bump apps and disable PSPs (#752)

giantswarm · Apr 30, 2024 · 0428dbb · 0428dbb
1 parent d3257b5
commit 0428dbb
Show file tree

Hide file tree

Showing 11 changed files with 34 additions and 52 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,7 +9,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Changed
 
-- Bump `coredns-app` to `1.21.0`.
+- Bump `flatcar` to `3815.2.2`.
+- Bump `coredns-app` to `1.21.0` and force enable PSS.
+- Bump `cilium-app` to `0.21.0` and force enable PSS.
+- Bump `aws-cloud-controller-manager` to `1.25.14-gs2` and force enable PSS.
+- Bump `aws-ebs-csi-driver` to `2.28.1` and force enable PSS.
+- Bump `aws-node-termination-handler` to `1.19.0` and force enable PSS.
+- Disable PSPs for `ingress-nginx`.
+
+### Remove
+
+- Removed `restricted-psp-user` and used `privileged-psp-user` instead.
 
 ## [14.20.0] - 2024-01-08
 

diff --git a/platforms/aws/giantnetes/variables.tf b/platforms/aws/giantnetes/variables.tf
@@ -153,7 +153,7 @@ variable "flatcar_linux_channel" {
 variable "flatcar_linux_version" {
   description = "Flatcar linux version."
   type        = string
-  default     = "3602.2.1"
+  default     = "3815.2.2"
 }
 
 variable "flatcar_ami_owner" {

diff --git a/templates/files/apps/aws/aws-cloud-controller-manager-app.yaml b/templates/files/apps/aws/aws-cloud-controller-manager-app.yaml
@@ -7,6 +7,9 @@ data:
   values: |
     image:
       registry: {{.DockerRegistry}}
+    global:
+      podSecurityStandards:
+        enforced: true
 ---
 apiVersion: application.giantswarm.io/v1alpha1
 kind: App
@@ -43,4 +46,4 @@ spec:
     secret:
       name: ""
       namespace: ""
-  version: 1.24.1-gs9
+  version: 1.25.14-gs2
diff --git a/templates/files/apps/aws/aws-ebs-csi-driver-app.yaml b/templates/files/apps/aws/aws-ebs-csi-driver-app.yaml
@@ -13,6 +13,8 @@ data:
       nodeSelector:
         kubernetes.io/os: linux
     global:
+      podSecurityStandards:
+        enforced: true
       image:
         registry: {{.DockerRegistry}}
 ---
@@ -51,4 +53,4 @@ spec:
     secret:
       name: ""
       namespace: ""
-  version: 2.25.0
+  version: 2.28.1
diff --git a/templates/files/apps/aws/aws-node-termination-handler-app.yaml b/templates/files/apps/aws/aws-node-termination-handler-app.yaml
@@ -8,6 +8,9 @@ data:
     queueURL: "{{.ClusterName}}-node-termination"
     image:
       registry: {{.DockerRegistry}}
+    global:
+      podSecurityStandards:
+        enforced: true
 ---
 apiVersion: application.giantswarm.io/v1alpha1
 kind: App
@@ -44,4 +47,4 @@ spec:
     secret:
       name: ""
       namespace: ""
-  version: 1.18.0
+  version: 1.19.0
diff --git a/templates/files/apps/common/cilium-app.yaml b/templates/files/apps/common/cilium-app.yaml
@@ -11,6 +11,9 @@ data:
     kubeProxyReplacement: strict
     k8sServiceHost: "{{ .APIInternalDomainName }}"
     k8sServicePort: "443"
+    global:
+      podSecurityStandards:
+        enforced: true
     ipam:
       mode: kubernetes
     localRedirectPolicy: true
@@ -96,4 +99,4 @@ spec:
     secret:
       name: ""
       namespace: ""
-  version: 0.12.0
+  version: 0.21.0
diff --git a/templates/files/apps/common/coredns-app.yaml b/templates/files/apps/common/coredns-app.yaml
@@ -14,6 +14,9 @@ data:
           clusterIPRange: {{ .K8SServiceCIDR }}
         DNS:
           IP: {{ .K8SDNSIP }}
+    global:
+      podSecurityStandards:
+        enforced: true
 ---
 apiVersion: application.giantswarm.io/v1alpha1
 kind: App

diff --git a/templates/files/apps/common/nginx-ingress-controller-app.yaml b/templates/files/apps/common/nginx-ingress-controller-app.yaml
@@ -19,6 +19,8 @@ data:
         type: NodePort
     image:
       registry: {{ .DockerRegistry }}
+    podSecurityPolicy:
+      enabled: false
 ---
 apiVersion: application.giantswarm.io/v1alpha1
 kind: App

diff --git a/templates/files/k8s-resource/psp-bindings.yaml b/templates/files/k8s-resource/psp-bindings.yaml
@@ -3,12 +3,12 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-    name: restricted-psp-users
+    name: privileged-psp-user
 subjects:
 - kind: Group
   apiGroup: rbac.authorization.k8s.io
   name: system:authenticated
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: restricted-psp-user
+  name: privileged-psp-user
diff --git a/templates/files/k8s-resource/psp-policies.yaml b/templates/files/k8s-resource/psp-policies.yaml
@@ -25,31 +25,3 @@ spec:
   hostPorts:
   - min: 1
     max: 65536
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: restricted
-  annotations:
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
-    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
-spec:
-  privileged: false
-  fsGroup:
-    rule: RunAsAny
-  runAsUser:
-    rule: RunAsAny
-  seLinux:
-    rule: RunAsAny
-  supplementalGroups:
-    rule: RunAsAny
-  volumes:
-  - 'emptyDir'
-  - 'secret'
-  - 'downwardAPI'
-  - 'configMap'
-  - 'persistentVolumeClaim'
-  - 'projected'
-  hostPID: false
-  hostIPC: false
-  hostNetwork: false
diff --git a/templates/files/k8s-resource/psp-roles.yaml b/templates/files/k8s-resource/psp-roles.yaml
@@ -1,19 +1,3 @@
-# restrictedPSP grants access to use
-# the restricted PSP.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: restricted-psp-user
-rules:
-- apiGroups:
-  - extensions
-  resources:
-  - podsecuritypolicies
-  resourceNames:
-  - restricted
-  verbs:
-  - use
----
 # privilegedPSP grants access to use the privileged
 # PSP.
 apiVersion: rbac.authorization.k8s.io/v1