Merge pull request #2370 from aiyengar2/add_global_psp_fields_to_alerting

Add global.cattle.psp.enabled to rancher-alerting charts

charts/rancher-alerting-drivers/101.0.1/app-readme.md

@@ -1,11 +0,0 @@
-# Rancher Alerting Drivers
-
-This chart installs one or more [Alertmanager Webhook Receiver Integrations](https://prometheus.io/docs/operating/integrations/#alertmanager-webhook-receiver) (i.e. Drivers).
-
-Those Drivers can be targeted by an existing deployment of Alertmanager to send alerts to notification mechanisms that are not natively supported.
-
-Currently, this chart supports the following Drivers:
-- Microsoft Teams, based on [prom2teams](https://github.com/idealista/prom2teams)
-- SMS, based on [Sachet](https://github.com/messagebird/sachet)
-
-After installing rancher-alerting-drivers, please refer to the upstream documentation for each Driver for configuration options.

charts/rancher-alerting-drivers/101.0.1/charts/prom2teams/templates/psp.yaml

@@ -1,31 +0,0 @@
-{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: {{ include "prom2teams.fullname" . }}-psp
-  labels: {{ include "prom2teams.labels" . | nindent 4 }}
-spec:
-  privileged: false
-  allowPrivilegeEscalation: false
-  hostNetwork: false
-  hostIPC: false
-  hostPID: false
-  runAsUser:
-    rule: 'MustRunAsNonRoot'
-  seLinux:
-    rule: 'RunAsAny'
-  supplementalGroups:
-    rule: 'MustRunAs'
-    ranges:
-      - min: 1
-        max: 65535
-  fsGroup:
-    rule: 'MustRunAs'
-    ranges:
-      - min: 1
-        max: 65535
-  readOnlyRootFilesystem: false
-  volumes:
-    - 'configMap'
-    - 'secret'
-{{- end }}

charts/rancher-alerting-drivers/101.0.1/charts/prom2teams/templates/role.yaml

@@ -1,17 +0,0 @@
-{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ include "prom2teams.fullname" . }}-psp
-  namespace: {{ include "prom2teams.namespace" . }}
-  labels: {{ include "prom2teams.labels" . | nindent 4 }}
-rules:
-  - apiGroups:
-      - policy
-    resourceNames:
-      - {{ include "prom2teams.fullname" . }}-psp
-    resources:
-      - podsecuritypolicies
-    verbs:
-      - use
-{{- end }}

charts/rancher-alerting-drivers/101.0.1/charts/prom2teams/templates/rolebinding.yaml

@@ -1,15 +0,0 @@
-{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: {{ include "prom2teams.fullname" . }}-psp
-  namespace: {{ include "prom2teams.namespace" . }}
-  labels: {{ include "prom2teams.labels" . | nindent 4 }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ include "prom2teams.fullname" . }}-psp
-subjects:
-  - kind: ServiceAccount
-    name: {{ include "prom2teams.fullname" . }}
-{{- end }}

charts/rancher-alerting-drivers/101.0.1/charts/sachet/templates/psp.yaml

@@ -1,31 +0,0 @@
-{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: {{ include "sachet.fullname" . }}-psp
-  labels: {{ include "sachet.labels" . | nindent 4 }}
-spec:
-  privileged: false
-  allowPrivilegeEscalation: false
-  hostNetwork: false
-  hostIPC: false
-  hostPID: false
-  runAsUser:
-    rule: 'MustRunAsNonRoot'
-  seLinux:
-    rule: 'RunAsAny'
-  supplementalGroups:
-    rule: 'MustRunAs'
-    ranges:
-      - min: 1
-        max: 65535
-  fsGroup:
-    rule: 'MustRunAs'
-    ranges:
-      - min: 1
-        max: 65535
-  readOnlyRootFilesystem: false
-  volumes:
-    - 'configMap'
-    - 'secret'
-{{- end }}

charts/rancher-alerting-drivers/101.0.1/charts/sachet/templates/role.yaml

@@ -1,17 +0,0 @@
-{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ include "sachet.fullname" . }}-psp
-  namespace: {{ include "sachet.namespace" . }}
-  labels: {{ include "sachet.labels" . | nindent 4 }}
-rules:
-  - apiGroups:
-      - policy
-    resourceNames:
-      - {{ include "sachet.fullname" . }}-psp
-    resources:
-      - podsecuritypolicies
-    verbs:
-      - use
-{{- end }}

