From 229331faf1f8d8fba9dae410d2b82bb0a9885d6f Mon Sep 17 00:00:00 2001
From: Tatsuya Sato
Date: Thu, 28 Sep 2023 11:27:07 +0000
Subject: [PATCH] Use PodSecurity Admission controller for k8s versions v1.25.x
Signed-off-by: Tatsuya Sato
---
 .../rbac/fabric-operator-clusterrole.yaml | 8 ----
 .../config/rbac/fabric-operator-psp.yaml | 48 ------------------------------------------------
 .../config/rbac/kustomization.yaml | 1 -
 .../sample-network/scripts/sample_network.sh | 3 ++
 4 files changed, 3 insertions(+), 57 deletions(-)
 delete mode 100644 full-stack-asset-transfer-guide/infrastructure/sample-network/config/rbac/fabric-operator-psp.yaml
diff --git a/full-stack-asset-transfer-guide/infrastructure/sample-network/config/rbac/fabric-operator-clusterrole.yaml b/full-stack-asset-transfer-guide/infrastructure/sample-network/config/rbac/fabric-operator-clusterrole.yaml
index 3a775e7617..4c0619998b 100644
--- a/full-stack-asset-transfer-guide/infrastructure/sample-network/config/rbac/fabric-operator-clusterrole.yaml
+++ b/full-stack-asset-transfer-guide/infrastructure/sample-network/config/rbac/fabric-operator-clusterrole.yaml
@@ -27,14 +27,6 @@ metadata: app.kubernetes.io/instance: "ibm-hlfsupport" app.kubernetes.io/managed-by: "ibm-hlfsupport-operator" rules: - - apiGroups: - extensions resourceNames: - ibm-hlfsupport-psp resources: - podsecuritypolicies verbs: - use - apiGroups: - apiextensions.k8s.io resources:
diff --git a/full-stack-asset-transfer-guide/infrastructure/sample-network/config/rbac/fabric-operator-psp.yaml b/full-stack-asset-transfer-guide/infrastructure/sample-network/config/rbac/fabric-operator-psp.yaml
deleted file mode 100644
index dcd53c72ee..0000000000
--- a/full-stack-asset-transfer-guide/infrastructure/sample-network/config/rbac/fabric-operator-psp.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-#
-# Copyright contributors to the Hyperledger Fabric Operator project
-#
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at:
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: ibm-hlfsupport-psp
-spec:
- hostIPC: false
- hostNetwork: false
- hostPID: false
- privileged: true
- allowPrivilegeEscalation: true
- readOnlyRootFilesystem: false
- seLinux:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- runAsUser:
- rule: RunAsAny
- fsGroup:
- rule: RunAsAny
- requiredDropCapabilities:
- - ALL
- allowedCapabilities:
- - NET_BIND_SERVICE
- - CHOWN
- - DAC_OVERRIDE
- - SETGID
- - SETUID
- - FOWNER
- volumes:
- - '*'
diff --git a/full-stack-asset-transfer-guide/infrastructure/sample-network/config/rbac/kustomization.yaml b/full-stack-asset-transfer-guide/infrastructure/sample-network/config/rbac/kustomization.yaml
index a6930c5dc5..bdb0039e94 100644
--- a/full-stack-asset-transfer-guide/infrastructure/sample-network/config/rbac/kustomization.yaml
+++ b/full-stack-asset-transfer-guide/infrastructure/sample-network/config/rbac/kustomization.yaml
@@ -19,7 +19,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - fabric-operator-psp.yaml
 - fabric-operator-serviceaccount.yaml
 - fabric-operator-clusterrole.yaml
 - fabric-operator-clusterrolebinding.yaml
diff --git a/full-stack-asset-transfer-guide/infrastructure/sample-network/scripts/sample_network.sh b/full-stack-asset-transfer-guide/infrastructure/sample-network/scripts/sample_network.sh
index 8a56e89240..8fd8d636b7 100644
--- a/full-stack-asset-transfer-guide/infrastructure/sample-network/scripts/sample_network.sh
+++ b/full-stack-asset-transfer-guide/infrastructure/sample-network/scripts/sample_network.sh
@@ -60,6 +60,9 @@ metadata:
 name: ${NS}
 EOF
+ # https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/
+ kubectl label --overwrite namespace $NS pod-security.kubernetes.io/enforce=baseline
+
 pop_fn
 }
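Review bot: The namespace gets only the `enforce=baseline` label, and baseline does not require containers to drop capabilities, whereas the deleted PSP enforced `requiredDropCapabilities: ALL` — that control is lost unless the operator's pod specs set it themselves, which is not visible in this patch. Adding `pod-security.kubernetes.io/warn=restricted pod-security.kubernetes.io/audit=restricted` to the same `kubectl label` line would surface, without breaking the deploy, which workloads still depend on the looser posture. Note also that the old PSP permitted `privileged: true`, which baseline rejects at admission, so any Fabric component that actually ran privileged will now fail to schedule; and on a cluster without the PodSecurity admission plugin (pre-1.25 per the commit title) the label is silently ignored and nothing is enforced. The enclosing function starts before this hunk.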