giantswarm
diff --git a/‎CHANGELOG.md
Lines changed: 4 additions & 0 deletions b/‎CHANGELOG.md
Lines changed: 4 additions & 0 deletions
diff --git a/‎diffs/helm__kong-app__templates__psp.yaml.patch
Lines changed: 0 additions & 10 deletions b/‎diffs/helm__kong-app__templates__psp.yaml.patch
Lines changed: 0 additions & 10 deletions
diff --git a/‎diffs/helm__kong-app__values.yaml.patch
Lines changed: 12 additions & 57 deletions b/‎diffs/helm__kong-app__values.yaml.patch
Lines changed: 12 additions & 57 deletions
diff --git a/‎helm/kong-app/Chart.lock
Lines changed: 3 additions & 3 deletions b/‎helm/kong-app/Chart.lock
Lines changed: 3 additions & 3 deletions
diff --git a/‎helm/kong-app/Chart.yaml
Lines changed: 1 addition & 1 deletion b/‎helm/kong-app/Chart.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎helm/kong-app/templates/psp.yaml
Lines changed: 1 addition & 1 deletion b/‎helm/kong-app/templates/psp.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎helm/kong-app/values.schema.json
Lines changed: 1 addition & 90 deletions b/‎helm/kong-app/values.schema.json
Lines changed: 1 addition & 90 deletions
@@ -14,6 +14,10 @@ and this project's packages adheres to [Semantic Versioning](http://semver.org/s
 - Revert `ingressController.admissionWebhook` settings to upstream values. (Enabled by default with `failurePolicy: Ignore`)
 - Update Kong Gateway image to `3.8.1.0-debian`
 
+### Removed
+
+- Keep PSP disabled by default and remove Giant Swarm PSP-PSS migration hacks
+
 ## [4.4.0] - 2024-08-19
 
 ### Changed
 
@@ -1,5 +1,5 @@
 diff --git a/vendor/kong/charts/kong/values.yaml b/helm/kong-app/values.yaml
-index 0f43f0e..c70688a 100644
+index 0f43f0e..1a37c28 100644
 --- a/vendor/kong/charts/kong/values.yaml
 +++ b/helm/kong-app/values.yaml
@@ -91,6 +91,7 @@ deployment:
@@ -93,7 +93,7 @@ index 0f43f0e..c70688a 100644
 
    konnect:
      enabled: false
-@@ -733,12 +740,33 @@ postgresql:
+@@ -733,12 +740,31 @@ postgresql:
      username: kong
      database: kong
    image:
@@ -122,13 +122,11 @@ index 0f43f0e..c70688a 100644
 +        drop:
 +        - ALL
 +  rbac:
-+    create: true
-+  psp:
 +    create: true
 
  # -----------------------------------------------------------------------------
  # Configure cert-manager integration
-@@ -819,7 +847,8 @@ waitImage:
+@@ -819,7 +845,8 @@ waitImage:
    # Optionally specify an image that provides bash for pre-migration database
    # checks. If none is specified, the chart uses the Kong image. The official
    # Kong images provide bash
@@ -138,7 +136,7 @@ index 0f43f0e..c70688a 100644
    # tag: 5
    pullPolicy: IfNotPresent
 
-@@ -832,13 +861,13 @@ updateStrategy: {}
+@@ -832,13 +859,13 @@ updateStrategy: {}
 
  # If you want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
@@ -159,7 +157,7 @@ index 0f43f0e..c70688a 100644
 
  # readinessProbe for Kong pods
  readinessProbe:
-@@ -894,11 +923,44 @@ terminationGracePeriodSeconds: 30
+@@ -894,11 +921,44 @@ terminationGracePeriodSeconds: 30
 
  # Affinity for pod assignment
  # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
@@ -206,7 +204,7 @@ index 0f43f0e..c70688a 100644
 
  # Tolerations for pod assignment
  # Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
-@@ -909,16 +971,14 @@ tolerations: []
+@@ -909,16 +969,14 @@ tolerations: []
  nodeSelector: {}
 
  # Annotation to be added to Kong pods
@@ -225,7 +223,7 @@ index 0f43f0e..c70688a 100644
 
  # Annotations to be added to Kong deployment
  deploymentAnnotations: {}
-@@ -942,29 +1002,52 @@ autoscaling:
+@@ -942,11 +1000,24 @@ autoscaling:
            type: Utilization
            averageUtilization: 80
 