charts/rancher-alerting-drivers/101.0.1/charts/sachet/templates/rolebinding.yaml

@@ -1,15 +0,0 @@
-{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: {{ include "sachet.fullname" . }}-psp
-  namespace: {{ include "sachet.namespace" . }}
-  labels: {{ include "sachet.labels" . | nindent 4 }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ include "sachet.fullname" . }}-psp
-subjects:
-  - kind: ServiceAccount
-    name: {{ include "sachet.fullname" . }}
-{{- end }}

charts/rancher-alerting-drivers/101.0.1/questions.yml

@@ -1,14 +0,0 @@
-categories:
-  - monitoring
-namespace: cattle-monitoring-system
-questions:
-  - variable: prom2teams.enabled
-    default: false
-    label: Enable Microsoft Teams
-    type: boolean
-    group: "General"
-  - variable: sachet.enabled
-    default: false
-    label: Enable SMS
-    type: boolean
-    group: "General"

charts/rancher-alerting-drivers/102.0.0/Chart.yaml

@@ -24,4 +24,4 @@ keywords:
 - alertmanger
 - webhook
 name: rancher-alerting-drivers
-version: 101.0.1
+version: 102.0.0

charts/rancher-alerting-drivers/102.0.0/app-readme.md

@@ -0,0 +1,29 @@
+# Rancher Alerting Drivers
+
+This chart installs one or more [Alertmanager Webhook Receiver Integrations](https://prometheus.io/docs/operating/integrations/#alertmanager-webhook-receiver) (i.e. Drivers).
+
+Those Drivers can be targeted by an existing deployment of Alertmanager to send alerts to notification mechanisms that are not natively supported.
+
+Currently, this chart supports the following Drivers:
+- Microsoft Teams, based on [prom2teams](https://github.com/idealista/prom2teams)
+- SMS, based on [Sachet](https://github.com/messagebird/sachet)
+
+After installing rancher-alerting-drivers, please refer to the upstream documentation for each Driver for configuration options.
+
+## Upgrading to Kubernetes v1.25+
+
+Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API. 
+
+As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`.
+​
+> **Note:**
+> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`.
+    ​
+> **Note:**
+> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).**
+>
+> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets.
+
+Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart.
+​
+As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards.

charts/rancher-alerting-drivers/102.0.0/charts/prom2teams/templates/psp.yaml

@@ -0,0 +1,61 @@
+{{- if .Values.global.cattle.psp.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ include "prom2teams.fullname" . }}-psp
+  labels: {{ include "prom2teams.labels" . | nindent 4 }}
+spec:
+  privileged: false
+  allowPrivilegeEscalation: false
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'MustRunAsNonRoot'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false
+  volumes:
+    - 'configMap'
+    - 'secret'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "prom2teams.fullname" . }}-psp
+  namespace: {{ include "prom2teams.namespace" . }}
+  labels: {{ include "prom2teams.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - policy
+    resourceNames:
+      - {{ include "prom2teams.fullname" . }}-psp
+    resources:
+      - podsecuritypolicies
+    verbs:
+      - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "prom2teams.fullname" . }}-psp
+  namespace: {{ include "prom2teams.namespace" . }}
+  labels: {{ include "prom2teams.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "prom2teams.fullname" . }}-psp
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "prom2teams.fullname" . }}
+{{- end }}

charts/rancher-alerting-drivers/102.0.0/charts/prom2teams/values.yaml

@@ -4,6 +4,8 @@
 
 global:
   cattle:
+    psp:
+      enabled: false
     systemDefaultRegistry: ""
   namespaceOverride: ""
 

charts/rancher-alerting-drivers/102.0.0/charts/sachet/templates/psp.yaml

@@ -0,0 +1,61 @@
+{{- if .Values.global.cattle.psp.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ include "sachet.fullname" . }}-psp
+  labels: {{ include "sachet.labels" . | nindent 4 }}
+spec:
+  privileged: false
+  allowPrivilegeEscalation: false
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'MustRunAsNonRoot'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false
+  volumes:
+    - 'configMap'
+    - 'secret'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "sachet.fullname" . }}-psp
+  namespace: {{ include "sachet.namespace" . }}
+  labels: {{ include "sachet.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - policy
+    resourceNames:
+      - {{ include "sachet.fullname" . }}-psp
+    resources:
+      - podsecuritypolicies
+    verbs:
+      - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "sachet.fullname" . }}-psp
+  namespace: {{ include "sachet.namespace" . }}
+  labels: {{ include "sachet.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "sachet.fullname" . }}-psp
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "sachet.fullname" . }}
+{{- end }}

charts/rancher-alerting-drivers/102.0.0/charts/sachet/values.yaml

@@ -4,6 +4,8 @@
 
 global:
   cattle:
+    psp:
+      enabled: false
     systemDefaultRegistry: ""
   namespaceOverride: ""
 

charts/rancher-alerting-drivers/102.0.0/questions.yml

@@ -0,0 +1,20 @@
+categories:
+  - monitoring
+namespace: cattle-monitoring-system
+questions:
+  - variable: global.cattle.psp.enabled
+    default: "false"
+    description: "Flag to enable or disable the installation of PodSecurityPolicies by this chart in the target cluster. If the cluster is running Kubernetes 1.25+, you must update this value to false."
+    label: "Enable PodSecurityPolicies"
+    type: boolean
+    group: "Security Settings"
+  - variable: prom2teams.enabled
+    default: false
+    label: Enable Microsoft Teams
+    type: boolean
+    group: "General"
+  - variable: sachet.enabled
+    default: false
+    label: Enable SMS
+    type: boolean
+    group: "General"

charts/rancher-alerting-drivers/102.0.0/templates/hardened.yaml

@@ -52,7 +52,7 @@ rules:
   - apiGroups: [""]
     resources: ["serviceaccounts"]
     verbs: ["get", "patch"]
-  {{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
+  {{- if .Values.global.cattle.psp.enabled }}
   - apiGroups: ["policy"]
     resources: ["podsecuritypolicies"]
     verbs:     ["use"]
@@ -77,7 +77,7 @@ subjects:
     name: {{ include "drivers.fullname" . }}-patch-sa
     namespace: {{ .Release.Namespace }}
 ---
-{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
+{{- if .Values.global.cattle.psp.enabled }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:

charts/rancher-alerting-drivers/102.0.0/templates/validate-psp-install.yaml

@@ -0,0 +1,7 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+#{{- if .Values.global.cattle.psp.enabled }}
+#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
+#{{- end }}
+#{{- end }}
+#{{- end }}

charts/rancher-alerting-drivers/102.0.0/values.yaml

@@ -4,6 +4,8 @@
 
 global:
   cattle:
+    psp:
+      enabled: false
     # the registry where all images will be pulled from
     systemDefaultRegistry: ""
   kubectl:

index.yaml

@@ -3628,7 +3628,7 @@ entries:
       catalog.cattle.io/upstream-version: 100.0.1
     apiVersion: v2
     appVersion: 1.16.0
-    created: "2022-12-20T08:57:54.694788904+05:30"
+    created: "2023-01-27T14:59:41.208842-08:00"
     dependencies:
     - condition: prom2teams.enabled
       name: prom2teams
@@ -3638,7 +3638,7 @@ entries:
       repository: file://./charts/sachet
     description: The manager for third-party webhook receivers used in Prometheus
       Alertmanager
-    digest: 0ae55e483f38a4b1ffdbb025178b3822f9534c6f2dae8401fd81c26ef587a62f
+    digest: 926f4e9a2f5e5253332eabeb8b8b49aaeefb700174df577f68161308112d6f93
     icon: https://charts.rancher.io/assets/logos/alerting-drivers.svg
     keywords:
     - monitoring
@@ -3646,8 +3646,8 @@ entries:
     - webhook
     name: rancher-alerting-drivers
     urls:
-    - assets/rancher-alerting-drivers/rancher-alerting-drivers-101.0.1.tgz
-    version: 101.0.1
+    - assets/rancher-alerting-drivers/rancher-alerting-drivers-102.0.0.tgz
+    version: 102.0.0
   - annotations:
       catalog.cattle.io/certified: rancher
       catalog.cattle.io/display-name: Alerting Drivers

packages/rancher-alerting/rancher-alerting-drivers/charts/app-readme.md

@@ -8,4 +8,22 @@ Currently, this chart supports the following Drivers:
 - Microsoft Teams, based on [prom2teams](https://github.com/idealista/prom2teams)
 - SMS, based on [Sachet](https://github.com/messagebird/sachet)
 
