PSS baseline / restricted also for Notebooks, Katib, Kserve and istio-ingressgateway #317
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Deploy and test Kubeflow Pipelines manifests with m2m auth in KinD | |
on: | |
pull_request: | |
paths: | |
- tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh | |
- .github/workflows/pipeline_test.yaml | |
- apps/pipeline/upstream/** | |
- tests/gh-actions/install_istio.sh | |
- tests/gh-actions/install_cert_manager.sh | |
- tests/gh-actions/install_oauth2-proxy.sh | |
- common/cert-manager/** | |
- common/oauth2-proxy/** | |
- common/istio/** | |
- tests/gh-actions/pipeline_test.py | |
- experimental/security/PSS/* | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Install KinD, Create KinD cluster and Install kustomize | |
run: ./tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh | |
- name: Install kubectl | |
run: ./tests/gh-actions/install_kubectl.sh | |
- name: Install Istio | |
run: ./tests/gh-actions/install_istio.sh | |
- name: Install oauth2-proxy | |
run: ./tests/gh-actions/install_oauth2-proxy.sh | |
- name: Install cert-manager | |
run: ./tests/gh-actions/install_cert_manager.sh | |
- name: Create kubeflow namespace | |
run: kustomize build common/kubeflow-namespace/base | kubectl apply -f - | |
- name: Install KF Pipelines | |
run: ./tests/gh-actions/install_pipelines.sh | |
- name: Install KF Multi Tenancy | |
run: ./tests/gh-actions/install_multi_tenancy.sh | |
- name: Install kubeflow-istio-resources | |
run: kustomize build common/istio-1-24/kubeflow-istio-resources/base | kubectl apply -f - | |
- name: Create KF Profile | |
run: | | |
kustomize build common/user-namespace/base | kubectl apply -f - | |
sleep 30 # for the metacontroller to create the secret | |
METACONTROLLER_POD=$(kubectl get pods -n kubeflow -o json | jq -r '.items[] | select(.metadata.name | startswith("metacontroller")) | .metadata.name') | |
if [[ -z "$METACONTROLLER_POD" ]]; then | |
echo "Error: metacontroller pod not found in kubeflow namespace." | |
exit 1 | |
fi | |
kubectl logs -n kubeflow "$METACONTROLLER_POD" | |
PIPELINES_PROFILE_CONTROLLER_POD=$(kubectl get pods -n kubeflow -o json | jq -r '.items[] | select(.metadata.name | startswith("kubeflow-pipelines-profile-controller")) | .metadata.name') | |
if [[ -z "$PIPELINES_PROFILE_CONTROLLER_POD" ]]; then | |
echo "Error: kubeflow-pipelines-profile-controller pod not found in kubeflow namespace." | |
exit 1 | |
fi | |
kubectl logs -n kubeflow "$PIPELINES_PROFILE_CONTROLLER_POD" | |
KF_PROFILE=kubeflow-user-example-com | |
kubectl -n $KF_PROFILE get pods,configmaps,secrets | |
if ! kubectl get secret mlpipeline-minio-artifact -n $KF_PROFILE > /dev/null 2>&1; then | |
echo "Error: Secret mlpipeline-minio-artifact not found in namespace $KF_PROFILE" | |
exit 1 | |
fi | |
kubectl get secret mlpipeline-minio-artifact -n "$KF_PROFILE" -o json | jq -r '.data | keys[] as $k | "\($k): \(. | .[$k] | @base64d)"' | tr '\n' ' ' | |
- name: port forward | |
run: | | |
ingress_gateway_service=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0].metadata.name}') | |
nohup kubectl port-forward --namespace istio-system svc/${ingress_gateway_service} 8080:80 & | |
while ! curl localhost:8080; do echo waiting for port-forwarding; sleep 1; done; echo port-forwarding ready | |
- name: List and deploy test pipeline with authorized ServiceAccount Token | |
run: | | |
pip3 install kfp==2.11.0 | |
KF_PROFILE=kubeflow-user-example-com | |
TOKEN="$(kubectl -n $KF_PROFILE create token default-editor)" | |
python3 tests/gh-actions/pipeline_test.py run_pipeline "${TOKEN}" "${KF_PROFILE}" | |
- name: Fail to list pipelines with unauthorized ServiceAccount Token | |
run: | | |
pip3 install kfp==2.11.0 | |
KF_PROFILE=kubeflow-user-example-com | |
TOKEN="$(kubectl -n default create token default)" | |
python3 tests/gh-actions/pipeline_test.py test_unauthorized_access "${TOKEN}" "${KF_PROFILE}" | |
echo "Test succeeded. Token from unauthorized ServiceAccount cannot list pipelines in $KF_PROFILE namespace." | |
- name: Apply Pod Security Standards baseline levels for static namespaces | |
run: ./tests/gh-actions/enable_baseline_PSS.sh | |
- name: Unapply applied baseline labels | |
run: | | |
NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow") | |
for NAMESPACE in "${NAMESPACES[@]}"; do | |
if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then | |
kubectl label namespace $NAMESPACE pod-security.kubernetes.io/enforce- | |
fi | |
done | |
- name: Applying Pod Security Standards restricted levels for static namespaces | |
run: ./tests/gh-actions/enable_restricted_PSS.sh | |