From cbd7c379e7e052d4a0d2567a1e75d2511d712296 Mon Sep 17 00:00:00 2001 From: kunal-511 Date: Tue, 19 Aug 2025 10:12:37 +0530 Subject: [PATCH 1/9] Merge PSS_baseline and PSS_restricted Signed-off-by: kunal-511 --- .github/workflows/dex_oauth2-proxy_test.yaml | 4 +- .../full_kubeflow_integration_test.yaml | 6 +-- .github/workflows/istio_validation.yaml | 2 +- .github/workflows/katib_test.yaml | 4 +- .../kserve_jwt_authentication_test.yaml | 2 +- .github/workflows/kserve_secure_test.yaml | 2 +- .github/workflows/kserve_test.yaml | 4 +- .../workflows/pipeline_run_from_notebook.yaml | 4 +- .github/workflows/pipeline_swfs_test.yaml | 4 +- .github/workflows/pipeline_test.yaml | 4 +- .github/workflows/trainer_test.yaml | 4 +- .github/workflows/training_operator_test.yaml | 4 +- tests/PSS_baseline_enable.sh | 17 --------- tests/PSS_enable.sh | 38 +++++++++++++++++++ tests/PSS_restricted_enable.sh | 16 -------- 15 files changed, 60 insertions(+), 55 deletions(-) delete mode 100755 tests/PSS_baseline_enable.sh create mode 100755 tests/PSS_enable.sh delete mode 100755 tests/PSS_restricted_enable.sh diff --git a/.github/workflows/dex_oauth2-proxy_test.yaml b/.github/workflows/dex_oauth2-proxy_test.yaml index b6f7213a6..5a45af120 100644 --- a/.github/workflows/dex_oauth2-proxy_test.yaml +++ b/.github/workflows/dex_oauth2-proxy_test.yaml @@ -67,7 +67,7 @@ jobs: echo "Dex login test completed successfully." - name: Apply Pod Security Standards baseline levels for static namespaces - run: ./tests/PSS_baseline_enable.sh + run: ./tests/PSS_enable.sh baseline - name: Unapply applied baseline labels run: | @@ -79,4 +79,4 @@ jobs: done - name: Applying Pod Security Standards restricted levels for static namespaces - run: ./tests/PSS_restricted_enable.sh + run: ./tests/PSS_enable.sh restricted diff --git a/.github/workflows/full_kubeflow_integration_test.yaml b/.github/workflows/full_kubeflow_integration_test.yaml index 7f6826627..115cb0f2d 100644 
--- a/.github/workflows/full_kubeflow_integration_test.yaml +++ b/.github/workflows/full_kubeflow_integration_test.yaml @@ -253,17 +253,17 @@ jobs: fi - name: Apply Pod Security Standards Baseline - run: ./tests/PSS_baseline_enable.sh + run: ./tests/PSS_enable.sh baseline - name: Remove Pod Security Labels run: | - NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow" "knative-serving") + NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow" "knative-serving" "kubeflow-system" "kubeflow-user-example-com") for namespace in "${NAMESPACES[@]}"; do kubectl label namespace $namespace pod-security.kubernetes.io/enforce- done - name: Apply Pod Security Standards Restricted - run: ./tests/PSS_restricted_enable.sh + run: ./tests/PSS_enable.sh restricted - name: Verify Components run: kubectl get pods --all-namespaces | grep -E '(Error|CrashLoopBackOff)' && exit 1 || true diff --git a/.github/workflows/istio_validation.yaml b/.github/workflows/istio_validation.yaml index 2fcc533f1..bba54344b 100644 --- a/.github/workflows/istio_validation.yaml +++ b/.github/workflows/istio_validation.yaml @@ -192,7 +192,7 @@ jobs: - name: Apply Pod Security Standards baseline levels if: matrix.istio-mode == 'cni' - run: ./tests/PSS_baseline_enable.sh + run: ./tests/PSS_enable.sh baseline - name: Collect debug information on failure if: failure() diff --git a/.github/workflows/katib_test.yaml b/.github/workflows/katib_test.yaml index 139e9df5d..8bd37ec9b 100644 --- a/.github/workflows/katib_test.yaml +++ b/.github/workflows/katib_test.yaml @@ -83,7 +83,7 @@ jobs: kubectl get experiments.kubeflow.org -n $KF_PROFILE --token="$UNAUTHORIZED_TOKEN" >/dev/null - name: Apply Pod Security Standards baseline levels - run: ./tests/PSS_baseline_enable.sh + run: ./tests/PSS_enable.sh baseline - name: Unapply applied baseline labels run: | 
@@ -95,4 +95,4 @@ jobs: done - name: Applying Pod Security Standards restricted levels - run: ./tests/PSS_restricted_enable.sh + run: ./tests/PSS_enable.sh restricted diff --git a/.github/workflows/kserve_jwt_authentication_test.yaml b/.github/workflows/kserve_jwt_authentication_test.yaml index 3414ad99f..9d14f0729 100644 --- a/.github/workflows/kserve_jwt_authentication_test.yaml +++ b/.github/workflows/kserve_jwt_authentication_test.yaml @@ -85,4 +85,4 @@ jobs: - name: Apply Pod Security Standards baseline levels - run: ./tests/PSS_baseline_enable.sh + run: ./tests/PSS_enable.sh baseline diff --git a/.github/workflows/kserve_secure_test.yaml b/.github/workflows/kserve_secure_test.yaml index c4f9a2f47..05bd26667 100644 --- a/.github/workflows/kserve_secure_test.yaml +++ b/.github/workflows/kserve_secure_test.yaml @@ -80,4 +80,4 @@ jobs: run: ./tests/kserve_jwt_authentication_test.sh kubeflow-user-example-com - name: Apply Pod Security Standards baseline levels - run: ./tests/PSS_baseline_enable.sh + run: ./tests/PSS_enable.sh baseline diff --git a/.github/workflows/kserve_test.yaml b/.github/workflows/kserve_test.yaml index 094f4d60a..f6d0cf931 100644 --- a/.github/workflows/kserve_test.yaml +++ b/.github/workflows/kserve_test.yaml @@ -92,7 +92,7 @@ jobs: kubectl wait --for=condition=Available --timeout=300s -n kubeflow deployment/kserve-models-web-app - name: Apply Pod Security Standards baseline levels - run: ./tests/PSS_baseline_enable.sh + run: ./tests/PSS_enable.sh baseline - name: Unapply applied baseline labels run: | @@ -104,4 +104,4 @@ jobs: done - name: Applying Pod Security Standards restricted levels - run: ./tests/PSS_restricted_enable.sh + run: ./tests/PSS_enable.sh restricted diff --git a/.github/workflows/pipeline_run_from_notebook.yaml b/.github/workflows/pipeline_run_from_notebook.yaml index 49200fb4e..d46596520 100644 --- a/.github/workflows/pipeline_run_from_notebook.yaml +++ b/.github/workflows/pipeline_run_from_notebook.yaml 
@@ -78,7 +78,7 @@ jobs: test-0 -- python /home/jovyan/pipeline_run_and_wait_kubeflow.py - name: Apply Pod Security Standards baseline levels - run: ./tests/PSS_baseline_enable.sh + run: ./tests/PSS_enable.sh baseline - name: Unapply applied baseline labels run: | @@ -90,4 +90,4 @@ jobs: done - name: Applying Pod Security Standards restricted levels - run: ./tests/PSS_restricted_enable.sh + run: ./tests/PSS_enable.sh restricted diff --git a/.github/workflows/pipeline_swfs_test.yaml b/.github/workflows/pipeline_swfs_test.yaml index 218584028..b42086030 100644 --- a/.github/workflows/pipeline_swfs_test.yaml +++ b/.github/workflows/pipeline_swfs_test.yaml @@ -115,7 +115,7 @@ jobs: run: ./tests/swfs_namespace_isolation_test.sh - name: Apply Pod Security Standards baseline levels for static namespaces - run: ./tests/PSS_baseline_enable.sh + run: ./tests/PSS_enable.sh baseline - name: Unapply applied baseline labels run: | @@ -127,7 +127,7 @@ jobs: done - name: Applying Pod Security Standards restricted levels for static namespaces - run: ./tests/PSS_restricted_enable.sh + run: ./tests/PSS_enable.sh restricted - name: Collect Logs on Failure if: failure() diff --git a/.github/workflows/pipeline_test.yaml b/.github/workflows/pipeline_test.yaml index 4d7c6660d..4fd9a2ee6 100644 --- a/.github/workflows/pipeline_test.yaml +++ b/.github/workflows/pipeline_test.yaml @@ -96,7 +96,7 @@ jobs: echo "Test succeeded. Token from unauthorized ServiceAccount cannot list pipelines in $KF_PROFILE namespace." - name: Apply Pod Security Standards baseline levels for static namespaces - run: ./tests/PSS_baseline_enable.sh + run: ./tests/PSS_enable.sh baseline - name: Unapply applied baseline labels run: | @@ -108,4 +108,4 @@ jobs: done - name: Applying Pod Security Standards restricted levels for static namespaces - run: ./tests/PSS_restricted_enable.sh + run: ./tests/PSS_enable.sh restricted 
diff --git a/.github/workflows/trainer_test.yaml b/.github/workflows/trainer_test.yaml index 8454c17db..7e8d74fa5 100644 --- a/.github/workflows/trainer_test.yaml +++ b/.github/workflows/trainer_test.yaml @@ -83,7 +83,7 @@ jobs: kubectl get trainjobs -n $KF_PROFILE --token="$UNAUTHORIZED_TOKEN" >/dev/null - name: Apply Pod Security Standards baseline levels - run: ./tests/PSS_baseline_enable.sh + run: ./tests/PSS_enable.sh baseline - name: Unapply applied baseline labels run: | @@ -95,7 +95,7 @@ jobs: done - name: Applying Pod Security Standards restricted levels - run: ./tests/PSS_restricted_enable.sh + run: ./tests/PSS_enable.sh restricted - name: Collect Logs on Failure if: failure() diff --git a/.github/workflows/training_operator_test.yaml b/.github/workflows/training_operator_test.yaml index ebb39b9d7..0a735cea8 100644 --- a/.github/workflows/training_operator_test.yaml +++ b/.github/workflows/training_operator_test.yaml @@ -82,7 +82,7 @@ jobs: kubectl get pytorchjobs -n $KF_PROFILE --token="$UNAUTHORIZED_TOKEN" >/dev/null - name: Apply Pod Security Standards baseline levels - run: ./tests/PSS_baseline_enable.sh + run: ./tests/PSS_enable.sh baseline - name: Unapply applied baseline labels run: | @@ -94,4 +94,4 @@ jobs: done - name: Applying Pod Security Standards restricted levels - run: ./tests/PSS_restricted_enable.sh + run: ./tests/PSS_enable.sh restricted diff --git a/tests/PSS_baseline_enable.sh b/tests/PSS_baseline_enable.sh deleted file mode 100755 index 9d6ece645..000000000 --- a/tests/PSS_baseline_enable.sh +++ /dev/null 
@@ -1,17 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-
-NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow" "knative-serving" "kubeflow-system", "kubeflow-user-example-com")
-
-for NAMESPACE in "${NAMESPACES[@]}"; do
- if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then
- PATCH_OUTPUT=$(kubectl label namespace $NAMESPACE pod-security.kubernetes.io/enforce=baseline --overwrite 2>&1)
- if echo "$PATCH_OUTPUT" | grep -q "violate the new PodSecurity"; then
- echo "ERROR: PSS violation detected for namespace $NAMESPACE"
- echo "$PATCH_OUTPUT" | grep -A 5 "violate the new PodSecurity"
- exit 1
- else
- echo "✅ Namespace '$NAMESPACE' labeled successfully."
- fi
- fi
-done
diff --git a/tests/PSS_enable.sh b/tests/PSS_enable.sh
new file mode 100755
index 000000000..66cd38f35
--- /dev/null
+++ b/tests/PSS_enable.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+set -euo pipefail
+
+
+PSS_LEVEL="${1:-baseline}"
+
+if [[ "$PSS_LEVEL" != "baseline" && "$PSS_LEVEL" != "restricted" ]]; then
+ echo "ERROR: Invalid PSS level '$PSS_LEVEL'. Must be 'baseline' or 'restricted'."
+ echo "Usage: $0 [baseline|restricted]"
+ exit 1
+fi
+
+if [[ "$PSS_LEVEL" == "baseline" ]]; then
+ NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow" "knative-serving" "kubeflow-system" "kubeflow-user-example-com")
+else
+ NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow" "knative-serving" "kubeflow-system")
+fi
+
+echo "Enabling Pod Security Standards with level: $PSS_LEVEL"
+echo "Namespaces to process: ${NAMESPACES[*]}"
+
+for NAMESPACE in "${NAMESPACES[@]}"; do
+ if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then
+ echo "Processing namespace: $NAMESPACE"
+ PATCH_OUTPUT=$(kubectl label namespace "$NAMESPACE" "pod-security.kubernetes.io/enforce=$PSS_LEVEL" --overwrite 2>&1)
+ if echo "$PATCH_OUTPUT" | grep -q "violate the new PodSecurity"; then
+ echo "ERROR: PSS violation detected for namespace $NAMESPACE"
+ echo "$PATCH_OUTPUT" | grep -A 5 "violate the new PodSecurity"
+ exit 1
+ else
+ echo "✅ Namespace '$NAMESPACE' labeled successfully with $PSS_LEVEL PSS."
+ fi
+ else
+ echo "Namespace '$NAMESPACE' not found, skipping."
+ fi
+done
+
+echo "Pod Security Standards ($PSS_LEVEL) enforcement completed successfully!"
\ No newline at end of file
diff --git a/tests/PSS_restricted_enable.sh b/tests/PSS_restricted_enable.sh
deleted file mode 100755
index 8781aac9b..000000000
--- a/tests/PSS_restricted_enable.sh
+++ /dev/null
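Review bot: `PATCH_OUTPUT=$(kubectl label ... 2>&1)` inside the loop folds kubectl's stderr into the variable, so when the label call itself fails (RBAC denial, API server unreachable) `set -e` ends the script at the assignment and the captured reason is never printed — the job log shows only a non-zero exit. Attach the failure handling to the assignment so the text survives: `PATCH_OUTPUT=$(kubectl label namespace "$NAMESPACE" "pod-security.kubernetes.io/enforce=$PSS_LEVEL" --overwrite 2>&1) || { printf '%s\n' "ERROR: kubectl label failed for $NAMESPACE:" "$PATCH_OUTPUT" >&2; exit 1; }`. The same construct is carried into the rewritten loop in PATCH 2/9. Separately, the `ERROR:` lines go to stdout; `>&2` would keep them apart from the progress output, and the file is missing its trailing newline.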
@@ -1,16 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-
-NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow" "knative-serving" "kubeflow-system")
-for NAMESPACE in "${NAMESPACES[@]}"; do
- if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then
- PATCH_OUTPUT=$(kubectl label namespace $NAMESPACE pod-security.kubernetes.io/enforce=restricted --overwrite 2>&1)
- if echo "$PATCH_OUTPUT" | grep -q "violate the new PodSecurity"; then
- echo "ERROR: PSS violation detected for namespace $NAMESPACE"
- echo "$PATCH_OUTPUT" | grep -A 5 "violate the new PodSecurity"
- exit 1
- else
- echo "✅ Namespace '$NAMESPACE' labeled successfully."
- fi
- fi
-done
From e8ef30cad6e8a012f185773a7a25b3bc6e9639aa Mon Sep 17 00:00:00 2001
From: kunal-511
Date: Tue, 19 Aug 2025 10:20:04 +0530
Subject: [PATCH 2/9] simplify the pss
Signed-off-by: kunal-511
---
 tests/PSS_enable.sh | 42 +++++++++++++++---------------------------
 1 file changed, 15 insertions(+), 27 deletions(-)
diff --git a/tests/PSS_enable.sh b/tests/PSS_enable.sh
index 66cd38f35..ca518ec11 100755
--- a/tests/PSS_enable.sh
+++ b/tests/PSS_enable.sh
@@ -1,38 +1,26 @@ #!/bin/bash set -euo pipefail - PSS_LEVEL="${1:-baseline}" -if [[ "$PSS_LEVEL" != "baseline" && "$PSS_LEVEL" != "restricted" ]]; then - echo "ERROR: Invalid PSS level '$PSS_LEVEL'. Must be 'baseline' or 'restricted'." - echo "Usage: $0 [baseline|restricted]" +[[ "$PSS_LEVEL" == "baseline" || "$PSS_LEVEL" == "restricted" ]] || { + echo "ERROR: Invalid PSS level '$PSS_LEVEL'. Usage: $0 [baseline|restricted]" exit 1 -fi +} -if [[ "$PSS_LEVEL" == "baseline" ]]; then - NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow" "knative-serving" "kubeflow-system" "kubeflow-user-example-com") -else - NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow" "knative-serving" "kubeflow-system") -fi +NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow" "knative-serving" "kubeflow-system") +[[ "$PSS_LEVEL" == "baseline" ]] && NAMESPACES+=("kubeflow-user-example-com") -echo "Enabling Pod Security Standards with level: $PSS_LEVEL" -echo "Namespaces to process: ${NAMESPACES[*]}" +echo "Applying PSS $PSS_LEVEL to: ${NAMESPACES[*]}" for NAMESPACE in "${NAMESPACES[@]}"; do - if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then - echo "Processing namespace: $NAMESPACE" - PATCH_OUTPUT=$(kubectl label namespace "$NAMESPACE" "pod-security.kubernetes.io/enforce=$PSS_LEVEL" --overwrite 2>&1) - if echo "$PATCH_OUTPUT" | grep -q "violate the new PodSecurity"; then - echo "ERROR: PSS violation detected for namespace $NAMESPACE" - echo "$PATCH_OUTPUT" | grep -A 5 "violate the new PodSecurity" - exit 1 - else - echo "✅ Namespace '$NAMESPACE' labeled successfully with $PSS_LEVEL PSS." - fi - else - echo "Namespace '$NAMESPACE' not found, skipping." 
+ kubectl get namespace "$NAMESPACE" + + PATCH_OUTPUT=$(kubectl label namespace "$NAMESPACE" "pod-security.kubernetes.io/enforce=$PSS_LEVEL" --overwrite 2>&1) + if echo "$PATCH_OUTPUT" | grep -q "violate the new PodSecurity"; then + echo "ERROR: PSS violation in namespace $NAMESPACE" + echo "$PATCH_OUTPUT" | grep -A 5 "violate the new PodSecurity" + exit 1 fi -done - -echo "Pod Security Standards ($PSS_LEVEL) enforcement completed successfully!" \ No newline at end of file + echo "✅ $NAMESPACE" +done \ No newline at end of file From 768d4b9508daae4a370285442ad56f8ebd4601b1 Mon Sep 17 00:00:00 2001 From: kunal-511 Date: Tue, 19 Aug 2025 10:31:31 +0530 Subject: [PATCH 3/9] fix namespace Signed-off-by: kunal-511 --- tests/PSS_enable.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/PSS_enable.sh b/tests/PSS_enable.sh index ca518ec11..b017098d7 100755 --- a/tests/PSS_enable.sh +++ b/tests/PSS_enable.sh @@ -14,7 +14,7 @@ NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow" "knat echo "Applying PSS $PSS_LEVEL to: ${NAMESPACES[*]}" for NAMESPACE in "${NAMESPACES[@]}"; do - kubectl get namespace "$NAMESPACE" + kubectl get namespace "$NAMESPACE" >/dev/null 2>&1 PATCH_OUTPUT=$(kubectl label namespace "$NAMESPACE" "pod-security.kubernetes.io/enforce=$PSS_LEVEL" --overwrite 2>&1) if echo "$PATCH_OUTPUT" | grep -q "violate the new PodSecurity"; then From a51a976e9d8f9309236541c75d725711d2e1a63f Mon Sep 17 00:00:00 2001 From: kunal-511 Date: Tue, 19 Aug 2025 12:39:36 +0530 Subject: [PATCH 4/9] continue Signed-off-by: kunal-511 --- tests/PSS_enable.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tests/PSS_enable.sh b/tests/PSS_enable.sh index b017098d7..fcfa1ef3d 100755 --- a/tests/PSS_enable.sh +++ b/tests/PSS_enable.sh 
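Review bot: `kubectl get namespace "$NAMESPACE"` now runs unguarded under `set -e`, so a namespace absent from the cluster aborts the whole run instead of being skipped as the replaced `if kubectl get namespace ... else echo "... not found, skipping."` branch did, and its table output lands in the log. PATCH 3/9 only silences that output (the abort remains) and PATCH 4/9 restores the skip, so this intermediate state is what a bisect would land on. If the intent is that every listed namespace must exist, make that explicit instead: `kubectl get namespace "$NAMESPACE" >/dev/null 2>&1 || { echo "ERROR: namespace $NAMESPACE not found" >&2; exit 1; }`.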
@@ -14,7 +14,9 @@ NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow" "knat echo "Applying PSS $PSS_LEVEL to: ${NAMESPACES[*]}" for NAMESPACE in "${NAMESPACES[@]}"; do - kubectl get namespace "$NAMESPACE" >/dev/null 2>&1 + if ! kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then + continue + fi PATCH_OUTPUT=$(kubectl label namespace "$NAMESPACE" "pod-security.kubernetes.io/enforce=$PSS_LEVEL" --overwrite 2>&1) if echo "$PATCH_OUTPUT" | grep -q "violate the new PodSecurity"; then From f8735d040c4f9a2e1ad40cecb1124b1348f09cea Mon Sep 17 00:00:00 2001 From: kunal-511 Date: Sat, 23 Aug 2025 00:43:22 +0530 Subject: [PATCH 5/9] Update to restriced Signed-off-by: kunal-511 --- .github/workflows/dex_oauth2-proxy_test.yaml | 16 ++-------------- .github/workflows/katib_test.yaml | 16 ++-------------- .../kserve_jwt_authentication_test.yaml | 4 ++-- .github/workflows/kserve_secure_test.yaml | 4 ++-- .github/workflows/kserve_test.yaml | 16 ++-------------- .../workflows/pipeline_run_from_notebook.yaml | 16 ++-------------- .github/workflows/pipeline_swfs_test.yaml | 16 ++-------------- .github/workflows/pipeline_test.yaml | 16 ++-------------- .github/workflows/trainer_test.yaml | 16 ++-------------- .github/workflows/training_operator_test.yaml | 16 ++-------------- tests/PSS_enable.sh | 2 +- 11 files changed, 21 insertions(+), 117 deletions(-) diff --git a/.github/workflows/dex_oauth2-proxy_test.yaml b/.github/workflows/dex_oauth2-proxy_test.yaml index 5a45af120..3b9d561eb 100644 --- a/.github/workflows/dex_oauth2-proxy_test.yaml +++ b/.github/workflows/dex_oauth2-proxy_test.yaml 
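Review bot: The new `continue` skips a missing namespace silently, so a namespace that should have received the `$PSS_LEVEL` enforce label but does not exist (a typo in NAMESPACES, or a component whose install failed) leaves no trace in the log and the step still reports success. Log the skip before the `continue`, `echo "Namespace '$NAMESPACE' not found, skipping." >&2` — the message the PATCH 1/9 version printed — so the enforcement gap is visible when reading a green job. The enclosing loop continues outside the hunk.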
@@ -66,17 +66,5 @@ jobs: echo "Dex login test completed successfully." - - name: Apply Pod Security Standards baseline levels for static namespaces - run: ./tests/PSS_enable.sh baseline - - - name: Unapply applied baseline labels - run: | - NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow") - for NAMESPACE in "${NAMESPACES[@]}"; do - if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then - kubectl label namespace $NAMESPACE pod-security.kubernetes.io/enforce- - fi - done - - - name: Applying Pod Security Standards restricted levels for static namespaces - run: ./tests/PSS_enable.sh restricted + - name: Apply Pod Security Standards restricted levels + run: ./tests/PSS_enable.sh diff --git a/.github/workflows/katib_test.yaml b/.github/workflows/katib_test.yaml index 8bd37ec9b..e86a34050 100644 --- a/.github/workflows/katib_test.yaml +++ b/.github/workflows/katib_test.yaml @@ -82,17 +82,5 @@ jobs: UNAUTHORIZED_TOKEN=$(kubectl -n test-unauthorized create token test-unauthorized) kubectl get experiments.kubeflow.org -n $KF_PROFILE --token="$UNAUTHORIZED_TOKEN" >/dev/null - - name: Apply Pod Security Standards baseline levels - run: ./tests/PSS_enable.sh baseline - - - name: Unapply applied baseline labels - run: | - NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow") - for NAMESPACE in "${NAMESPACES[@]}"; do - if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then - kubectl label namespace $NAMESPACE pod-security.kubernetes.io/enforce- - fi - done - - - name: Applying Pod Security Standards restricted levels - run: ./tests/PSS_enable.sh restricted + - name: Apply Pod Security Standards restricted levels + run: ./tests/PSS_enable.sh diff --git a/.github/workflows/kserve_jwt_authentication_test.yaml b/.github/workflows/kserve_jwt_authentication_test.yaml index 9d14f0729..0c7f2cbd4 100644 --- a/.github/workflows/kserve_jwt_authentication_test.yaml +++ b/.github/workflows/kserve_jwt_authentication_test.yaml 
@@ -84,5 +84,5 @@ jobs: fi - - name: Apply Pod Security Standards baseline levels - run: ./tests/PSS_enable.sh baseline + - name: Apply Pod Security Standards restricted levels + run: ./tests/PSS_enable.sh diff --git a/.github/workflows/kserve_secure_test.yaml b/.github/workflows/kserve_secure_test.yaml index 05bd26667..cd4cb83c9 100644 --- a/.github/workflows/kserve_secure_test.yaml +++ b/.github/workflows/kserve_secure_test.yaml @@ -79,5 +79,5 @@ jobs: - name: Run KServe secure authentication tests run: ./tests/kserve_jwt_authentication_test.sh kubeflow-user-example-com - - name: Apply Pod Security Standards baseline levels - run: ./tests/PSS_enable.sh baseline + - name: Apply Pod Security Standards restricted levels + run: ./tests/PSS_enable.sh diff --git a/.github/workflows/kserve_test.yaml b/.github/workflows/kserve_test.yaml index f6d0cf931..e12b12ca0 100644 --- a/.github/workflows/kserve_test.yaml +++ b/.github/workflows/kserve_test.yaml @@ -91,17 +91,5 @@ jobs: run: | kubectl wait --for=condition=Available --timeout=300s -n kubeflow deployment/kserve-models-web-app - - name: Apply Pod Security Standards baseline levels - run: ./tests/PSS_enable.sh baseline - - - name: Unapply applied baseline labels - run: | - NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow" "knative-serving") - for NAMESPACE in "${NAMESPACES[@]}"; do - if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then - kubectl label namespace $NAMESPACE pod-security.kubernetes.io/enforce- - fi - done - - - name: Applying Pod Security Standards restricted levels - run: ./tests/PSS_enable.sh restricted + - name: Apply Pod Security Standards restricted levels + run: ./tests/PSS_enable.sh diff --git a/.github/workflows/pipeline_run_from_notebook.yaml b/.github/workflows/pipeline_run_from_notebook.yaml index d46596520..be87575f1 100644 --- a/.github/workflows/pipeline_run_from_notebook.yaml +++ b/.github/workflows/pipeline_run_from_notebook.yaml 
@@ -77,17 +77,5 @@ jobs: kubectl -n kubeflow-user-example-com exec -ti \ test-0 -- python /home/jovyan/pipeline_run_and_wait_kubeflow.py - - name: Apply Pod Security Standards baseline levels - run: ./tests/PSS_enable.sh baseline - - - name: Unapply applied baseline labels - run: | - NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow" "knative-serving") - for NAMESPACE in "${NAMESPACES[@]}"; do - if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then - kubectl label namespace $NAMESPACE pod-security.kubernetes.io/enforce- - fi - done - - - name: Applying Pod Security Standards restricted levels - run: ./tests/PSS_enable.sh restricted + - name: Apply Pod Security Standards restricted levels + run: ./tests/PSS_enable.sh diff --git a/.github/workflows/pipeline_swfs_test.yaml b/.github/workflows/pipeline_swfs_test.yaml index b42086030..d6681d201 100644 --- a/.github/workflows/pipeline_swfs_test.yaml +++ b/.github/workflows/pipeline_swfs_test.yaml @@ -114,20 +114,8 @@ jobs: - name: Test SeaweedFS Namespace Isolation run: ./tests/swfs_namespace_isolation_test.sh - - name: Apply Pod Security Standards baseline levels for static namespaces - run: ./tests/PSS_enable.sh baseline - - - name: Unapply applied baseline labels - run: | - NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow") - for NAMESPACE in "${NAMESPACES[@]}"; do - if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then - kubectl label namespace $NAMESPACE pod-security.kubernetes.io/enforce- - fi - done - - - name: Applying Pod Security Standards restricted levels for static namespaces - run: ./tests/PSS_enable.sh restricted + - name: Apply Pod Security Standards restricted levels + run: ./tests/PSS_enable.sh - name: Collect Logs on Failure if: failure() diff --git a/.github/workflows/pipeline_test.yaml b/.github/workflows/pipeline_test.yaml index 4fd9a2ee6..20d5b09ae 100644 --- a/.github/workflows/pipeline_test.yaml 
+++ b/.github/workflows/pipeline_test.yaml @@ -95,17 +95,5 @@ jobs: python3 tests/pipeline_v2_test.py test_unauthorized_access "${TOKEN}" "${KF_PROFILE}" echo "Test succeeded. Token from unauthorized ServiceAccount cannot list pipelines in $KF_PROFILE namespace." - - name: Apply Pod Security Standards baseline levels for static namespaces - run: ./tests/PSS_enable.sh baseline - - - name: Unapply applied baseline labels - run: | - NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow") - for NAMESPACE in "${NAMESPACES[@]}"; do - if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then - kubectl label namespace $NAMESPACE pod-security.kubernetes.io/enforce- - fi - done - - - name: Applying Pod Security Standards restricted levels for static namespaces - run: ./tests/PSS_enable.sh restricted + - name: Apply Pod Security Standards restricted levels + run: ./tests/PSS_enable.sh diff --git a/.github/workflows/trainer_test.yaml b/.github/workflows/trainer_test.yaml index 7e8d74fa5..06ee6a6b9 100644 --- a/.github/workflows/trainer_test.yaml +++ b/.github/workflows/trainer_test.yaml @@ -82,20 +82,8 @@ jobs: UNAUTHORIZED_TOKEN=$(kubectl -n test-unauthorized create token test-unauthorized) kubectl get trainjobs -n $KF_PROFILE --token="$UNAUTHORIZED_TOKEN" >/dev/null - - name: Apply Pod Security Standards baseline levels - run: ./tests/PSS_enable.sh baseline - - - name: Unapply applied baseline labels - run: | - NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow" "kubeflow-system") - for NAMESPACE in "${NAMESPACES[@]}"; do - if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then - kubectl label namespace $NAMESPACE pod-security.kubernetes.io/enforce- - fi - done - - - name: Applying Pod Security Standards restricted levels - run: ./tests/PSS_enable.sh restricted + - name: Apply Pod Security Standards restricted levels + run: ./tests/PSS_enable.sh - name: Collect Logs on Failure if: failure() 
diff --git a/.github/workflows/training_operator_test.yaml b/.github/workflows/training_operator_test.yaml index 0a735cea8..685ac8ec2 100644 --- a/.github/workflows/training_operator_test.yaml +++ b/.github/workflows/training_operator_test.yaml @@ -81,17 +81,5 @@ jobs: UNAUTHORIZED_TOKEN=$(kubectl -n test-unauthorized create token test-unauthorized) kubectl get pytorchjobs -n $KF_PROFILE --token="$UNAUTHORIZED_TOKEN" >/dev/null - - name: Apply Pod Security Standards baseline levels - run: ./tests/PSS_enable.sh baseline - - - name: Unapply applied baseline labels - run: | - NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow") - for NAMESPACE in "${NAMESPACES[@]}"; do - if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then - kubectl label namespace $NAMESPACE pod-security.kubernetes.io/enforce- - fi - done - - - name: Applying Pod Security Standards restricted levels - run: ./tests/PSS_enable.sh restricted + - name: Apply Pod Security Standards restricted levels + run: ./tests/PSS_enable.sh diff --git a/tests/PSS_enable.sh b/tests/PSS_enable.sh index fcfa1ef3d..e0fa461de 100755 --- a/tests/PSS_enable.sh +++ b/tests/PSS_enable.sh @@ -1,7 +1,7 @@ #!/bin/bash set -euo pipefail -PSS_LEVEL="${1:-baseline}" +PSS_LEVEL="${1:-restricted}" [[ "$PSS_LEVEL" == "baseline" || "$PSS_LEVEL" == "restricted" ]] || { echo "ERROR: Invalid PSS level '$PSS_LEVEL'. Usage: $0 [baseline|restricted]" From 77728cedb65e32b202b803caf6ebbfce1238c778 Mon Sep 17 00:00:00 2001 From: kunal-511 Date: Sat, 23 Aug 2025 09:13:50 +0530 Subject: [PATCH 6/9] PSS restricted in end to end test Signed-off-by: kunal-511 --- .github/workflows/full_kubeflow_integration_test.yaml | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/.github/workflows/full_kubeflow_integration_test.yaml b/.github/workflows/full_kubeflow_integration_test.yaml index 115cb0f2d..9cbedf960 100644 --- a/.github/workflows/full_kubeflow_integration_test.yaml 
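Review bot: Changing the default to `restricted` silently changes the meaning of every argument-less `./tests/PSS_enable.sh` call, and the workflow hunks in this patch (dex_oauth2-proxy_test, katib_test, kserve_jwt_authentication_test, kserve_secure_test, kserve_test, pipeline_run_from_notebook, pipeline_swfs_test, pipeline_test, trainer_test, training_operator_test) rely on that implicit default while full_kubeflow_integration_test.yaml passes the level explicitly. Writing `run: ./tests/PSS_enable.sh restricted` in each of those workflows keeps them readable on their own and makes any later change of the default harmless. The usage string on the next lines should also state the default: `echo "ERROR: Invalid PSS level '$PSS_LEVEL'. Usage: $0 [baseline|restricted] (default: restricted)"`.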
+++ b/.github/workflows/full_kubeflow_integration_test.yaml @@ -252,16 +252,6 @@ jobs: exit 1 fi - - name: Apply Pod Security Standards Baseline - run: ./tests/PSS_enable.sh baseline - - - name: Remove Pod Security Labels - run: | - NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow" "knative-serving" "kubeflow-system" "kubeflow-user-example-com") - for namespace in "${NAMESPACES[@]}"; do - kubectl label namespace $namespace pod-security.kubernetes.io/enforce- - done - - name: Apply Pod Security Standards Restricted run: ./tests/PSS_enable.sh restricted From 9e29e862eae7f781d875c30926e9b242f44e548c Mon Sep 17 00:00:00 2001 From: kunal-511 Date: Mon, 25 Aug 2025 11:53:05 +0530 Subject: [PATCH 7/9] Update istio PSS to restricted Signed-off-by: kunal-511 --- .github/workflows/istio_validation.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/istio_validation.yaml b/.github/workflows/istio_validation.yaml index bba54344b..a914d2298 100644 --- a/.github/workflows/istio_validation.yaml +++ b/.github/workflows/istio_validation.yaml @@ -190,9 +190,9 @@ jobs: kubectl run test-client --image=busybox --rm -i --restart=Never -n $KF_PROFILE -- \ wget -qO- --timeout=10 test-application.$KF_PROFILE.svc.cluster.local - - name: Apply Pod Security Standards baseline levels + - name: Apply Pod Security Standards Restricted levels if: matrix.istio-mode == 'cni' - run: ./tests/PSS_enable.sh baseline + run: ./tests/PSS_enable.sh - name: Collect debug information on failure if: failure() From d8c161e537f07c54e0b5732e674d5a07a6bea28f Mon Sep 17 00:00:00 2001 From: kunal-511 Date: Mon, 25 Aug 2025 11:55:05 +0530 Subject: [PATCH 8/9] lint fix Signed-off-by: kunal-511 --- .github/workflows/istio_validation.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/istio_validation.yaml b/.github/workflows/istio_validation.yaml index a914d2298..9a2e33316 100644 
--- a/.github/workflows/istio_validation.yaml +++ b/.github/workflows/istio_validation.yaml @@ -192,7 +192,7 @@ jobs: - name: Apply Pod Security Standards Restricted levels if: matrix.istio-mode == 'cni' - run: ./tests/PSS_enable.sh + run: ./tests/PSS_enable.sh - name: Collect debug information on failure if: failure() From 3d0317178598ad3ed251b40f24796bcefdeef69b Mon Sep 17 00:00:00 2001 From: kunal-511 Date: Mon, 25 Aug 2025 14:20:09 +0530 Subject: [PATCH 9/9] Update oauth test Signed-off-by: kunal-511 --- .github/workflows/dex_oauth2-proxy_test.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/dex_oauth2-proxy_test.yaml b/.github/workflows/dex_oauth2-proxy_test.yaml index 3b9d561eb..7610f3b53 100644 --- a/.github/workflows/dex_oauth2-proxy_test.yaml +++ b/.github/workflows/dex_oauth2-proxy_test.yaml @@ -53,6 +53,9 @@ jobs: - name: Create KF Profile run: ./tests/kubeflow_profile_install.sh + - name: Apply Pod Security Standards restricted levels + run: ./tests/PSS_enable.sh + - name: Port forward the istio-ingress gateway run: ./tests/port_forward_gateway.sh @@ -65,6 +68,3 @@ jobs: python3 tests/dex_login_test.py echo "Dex login test completed successfully." - - - name: Apply Pod Security Standards restricted levels - run: ./tests/PSS_enable.sh
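Review bot: The PSS step moves from the end of the job to before the port-forward and Dex login test, but neither the hunk nor the commit message "Update oauth test" records why, and the effect is easy to misread: the enforce label only gates pods created or updated after it is set, so the pods already running in the labeled namespaces are not re-evaluated by the move — what changes is that any pod created by the later steps of this job is admitted under the restricted profile. Add a comment above the step capturing the intended reason, e.g. `# Applied before the login test so pods created from here on are admitted under the restricted profile` if that is the intent, or the actual motivation if it differs.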