@@ -252,41 +250,7 @@ index 0f43f0e..c70688a 100644
    # minAvailable: "50%"
 
  podSecurityPolicy:
--  enabled: false
-+  enabled: true
-   labels: {}
--  annotations: {}
-+  annotations:
-+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
-   spec:
-     privileged: false
-     fsGroup:
--      rule: RunAsAny
-+      rule: MustRunAs
-+      ranges:
-+        - min: 1
-+          max: 65533
-     runAsUser:
--      rule: RunAsAny
-+      rule: MustRunAsNonRoot
-     runAsGroup:
--      rule: RunAsAny
-+      rule: MustRunAs
-+      ranges:
-+        - min: 1
-+          max: 65535
-     seLinux:
-       rule: RunAsAny
-     supplementalGroups:
--      rule: RunAsAny
-+      rule: MustRunAs
-+      ranges:
-+        - min: 1
-+          max: 65535
-     volumes:
-       - 'configMap'
-       - 'secret'
-@@ -982,13 +1065,19 @@ podSecurityPolicy:
+@@ -982,13 +1053,19 @@ podSecurityPolicy:
  priorityClassName: ""
 
  # securityContext for Kong pods.
@@ -308,7 +272,7 @@ index 0f43f0e..c70688a 100644
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
-@@ -1014,9 +1103,9 @@ serviceMonitor:
+@@ -1014,9 +1091,9 @@ serviceMonitor:
    # Specifies whether ServiceMonitor for Prometheus operator should be created
    # If you wish to gather metrics from a Kong instance with the proxy disabled (such as a hybrid control plane), see:
    # https://github.com/Kong/charts/blob/main/charts/kong/README.md#prometheus-operator-integration
@@ -320,7 +284,7 @@ index 0f43f0e..c70688a 100644
    # Specifies namespace, where ServiceMonitor should be installed
    # namespace: monitoring
    # labels:
-@@ -1026,7 +1115,15 @@ serviceMonitor:
+@@ -1026,7 +1103,15 @@ serviceMonitor:
 
    # honorLabels: false
    # metricRelabelings: []
@@ -337,7 +301,7 @@ index 0f43f0e..c70688a 100644
 
  # -----------------------------------------------------------------------------
  # Kong Enterprise parameters
-@@ -1036,12 +1133,12 @@ serviceMonitor:
+@@ -1036,12 +1121,12 @@ serviceMonitor:
  # RBAC and SMTP configuration have additional options that must all be set together
  # Other settings should be added to the "env" settings below
  enterprise:
@@ -352,7 +316,7 @@ index 0f43f0e..c70688a 100644
    vitals:
      enabled: true
    portal:
-@@ -1277,3 +1374,18 @@ extraObjects: []
+@@ -1277,3 +1362,9 @@ extraObjects: []
  #   config:
  #     per_consumer: false
  #   plugin: prometheus
@@ -362,12 +326,3 @@ index 0f43f0e..c70688a 100644
 +kubectlApplyJob:
 +  files:
 +  - crds/custom-resource-definitions.yaml
-+  podSecurityPolicy:
-+    annotations:
-+      seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
-+  securityContext:
-+    seccompProfileType: RuntimeDefault
-+
-+global:
-+  podSecurityStandards:
-+    enforced: false
@@ -4,6 +4,6 @@ dependencies:
   version: 11.9.13
 - name: kubectl-apply-job
   repository: oci://giantswarmpublic.azurecr.io/giantswarm-playground-catalog
-  version: 0.8.0
-digest: sha256:e51bb892e434a9e518083a7fbe8944ccf709c269e91e7e7719b02955834c0c7c
-generated: "2024-07-08T16:50:20.619353016+02:00"
+  version: 0.9.0
+digest: sha256:7065cc931b5106e74c171660d4b4a2dc0973890e8b9c6d0f3ad20cb7c73f4442
+generated: "2025-01-24T17:25:49.543767739+01:00"
@@ -20,5 +20,5 @@ dependencies:
     repository: oci://registry-1.docker.io/bitnamicharts
     condition: postgresql.enabled
   - name: kubectl-apply-job
-    version: "0.8.0"
+    version: "0.9.0"
     repository: oci://giantswarmpublic.azurecr.io/giantswarm-playground-catalog
@@ -1,4 +1,4 @@
-{{- if and (not .Values.global.podSecurityStandards.enforced) (.Values.podSecurityPolicy.enabled) (.Capabilities.APIVersions.Has "policy/v1beta1") }}
+{{- if and (.Values.podSecurityPolicy.enabled) }}
 apiVersion: {{ include "kong.policyVersion" . }}
 kind: PodSecurityPolicy
 metadata:
 
