stackrox · gavin-stackrox · Feb 14, 2023 · Oct 4, 2022 · Jan 25, 2023 · Feb 2, 2023
diff --git a/Makefile b/Makefile
@@ -283,7 +283,7 @@ pkg/complianceoperator/api/v1alpha1/zz_generated.deepcopy.go: $(CONTROLLER_GEN_B
 .PHONY: go-generated-srcs
 go-generated-srcs: deps clean-easyjson-srcs go-easyjson-srcs $(MOCKGEN_BIN) $(STRINGER_BIN) pkg/complianceoperator/api/v1alpha1/zz_generated.deepcopy.go
 	@echo "+ $@"
-	PATH="$(PATH):$(BASE_DIR)/tools/generate-helpers" MOCKGEN_BIN="$(MOCKGEN_BIN)" go generate -v -x ./...
+	PATH="$(GOTOOLS_BIN):$(PATH):$(BASE_DIR)/tools/generate-helpers" MOCKGEN_BIN="$(MOCKGEN_BIN)" go generate -v -x ./...
 
 proto-generated-srcs: $(PROTO_GENERATED_SRCS) $(GENERATED_API_SWAGGER_SPECS)
 	@echo "+ $@"

diff --git a/central/deployment/store/postgres/gen.go b/central/deployment/store/postgres/gen.go
@@ -1,3 +1,3 @@
 package postgres
 
-//go:generate pg-table-bindings-wrapper --type=storage.Deployment --search-category DEPLOYMENTS --references=storage.Image,namespaces:storage.NamespaceMetadata --search-scope IMAGE_VULNERABILITIES,COMPONENT_VULN_EDGE,IMAGE_COMPONENTS,IMAGE_COMPONENT_EDGE,IMAGE_VULN_EDGE,IMAGES,DEPLOYMENTS,NAMESPACES,CLUSTERS,PROCESS_INDICATORS --migration-seq 3 --migrate-from dackbox
+//go:generate pg-table-bindings-wrapper --type=storage.Deployment --search-category DEPLOYMENTS --references=storage.Image,namespaces:storage.NamespaceMetadata --search-scope IMAGE_VULNERABILITIES,COMPONENT_VULN_EDGE,IMAGE_COMPONENTS,IMAGE_COMPONENT_EDGE,IMAGE_VULN_EDGE,IMAGES,DEPLOYMENTS,NAMESPACES,CLUSTERS,PROCESS_INDICATORS
diff --git a/deploy/README.md b/deploy/README.md
@@ -18,13 +18,14 @@ $ LOAD_BALANCER=route ./deploy/openshift/deploy.sh
 
 Most environment variables can be found in [common/env.sh](common/env.sh).
 
