Limit Istio Sidecar Scope to reduce memory usage #58
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Test KServe JWT Authentication | |
| on: | |
| pull_request: | |
| paths: | |
| - tests/install_KinD_create_KinD_cluster_install_kustomize.sh | |
| - .github/workflows/kserve_jwt_auth_test.yaml | |
| - common/istio/** | |
| - common/oauth2-proxy/** | |
| - tests/oauth2-proxy_install.sh | |
| - tests/istio* | |
| - common/knative/** | |
| - tests/knative_install.sh | |
| - tests/*authentication*test.sh | |
| - tests/final_validation.sh | |
| jobs: | |
| test-jwt-authentication: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Install KinD, Create KinD cluster and Install kustomize | |
| run: ./tests/install_KinD_create_KinD_cluster_install_kustomize.sh | |
| - name: Install kubectl | |
| run: ./tests/kubectl_install.sh | |
| - name: Create kubeflow namespace | |
| run: kustomize build common/kubeflow-namespace/base | kubectl apply -f - | |
| - name: Install Istio CNI | |
| run: ./tests/istio-cni_install.sh | |
| - name: Install oauth2-proxy | |
| run: ./tests/oauth2-proxy_install.sh | |
| - name: Install knative CNI with secure cluster-local-gateway | |
| run: ./tests/knative_install.sh | |
| - name: Verify secure cluster-local-gateway configuration | |
| run: | | |
| kubectl get authorizationpolicy,requestauthentication -n istio-system | grep cluster-local-gateway | |
| kubectl get requestauthentication cluster-local-gateway-jwt -n istio-system -o yaml | |
| kubectl get authorizationpolicy cluster-local-gateway -n istio-system -o yaml | |
| kubectl get authorizationpolicy cluster-local-gateway-require-jwt -n istio-system -o yaml | |
| - name: Setup python 3.12 | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: 3.12 | |
| - name: Port forward | |
| run: ./tests/port_forward_gateway.sh | |
| - name: Wait for cluster-local-gateway to be ready | |
| run: | | |
| kubectl wait --for=condition=Available --timeout=120s deployment/cluster-local-gateway -n istio-system | |
| sleep 100 | |
| - name: Run Basic JWT Authentication Tests | |
| run: | | |
| export KSERVE_INGRESS_HOST_PORT=localhost:8080 | |
| curl -s -o /dev/null -w "%{http_code}" -H "Host: test.example.com" "http://localhost:8080/" | grep -q "403" | |
| - name: Run Knative Service JWT Authentication Tests | |
| run: | | |
| export KSERVE_INGRESS_HOST_PORT=localhost:8080 | |
| ./tests/knative_authentication_test.sh | |
| - name: Test External Access Configuration | |
| run: | | |
| export KSERVE_INGRESS_HOST_PORT=localhost:8080 | |
| ./tests/kserve_setup_external_access.sh kubeflow-user-example-com secure-model-predictor | |
| # Test external access pattern | |
| TOKEN=$(kubectl -n kubeflow-user-example-com create token default-editor) | |
| RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" \ | |
| -H "Authorization: Bearer $TOKEN" \ | |
| -H "Content-Type: application/json" \ | |
| "http://localhost:8080/kserve/kubeflow-user-example-com/secure-model-predictor/" \ | |
| 2>/dev/null || echo "404") | |
| if [ "$RESPONSE" != "404" ] && [ "$RESPONSE" != "200" ] && [ "$RESPONSE" != "503" ]; then | |
| exit 1 | |
| fi | |
| - name: Apply Pod Security Standards baseline levels | |
| run: ./tests/PSS_baseline_enable.sh |