
CASMPET-7666: Wrap rbac psp rolebindings with conditional#49

Merged
studenym-hpe merged 1 commit into master from CASMPET-7666-psp-rolebindings on Sep 16, 2025

Conversation

@studenym-hpe
Contributor

Summary and Scope

CASMPET-7666: Wrap rbac psp rolebindings with a conditional so that they are only created when the PodSecurityPolicy capability exists

Issues and Related PRs

Testing

Tested on beau

Cleaned out psp rolebindings with the remove_psp.sh script.

pit:~/studenym # ./remove_psp.sh
Checking if PSP has been disabled on all control plane nodes
No existing podsecuritypolices
CLUSTERROLE_NX:  cray-certmanager-cert-manager-cainjector-psp cray-certmanager-cert-manager-psp cray-certmanager-cert-manager-webhook-psp cray-externaldns-external-dns-services-psp cray-kyverno-admission-controller cray-kyverno-background-controller cray-kyverno-cleanup-admission-reports cray-kyverno-cleanup-cluster-admission-reports cray-kyverno-cleanup-controller cray-kyverno-psp cray-kyverno-reports-controller cray-spire cray-spire-agent-psp node-problem-detector-psp privileged-psp psp-cray-sysmgmt-health-kube-state-metrics psp-cray-sysmgmt-health-prometheus-node-exporter restricted-psp restricted-transition-net-raw-psp restricted-transition-psp sealed-secrets-kube-system-psp sma-vm-cluster-clusterrole spire spire-agent-psp uas-default-psp
CLUSTERROLE_ONLY_PSP:
CLUSTERROLE_MIXED_PSP:
ROLE_NX:  ceph-cephfs/cray-ceph-csi-cephfs-nodeplugin ceph-rbd/cray-ceph-csi-rbd-nodeplugin sma/sma-vm-cluster
ROLE_ONLY_PSP:
ROLE_MIXED_PSP:
CLUSTERROLEBINDING_ONLY_PSP:
CLUSTERROLEBINDING_MIXED_PSP:
CLUSTERROLEBINDING_OTHER:
error: resource(s) were provided, but no name was specified
ROLEBINDING_CLUSTER_ONLY_PSP:  services/cray-postgres-operator-psp
ROLEBINDING_CLUSTER_MIXED_PSP:
ROLEBINDING_ONLY_PSP:
ROLEBINDING_MIXED_PSP:
ROLEBINDING_OTHER:
rolebinding.rbac.authorization.k8s.io "cray-postgres-operator-psp" deleted
PSP_ONLY_SA=ServiceAccount/cray-postgres-operator/services:services

ServiceAccount/cray-postgres-operator/services:services ==> kind=ServiceAccount name=cray-postgres-operator ns=services
delete_sa(): NOP
pit:~/studenym #

Upgraded cray-drydock chart

pit:~/studenym/cray-drydock # helm history -n loftsman cray-drydock
REVISION	UPDATED                 	STATUS  	CHART              	APP VERSION	DESCRIPTION
1       	Mon Aug 11 15:06:14 2025	deployed	cray-drydock-2.20.2	0.2.2      	Install complete
pit:~/studenym/cray-drydock # helm upgrade -n loftsman cray-drydock cray-drydock-2.20.3-20250915215646+23c2a26.tgz
Release "cray-drydock" has been upgraded. Happy Helming!
NAME: cray-drydock
LAST DEPLOYED: Mon Sep 15 22:10:03 2025
NAMESPACE: loftsman
STATUS: deployed
REVISION: 2
TEST SUITE: None
NOTES:
Foundational resources set up for a Cray Kubernetes cluster
pit:~/studenym/cray-drydock # helm history -n loftsman cray-drydock
REVISION	UPDATED                 	STATUS    	CHART                                     	APP VERSION                 DESCRIPTION
1       	Mon Aug 11 15:06:14 2025	superseded	cray-drydock-2.20.2                       	0.2.2                       Install complete
2       	Mon Sep 15 22:10:03 2025	deployed  	cray-drydock-2.20.3-20250915215646+23c2a26	0.2.2-20250915215646_23c2a26Upgrade complete
pit:~/studenym/cray-drydock #

Check psp rolebindings by running remove_psp.sh in DRY_RUN mode

pit:~/studenym # ./remove_psp.sh
Checking if PSP has been disabled on all control plane nodes
No existing podsecuritypolices
CLUSTERROLE_NX:  cray-certmanager-cert-manager-cainjector-psp cray-certmanager-cert-manager-psp cray-certmanager-cert-manager-webhook-psp cray-externaldns-external-dns-services-psp cray-kyverno-admission-controller cray-kyverno-background-controller cray-kyverno-cleanup-admission-reports cray-kyverno-cleanup-cluster-admission-reports cray-kyverno-cleanup-controller cray-kyverno-psp cray-kyverno-reports-controller cray-spire cray-spire-agent-psp node-problem-detector-psp privileged-psp psp-cray-sysmgmt-health-kube-state-metrics psp-cray-sysmgmt-health-prometheus-node-exporter restricted-psp restricted-transition-net-raw-psp restricted-transition-psp sealed-secrets-kube-system-psp sma-vm-cluster-clusterrole spire spire-agent-psp uas-default-psp
CLUSTERROLE_ONLY_PSP:
CLUSTERROLE_MIXED_PSP:
ROLE_NX:  ceph-cephfs/cray-ceph-csi-cephfs-nodeplugin ceph-rbd/cray-ceph-csi-rbd-nodeplugin sma/sma-vm-cluster
ROLE_ONLY_PSP:
ROLE_MIXED_PSP:
CLUSTERROLEBINDING_ONLY_PSP:
CLUSTERROLEBINDING_MIXED_PSP:
CLUSTERROLEBINDING_OTHER:
error: resource(s) were provided, but no name was specified
ROLEBINDING_CLUSTER_ONLY_PSP:
ROLEBINDING_CLUSTER_MIXED_PSP:
ROLEBINDING_ONLY_PSP:
ROLEBINDING_MIXED_PSP:
ROLEBINDING_OTHER:
PSP_ONLY_SA=

delete_sa(): NOP
pit:~/studenym #

Roll back to the previous cray-drydock chart, which should create all the psp rolebindings again

pit:~/studenym # helm rollback -n loftsman cray-drydock 1
Rollback was a success! Happy Helming!
pit:~/studenym # helm history -n loftsman cray-drydock
REVISION	UPDATED                 	STATUS    	CHART                                     	APP VERSION                 DESCRIPTION
1       	Mon Aug 11 15:06:14 2025	superseded	cray-drydock-2.20.2                       	0.2.2                       Install complete
2       	Mon Sep 15 22:10:03 2025	superseded	cray-drydock-2.20.3-20250915215646+23c2a26	0.2.2-20250915215646_23c2a26Upgrade complete
3       	Mon Sep 15 22:18:43 2025	deployed  	cray-drydock-2.20.2                       	0.2.2                       Rollback to 1
pit:~/studenym #
pit:~/studenym # ./remove_psp.sh
Checking if PSP has been disabled on all control plane nodes
No existing podsecuritypolices
CLUSTERROLE_NX:  cray-certmanager-cert-manager-cainjector-psp cray-certmanager-cert-manager-psp cray-certmanager-cert-manager-webhook-psp cray-externaldns-external-dns-services-psp cray-kyverno-admission-controller cray-kyverno-background-controller cray-kyverno-cleanup-admission-reports cray-kyverno-cleanup-cluster-admission-reports cray-kyverno-cleanup-controller cray-kyverno-psp cray-kyverno-reports-controller cray-spire cray-spire-agent-psp node-problem-detector-psp privileged-psp psp-cray-sysmgmt-health-kube-state-metrics psp-cray-sysmgmt-health-prometheus-node-exporter restricted-psp restricted-transition-net-raw-psp restricted-transition-psp sealed-secrets-kube-system-psp sma-vm-cluster-clusterrole spire spire-agent-psp uas-default-psp
CLUSTERROLE_ONLY_PSP:
CLUSTERROLE_MIXED_PSP:
ROLE_NX:  ceph-cephfs/cray-ceph-csi-cephfs-nodeplugin ceph-rbd/cray-ceph-csi-rbd-nodeplugin sma/sma-vm-cluster
ROLE_ONLY_PSP:
ROLE_MIXED_PSP:
CLUSTERROLEBINDING_ONLY_PSP:
CLUSTERROLEBINDING_MIXED_PSP:
CLUSTERROLEBINDING_OTHER:
error: resource(s) were provided, but no name was specified
ROLEBINDING_CLUSTER_ONLY_PSP:  argo/argo-psp cert-manager/cert-manager-psp istio-system/istio-system-psp loftsman/loftsman-psp operators/operators-psp services/cray-postgres-operator-psp services/services-default-psp services/sonar-psp
ROLEBINDING_CLUSTER_MIXED_PSP:
ROLEBINDING_ONLY_PSP:
ROLEBINDING_MIXED_PSP:
ROLEBINDING_OTHER:
rolebinding.rbac.authorization.k8s.io "argo-psp" deleted (server dry run)
rolebinding.rbac.authorization.k8s.io "cert-manager-psp" deleted (server dry run)
rolebinding.rbac.authorization.k8s.io "istio-system-psp" deleted (server dry run)
rolebinding.rbac.authorization.k8s.io "loftsman-psp" deleted (server dry run)
rolebinding.rbac.authorization.k8s.io "operators-psp" deleted (server dry run)
rolebinding.rbac.authorization.k8s.io "cray-postgres-operator-psp" deleted (server dry run)
rolebinding.rbac.authorization.k8s.io "services-default-psp" deleted (server dry run)
rolebinding.rbac.authorization.k8s.io "sonar-psp" deleted (server dry run)
PSP_ONLY_SA=Group/system:serviceaccounts:argo/:argo Group/system:serviceaccounts:cert-manager/:cert-manager Group/system:serviceaccounts:istio-system/:istio-system Group/system:serviceaccounts:loftsman/:loftsman Group/system:serviceaccounts:operators/:operators ServiceAccount/cray-postgres-operator/services:services ServiceAccount/default/services:services ServiceAccount/sonar/services:services ServiceAccount/jobs-watcher/services:services

ServiceAccount/cray-postgres-operator/services:services ==> kind=ServiceAccount name=cray-postgres-operator ns=services
ServiceAccount/default/services:services ==> kind=ServiceAccount name=default ns=services
ServiceAccount/sonar/services:services ==> kind=ServiceAccount name=sonar ns=services
ServiceAccount/jobs-watcher/services:services ==> kind=ServiceAccount name=jobs-watcher ns=services
delete_sa(): NOP
pit:~/studenym #

Risks and Mitigations

Low

Pull Request Checklist

  • Version number(s) incremented, if applicable
  • Copyrights updated
  • License file intact
  • Target branch correct
  • CHANGELOG.md updated
  • Testing is appropriate and complete, if applicable
  • HPC Product Announcement prepared, if applicable
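The PR's diff is not shown on this page, so the following is an added illustration of the technique the description names, not the cray-drydock chart's own template: a Helm template that emits a PSP "use" RoleBinding only when the cluster still serves the PodSecurityPolicy API. The RoleBinding name, ClusterRole name and subject are assumed for the example (modelled on the `services/services-default-psp` binding and the `ServiceAccount/default/services` subject in the transcript above); the condition itself uses Helm's built-in `.Capabilities.APIVersions.Has`, which accepts either an API version such as `policy/v1beta1` or a `group/version/Kind` triple.

```yaml
# Added example, not code from the cray-drydock chart or the PR.
# Emit the PSP RoleBinding only when the policy/v1beta1 PodSecurityPolicy
# API is present. PodSecurityPolicy was removed in Kubernetes 1.25, so on
# such clusters the whole object is skipped and no dangling RBAC is created.
{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: services-default-psp        # assumed name for this example
  namespace: services
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: restricted-psp              # assumed: a ClusterRole granting "use" on a PSP
subjects:
  - kind: ServiceAccount
    name: default
    namespace: services
{{- end }}
```

Two practical checks when using this pattern. First, `helm install` and `helm upgrade` evaluate `.Capabilities.APIVersions` against the live API server's discovery data, but `helm template` run without a cluster only knows Helm's built-in set, so an offline render silently drops the binding unless you pass `--api-versions policy/v1beta1/PodSecurityPolicy`; a chart's CI that renders templates offline should cover both cases. Second, the conditional only affects manifests rendered from this chart version onward: the `helm rollback` to revision 1 in the transcript recreated all eight `*-psp` RoleBindings because that revision's manifest was rendered before the conditional existed, which is why the description re-runs remove_psp.sh after the rollback.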

…ated when PodSecurityPolicy capability exists
@studenym-hpe studenym-hpe requested a review from a team as a code owner September 15, 2025 22:37
@studenym-hpe studenym-hpe merged commit 0e9585d into master Sep 16, 2025
5 checks passed
@studenym-hpe studenym-hpe deleted the CASMPET-7666-psp-rolebindings branch September 16, 2025 17:37
3 participants