Remove unused PodSecurityPolicy feature (#17176)

Author: aledbf

components/ws-manager-mk2/controllers/create.go

@@ -369,7 +369,6 @@ func createDefiniteWorkspacePod(sctx *startWorkspaceContext) (*corev1.Pod, error
 			Affinity:                     affinity,
 			SecurityContext: &corev1.PodSecurityContext{
 				// We're using a custom seccomp profile for user namespaces to allow clone, mount and chroot.
-				// Those syscalls don't make much sense in a non-userns setting, where we default to runtime/default using the PodSecurityPolicy.
 				SeccompProfile: &corev1.SeccompProfile{
 					Type:             corev1.SeccompProfileTypeLocalhost,
 					LocalhostProfile: pointer.String(sctx.Config.SeccompProfile),

components/ws-manager/cmd/integrationtest-objs.go

@@ -45,7 +45,6 @@ func init() {
 
 var desiredObjTypes = []string{
 	"ServiceAccount",
-	"PodSecurityPolicy",
 }
 
 func getIntegrationTestPrerequisiteObjects(out io.Writer, namespace, gpHelmChartPath, version string) error {

components/ws-manager/pkg/manager/create.go

@@ -495,7 +495,6 @@ func (m *Manager) createDefiniteWorkspacePod(startContext *startWorkspaceContext
 			Affinity:                     affinity,
 			SecurityContext: &corev1.PodSecurityContext{
 				// We're using a custom seccomp profile for user namespaces to allow clone, mount and chroot.
-				// Those syscalls don't make much sense in a non-userns setting, where we default to runtime/default using the PodSecurityPolicy.
 				SeccompProfile: &corev1.SeccompProfile{
 					Type:             corev1.SeccompProfileTypeLocalhost,
 					LocalhostProfile: pointer.String(m.Config.SeccompProfile),

install/installer/pkg/common/common.go

@@ -723,10 +723,6 @@ var (
 		APIVersion: "v1",
 		Kind:       "Secret",
 	}
-	TypeMetaPodSecurityPolicy = metav1.TypeMeta{
-		APIVersion: "policy/v1beta1",
-		Kind:       "PodSecurityPolicy",
-	}
 	TypeMetaResourceQuota = metav1.TypeMeta{
 		APIVersion: "v1",
 		Kind:       "ResourceQuota",

install/installer/pkg/common/display.go

@@ -25,7 +25,6 @@ var sortOrder = []string{
 	"Issuer",
 	"Certificate",
 	"LimitRange",
-	"PodSecurityPolicy",
 	"PodDisruptionBudget",
 	"ServiceAccount",
 	"Secret",

install/installer/pkg/components/agent-smith/role.go

@@ -5,10 +5,7 @@
 package agentsmith
 
 import (
-	"fmt"
-
 	"github.com/gitpod-io/gitpod/installer/pkg/common"
-	"github.com/gitpod-io/gitpod/installer/pkg/config/v1/experimental"
 
 	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -18,18 +15,6 @@ import (
 func role(ctx *common.RenderContext) ([]runtime.Object, error) {
 	var rules []rbacv1.PolicyRule
 
-	_ = ctx.WithExperimental(func(cfg *experimental.Config) error {
-		if cfg.Common != nil && cfg.Common.UsePodSecurityPolicies {
-			rules = append(rules, rbacv1.PolicyRule{
-				APIGroups:     []string{"policy"},
-				Resources:     []string{"podsecuritypolicies"},
-				Verbs:         []string{"use"},
-				ResourceNames: []string{fmt.Sprintf("%s-ns-privileged-unconfined", ctx.Namespace)},
-			})
-		}
-		return nil
-	})
-
 	return []runtime.Object{
 		&rbacv1.Role{
 			TypeMeta: common.TypeMetaRole,

install/installer/pkg/components/cluster/clusterrole.go

@@ -8,7 +8,6 @@ import (
 	"fmt"
 
 	"github.com/gitpod-io/gitpod/installer/pkg/common"
-	"github.com/gitpod-io/gitpod/installer/pkg/config/v1/experimental"
 	v1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -36,55 +35,5 @@ func clusterrole(ctx *common.RenderContext) ([]runtime.Object, error) {
 		},
 	}
 
-	_ = ctx.WithExperimental(func(cfg *experimental.Config) error {
-		if cfg.Common != nil && cfg.Common.UsePodSecurityPolicies {
-			resources = append(resources,
-				&v1.ClusterRole{
-					TypeMeta: common.TypeMetaClusterRole,
-					ObjectMeta: metav1.ObjectMeta{
-						Name: fmt.Sprintf("%s-ns-psp:privileged", ctx.Namespace),
-					},
-					Rules: []v1.PolicyRule{
-						{
-							APIGroups:     []string{"policy"},
-							Resources:     []string{"podsecuritypolicies"},
-							Verbs:         []string{"use"},
-							ResourceNames: []string{fmt.Sprintf("%s-ns-privileged", ctx.Namespace)},
-						},
-					},
-				},
-				&v1.ClusterRole{
-					TypeMeta: common.TypeMetaClusterRole,
-					ObjectMeta: metav1.ObjectMeta{
-						Name: fmt.Sprintf("%s-ns-psp:restricted-root-user", ctx.Namespace),
-					},
-					Rules: []v1.PolicyRule{
-						{
-							APIGroups:     []string{"policy"},
-							Resources:     []string{"podsecuritypolicies"},
-							Verbs:         []string{"use"},
-							ResourceNames: []string{fmt.Sprintf("%s-ns-restricted-root-user", ctx.Namespace)},
-						},
-					},
-				},
-				&v1.ClusterRole{
-					TypeMeta: common.TypeMetaClusterRole,
-					ObjectMeta: metav1.ObjectMeta{
-						Name: fmt.Sprintf("%s-ns-psp:unprivileged", ctx.Namespace),
-					},
-					Rules: []v1.PolicyRule{
-						{
-							APIGroups:     []string{"policy"},
-							Resources:     []string{"podsecuritypolicies"},
-							Verbs:         []string{"use"},
-							ResourceNames: []string{fmt.Sprintf("%s-ns-unprivileged", ctx.Namespace)},
-						},
-					},
-				},
-			)
-		}
-		return nil
-	})
-
 	return resources, nil
 }

install/installer/pkg/components/cluster/objects.go

@@ -12,7 +12,6 @@ import "github.com/gitpod-io/gitpod/installer/pkg/common"
 var Objects = common.CompositeRenderFunc(
 	certmanager,
 	clusterrole,
-	podsecuritypolicies,
 	resourcequota,
 	rolebinding,
 	common.DefaultServiceAccount(NobodyComponent),

install/installer/pkg/components/cluster/podsecuritypolicies.go

@@ -23,7 +23,6 @@ var Objects common.RenderFunc = func(cfg *common.RenderContext) ([]runtime.Objec
 	}
 
 	return common.CompositeRenderFunc(
-		clusterrole,
 		configmap,
 		deployment,
 		networkpolicy,