-After installing rancher-alerting-drivers, please refer to the upstream documentation for each Driver for configuration options.
+After installing rancher-alerting-drivers, please refer to the upstream documentation for each Driver for configuration options.
+
+## Upgrading to Kubernetes v1.25+
+
+Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API. 
+
+As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`.
+​
+> **Note:**
+> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`.
+    ​
+> **Note:**
+> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).**
+>
+> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets.
+
+Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart.
+​
+As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards.

packages/rancher-alerting/rancher-alerting-drivers/charts/questions.yml

@@ -2,6 +2,12 @@ categories:
   - monitoring
 namespace: cattle-monitoring-system
 questions:
+  - variable: global.cattle.psp.enabled
+    default: "false"
+    description: "Flag to enable or disable the installation of PodSecurityPolicies by this chart in the target cluster. If the cluster is running Kubernetes 1.25+, you must update this value to false."
+    label: "Enable PodSecurityPolicies"
+    type: boolean
+    group: "Security Settings"
   - variable: prom2teams.enabled
     default: false
     label: Enable Microsoft Teams

packages/rancher-alerting/rancher-alerting-drivers/charts/templates/hardened.yaml

@@ -52,7 +52,7 @@ rules:
   - apiGroups: [""]
     resources: ["serviceaccounts"]
     verbs: ["get", "patch"]
-  {{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
+  {{- if .Values.global.cattle.psp.enabled }}
   - apiGroups: ["policy"]
     resources: ["podsecuritypolicies"]
     verbs:     ["use"]
@@ -77,7 +77,7 @@ subjects:
     name: {{ include "drivers.fullname" . }}-patch-sa
     namespace: {{ .Release.Namespace }}
 ---
-{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
+{{- if .Values.global.cattle.psp.enabled }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:

packages/rancher-alerting/rancher-alerting-drivers/charts/templates/validate-psp-install.yaml

@@ -0,0 +1,7 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+#{{- if .Values.global.cattle.psp.enabled }}
+#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
+#{{- end }}
+#{{- end }}
+#{{- end }}

packages/rancher-alerting/rancher-alerting-drivers/charts/values.yaml

@@ -4,6 +4,8 @@
 
 global:
   cattle:
+    psp:
+      enabled: false
     # the registry where all images will be pulled from
     systemDefaultRegistry: ""
   kubectl:

packages/rancher-alerting/rancher-alerting-drivers/package.yaml

@@ -1,2 +1,2 @@
 url: local
-version: 101.0.1
+version: 102.0.0

packages/rancher-alerting/rancher-prom2teams/generated-changes/overlay/templates/psp.yaml

@@ -1,4 +1,4 @@
-{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
+{{- if .Values.global.cattle.psp.enabled }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
@@ -28,4 +28,34 @@ spec:
   volumes:
     - 'configMap'
     - 'secret'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "prom2teams.fullname" . }}-psp
+  namespace: {{ include "prom2teams.namespace" . }}
+  labels: {{ include "prom2teams.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - policy
+    resourceNames:
+      - {{ include "prom2teams.fullname" . }}-psp
+    resources:
+      - podsecuritypolicies
+    verbs:
+      - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "prom2teams.fullname" . }}-psp
+  namespace: {{ include "prom2teams.namespace" . }}
+  labels: {{ include "prom2teams.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "prom2teams.fullname" . }}-psp
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "prom2teams.fullname" . }}
 {{- end }}

packages/rancher-alerting/rancher-prom2teams/generated-changes/overlay/templates/role.yaml

@@ -1,17 +0,0 @@
-{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ include "prom2teams.fullname" . }}-psp
-  namespace: {{ include "prom2teams.namespace" . }}
-  labels: {{ include "prom2teams.labels" . | nindent 4 }}
-rules:
-  - apiGroups:
-      - policy
-    resourceNames:
-      - {{ include "prom2teams.fullname" . }}-psp
-    resources:
-      - podsecuritypolicies
-    verbs:
-      - use
-{{- end }}

packages/rancher-alerting/rancher-prom2teams/generated-changes/overlay/templates/rolebinding.yaml

@@ -1,15 +0,0 @@
-{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: {{ include "prom2teams.fullname" . }}-psp
-  namespace: {{ include "prom2teams.namespace" . }}
-  labels: {{ include "prom2teams.labels" . | nindent 4 }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ include "prom2teams.fullname" . }}-psp
-subjects:
-  - kind: ServiceAccount
-    name: {{ include "prom2teams.fullname" . }}
-{{- end }}

packages/rancher-alerting/rancher-prom2teams/generated-changes/patch/values.yaml.patch

@@ -1,11 +1,13 @@
 --- charts-original/values.yaml
 +++ charts/values.yaml
-@@ -2,9 +2,19 @@
+@@ -2,9 +2,21 @@
  # This is a YAML-formatted file.
  # Declare variables to be passed into your templates.
  