-| **Name**           | **Values**            | **Description**                                                                                                                                                            |
-|--------------------|-----------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `COLLECTION_METHOD`  | `ebpf`  \| `kernel-module` | Set the collection method for collector.                                                                                                                                   |
-| `HOTRELOAD`          | `true`  \| `false`         | `HOTRELOAD` mounts Sensor and Central local binaries into locally running pods. Only works with docker-desktop.  Alternatively you can use ./dev-tools/enabled-hotreload.sh. Note however that this will break the linter: https://stack-rox.atlassian.net/browse/ROX-6562 |
-| `LOAD_BALANCER`      | `route` \| `lb`            | Configure how to expose Central, important if deployed on remote clusters. Use `route` for OpenShift, `lb` for Kubernetes.                                                 |
-| `MAIN_IMAGE_TAG`     | `string`                   | Configure the image tag of the `stackrox/main` image to be deployed.                                                                                                       |
-| `MONITORING_SUPPORT` | `true`  \| `false`         | Enable StackRox monitoring.                                                                                                                                                |
-| `REGISTRY_USERNAME`  | `string`                   | Set docker registry username to pull the docker.io/stackrox/main image. |
-| `REGISTRY_PASSWORD`  | `string`                   | Set docker registry password to pull the docker.io/stackrox/main image.  |
-| `STORAGE`            | `none`  \| `pvc`           | Defines which storage to use for the Central database, to preserve data between Central restarts it is recommended to use `pvc`.                                                |
+| **Name**                | **Values**            | **Description**                                                                                                                                                            |
+|-------------------------|-----------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `COLLECTION_METHOD`     | `ebpf`  \| `kernel-module` | Set the collection method for collector.                                                                                                                                   |
+| `HOTRELOAD`             | `true`  \| `false`         | `HOTRELOAD` mounts Sensor and Central local binaries into locally running pods. Only works with docker-desktop.  Alternatively you can use ./dev-tools/enabled-hotreload.sh. Note however that this will break the linter: https://stack-rox.atlassian.net/browse/ROX-6562 |
+| `LOAD_BALANCER`         | `route` \| `lb`            | Configure how to expose Central, important if deployed on remote clusters. Use `route` for OpenShift, `lb` for Kubernetes.                                                 |
+| `MAIN_IMAGE_TAG`        | `string`                   | Configure the image tag of the `stackrox/main` image to be deployed.                                                                                                       |
+| `MONITORING_SUPPORT`    | `true`  \| `false`         | Enable StackRox monitoring.                                                                                                                                                |
+| `MONITORING_ENABLE_PSP` | `true` \| `false`          | Generate PodSecurityPolicies for monitoring. Defaults to `false`, as PSPs were deprecated in k8s 1.25. |
+| `REGISTRY_USERNAME`     | `string`                   | Set docker registry username to pull the docker.io/stackrox/main image. |
+| `REGISTRY_PASSWORD`     | `string`                   | Set docker registry password to pull the docker.io/stackrox/main image.  |
+| `STORAGE`               | `none`  \| `pvc`           | Defines which storage to use for the Central database, to preserve data between Central restarts it is recommended to use `pvc`.                                                |
diff --git a/...toring/templates/pod-security-policy.yaml → ...toring/templates/pod-security-config.yaml b/...toring/templates/pod-security-policy.yaml → ...toring/templates/pod-security-config.yaml
@@ -1,11 +1,12 @@
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: stackrox-monitoring-psp
+  name: stackrox-monitoring
   labels:
     app.kubernetes.io/name: stackrox
     app: monitoring
 rules:
+{{- if .Values.enableMonitoringPSPs }}
   - apiGroups:
       - policy
     resources:
@@ -14,6 +15,7 @@ rules:
       - stackrox-monitoring
     verbs:
       - use
+{{- end }}
   - apiGroups: [""]
     resources:
       - endpoints
@@ -25,20 +27,21 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: stackrox-monitoring-psp
+  name: stackrox-monitoring
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: stackrox
     app: monitoring
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: stackrox-monitoring-psp
+  name: stackrox-monitoring
 subjects:
   - kind: ServiceAccount
     name: monitoring
     namespace: {{ .Release.Namespace }}
 ---
+{{- if .Values.enableMonitoringPSPs }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
@@ -75,3 +78,4 @@ spec:
     ranges:
       - min: 4000
         max: 4000
+{{- end }}
diff --git a/deploy/charts/monitoring/values.yaml b/deploy/charts/monitoring/values.yaml
@@ -37,3 +37,5 @@ alertmanager:
       group_by: [alertname]
   configmapReload:
     enabled: true
+
+enableMonitoringPSPs: ${MONITORING_ENABLE_PSP}
diff --git a/deploy/common/env.sh b/deploy/common/env.sh
@@ -21,6 +21,9 @@ echo "ROX_HTPASSWD_AUTH set to $ROX_HTPASSWD_AUTH"
 
 echo "MONITORING_SUPPORT set to ${MONITORING_SUPPORT}"
 
+export MONITORING_ENABLE_PSP=${MONITORING_ENABLE_PSP:-false}
+echo "MONITORING_ENABLE_PSP set to ${MONITORING_ENABLE_PSP}"
+
 export CLUSTER=${CLUSTER:-remote}
 echo "CLUSTER set to $CLUSTER"
 

diff --git a/operator/tests/common/delete-central-errors-cluster.envsubst.yaml b/operator/tests/common/delete-central-errors-cluster.envsubst.yaml
@@ -17,16 +17,6 @@ kind: ClusterRole
 metadata:
   name: stackrox-${NAMESPACE}-scanner-psp
 ---
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: stackrox-${NAMESPACE}-central
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: stackrox-${NAMESPACE}-scanner
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:

diff --git a/operator/tests/common/delete-securedcluster-errors.yaml b/operator/tests/common/delete-securedcluster-errors.yaml
@@ -93,21 +93,6 @@ kind: ClusterRole
 metadata:
   name: stackrox:view-cluster
 ---
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: stackrox-admission-control
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: stackrox-collector
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: stackrox-sensor
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:

diff --git a/qa-tests-backend/scripts/lib.sh b/qa-tests-backend/scripts/lib.sh
@@ -6,7 +6,11 @@ set -euo pipefail
 
 deploy_default_psp() {
     info "Deploy Default PSP for stackrox namespace"
-    "${ROOT}/scripts/ci/create-default-psp.sh"
+    if [[ "$POD_SECURITY_POLICIES" != "false" ]]; then
+        "${ROOT}/scripts/ci/create-default-psp.sh"
+    else
+        info "POD_SECURITY_POLICIES is false, skip Deploy Default PSP for stackrox namespace"
+    fi
 }
 
 deploy_webhook_server() {

diff --git a/qa-tests-backend/scripts/run-compatibility.sh b/qa-tests-backend/scripts/run-compatibility.sh
@@ -28,6 +28,7 @@ compatibility_test() {
         fi
 
         setup_deployment_env false false
+        setup_podsecuritypolicies_config
         remove_existing_stackrox_resources
         setup_default_TLS_certs
 

diff --git a/qa-tests-backend/scripts/run-part-1.sh b/qa-tests-backend/scripts/run-part-1.sh
@@ -22,6 +22,7 @@ test_part_1() {
 
     setup_gcp
     setup_deployment_env false false
+    setup_podsecuritypolicies_config
     remove_existing_stackrox_resources
     setup_default_TLS_certs
 

diff --git a/qa-tests-backend/src/main/groovy/orchestratormanager/Kubernetes.groovy b/qa-tests-backend/src/main/groovy/orchestratormanager/Kubernetes.groovy
@@ -106,6 +106,7 @@ import objects.Secret
 import objects.SecretKeyRef
 import util.Helpers
 import util.Timer
+import util.Env
 
