Skip to content

kserve enforce authentication #638

kserve enforce authentication

kserve enforce authentication #638

name: Test Pipeline run from Jupyterlab
on:
pull_request:
paths:
- tests/install_KinD_create_KinD_cluster_install_kustomize.sh
- .github/workflows/pipeline_run_from_notebook.yaml
- applications/jupyter/notebook-controller/upstream/**
- applications/pipeline/upstream/**
- tests/istio*
- common/cert-manager/**
- common/oauth2-proxy/**
- common/istio*/**
- common/kubeflow-namespace/**
- applications/jupyter/**
permissions:
contents: read
actions: read
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install KinD, Create KinD cluster and Install kustomize
run: ./tests/install_KinD_create_KinD_cluster_install_kustomize.sh
- name: Install Istio
run: ./tests/istio-cni_install.sh
- name: Install oauth2-proxy
run: ./tests/oauth2-proxy_install.sh
- name: Install cert-manager
run: ./tests/cert_manager_install.sh
- name: Create kubeflow namespace
run: kustomize build common/kubeflow-namespace/base | kubectl apply -f -
- name: Install kubeflow-istio-resources
run: kustomize build common/istio/kubeflow-istio-resources/base | kubectl apply -f -
- name: Install KF Pipelines
run: ./tests/pipelines_install.sh
- name: Install KF Multi Tenancy
run: ./tests/multi_tenancy_install.sh
- name: Build & Apply manifests
run: |
kustomize build applications/jupyter/jupyter-web-app/upstream/overlays/istio/ | kubectl apply -f -
kustomize build applications/jupyter/notebook-controller/upstream/overlays/kubeflow/ | kubectl apply -f -
kustomize build applications/admission-webhook/upstream/overlays/cert-manager | kubectl apply -f -
kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout 300s \
--field-selector=status.phase!=Succeeded
- name: Create KF Profile
run: ./tests/kubeflow_profile_install.sh
- name: Apply PodDefaults to access ml-pipeline with projected token
run: kubectl apply -f tests/poddefaults.access-ml-pipeline.kubeflow-user-example-com.yaml
- name: Create Kubeflow Notebook with PodDefaults
run: |
kubectl apply -f tests/notebook.test.kubeflow-user-example.com.yaml
kubectl wait --for=jsonpath='{.status.readyReplicas}'=1 \
-f tests/notebook.test.kubeflow-user-example.com.yaml \
--timeout 600s
- name: Copy and execute the pipeline run script in KF Notebook
run: |
kubectl -n kubeflow-user-example-com cp \
./tests/pipeline_run_and_wait_kubeflow.py \
test-0:/home/jovyan/pipeline_run_and_wait_kubeflow.py
kubectl -n kubeflow-user-example-com exec -ti \
test-0 -- python /home/jovyan/pipeline_run_and_wait_kubeflow.py
- name: Apply Pod Security Standards baseline levels
run: ./tests/PSS_baseline_enable.sh
- name: Unapply applied baseline labels
run: |
NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow" "knative-serving")
for NAMESPACE in "${NAMESPACES[@]}"; do
if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then
kubectl label namespace $NAMESPACE pod-security.kubernetes.io/enforce-
fi
done
- name: Applying Pod Security Standards restricted levels
run: ./tests/PSS_restricted_enable.sh