Skip to content

Fix PSS restricted warnings #2528

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Apr 29, 2025
Merged

Fix PSS restricted warnings #2528

merged 2 commits into from
Apr 29, 2025

Conversation

akagami-harsh
Copy link
Contributor

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
related to kubeflow/manifests#3050

Checklist:

  • Docs included if any changes are user facing

@akagami-harsh
fix pss warnings
305fc36 
Signed-off-by: Harshvir Potpose <hpotpose62@gmail.com>
@juliusvonkohout
Copy link
Member

/ok-to-test

@juliusvonkohout
Copy link
Member

/ok-to-test

tenzen-y
tenzen-y reviewed Mar 16, 2025
View reviewed changes
Copy link
Member

@tenzen-y tenzen-y left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems to relate to istio-ingressgateway. I would vote to add these parameters only to kubeflow integration

https://github.com/kubeflow/katib/tree/master/manifests/v1beta1/installs/katib-with-kubeflow

@tenzen-y
Copy link
Member

/hold

@juliusvonkohout
Copy link
Member

juliusvonkohout commented Mar 16, 2025
edited
Loading

This seems to relate to istio-ingressgateway. I would vote to add these parameters only to kubeflow integration

https://github.com/kubeflow/katib/tree/master/manifests/v1beta1/installs/katib-with-kubeflow

Actually this is best practices for all Kubernetes pods and basic container security stuff https://kubernetes.io/docs/concepts/security/pod-security-standards/

So you should also have this as standalone application and i do not see how this is related to istio.

@tenzen-y
Copy link
Member

This seems to relate to istio-ingressgateway. I would vote to add these parameters only to kubeflow integration
https://github.com/kubeflow/katib/tree/master/manifests/v1beta1/installs/katib-with-kubeflow

Actually this is best practices for all Kubernetes pods and basic container security stuff https://kubernetes.io/docs/concepts/security/pod-security-standards/

So you should also have this as standalone application and i do not see how this is related to istio.

I do not think so. PSS is not enforced by default.

@juliusvonkohout
Copy link
Member

juliusvonkohout commented Mar 16, 2025
edited
Loading

This seems to relate to istio-ingressgateway. I would vote to add these parameters only to kubeflow integration
https://github.com/kubeflow/katib/tree/master/manifests/v1beta1/installs/katib-with-kubeflow

Actually this is best practices for all Kubernetes pods and basic container security stuff https://kubernetes.io/docs/concepts/security/pod-security-standards/
So you should also have this as standalone application and i do not see how this is related to istio.

I do not think so. PSS is not enforced by default.

"PSS is not enforced by default" this is a severe security flaw. Pods should not be able to exploit the whole cluster by default and take over the infrastructure. Whether as standalone or Kubeflow platform installation.

This was referenced Mar 17, 2025
Open
Open
@andreyvelich
Copy link
Member

@tenzen-y Do you have a specific use-case when PSS should not be enforced by default ?
I noticed that Kueue and Argo Workflow also adds them by default:

@andreyvelich
Copy link
Member

@juliusvonkohout @akagami-harsh Is it a blocker for Katib 0.18 and Kubeflow 1.10 release, or we can post-pone it ?

@juliusvonkohout
Copy link
Member

juliusvonkohout commented Mar 20, 2025
edited
Loading

@juliusvonkohout @akagami-harsh Is it a blocker for Katib 0.18 and Kubeflow 1.10 release, or we can post-pone it ?

@andreyvelich I am also fine if you merge it after the Katib release this week, but in the next weeks for Kubeflow 1.10.1 we need it, since also most other working groups have this implemented or are close to it (Manifests, KFP, Modelregistry, Spark, ...) @tenzen-y.

@akagami-harsh can you run this locally and check whether the MySQL really needs no fsgroup as KFP does for its database? I am not sure whether this is covered by the tests here.

https://github.com/kubeflow/pipelines/blob/d1b15ef4da33cbeafa491564318c7e2a68dc431f/manifests/kustomize/third-party/mysql/base/mysql-deployment.yaml#L74-L75 is the pod-level fsgroup and fsGroupChangePolicy securitycontext for GCP.

Otherwise this should be good to merge if the tests are green.