 @Slf4j
 class Kubernetes implements OrchestratorMain {
@@ -1647,7 +1648,8 @@ class Kubernetes implements OrchestratorMain {
     }
 
     protected defaultPspForNamespace(String namespace) {
-        PodSecurityPolicy psp = new PodSecurityPolicyBuilder().withNewMetadata()
+        if (Env.get("POD_SECURITY_POLICIES") != "false") {
+            PodSecurityPolicy psp = new PodSecurityPolicyBuilder().withNewMetadata()
                 .withName("allow-all-for-test")
                 .endMetadata()
                 .withNewSpec()
@@ -1665,9 +1667,10 @@ class Kubernetes implements OrchestratorMain {
                 .withNewFsGroup().withRule("RunAsAny").endFsGroup()
                 .endSpec()
                 .build()
-        client.policy().v1beta1().podSecurityPolicies().createOrReplace(psp)
-        createClusterRole(generatePspRole())
-        createClusterRoleBinding(generatePspRoleBinding(namespace))
+            client.policy().v1beta1().podSecurityPolicies().createOrReplace(psp)
+            createClusterRole(generatePspRole())
+            createClusterRoleBinding(generatePspRoleBinding(namespace))
+        }
     }
 
     /*

diff --git a/scripts/ci/clair/deploy.sh b/scripts/ci/clair/deploy.sh
@@ -45,7 +45,9 @@ if kubectl get ns "${namespace}"; then
     kubectl delete ns "${namespace}" # handle CI re-runs
 fi
 kubectl create ns "${namespace}"
-kubectl -n "${namespace}" apply -f "${DIR}/psp.yaml"
+if [[ "$POD_SECURITY_POLICIES" != "false" ]]; then
+    kubectl -n "${namespace}" apply -f "${DIR}/psp.yaml"
+fi
 
 export POSTGRES_PASSWORD="${CLAIR_DB_PASSWORD}"
 kubectl -n "${namespace}" create secret generic clairsecret --from-file="${DIR}/config.yaml"

diff --git a/sensor/kubernetes/listener/resource_event_handler.go b/sensor/kubernetes/listener/resource_event_handler.go
@@ -202,7 +202,7 @@ func (k *listenerImpl) handleAllEvents() {
 	handle(resyncingSif.Apps().V1().DaemonSets().Informer(), dispatchers.ForDeployments(kubernetes.DaemonSet), k.outputQueue, &syncingResources, wg, stopSignal, &eventLock)
 	handle(resyncingSif.Apps().V1().Deployments().Informer(), dispatchers.ForDeployments(kubernetes.Deployment), k.outputQueue, &syncingResources, wg, stopSignal, &eventLock)
 	handle(resyncingSif.Apps().V1().StatefulSets().Informer(), dispatchers.ForDeployments(kubernetes.StatefulSet), k.outputQueue, &syncingResources, wg, stopSignal, &eventLock)
-	handle(resyncingSif.Batch().V1beta1().CronJobs().Informer(), dispatchers.ForDeployments(kubernetes.CronJob), k.outputQueue, &syncingResources, wg, stopSignal, &eventLock)
+	handle(resyncingSif.Batch().V1().CronJobs().Informer(), dispatchers.ForDeployments(kubernetes.CronJob), k.outputQueue, &syncingResources, wg, stopSignal, &eventLock)
 
 	if osAppsFactory != nil {
 		handle(osAppsFactory.Apps().V1().DeploymentConfigs().Informer(), dispatchers.ForDeployments(kubernetes.DeploymentConfig), k.outputQueue, &syncingResources, wg, stopSignal, &eventLock)

diff --git a/sensor/kubernetes/listener/resources/convert.go b/sensor/kubernetes/listener/resources/convert.go
@@ -23,7 +23,7 @@ import (
 	"github.com/stackrox/rox/sensor/kubernetes/listener/resources/references"
 	"github.com/stackrox/rox/sensor/kubernetes/orchestratornamespaces"
 	"github.com/stackrox/rox/sensor/kubernetes/selector"
-	"k8s.io/api/batch/v1beta1"
+	batchv1 "k8s.io/api/batch/v1"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
@@ -189,7 +189,7 @@ func (w *deploymentWrap) populateNonStaticFields(obj interface{}, action *centra
 		// instead of looking for it inside a PodTemplate.
 		podLabels = o.Labels
 		labelSelector = w.populateK8sComponentIfNecessary(o, hierarchy)
-	case *v1beta1.CronJob:
+	case *batchv1.CronJob:
 		// Cron jobs have a Job spec that then have a Pod Template underneath
 		podLabels = o.Spec.JobTemplate.Spec.Template.GetLabels()
 		podSpec = o.Spec.JobTemplate.Spec.Template.Spec