removing deprecated psp (#1540)

googleforgames · Feb 24, 2023 · 3d1bae2 · 3d1bae2
1 parent 7070f05
commit 3d1bae2
Show file tree

Hide file tree

Showing 5 changed files with 5 additions and 233 deletions.
diff --git a/Makefile b/Makefile
@@ -318,7 +318,6 @@ build/chart/: build/chart/index.yaml build/chart/index.yaml.$(YEAR_MONTH_DAY)
 
 install-chart-prerequisite: build/toolchain/bin/kubectl$(EXE_EXTENSION) update-chart-deps
 	-$(KUBECTL) create namespace $(OPEN_MATCH_KUBERNETES_NAMESPACE)
-	$(KUBECTL) apply -f install/gke-metadata-server-workaround.yaml
 
 # Used for Open Match development. Install om-configmap-override.yaml by default.
 HELM_UPGRADE_FLAGS = --cleanup-on-fail -i --no-hooks --debug --timeout=600s --namespace=$(OPEN_MATCH_KUBERNETES_NAMESPACE) --set global.gcpProjectId=$(GCP_PROJECT_ID) --set open-match-override.enabled=true --set redis.password=$(REDIS_DEV_PASSWORD) --set redis.auth.enabled=false --set redis.auth.sentinel=false
@@ -389,8 +388,8 @@ install-ci-chart: install-chart-prerequisite build/toolchain/bin/helm$(EXE_EXTEN
 delete-chart: build/toolchain/bin/helm$(EXE_EXTENSION) build/toolchain/bin/kubectl$(EXE_EXTENSION)
 	-$(HELM) uninstall $(OPEN_MATCH_HELM_NAME)
 	-$(HELM) uninstall $(OPEN_MATCH_HELM_NAME)-demo
-	-$(KUBECTL) delete psp,clusterrole,clusterrolebinding --selector=release=open-match
-	-$(KUBECTL) delete psp,clusterrole,clusterrolebinding --selector=release=open-match-demo
+	-$(KUBECTL) delete clusterrole,clusterrolebinding --selector=release=open-match
+	-$(KUBECTL) delete clusterrole,clusterrolebinding --selector=release=open-match-demo
 	-$(KUBECTL) delete namespace $(OPEN_MATCH_KUBERNETES_NAMESPACE)
 	-$(KUBECTL) delete namespace $(OPEN_MATCH_KUBERNETES_NAMESPACE)-demo
 
@@ -641,7 +640,7 @@ delete-kind-cluster: build/toolchain/bin/kind$(EXE_EXTENSION) build/toolchain/bi
 create-cluster-role-binding:
 	$(KUBECTL) create clusterrolebinding myname-cluster-admin-binding --clusterrole=cluster-admin --user=$(GCLOUD_ACCOUNT_EMAIL)
 
-create-gke-cluster: GKE_VERSION = 1.22.12-gke.2300 # gcloud beta container get-server-config --zone us-west1-a
+create-gke-cluster: GKE_VERSION = 1.25.5-gke.2000 # gcloud beta container get-server-config --zone us-west1-a
 create-gke-cluster: GKE_CLUSTER_SHAPE_FLAGS = --machine-type n1-standard-8 --enable-autoscaling --min-nodes 1 --num-nodes 6 --max-nodes 10 --disk-size 50
 create-gke-cluster: GKE_FUTURE_COMPAT_FLAGS = --no-enable-basic-auth --no-issue-client-certificate --enable-ip-alias --metadata disable-legacy-endpoints=true --enable-autoupgrade
 create-gke-cluster: build/toolchain/bin/kubectl$(EXE_EXTENSION) gcloud
@@ -650,7 +649,6 @@ create-gke-cluster: build/toolchain/bin/kubectl$(EXE_EXTENSION) gcloud
 		--image-type cos_containerd \
 		--tags open-match \
 		--workload-pool $(GCP_PROJECT_ID).svc.id.goog
-	$(MAKE) create-cluster-role-binding
 
