[preview] remove commented out yaml related to PodSecurityPolicy

kylos101 · kylos101 · commit a10d7d571fd6 · 2023-05-03T18:32:09.000Z
diff --git a/.werft/vm/manifests/rook-ceph/common.yaml b/.werft/vm/manifests/rook-ceph/common.yaml
@@ -682,155 +682,6 @@ subjects:
   - kind: ServiceAccount
     name: rook-ceph-system
     namespace: rook-ceph # namespace:operator
-# apiVersion: rbac.authorization.k8s.io/v1
-# kind: ClusterRoleBinding
-# metadata:
-#   name: rook-ceph-system-psp
-#   labels:
-#     operator: rook
-#     storage-backend: ceph
-#     app.kubernetes.io/part-of: rook-ceph-operator
-# roleRef:
-#   apiGroup: rbac.authorization.k8s.io
-#   kind: ClusterRole
-#   name: 'psp:rook'
-# subjects:
-#   - kind: ServiceAccount
-#     name: rook-ceph-system
-#     namespace: rook-ceph # namespace:operator
-# ---
-# apiVersion: rbac.authorization.k8s.io/v1
-# kind: ClusterRoleBinding
-# metadata:
-#   name: rook-csi-cephfs-plugin-sa-psp
-# roleRef:
-#   apiGroup: rbac.authorization.k8s.io
-#   kind: ClusterRole
-#   name: 'psp:rook'
-# subjects:
-#   - kind: ServiceAccount
-#     name: rook-csi-cephfs-plugin-sa
-#     namespace: rook-ceph # namespace:operator
-# ---
-# apiVersion: rbac.authorization.k8s.io/v1
-# kind: ClusterRoleBinding
-# metadata:
-#   name: rook-csi-cephfs-provisioner-sa-psp
-# roleRef:
-#   apiGroup: rbac.authorization.k8s.io
-#   kind: ClusterRole
-#   name: 'psp:rook'
-# subjects:
-#   - kind: ServiceAccount
-#     name: rook-csi-cephfs-provisioner-sa
-#     namespace: rook-ceph # namespace:operator
-# ---
-# apiVersion: rbac.authorization.k8s.io/v1
-# kind: ClusterRoleBinding
-# metadata:
-#   name: rook-csi-rbd-plugin-sa-psp
-# roleRef:
-#   apiGroup: rbac.authorization.k8s.io
-#   kind: ClusterRole
-#   name: 'psp:rook'
-# subjects:
-#   - kind: ServiceAccount
-#     name: rook-csi-rbd-plugin-sa
-#     namespace: rook-ceph # namespace:operator
-# ---
-# apiVersion: rbac.authorization.k8s.io/v1
-# kind: ClusterRoleBinding
-# metadata:
-#   name: rook-csi-rbd-provisioner-sa-psp
-# roleRef:
-#   apiGroup: rbac.authorization.k8s.io
-#   kind: ClusterRole
-#   name: 'psp:rook'
-# subjects:
-#   - kind: ServiceAccount
-#     name: rook-csi-rbd-provisioner-sa
-#     namespace: rook-ceph # namespace:operator
-# ---
-# We expect most Kubernetes teams to follow the Kubernetes docs and have these PSPs.
-# * privileged (for kube-system namespace)
-# * restricted (for all logged in users)
-#
-# PSPs are applied based on the first match alphabetically. `rook-ceph-operator` comes after
-# `restricted` alphabetically, so we name this `00-rook-privileged`, so it stays somewhere
-# close to the top and so `rook-system` gets the intended PSP. This may need to be renamed in
-# environments with other `00`-prefixed PSPs.
-#
-# More on PSP ordering: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#policy-order
-# apiVersion: policy/v1beta1
-# kind: PodSecurityPolicy
-# metadata:
-#   name: 00-rook-privileged
-#   annotations:
-#     seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
-#     seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
-# spec:
-#   privileged: true
-#   allowedCapabilities:
-#     # required by CSI
-#     - SYS_ADMIN
-#     - MKNOD
-#   fsGroup:
-#     rule: RunAsAny
-#   # runAsUser, supplementalGroups - Rook needs to run some pods as root
-#   # Ceph pods could be run as the Ceph user, but that user isn't always known ahead of time
-#   runAsUser:
-#     rule: RunAsAny
-#   supplementalGroups:
-#     rule: RunAsAny
-#   # seLinux - seLinux context is unknown ahead of time; set if this is well-known
-#   seLinux:
-#     rule: RunAsAny
-#   volumes:
-#     # recommended minimum set
-#     - configMap
-#     - downwardAPI
-#     - emptyDir
-#     - persistentVolumeClaim
-#     - secret
-#     - projected
-#     # required for Rook
-#     - hostPath
-#   # allowedHostPaths can be set to Rook's known host volume mount points when they are fully-known
-#   # allowedHostPaths:
-#   #   - pathPrefix: "/run/udev"  # for OSD prep
-#   #     readOnly: false
-#   #   - pathPrefix: "/dev"  # for OSD prep
-#   #     readOnly: false
-#   #   - pathPrefix: "/var/lib/rook"  # or whatever the dataDirHostPath value is set to
-#   #     readOnly: false
-#   # Ceph requires host IPC for setting up encrypted devices
-#   hostIPC: true
-#   # Ceph OSDs need to share the same PID namespace
-#   hostPID: true
-#   # hostNetwork can be set to 'false' if host networking isn't used
-#   hostNetwork: true
-#   hostPorts:
-#     # Ceph messenger protocol v1
-#     - min: 6789
-#       max: 6790 # <- support old default port
-#     # Ceph messenger protocol v2
-#     - min: 3300
-#       max: 3300
-#     # Ceph RADOS ports for OSDs, MDSes
-#     - min: 6800
-#       max: 7300
-#     # # Ceph dashboard port HTTP (not recommended)
-#     # - min: 7000
-#     #   max: 7000
-#     # Ceph dashboard port HTTPS
-#     - min: 8443
-#       max: 8443
-#     # Ceph mgr Prometheus Metrics
-#     - min: 9283
-#       max: 9283
-#     # port for CSIAddons
-#     - min: 9070
-#       max: 9070
 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
