Merge tag 'v0.24.8' into update-cilium-extension

# Conflicts: # go.sum # pkg/admission/mutator/config.go # pkg/admission/mutator/defaulter_test.go
metal-stack · Oct 10, 2024 · 7c26113 · 7c26113
2 parents f477828 + 3234a58
commit 7c26113
Show file tree

Hide file tree

Showing 17 changed files with 193 additions and 1,797 deletions.
diff --git a/charts/gardener-extension-admission-metal/values.yaml b/charts/gardener-extension-admission-metal/values.yaml
@@ -36,7 +36,6 @@ global:
     ciliumDevices:
     ciliumHubbleEnabled:
     ciliumKubeProxyEnabled:
-    ciliumPSPEnabled:
     ciliumTunnel:
     ciliumIPv4NativeRoutingCIDREnabled:
     ciliumLoadBalancingMode:

diff --git a/charts/internal/control-plane/templates/duros-controller.yaml b/charts/internal/control-plane/templates/duros-controller.yaml
@@ -108,7 +108,6 @@ spec:
           - -admin-token=/duros/admin-token
           - -admin-key=/duros/admin-key
           - -shoot-kubeconfig=/var/run/secrets/gardener.cloud/shoot/generic-kubeconfig/kubeconfig
-          - -psp-disabled={{ .Values.pspDisabled }}
           - -api-endpoint={{ .Values.duros.controller.apiEndpoint }}
 {{- if .Values.duros.controller.apiCA }}
           - -api-ca=/duros/api-ca

diff --git a/charts/internal/shoot-control-plane/templates/metallb.yaml b/charts/internal/shoot-control-plane/templates/metallb.yaml
@@ -5,88 +5,6 @@ metadata:
   labels:
     app: metallb
   name: metallb-system
-{{- if not .Values.pspDisabled }}
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  labels:
-    app: metallb
-  name: controller
-  namespace: metallb-system
-spec:
-  allowPrivilegeEscalation: false
-  allowedCapabilities: []
-  allowedHostPaths: []
-  defaultAddCapabilities: []
-  defaultAllowPrivilegeEscalation: false
-  fsGroup:
-    ranges:
-    - max: 65535
-      min: 1
-    rule: MustRunAs
-  hostIPC: false
-  hostNetwork: false
-  hostPID: false
-  privileged: false
-  requiredDropCapabilities:
-  - ALL
-  runAsUser:
-    ranges:
-    - max: 65535
-      min: 1
-    rule: MustRunAs
-  seLinux:
-    rule: RunAsAny
-  supplementalGroups:
-    ranges:
-    - max: 65535
-      min: 1
-    rule: MustRunAs
-  volumes:
-  - configMap
-  - secret
-  - emptyDir
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  labels:
-    app: metallb
-  name: speaker
-  namespace: metallb-system
-spec:
-  allowPrivilegeEscalation: false
-  allowedCapabilities:
-  - NET_RAW
-  allowedHostPaths: []
-  defaultAddCapabilities: []
-  defaultAllowPrivilegeEscalation: false
-  fsGroup:
-    rule: RunAsAny
-  hostIPC: false
-  hostNetwork: true
-  hostPID: false
-  hostPorts:
-  - max: 7472
-    min: 7472
-  - max: 7946
-    min: 7946
-  privileged: true
-  readOnlyRootFilesystem: true
-  requiredDropCapabilities:
-  - ALL
-  runAsUser:
-    rule: RunAsAny
-  seLinux:
-    rule: RunAsAny
-  supplementalGroups:
-    rule: RunAsAny
-  volumes:
-  - configMap
-  - secret
-  - emptyDir
-  {{- end }}
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -199,16 +117,6 @@ rules:
   verbs:
   - list
   - watch
-{{- if not .Values.pspDisabled }}
-- apiGroups:
-  - policy
-  resourceNames:
-  - controller
-  resources:
-  - podsecuritypolicies
-  verbs:
-  - use
-{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -243,16 +151,6 @@ rules:
   verbs:
   - create
   - patch
-{{- if not .Values.pspDisabled }}
-- apiGroups:
-  - policy
-  resourceNames:
-  - speaker
-  resources:
-  - podsecuritypolicies
-  verbs:
-  - use
-{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role

