Merge PSS_baseline and PSS_restricted #595
Workflow file for this run
  
    
      This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
      Learn more about bidirectional Unicode characters
    
  
  
    
  | name: Deploy and Test Katib | |
| on: | |
| pull_request: | |
| paths: | |
| - tests/install_KinD_create_KinD_cluster_install_kustomize.sh | |
| - tests/katib_install.sh | |
| - .github/workflows/katib_test.yaml | |
| - applications/katib/upstream/** | |
| - common/istio*/** | |
| - tests/istio* | |
| - common/cert-manager/** | |
| - experimental/security/PSS/* | |
| permissions: | |
| contents: read | |
| actions: read | |
| env: | |
| KF_PROFILE: kubeflow-user-example-com | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Install KinD, Create KinD cluster and Install kustomize | |
| run: ./tests/install_KinD_create_KinD_cluster_install_kustomize.sh | |
| - name: Install kubectl | |
| run: ./tests/kubectl_install.sh | |
| - name: Create Kubeflow Namespace | |
| run: kustomize build common/kubeflow-namespace/base | kubectl apply -f - | |
| - name: Install Certificate Manager | |
| run: ./tests/cert_manager_install.sh | |
| - name: Install Istio CNI | |
| run: ./tests/istio-cni_install.sh | |
| - name: Install OAuth2 Proxy | |
| run: ./tests/oauth2-proxy_install.sh | |
| - name: Install Kubeflow Istio Resources | |
| run: kustomize build common/istio/kubeflow-istio-resources/base | kubectl apply -f - | |
| - name: Install Multi-Tenancy | |
| run: ./tests/multi_tenancy_install.sh | |
| - name: Create KF Profile | |
| run: ./tests/kubeflow_profile_install.sh | |
| - name: Install Katib | |
| run: ./tests/katib_install.sh | |
| - name: Install Dependencies | |
| run: pip install pytest kubernetes kfp==2.13.0 requests | |
| - name: Port-forward the istio-ingress gateway | |
| run: ./tests/port_forward_gateway.sh | |
| - name: Run Katib Test | |
| run: | | |
| kubectl apply -f tests/katib_test.yaml | |
| kubectl wait --for=condition=Running experiments.kubeflow.org -n $KF_PROFILE --all --timeout=300s | |
| echo "Waiting for all Trials to be Completed..." | |
| kubectl wait --for=condition=Created trials.kubeflow.org -n $KF_PROFILE --all --timeout=60s | |
| kubectl get trials.kubeflow.org -n $KF_PROFILE | |
| kubectl wait --for=condition=Succeeded trials.kubeflow.org -n $KF_PROFILE --all --timeout 600s | |
| kubectl get trials.kubeflow.org -n $KF_PROFILE | |
| - name: Test Authorized Katib Access | |
| run: kubectl get experiments.kubeflow.org -n $KF_PROFILE --token="$(kubectl -n $KF_PROFILE create token default-editor)" | |
| - name: Test Unauthorized Katib Access | |
| run: | | |
| kubectl create namespace test-unauthorized | |
| kubectl create serviceaccount test-unauthorized -n test-unauthorized | |
| UNAUTHORIZED_TOKEN=$(kubectl -n test-unauthorized create token test-unauthorized) | |
| kubectl get experiments.kubeflow.org -n $KF_PROFILE --token="$UNAUTHORIZED_TOKEN" >/dev/null | |
| - name: Apply Pod Security Standards baseline levels | |
| run: ./tests/PSS_enable.sh baseline | |
| - name: Unapply applied baseline labels | |
| run: | | |
| NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow") | |
| for NAMESPACE in "${NAMESPACES[@]}"; do | |
| if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then | |
| kubectl label namespace $NAMESPACE pod-security.kubernetes.io/enforce- | |
| fi | |
| done | |
| - name: Applying Pod Security Standards restricted levels | |
| run: ./tests/PSS_enable.sh restricted |