16 changes: 2 additions & 14 deletions .github/workflows/dex_oauth2-proxy_test.yaml
Expand Up @@ -66,17 +66,5 @@ jobs:

echo "Dex login test completed successfully."

- name: Apply Pod Security Standards baseline levels for static namespaces
run: ./tests/PSS_baseline_enable.sh

- name: Unapply applied baseline labels
run: |
NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow")
for NAMESPACE in "${NAMESPACES[@]}"; do
if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then
kubectl label namespace $NAMESPACE pod-security.kubernetes.io/enforce-
fi
done

- name: Applying Pod Security Standards restricted levels for static namespaces
run: ./tests/PSS_restricted_enable.sh
- name: Apply Pod Security Standards restricted levels
run: ./tests/PSS_enable.sh
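Review bot: `run: ./tests/PSS_enable.sh` relies on the script's default level while the step name promises "restricted", and full_kubeflow_integration_test.yaml in this same PR passes the level explicitly. Pass it here too, `run: ./tests/PSS_enable.sh restricted`, so the step keeps enforcing restricted even if the script's default is later changed. The same applies to katib_test.yaml, kserve_jwt_authentication_test.yaml, kserve_secure_test.yaml, kserve_test.yaml, pipeline_run_from_notebook.yaml, pipeline_swfs_test.yaml, pipeline_test.yaml, trainer_test.yaml and training_operator_test.yaml.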
12 changes: 1 addition & 11 deletions .github/workflows/full_kubeflow_integration_test.yaml
Expand Up @@ -63,7 +63,7 @@
- name: Install KServe
run: ./tests/kserve_install.sh

#- name: Install Pipelines

Check warning on line 66 in .github/workflows/full_kubeflow_integration_test.yaml


66:6 [comments] missing starting space in comment
# run: ./tests/pipelines_install.sh

- name: Install Pipelines with SeaweedFS
Expand Down Expand Up @@ -252,18 +252,8 @@
exit 1
fi

- name: Apply Pod Security Standards Baseline
run: ./tests/PSS_baseline_enable.sh

- name: Remove Pod Security Labels
run: |
NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow" "knative-serving")
for namespace in "${NAMESPACES[@]}"; do
kubectl label namespace $namespace pod-security.kubernetes.io/enforce-
done

- name: Apply Pod Security Standards Restricted
run: ./tests/PSS_restricted_enable.sh
run: ./tests/PSS_enable.sh restricted

- name: Verify Components
run: kubectl get pods --all-namespaces | grep -E '(Error|CrashLoopBackOff)' && exit 1 || true
2 changes: 1 addition & 1 deletion .github/workflows/istio_validation.yaml
Expand Up @@ -192,7 +192,7 @@ jobs:

- name: Apply Pod Security Standards baseline levels
if: matrix.istio-mode == 'cni'
run: ./tests/PSS_baseline_enable.sh
run: ./tests/PSS_enable.sh baseline

- name: Collect debug information on failure
if: failure()
16 changes: 2 additions & 14 deletions .github/workflows/katib_test.yaml
Expand Up @@ -82,17 +82,5 @@ jobs:
UNAUTHORIZED_TOKEN=$(kubectl -n test-unauthorized create token test-unauthorized)
kubectl get experiments.kubeflow.org -n $KF_PROFILE --token="$UNAUTHORIZED_TOKEN" >/dev/null

- name: Apply Pod Security Standards baseline levels
run: ./tests/PSS_baseline_enable.sh

- name: Unapply applied baseline labels
run: |
NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow")
for NAMESPACE in "${NAMESPACES[@]}"; do
if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then
kubectl label namespace $NAMESPACE pod-security.kubernetes.io/enforce-
fi
done

- name: Applying Pod Security Standards restricted levels
run: ./tests/PSS_restricted_enable.sh
- name: Apply Pod Security Standards restricted levels
run: ./tests/PSS_enable.sh
4 changes: 2 additions & 2 deletions .github/workflows/kserve_jwt_authentication_test.yaml
Expand Up @@ -84,5 +84,5 @@ jobs:
fi


- name: Apply Pod Security Standards baseline levels
run: ./tests/PSS_baseline_enable.sh
- name: Apply Pod Security Standards restricted levels
run: ./tests/PSS_enable.sh
4 changes: 2 additions & 2 deletions .github/workflows/kserve_secure_test.yaml
Expand Up @@ -79,5 +79,5 @@ jobs:
- name: Run KServe secure authentication tests
run: ./tests/kserve_jwt_authentication_test.sh kubeflow-user-example-com

- name: Apply Pod Security Standards baseline levels
run: ./tests/PSS_baseline_enable.sh
- name: Apply Pod Security Standards restricted levels
run: ./tests/PSS_enable.sh
16 changes: 2 additions & 14 deletions .github/workflows/kserve_test.yaml
Expand Up @@ -91,17 +91,5 @@ jobs:
run: |
kubectl wait --for=condition=Available --timeout=300s -n kubeflow deployment/kserve-models-web-app

- name: Apply Pod Security Standards baseline levels
run: ./tests/PSS_baseline_enable.sh

- name: Unapply applied baseline labels
run: |
NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow" "knative-serving")
for NAMESPACE in "${NAMESPACES[@]}"; do
if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then
kubectl label namespace $NAMESPACE pod-security.kubernetes.io/enforce-
fi
done

- name: Applying Pod Security Standards restricted levels
run: ./tests/PSS_restricted_enable.sh
- name: Apply Pod Security Standards restricted levels
run: ./tests/PSS_enable.sh
16 changes: 2 additions & 14 deletions .github/workflows/pipeline_run_from_notebook.yaml
Expand Up @@ -77,17 +77,5 @@ jobs:
kubectl -n kubeflow-user-example-com exec -ti \
test-0 -- python /home/jovyan/pipeline_run_and_wait_kubeflow.py

- name: Apply Pod Security Standards baseline levels
run: ./tests/PSS_baseline_enable.sh

- name: Unapply applied baseline labels
run: |
NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow" "knative-serving")
for NAMESPACE in "${NAMESPACES[@]}"; do
if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then
kubectl label namespace $NAMESPACE pod-security.kubernetes.io/enforce-
fi
done

- name: Applying Pod Security Standards restricted levels
run: ./tests/PSS_restricted_enable.sh
- name: Apply Pod Security Standards restricted levels
run: ./tests/PSS_enable.sh
16 changes: 2 additions & 14 deletions .github/workflows/pipeline_swfs_test.yaml
Expand Up @@ -114,20 +114,8 @@ jobs:
- name: Test SeaweedFS Namespace Isolation
run: ./tests/swfs_namespace_isolation_test.sh

- name: Apply Pod Security Standards baseline levels for static namespaces
run: ./tests/PSS_baseline_enable.sh

- name: Unapply applied baseline labels
run: |
NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow")
for NAMESPACE in "${NAMESPACES[@]}"; do
if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then
kubectl label namespace $NAMESPACE pod-security.kubernetes.io/enforce-
fi
done

- name: Applying Pod Security Standards restricted levels for static namespaces
run: ./tests/PSS_restricted_enable.sh
- name: Apply Pod Security Standards restricted levels
run: ./tests/PSS_enable.sh

- name: Collect Logs on Failure
if: failure()
16 changes: 2 additions & 14 deletions .github/workflows/pipeline_test.yaml
Expand Up @@ -95,17 +95,5 @@ jobs:
python3 tests/pipeline_v2_test.py test_unauthorized_access "${TOKEN}" "${KF_PROFILE}"
echo "Test succeeded. Token from unauthorized ServiceAccount cannot list pipelines in $KF_PROFILE namespace."

- name: Apply Pod Security Standards baseline levels for static namespaces
run: ./tests/PSS_baseline_enable.sh

- name: Unapply applied baseline labels
run: |
NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow")
for NAMESPACE in "${NAMESPACES[@]}"; do
if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then
kubectl label namespace $NAMESPACE pod-security.kubernetes.io/enforce-
fi
done

- name: Applying Pod Security Standards restricted levels for static namespaces
run: ./tests/PSS_restricted_enable.sh
- name: Apply Pod Security Standards restricted levels
run: ./tests/PSS_enable.sh
16 changes: 2 additions & 14 deletions .github/workflows/trainer_test.yaml
Expand Up @@ -82,20 +82,8 @@ jobs:
UNAUTHORIZED_TOKEN=$(kubectl -n test-unauthorized create token test-unauthorized)
kubectl get trainjobs -n $KF_PROFILE --token="$UNAUTHORIZED_TOKEN" >/dev/null

- name: Apply Pod Security Standards baseline levels
run: ./tests/PSS_baseline_enable.sh

- name: Unapply applied baseline labels
run: |
NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow" "kubeflow-system")
for NAMESPACE in "${NAMESPACES[@]}"; do
if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then
kubectl label namespace $NAMESPACE pod-security.kubernetes.io/enforce-
fi
done

- name: Applying Pod Security Standards restricted levels
run: ./tests/PSS_restricted_enable.sh
- name: Apply Pod Security Standards restricted levels
run: ./tests/PSS_enable.sh

- name: Collect Logs on Failure
if: failure()
16 changes: 2 additions & 14 deletions .github/workflows/training_operator_test.yaml
Expand Up @@ -81,17 +81,5 @@ jobs:
UNAUTHORIZED_TOKEN=$(kubectl -n test-unauthorized create token test-unauthorized)
kubectl get pytorchjobs -n $KF_PROFILE --token="$UNAUTHORIZED_TOKEN" >/dev/null

- name: Apply Pod Security Standards baseline levels
run: ./tests/PSS_baseline_enable.sh

- name: Unapply applied baseline labels
run: |
NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow")
for NAMESPACE in "${NAMESPACES[@]}"; do
if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then
kubectl label namespace $NAMESPACE pod-security.kubernetes.io/enforce-
fi
done

- name: Applying Pod Security Standards restricted levels
run: ./tests/PSS_restricted_enable.sh
- name: Apply Pod Security Standards restricted levels
run: ./tests/PSS_enable.sh
17 changes: 0 additions & 17 deletions tests/PSS_baseline_enable.sh

This file was deleted.

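--- /dev/null
+++ b/tests/PSS_enable.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+set -euo pipefail
+
+PSS_LEVEL="${1:-restricted}"
+
+[[ "$PSS_LEVEL" == "baseline" || "$PSS_LEVEL" == "restricted" ]] || {
+echo "ERROR: Invalid PSS level '$PSS_LEVEL'. Usage: $0 [baseline|restricted]"
+exit 1
+}
+
+NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow" "knative-serving" "kubeflow-system")
+[[ "$PSS_LEVEL" == "baseline" ]] && NAMESPACES+=("kubeflow-user-example-com")
+
+echo "Applying PSS $PSS_LEVEL to: ${NAMESPACES[*]}"
+
+for NAMESPACE in "${NAMESPACES[@]}"; do
+if ! kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then
+continue
+fi
+
+PATCH_OUTPUT=$(kubectl label namespace "$NAMESPACE" "pod-security.kubernetes.io/enforce=$PSS_LEVEL" --overwrite 2>&1)
+if echo "$PATCH_OUTPUT" | grep -q "violate the new PodSecurity"; then
+echo "ERROR: PSS violation in namespace $NAMESPACE"
+echo "$PATCH_OUTPUT" | grep -A 5 "violate the new PodSecurity"
+exit 1
+fi
+echo "✅ $NAMESPACE"
+done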
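Review bot: If `kubectl label namespace …` fails for a reason other than a PodSecurity warning (RBAC denial, API server unreachable, expired credentials), `set -e` aborts the script on the `PATCH_OUTPUT=$(…)` assignment before the captured text is ever printed, because stderr was folded into the variable with `2>&1`; the job just dies with no diagnostic and the remaining namespaces are left unlabelled without any message saying so. Guard the assignment with `|| { …; exit 1; }` so the captured output is echoed first (rewritten lines below). The `continue` on a missing namespace is likewise silent, so a misspelled entry in `NAMESPACES` quietly goes unenforced; an `echo "skipping $NAMESPACE: namespace not found" >&2` would make that visible in the job log. The violation check keys on kubectl's warning text `violate the new PodSecurity`, which is presumably stable across kubectl versions but is a client-side message rather than an API status, and deserves a one-line comment saying so.
```shell
PATCH_OUTPUT=$(kubectl label namespace "$NAMESPACE" "pod-security.kubernetes.io/enforce=$PSS_LEVEL" --overwrite 2>&1) || {
  echo "ERROR: kubectl label failed for namespace $NAMESPACE" >&2
  echo "$PATCH_OUTPUT" >&2
  exit 1
}
# … unchanged: PodSecurity violation check and success echo …
```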
16 changes: 0 additions & 16 deletions tests/PSS_restricted_enable.sh

This file was deleted.