@@ -631,19 +631,6 @@
         "extraSecrets": {
             "type": "array"
         },
-        "global": {
-            "type": "object",
-            "properties": {
-                "podSecurityStandards": {
-                    "type": "object",
-                    "properties": {
-                        "enforced": {
-                            "type": "boolean"
-                        }
-                    }
-                }
-            }
-        },
         "image": {
             "type": "object",
             "properties": {
@@ -989,27 +976,6 @@
                     "items": {
                         "type": "string"
                     }
-                },
-                "podSecurityPolicy": {
-                    "type": "object",
-                    "properties": {
-                        "annotations": {
-                            "type": "object",
-                            "properties": {
-                                "seccomp.security.alpha.kubernetes.io/allowedProfileNames": {
-                                    "type": "string"
-                                }
-                            }
-                        }
-                    }
-                },
-                "securityContext": {
-                    "type": "object",
-                    "properties": {
-                        "seccompProfileType": {
-                            "type": "string"
-                        }
-                    }
                 }
             }
         },
@@ -1209,12 +1175,7 @@
             "type": "object",
             "properties": {
                 "annotations": {
-                    "type": "object",
-                    "properties": {
-                        "seccomp.security.alpha.kubernetes.io/allowedProfileNames": {
-                            "type": "string"
-                        }
-                    }
+                    "type": "object"
                 },
                 "enabled": {
                     "type": "boolean"
@@ -1231,20 +1192,6 @@
                         "fsGroup": {
                             "type": "object",
                             "properties": {
-                                "ranges": {
-                                    "type": "array",
-                                    "items": {
-                                        "type": "object",
-                                        "properties": {
-                                            "max": {
-                                                "type": "integer"
-                                            },
-                                            "min": {
-                                                "type": "integer"
-                                            }
-                                        }
-                                    }
-                                },
                                 "rule": {
                                     "type": "string"
                                 }
@@ -1268,20 +1215,6 @@
                         "runAsGroup": {
                             "type": "object",
                             "properties": {
-                                "ranges": {
-                                    "type": "array",
-                                    "items": {
-                                        "type": "object",
-                                        "properties": {
-                                            "max": {
-                                                "type": "integer"
-                                            },
-                                            "min": {
-                                                "type": "integer"
-                                            }
-                                        }
-                                    }
-                                },
                                 "rule": {
                                     "type": "string"
                                 }
@@ -1306,20 +1239,6 @@
                         "supplementalGroups": {
                             "type": "object",
                             "properties": {
-                                "ranges": {
-                                    "type": "array",
-                                    "items": {
-                                        "type": "object",
-                                        "properties": {
-                                            "max": {
-                                                "type": "integer"
-                                            },
-                                            "min": {
-                                                "type": "integer"
-                                            }
-                                        }
-                                    }
-                                },
                                 "rule": {
                                     "type": "string"
                                 }
@@ -1585,14 +1504,6 @@
                         }
                     }
                 },
-                "psp": {
-                    "type": "object",
-                    "properties": {
-                        "create": {
-                            "type": "boolean"
-                        }
-                    }
-                },
                 "rbac": {
                     "type": "object",
                     "properties": {
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-{{- if and (not .Values.global.podSecurityStandards.enforced) (.Values.podSecurityPolicy.enabled) (.Capabilities.APIVersions.Has "policy/v1beta1") }}`
	`1`	`+{{- if and (.Values.podSecurityPolicy.enabled) }}`
`2`	`2`	`apiVersion: {{ include "kong.policyVersion" . }}`
`3`	`3`	`kind: PodSecurityPolicy`
`4`	`4`	`metadata:`