diff --git a/charts/internal/shoot-control-plane/templates/node-init.yaml b/charts/internal/shoot-control-plane/templates/node-init.yaml
@@ -4,27 +4,6 @@ kind: ServiceAccount
 metadata:
   name: node-init
   namespace: kube-system
-{{- if not .Values.pspDisabled }}
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: node-init
-spec:
-  allowedCapabilities:
-  - NET_ADMIN
-  fsGroup:
-    rule: RunAsAny
-  runAsUser:
-    rule: RunAsAny
-  seLinux:
-    rule: RunAsAny
-  supplementalGroups:
-    rule: RunAsAny
-  volumes:
-  - secret
-  hostNetwork: true
-{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -39,16 +18,6 @@ rules:
   - watch
   - list
   - get
-{{- if not .Values.pspDisabled }}
-- apiGroups:
-  - extensions
-  resources:
-  - podsecuritypolicies
-  resourceNames:
-  - node-init
-  verbs:
-  - use
-{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

diff --git a/charts/internal/shoot-control-plane/templates/rbac-duros.yaml b/charts/internal/shoot-control-plane/templates/rbac-duros.yaml
@@ -49,21 +49,6 @@ rules:
   - patch
   - update
   - watch
-{{- if not .Values.pspDisabled }}
-- apiGroups:
-  - "policy"
-  resources:
-  - podsecuritypolicies
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-  - use
-{{- end }}
 - apiGroups:
   - "rbac.authorization.k8s.io"
   resources:

diff --git a/charts/internal/shoot-control-plane/values.yaml b/charts/internal/shoot-control-plane/values.yaml
@@ -2,7 +2,6 @@
 kubernetesVersion: "1.16.0"
 apiserverIPs: []
 nodeCIDR:
-pspDisabled: false
 
 images:
     droptailer: image-repository:image-tag

diff --git a/charts/internal/shoot-storageclasses/templates/storageclasses.yaml b/charts/internal/shoot-storageclasses/templates/storageclasses.yaml
@@ -140,43 +140,6 @@ kind: ServiceAccount
 metadata:
   name: csi-lvm-reviver
   namespace: csi-lvm
-{{- if not .Values.pspDisabled }}
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: csi-lvm-reviver-psp
-  namespace: csi-lvm
-spec:
-  allowPrivilegeEscalation: true
-  privileged: true
-  fsGroup:
-    rule: RunAsAny
-  privileged: true
-  runAsUser:
-    rule: RunAsAny
-  seLinux:
-    rule: RunAsAny
-  supplementalGroups:
-    rule: RunAsAny
-  volumes:
-  - '*'
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: csi-lvm-reviver-psp
-  namespace: csi-lvm
-rules:
-- apiGroups:
-  - extensions
-  resources:
-  - podsecuritypolicies
-  resourceNames:
-  - csi-lvm-reviver-psp
-  verbs:
-  - use
-{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -200,21 +163,6 @@ rules:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
-metadata:
-  name: csi-lvm-reviver-psp
-  namespace: csi-lvm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: csi-lvm-reviver-psp
-subjects:
-- apiGroup: ""
-  kind: ServiceAccount
-  name: csi-lvm-reviver
-  namespace: csi-lvm
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
 metadata:
   name: csi-lvm-reviver
   namespace: csi-lvm

diff --git a/charts/internal/shoot-storageclasses/values.yaml b/charts/internal/shoot-storageclasses/values.yaml
@@ -4,4 +4,3 @@ images:
     csi-lvm-provisioner: image-repository:image-tag
 
 isDefaultStorageClass: true
-pspDisabled: false
diff --git a/example/10-fake-shoot-controlplane.yaml b/example/10-fake-shoot-controlplane.yaml
@@ -129,7 +129,7 @@ spec:
       - command:
         - /hyperkube
         - apiserver
-        - --enable-admission-plugins=Priority,NamespaceLifecycle,LimitRanger,PodSecurityPolicy,ServiceAccount,NodeRestriction,DefaultStorageClass,Initializers,DefaultTolerationSeconds,ResourceQuota,StorageObjectInUseProtection,MutatingAdmissionWebhook,ValidatingAdmissionWebhook
+        - --enable-admission-plugins=Priority,NamespaceLifecycle,LimitRanger,ServiceAccount,NodeRestriction,DefaultStorageClass,Initializers,DefaultTolerationSeconds,ResourceQuota,StorageObjectInUseProtection,MutatingAdmissionWebhook,ValidatingAdmissionWebhook
         - --disable-admission-plugins=PersistentVolumeLabel
         - --allow-privileged=true
         - --anonymous-auth=false

