From d00508105bd1a95a15807386f514b1ecd301df19 Mon Sep 17 00:00:00 2001
From: yanggang <gang.yang@daocloud.io>
Date: Mon, 31 Oct 2022 11:08:44 +0800
Subject: [PATCH] Removed PodSecurityPolicy from ingress-nginx (#9448)

---
 .../ingress_nginx/tasks/main.yml              |  7 ---
 .../templates/psp-ingress-nginx.yml.j2        | 47 -------------------
 2 files changed, 54 deletions(-)
 delete mode 100644 roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/psp-ingress-nginx.yml.j2

diff --git a/roles/kubernetes-apps/ingress_controller/ingress_nginx/tasks/main.yml b/roles/kubernetes-apps/ingress_controller/ingress_nginx/tasks/main.yml
index d99b6c265..cc0ed71c3 100644
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/tasks/main.yml
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/tasks/main.yml
@@ -23,8 +23,6 @@
       - { name: role-ingress-nginx, file: role-ingress-nginx.yml, type: role }
       - { name: rolebinding-ingress-nginx, file: rolebinding-ingress-nginx.yml, type: rolebinding }
       - { name: ds-ingress-nginx-controller, file: ds-ingress-nginx-controller.yml, type: ds }
-    ingress_nginx_templates_for_psp:
-      - { name: psp-ingress-nginx, file: psp-ingress-nginx.yml, type: podsecuritypolicy }
     ingress_nginx_templates_for_webhook:
       - { name: admission-webhook-configuration, file: admission-webhook-configuration.yml, type: sa }
       - { name: sa-admission-webhook, file: sa-admission-webhook.yml, type: sa }
@@ -34,11 +32,6 @@
       - { name: rolebinding-admission-webhook, file: rolebinding-admission-webhook.yml, type: rolebinding }
       - { name: admission-webhook-job, file: admission-webhook-job.yml, type: job }
 
-- name: NGINX Ingress Controller | Append extra templates to NGINX Ingress Templates list for PodSecurityPolicy
-  set_fact:
-    ingress_nginx_templates: "{{ ingress_nginx_templates_for_psp + ingress_nginx_templates }}"
-  when: podsecuritypolicy_enabled
-
 - name: NGINX Ingress Controller | Append extra templates to NGINX Ingress Templates list for webhook
   set_fact:
     ingress_nginx_templates: "{{ ingress_nginx_templates + ingress_nginx_templates_for_webhook }}"
diff --git a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/psp-ingress-nginx.yml.j2 b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/psp-ingress-nginx.yml.j2
deleted file mode 100644
index 903f26808..000000000
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/psp-ingress-nginx.yml.j2
+++ /dev/null
@@ -1,47 +0,0 @@
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: ingress-nginx
-  annotations:
-    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'runtime/default'
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
-{% if apparmor_enabled %}
-    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
-    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
-{% endif %}
-  labels:
-    addonmanager.kubernetes.io/mode: Reconcile
-spec:
-  privileged: false
-  allowPrivilegeEscalation: true
-  allowedCapabilities:
-    - NET_BIND_SERVICE
-  volumes:
-    - 'configMap'
-    - 'emptyDir'
-    - 'projected'
-    - 'secret'
-    - 'downwardAPI'
-    - 'persistentVolumeClaim'
-  hostNetwork: {{ ingress_nginx_host_network|bool }}
-  hostPorts:
-  - min: 0
-    max: 65535
-  hostIPC: false
-  hostPID: false
-  runAsUser:
-    rule: 'MustRunAsNonRoot'
-  seLinux:
-    rule: 'RunAsAny'
-  supplementalGroups:
-    rule: 'MustRunAs'
-    ranges:
-      - min: 1
-        max: 65535
-  fsGroup:
-    rule: 'MustRunAs'
-    ranges:
-      - min: 1
-        max: 65535
-  readOnlyRootFilesystem: false