Debugging warnings in pss workflow #132
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Apply PSS labels to namespaces | |
on: | |
pull_request: | |
paths: | |
- tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh | |
- .github/workflows/* | |
- tests/gh-actions/kind-cluster.yaml | |
- apps/profiles/upstream/** | |
- apps/pipeline/upstream/** | |
- common/dex/** | |
- common/cert-manager/** | |
- common/oauth2-proxy/** | |
- common/istio*/** | |
- tests/gh-actions/install_istio_with_ext_auth.sh | |
- tests/gh-actions/install_multitenancy.sh | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Install KinD, Create KinD cluster and Install kustomize | |
run: ./tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh | |
- name: Install kubectl | |
run: ./tests/gh-actions/install_kubectl.sh | |
- name: Install all deployments from static namespaces | |
run: | | |
kustomize build common/kubeflow-namespace/base | kubectl apply -f - | |
./tests/gh-actions/install_cert_manager.sh | |
./tests/gh-actions/install_istio_with_ext_auth.sh | |
kustomize build common/istio-1-22/kubeflow-istio-resources/base | kubectl apply -f - | |
./tests/gh-actions/install_multi_tenancy.sh | |
kustomize build ./common/oauth2-proxy/overlays/m2m-self-signed | kubectl apply -f - | |
echo "Waiting for all oauth2-proxy pods to become ready..." | |
kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s -n oauth2-proxy | |
kustomize build ./common/dex/overlays/oauth2-proxy | kubectl apply -f - | |
echo "Waiting for pods in auth namespace to become ready..." | |
kubectl wait --for=condition=Ready pods --all --timeout=180s -n auth | |
- name: Install KF Pipelines | |
run: ./tests/gh-actions/install_pipelines.sh | |
- name: Apply patches to clear warnings | |
run: | | |
DIRECTORY="contrib/security/PSS/patches" | |
for file in "$DIRECTORY"/*.yaml; do | |
echo "Patching file: $file" | |
KIND=$(kubectl get -f "$file" -o jsonpath='{.kind}') | |
NAME=$(kubectl get -f "$file" -o jsonpath='{.metadata.name}') | |
NAMESPACE=$(kubectl get -f "$file" -o jsonpath='{.metadata.namespace}') | |
# Apply the patch | |
kubectl get "$KIND" "$NAME" -n "$NAMESPACE" &> /dev/null | |
if [ $? -eq 0 ]; then | |
kubectl patch "$KIND" "$NAME" -n "$NAMESPACE" --patch-file "$file" | |
if [ "$NAME" = "oauth2-proxy" ]; then | |
kubectl wait -n oauth2-proxy --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s | |
elif [ "$NAME" = "metadata-envoy-deployment" ]; then | |
kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-envoy' --timeout=180s | |
elif [ "$NAME" = "metadata-grpc-deployment" ]; then | |
kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-grpc-server' --timeout=180s | |
elif [ "$NAME" = "profiles-deployment" -o "$NAME" = "ml-pipeline" ]; then | |
echo "skipping this patch" | |
# kubectl describe pod -l 'kustomize.component=profiles' -n kubeflow | |
# kubectl wait -n kubeflow --for=condition=ready pod -l 'kustomize.component=profiles' --timeout=300s | |
else | |
echo "Fetching logs for pod: $NAME" | |
kubectl describe pod -l app="$NAME" -n "$NAMESPACE" | |
kubectl wait -n "$NAMESPACE" --for=condition=ready pod -l app="$NAME" --timeout=600s | |
fi | |
fi | |
done | |
# kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=600s --field-selector=status.phase!=Succeeded | |
- name: Apply Pod Security Standards baseline levels for static namespaces | |
run: ./tests/gh-actions/enable_baseline_PSS.sh | |
# - name: Apply Pod Security Standards baseline levels for dynamic namespaces | |
# run: | | |
# cat << EOF > ./kustomization.yaml | |
# apiVersion: kustomize.config.k8s.io/v1beta1 | |
# kind: Kustomization | |
# resources: | |
# - apps/profiles/upstream/overlays/kubeflow | |
# components: | |
# - contrib/security/PSS/dynamic/baseline | |
# EOF | |
# kubectl apply -k . | |
# rm ./kustomization.yaml | |
# kubectl -n kubeflow wait --for=condition=Ready pods -l kustomize.component=profiles --timeout 200s | |
- name: Unapply applied baseline values | |
run: | | |
NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow") | |
for NAMESPACE in "${NAMESPACES[@]}"; do | |
if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then | |
kubectl label namespace $NAMESPACE pod-security.kubernetes.io/enforce- | |
fi | |
done | |
sleep 10 | |
- name: Applying Pod Security Standards restricted levels for static namespaces | |
run: ./tests/gh-actions/enable_restricted_PSS.sh |