@akagami-harsh
Copy link
Contributor Author

@akagami-harsh can you run this locally and check whether the MySQL really needs no fsgroup as KFP does for its database? I am not sure whether this is covered by the tests here.

https://github.com/kubeflow/pipelines/blob/d1b15ef4da33cbeafa491564318c7e2a68dc431f/manifests/kustomize/third-party/mysql/base/mysql-deployment.yaml#L74-L75 is the pod-level fsgroup and fsGroupChangePolicy securitycontext for GCP.

Yes you are right Mysql need fsgroup, I tested it on my local machine and it wasn't working,

harshvir@msi:~/manifests$ k logs katib-mysql-6949b64577-8njxk  -n kubeflow
2025-03-21 12:47:36+00:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 8.0.29-1.el8 started.
'/var/lib/mysql/mysql.sock' -> '/var/run/mysqld/mysqld.sock'
mysqld: File './binlog.index' not found (OS errno 13 - Permission denied)
2025-03-21T12:47:36.405577Z 0 [Warning] [MY-010091] [Server] Can't create test file /var/lib/mysql/datadir/mysqld_tmp_file_case_insensitive_test.lower-test
2025-03-21T12:47:36.405628Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.29) starting as process 1
2025-03-21T12:47:36.408271Z 0 [Warning] [MY-010091] [Server] Can't create test file /var/lib/mysql/datadir/mysqld_tmp_file_case_insensitive_test.lower-test
2025-03-21T12:47:36.408277Z 0 [Warning] [MY-010159] [Server] Setting lower_case_table_names=2 because file system for /var/lib/mysql/datadir/ is case insensitive
2025-03-21T12:47:36.408601Z 0 [Warning] [MY-010122] [Server] One can only use the --user switch if running as root
2025-03-21T12:47:36.408905Z 0 [ERROR] [MY-010119] [Server] Aborting
2025-03-21T12:47:36.409010Z 0 [System] [MY-010910] [Server] /usr/sbin/mysqld: Shutdown complete (mysqld 8.0.29)  MySQL Community Server - GPL.

@akagami-harsh
fix mysql
e17f0d2 
Signed-off-by: Harshvir Potpose <hpotpose62@gmail.com>
@juliusvonkohout
Copy link
Member

It works in kubeflow/manifests#3050 and the tests here are green as well so
/lgtm

@andreyvelich @tenzen-y for approval

@google-oss-prow google-oss-prow bot added the lgtm label Mar 27, 2025
Electronic-Waste
Electronic-Waste approved these changes Mar 27, 2025
View reviewed changes
Copy link
Member

@Electronic-Waste Electronic-Waste left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this! @akagami-harsh

/lgtm
/assign @andreyvelich @tenzen-y

andreyvelich
andreyvelich reviewed Apr 7, 2025
View reviewed changes
Copy link
Member

@andreyvelich andreyvelich left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think, we can move this forward, but I let @tenzen-y for the final approval.
/lgtm

andreyvelich
andreyvelich reviewed Apr 29, 2025
View reviewed changes
Copy link
Member

@andreyvelich andreyvelich left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

@google-oss-prow Google OSS Prow
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: andreyvelich

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@andreyvelich
Copy link
Member

@akagami-harsh @juliusvonkohout Feel free to unhold.

@juliusvonkohout
Copy link
Member

/unhold

congratulations @akagami-harsh

@google-oss-prow google-oss-prow bot merged commit c9513c6 into kubeflow:master Apr 29, 2025
66 checks passed
@akagami-harsh akagami-harsh deleted the fix-pss-warnings branch May 1, 2025 09:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andreyvelich andreyvelich andreyvelich left review comments

@tenzen-y tenzen-y tenzen-y left review comments

@Electronic-Waste Electronic-Waste Electronic-Waste approved these changes

@anencore94 anencore94 Awaiting requested review from anencore94

Assignees

@andreyvelich andreyvelich

@juliusvonkohout juliusvonkohout

@tenzen-y tenzen-y

@Electronic-Waste Electronic-Waste

Labels
approved lgtm ok-to-test size/M
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@akagami-harsh @juliusvonkohout @tenzen-y @andreyvelich @Electronic-Waste