Debugging

Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com>

.github/workflows/pss_test.yaml

@@ -76,32 +76,32 @@ jobs:
             # fi
           fi
         done
-        for file in "$DIRECTORY"/*.yaml; do
-          KIND=$(kubectl get -f "$file" -o jsonpath='{.kind}')
-          NAME=$(kubectl get -f "$file" -o jsonpath='{.metadata.name}')
-          NAMESPACE=$(kubectl get -f "$file" -o jsonpath='{.metadata.namespace}')
-          kubectl get "$KIND" "$NAME" -n "$NAMESPACE" &> /dev/null
-          if [ $? -eq 0 ]; then
-            if [ "$NAME" = "oauth2-proxy" ]; then
-              echo "Fetching logs for pod: $NAME"
-              kubectl describe pod -l app.kubernetes.io/name: oauth2-proxy -n oauth2-proxy
-            elif [ "$NAME" = "metadata-envoy-deployment" ]; then
-              echo "Fetching logs for pod: $NAME"
-              kubectl describe pod -l 'component=metadata-envoy' -n kubeflow
-            elif [ "$NAME" = "metadata-grpc-deployment" ]; then
-              echo "Fetching logs for pod: $NAME"
-              kubectl describe pod -l 'component=metadata-grpc-server' -n kubeflow
-            elif [ "$NAME" = "profiles-deployment" -o "$NAME" = "ml-pipeline" ]; then
-              echo "Fetching logs for pod: $NAME"
-              kubectl describe pod -l 'kustomize.component=profiles' -n kubeflow
-            else
-              echo "Fetching logs for pod: $NAME"
-              kubectl describe pod -l app="$NAME" -n "$NAMESPACE"
-            fi
-          fi
-        done
+        # for file in "$DIRECTORY"/*.yaml; do
+        #   KIND=$(kubectl get -f "$file" -o jsonpath='{.kind}')
+        #   NAME=$(kubectl get -f "$file" -o jsonpath='{.metadata.name}')
+        #   NAMESPACE=$(kubectl get -f "$file" -o jsonpath='{.metadata.namespace}')
+        #   kubectl get "$KIND" "$NAME" -n "$NAMESPACE" &> /dev/null
+        #   if [ $? -eq 0 ]; then
+        #     if [ "$NAME" = "oauth2-proxy" ]; then
+        #       echo "Fetching logs for pod: $NAME"
+        #       kubectl describe pod -l app.kubernetes.io/name=oauth2-proxy -n oauth2-proxy
+        #     elif [ "$NAME" = "metadata-envoy-deployment" ]; then
+        #       echo "Fetching logs for pod: $NAME"
+        #       kubectl describe pod -l 'component=metadata-envoy' -n kubeflow
+        #     elif [ "$NAME" = "metadata-grpc-deployment" ]; then
+        #       echo "Fetching logs for pod: $NAME"
+        #       kubectl describe pod -l 'component=metadata-grpc-server' -n kubeflow
+        #     elif [ "$NAME" = "profiles-deployment" -o "$NAME" = "ml-pipeline" ]; then
+        #       echo "Fetching logs for pod: $NAME"
+        #       kubectl describe pod -l 'kustomize.component=profiles' -n kubeflow
+        #     else
+        #       echo "Fetching logs for pod: $NAME"
+        #       kubectl describe pod -l app="$NAME" -n "$NAMESPACE"
+        #     fi
+        #   fi
+        # done
         # sleep 300
-        # kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=600s --field-selector=status.phase!=Succeeded
+        kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=600s --field-selector=status.phase!=Succeeded
 
     - name: Apply Pod Security Standards baseline levels for static namespaces
       run: ./tests/gh-actions/enable_baseline_PSS.sh

contrib/security/PSS/patches/cache-server.yaml

@@ -13,6 +13,8 @@ spec:
           seccompProfile:
             type: RuntimeDefault
           runAsNonRoot: true
+          runAsUser: 1000
+          runAsGroup: 0
           capabilities:
             drop:
             - ALL

contrib/security/PSS/patches/kfam.yaml

@@ -13,6 +13,7 @@ spec:
           seccompProfile:
             type: RuntimeDefault
           runAsNonRoot: true
+          runAsUser: 1000
           capabilities:
             drop:
             - ALL

contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml

@@ -13,6 +13,7 @@ spec:
           seccompProfile:
             type: RuntimeDefault
           runAsNonRoot: true
+          runAsUser: 1000
           capabilities:
             drop:
             - ALL

contrib/security/PSS/patches/manager.yaml

@@ -13,6 +13,7 @@ spec:
           seccompProfile:
             type: RuntimeDefault
           runAsNonRoot: true
+          runAsUser: 1000
           capabilities:
             drop:
             - ALL

contrib/security/PSS/patches/metadata-envoy-deployment.yaml

@@ -13,6 +13,7 @@ spec:
           seccompProfile:
             type: RuntimeDefault
           runAsNonRoot: true
+          runAsUser: 1000
           capabilities:
             drop:
             - ALL

contrib/security/PSS/patches/metadata-grpc-deployment.yaml

@@ -13,6 +13,7 @@ spec:
           seccompProfile:
             type: RuntimeDefault
           runAsNonRoot: true
+          runAsUser: 1000
           capabilities:
             drop:
             - ALL

contrib/security/PSS/patches/metadata-writer.yaml

@@ -13,6 +13,7 @@ spec:
           seccompProfile:
             type: RuntimeDefault
           runAsNonRoot: true
+          runAsUser: 1000
           capabilities:
             drop:
             - ALL

contrib/security/PSS/patches/minio.yaml

@@ -13,6 +13,7 @@ spec:
           seccompProfile:
             type: RuntimeDefault
           runAsNonRoot: true
+          runAsUser: 1000
           capabilities:
             drop:
             - ALL

contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml

@@ -13,6 +13,8 @@ spec:
           seccompProfile:
             type: RuntimeDefault
           runAsNonRoot: true
+          runAsUser: 1000
+          runAsGroup: 0
           capabilities:
             drop:
             - ALL

contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml

@@ -13,6 +13,7 @@ spec:
           seccompProfile:
             type: RuntimeDefault
           runAsNonRoot: true
+          runAsUser: 1000
           capabilities:
             drop:
             - ALL

contrib/security/PSS/patches/ml-pipeline-ui.yaml

@@ -13,6 +13,7 @@ spec:
           seccompProfile:
             type: RuntimeDefault
           runAsNonRoot: true
+          runAsUser: 1000
           capabilities:
             drop:
             - ALL

contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml

@@ -13,6 +13,7 @@ spec:
           seccompProfile:
             type: RuntimeDefault
           runAsNonRoot: true
+          runAsUser: 1000
           capabilities:
             drop:
             - ALL

contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml

@@ -13,6 +13,7 @@ spec:
           seccompProfile:
             type: RuntimeDefault
           runAsNonRoot: true
+          runAsUser: 1000
           capabilities:
             drop:
             - ALL

contrib/security/PSS/patches/ml-pipeline.yaml

@@ -13,6 +13,7 @@ spec:
           seccompProfile:
             type: RuntimeDefault
           runAsNonRoot: true
+          runAsUser: 1000
           capabilities:
             drop:
             - ALL