diff --git a/example/controller-registration.yaml b/example/controller-registration.yaml
@@ -8,7 +8,7 @@ providerConfig:
   chart: H4sIAAAAAAAAA+0ca2/cNjKf9SsIuUXbQ6R9eO0EAnKoG7up7xJ7YfvSOxRFoJXoXcVaURUlO26a/37Dl0S9Vis7ddJGAwNeUZzhkJwZDodDLd3ExxFOLPwuxRENSGTFCbkOfCha49QNR4/uDWOAJ3t7/D9A9T//PdmdTaZ70/19Vj7Z3x3PHqG9+zfdDRlN3QShRwkh6aZ6Xe//orDsnP/nKzdJ7Vt3Hd61DTbB+7NZ6/xPd2fl+Z9C0fgRGn/MjrbBFz7/bhy8xgmbdwddTww3jvNHc2KPTcPH1EuCOOVFB+gnHK6Rx0QCXZIEpSuMXkgRQq+YvKC5FB+US5QRuWvsoE5RM65V02Mb2jY+9dh8CdCt/z7x7CW5Txtd+r+3+6Ri/5/MxnuD/j8EjEZL4iyZBLgpRnSFLA+Ztj2Cv2sc+SQZLYN0lS1sj6xHSliKHyvXuxopdMsjUZqQMATZSfAyoCmUgkTZQLYsVMhGX33ruSkSLb0+Ojs/Pj35Tj7id+46DvGojRxbi9Bz8XIeuhF2BNHj6DJxoVbmpVmiCn8myRVOxINpGKMRmgPP7hJLK4YjdxFiikrDkMUxkRZOFgbRkhs7jyQJ9lJU8IZKvBmxTv3zN2Hd+p9imAwYFXpnT7C3/zcd746ng//3ENBn/t+scBjDEm2ncS9fsMP+T6bT/cr8T/eng/1/EHj/3kI+vgwijEzmppnI+vDB6HbVGB6sD7y2oRMJ3QUOqQ2OpH2FbwU5/pAtcBJhkCM7ICPWVIlGC4lrN8wkT+/foyDywszPObWRRNzASB23yiCj4qCWGrJ93lK9F0EEwhN5mKPbZzjELsX2CTDXyFnOWrCGFUJwhhB7E1yilUvnCbx/h0y6cqd7+w40+5o1D02x+nbqLlGOESdBlF4i82v6/de0WjPBMaFBSpLbTSSgj7iJoHNngtBZrd/VCfFxHJLbNY5S6efnwkFHsPXQh+tTa8WXA33sP/g8l8Fy7cYWn/xr8INIYhGYzZskSHFrjKDL/5/t71bs/xNWNNj/BwBpfUpa/ZpP7KmaV2H7SmGCqyDyHeaCgzy8cmODSYrvpq4DlkBs9putdbPgSCQKrnODKeXFwsgIw+w0mHNG/g8oBFlO0YzVVuzwFumbspQ66A9GZGOvy+Q0o/app+yjwp30v2c0sEP/Z5NJ1f/bnewO+v8g8LEUO5eNP1WZRSu5CiMAy7L4f70jXHBtJcd2LtrUlgSU1NteSDIfvA83jFfuhBPKh0Du78VgZGJ/b1TspaTnhQHwCjUjMCJQTfQQ+K2UO7wUmPU8HLNyYCy9uI0x5UOV4N+yIME+Mjvo23UCKKA5vtnFXxO+ZJkPsirtyZWG2Y8dHTHn47e476gARr92GULe3iJLaNqzRY7Tr02BUl5SmqVq7Xor8JyP+Qqm+CwVcu1Jyf9YQGwjcuti1tzyJXTlxg3DY5iWJHJDsTMpmGh7v4GfVpKtrLGGdtCPx/99dQTDu4YVvIVbvEwwpYeYpkHEtTTns/5mA4cNZDbyhlPPVwpNwXWAgVaPTPNdSk+Uxay2BJi2RLHzmoUkAroLhjJIb7uxZUVNjF3vKosLTqi3wn4WtjMiEGxVT2fDx2HqnkduTFckneMkIH4XmQYURbEySH6WEFrwKQKxjfRVZzmGLSu2S29rddVU7CZpwGZY2PYNMlEmVcErxGMybZAP7lXOszCckzDwGqeyUqW9S3nFc+wlOIVOecTH/iHxrtQK9a/z05Na06K6GuQWrI2cdTf4d3WNvwjo4/8XAZx+G4DN/v9kMtmrnv/v7u4N5/8PArrbrCJxwgM+zGd7613An+L70xh7rOEEXweMz58CZpRvXwbrALy1MX8Tg/V0acmOycLnJItS0SgFXtgW35F+VOqtXm7Hx74goDRBEtAGhfv0UURS5WSolWbL8Eq+7K+wd0WztRZq40rYHDcpTcO3PICLvrIvJJf2DzDwczddIXOryJ35He+yCD4DDzpflZWthdWNW8M7MLsVWzC6LnCmRhiGKwk8teqfewkIeLQsLf4JgUornOUHEQ4yG+L3ZgsGZTQZTppkuKi0w+LcbhamSLLABiwmrJtBpB0XWwkIZLDGLdTZubPkp9yjOTuQ1rmqzYlSKlUhwukNSUCZa/vdlCguLBgeihMQBFD/MCQ32N8O3wcp74cRZwtQSEvW6Y2dBNcsxWArdPDjSZZ4MHh1QoBmgWtKUmqxw5xiAKzUi63ZbLeg3GEVnuZ+rbRQXC1gol3YdyX5RFhdJlMAV8zyzNfOXj58cGqvxQmMWabT4nUKjLjkb+b6TNZrUKRCfCw0anAOhDlawUY90WqWXQY9DwRoQpt6XUsaBOsyCPGzEewdRs1DIw3BSAv6VMmwVmKWAQLtvGMFXpYkMDdWgtkDNECflX1byVf+m2PbBeb5beRRfVxYSysMjv8Cu6mVL2/PNqxuTYhAG99YAdv8XsMIUcaf38pcjmdzvGOJdi6wqq0EpbyX/kNRxu8ajGAZEWiFxFiExKxi4WttgKOcKoyDHKFK+4Yn6/TvgcDr4vwGL0Dxr5T89ZzLCrY0Gsxe61zJWs/l9pFXkqa7RM0PKFugNFUpdU6+LqKQLBbxFlYTZD4222jJtpsI/SxftVCpuCnlJafUlnxlLcAIWq7vs5DJM6d1udrkQUgFCdNVOzXxvomR3DbJw2S907nVl+90XBxd6zZO2OaXRweHR2dvjl4ePb84Pj15c3Lw6uh8fvD8KK+JEE8F+BEWa0crZKEwHPpn+LJcKsuZR+PknqKdS9xd/UPF7/GrgxdHr4HZ07M3p6+Pzn4+O76o8eqgEU9C0w6/Ro2nYZsmKQyuYSQpnSdkgfU+rtI0flGEFgTEvL8jMWu/l19xx6ZzahmwSBTr5U8XF3PtRRAFaeCGhzh0b6UldNBknNdIsOsHvXllWLcPwuqeoTdA61KoLIywGhq53KmYVznbxtxwFzMlHgkddPF8Xo0w5c6SjpMXNsXGCow/UKQiYOOGCBiDaxJma/yKbcMauiyMqcbqmlUUatPtGtxXjdpOo5uYqamSVo/J0GkUgrPF9gTt6sTmJ/DwgecxwifdbuEOci8vmTDdOnkJEx//ALz3g4ZXKD+IOMxgi7U8F0Fd+HXM12BZfPQOe5l+ILUjx4W7ueeljbJ6yQeEbZqP3sXMTusb3aKGha7wbWs6VZ5wVcNDSDgU0Co6jhpec5PW0CBrcovkrTJaSmISkuXtvxmvZjmpa0VoyidC4ggBrrnzFQn01JGpbmS2PjFVILeQr4gPeLOpsm29xHs74e7Pb5eybOB9iA5/ttAn/gt2B9zJJOOXgRaZv8TbBYI773/MKvc/4MeT6RD/fQiQpmWZom9ZqKopevodmlRTwGIePhhdTxYgIipgPCf+YS4eP3Dx+Dwix7Cd/E/kXrtByLZCnDzNFp0dvnfE+K9g+vrof7JwvbtcBO3Qf9D6qv5PJ+Mng/4/BLD0KV2z+Ry7WboiSfC7uNJ09ZT7RUV2WAhjhpMzEuI++t1Hc5MsZB6XxbK6XiQki7n7ZSEtk6sc2TVKWxZWVaQjLDLvCqe0XjKCaU8z/QU0ngS4oaRclfITntKDXsETgyMftBhjQ4mO50eUhbkSv/qoVyoH6hrL9OoiKlb6XbwGD24hh4oZau78B1T8uGGWjv+K819ZDPOM61PSFmuvz4gIBft5aZkJ8x9mnbhHYAhkNo6Uwzpdvk5UqHmwJePeaa1X92xDlfNlSbyrBL+hKnvgSwfLGOQjXLeyeYi3eS7ahts0+T92VCtlUE1Qq+YKBH8d8D1b6baiXiEONO3SXmjnKm2jky/dtPI4gh2qGwa/KymE/UMktZHyvJJcK8RWSNaSB2dSFfJz6NrziHpuiCU5vrWm+oMr9tklxQTlw7UCFn6E/onyokbt1VuyED/AEy5+jGAnKQQ8S/lFURmU8fTEUVEddqSB31HHA7bIWo0wvzwTFG/lbHAHLNhKh2QioE3dmCtm4wwyzBqpHZFIazE/KrgMPNRmlmW1FKxmI3WV+1ca+JuAqUTf3ihSdr828yclcqqgLF1drat0sK7GebrYFvT8LRYyqKMvTcVjH1t+n5V0i6XpDgyApSJMfTfZFSCbglMegpap6sKSdI2r2J/UCTbsYNsXjj7LojBMIWYm+14e1Q/C3vxpjhU0IQ8r1JBt4NDIs+E1l6+DH9hZvYWVj5sJgXxeinp292ebjeCndpv/NtBn/yeX1d5bwI7933RvVs3/m+4P938eBhrv/0iN/fjRm1qO3DZJO5cJWbPMgNC3WCIQPztD3/zy3lTHWqZjXjyfm49N9s50tjse+/DrN/044IlDGPuWSACzQGzY8mHJbKESY1U+yofij6uc34kXdVq4iY+HGqB89i0VMpMcaDEzaLdy0lI6FwceBVETBqiGWGmPLWOAwPO4zF6cggdg8cUx57TIA4EhDFgWaeEbGeLQ6OL08NRBF6uAisWWbb8SAn41u/kDHiT4Q2AgfZ6IGBEUkmiJE2AHvHefZf+xD8dcZjy5Bp3xmyysaI1ciighEftf+7TO99cT+8ke+ywAWmAcgSfDNcq3+0mK8ISserd5mluTQN+J/kdTgrvEd1N+U036KMfsHL4I3G6X2ZsfyFvy8H822+XjUD4550eHfJR6HcR/ahu/Ce6w/stt9fZuQNf5z3Q2qaz/s+l4yP9/ENi0/iuP/ZMe4nzqAfqbQ7f+i8SL+3wAtEP/d8f7Vf0fz/aH858HAZF2ziMlKs3cQcuVlygHTYa5mnLBK5+EYmvj0kF8rWDb/FhLQj8Ib9xbahj6MauDJkYRn0HvPxiG5iI46On46dgoUu94wcQwtIxZ+UmA/ERF7CkqWcAi8a58TLKhYh6XF3Wa8q8dtMuyW8SRyqY229KeHXTphhQbRj3N10G//GpUknZ5mbGDmvJ+2GcQWFZTIO+D72gZQLGbUZFhzJMHDZH9JAb8TJ/u4guPhYOu/1yEZDFau8y9Gi2yIAQ3mpEeidugLI/fUMlnGlUhQ0tCliF+U9yLELiWu/b3ZxKNy425yz43KwryD8FO7MnEfvfX7tWk1ivzn89Yz6bihW3bhlHyHx1D5AqqhE/mjRo7O1CWsrMDyj9MKXXlMcL20kZU3XRa3CLu1BfXigBTKRYjDHTE5aj8opLC5S8NdRNb3Z2SSY2Gl7PW/FWLpm9awD6JqTurNHpLSaR0pfi+RGMN/uWHyVikkMnPMky4zpW/fsD0ovKFgMY7/6zeho8WiNfFdf7KPfXiKr8qUJfzBX+l+/b5bXtDZcXVb9AblSZKF+Hza/DCRIjC6oV1ZiwbrvocX55AI9B9zOOsjbfA2+6AG/lH/4T0YTkYysjLr6oM/tgAAwwwwAADDDDAAAMMMMAAAwwwwAADDDDAAAMMMMDnDf8HJasSEQB4AAA=
   values:
     image:
-      tag: v0.24.5
+      tag: v0.24.7
 ---
 apiVersion: core.gardener.cloud/v1beta1
 kind: ControllerRegistration