Merge pull request #2308 from geethub97/k8s-1.24-psp-fixes

Fixed errors found after investigating rancher/rancher#39997

charts/rancher-monitoring/101.1.0+up40.1.2/templates/alertmanager/psp.yaml

@@ -1,3 +1,4 @@
+{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicies" }}
 {{- if and .Values.alertmanager.enabled .Values.global.rbac.create .Values.global.rbac.pspEnabled }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
@@ -43,4 +44,4 @@ spec:
         max: 65535
   readOnlyRootFilesystem: false
 {{- end }}
-
+{{- end }}

charts/rancher-monitoring/101.1.0+up40.1.2/templates/prometheus-operator/admission-webhooks/job-patch/psp.yaml

@@ -1,3 +1,4 @@
+{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicies" }}
 {{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.enabled .Values.prometheusOperator.admissionWebhooks.patch.enabled .Values.global.rbac.create .Values.global.rbac.pspEnabled (not .Values.prometheusOperator.admissionWebhooks.certManager.enabled) }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
@@ -45,3 +46,4 @@ spec:
         max: 65535
   readOnlyRootFilesystem: false
 {{- end }}
+{{- end }}

charts/rancher-monitoring/101.1.0+up40.1.2/templates/prometheus-operator/psp.yaml

@@ -1,3 +1,4 @@
+{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicies" }}
 {{- if and .Values.prometheusOperator.enabled .Values.global.rbac.create .Values.global.rbac.pspEnabled }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
@@ -43,3 +44,4 @@ spec:
         max: 65535
   readOnlyRootFilesystem: false
 {{- end }}
+{{- end }}

charts/rancher-monitoring/101.1.0+up40.1.2/templates/prometheus/psp.yaml

@@ -1,3 +1,4 @@
+{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicies" }}
 {{- if and .Values.prometheus.enabled .Values.global.rbac.create .Values.global.rbac.pspEnabled }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
@@ -54,3 +55,4 @@ spec:
 {{ toYaml .Values.prometheus.podSecurityPolicy.allowedHostPaths | indent 4 }}
 {{- end }}
 {{- end }}
+{{- end }}

charts/rancher-monitoring/101.1.0+up40.1.2/templates/rancher-monitoring/hardened.yaml

@@ -47,11 +47,13 @@ rules:
   resources:
   - serviceaccounts
   verbs: ['get', 'patch']
+{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicies" }}
 - apiGroups: ['policy']
   resources: ['podsecuritypolicies']
   verbs:     ['use']
   resourceNames:
   - {{ .Chart.Name }}-patch-sa
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -76,6 +78,7 @@ metadata:
   labels:
     app: {{ .Chart.Name }}-patch-sa
 ---
+{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicies" }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
@@ -122,3 +125,4 @@ spec:
   - Ingress
   - Egress
 {{- end }}
+{{- end }}

charts/rancher-monitoring/101.1.0+up40.1.2/templates/rancher-monitoring/upgrade/rbac.yaml

@@ -52,11 +52,13 @@ metadata:
     "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed
     "helm.sh/hook-weight": "1"
 rules:
+{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicies" }}
 - apiGroups: ['policy']
   resources: ['podsecuritypolicies']
   verbs:     ['use']
   resourceNames:
   - {{ template "kube-prometheus-stack.fullname" . }}-upgrade
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -89,6 +91,7 @@ metadata:
     "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed
     "helm.sh/hook-weight": "1"
 ---
+{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicies" }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
@@ -125,3 +128,4 @@ spec:
     - 'configMap'
     - 'secret'
 {{- end }}
+{{- end }}

index.yaml

@@ -8369,7 +8369,7 @@ entries:
       catalog.cattle.io/upstream-version: 19.0.3
     apiVersion: v2
     appVersion: 0.59.1
-    created: "2023-01-03T10:56:12.63741-08:00"
+    created: "2023-01-03T13:40:11.420386-08:00"
     dependencies:
     - condition: grafana.enabled
       name: grafana
@@ -8440,7 +8440,7 @@ entries:
     description: Collects several related Helm charts, Grafana dashboards, and Prometheus
       rules combined with documentation and scripts to provide easy to operate end-to-end
       Kubernetes cluster monitoring with Prometheus using the Prometheus Operator.
-    digest: 1eb971b791af1e2b3241902465023e30ce39f47cedf42403b5fdc1a9f6017630
+    digest: be542f97143637b298eaef6723a97bdeaed1ab9fd0ca4a68423744c793dc7a9c
     home: https://github.com/prometheus-operator/kube-prometheus
     icon: https://raw.githubusercontent.com/prometheus/prometheus.github.io/master/assets/prometheus_logo-cb55bb5c346.png
     keywords:

packages/rancher-monitoring/rancher-monitoring/generated-changes/overlay/templates/rancher-monitoring/hardened.yaml

@@ -47,11 +47,13 @@ rules:
   resources:
   - serviceaccounts
   verbs: ['get', 'patch']
+{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicies" }}
 - apiGroups: ['policy']
   resources: ['podsecuritypolicies']
   verbs:     ['use']
   resourceNames:
   - {{ .Chart.Name }}-patch-sa
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -76,6 +78,7 @@ metadata:
   labels:
     app: {{ .Chart.Name }}-patch-sa
 ---
+{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicies" }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
@@ -122,3 +125,4 @@ spec:
   - Ingress
   - Egress
 {{- end }}
+{{- end }}

packages/rancher-monitoring/rancher-monitoring/generated-changes/overlay/templates/rancher-monitoring/upgrade/rbac.yaml

@@ -52,11 +52,13 @@ metadata:
     "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed
     "helm.sh/hook-weight": "1"
 rules:
+{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicies" }}
 - apiGroups: ['policy']
   resources: ['podsecuritypolicies']
   verbs:     ['use']
   resourceNames:
   - {{ template "kube-prometheus-stack.fullname" . }}-upgrade
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -89,6 +91,7 @@ metadata:
     "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded, hook-failed
     "helm.sh/hook-weight": "1"
 ---
+{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicies" }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
@@ -125,3 +128,4 @@ spec:
     - 'configMap'
     - 'secret'
 {{- end }}
+{{- end }}

packages/rancher-monitoring/rancher-monitoring/generated-changes/patch/templates/alertmanager/psp.yaml.patch

@@ -0,0 +1,14 @@
+--- charts-original/templates/alertmanager/psp.yaml
++++ charts/templates/alertmanager/psp.yaml
+@@ -1,3 +1,4 @@
++{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicies" }}
+ {{- if and .Values.alertmanager.enabled .Values.global.rbac.create .Values.global.rbac.pspEnabled }}
+ apiVersion: policy/v1beta1
+ kind: PodSecurityPolicy
+@@ -43,4 +44,4 @@
+         max: 65535
+   readOnlyRootFilesystem: false
+ {{- end }}
+-
++{{- end }}
+\ No newline at end of file

packages/rancher-monitoring/rancher-monitoring/generated-changes/patch/templates/prometheus-operator/admission-webhooks/job-patch/psp.yaml.patch

@@ -0,0 +1,15 @@
+--- charts-original/templates/prometheus-operator/admission-webhooks/job-patch/psp.yaml
++++ charts/templates/prometheus-operator/admission-webhooks/job-patch/psp.yaml
+@@ -1,3 +1,4 @@
++{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicies" }}
+ {{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.enabled .Values.prometheusOperator.admissionWebhooks.patch.enabled .Values.global.rbac.create .Values.global.rbac.pspEnabled (not .Values.prometheusOperator.admissionWebhooks.certManager.enabled) }}
+ apiVersion: policy/v1beta1
+ kind: PodSecurityPolicy
+@@ -44,4 +45,5 @@
+       - min: 0
+         max: 65535
+   readOnlyRootFilesystem: false
+-{{- end }}
++{{- end }}
++{{- end }}
+\ No newline at end of file

packages/rancher-monitoring/rancher-monitoring/generated-changes/patch/templates/prometheus-operator/psp.yaml.patch

@@ -0,0 +1,15 @@
+--- charts-original/templates/prometheus-operator/psp.yaml
++++ charts/templates/prometheus-operator/psp.yaml
+@@ -1,3 +1,4 @@
++{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicies" }}
+ {{- if and .Values.prometheusOperator.enabled .Values.global.rbac.create .Values.global.rbac.pspEnabled }}
+ apiVersion: policy/v1beta1
+ kind: PodSecurityPolicy
+@@ -42,4 +43,5 @@
+       - min: 0
+         max: 65535
+   readOnlyRootFilesystem: false
+-{{- end }}
++{{- end }}
++{{- end }}
+\ No newline at end of file

packages/rancher-monitoring/rancher-monitoring/generated-changes/patch/templates/prometheus/psp.yaml.patch

@@ -0,0 +1,16 @@
+--- charts-original/templates/prometheus/psp.yaml
++++ charts/templates/prometheus/psp.yaml
+@@ -1,3 +1,4 @@
++{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicies" }}
+ {{- if and .Values.prometheus.enabled .Values.global.rbac.create .Values.global.rbac.pspEnabled }}
+ apiVersion: policy/v1beta1
+ kind: PodSecurityPolicy
+@@ -52,5 +53,6 @@
+ {{- if .Values.prometheus.podSecurityPolicy.allowedHostPaths }}
+   allowedHostPaths:
+ {{ toYaml .Values.prometheus.podSecurityPolicy.allowedHostPaths | indent 4 }}
++{{- end }}
+ {{- end }}
+-{{- end }}
++{{- end }}
+\ No newline at end of file