Remove PodSecurityPolicy in Installer

corneliusludmann · corneliusludmann · commit 1e392e384749 · 2025-06-04T13:38:16.000Z
diff --git a/installer/pkg/components/alertmanager/role.go b/installer/pkg/components/alertmanager/role.go
@@ -6,7 +6,6 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 
 	"github.com/gitpod-io/observability/installer/pkg/common"
-	"github.com/gitpod-io/observability/installer/pkg/components/shared"
 )
 
 func role(ctx *common.RenderContext) ([]runtime.Object, error) {
@@ -21,14 +20,7 @@ func role(ctx *common.RenderContext) ([]runtime.Object, error) {
 				Namespace: Namespace,
 				Labels:    common.Labels(Name, Component, App, Version),
 			},
-			Rules: []rbacv1.PolicyRule{
-				{
-					APIGroups:     []string{"policy"},
-					Resources:     []string{"podsecuritypolicies"},
-					Verbs:         []string{"use"},
-					ResourceNames: []string{shared.RestrictedPodsecurityPolicyName()},
-				},
-			},
+			Rules: []rbacv1.PolicyRule{},
 		},
 	}, nil
 }
diff --git a/installer/pkg/components/components.go b/installer/pkg/components/components.go
@@ -12,7 +12,6 @@ import (
 	"github.com/gitpod-io/observability/installer/pkg/components/prometheus"
 	prometheusoperator "github.com/gitpod-io/observability/installer/pkg/components/prometheus-operator"
 	"github.com/gitpod-io/observability/installer/pkg/components/pyrra"
-	"github.com/gitpod-io/observability/installer/pkg/components/shared"
 	"github.com/gitpod-io/observability/installer/pkg/components/werft"
 )
 
@@ -33,6 +32,5 @@ func MonitoringSatelliteObjects(ctx *common.RenderContext) common.RenderFunc {
 		gitpod.Objects(ctx),
 		certmanager.Objects(ctx),
 		kubernetes.Objects,
-		shared.Objects,
 	)
 }
diff --git a/installer/pkg/components/kubestate-metrics/clusterrole.go b/installer/pkg/components/kubestate-metrics/clusterrole.go
@@ -126,12 +126,6 @@ func clusterRole(ctx *common.RenderContext) ([]runtime.Object, error) {
 					Resources: []string{"subjectaccessreviews"},
 					Verbs:     []string{"create"},
 				},
-				{
-					APIGroups:     []string{"policy"},
-					Resources:     []string{"podsecuritypolicies"},
-					Verbs:         []string{"use"},
-					ResourceNames: []string{Name},
-				},
 			},
 		},
 	}, nil
diff --git a/installer/pkg/components/kubestate-metrics/objects.go b/installer/pkg/components/kubestate-metrics/objects.go
@@ -8,7 +8,6 @@ var Objects = common.CompositeRenderFunc(
 	clusterRole,
 	clusterRoleBinding,
 	deployment,
-	podsecuritypolicy,
 	service,
 	serviceAccount,
 	serviceMonitor,
diff --git a/installer/pkg/components/kubestate-metrics/podsecuritypolicy.go b/installer/pkg/components/kubestate-metrics/podsecuritypolicy.go
diff --git a/installer/pkg/components/node-exporter/clusterrole.go b/installer/pkg/components/node-exporter/clusterrole.go
@@ -30,12 +30,6 @@ func clusterRole(ctx *common.RenderContext) ([]runtime.Object, error) {
 					Resources: []string{"subjectaccessreviews"},
 					Verbs:     []string{"create"},
 				},
-				{
-					APIGroups:     []string{"policy"},
-					Resources:     []string{"podsecuritypolicies"},
-					Verbs:         []string{"use"},
-					ResourceNames: []string{Name},
-				},
 			},
 		},
 	}, nil
diff --git a/installer/pkg/components/node-exporter/objects.go b/installer/pkg/components/node-exporter/objects.go
@@ -8,7 +8,6 @@ var Objects = common.CompositeRenderFunc(
 	clusterRole,
 	clusterRoleBinding,
 	daemonset,
-	podsecuritypolicy,
 	service,
 	serviceAccount,
 	serviceMonitor,
diff --git a/installer/pkg/components/node-exporter/podsecuritypolicy.go b/installer/pkg/components/node-exporter/podsecuritypolicy.go
diff --git a/installer/pkg/components/otel-collector/clusterrole.go b/installer/pkg/components/otel-collector/clusterrole.go
@@ -19,14 +19,7 @@ func clusterRole(ctx *common.RenderContext) ([]runtime.Object, error) {
 				Name:   Name,
 				Labels: common.Labels(Name, Component, App, Version),
 			},
-			Rules: []rbacv1.PolicyRule{
-				{
-					APIGroups:     []string{"policy"},
-					Resources:     []string{"podsecuritypolicies"},
-					Verbs:         []string{"use"},
-					ResourceNames: []string{Name},
-				},
-			},
+			Rules: []rbacv1.PolicyRule{},
 		},
 	}, nil
 }
diff --git a/installer/pkg/components/otel-collector/objects.go b/installer/pkg/components/otel-collector/objects.go
@@ -21,7 +21,6 @@ func Objects(ctx *common.RenderContext) common.RenderFunc {
 			clusterRoleBinding,
 			configMap,
 			deployment,
-			podsecuritypolicy,
 			service,
 			serviceAccount,
 			serviceMonitor,
diff --git a/installer/pkg/components/otel-collector/podsecuritypolicy.go b/installer/pkg/components/otel-collector/podsecuritypolicy.go
diff --git a/installer/pkg/components/prometheus-operator/clusterrole.go b/installer/pkg/components/prometheus-operator/clusterrole.go
@@ -6,7 +6,6 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 
 	"github.com/gitpod-io/observability/installer/pkg/common"
-	"github.com/gitpod-io/observability/installer/pkg/components/shared"
 )
 
 func clusterRole(ctx *common.RenderContext) ([]runtime.Object, error) {
@@ -84,12 +83,12 @@ func clusterRole(ctx *common.RenderContext) ([]runtime.Object, error) {
 					Resources: []string{"subjectaccessreviews"},
 					Verbs:     []string{"create"},
 				},
-				{
-					APIGroups:     []string{"policy"},
-					Resources:     []string{"podsecuritypolicies"},
-					Verbs:         []string{"use"},
-					ResourceNames: []string{shared.RestrictedPodsecurityPolicyName()},
-				},
+				// {
+				// 	APIGroups:     []string{"policy"},
+				// 	Resources:     []string{"podsecuritypolicies"},
+				// 	Verbs:         []string{"use"},
+				// 	ResourceNames: []string{shared.RestrictedPodsecurityPolicyName()},
+				// },
 			},
 		},
 	}, nil
diff --git a/installer/pkg/components/prometheus/clusterrole.go b/installer/pkg/components/prometheus/clusterrole.go
@@ -6,7 +6,6 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 
 	"github.com/gitpod-io/observability/installer/pkg/common"
-	"github.com/gitpod-io/observability/installer/pkg/components/shared"
 )
 
 func clusterRole(ctx *common.RenderContext) ([]runtime.Object, error) {
@@ -40,12 +39,6 @@ func clusterRole(ctx *common.RenderContext) ([]runtime.Object, error) {
 
 					Verbs: []string{"get"},
 				},
-				{
-					APIGroups:     []string{"policy"},
-					Resources:     []string{"podsecuritypolicies"},
-					Verbs:         []string{"use"},
-					ResourceNames: []string{shared.RestrictedPodsecurityPolicyName()},
-				},
 			},
 		},
 	}, nil
diff --git a/installer/pkg/components/shared/objects.go b/installer/pkg/components/shared/objects.go
diff --git a/installer/pkg/components/shared/restrictedPodSecurityPolicy.go b/installer/pkg/components/shared/restrictedPodSecurityPolicy.go

Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,6 @@ import (`
`12`	`12`	`"github.com/gitpod-io/observability/installer/pkg/components/prometheus"`
`13`	`13`	`prometheusoperator "github.com/gitpod-io/observability/installer/pkg/components/prometheus-operator"`
`14`	`14`	`"github.com/gitpod-io/observability/installer/pkg/components/pyrra"`
`15`		`- "github.com/gitpod-io/observability/installer/pkg/components/shared"`
`16`	`15`	`"github.com/gitpod-io/observability/installer/pkg/components/werft"`
`17`	`16`	`)`
`18`	`17`
`@@ -33,6 +32,5 @@ func MonitoringSatelliteObjects(ctx *common.RenderContext) common.RenderFunc {`
`33`	`32`	`gitpod.Objects(ctx),`
`34`	`33`	`certmanager.Objects(ctx),`
`35`	`34`	`kubernetes.Objects,`
`36`		`- shared.Objects,`
`37`	`35`	`)`
`38`	`36`	`}`