Closed treydock closed 3 years ago
Maybe we should break the .yml files up and kubectl create $(envsubst < this.yml.env) instead of in-lining them? Then we can just say, look, we do these 2 files at OSC because of X; if you want to run with PodSecurityPolicy, also execute this file.
I'm guessing some of this stuff should be provided in the actual distro instead of here.
Not sure what you mean by splitting them up into separate files. The benefit to a single script is it allows one script execution to bootstrap things for testing or ensuring things work when getting deployment right. I could split things into multiple YAML files all generated in the single k8s-bootstrap.sh script and then make some things opt-in via a getopt flag or something, and we just don't pass that flag at OSC? This repo is OSC specific, so not sure I see value in making things more dynamic when they don't need to be. Also not sure something like ood_core is appropriate since all these things have to be run as root, and it's a lot simpler to deploy if the scripts are in this repo. Some things in the YAML will stay OSC specific too, like the network policy for the namespace.
If we did put this with something like ood_core, there is no good way to get those files into a more friendly and static location for easier deployment. That would require some changes to the RPM spec, I think, along with deciding where to put the env files. I would prefer to keep the files here because it offers much greater flexibility and we are able to make adjustments much more quickly from this repo than if we moved the files into ood_core and then installed them with the ondemand RPM. I guess one alternative is a standalone OnDemand K8 app whose entire purpose is to provide the bootstrap env YAML files. I just don't want to make it so we have to cut a new OnDemand release every time we want to modify the K8 bootstrap logic.
Yes I mean splitting the YAML files instead of catting them in-line in the shell script.
Sorry! Hit enter too early. Yeah, we're outside of this pull request at this point.
But here's what I'm thinking:
k8s-bootstrap.sh /opt/ood/hooks/share/pod_security_policy.yml.env, which would envsubst it and kubectl apply it. k8s-bootstrap.sh and set-k8s-creds.sh in maybe /opt/ood/hooks/bin. pre-hook.sh stays here because that's OSC specific, but we've got all the composable parts in /opt/ood/hooks.
So we run
/bin/bash "/opt/ood/hooks/bin/k8s-bootstrap.sh" "$ONDEMAND_USERNAME" /opt/ood/hooks/share/file1
/bin/bash "/opt/ood/hooks/bin/set-k8s-creds.sh" "$ONDEMAND_USERNAME"
and we instruct other sites: if you want to apply pod security policies, have a file like ours (or some example) and bootstrap that file also.
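As an added example (not OSC's k8s-bootstrap.sh and not a file from this repo), here is one way to implement the scheme sketched above in POSIX sh: a bootstrap script that takes a username plus any number of ${VAR}-templated YAML files, expands only an allowlisted set of variables with envsubst (falling back to an awk implementation of the same expansion when gettext is not installed), and applies each rendered manifest with kubectl, so a site's PodSecurityPolicy file is opt-in simply by passing its path. The function names, the TEMPLATE_VARS allowlist, the user-<name> namespace convention and the rule that usernames must be lowercase DNS labels are assumptions of this example, not something the thread specifies.

```shell
#!/bin/sh
# Added example, not OSC's k8s-bootstrap.sh: render ${VAR}-templated YAML
# files and apply each one with kubectl. Extra site-specific files (for
# example a PodSecurityPolicy) are opt-in: just pass another path.
# Assumptions: the username doubles as a DNS label for the namespace
# "user-<name>", and templates only use the ${NAME} form for substitution.
set -eu

# Only these variables are expanded. Any other "$" in a template (say, a
# shell snippet embedded in a ConfigMap) is left exactly as written.
TEMPLATE_VARS='${ONDEMAND_USERNAME} ${NAMESPACE}'

# The username is spliced into manifests applied with cluster-wide rights,
# so reject anything that is not a plain lowercase DNS label.
valid_username() {
  case "$1" in
    ''|*[!a-z0-9-]*|-*|*-) return 1 ;;
  esac
  [ "${#1}" -le 58 ]   # "user-" prefix plus name must fit a 63-char label
}

# render_template FILE: expand the allowlisted variables from the environment.
# Uses envsubst (gettext) when installed; otherwise an awk fallback that
# implements the same allowlisted ${NAME} expansion.
render_template() {
  if command -v envsubst >/dev/null 2>&1; then
    envsubst "$TEMPLATE_VARS" < "$1"
  else
    awk -v allowed="$TEMPLATE_VARS" '
      BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
      {
        s = $0; out = ""
        while (match(s, /[$][{][A-Za-z_][A-Za-z0-9_]*[}]/)) {
          tok = substr(s, RSTART, RLENGTH)
          rep = (tok in ok) ? ENVIRON[substr(tok, 3, RLENGTH - 3)] : tok
          out = out substr(s, 1, RSTART - 1) rep
          s = substr(s, RSTART + RLENGTH)
        }
        print out s
      }' "$1"
  fi
}

# bootstrap USERNAME TEMPLATE...: render every template for the user and
# apply it. Rendering goes to a file first so a failed render never feeds a
# half-written manifest to kubectl.
bootstrap() {
  user="$1"; shift
  valid_username "$user" || { echo "bootstrap: invalid username '$user'" >&2; return 1; }
  export ONDEMAND_USERNAME="$user"
  export NAMESPACE="user-$user"
  work=$(mktemp -d)
  i=0
  for tmpl in "$@"; do
    i=$((i + 1))
    rendered="$work/$i-$(basename "$tmpl" .env)"
    render_template "$tmpl" > "$rendered"
    kubectl apply -f "$rendered"
  done
  rm -rf "$work"
}

# Usage: ./bootstrap-example.sh alice base.yml.env [pod_security_policy.yml.env ...]
if [ "$#" -gt 0 ]; then
  bootstrap "$@"
fi
```

Passing an allowlist to envsubst matters because templates may legitimately contain other dollar signs; expanding everything would silently corrupt them. The username check is there because the value ends up inside manifests applied with cluster-level rights, and validating it against the DNS-label rule also guarantees the derived namespace name is legal. To inspect what would be created before trusting a new template, swap the kubectl call for kubectl apply --dry-run=server -f and read the output.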
What repo would be the new home for the scripts and env YAML files? Would this go into main ondemand repo or would we create some standalone repo for this?
OSC will be using Kyverno to enforce security and not enabling the Pod Security Policy admission controller.
Move the Pod Security Policy to an example file so that other sites, if they do use the admission controller, have an example to work off of.