Remove PodSecurityPolicy from Terraform configs (#6874)

Remove also ClusterRole and ClusterRoleBinding resources that were
used to enact the PodSecurityPolicy policies.

The current recommended Kubernetes version for these configs is 1.23
 * updated autoscaler image tag v.1.21.0 -> v.1.23.0
 * updated autoscaler permissions to the recommended set for this version

The recommended mechanism to replace PodSecurityPolicy is [Pod
Security Standards](https://v1-23.docs.kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/).

 * removed SYS_RESOURCE from requested capability set for Haproxy
Deployment for compatibility with the PSS Baseline profile. Without
this change, the entire "default" namespace would have to run under
the Privileged profile, possibly compromising the security of the
validator nodes.

terraform/aptos-node-testnet/aws/addons.tf

@@ -94,14 +94,20 @@ data "aws_iam_policy_document" "cluster-autoscaler" {
     }
   }
 
+  # Recommended config https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md
   statement {
     sid = "DescribeAutoscaling"
     actions = [
-      "autoscaling:DescribeAutoScalingInstances",
       "autoscaling:DescribeAutoScalingGroups",
-      "ec2:DescribeLaunchTemplateVersions",
+      "autoscaling:DescribeAutoScalingInstances",
+      "autoscaling:DescribeLaunchConfigurations",
+      "autoscaling:DescribeScalingActivities",
       "autoscaling:DescribeTags",
-      "autoscaling:DescribeLaunchConfigurations"
+      "ec2:DescribeInstanceTypes",
+      "ec2:DescribeLaunchTemplateVersions",
+      "ec2:DescribeImages",
+      "ec2:GetInstanceTypesFromInstanceRequirements",
+      "eks:DescribeNodegroup"
     ]
     resources = ["*"]
   }
@@ -150,7 +156,6 @@ resource "helm_release" "chaos-mesh" {
       }
       chaos-mesh = {
         chaosDaemon = {
-          podSecurityPolicy = true
           # tolerate pod assignment on nodes in the validator nodegroup
           tolerations = [{
             key    = "aptos.org/nodepool"

terraform/aptos-node-testnet/gcp/addons.tf

@@ -24,7 +24,6 @@ resource "helm_release" "chaos-mesh" {
     jsonencode({
       chaos-mesh = {
         chaosDaemon = {
-          podSecurityPolicy = true
         }
       }
     })

terraform/helm/aptos-node/README.md

@@ -127,10 +127,6 @@ ServiceAccounts:
 * `<RELEASE_NAME>-validator` - The validator service account
 * `<RELEASE_NAME>-fullnode` - The fullnode service account
 
-[optional] PodSecurityPolicy:
-* `<RELEASE_NAME>` - The default PodSecurityPolicy for validators and fullnodes
-* `<RELEASE_NAME>-haproxy` - The PodSecurityPolicy for HAProxy
-
 ## Common Operations
 
 ### Check Pod Status

terraform/helm/aptos-node/templates/haproxy.yaml

@@ -168,7 +168,6 @@ spec:
             drop:
             - ALL
             add:
-            - SYS_RESOURCE
             - SETUID
       {{- with .nodeSelector }}
       nodeSelector:

terraform/helm/aptos-node/values.yaml

@@ -175,9 +175,6 @@ serviceAccount:
   # -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template
   name:
 
-# -- LEGACY: create PodSecurityPolicy, which exists at the cluster-level
-podSecurityPolicy: true
-
 # -- Load test-data for starting a test network
 loadTestGenesis: false
 

terraform/helm/autoscaling/values.yaml

@@ -17,7 +17,7 @@ autoscaler:
   scaleDownDelayAfterAdd: 5m
   image:
     repo: k8s.gcr.io/autoscaling/cluster-autoscaler
-    tag: v1.21.0
+    tag: v1.23.0
   resources:
     requests:
       cpu: 1

terraform/helm/chaos/templates/psp.yaml → terraform/helm/chaos/templates/roles.yaml

@@ -41,49 +41,3 @@ subjects:
   namespace: {{ .Release.Namespace }}
 
 ---
-# Grant some basic permissions to the dashboard and controller manager
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: {{ include "chaos.fullname" . }}
-spec:
-  privileged: false  # Don't allow privileged pods!
-  # The rest fills in some required fields.
-  seLinux:
-    rule: RunAsAny
-  supplementalGroups:
-    rule: RunAsAny
-  runAsUser:
-    rule: RunAsAny
-  fsGroup:
-    rule: RunAsAny
-  volumes:
-  - '*'
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ include "chaos.fullname" . }}-psp
-rules:
-- apiGroups: ["policy"]
-  resources: ["podsecuritypolicies"]
-  verbs: ["use"]
-  resourceNames:
-  - {{ include "chaos.fullname" . }}
----
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: {{ include "chaos.fullname" . }}-psp
-roleRef:
-  kind: ClusterRole
-  name: {{ include "chaos.fullname" . }}-psp
-  apiGroup: rbac.authorization.k8s.io
-subjects:
-- kind: ServiceAccount
-  namespace: {{ .Release.Namespace }}
-  name: chaos-controller-manager
-- kind: ServiceAccount
-  namespace: {{ .Release.Namespace }}
-  name: chaos-dashboard

terraform/helm/genesis/README.md

@@ -44,7 +44,6 @@ Aptos blockchain automated genesis ceremony for testnets
 | genesis.validator.larger_stake_amount | string | `"1000000000000000"` | Stake amount for each validator in this testnet. Defaults to 1M APTOS coins with 8 decimals |
 | imageTag | string | `"testnet"` | Default image tag to use for all tools images |
 | labels | string | `nil` |  |
-| podSecurityPolicy | bool | `true` | LEGACY: create PodSecurityPolicy, which exists at the cluster-level |
 | serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
 | serviceAccount.name | string | `nil` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |