Replace PSP installation condition (#95)

* replace PSP installation condition * replace PSP installation condition * replace PSP installation condition
giantswarm · Oct 10, 2023 · e6469a8 · e6469a8
1 parent c0eb0cf
commit e6469a8
Show file tree

Hide file tree

Showing 9 changed files with 27 additions and 6 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Changed
+
+- Replace condition for PSP CR installation.
+
 ## [0.13.0] - 2023-09-26
 
 ### Added

diff --git a/helm/cilium/templates/cilium-agent/podsecuritypolicy.yaml b/helm/cilium/templates/cilium-agent/podsecuritypolicy.yaml
@@ -1,4 +1,4 @@
-{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
+{{- if not .Values.global.podSecurityStandards.enforced }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:

diff --git a/helm/cilium/templates/cilium-operator/podsecuritypolicy.yaml b/helm/cilium/templates/cilium-operator/podsecuritypolicy.yaml
@@ -1,4 +1,4 @@
-{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
+{{- if not .Values.global.podSecurityStandards.enforced }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:

diff --git a/helm/cilium/templates/default-policies/podsecuritypolicy.yaml b/helm/cilium/templates/default-policies/podsecuritypolicy.yaml
@@ -1,4 +1,4 @@
-{{- if and (or .Values.defaultPolicies.enabled .Values.defaultPolicies.remove) (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") -}}
+{{- if and (or .Values.defaultPolicies.enabled .Values.defaultPolicies.remove) (not .Values.global.podSecurityStandards.enforced) -}}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:

diff --git a/helm/cilium/templates/extra-policies/podsecuritypolicy.yaml b/helm/cilium/templates/extra-policies/podsecuritypolicy.yaml
@@ -1,4 +1,4 @@
-{{- if or .Values.extraPolicies.allowEgressToCoreDNS.enabled .Values.extraPolicies.allowEgressToProxy.enabled -}}
+{{- if and (or .Values.extraPolicies.allowEgressToCoreDNS.enabled .Values.extraPolicies.allowEgressToProxy.enabled) (not .Values.global.podSecurityStandards.enforced) -}}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:

diff --git a/helm/cilium/templates/hubble-relay/podsecuritypolicy.yaml b/helm/cilium/templates/hubble-relay/podsecuritypolicy.yaml
@@ -1,4 +1,4 @@
-{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
+{{- if not .Values.global.podSecurityStandards.enforced }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:

diff --git a/helm/cilium/templates/hubble-ui/podsecuritypolicy.yaml b/helm/cilium/templates/hubble-ui/podsecuritypolicy.yaml
@@ -1,4 +1,4 @@
-{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
+{{- if not .Values.global.podSecurityStandards.enforced }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:

diff --git a/helm/cilium/values.schema.json b/helm/cilium/values.schema.json
@@ -1118,6 +1118,19 @@
                 }
             }
         },
+        "global": {
+            "type": "object",
+            "properties": {
+                "podSecurityStandards": {
+                    "type": "object",
+                    "properties": {
+                        "enforced": {
+                            "type": "boolean"
+                        }
+                    }
+                }
+            }
+        },
         "healthChecking": {
             "type": "boolean"
         },

diff --git a/helm/cilium/values.yaml b/helm/cilium/values.yaml
@@ -2592,3 +2592,7 @@ extraPolicies:
 # If true, it adds an initContainer to cilium-agent pods that cleans up any legacy kube-proxy iptables rules from the node before running cilium.
 # Only makes sense when `kubeProxyReplacement` is enabled (i.e. not set to 'disabled').
 cleanupKubeProxy: false
+
+global:
+  podSecurityStandards:
+    enforced: false