diff --git a/.ci/clusters/values-psp.yaml b/.ci/clusters/values-psp.yaml deleted file mode 100644 index 493455e..0000000 --- a/.ci/clusters/values-psp.yaml +++ /dev/null @@ -1,22 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. -# - -rbac: - enabled: true - psp: true diff --git a/.github/workflows/pulsar-helm-chart-ci.yaml b/.github/workflows/pulsar-helm-chart-ci.yaml index 13aade0..86a70e8 100644 --- a/.github/workflows/pulsar-helm-chart-ci.yaml +++ b/.github/workflows/pulsar-helm-chart-ci.yaml @@ -131,7 +131,7 @@ jobs: --validate-maintainers=false \ --target-branch ${{ github.event.repository.default_branch }} - - name: Run kubeconform check for helm template with every major k8s version 1.23.0-1.32.0 + - name: Run kubeconform check for helm template with every major k8s version 1.25.0-1.32.0 if: ${{ steps.check_changes.outputs.docs_only != 'true' }} run: | PULSAR_CHART_HOME=$(pwd) 
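Review bot: The new lower bound 1.25 is now a literal in this step name and again in the `{25..32}` loop of the `@@ -155` hunk, while the chart declares the same floor a third time in `charts/pulsar/Chart.yaml` (`kubeVersion: ">=1.25.0-0"`); three hand-edited copies will drift the next time the floor moves, and a drift means kubeconform validates against versions the chart does not claim to support, or skips ones it does. Deriving the start of the range from Chart.yaml inside the `run:` script keeps the check honest, e.g. `min_minor=$(sed -n 's/^kubeVersion: *">=1\.\([0-9]*\)\..*/\1/p' charts/pulsar/Chart.yaml)` followed by `for k8s_version_part in $(seq "$min_minor" 32); do`. The step name would then stop hard-coding the bounds as well. The `run:` script of this step continues outside the hunk.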
@@ -155,7 +155,7 @@ jobs: kubeconform -schema-location default -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json' -strict -kubernetes-version $kube_version -summary } set -o pipefail - for k8s_version_part in {23..32}; do + for k8s_version_part in {25..32}; do k8s_version="1.${k8s_version_part}.0" echo "Validating default values with k8s version $k8s_version" validate_helm_template_with_k8s_version $k8s_version @@ -190,8 +190,8 @@ jobs: # see https://github.com/kubernetes-sigs/kind/releases/tag/v0.27.0 for the list of supported k8s versions for kind 0.27.0 # docker images are available at https://hub.docker.com/r/kindest/node/tags k8sVersion: - - version: "1.23.17" - kind_image_tag: v1.23.17@sha256:14d0a9a892b943866d7e6be119a06871291c517d279aedb816a4b4bc0ec0a5b3 + - version: "1.25.16" + kind_image_tag: v1.25.16@sha256:6110314339b3b44d10da7d27881849a87e092124afab5956f2e10ecdb463b025 - version: "1.32.2" kind_image_tag: v1.32.2@sha256:f226345927d7e348497136874b6d207e0b32cc52154ad8323129352923a3142f testScenario: @@ -223,9 +223,6 @@ jobs: - name: ZK & BK TLS Only values_file: .ci/clusters/values-zkbk-tls.yaml shortname: zkbk-tls - - name: PSP - values_file: .ci/clusters/values-psp.yaml - shortname: psp - name: Pulsar Manager values_file: .ci/clusters/values-pulsar-manager.yaml shortname: pulsar-manager 
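Review bot: The `1.25.16` version/digest pair introduced here is repeated verbatim three more times in the `include:` entries of the `@@ -234` and `@@ -259` hunks, so the next bump of the oldest tested release has to touch four places, and a partial edit would leave an upgrade scenario silently running on a different Kubernetes version than the main matrix. The digest pin itself is the right call, since a retagged `kindest/node` image cannot be swapped under the workflow. Consider generating the matrix in a preceding job from one declared list, or at least placing `# keep in sync with the include: entries below` above `k8sVersion:` so the duplication is visible to the next editor. Kubernetes 1.25 is also past upstream end of life, so the oldest release this matrix exercises no longer receives patches; if that is intended it is worth stating next to the README requirement. The matrix definition continues past the end of this hunk.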
@@ -234,24 +231,16 @@ jobs: shortname: oxia include: - k8sVersion: - version: "1.23.17" - kind_image_tag: v1.23.17@sha256:14d0a9a892b943866d7e6be119a06871291c517d279aedb816a4b4bc0ec0a5b3 + version: "1.25.16" + kind_image_tag: v1.25.16@sha256:6110314339b3b44d10da7d27881849a87e092124afab5956f2e10ecdb463b025 testScenario: name: "Upgrade TLS" values_file: .ci/clusters/values-tls.yaml shortname: tls type: upgrade - k8sVersion: - version: "1.23.17" - kind_image_tag: v1.23.17@sha256:14d0a9a892b943866d7e6be119a06871291c517d279aedb816a4b4bc0ec0a5b3 - testScenario: - name: "Upgrade PSP" - values_file: .ci/clusters/values-psp.yaml - shortname: psp - type: upgrade - - k8sVersion: - version: "1.23.17" - kind_image_tag: v1.23.17@sha256:14d0a9a892b943866d7e6be119a06871291c517d279aedb816a4b4bc0ec0a5b3 + version: "1.25.16" + kind_image_tag: v1.25.16@sha256:6110314339b3b44d10da7d27881849a87e092124afab5956f2e10ecdb463b025 testScenario: name: "Upgrade kube-prometheus-stack for previous LTS" values_file: .ci/clusters/values-prometheus-grafana.yaml --values .ci/clusters/values-pulsar-previous-lts.yaml @@ -259,8 +248,8 @@ jobs: type: upgrade upgradeFromVersion: 3.2.0 - k8sVersion: - version: "1.23.17" - kind_image_tag: v1.23.17@sha256:14d0a9a892b943866d7e6be119a06871291c517d279aedb816a4b4bc0ec0a5b3 + version: "1.25.16" + kind_image_tag: v1.25.16@sha256:6110314339b3b44d10da7d27881849a87e092124afab5956f2e10ecdb463b025 testScenario: name: "TLS with helm 3.12.0" values_file: .ci/clusters/values-tls.yaml diff --git a/README.md b/README.md index 1124401..20b68b1 100644 --- a/README.md +++ b/README.md 
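Review bot: Dropping the `Upgrade PSP` scenario leaves no test of the migration path for an existing release that was installed with `rbac.psp: true`: after this change the value is simply ignored, because the key no longer exists in values.yaml and the page shows no values schema or `fail` guard rejecting it. Depending on the Helm version, an upgrade of such a release either removes the PodSecurityPolicy/Role/RoleBinding objects without telling the operator that the setting did nothing, or fails on the stale `policy/v1beta1` manifest stored in the release, which is exactly what an upgrade scenario from a PSP-era chart version (the `upgradeFromVersion:` mechanism already used in this matrix) would catch. A template guard such as `{{- if .Values.rbac.psp }}{{ fail "rbac.psp was removed: PodSecurityPolicy does not exist on Kubernetes 1.25+; use Pod Security Admission instead" }}{{- end }}` turns the silent ignore into a visible error at upgrade time. If the silent ignore is intended, the chart's upgrade notes should say so. The `include:` list continues outside the hunk.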
@@ -177,9 +177,9 @@ It includes support for: In order to use this chart to deploy Apache Pulsar on Kubernetes, the followings are required. -1. kubectl 1.23 or higher, compatible with your cluster ([+/- 1 minor release from your cluster](https://kubernetes.io/docs/tasks/tools/install-kubectl/#before-you-begin)) +1. kubectl 1.25 or higher, compatible with your cluster ([+/- 1 minor release from your cluster](https://kubernetes.io/docs/tasks/tools/install-kubectl/#before-you-begin)) 2. Helm v3 (3.12.0 or higher) -3. A Kubernetes cluster, version 1.23 or higher. +3. A Kubernetes cluster, version 1.25 or higher. ## Environment setup @@ -200,7 +200,7 @@ helm repo update ## Kubernetes cluster preparation -You need a Kubernetes cluster whose version is 1.23 or higher in order to use this chart, due to the usage of certain Kubernetes features. +You need a Kubernetes cluster whose version is 1.25 or higher in order to use this chart, due to the usage of certain Kubernetes features. We provide some instructions to guide you through the preparation: http://pulsar.apache.org/docs/helm-prepare/ diff --git a/charts/pulsar/Chart.yaml b/charts/pulsar/Chart.yaml index 9d96741..1cd0cd4 100644 --- a/charts/pulsar/Chart.yaml +++ b/charts/pulsar/Chart.yaml @@ -22,7 +22,7 @@ appVersion: "4.0.3" description: Apache Pulsar Helm chart for Kubernetes name: pulsar version: 4.0.0 -kubeVersion: ">=1.23.0-0" +kubeVersion: ">=1.25.0-0" home: https://pulsar.apache.org sources: - https://github.com/apache/pulsar diff --git a/charts/pulsar/templates/autorecovery-psp.yaml b/charts/pulsar/templates/autorecovery-psp.yaml deleted file mode 100644 index d089f39..0000000 --- a/charts/pulsar/templates/autorecovery-psp.yaml +++ /dev/null 
@@ -1,85 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. -# - -{{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}" - namespace: {{ template "pulsar.namespace" . }} -rules: - - apiGroups: - - policy - resourceNames: - - "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}" - resources: - - podsecuritypolicies - verbs: - - use ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}" - namespace: {{ template "pulsar.namespace" . }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}" -subjects: -- kind: ServiceAccount - name: "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}" - namespace: {{ template "pulsar.namespace" . }} ---- - -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: -{{- if .Values.rbac.limit_to_namespace }} - name: "{{ template "pulsar.fullname" . 
}}-{{ .Values.autorecovery.component }}-{{ template "pulsar.namespace" . }}" -{{- else}} - name: "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}" -{{- end}} -spec: - readOnlyRootFilesystem: false - privileged: false - allowPrivilegeEscalation: false - runAsUser: - rule: 'RunAsAny' - supplementalGroups: - ranges: - - max: 65535 - min: 1 - rule: MustRunAs - fsGroup: - rule: 'MustRunAs' - ranges: - - min: 1 - max: 65535 - seLinux: - rule: 'RunAsAny' - volumes: - - configMap - - emptyDir - - projected - - secret - - downwardAPI - - persistentVolumeClaim -{{- end }} diff --git a/charts/pulsar/templates/autorecovery-statefulset.yaml b/charts/pulsar/templates/autorecovery-statefulset.yaml index 3d8e6cf..7d01f93 100644 --- a/charts/pulsar/templates/autorecovery-statefulset.yaml +++ b/charts/pulsar/templates/autorecovery-statefulset.yaml @@ -140,10 +140,6 @@ spec: resources: {{ toYaml .Values.autorecovery.resources | indent 10 }} {{- end }} - {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }} - securityContext: - readOnlyRootFilesystem: false - {{- end}} command: ["sh", "-c"] args: - | diff --git a/charts/pulsar/templates/bookkeeper-cluster-initialize.yaml b/charts/pulsar/templates/bookkeeper-cluster-initialize.yaml index c4ecbfb..8b9885c 100755 --- a/charts/pulsar/templates/bookkeeper-cluster-initialize.yaml +++ b/charts/pulsar/templates/bookkeeper-cluster-initialize.yaml @@ -101,10 +101,6 @@ spec: {{- if .Values.extraInitCommand }} {{ .Values.extraInitCommand }} {{- end }} - {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }} - securityContext: - readOnlyRootFilesystem: false - {{- end }} envFrom: - configMapRef: name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}" 
diff --git a/charts/pulsar/templates/bookkeeper-psp.yaml b/charts/pulsar/templates/bookkeeper-psp.yaml
deleted file mode 100644
index ed7c6e6..0000000
--- a/charts/pulsar/templates/bookkeeper-psp.yaml
+++ /dev/null
@@ -1,85 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. -# - -{{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}" - namespace: {{ template "pulsar.namespace" . }} -rules: - - apiGroups: - - policy - resourceNames: - - "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}" - resources: - - podsecuritypolicies - verbs: - - use ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}" - namespace: {{ template "pulsar.namespace" . }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}" -subjects: -- kind: ServiceAccount - name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}" - namespace: {{ template "pulsar.namespace" . }} ---- - -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: -{{- if .Values.rbac.limit_to_namespace }} - name: "{{ template "pulsar.fullname" . 
}}-{{ .Values.bookkeeper.component }}-{{ template "pulsar.namespace" . }}" -{{- else}} - name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}" -{{- end}} -spec: - readOnlyRootFilesystem: false - privileged: false - allowPrivilegeEscalation: false - runAsUser: - rule: 'RunAsAny' - supplementalGroups: - ranges: - - max: 65535 - min: 1 - rule: MustRunAs - fsGroup: - rule: 'MustRunAs' - ranges: - - min: 1 - max: 65535 - seLinux: - rule: 'RunAsAny' - volumes: - - configMap - - emptyDir - - projected - - secret - - downwardAPI - - persistentVolumeClaim - {{- end}} diff --git a/charts/pulsar/templates/bookkeeper-statefulset.yaml b/charts/pulsar/templates/bookkeeper-statefulset.yaml index 43189c2..03c6ad0 100644 --- a/charts/pulsar/templates/bookkeeper-statefulset.yaml +++ b/charts/pulsar/templates/bookkeeper-statefulset.yaml @@ -128,10 +128,6 @@ spec: envFrom: - configMapRef: name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}" - {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }} - securityContext: - readOnlyRootFilesystem: false - {{- end}} volumeMounts: {{- include "pulsar.bookkeeper.certs.volumeMounts" . | nindent 8 }} {{- end }} @@ -201,10 +197,6 @@ spec: bin/apply-config-from-env.py conf/bookkeeper.conf; {{- include "pulsar.bookkeeper.zookeeper.tls.settings" . | nindent 10 }} OPTS="${OPTS} -Dlog4j2.formatMsgNoLookups=true" exec bin/pulsar bookie; - {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }} - securityContext: - readOnlyRootFilesystem: false - {{- end}} ports: - name: "{{ .Values.tcpPrefix }}bookie" containerPort: {{ .Values.bookkeeper.ports.bookie }} diff --git a/charts/pulsar/templates/broker-psp.yaml b/charts/pulsar/templates/broker-psp.yaml deleted file mode 100644 index 35416be..0000000 --- a/charts/pulsar/templates/broker-psp.yaml +++ /dev/null 
@@ -1,85 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. -# - -{{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-psp" - namespace: {{ template "pulsar.namespace" . }} -rules: - - apiGroups: - - policy - resourceNames: - - "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}" - resources: - - podsecuritypolicies - verbs: - - use ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-psp" - namespace: {{ template "pulsar.namespace" . }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-psp" -subjects: -- kind: ServiceAccount - name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-acct" - namespace: {{ template "pulsar.namespace" . }} ---- - -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: -{{- if .Values.rbac.limit_to_namespace }} - name: "{{ template "pulsar.fullname" . 
}}-{{ .Values.broker.component }}-{{ template "pulsar.namespace" . }}" -{{- else}} - name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}" -{{- end}} -spec: - readOnlyRootFilesystem: false - privileged: false - allowPrivilegeEscalation: false - runAsUser: - rule: 'RunAsAny' - supplementalGroups: - ranges: - - max: 65535 - min: 1 - rule: MustRunAs - fsGroup: - rule: 'MustRunAs' - ranges: - - min: 1 - max: 65535 - seLinux: - rule: 'RunAsAny' - volumes: - - configMap - - emptyDir - - projected - - secret - - downwardAPI - - persistentVolumeClaim -{{- end}} diff --git a/charts/pulsar/templates/broker-statefulset.yaml b/charts/pulsar/templates/broker-statefulset.yaml index 9e1da2b..e44e1b0 100644 --- a/charts/pulsar/templates/broker-statefulset.yaml +++ b/charts/pulsar/templates/broker-statefulset.yaml @@ -149,10 +149,6 @@ spec: {{- end }} echo "pulsar cluster {{ template "pulsar.cluster.name" . }} isn't initialized yet ... check in 3 seconds ..." && sleep 3; done; - {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }} - securityContext: - readOnlyRootFilesystem: false - {{- end }} volumeMounts: {{- include "pulsar.broker.certs.volumeMounts" . | nindent 8 }} {{- end }} @@ -196,10 +192,6 @@ spec: envFrom: - configMapRef: name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}" - {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }} - securityContext: - readOnlyRootFilesystem: false - {{- end }} volumeMounts: {{- include "pulsar.broker.certs.volumeMounts" . | nindent 10 }} {{- end }} 
@@ -303,10 +295,6 @@ spec: {{ toYaml .Values.broker.extraVolumeMounts | indent 10 }} {{- end }} {{- include "pulsar.broker.certs.volumeMounts" . | nindent 10 }} - {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }} - securityContext: - readOnlyRootFilesystem: false - {{- end }} env: {{- if and (and .Values.broker.storageOffload (eq .Values.broker.storageOffload.driver "aws-s3")) .Values.broker.storageOffload.secret }} - name: AWS_ACCESS_KEY_ID diff --git a/charts/pulsar/templates/proxy-psp.yaml b/charts/pulsar/templates/proxy-psp.yaml deleted file mode 100644 index 768bfde..0000000 --- a/charts/pulsar/templates/proxy-psp.yaml +++ /dev/null 
@@ -1,85 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. -# - -{{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}" - namespace: {{ template "pulsar.namespace" . }} -rules: - - apiGroups: - - policy - resourceNames: - - "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}" - resources: - - podsecuritypolicies - verbs: - - use ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}" - namespace: {{ template "pulsar.namespace" . }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}" -subjects: -- kind: ServiceAccount - name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}" - namespace: {{ template "pulsar.namespace" . }} ---- - -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: -{{- if .Values.rbac.limit_to_namespace }} - name: "{{ template "pulsar.fullname" . 
}}-{{ .Values.proxy.component }}-{{ template "pulsar.namespace" . }}" -{{- else}} - name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}" -{{- end}} -spec: - readOnlyRootFilesystem: false - privileged: false - allowPrivilegeEscalation: false - runAsUser: - rule: 'RunAsAny' - supplementalGroups: - ranges: - - max: 65535 - min: 1 - rule: MustRunAs - fsGroup: - rule: 'MustRunAs' - ranges: - - min: 1 - max: 65535 - seLinux: - rule: 'RunAsAny' - volumes: - - configMap - - emptyDir - - projected - - secret - - downwardAPI - - persistentVolumeClaim - {{- end}} diff --git a/charts/pulsar/templates/proxy-statefulset.yaml b/charts/pulsar/templates/proxy-statefulset.yaml index df2b10b..6b858b3 100644 --- a/charts/pulsar/templates/proxy-statefulset.yaml +++ b/charts/pulsar/templates/proxy-statefulset.yaml @@ -226,10 +226,6 @@ spec: - name: "sts-{{ .Values.tlsPrefix }}pulsarssl" containerPort: {{ .Values.proxy.ports.pulsarssl }} {{- end }} - {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }} - securityContext: - readOnlyRootFilesystem: false - {{- end }} {{- if .Values.proxy.extraEnvs }} env: {{ toYaml .Values.proxy.extraEnvs | indent 8 }} diff --git a/charts/pulsar/templates/toolset-psp.yaml b/charts/pulsar/templates/toolset-psp.yaml deleted file mode 100644 index b1adc3b..0000000 --- a/charts/pulsar/templates/toolset-psp.yaml +++ /dev/null 
@@ -1,85 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. -# - -{{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}" - namespace: {{ template "pulsar.namespace" . }} -rules: - - apiGroups: - - policy - resourceNames: - - "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}" - resources: - - podsecuritypolicies - verbs: - - use ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}" - namespace: {{ template "pulsar.namespace" . }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}" -subjects: -- kind: ServiceAccount - name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}" - namespace: {{ template "pulsar.namespace" . }} ---- - -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: -{{- if .Values.rbac.limit_to_namespace }} - name: "{{ template "pulsar.fullname" . 
}}-{{ .Values.toolset.component }}-{{ template "pulsar.namespace" . }}" -{{- else}} - name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}" -{{- end}} -spec: - readOnlyRootFilesystem: false - privileged: false - allowPrivilegeEscalation: false - runAsUser: - rule: 'RunAsAny' - supplementalGroups: - ranges: - - max: 65535 - min: 1 - rule: MustRunAs - fsGroup: - rule: 'MustRunAs' - ranges: - - min: 1 - max: 65535 - seLinux: - rule: 'RunAsAny' - volumes: - - configMap - - emptyDir - - projected - - secret - - downwardAPI - - persistentVolumeClaim - {{- end}} diff --git a/charts/pulsar/templates/toolset-statefulset.yaml b/charts/pulsar/templates/toolset-statefulset.yaml index 602e39d..06eee76 100644 --- a/charts/pulsar/templates/toolset-statefulset.yaml +++ b/charts/pulsar/templates/toolset-statefulset.yaml @@ -90,10 +90,6 @@ spec: bin/apply-config-from-env.py conf/bookkeeper.conf; {{- include "pulsar.toolset.zookeeper.tls.settings" . | nindent 10 }} sleep 10000000000 - {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }} - securityContext: - readOnlyRootFilesystem: false - {{- end }} envFrom: - configMapRef: name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}" diff --git a/charts/pulsar/templates/zookeeper-psp.yaml b/charts/pulsar/templates/zookeeper-psp.yaml deleted file mode 100644 index fd32e3c..0000000 --- a/charts/pulsar/templates/zookeeper-psp.yaml +++ /dev/null 
@@ -1,85 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. -# - -{{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}" - namespace: {{ template "pulsar.namespace" . }} -rules: - - apiGroups: - - policy - resourceNames: - - "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}" - resources: - - podsecuritypolicies - verbs: - - use ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}" - namespace: {{ template "pulsar.namespace" . }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}" -subjects: -- kind: ServiceAccount - name: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}" - namespace: {{ template "pulsar.namespace" . }} ---- - -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: -{{- if .Values.rbac.limit_to_namespace }} - name: "{{ template "pulsar.fullname" . 
}}-{{ .Values.zookeeper.component }}-{{ template "pulsar.namespace" . }}" -{{- else}} - name: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}" -{{- end}} -spec: - readOnlyRootFilesystem: false - privileged: false - allowPrivilegeEscalation: false - runAsUser: - rule: 'RunAsAny' - supplementalGroups: - ranges: - - max: 65535 - min: 1 - rule: MustRunAs - fsGroup: - rule: 'MustRunAs' - ranges: - - min: 1 - max: 65535 - seLinux: - rule: 'RunAsAny' - volumes: - - configMap - - emptyDir - - projected - - secret - - downwardAPI - - persistentVolumeClaim - {{- end}} diff --git a/charts/pulsar/templates/zookeeper-statefulset.yaml b/charts/pulsar/templates/zookeeper-statefulset.yaml index c4757ac..55ad6bb 100755 --- a/charts/pulsar/templates/zookeeper-statefulset.yaml +++ b/charts/pulsar/templates/zookeeper-statefulset.yaml @@ -177,10 +177,6 @@ spec: {{- $zkConnectCommand = print "nc 127.0.0.1 " .Values.zookeeper.ports.client -}} {{- end }} {{- if .Values.zookeeper.probe.readiness.enabled }} - {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }} - securityContext: - readOnlyRootFilesystem: false - {{- end}} readinessProbe: exec: command: diff --git a/charts/pulsar/values.yaml b/charts/pulsar/values.yaml index f1da3ce..20d68a6 100755 --- a/charts/pulsar/values.yaml +++ b/charts/pulsar/values.yaml @@ -96,7 +96,6 @@ volumes: rbac: enabled: false - psp: false # DEPRECATED: PodSecurityPolicy is not supported in Kubernetes 1.25+ limit_to_namespace: true ## AntiAffinity