 
 delete-gke-cluster: gcloud

diff --git a/install/helm/open-match/templates/podsecuritypolicy.yaml b/install/helm/open-match/templates/podsecuritypolicy.yaml
diff --git a/install/helm/open-match/templates/service-account.yaml b/install/helm/open-match/templates/service-account.yaml
@@ -23,6 +23,8 @@ metadata:
   labels:
     app: {{ template "openmatch.name" . }}
     release: {{ .Release.Name }}
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/warn: baseline
 {{- end }}
 ---
 # Create a universal service account for open-match-core services.
@@ -39,79 +41,4 @@ metadata:
     release: {{ .Release.Name }}
 automountServiceAccountToken: true
 ---
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: {{ include "openmatch.fullname" . }}-service-role
-  namespace: {{ .Release.Namespace }}
-  annotations: {{- include "openmatch.chartmeta" . | nindent 4 }}
-  labels:
-    app: {{ template "openmatch.name" . }}
-    release: {{ .Release.Name }}
-rules:
-- apiGroups:
-  - extensions
-  resources:
-  - podsecuritypolicies
-  resourceNames:
-  - {{ include "openmatch.fullname" . }}-core-podsecuritypolicy
-  verbs:
-  - use
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: {{ include "openmatch.fullname" . }}-service-role-binding
-  namespace: {{ .Release.Namespace }}
-  annotations: {{- include "openmatch.chartmeta" . | nindent 4 }}
-  labels:
-    app: {{ template "openmatch.name" . }}
-    release: {{ .Release.Name }}
-subjects:
-- kind: Group
-  name: system:authenticated # All authenticated users
-  apiGroup: rbac.authorization.k8s.io
-roleRef:
-  kind: Role
-  name: {{ include "openmatch.fullname" . }}-service-role
-  apiGroup: rbac.authorization.k8s.io
----
-{{- if index .Values "open-match-core" "redis" "enabled" }}
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: {{ include "openmatch.fullname" . }}-redis-role
-  namespace: {{ .Release.Namespace }}
-  annotations: {{- include "openmatch.chartmeta" . | nindent 4 }}
-  labels:
-    app: {{ template "openmatch.name" . }}
-    release: {{ .Release.Name }}
-rules:
-- apiGroups:
-  - extensions
-  resources:
-  - podsecuritypolicies
-  resourceNames:
-  - {{ include "openmatch.fullname" . }}-redis-podsecuritypolicy
-  verbs:
-  - use
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: {{ include "openmatch.fullname" . }}-redis-role-binding
-  namespace: {{ .Release.Namespace }}
-  annotations: {{- include "openmatch.chartmeta" . | nindent 4 }}
-  labels:
-    app: {{ template "openmatch.name" . }}
-    release: {{ .Release.Name }}
-subjects:
-- kind: ServiceAccount
-  name: {{ include "call-nested" (list . "redis" "redis.serviceAccountName") }}
-  namespace: {{ .Release.Namespace }}
-roleRef:
-  kind: Role
-  name: {{ include "openmatch.fullname" . }}-redis-role
-  apiGroup: rbac.authorization.k8s.io
-{{- end }}
 {{- end }}
diff --git a/install/helm/open-match/templates/tests/om-test-role.yaml b/install/helm/open-match/templates/tests/om-test-role.yaml
@@ -24,14 +24,6 @@ metadata:
     app: {{ template "openmatch.name" . }}
     release: {{ .Release.Name }}
 rules:
-- apiGroups:
-  - extensions
-  resources:
-  - podsecuritypolicies
-  resourceNames:
-  - {{ include "openmatch.fullname" . }}-core-podsecuritypolicy
-  verbs:
-  - use
 # Grant this role get & list permission for k8s endpoints and pods resources
 # Required for e2e in-cluster testing.
 - apiGroups:

diff --git a/install/terraform/open-match-build/open-match-build.tf b/install/terraform/open-match-build/open-match-build.tf
@@ -96,11 +96,6 @@ resource "google_container_cluster" "ci_cluster" {
     identity_namespace = "${var.gcp_project_id}.svc.id.goog"
   }
 
-  # Enable PodSecurityPolicy
-  pod_security_policy_config {
-    enabled = "true"
-  }
-
   node_config {
     oauth_scopes = [
       "https://www.googleapis.com/auth/devstorage.read_only",