apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: longhorn-uninstall-psp
spec:
  privileged: true
  allowPrivilegeEscalation: true
  requiredDropCapabilities:
  - NET_RAW
  allowedCapabilities:
  - SYS_ADMIN
  hostNetwork: false
  hostIPC: false
  hostPID: true
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - secret
  - projected
  - hostPath
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: longhorn-uninstall-service-account
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: longhorn-uninstall-role
rules:
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - "*"
  - apiGroups: [""]
    resources: ["pods", "persistentvolumes", "persistentvolumeclaims", "nodes", "configmaps", "secrets", "services", "endpoints"]
    verbs: ["*"]
  - apiGroups: ["apps"]
    resources: ["daemonsets", "statefulsets", "deployments"]
    verbs: ["*"]
  - apiGroups: ["batch"]
    resources: ["jobs", "cronjobs"]
    verbs: ["*"]
  - apiGroups: ["policy"]
    resources: ["poddisruptionbudgets"]
    verbs: ["*"]
  - apiGroups: ["scheduling.k8s.io"]
    resources: ["priorityclasses"]
    verbs: ["watch", "list"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["csidrivers", "storageclasses"]
    verbs: ["*"]
  - apiGroups: ["longhorn.io"]
    resources: ["volumes", "engines", "replicas", "settings", "engineimages", "nodes", "instancemanagers", "sharemanagers",
                "backingimages", "backingimagemanagers", "backingimagedatasources", "backuptargets", "backupvolumes", "backups",
                "recurringjobs", "orphans", "snapshots"]
    verbs: ["*"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["*"]
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    verbs: ["use"]
    resourceNames: ["longhorn-uninstall-psp"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
    verbs: ["get", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: longhorn-uninstall-bind
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: longhorn-uninstall-role
subjects:
  - kind: ServiceAccount
    name: longhorn-uninstall-service-account
    namespace: default
---
apiVersion: batch/v1
kind: Job
metadata:
  name: longhorn-uninstall
  namespace: default
spec:
  activeDeadlineSeconds: 900
  backoffLimit: 1
  template:
    metadata:
      name: longhorn-uninstall
    spec:
      containers:
      - name: longhorn-uninstall
        image: longhornio/longhorn-manager:v1.3.0
        imagePullPolicy: IfNotPresent
        securityContext:
          privileged: true
        command:
        - longhorn-manager
        - uninstall
        - --force
        env:
        - name: LONGHORN_NAMESPACE
          value: longhorn-system
      restartPolicy: OnFailure
      serviceAccountName: longhorn-uninstall-service-account
#      imagePullSecrets:
#      - name: ""
#      priorityClassName:
#      tolerations:
#        - key: "key"
#          operator: "Equal"
#          value: "value"
#          effect: "NoSchedule"
#      nodeSelector:
#        label-key1: "label-value1"
#        label-key2: "label-value2"