 +global:
 +  cattle:
++    psp:
++      enabled: false
 +    systemDefaultRegistry: ""
 +  namespaceOverride: ""
 +
@@ -22,7 +24,7 @@
    pullPolicy: IfNotPresent
  
  resources:
-@@ -22,7 +32,7 @@
+@@ -22,7 +34,7 @@
  prom2teams:
    host: 0.0.0.0
    port: 8089
@@ -31,7 +33,7 @@
    connectors: {}
    # group_alerts_by can be one of
    # ("name" | "description" | "instance" | "severity" | "status" | "summary" | "fingerprint" | "runbook_url")
-@@ -45,3 +55,13 @@
+@@ -45,3 +57,13 @@
    fsGroup: 101
    # readOnlyRootFilesystem is a flag to enable readOnlyRootFilesystem for the Hazelcast security context
    readOnlyRootFilesystem: true

packages/rancher-alerting/rancher-prom2teams/package.yaml

@@ -1,5 +1,5 @@
 url: https://github.com/idealista/prom2teams.git
 subdirectory: helm
 commit: d8d595292312643986f690cca5e2270eb105b59c # the commit points to the tag 4.2.0
-version: 101.0.1
+version: 102.0.0
 doNotRelease: true

packages/rancher-alerting/rancher-sachet/charts/templates/psp.yaml

@@ -1,4 +1,4 @@
-{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
+{{- if .Values.global.cattle.psp.enabled }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
@@ -28,4 +28,34 @@ spec:
   volumes:
     - 'configMap'
     - 'secret'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "sachet.fullname" . }}-psp
+  namespace: {{ include "sachet.namespace" . }}
+  labels: {{ include "sachet.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - policy
+    resourceNames:
+      - {{ include "sachet.fullname" . }}-psp
+    resources:
+      - podsecuritypolicies
+    verbs:
+      - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "sachet.fullname" . }}-psp
+  namespace: {{ include "sachet.namespace" . }}
+  labels: {{ include "sachet.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "sachet.fullname" . }}-psp
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "sachet.fullname" . }}
 {{- end }}

packages/rancher-alerting/rancher-sachet/charts/templates/role.yaml

@@ -1,17 +0,0 @@
-{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ include "sachet.fullname" . }}-psp
-  namespace: {{ include "sachet.namespace" . }}
-  labels: {{ include "sachet.labels" . | nindent 4 }}
-rules:
-  - apiGroups:
-      - policy
-    resourceNames:
-      - {{ include "sachet.fullname" . }}-psp
-    resources:
-      - podsecuritypolicies
-    verbs:
-      - use
-{{- end }}

packages/rancher-alerting/rancher-sachet/charts/templates/rolebinding.yaml

@@ -1,15 +0,0 @@
-{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: {{ include "sachet.fullname" . }}-psp
-  namespace: {{ include "sachet.namespace" . }}
-  labels: {{ include "sachet.labels" . | nindent 4 }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ include "sachet.fullname" . }}-psp
-subjects:
-  - kind: ServiceAccount
-    name: {{ include "sachet.fullname" . }}
-{{- end }}

packages/rancher-alerting/rancher-sachet/charts/values.yaml

@@ -4,6 +4,8 @@
 
 global:
   cattle:
+    psp:
+      enabled: false
     systemDefaultRegistry: ""
   namespaceOverride: ""
 

packages/rancher-alerting/rancher-sachet/package.yaml

@@ -1,3 +1,3 @@
 url: local
-version: 101.0.1
+version: 102.0.0
 doNotRelease: true

release.yaml

@@ -23,7 +23,7 @@ rancher-aks-operator:
 rancher-aks-operator-crd:
 - 101.0.1+up1.1.0-rc2
 rancher-alerting-drivers:
-- 101.0.1
+- 102.0.0
 rancher-backup:
 - 102.0.0+up3.1.0-rc1
 rancher-backup-crd: