser:
- # Permits the container to run with root privileges as well.
- rule: 'RunAsAny'
- seLinux:
- # This policy assumes the nodes are using AppArmor rather than SELinux.
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'MustRunAs'
- ranges:
- # Forbid adding the root group.
- - min: 0
- max: 65535
- fsGroup:
- rule: 'MustRunAs'
- ranges:
- # Forbid adding the root group.
- - min: 0
- max: 65535
- readOnlyRootFilesystem: false
-{{- end }}
-
diff --git a/kubernetes/helm_charts/monitoring/prometheus-operator/templates/prometheus-operator/psp.yaml b/kubernetes/helm_charts/monitoring/prometheus-operator/templates/prometheus-operator/psp.yaml
deleted file mode 100755
index a0b3a6ed4..000000000
--- a/kubernetes/helm_charts/monitoring/prometheus-operator/templates/prometheus-operator/psp.yaml
+++ /dev/null
@@ -1,51 +0,0 @@
-{{- if and .Values.global.rbac.create .Values.global.rbac.pspEnabled }}apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: {{ template "prometheus-operator.fullname" . }}-operator
- namespace: {{ $.Release.Namespace }}
- labels:
- app: {{ template "prometheus-operator.name" . }}-operator
-{{- if .Values.global.rbac.pspAnnotations }}
- annotations:
-{{ toYaml .Values.global.rbac.pspAnnotations | indent 4 }}
-{{- end }}
-{{ include "prometheus-operator.labels" . | indent 4 }}
-spec:
- privileged: false
- # Required to prevent escalations to root.
- # allowPrivilegeEscalation: false
- # This is redundant with non-root + disallow privilege escalation,
- # but we can provide it for defense in depth.
- #requiredDropCapabilities:
- # - ALL
- # Allow core volume types.
- volumes:
- - 'configMap'
- - 'emptyDir'
- - 'projected'
- - 'secret'
- - 'downwardAPI'
- - 'persistentVolumeClaim'
- hostNetwork: false
- hostIPC: false
- hostPID: false
- runAsUser:
- # Permits the container to run with root privileges as well.
- rule: 'RunAsAny'
- seLinux:
- # This policy assumes the nodes are using AppArmor rather than SELinux.
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'MustRunAs'
- ranges:
- # Forbid adding the root group.
- - min: 0
- max: 65535
- fsGroup:
- rule: 'MustRunAs'
- ranges:
- # Forbid adding the root group.
- - min: 0
- max: 65535
- readOnlyRootFilesystem: false
-{{- end }}
diff --git a/kubernetes/helm_charts/monitoring/prometheus-operator/templates/prometheus/psp.yaml b/kubernetes/helm_charts/monitoring/prometheus-operator/templates/prometheus/psp.yaml
deleted file mode 100755
index 744b30777..000000000
--- a/kubernetes/helm_charts/monitoring/prometheus-operator/templates/prometheus/psp.yaml
+++ /dev/null
@@ -1,56 +0,0 @@
-{{- if and .Values.global.rbac.create .Values.global.rbac.pspEnabled }}
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: {{ template "prometheus-operator.fullname" . }}-prometheus
- namespace: {{ $.Release.Namespace }}
- labels:
- app: {{ template "prometheus-operator.name" . }}-prometheus
-{{- if .Values.global.rbac.pspAnnotations }}
- annotations:
-{{ toYaml .Values.global.rbac.pspAnnotations | indent 4 }}
-{{- end }}
-{{ include "prometheus-operator.labels" . | indent 4 }}
-spec:
- privileged: false
- # Required to prevent escalations to root.
- # allowPrivilegeEscalation: false
- # This is redundant with non-root + disallow privilege escalation,
- # but we can provide it for defense in depth.
- #requiredDropCapabilities:
- # - ALL
- # Allow core volume types.
- volumes:
- - 'configMap'
- - 'emptyDir'
- - 'projected'
- - 'secret'
- - 'downwardAPI'
- - 'persistentVolumeClaim'
- hostNetwork: false
- hostIPC: false
- hostPID: false
- runAsUser:
- # Permits the container to run with root privileges as well.
- rule: 'RunAsAny'
- seLinux:
- # This policy assumes the nodes are using AppArmor rather than SELinux.
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'MustRunAs'
- ranges:
- # Forbid adding the root group.
- - min: 0
- max: 65535
- fsGroup:
- rule: 'MustRunAs'
- ranges:
- # Forbid adding the root group.
- - min: 0
- max: 65535
- readOnlyRootFilesystem: false
-{{- if .Values.prometheus.podSecurityPolicy.allowedCapabilities }}
- allowedCapabilities:
-{{ toYaml .Values.prometheus.podSecurityPolicy.allowedCapabilities | indent 4 }}
-{{- end }}
-{{- end }}
--
GitLab