From 6c6ba9acfef1d524b3de16e17ff7f24fe377098a Mon Sep 17 00:00:00 2001
From: Marc LeBlanc
Date: Mon, 8 Dec 2025 04:35:49 -0700
Subject: [PATCH] Remove deprecated PodSecurityPolicy
---
 charts/sourcegraph/README.md | 2 -
 .../cadvisor/cadvisor.ClusterRole.yaml | 17 ---
 .../cadvisor/cadvisor.ClusterRoleBinding.yaml | 19 ---
 .../cadvisor/cadvisor.PodSecurityPolicy.yaml | 27 ----
 .../node-exporter.ClusterRole.yaml | 17 ---
 .../node-exporter.ClusterRoleBinding.yaml | 19 ---
 .../node-exporter.PodSecurityPolicy.yaml | 34 -----
 .../sourcegraph/tests/nodeExporter_test.yaml | 131 ++++-------------
 charts/sourcegraph/values.yaml | 6 -
 9 files changed, 28 insertions(+), 244 deletions(-)
 delete mode 100644 charts/sourcegraph/templates/cadvisor/cadvisor.ClusterRole.yaml
 delete mode 100644 charts/sourcegraph/templates/cadvisor/cadvisor.ClusterRoleBinding.yaml
 delete mode 100644 charts/sourcegraph/templates/cadvisor/cadvisor.PodSecurityPolicy.yaml
 delete mode 100644 charts/sourcegraph/templates/node-exporter/node-exporter.ClusterRole.yaml
 delete mode 100644 charts/sourcegraph/templates/node-exporter/node-exporter.ClusterRoleBinding.yaml
 delete mode 100644 charts/sourcegraph/templates/node-exporter/node-exporter.PodSecurityPolicy.yaml
diff --git a/charts/sourcegraph/README.md b/charts/sourcegraph/README.md
index b30d4d0d..1bcf2630 100644
--- a/charts/sourcegraph/README.md
+++ b/charts/sourcegraph/README.md
@@ -46,7 +46,6 @@ In addition to the documented values, all services also support the following va | cadvisor.image.defaultTag | string | `"6.0.0@sha256:48082a2822a727e22c556ae2c3bae5f5bf4528c7b462efc3c085271ee5145be8"` | Docker image tag for the `cadvisor` image | | cadvisor.image.name | string | `"cadvisor"` | Docker image name for the `cadvisor` image | | cadvisor.name | string | `"cadvisor"` | Name used by resources. Does not affect service names or PVCs. | -| cadvisor.podSecurityPolicy.enabled | bool | `false` | Enable [PodSecurityPolicy](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) for `cadvisor` pods | | cadvisor.resources | object | `{"limits":{"cpu":"300m","memory":"2000Mi"},"requests":{"cpu":"150m","memory":"200Mi"}}` | Resource requests & limits for the `cadvisor` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | | cadvisor.serviceAccount.create | bool | `true` | Enable creation of ServiceAccount for `cadvisor` | | cadvisor.serviceAccount.name | string | `"cadvisor"` | Name of the ServiceAccount to be created or an existing ServiceAccount | 
@@ -188,7 +187,6 @@ In addition to the documented values, all services also support the following va | nodeExporter.image.name | string | `"node-exporter"` | Docker image name for the `node-exporter` image | | nodeExporter.name | string | `"node-exporter"` | Name used by resources. Does not affect service names or PVCs. | | nodeExporter.podSecurityContext | object | `{"fsGroup":65534,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534}` | Security context for the `node-exporter` pod, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | -| nodeExporter.podSecurityPolicy.enabled | bool | `false` | Enable [PodSecurityPolicy](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) for `node-exporter` pods | | nodeExporter.resources | object | `{"limits":{"cpu":"1","memory":"1Gi"},"requests":{"cpu":".2","memory":"100Mi"}}` | Resource requests & limits for the `node-exporter` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | | nodeExporter.serviceAccount.create | bool | `false` | Enable creation of ServiceAccount for `node-exporter` | | nodeExporter.serviceAccount.name | string | `"node-exporter"` | Name of the ServiceAccount to be created or an existing ServiceAccount | diff --git a/charts/sourcegraph/templates/cadvisor/cadvisor.ClusterRole.yaml b/charts/sourcegraph/templates/cadvisor/cadvisor.ClusterRole.yaml deleted file mode 100644 index 86ee7705..00000000 --- a/charts/sourcegraph/templates/cadvisor/cadvisor.ClusterRole.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -{{- if and .Values.cadvisor.enabled .Values.cadvisor.podSecurityPolicy.enabled -}} -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - labels: - app: cadvisor - category: rbac - deploy: sourcegraph - app.kubernetes.io/component: cadvisor - name: {{ .Values.cadvisor.name }} -rules: - - apiGroups: ['policy'] - resources: ['podsecuritypolicies'] - verbs: ['use'] - resourceNames: - - {{ .Values.cadvisor.name }} -{{- end }} diff --git a/charts/sourcegraph/templates/cadvisor/cadvisor.ClusterRoleBinding.yaml b/charts/sourcegraph/templates/cadvisor/cadvisor.ClusterRoleBinding.yaml deleted file mode 100644 index f10abe8b..00000000 --- a/charts/sourcegraph/templates/cadvisor/cadvisor.ClusterRoleBinding.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- if and .Values.cadvisor.enabled .Values.cadvisor.podSecurityPolicy.enabled -}} -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - labels: - app: cadvisor - category: rbac - deploy: sourcegraph - app.kubernetes.io/component: cadvisor - name: {{ .Values.cadvisor.name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ .Values.cadvisor.name }} -subjects: -- name: {{ include "sourcegraph.serviceAccountName" (list . "cadvisor") }} - kind: ServiceAccount - namespace: {{ .Release.Namespace }} -{{- end }} diff --git a/charts/sourcegraph/templates/cadvisor/cadvisor.PodSecurityPolicy.yaml b/charts/sourcegraph/templates/cadvisor/cadvisor.PodSecurityPolicy.yaml deleted file mode 100644 index 4d83fa11..00000000 --- a/charts/sourcegraph/templates/cadvisor/cadvisor.PodSecurityPolicy.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -{{- if and .Values.cadvisor.enabled .Values.cadvisor.podSecurityPolicy.enabled -}} -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - labels: - app: cadvisor - deploy: sourcegraph - app.kubernetes.io/component: cadvisor - name: {{ .Values.cadvisor.name }} -spec: - seLinux: - rule: RunAsAny - supplementalGroups: - rule: RunAsAny - runAsUser: - rule: RunAsAny - fsGroup: - rule: RunAsAny - volumes: - - '*' - allowedHostPaths: - - pathPrefix: "/" - - pathPrefix: "/var/run" - - pathPrefix: "/sys" - - pathPrefix: "/var/lib/docker" - - pathPrefix: "/dev/disk" -{{- end }} diff --git a/charts/sourcegraph/templates/node-exporter/node-exporter.ClusterRole.yaml b/charts/sourcegraph/templates/node-exporter/node-exporter.ClusterRole.yaml deleted file mode 100644 index 25227f09..00000000 --- a/charts/sourcegraph/templates/node-exporter/node-exporter.ClusterRole.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{- if and .Values.nodeExporter.enabled .Values.nodeExporter.podSecurityPolicy.enabled -}} -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - labels: - app: node-exporter - category: rbac - deploy: sourcegraph - app.kubernetes.io/component: node-exporter - name: {{ .Values.nodeExporter.name }} -rules: - - apiGroups: ['policy'] - resources: ['podsecuritypolicies'] - verbs: ['use'] - resourceNames: - - {{ .Values.nodeExporter.name }} -{{- end }} diff --git a/charts/sourcegraph/templates/node-exporter/node-exporter.ClusterRoleBinding.yaml b/charts/sourcegraph/templates/node-exporter/node-exporter.ClusterRoleBinding.yaml deleted file mode 100644 index 698e98a4..00000000 --- a/charts/sourcegraph/templates/node-exporter/node-exporter.ClusterRoleBinding.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -{{- if and .Values.nodeExporter.enabled .Values.nodeExporter.podSecurityPolicy.enabled -}} -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - labels: - app: node-exporter - category: rbac - deploy: sourcegraph - app.kubernetes.io/component: node-exporter - name: {{ .Values.nodeExporter.name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ .Values.nodeExporter.name }} -subjects: -- name: {{ include "sourcegraph.serviceAccountName" (list . "nodeExporter") }} - kind: ServiceAccount - namespace: {{ .Release.Namespace }} -{{- end }} diff --git a/charts/sourcegraph/templates/node-exporter/node-exporter.PodSecurityPolicy.yaml b/charts/sourcegraph/templates/node-exporter/node-exporter.PodSecurityPolicy.yaml deleted file mode 100644 index 255e7890..00000000 --- a/charts/sourcegraph/templates/node-exporter/node-exporter.PodSecurityPolicy.yaml +++ /dev/null @@ -1,34 +0,0 @@ -{{- if and .Values.nodeExporter.enabled .Values.nodeExporter.podSecurityPolicy.enabled -}} - -{{- if not .Values.nodeExporter.serviceAccount.create -}} -{{ fail "Node Exporter's service account must be enabled in order to use its pod security policy (set 'nodeExporter.ServiceAccount.create' to true)" }} -{{- end -}} - -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - labels: - app: node-exporter - deploy: sourcegraph - app.kubernetes.io/component: node-exporter - name: {{ .Values.nodeExporter.name }} -spec: - privileged: false - hostIPC: false - hostPID: {{ .Values.nodeExporter.hostPID }} - seLinux: - rule: RunAsAny - supplementalGroups: - rule: RunAsAny - runAsUser: - rule: RunAsAny - fsGroup: - rule: RunAsAny - volumes: - - '*' - allowedHostPaths: - - pathPrefix: "/" - - pathPrefix: "/sys" - - pathPrefix: "/proc" - readOnlyRootFilesystem: true -{{- end }} diff --git a/charts/sourcegraph/tests/nodeExporter_test.yaml b/charts/sourcegraph/tests/nodeExporter_test.yaml index 51f5a82d..2147a2b4 100644 
--- a/charts/sourcegraph/tests/nodeExporter_test.yaml +++ b/charts/sourcegraph/tests/nodeExporter_test.yaml @@ -1,15 +1,12 @@ suite: nodeExporter templates: - NOTES.txt - - node-exporter/node-exporter.ClusterRole.yaml - - node-exporter/node-exporter.ClusterRoleBinding.yaml - node-exporter/node-exporter.DaemonSet.yaml - - node-exporter/node-exporter.PodSecurityPolicy.yaml - node-exporter/node-exporter.Service.yaml - node-exporter/node-exporter.ServiceAccount.yaml tests: - it: should render the DaemonSet and Service if node-exporter is enabled - set: + set: nodeExporter: enabled: true asserts: 
@@ -25,66 +22,37 @@ tests: template: node-exporter/node-exporter.Service.yaml - it: should not render any resources if node-exporter is disabled - set: + set: nodeExporter: enabled: false asserts: - - hasDocuments: + - hasDocuments: count: 0 templates: - - node-exporter/node-exporter.ClusterRole.yaml - - node-exporter/node-exporter.ClusterRoleBinding.yaml - node-exporter/node-exporter.DaemonSet.yaml - - node-exporter/node-exporter.PodSecurityPolicy.yaml - node-exporter/node-exporter.Service.yaml - node-exporter/node-exporter.ServiceAccount.yaml - - it: should not render the PodSecurityPolicy, Service Accounts, and ClusterRoles by default + - it: should not render the Service Accounts by default asserts: - - hasDocuments: - count: 0 - template: node-exporter/node-exporter.PodSecurityPolicy.yaml - - hasDocuments: - count: 0 - template: node-exporter/node-exporter.ClusterRole.yaml - - hasDocuments: - count: 0 - template: node-exporter/node-exporter.ClusterRoleBinding.yaml - - hasDocuments: + - hasDocuments: count: 0 template: node-exporter/node-exporter.ServiceAccount.yaml - - it: should render the PodSecurityPolicy, ServiceAccounts, and ClusterRoles if PodSecurityPolicy + Service Accounts are enabled - set: + - it: should render the ServiceAccounts if Service Accounts are enabled + set: nodeExporter: serviceAccount: create: true - podSecurityPolicy: - enabled: true asserts: - - containsDocument: - kind: PodSecurityPolicy - apiVersion: policy/v1beta1 - name: node-exporter - template: node-exporter/node-exporter.PodSecurityPolicy.yaml - containsDocument: kind: ServiceAccount apiVersion: v1 name: node-exporter template: node-exporter/node-exporter.ServiceAccount.yaml - - containsDocument: - kind: ClusterRole - apiVersion: rbac.authorization.k8s.io/v1 - name: node-exporter - template: node-exporter/node-exporter.ClusterRole.yaml - - containsDocument: - kind: ClusterRoleBinding - apiVersion: rbac.authorization.k8s.io/v1 - name: node-exporter - template: 
node-exporter/node-exporter.ClusterRoleBinding.yaml - + - it: should add the ServiceAccount name to the DaemonSet spec if the ServiceAccount is enabled - set: + set: nodeExporter: serviceAccount: create: true @@ -94,9 +62,9 @@ tests: path: spec.template.spec.serviceAccountName value: "test-service-account-name" template: node-exporter/node-exporter.DaemonSet.yaml - + - it: should add not the ServiceAccount name to the DaemonSet spec if the ServiceAccount is disabled - set: + set: nodeExporter: serviceAccount: create: false 
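Review bot: No test in this hunk covers a values file that still sets the removed `nodeExporter.podSecurityPolicy.enabled` key; Helm ignores unknown values silently, so an operator who relied on that toggle for the `privileged: false`, `hostIPC: false` and `readOnlyRootFilesystem: true` constraints the deleted PodSecurityPolicy enforced gets no signal that those constraints are no longer applied by the chart. This suite already pins NOTES.txt warnings by regex (the `nodeExporter.enabled` and `nodeExporter.hostPID` cases further down), so the same pattern fits: a NOTES.txt block such as `{{- if .Values.nodeExporter.podSecurityPolicy }}` / `WARNING: 'nodeExporter.podSecurityPolicy' has been removed; apply Pod Security Admission to the namespace instead` / `{{- end }}`, plus a `matchRegexRaw` case here that sets the old key. The warning is also the natural place to say that node-exporter's default `hostPID: true` (asserted below) will not pass the `baseline` Pod Security Standard, so namespaces running it need the `privileged` level. The cadvisor side has the same gap via the values.yaml hunk at the end; NOTES.txt itself is outside this diff, so whether it has a suitable place for the block is inferred.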
@@ -105,95 +73,52 @@ tests: - notExists: path: spec.template.spec.serviceAccountName template: node-exporter/node-exporter.DaemonSet.yaml - - - it: should fail to render if the PodSecurityPolicy is enabled, but the ServiceAccount isn't - set: - nodeExporter: - serviceAccount: - create: false - podSecurityPolicy: - enabled: true - asserts: - - failedTemplate: - errorMessage: "Node Exporter's service account must be enabled in order to use its pod security policy (set 'nodeExporter.ServiceAccount.create' to true)" - template: node-exporter/node-exporter.PodSecurityPolicy.yaml - - it: should not render the podSecurityPolicy if disabled - set: - nodeExporter: - podSecurityPolicy: - enabled: false - asserts: - - hasDocuments: - count: 0 - template: node-exporter/node-exporter.PodSecurityPolicy.yaml - - - it: should ensure that the namespace is properly propagated to the cluster role binding - release: - namespace: "my-test-namespace" + - it: should have hostPID enabled by default set: nodeExporter: serviceAccount: create: true - podSecurityPolicy: - enabled: true asserts: - equal: - path: subjects[0].namespace - value: "my-test-namespace" - template: node-exporter/node-exporter.ClusterRoleBinding.yaml - - - it: should have hostPID enabled by default - set: - nodeExporter: - # (these settings are unrelated to host pid defaults, they're just for ensuring that PodSecurityPolicy gets rendered so that we can check them in same test) - serviceAccount: - create: true - podSecurityPolicy: - enabled: true - asserts: - - equal: path: spec.template.spec.hostPID value: true template: node-exporter/node-exporter.DaemonSet.yaml - - equal: - path: spec.hostPID + - equal: + path: spec.template.spec.hostPID value: true - template: node-exporter/node-exporter.PodSecurityPolicy.yaml - - - it: should propagate host PID settings to both the daemonset and podSecurityPolicy + template: node-exporter/node-exporter.DaemonSet.yaml + + - it: should propagate host PID settings to the daemonset 
set: nodeExporter: hostPID: false - # (these settings are unrelated to host pid defaults, they're just for ensuring that PodSecurityPolicy gets rendered so that we can check them in same test) serviceAccount: create: true - podSecurityPolicy: - enabled: true - asserts: - - equal: + asserts: + - equal: path: spec.template.spec.hostPID value: false template: node-exporter/node-exporter.DaemonSet.yaml - - equal: - path: spec.hostPID + - equal: + path: spec.template.spec.hostPID value: false - template: node-exporter/node-exporter.PodSecurityPolicy.yaml + template: node-exporter/node-exporter.DaemonSet.yaml - it: should not generate warnings if node-exporter is enabled set: nodeExporter: enabled: true - asserts: + asserts: - notMatchRegexRaw: pattern: You have set 'nodeExporter.enabled' to 'false' template: NOTES.txt - + - it: should generate warnings if node-exporter is disabled set: nodeExporter: enabled: false - asserts: + asserts: - matchRegexRaw: pattern: You have set 'nodeExporter.enabled' to 'false' template: NOTES.txt @@ -202,16 +127,16 @@ tests: set: nodeExporter: hostPID: true - asserts: + asserts: - notMatchRegexRaw: pattern: You have set 'nodeExporter.hostPID' to 'false' template: NOTES.txt - - it: should generate warnings if hostPID is false + - it: should generate warnings if hostPID is false set: nodeExporter: hostPID: false - asserts: + asserts: - matchRegexRaw: pattern: You have set 'nodeExporter.hostPID' to 'false' template: NOTES.txt diff --git a/charts/sourcegraph/values.yaml b/charts/sourcegraph/values.yaml index f11ca539..280ad2f1 100644 --- a/charts/sourcegraph/values.yaml +++ b/charts/sourcegraph/values.yaml 
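Review bot: The `equal` assertion on `spec.template.spec.hostPID` against `node-exporter/node-exporter.DaemonSet.yaml` now appears twice in both "should have hostPID enabled by default" and "should propagate host PID settings to the daemonset"; the second copy is the old PodSecurityPolicy `spec.hostPID` check with its path and template swapped, and it asserts nothing the first does not. Either drop it, or make it earn its place by pinning a constraint the PodSecurityPolicy used to enforce and the DaemonSet still controls, e.g. `path: spec.template.spec.securityContext.runAsNonRoot` / `value: true`, assuming the DaemonSet renders `nodeExporter.podSecurityContext` (whose README default sets `runAsNonRoot: true`); confirm against the template, which is outside this diff. The `serviceAccount.create: true` setting kept in both tests existed only to get the PodSecurityPolicy rendered, as the deleted comment said, and can go as well.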
@@ -119,9 +119,6 @@ cadvisor: name: "cadvisor" # -- Name used by resources. Does not affect service names or PVCs. name: "cadvisor" - podSecurityPolicy: - # -- Enable [PodSecurityPolicy](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) for `cadvisor` pods - enabled: false # -- Resource requests & limits for the `cadvisor` container, # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) resources: @@ -674,9 +671,6 @@ nodeExporter: name: "node-exporter" # -- Name used by resources. Does not affect service names or PVCs. name: "node-exporter" - podSecurityPolicy: - # -- Enable [PodSecurityPolicy](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) for `node-exporter` pods - enabled: false # -- Resource requests & limits for the `node-exporter` container, # learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) resources: