Fix PSS restricted warnings for kubeflow components #650
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Test Pipeline run from Jupyterlab | |
on: | |
pull_request: | |
paths: | |
- tests/install_KinD_create_KinD_cluster_install_kustomize.sh | |
- .github/workflows/pipeline_run_from_notebook.yaml | |
- applications/jupyter/notebook-controller/upstream/** | |
- applications/pipeline/upstream/** | |
- tests/istio* | |
- common/cert-manager/** | |
- common/oauth2-proxy/** | |
- common/istio*/** | |
- common/kubeflow-namespace/** | |
- applications/jupyter/** | |
permissions: | |
contents: read | |
actions: read | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Install KinD, Create KinD cluster and Install kustomize | |
run: ./tests/install_KinD_create_KinD_cluster_install_kustomize.sh | |
- name: Install Istio | |
run: ./tests/istio-cni_install.sh | |
- name: Install oauth2-proxy | |
run: ./tests/oauth2-proxy_install.sh | |
- name: Install cert-manager | |
run: ./tests/cert_manager_install.sh | |
- name: Create kubeflow namespace | |
run: kustomize build common/kubeflow-namespace/base | kubectl apply -f - | |
- name: Install kubeflow-istio-resources | |
run: kustomize build common/istio/kubeflow-istio-resources/base | kubectl apply -f - | |
- name: Install KF Pipelines | |
run: ./tests/pipelines_install.sh | |
- name: Install KF Multi Tenancy | |
run: ./tests/multi_tenancy_install.sh | |
- name: Build & Apply manifests | |
run: | | |
kustomize build applications/jupyter/jupyter-web-app/upstream/overlays/istio/ | kubectl apply -f - | |
kustomize build applications/jupyter/notebook-controller/upstream/overlays/kubeflow/ | kubectl apply -f - | |
kustomize build applications/admission-webhook/upstream/overlays/cert-manager | kubectl apply -f - | |
kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout 300s \ | |
--field-selector=status.phase!=Succeeded | |
- name: Create KF Profile | |
run: ./tests/kubeflow_profile_install.sh | |
- name: Apply PodDefaults to access ml-pipeline with projected token | |
run: kubectl apply -f tests/poddefaults.access-ml-pipeline.kubeflow-user-example-com.yaml | |
- name: Create Kubeflow Notebook with PodDefaults | |
run: | | |
kubectl apply -f tests/notebook.test.kubeflow-user-example.com.yaml | |
kubectl wait --for=jsonpath='{.status.readyReplicas}'=1 \ | |
-f tests/notebook.test.kubeflow-user-example.com.yaml \ | |
--timeout 600s | |
- name: Copy and execute the pipeline run script in KF Notebook | |
run: | | |
kubectl -n kubeflow-user-example-com cp \ | |
./tests/pipeline_run_and_wait_kubeflow.py \ | |
test-0:/home/jovyan/pipeline_run_and_wait_kubeflow.py | |
kubectl -n kubeflow-user-example-com exec -ti \ | |
test-0 -- python /home/jovyan/pipeline_run_and_wait_kubeflow.py | |
- name: Apply Pod Security Standards baseline levels | |
run: ./tests/PSS_baseline_enable.sh | |
- name: Unapply applied baseline labels | |
run: | | |
NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow" "knative-serving") | |
for NAMESPACE in "${NAMESPACES[@]}"; do | |
if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then | |
kubectl label namespace $NAMESPACE pod-security.kubernetes.io/enforce- | |
fi | |
done | |
- name: Applying Pod Security Standards restricted levels | |
run: ./tests/PSS_restricted_enable.sh |