FSAT: Update fabric-operator for compatibility with v1.25.x

This patch updates fabric-operator to utilize PodSecurity Admission
controller for Kubernetes v1.25.x.

This change is based on the following PR:
https://github.com/hyperledger-labs/fabric-operator/pull/82

Signed-off-by: Tatsuya Sato <tatsuya.sato.so@hitachi.com>

full-stack-asset-transfer-guide/infrastructure/sample-network/config/rbac/fabric-operator-clusterrole.yaml

@@ -27,14 +27,6 @@ metadata:
     app.kubernetes.io/instance: "ibm-hlfsupport"
     app.kubernetes.io/managed-by: "ibm-hlfsupport-operator"
 rules:
-  - apiGroups:
-      - extensions
-    resourceNames:
-      - ibm-hlfsupport-psp
-    resources:
-      - podsecuritypolicies
-    verbs:
-      - use
   - apiGroups:
       - apiextensions.k8s.io
     resources:

full-stack-asset-transfer-guide/infrastructure/sample-network/config/rbac/fabric-operator-psp.yaml

@@ -1,48 +0,0 @@
-#
-# Copyright contributors to the Hyperledger Fabric Operator project
-#
-# SPDX-License-Identifier: Apache-2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at:
-#
-# 	  http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  name: ibm-hlfsupport-psp
-spec:
-  hostIPC: false
-  hostNetwork: false
-  hostPID: false
-  privileged: true
-  allowPrivilegeEscalation: true
-  readOnlyRootFilesystem: false
-  seLinux:
-    rule: RunAsAny
-  supplementalGroups:
-    rule: RunAsAny
-  runAsUser:
-    rule: RunAsAny
-  fsGroup:
-    rule: RunAsAny
-  requiredDropCapabilities:
-    - ALL
-  allowedCapabilities:
-    - NET_BIND_SERVICE
-    - CHOWN
-    - DAC_OVERRIDE
-    - SETGID
-    - SETUID
-    - FOWNER
-  volumes:
-    - '*'

full-stack-asset-transfer-guide/infrastructure/sample-network/config/rbac/kustomization.yaml

@@ -19,7 +19,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-  - fabric-operator-psp.yaml
   - fabric-operator-serviceaccount.yaml
   - fabric-operator-clusterrole.yaml
   - fabric-operator-clusterrolebinding.yaml

full-stack-asset-transfer-guide/infrastructure/sample-network/scripts/sample_network.sh

@@ -60,6 +60,9 @@ metadata:
   name: ${NS}
 EOF
 
+  # https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/
+  kubectl label --overwrite namespace $NS pod-security.kubernetes.io/enforce=baseline
+
   pop_fn
 }