
Debugging warnings in pss workflow #162


Workflow file for this run

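# Exercises the Pod Security Standards (PSS) rollout on a throwaway KinD
# cluster: install the static-namespace components, apply the PSS patches
# that clear the pod-security warnings, then enforce the baseline and the
# restricted level in turn. Triggered only when the listed paths change.
name: Apply PSS labels to namespaces
on:  # yamllint disable-line rule:truthy
  pull_request:
    paths:
      - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh
      - .github/workflows/*
      - tests/gh-actions/kind-cluster.yaml
      - apps/profiles/upstream/**
      - apps/pipeline/upstream/**
      - common/dex/**
      - common/cert-manager/**
      - common/oauth2-proxy/**
      - common/istio*/**
      - tests/gh-actions/install_istio_with_ext_auth.sh
      # NOTE(review): the install step below runs install_multi_tenancy.sh
      # (with underscore) while this filter names install_multitenancy.sh —
      # confirm which spelling exists so edits to that script re-trigger the job.
      - tests/gh-actions/install_multitenancy.sh
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        # Major-version tag; pin to a full commit SHA if repository policy
        # requires immutable action references.
        uses: actions/checkout@v4
      - name: Install KinD, Create KinD cluster and Install kustomize
        run: ./tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh
      - name: Install kubectl
        run: ./tests/gh-actions/install_kubectl.sh
      - name: Install all deployments from static namespaces
        run: |
          kustomize build common/kubeflow-namespace/base | kubectl apply -f -
          ./tests/gh-actions/install_cert_manager.sh
          ./tests/gh-actions/install_istio_with_ext_auth.sh
          kustomize build common/istio-1-22/kubeflow-istio-resources/base | kubectl apply -f -
          ./tests/gh-actions/install_multi_tenancy.sh
          kustomize build ./common/oauth2-proxy/overlays/m2m-self-signed | kubectl apply -f -
          echo "Waiting for all oauth2-proxy pods to become ready..."
          kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s -n oauth2-proxy
          kustomize build ./common/dex/overlays/oauth2-proxy | kubectl apply -f -
          echo "Waiting for pods in auth namespace to become ready..."
          kubectl wait --for=condition=Ready pods --all --timeout=180s -n auth
      - name: Install KF Pipelines
        run: ./tests/gh-actions/install_pipelines.sh
      - name: Apply patches to clear warnings
        # Every file in the patch directory targets one live object. Its
        # kind/name/namespace are read back from the cluster with
        # `kubectl get -f`; a patch whose target is absent on this cluster is
        # skipped instead of failing the job.
        run: |
          DIRECTORY="contrib/security/PSS/patches"
          for file in "$DIRECTORY"/*.yaml; do
            [ -e "$file" ] || continue  # an unmatched glob would iterate the literal pattern
            echo "Patching file: $file"
            # `|| true` keeps a missing target from aborting the step under the
            # runner's default fail-fast shell; the existence check below skips it.
            KIND=$(kubectl get -f "$file" -o jsonpath='{.kind}' || true)
            NAME=$(kubectl get -f "$file" -o jsonpath='{.metadata.name}' || true)
            NAMESPACE=$(kubectl get -f "$file" -o jsonpath='{.metadata.namespace}' || true)
            # Apply the patch only when the target object exists
            if [ -n "$KIND" ] && kubectl get "$KIND" "$NAME" -n "$NAMESPACE" &>/dev/null; then
              kubectl patch "$KIND" "$NAME" -n "$NAMESPACE" --patch-file "$file"
              # if [ "$NAME" = "oauth2-proxy" ]; then
              #   kubectl wait -n oauth2-proxy --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s
              # elif [ "$NAME" = "metadata-envoy-deployment" ]; then
              #   kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-envoy' --timeout=180s
              # elif [ "$NAME" = "metadata-grpc-deployment" ]; then
              #   kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-grpc-server' --timeout=180s
              # elif [ "$NAME" = "profiles-deployment" -o "$NAME" = "ml-pipeline" ]; then
              #   echo "skipping this patch"
              #   # kubectl describe pod -l 'kustomize.component=profiles' -n kubeflow
              #   # kubectl wait -n kubeflow --for=condition=ready pod -l 'kustomize.component=profiles' --timeout=300s
              # else
              #   echo "Fetching logs for pod: $NAME"
              #   # kubectl describe pod -l app="$NAME" -n "$NAMESPACE"
              #   # kubectl delete pod -l app="$NAME" -n "$NAMESPACE"
              #   kubectl wait -n "$NAMESPACE" --for=condition=ready pod -l app="$NAME" --timeout=600s
              # fi
            fi
          done
          # Give the patched workloads time to roll out before dumping
          # diagnostics for each patched object.
          sleep 60
          for file in "$DIRECTORY"/*.yaml; do
            [ -e "$file" ] || continue
            KIND=$(kubectl get -f "$file" -o jsonpath='{.kind}' || true)
            NAME=$(kubectl get -f "$file" -o jsonpath='{.metadata.name}' || true)
            NAMESPACE=$(kubectl get -f "$file" -o jsonpath='{.metadata.namespace}' || true)
            if [ -n "$KIND" ] && kubectl get "$KIND" "$NAME" -n "$NAMESPACE" &>/dev/null; then
              echo "Fetching logs for pod: $NAME"
              # Pod selectors differ per component; fall back to app=<name>.
              if [ "$NAME" = "oauth2-proxy" ]; then
                kubectl describe pod -l app.kubernetes.io/name=oauth2-proxy -n oauth2-proxy
              elif [ "$NAME" = "metadata-envoy-deployment" ]; then
                kubectl describe pod -l 'component=metadata-envoy' -n kubeflow
              elif [ "$NAME" = "metadata-grpc-deployment" ]; then
                kubectl describe pod -l 'component=metadata-grpc-server' -n kubeflow
              elif [ "$NAME" = "profiles-deployment" ]; then
                kubectl describe pod -l 'kustomize.component=profiles' -n kubeflow
              else
                kubectl describe pod -l app="$NAME" -n "$NAMESPACE"
              fi
            fi
          done
          # sleep 60
          # kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=600s --field-selector=status.phase!=Succeeded
      - name: Restarting cache-server
        run: |
          kubectl rollout restart deployment cache-server -n kubeflow
          # Flag was misspelled `--timeot`, which kubectl rejects as unknown.
          kubectl wait --for=condition=ready pod -l app=cache-server -n kubeflow --timeout=180s
      - name: Apply Pod Security Standards baseline levels for static namespaces
        run: ./tests/gh-actions/enable_baseline_PSS.sh
      # - name: Apply Pod Security Standards baseline levels for dynamic namespaces
      #   run: |
      #     cat << EOF > ./kustomization.yaml
      #     apiVersion: kustomize.config.k8s.io/v1beta1
      #     kind: Kustomization
      #     resources:
      #     - apps/profiles/upstream/overlays/kubeflow
      #     components:
      #     - contrib/security/PSS/dynamic/baseline
      #     EOF
      #     kubectl apply -k .
      #     rm ./kustomization.yaml
      #     kubectl -n kubeflow wait --for=condition=Ready pods -l kustomize.component=profiles --timeout 200s
      - name: Unapply applied baseline values
        # Drops the enforce label (trailing `-` removes a label) so the
        # restricted level can be applied cleanly in the next step.
        run: |
          NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow")
          for NAMESPACE in "${NAMESPACES[@]}"; do
            if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then
              kubectl label namespace "$NAMESPACE" pod-security.kubernetes.io/enforce-
            fi
          done
          sleep 10
      - name: Applying Pod Security Standards restricted levels for static namespaces
        run: ./tests/gh-actions/enable_restricted_PSS.sh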