Update PSP approach for rancher-cis-benchmark.

* Remove all previous capabilities checks.
* Bump version from 3.0.1-rc6 to 4.0.0-rc1.
* Add new flag global.cattle.psp.enabled to control installation of PodSecurityPolicies.
* Add new validate-psp-install.yaml file to check whether PSPs can be installed.
* Update app-readme.md with PSP notice.
* Bump Kubernetes compatibility versions to < 1.26.0.

packages/rancher-cis-benchmark/charts/Chart.yaml

@@ -2,7 +2,7 @@ annotations:
   catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match
   catalog.cattle.io/certified: rancher
   catalog.cattle.io/display-name: CIS Benchmark
-  catalog.cattle.io/kube-version: '>= 1.21.0-0 < 1.25.0-0'
+  catalog.cattle.io/kube-version: '>= 1.21.0-0 < 1.26.0-0'
   catalog.cattle.io/namespace: cis-operator-system
   catalog.cattle.io/os: linux
   catalog.cattle.io/permits-os: linux,windows

packages/rancher-cis-benchmark/charts/app-readme.md

@@ -13,3 +13,21 @@ This chart installs the following components:
 - Alerting Resources - Rancher's CIS Benchmark application lets you run a cluster scan on a schedule, and send alerts when scans finish.
     - If you want to enable alerts to be delivered when a cluster scan completes, you need to ensure that [Rancher's Monitoring and Alerting](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/) application is pre-installed and the [Receivers and Routes](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/configuration/#alertmanager-config) are configured to send out alerts.
     - Additionally, you need to set `alerts: true` in the Values YAML while installing or upgrading this chart.
+
+## Upgrading to Kubernetes v1.25+
+
+Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API.
+
+As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`.
+
+> **Note:**
+> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`.
+
+> **Note:**
+> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).**
+>
+> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets.
+
+Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart.
+
+As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards.

packages/rancher-cis-benchmark/charts/templates/psp.yaml

@@ -1,4 +1,4 @@
-{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
+{{- if .Values.global.cattle.psp.enabled }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:

packages/rancher-cis-benchmark/charts/templates/rbac.yaml

@@ -46,7 +46,7 @@ metadata:
     app.kubernetes.io/instance: release-name
   name: cis-scan-ns
 rules:
-{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
+{{- if .Values.global.cattle.psp.enabled }}
 - apiGroups:
   - "*"
   resources:

packages/rancher-cis-benchmark/charts/templates/validate-psp-install.yaml

@@ -0,0 +1,7 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+#{{- if .Values.global.cattle.psp.enabled }}
+#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
+#{{- end }}
+#{{- end }}
+#{{- end }}

packages/rancher-cis-benchmark/charts/values.yaml

@@ -43,6 +43,8 @@ global:
   cattle:
     systemDefaultRegistry: ""
     clusterName: ""
+    psp:
+      enabled: false
   kubectl:
     repository: rancher/kubectl
     tag: v1.20.2

packages/rancher-cis-benchmark/package.yaml

@@ -1,5 +1,5 @@
 url: local
-version: 3.0.1-rc8
+version: 4.0.0-rc1
 additionalCharts:
   - workingDir: charts-crd
     crdOptions: