From f1ac59e077b1e8991f074ec4739f9bf122155943 Mon Sep 17 00:00:00 2001
From: f41gh7
Date: Wed, 17 Apr 2024 19:10:33 +0200
Subject: [PATCH] operator/api: delete PodSecurityPolicy from spec

---
 api/v1beta1/vmagent_types.go | 11 ---
 api/v1beta1/vmalert_types.go | 11 ---
 api/v1beta1/vmalertmanager_types.go | 11 ---
 api/v1beta1/vmauth_types.go | 11 ---
 api/v1beta1/vmcluster_types.go | 11 ---
 api/v1beta1/vmsingle_types.go | 11 ---
 api/victoriametrics/v1beta1/vmagent_types.go | 11 ---
 api/victoriametrics/v1beta1/vmalert_types.go | 11 ---
 .../v1beta1/vmalertmanager_types.go | 11 ---
 api/victoriametrics/v1beta1/vmauth_types.go | 11 ---
 .../v1beta1/vmcluster_types.go | 11 ---
 api/victoriametrics/v1beta1/vmsingle_types.go | 11 ---
 api/victoriametrics/v1beta1/vmuser_types.go | 15 ++++
 .../v1beta1/zz_generated.deepcopy.go | 22 ++++++
 ...operator.victoriametrics.com_vmagents.yaml | 5 --
 ...r.victoriametrics.com_vmalertmanagers.yaml | 5 --
 ...operator.victoriametrics.com_vmalerts.yaml | 5 --
 .../operator.victoriametrics.com_vmauths.yaml | 5 --
 ...erator.victoriametrics.com_vmclusters.yaml | 5 --
 ...perator.victoriametrics.com_vmsingles.yaml | 5 --
 controllers/factory/finalize/common.go | 72 +------------------
 controllers/factory/finalize/vmagent.go | 4 --
 controllers/factory/finalize/vmalert.go | 4 --
 .../factory/finalize/vmalertmanager.go | 2 +-
 controllers/factory/finalize/vmauth.go | 2 +-
 controllers/factory/finalize/vmcluster.go | 3 -
 controllers/factory/finalize/vmsingle.go | 4 --
 internal/manager/manager.go | 3 +-
 28 files changed, 42 insertions(+), 251 deletions(-)

diff --git a/api/v1beta1/vmagent_types.go b/api/v1beta1/vmagent_types.go
index f53b7f44..be233873 100644
--- a/api/v1beta1/vmagent_types.go
+++ b/api/v1beta1/vmagent_types.go
@@ -113,10 +113,6 @@ type VMAgentSpec struct {
 // cannot be used with HostNetwork.
 // +optional
 HostAliases []v1.HostAlias `json:"host_aliases,omitempty"`
- // PodSecurityPolicyName - defines name for podSecurityPolicy
- // in case of empty value, prefixedName will be used.
- // +optional
- PodSecurityPolicyName string `json:"podSecurityPolicyName,omitempty"`
 // Containers property allows to inject additions sidecars or to patch existing containers.
 // It can be useful for proxies, backup, etc.
 // +optional
@@ -690,13 +686,6 @@ func (cr VMAgent) GetClusterRoleName() string {
 return fmt.Sprintf("monitoring:vmagent-cluster-access-%s", cr.Name)
 }

-func (cr VMAgent) GetPSPName() string {
- if cr.Spec.PodSecurityPolicyName == "" {
- return cr.PrefixedName()
- }
- return cr.Spec.PodSecurityPolicyName
-}
-
 func (cr VMAgent) GetNSName() string {
 return cr.GetNamespace()
 }
diff --git a/api/v1beta1/vmalert_types.go b/api/v1beta1/vmalert_types.go
index 8951c695..8aa2462f 100644
--- a/api/v1beta1/vmalert_types.go
+++ b/api/v1beta1/vmalert_types.go
@@ -111,10 +111,6 @@ type VMAlertSpec struct {
 // https://kubernetes.io/docs/concepts/containers/runtime-class/
 // +optional
 RuntimeClassName *string `json:"runtimeClassName,omitempty"`
- // PodSecurityPolicyName - defines name for podSecurityPolicy
- // in case of empty value, prefixedName will be used.
- // +optional
- PodSecurityPolicyName string `json:"podSecurityPolicyName,omitempty"`
 // Containers property allows to inject additions sidecars or to patch existing containers.
 // It can be useful for proxies, backup, etc.
 // +optional
@@ -508,13 +504,6 @@ func (cr VMAlert) IsOwnsServiceAccount() bool {
 return cr.Spec.ServiceAccountName == ""
 }

-func (cr VMAlert) GetPSPName() string {
- if cr.Spec.PodSecurityPolicyName == "" {
- return cr.PrefixedName()
- }
- return cr.Spec.PodSecurityPolicyName
-}
-
 func (cr VMAlert) GetNSName() string {
 return cr.GetNamespace()
 }
diff --git a/api/v1beta1/vmalertmanager_types.go b/api/v1beta1/vmalertmanager_types.go
index 1f643ee1..fb8e2258 100644
--- a/api/v1beta1/vmalertmanager_types.go
+++ b/api/v1beta1/vmalertmanager_types.go
@@ -178,10 +178,6 @@ type VMAlertmanagerSpec struct {
 // https://kubernetes.io/docs/concepts/containers/runtime-class/
 // +optional
 RuntimeClassName *string `json:"runtimeClassName,omitempty"`
- // PodSecurityPolicyName - defines name for podSecurityPolicy
- // in case of empty value, prefixedName will be used.
- // +optional
- PodSecurityPolicyName string `json:"podSecurityPolicyName,omitempty"`
 // ListenLocal makes the VMAlertmanager server listen on loopback, so that it
 // does not bind against the Pod IP. Note this is only for the VMAlertmanager
 // UI, not the gossip communication.
@@ -408,13 +404,6 @@ func (cr VMAlertmanager) IsOwnsServiceAccount() bool {
 return cr.Spec.ServiceAccountName == ""
 }

-func (cr VMAlertmanager) GetPSPName() string {
- if cr.Spec.PodSecurityPolicyName == "" {
- return cr.PrefixedName()
- }
- return cr.Spec.PodSecurityPolicyName
-}
-
 func (cr VMAlertmanager) GetNSName() string {
 return cr.GetNamespace()
 }
diff --git a/api/v1beta1/vmauth_types.go b/api/v1beta1/vmauth_types.go
index 7074f00a..b3315e91 100644
--- a/api/v1beta1/vmauth_types.go
+++ b/api/v1beta1/vmauth_types.go
@@ -97,10 +97,6 @@ type VMAuthSpec struct {
 // https://kubernetes.io/docs/concepts/containers/runtime-class/
 // +optional
 RuntimeClassName *string `json:"runtimeClassName,omitempty"`
- // PodSecurityPolicyName - defines name for podSecurityPolicy
- // in case of empty value, prefixedName will be used.
- // +optional
- PodSecurityPolicyName string `json:"podSecurityPolicyName,omitempty"`
 // HostAliases provides mapping for ip and hostname,
 // that would be propagated to pod,
 // cannot be used with HostNetwork.
@@ -432,13 +428,6 @@ func (cr VMAuth) IsOwnsServiceAccount() bool {
 return cr.Spec.ServiceAccountName == ""
 }

-func (cr VMAuth) GetPSPName() string {
- if cr.Spec.PodSecurityPolicyName == "" {
- return cr.PrefixedName()
- }
- return cr.Spec.PodSecurityPolicyName
-}
-
 func (cr VMAuth) GetNSName() string {
 return cr.GetNamespace()
 }
diff --git a/api/v1beta1/vmcluster_types.go b/api/v1beta1/vmcluster_types.go
index 17354090..b4565cc7 100644
--- a/api/v1beta1/vmcluster_types.go
+++ b/api/v1beta1/vmcluster_types.go
@@ -32,10 +32,6 @@ type VMClusterSpec struct {
 // distinct storage nodes
 // +optional
 ReplicationFactor *int32 `json:"replicationFactor,omitempty"`
- // PodSecurityPolicyName - defines name for podSecurityPolicy
- // in case of empty value, prefixedName will be used.
- // +optional
- PodSecurityPolicyName string `json:"podSecurityPolicyName,omitempty"`
 // ServiceAccountName is the name of the ServiceAccount to use to run the
 // VMSelect, VMStorage and VMInsert Pods.
@@ -1040,13 +1036,6 @@ func (cr VMCluster) PrefixedName() string {
 return fmt.Sprintf("vmcluster-%s", cr.Name)
 }

-func (cr VMCluster) GetPSPName() string {
- if cr.Spec.PodSecurityPolicyName == "" {
- return cr.PrefixedName()
- }
- return cr.Spec.PodSecurityPolicyName
-}
-
 func (cr VMCluster) SelectorLabels() map[string]string {
 return map[string]string{
 "app.kubernetes.io/name": "vmcluster",
diff --git a/api/v1beta1/vmsingle_types.go b/api/v1beta1/vmsingle_types.go
index e9337ba1..25766417 100644
--- a/api/v1beta1/vmsingle_types.go
+++ b/api/v1beta1/vmsingle_types.go
@@ -111,10 +111,6 @@ type VMSingleSpec struct {
 // https://kubernetes.io/docs/concepts/containers/runtime-class/
 // +optional
 RuntimeClassName *string `json:"runtimeClassName,omitempty"`
- // PodSecurityPolicyName - defines name for podSecurityPolicy
- // in case of empty value, prefixedName will be used.
- // +optional
- PodSecurityPolicyName string `json:"podSecurityPolicyName,omitempty"`
 // HostAliases provides mapping for ip and hostname,
 // that would be propagated to pod,
 // cannot be used with HostNetwork.
@@ -369,13 +365,6 @@ func (cr VMSingle) IsOwnsServiceAccount() bool {
 return cr.Spec.ServiceAccountName == ""
 }

-func (cr VMSingle) GetPSPName() string {
- if cr.Spec.PodSecurityPolicyName == "" {
- return cr.PrefixedName()
- }
- return cr.Spec.PodSecurityPolicyName
-}
-
 func (cr VMSingle) GetNSName() string {
 return cr.GetNamespace()
 }
diff --git a/api/victoriametrics/v1beta1/vmagent_types.go b/api/victoriametrics/v1beta1/vmagent_types.go
index f53b7f44..be233873 100644
--- a/api/victoriametrics/v1beta1/vmagent_types.go
+++ b/api/victoriametrics/v1beta1/vmagent_types.go
@@ -113,10 +113,6 @@ type VMAgentSpec struct {
 // cannot be used with HostNetwork.
 // +optional
 HostAliases []v1.HostAlias `json:"host_aliases,omitempty"`
- // PodSecurityPolicyName - defines name for podSecurityPolicy
- // in case of empty value, prefixedName will be used.
- // +optional
- PodSecurityPolicyName string `json:"podSecurityPolicyName,omitempty"`
 // Containers property allows to inject additions sidecars or to patch existing containers.
 // It can be useful for proxies, backup, etc.
 // +optional
@@ -690,13 +686,6 @@ func (cr VMAgent) GetClusterRoleName() string {
 return fmt.Sprintf("monitoring:vmagent-cluster-access-%s", cr.Name)
 }

-func (cr VMAgent) GetPSPName() string {
- if cr.Spec.PodSecurityPolicyName == "" {
- return cr.PrefixedName()
- }
- return cr.Spec.PodSecurityPolicyName
-}
-
 func (cr VMAgent) GetNSName() string {
 return cr.GetNamespace()
 }
diff --git a/api/victoriametrics/v1beta1/vmalert_types.go b/api/victoriametrics/v1beta1/vmalert_types.go
index 8951c695..8aa2462f 100644
--- a/api/victoriametrics/v1beta1/vmalert_types.go
+++ b/api/victoriametrics/v1beta1/vmalert_types.go
@@ -111,10 +111,6 @@ type VMAlertSpec struct {
 // https://kubernetes.io/docs/concepts/containers/runtime-class/
 // +optional
 RuntimeClassName *string `json:"runtimeClassName,omitempty"`
- // PodSecurityPolicyName - defines name for podSecurityPolicy
- // in case of empty value, prefixedName will be used.
- // +optional
- PodSecurityPolicyName string `json:"podSecurityPolicyName,omitempty"`
 // Containers property allows to inject additions sidecars or to patch existing containers.
 // It can be useful for proxies, backup, etc.
 // +optional
@@ -508,13 +504,6 @@ func (cr VMAlert) IsOwnsServiceAccount() bool {
 return cr.Spec.ServiceAccountName == ""
 }

-func (cr VMAlert) GetPSPName() string {
- if cr.Spec.PodSecurityPolicyName == "" {
- return cr.PrefixedName()
- }
- return cr.Spec.PodSecurityPolicyName
-}
-
 func (cr VMAlert) GetNSName() string {
 return cr.GetNamespace()
 }
diff --git a/api/victoriametrics/v1beta1/vmalertmanager_types.go b/api/victoriametrics/v1beta1/vmalertmanager_types.go
index 1f643ee1..fb8e2258 100644
--- a/api/victoriametrics/v1beta1/vmalertmanager_types.go
+++ b/api/victoriametrics/v1beta1/vmalertmanager_types.go
@@ -178,10 +178,6 @@ type VMAlertmanagerSpec struct {
 // https://kubernetes.io/docs/concepts/containers/runtime-class/
 // +optional
 RuntimeClassName *string `json:"runtimeClassName,omitempty"`
- // PodSecurityPolicyName - defines name for podSecurityPolicy
- // in case of empty value, prefixedName will be used.
- // +optional
- PodSecurityPolicyName string `json:"podSecurityPolicyName,omitempty"`
 // ListenLocal makes the VMAlertmanager server listen on loopback, so that it
 // does not bind against the Pod IP. Note this is only for the VMAlertmanager
 // UI, not the gossip communication.
@@ -408,13 +404,6 @@ func (cr VMAlertmanager) IsOwnsServiceAccount() bool {
 return cr.Spec.ServiceAccountName == ""
 }

-func (cr VMAlertmanager) GetPSPName() string {
- if cr.Spec.PodSecurityPolicyName == "" {
- return cr.PrefixedName()
- }
- return cr.Spec.PodSecurityPolicyName
-}
-
 func (cr VMAlertmanager) GetNSName() string {
 return cr.GetNamespace()
 }
diff --git a/api/victoriametrics/v1beta1/vmauth_types.go b/api/victoriametrics/v1beta1/vmauth_types.go
index 7074f00a..b3315e91 100644
--- a/api/victoriametrics/v1beta1/vmauth_types.go
+++ b/api/victoriametrics/v1beta1/vmauth_types.go
@@ -97,10 +97,6 @@ type VMAuthSpec struct {
 // https://kubernetes.io/docs/concepts/containers/runtime-class/
 // +optional
 RuntimeClassName *string `json:"runtimeClassName,omitempty"`
- // PodSecurityPolicyName - defines name for podSecurityPolicy
- // in case of empty value, prefixedName will be used.
- // +optional
- PodSecurityPolicyName string `json:"podSecurityPolicyName,omitempty"`
 // HostAliases provides mapping for ip and hostname,
 // that would be propagated to pod,
 // cannot be used with HostNetwork.
@@ -432,13 +428,6 @@ func (cr VMAuth) IsOwnsServiceAccount() bool {
 return cr.Spec.ServiceAccountName == ""
 }

-func (cr VMAuth) GetPSPName() string {
- if cr.Spec.PodSecurityPolicyName == "" {
- return cr.PrefixedName()
- }
- return cr.Spec.PodSecurityPolicyName
-}
-
 func (cr VMAuth) GetNSName() string {
 return cr.GetNamespace()
 }
diff --git a/api/victoriametrics/v1beta1/vmcluster_types.go b/api/victoriametrics/v1beta1/vmcluster_types.go
index 17354090..b4565cc7 100644
--- a/api/victoriametrics/v1beta1/vmcluster_types.go
+++ b/api/victoriametrics/v1beta1/vmcluster_types.go
@@ -32,10 +32,6 @@ type VMClusterSpec struct {
 // distinct storage nodes
 // +optional
 ReplicationFactor *int32 `json:"replicationFactor,omitempty"`
- // PodSecurityPolicyName - defines name for podSecurityPolicy
- // in case of empty value, prefixedName will be used.
- // +optional
- PodSecurityPolicyName string `json:"podSecurityPolicyName,omitempty"`
 // ServiceAccountName is the name of the ServiceAccount to use to run the
 // VMSelect, VMStorage and VMInsert Pods.
@@ -1040,13 +1036,6 @@ func (cr VMCluster) PrefixedName() string {
 return fmt.Sprintf("vmcluster-%s", cr.Name)
 }

-func (cr VMCluster) GetPSPName() string {
- if cr.Spec.PodSecurityPolicyName == "" {
- return cr.PrefixedName()
- }
- return cr.Spec.PodSecurityPolicyName
-}
-
 func (cr VMCluster) SelectorLabels() map[string]string {
 return map[string]string{
 "app.kubernetes.io/name": "vmcluster",
diff --git a/api/victoriametrics/v1beta1/vmsingle_types.go b/api/victoriametrics/v1beta1/vmsingle_types.go
index e9337ba1..25766417 100644
--- a/api/victoriametrics/v1beta1/vmsingle_types.go
+++ b/api/victoriametrics/v1beta1/vmsingle_types.go
@@ -111,10 +111,6 @@ type VMSingleSpec struct {
 // https://kubernetes.io/docs/concepts/containers/runtime-class/
 // +optional
 RuntimeClassName *string `json:"runtimeClassName,omitempty"`
- // PodSecurityPolicyName - defines name for podSecurityPolicy
- // in case of empty value, prefixedName will be used.
- // +optional
- PodSecurityPolicyName string `json:"podSecurityPolicyName,omitempty"`
 // HostAliases provides mapping for ip and hostname,
 // that would be propagated to pod,
 // cannot be used with HostNetwork.
@@ -369,13 +365,6 @@ func (cr VMSingle) IsOwnsServiceAccount() bool {
 return cr.Spec.ServiceAccountName == ""
 }

-func (cr VMSingle) GetPSPName() string {
- if cr.Spec.PodSecurityPolicyName == "" {
- return cr.PrefixedName()
- }
- return cr.Spec.PodSecurityPolicyName
-}
-
 func (cr VMSingle) GetNSName() string {
 return cr.GetNamespace()
 }
diff --git a/api/victoriametrics/v1beta1/vmuser_types.go b/api/victoriametrics/v1beta1/vmuser_types.go
index 1eeefd7b..ddd68075 100644
--- a/api/victoriametrics/v1beta1/vmuser_types.go
+++ b/api/victoriametrics/v1beta1/vmuser_types.go
@@ -150,6 +150,9 @@ type TargetRef struct {
 // See https://docs.victoriametrics.com/vmauth.html#dropping-request-path-prefix for more details.
 // +optional
 DropSrcPathPrefixParts *int `json:"drop_src_path_prefix_parts,omitempty"`
+ // TargetRefBasicAuth allow an target endpoint to authenticate over basic authentication
+ // +optional
+ TargetRefBasicAuth *TargetRefBasicAuth `json:"targetRefBasicAuth,omitempty"`
 }

 // VMUserIPFilters defines filters for IP addresses
@@ -191,6 +194,18 @@ type StaticRef struct {
 URLs []string `json:"urls,omitempty"`
 }

+// TargetRefBasicAuth target basic authentication
+type TargetRefBasicAuth struct {
+ // The secret in the service scrape namespace that contains the username
+ // for authentication.
+ // It must be at them same namespace as CRD
+ Username v1.SecretKeySelector `json:"username"`
+ // The secret in the service scrape namespace that contains the password
+ // for authentication.
+ // It must be at them same namespace as CRD
+ Password v1.SecretKeySelector `json:"password"`
+}
+
 // VMUserStatus defines the observed state of VMUser
 type VMUserStatus struct{}
diff --git a/api/victoriametrics/v1beta1/zz_generated.deepcopy.go b/api/victoriametrics/v1beta1/zz_generated.deepcopy.go
index 206fc0c5..e009a041 100644
--- a/api/victoriametrics/v1beta1/zz_generated.deepcopy.go
+++ b/api/victoriametrics/v1beta1/zz_generated.deepcopy.go
@@ -2741,6 +2741,11 @@ func (in *TargetRef) DeepCopyInto(out *TargetRef) {
 *out = new(int)
 **out = **in
 }
+ if in.TargetRefBasicAuth != nil {
+ in, out := &in.TargetRefBasicAuth, &out.TargetRefBasicAuth
+ *out = new(TargetRefBasicAuth)
+ (*in).DeepCopyInto(*out)
+ }
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TargetRef.
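Review bot: The new TargetRefBasicAuth type and the TargetRef field that carries it fall outside this commit's stated scope (dropping PodSecurityPolicy) and, unlike every other API change in the patch, touch only api/victoriametrics/v1beta1: the sibling api/v1beta1/vmuser_types.go and a vmusers CRD manifest are absent from the diffstat, so the two API trees and the generated schema appear out of sync unless they are regenerated in a follow-up. The doc comments also carry copy-paste wording from scrape-config types; suggested: `// TargetRefBasicAuth allows a target endpoint to authenticate over basic authentication` on the field, `// TargetRefBasicAuth defines basic-auth credentials for a TargetRef.` on the struct, and on Username `// Username references the Secret key that holds the basic-auth username.` followed by `// The Secret must be in the same namespace as the VMUser.` (same shape for Password), in place of "the service scrape namespace" and "at them same namespace as CRD". Stating the namespace constraint precisely matters here because these are credential references and users need to know which Secret the operator will resolve.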
@@ -2753,6 +2758,23 @@ func (in *TargetRef) DeepCopy() *TargetRef { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TargetRefBasicAuth) DeepCopyInto(out *TargetRefBasicAuth) { + *out = *in + in.Username.DeepCopyInto(&out.Username) + in.Password.DeepCopyInto(&out.Password) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TargetRefBasicAuth. +func (in *TargetRefBasicAuth) DeepCopy() *TargetRefBasicAuth { + if in == nil { + return nil + } + out := new(TargetRefBasicAuth) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TelegramConfig) DeepCopyInto(out *TelegramConfig) { *out = *in diff --git a/config/crd/bases/operator.victoriametrics.com_vmagents.yaml b/config/crd/bases/operator.victoriametrics.com_vmagents.yaml index ae0ff886..8160ee7b 100644 --- a/config/crd/bases/operator.victoriametrics.com_vmagents.yaml +++ b/config/crd/bases/operator.victoriametrics.com_vmagents.yaml @@ -1478,11 +1478,6 @@ spec: type: object type: object x-kubernetes-map-type: atomic - podSecurityPolicyName: - description: |- - PodSecurityPolicyName - defines name for podSecurityPolicy - in case of empty value, prefixedName will be used. - type: string port: description: Port listen address type: string diff --git a/config/crd/bases/operator.victoriametrics.com_vmalertmanagers.yaml b/config/crd/bases/operator.victoriametrics.com_vmalertmanagers.yaml index a0369812..b6613ed6 100644 --- a/config/crd/bases/operator.victoriametrics.com_vmalertmanagers.yaml +++ b/config/crd/bases/operator.victoriametrics.com_vmalertmanagers.yaml 
@@ -787,11 +787,6 @@ spec: More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names type: string type: object - podSecurityPolicyName: - description: |- - PodSecurityPolicyName - defines name for podSecurityPolicy - in case of empty value, prefixedName will be used. - type: string portName: description: |- PortName used for the pods and governing service. diff --git a/config/crd/bases/operator.victoriametrics.com_vmalerts.yaml b/config/crd/bases/operator.victoriametrics.com_vmalerts.yaml index 912eec25..f3553572 100644 --- a/config/crd/bases/operator.victoriametrics.com_vmalerts.yaml +++ b/config/crd/bases/operator.victoriametrics.com_vmalerts.yaml @@ -1124,11 +1124,6 @@ spec: More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names type: string type: object - podSecurityPolicyName: - description: |- - PodSecurityPolicyName - defines name for podSecurityPolicy - in case of empty value, prefixedName will be used. - type: string port: description: Port for listen type: string diff --git a/config/crd/bases/operator.victoriametrics.com_vmauths.yaml b/config/crd/bases/operator.victoriametrics.com_vmauths.yaml index aeb79453..016dedcd 100644 --- a/config/crd/bases/operator.victoriametrics.com_vmauths.yaml +++ b/config/crd/bases/operator.victoriametrics.com_vmauths.yaml @@ -593,11 +593,6 @@ spec: More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names type: string type: object - podSecurityPolicyName: - description: |- - PodSecurityPolicyName - defines name for podSecurityPolicy - in case of empty value, prefixedName will be used. - type: string port: description: Port listen port type: string diff --git a/config/crd/bases/operator.victoriametrics.com_vmclusters.yaml b/config/crd/bases/operator.victoriametrics.com_vmclusters.yaml index a52ade8e..f9245f78 100644 --- a/config/crd/bases/operator.victoriametrics.com_vmclusters.yaml 
+++ b/config/crd/bases/operator.victoriametrics.com_vmclusters.yaml @@ -120,11 +120,6 @@ spec: type: object x-kubernetes-map-type: atomic type: object - podSecurityPolicyName: - description: |- - PodSecurityPolicyName - defines name for podSecurityPolicy - in case of empty value, prefixedName will be used. - type: string replicationFactor: description: |- ReplicationFactor defines how many copies of data make among diff --git a/config/crd/bases/operator.victoriametrics.com_vmsingles.yaml b/config/crd/bases/operator.victoriametrics.com_vmsingles.yaml index a6a64116..694b3828 100644 --- a/config/crd/bases/operator.victoriametrics.com_vmsingles.yaml +++ b/config/crd/bases/operator.victoriametrics.com_vmsingles.yaml @@ -329,11 +329,6 @@ spec: More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names type: string type: object - podSecurityPolicyName: - description: |- - PodSecurityPolicyName - defines name for podSecurityPolicy - in case of empty value, prefixedName will be used. - type: string port: description: Port listen port type: string diff --git a/controllers/factory/finalize/common.go b/controllers/factory/finalize/common.go index 5fe6cdd4..8a8b7167 100644 --- a/controllers/factory/finalize/common.go +++ b/controllers/factory/finalize/common.go @@ -4,12 +4,8 @@ import ( "context" victoriametricsv1beta1 "github.com/VictoriaMetrics/operator/api/v1beta1" - "github.com/VictoriaMetrics/operator/controllers/factory/k8stools" - "github.com/VictoriaMetrics/operator/internal/config" v12 "k8s.io/api/core/v1" policyv1 "k8s.io/api/policy/v1" - "k8s.io/api/policy/v1beta1" - policyv1beta1 "k8s.io/api/policy/v1beta1" v1 "k8s.io/api/rbac/v1" "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -23,7 +19,6 @@ type crdObject interface { PrefixedName() string GetServiceAccountName() string IsOwnsServiceAccount() bool - GetPSPName() string GetNSName() string } 
@@ -80,75 +75,12 @@ func deleteSA(ctx context.Context, rclient client.Client, crd crdObject) error {
 return SafeDelete(ctx, rclient, &v12.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Namespace: crd.GetNSName(), Name: crd.GetServiceAccountName()}})
 }

-// DeletePSPChain - removes psp, cluster role and cluster role binding,
-// on finalize request for given CRD
-func DeletePSPChain(ctx context.Context, rclient client.Client, crd crdObject) error {
- if k8stools.IsPSPSupported() {
- if err := ensurePSPRemoved(ctx, rclient, crd); err != nil {
- return err
- }
- }
-
- if err := ensureCRBRemoved(ctx, rclient, crd); err != nil {
- return err
- }
- return ensureCRRemoved(ctx, rclient, crd)
-}
-
-func ensurePSPRemoved(ctx context.Context, rclient client.Client, crd crdObject) error {
- return SafeDelete(ctx, rclient, &v1beta1.PodSecurityPolicy{ObjectMeta: metav1.ObjectMeta{
- Name: crd.GetPSPName(),
- }})
-}
-
-func ensureCRRemoved(ctx context.Context, rclient client.Client, crd crdObject) error {
- return SafeDelete(ctx, rclient, &v1.ClusterRole{ObjectMeta: metav1.ObjectMeta{Name: crd.PrefixedName()}})
-}
-
-func ensureCRBRemoved(ctx context.Context, rclient client.Client, crd crdObject) error {
- return SafeDelete(ctx, rclient, &v1.ClusterRoleBinding{ObjectMeta: metav1.ObjectMeta{Name: crd.PrefixedName()}})
-}
-
-func finalizePsp(ctx context.Context, rclient client.Client, crd crdObject) error {
- // check sa
- if err := deleteSA(ctx, rclient, crd); err != nil {
- return err
- }
- // fast path, cluster wide permissions is missing
- if !config.IsClusterWideAccessAllowed() {
- return nil
- }
- // check binding
- if err := removeFinalizeObjByName(ctx, rclient, &v1.ClusterRoleBinding{}, crd.PrefixedName(), crd.GetNSName()); err != nil {
- return err
- }
- // check role
- if err := removeFinalizeObjByName(ctx, rclient, &v1.ClusterRole{}, crd.PrefixedName(), crd.GetNSName()); err != nil {
- return err
- }
-
- // check psp
- if k8stools.IsPSPSupported() {
- if err := removeFinalizeObjByName(ctx, rclient, &v1beta1.PodSecurityPolicy{}, crd.GetPSPName(), crd.GetNSName()); err != nil {
- return err
- }
- }
-
- return DeletePSPChain(ctx, rclient, crd)
-}
-
 func finalizePBD(ctx context.Context, rclient client.Client, crd crdObject) error {
- if k8stools.IsPDBV1APISupported() {
- return removeFinalizeObjByName(ctx, rclient, &policyv1.PodDisruptionBudget{}, crd.PrefixedName(), crd.GetNSName())
- }
- return removeFinalizeObjByName(ctx, rclient, &policyv1beta1.PodDisruptionBudget{}, crd.PrefixedName(), crd.GetNSName())
+ return removeFinalizeObjByName(ctx, rclient, &policyv1.PodDisruptionBudget{}, crd.PrefixedName(), crd.GetNSName())
 }

 func finalizePBDWithName(ctx context.Context, rclient client.Client, ns, name string) error {
- if k8stools.IsPDBV1APISupported() {
- return removeFinalizeObjByName(ctx, rclient, &policyv1.PodDisruptionBudget{}, name, ns)
- }
- return removeFinalizeObjByName(ctx, rclient, &policyv1beta1.PodDisruptionBudget{}, name, ns)
+ return removeFinalizeObjByName(ctx, rclient, &policyv1.PodDisruptionBudget{}, name, ns)
 }

 func removeConfigReloaderRole(ctx context.Context, rclient client.Client, crd crdObject) error {
diff --git a/controllers/factory/finalize/vmagent.go b/controllers/factory/finalize/vmagent.go
index f4da3ff5..daf3367d 100644
--- a/controllers/factory/finalize/vmagent.go
+++ b/controllers/factory/finalize/vmagent.go
@@ -102,10 +102,6 @@ func OnVMAgentDelete(ctx context.Context, rclient client.Client, crd *victoriame
 }
 }
 }
-
- if err := finalizePsp(ctx, rclient, crd); err != nil {
- return err
- }
 // remove from self.
 if err := removeFinalizeObjByName(ctx, rclient, crd, crd.Name, crd.Namespace); err != nil {
 return err
diff --git a/controllers/factory/finalize/vmalert.go b/controllers/factory/finalize/vmalert.go
index 64d24b69..e52e0185 100644
--- a/controllers/factory/finalize/vmalert.go
+++ b/controllers/factory/finalize/vmalert.go
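Review bot: Removing finalizePsp and DeletePSPChain also removes the only path that stripped the operator finalizer from, and then deleted, the ClusterRole and ClusterRoleBinding named crd.PrefixedName() when cluster-wide access was allowed; if earlier operator releases created those objects to grant PSP use, upgraded clusters will keep them after the owning CR is deleted, with the finalizer still set, so they cannot be removed without manual intervention. The same consequence follows from the finalize/vmagent.go, vmalert.go, vmalertmanager.go, vmauth.go, vmcluster.go and vmsingle.go hunks, which drop or replace the finalizePsp call. A transitional cleanup that keeps the `removeFinalizeObjByName` calls on `&v1.ClusterRoleBinding{}` and `&v1.ClusterRole{}` (plus their SafeDelete) for one release, or a documented manual step in the changelog, would avoid orphaned cluster-scoped RBAC objects. Separately, finalizePBD now duplicates finalizePBDWithName and could simply read `return finalizePBDWithName(ctx, rclient, crd.GetNSName(), crd.PrefixedName())`.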
@@ -41,10 +41,6 @@ func OnVMAlertDelete(ctx context.Context, rclient client.Client, crd *victoriame
 if err := finalizePBD(ctx, rclient, crd); err != nil {
 return err
 }
-
- if err := finalizePsp(ctx, rclient, crd); err != nil {
- return err
- }
 if err := deleteSA(ctx, rclient, crd); err != nil {
 return err
 }
diff --git a/controllers/factory/finalize/vmalertmanager.go b/controllers/factory/finalize/vmalertmanager.go
index 7521136c..ccf5b8e3 100644
--- a/controllers/factory/finalize/vmalertmanager.go
+++ b/controllers/factory/finalize/vmalertmanager.go
@@ -41,7 +41,7 @@ func OnVMAlertManagerDelete(ctx context.Context, rclient client.Client, crd *vic
 return err
 }
- if err := finalizePsp(ctx, rclient, crd); err != nil {
+ if err := deleteSA(ctx, rclient, crd); err != nil {
 return err
 }
 if err := removeConfigReloaderRole(ctx, rclient, crd); err != nil {
diff --git a/controllers/factory/finalize/vmauth.go b/controllers/factory/finalize/vmauth.go
index 9b485618..e80ace10 100644
--- a/controllers/factory/finalize/vmauth.go
+++ b/controllers/factory/finalize/vmauth.go
@@ -60,7 +60,7 @@ func OnVMAuthDelete(ctx context.Context, rclient client.Client, crd *victoriamet
 return err
 }
- if err := finalizePsp(ctx, rclient, crd); err != nil {
+ if err := deleteSA(ctx, rclient, crd); err != nil {
 return err
 }
 if err := removeConfigReloaderRole(ctx, rclient, crd); err != nil {
diff --git a/controllers/factory/finalize/vmcluster.go b/controllers/factory/finalize/vmcluster.go
index 0f08eba4..e6eea04d 100644
--- a/controllers/factory/finalize/vmcluster.go
+++ b/controllers/factory/finalize/vmcluster.go
@@ -100,9 +100,6 @@ func OnVMClusterDelete(ctx context.Context, rclient client.Client, crd *victoria
 return err
 }
 }
- if err := finalizePsp(ctx, rclient, crd); err != nil {
- return err
- }
 if err := deleteSA(ctx, rclient, crd); err != nil {
 return err
diff --git a/controllers/factory/finalize/vmsingle.go b/controllers/factory/finalize/vmsingle.go
index bdff27dd..8b615c4f 100644
--- a/controllers/factory/finalize/vmsingle.go
+++ b/controllers/factory/finalize/vmsingle.go
@@ -32,10 +32,6 @@ func OnVMSingleDelete(ctx context.Context, rclient client.Client, crd *victoriam
 if err := removeFinalizeObjByName(ctx, rclient, &v1.ConfigMap{}, crd.StreamAggrConfigName(), crd.Namespace); err != nil {
 return err
 }
-
- if err := finalizePsp(ctx, rclient, crd); err != nil {
- return err
- }
 if err := deleteSA(ctx, rclient, crd); err != nil {
 return err
 }
diff --git a/internal/manager/manager.go b/internal/manager/manager.go
index dd20533b..b4eb1d2e 100644
--- a/internal/manager/manager.go
+++ b/internal/manager/manager.go
@@ -22,7 +22,6 @@ import (
 "github.com/prometheus/client_golang/prometheus"
 "github.com/spf13/pflag"
 v1 "k8s.io/api/core/v1"
- "k8s.io/api/policy/v1beta1"
 metav1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 "k8s.io/apimachinery/pkg/runtime"
 utilruntime "k8s.io/apimachinery/pkg/util/runtime"
@@ -157,7 +156,7 @@ func RunManager(ctx context.Context) error {
 Client: client.Options{
 Cache: &client.CacheOptions{DisableFor: []client.Object{
 &v1.Secret{}, &v1.ConfigMap{}, &v1.Pod{},
- &v1beta1.PodSecurityPolicy{}, &v1beta1.PodDisruptionBudget{}, &v1.Namespace{},
+ &v1.Namespace{},
 }},
 },
 })
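Review bot: The `DisableFor` list loses `&v1beta1.PodDisruptionBudget{}` without gaining a policy/v1 equivalent, so unless that type is already listed on a line outside the hunk, PodDisruptionBudget reads now go through the informer cache while the finalize code in this same patch switches to the policy/v1 type; that typically implies a list/watch on poddisruptionbudgets across the watched namespaces and cache memory for every PDB, which the previous uncached configuration avoided. If uncached access for PDBs was deliberate, as the old entry suggests, add `&policyv1.PodDisruptionBudget{}` to the list and import `policyv1 "k8s.io/api/policy/v1"` in place of the removed v1beta1 import. RunManager continues outside the hunk.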