Fix PSS restricted warnings for kubeflow components

[akagami-harsh]

Pull Request Template for Kubeflow Manifests

✏️ Summary of Changes

• fixed PSS restricted warning for katib
• working on fixing for other components

📦 Dependencies

List any dependencies or related PRs (e.g., "Depends on #123").

🐛 Related Issues

• PSS baseline / restricted also for Notebooks, Katib, Kserve, Dashboard and istio-ingressgateway #3015

✅ Contributor Checklist

• I have tested these changes with kustomize. See Installation Prerequisites.
• All commits are signed-off to satisfy the DCO check.

---

You can join the CNCF Slack and access our meetings at the Kubeflow Community website. Our channel on the CNCF Slack is here #kubeflow-platform.

[google-oss-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign juliusvonkohout for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[akagami-harsh]

testing CI here, if it works then i'll make separate PRs to upstream repos

[juliusvonkohout]

testing CI here, if it works then i'll make separate PRs to upstream repos

Thank you, please also leave this one here open as well :-)

[akagami-harsh]

The cache-server is experiencing issues that appear to be related to the istio-init container. To mitigate this, Should i disable Istio sidecar injection for the cache-server deployment by adding the sidecar.istio.io/inject: "false" annotation to the cache-deployment.yaml file https://github.com/kubeflow/manifests/blob/master/apps/pipeline/upstream/base/cache/cache-deployment.yaml

[akagami-harsh]

The cache-server is experiencing issues that appear to be related to the istio-init container. To mitigate this, Should i disable Istio sidecar injection for the cache-server deployment by adding the sidecar.istio.io/inject: "false" annotation to the cache-deployment.yaml file https://github.com/kubeflow/manifests/blob/master/apps/pipeline/upstream/base/cache/cache-deployment.yaml

update: we can fix this by using istio-cni istio/istio#35894

[akagami-harsh]

opened PR in respective upstream repos

[juliusvonkohout]

I still see in the tests

Warning: existing pods in namespace "kubeflow" violate the new PodSecurity enforce level "restricted:latest"
Warning: centraldashboard-5796446d58-4h5jm: allowPrivilegeEscalation != false, unrestricted capabilities, runAsNonRoot != true, runAsUser=0, seccompProfile
namespace/kubeflow patched

now i also see why you have to set the seccomprofile at the pod level

[juliusvonkohout]

kubeflow/pipelines#11751 for KFP has been merged

[juliusvonkohout]

kubeflow/dashboard#87 for tracking in Kubeflow/ dashboard

[juliusvonkohout]

@akagami-harsh there is something you can fix directly in kubeflow / manifests overlays, not the upstream part.

++ kubectl patch namespace knative-serving --patch-file ./experimental/security/PSS/static/restricted/patches/knative-serving-labels.yaml
+ PATCH_OUTPUT='Warning: existing pods in namespace "knative-serving" violate the new PodSecurity enforce level "restricted:latest"
Warning: activator-5f95966686-pgcpc (and 4 other pods): seccompProfile
namespace/knative-serving patched'
+ echo 'Warning: existing pods in namespace "knative-serving" violate the new PodSecurity enforce level "restricted:latest"
Warning: activator-5f95966686-pgcpc (and 4 other pods): seccompProfile
namespace/knative-serving patched'

[akagami-harsh]

@akagami-harsh there is something you can fix directly in kubeflow / manifests overlays, not the upstream part.

++ kubectl patch namespace knative-serving --patch-file ./experimental/security/PSS/static/restricted/patches/knative-serving-labels.yaml
+ PATCH_OUTPUT='Warning: existing pods in namespace "knative-serving" violate the new PodSecurity enforce level "restricted:latest"
Warning: activator-5f95966686-pgcpc (and 4 other pods): seccompProfile
namespace/knative-serving patched'
+ echo 'Warning: existing pods in namespace "knative-serving" violate the new PodSecurity enforce level "restricted:latest"
Warning: activator-5f95966686-pgcpc (and 4 other pods): seccompProfile
namespace/knative-serving patched'

opened a pr #3118

[juliusvonkohout]

Please rebase to master to fix the conflict

[juliusvonkohout]

This must happen in an overlay.in apps/kserve Kserve_kubeflow.yaml comes from upstream and should not be modified

[juliusvonkohout]

I think this can be removed sinc eit is already patched here https://github.com/kubeflow/manifests/blob/master/apps/kserve/kserve/kustomization.yaml

[juliusvonkohout]

Is this patch still needed or can it be removed?

[juliusvonkohout]

Did you fix this in another PR already?

[akagami-harsh]

Yes, in this pr #3108

[juliusvonkohout]

Is this not yet upstream in KFP?

[akagami-harsh]

I think i made a mistake here in this pr kubeflow/pipelines#11751 , accidentally modified this upstream argo deployment instead of adding a overlay. I'll create another pr in pipelines to fix this

[juliusvonkohout]

Is this already upstream?

[akagami-harsh]

I had created a PR in kubeflow/kubeflow for this, but it was closed since the code has been moved to a new repo, kubeflow/notebooks. So, I’ll need to create a PR there now.

[juliusvonkohout]

/retest

please split this up into separate PRs that are easy and faster to merge.