Merge pull request #1188 from snyk/feat/remove-psp

ivanstanev · web-flow · commit e26ad5c87a9b · 2022-10-26T10:15:32.000+01:00
feat: remove pod security policy as it is deprecated by Kubernetes
diff --git a/snyk-monitor/README.md b/snyk-monitor/README.md
@@ -220,21 +220,6 @@ For example, run the following for first-time setup:
 And run the following for subsequent upgrades:
 `--set pvc.enabled=true`
 
-## PodSecurityPolicies
-**This should not be used when installing on OpenShift.**
-
-Using PodSecurityPolicies can be achieved by setting the following values in the Helm chart:
-* psp.enabled - default is `false`. Set to `true` if PodSecurityPolicy is needed
-* psp.name - default is empty. Leave it empty if you want us to install the necessary PodSecurityPolicy. Modify it to specify an existing PodSecurityPolicy rather than creating a new one.
-
-For example:
-```shell
-helm upgrade --install snyk-monitor snyk-charts/snyk-monitor \
-  --namespace snyk-monitor \
-  --set clusterName="Production cluster" \
-  --set psp.enabled=true
-```
-
 ## Configuring excluded namespaces ##
 
 By default, `snyk-monitor` does not scan containers that are internal to Kubernetes, in the following namespaces:
diff --git a/snyk-monitor/templates/clusterrole.yaml b/snyk-monitor/templates/clusterrole.yaml
@@ -69,16 +69,4 @@ rules:
   - get
   - list
   - watch
-{{- if .Values.psp.enabled }}
-- apiGroups:
-  - policy
-  resources:
-  - podsecuritypolicies
-  verbs:
-  - get
-  - list
-  - use
-  resourceNames:
-  - {{ if eq .Values.psp.name "" }}{{ include "snyk-monitor.name" . }}{{ else }}{{ .Values.psp.name }}{{- end }}
-{{- end }}
 {{- end }}
diff --git a/snyk-monitor/templates/psp.yaml b/snyk-monitor/templates/psp.yaml
diff --git a/snyk-monitor/templates/role.yaml b/snyk-monitor/templates/role.yaml
@@ -69,16 +69,4 @@ rules:
   - get
   - list
   - watch
-{{- if .Values.psp.enabled }}
-- apiGroups:
-  - policy
-  resources:
-  - podsecuritypolicies
-  verbs:
-  - get
-  - list
-  - use
-  resourceNames:
-  - {{ if eq .Values.psp.name "" }}{{ include "snyk-monitor.name" . }}{{ else }}{{ .Values.psp.name }}{{- end }}
-{{- end }}
 {{- end }}
diff --git a/snyk-monitor/values.yaml b/snyk-monitor/values.yaml
@@ -113,10 +113,6 @@ networkPolicy:
   egress:
   - {}
 
-psp:
-  enabled: false
-  name: ""
-
 # Override the excluded namespaces
 excludedNamespaces:
 
diff --git a/snyk-operator-certified/helm-charts/snyk-monitor/README.md b/snyk-operator-certified/helm-charts/snyk-monitor/README.md
@@ -171,21 +171,6 @@ For example, run the following for first-time setup:
 And run the following for subsequent upgrades:
 `--set pvc.enabled=true`
 
-## PodSecurityPolicies
-**This should not be used when installing on OpenShift.**
-
-Using PodSecurityPolicies can be achieved by setting the following values in the Helm chart:
-* psp.enabled - default is `false`. Set to `true` if PodSecurityPolicy is needed
-* psp.name - default is empty. Leave it empty if you want us to install the necessary PodSecurityPolicy. Modify it to specify an existing PodSecurityPolicy rather than creating a new one.
-
-For example:
-```shell
-helm upgrade --install snyk-monitor snyk-charts/snyk-monitor \
-  --namespace snyk-monitor \
-  --set clusterName="Production cluster" \
-  --set psp.enabled=true
-```
-
 ## Configuring excluded namespaces ##
 
 By default, `snyk-monitor` does not scan containers that are internal to Kubernetes, in the following namespaces:
diff --git a/snyk-operator-certified/helm-charts/snyk-monitor/values.yaml b/snyk-operator-certified/helm-charts/snyk-monitor/values.yaml
@@ -91,9 +91,5 @@ log_level:
 
 nodeSelector: {}
 
-psp:
-  enabled: false
-  name: ""
-
 # Override the excluded namespaces
 excludedNamespaces:
diff --git a/test/helpers/kubectl.ts b/test/helpers/kubectl.ts
@@ -343,16 +343,3 @@ async function getLatestStableK8sRelease(): Promise<string> {
   console.log(`The latest stable K8s release is ${k8sRelease}`);
   return k8sRelease;
 }
-
-export async function verifyPodSecurityPolicy(name: string): Promise<boolean> {
-  console.log(`Trying to find Pod Security Policy ${name}`);
-  for (let attempt = 0; attempt < 60; attempt++) {
-    try {
-      await exec(`./kubectl get podsecuritypolicy ${name}`);
-      return true;
-    } catch (err) {
-      await sleep(500);
-    }
-  }
-  return false;
-}
diff --git a/test/integration/kubernetes.spec.ts b/test/integration/kubernetes.spec.ts
@@ -732,18 +732,6 @@ test('snyk-monitor has nodeSelector', async () => {
   );
 });
 
-test('snyk-monitor has PodSecurityPolicy', async () => {
-  if (process.env['DEPLOYMENT_TYPE'] !== 'Helm') {
-    console.log(
-      "Not testing PodSecurityPolicy because we're not installing with Helm",
-    );
-    return;
-  }
-
-  const pspExists = await kubectl.verifyPodSecurityPolicy('snyk-monitor');
-  expect(pspExists).toBeTruthy();
-});
-
 test('snyk-monitor secure configuration is as expected', async () => {
   const kubeConfig = new KubeConfig();
   kubeConfig.loadFromDefault();
diff --git a/test/setup/deployers/helm.ts b/test/setup/deployers/helm.ts
@@ -31,7 +31,6 @@ async function deployKubernetesMonitor(
       `--set image.pullPolicy=${imagePullPolicy} ` +
       '--set integrationApi=https://kubernetes-upstream.dev.snyk.io ' +
       '--set nodeSelector."kubernetes\\.io/os"=linux ' +
-      '--set psp.enabled=true ' +
       '--set pvc.enabled=true ' +
       '--set pvc.create=true ' +
       '--set log_level="INFO" ' +
