feat(kubernetes-admin): remove PodSecurityPolicy

kubernetes-admin/templates/podsecuritypolicy.yaml

@@ -1,58 +1,60 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: taito-restricted
-  annotations:
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
-    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
-    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
-    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
-spec:
-  privileged: false
-  # Required to prevent escalations to root.
-  allowPrivilegeEscalation: false
-  # This is redundant with non-root + disallow privilege escalation,
-  # but we can provide it for defense in depth.
-  requiredDropCapabilities:
-    - ALL
-  # Allow core volume types.
-  volumes:
-    - 'configMap'
-    - 'emptyDir'
-    - 'projected'
-    - 'secret'
-    - 'downwardAPI'
-    # Assume that persistentVolumes set up by the cluster admin are safe to use.
-    - 'persistentVolumeClaim'
-  hostNetwork: false
-  hostIPC: false
-  hostPID: false
-  runAsUser:
-    # Require the container to run without root privileges.
-    rule: 'MustRunAsNonRoot'
-  seLinux:
-    # This policy assumes the nodes are using AppArmor rather than SELinux.
-    rule: 'RunAsAny'
-  supplementalGroups:
-    rule: 'MustRunAs'
-    ranges:
-      # Forbid adding the root group.
-      - min: 1
-        max: 65535
-  fsGroup:
-    rule: 'MustRunAs'
-    ranges:
-      # Forbid adding the root group.
-      - min: 1
-        max: 65535
-  readOnlyRootFilesystem: false
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: taito-restricted-pod
-rules:
-  - apiGroups:      ['policy']
-    resources:      ['podsecuritypolicies']
-    verbs:          ['use']
-    resourceNames:  ['restricted']
+# TODO: Implement Pod Security Admission as PodSecurityPolicy was removed on Kubernetes v1.25.
+
+# apiVersion: policy/v1beta1
+# kind: PodSecurityPolicy
+# metadata:
+#   name: taito-restricted
+#   annotations:
+#     seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+#     apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
+#     seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
+#     apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
+# spec:
+#   privileged: false
+#   # Required to prevent escalations to root.
+#   allowPrivilegeEscalation: false
+#   # This is redundant with non-root + disallow privilege escalation,
+#   # but we can provide it for defense in depth.
+#   requiredDropCapabilities:
+#     - ALL
+#   # Allow core volume types.
+#   volumes:
+#     - 'configMap'
+#     - 'emptyDir'
+#     - 'projected'
+#     - 'secret'
+#     - 'downwardAPI'
+#     # Assume that persistentVolumes set up by the cluster admin are safe to use.
+#     - 'persistentVolumeClaim'
+#   hostNetwork: false
+#   hostIPC: false
+#   hostPID: false
+#   runAsUser:
+#     # Require the container to run without root privileges.
+#     rule: 'MustRunAsNonRoot'
+#   seLinux:
+#     # This policy assumes the nodes are using AppArmor rather than SELinux.
+#     rule: 'RunAsAny'
+#   supplementalGroups:
+#     rule: 'MustRunAs'
+#     ranges:
+#       # Forbid adding the root group.
+#       - min: 1
+#         max: 65535
+#   fsGroup:
+#     rule: 'MustRunAs'
+#     ranges:
+#       # Forbid adding the root group.
+#       - min: 1
+#         max: 65535
+#   readOnlyRootFilesystem: false
+# ---
+# apiVersion: rbac.authorization.k8s.io/v1
+# kind: ClusterRole
+# metadata:
+#   name: taito-restricted-pod
+# rules:
+#   - apiGroups:      ['policy']
+#     resources:      ['podsecuritypolicies']
+#     verbs:          ['use']
+#     resourceNames:  ['restricted']