FSAT: Update fabric-operator for compatibility with v1.25.x

This patch updates fabric-operator to utilize PodSecurity Admission controller for Kubernetes v1.25.x. This change is based on the following PR: https://github.com/hyperledger-labs/fabric-operator/pull/82 Signed-off-by: Tatsuya Sato <tatsuya.sato.so@hitachi.com>
2026-06-17 15:35:09 +00:00 · 2023-09-28 11:27:07 +00:00 · 2023-09-28 11:27:07 +00:00 · f4f3201c0e
commit f4f3201c0e
parent d07bac37df
4 changed files with 3 additions and 57 deletions
--- a/full-stack-asset-transfer-guide/infrastructure/sample-network/config/rbac/fabric-operator-clusterrole.yaml
+++ b/full-stack-asset-transfer-guide/infrastructure/sample-network/config/rbac/fabric-operator-clusterrole.yaml
@ -27,14 +27,6 @@ metadata:
    app.kubernetes.io/instance: "ibm-hlfsupport"
    app.kubernetes.io/managed-by: "ibm-hlfsupport-operator"
 rules:
-  - apiGroups:
-      - extensions
-    resourceNames:
-      - ibm-hlfsupport-psp
-    resources:
-      - podsecuritypolicies
-    verbs:
-      - use
  - apiGroups:
      - apiextensions.k8s.io
    resources:
--- a/full-stack-asset-transfer-guide/infrastructure/sample-network/config/rbac/fabric-operator-psp.yaml
+++ b/full-stack-asset-transfer-guide/infrastructure/sample-network/config/rbac/fabric-operator-psp.yaml
@ -1,48 +0,0 @@
-#
-# Copyright contributors to the Hyperledger Fabric Operator project
-#
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at:
-#
-# 	  http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
---
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: ibm-hlfsupport-psp
-spec:
-  hostIPC: false
-  hostNetwork: false
-  hostPID: false
-  privileged: true
-  allowPrivilegeEscalation: true
-  readOnlyRootFilesystem: false
-  seLinux:
-    rule: RunAsAny
-  supplementalGroups:
-    rule: RunAsAny
-  runAsUser:
-    rule: RunAsAny
-  fsGroup:
-    rule: RunAsAny
-  requiredDropCapabilities:
-    - ALL
-  allowedCapabilities:
-    - NET_BIND_SERVICE
-    - CHOWN
-    - DAC_OVERRIDE
-    - SETGID
-    - SETUID
-    - FOWNER
-  volumes:
-    - '*'
--- a/full-stack-asset-transfer-guide/infrastructure/sample-network/config/rbac/kustomization.yaml
+++ b/full-stack-asset-transfer-guide/infrastructure/sample-network/config/rbac/kustomization.yaml
@ -19,7 +19,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization

 resources:
-  - fabric-operator-psp.yaml
  - fabric-operator-serviceaccount.yaml
  - fabric-operator-clusterrole.yaml
  - fabric-operator-clusterrolebinding.yaml
--- a/full-stack-asset-transfer-guide/infrastructure/sample-network/scripts/sample_network.sh
+++ b/full-stack-asset-transfer-guide/infrastructure/sample-network/scripts/sample_network.sh
@ -60,6 +60,9 @@ metadata:
  name: ${NS}
 EOF

+  # https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/
+  kubectl label --overwrite namespace $NS pod-security.kubernetes.io/enforce=baseline
+
  pop_fn
 }