diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml
index e0acbe3298..ff319a6446 100644
--- a/.github/workflows/pss_test.yaml
+++ b/.github/workflows/pss_test.yaml
@@ -76,32 +76,32 @@ jobs: # fi fi done - for file in "$DIRECTORY"/*.yaml; do - KIND=$(kubectl get -f "$file" -o jsonpath='{.kind}') - NAME=$(kubectl get -f "$file" -o jsonpath='{.metadata.name}') - NAMESPACE=$(kubectl get -f "$file" -o jsonpath='{.metadata.namespace}') - kubectl get "$KIND" "$NAME" -n "$NAMESPACE" &> /dev/null - if [ $? -eq 0 ]; then - if [ "$NAME" = "oauth2-proxy" ]; then - echo "Fetching logs for pod: $NAME" - kubectl describe pod -l app.kubernetes.io/name: oauth2-proxy -n oauth2-proxy - elif [ "$NAME" = "metadata-envoy-deployment" ]; then - echo "Fetching logs for pod: $NAME" - kubectl describe pod -l 'component=metadata-envoy' -n kubeflow - elif [ "$NAME" = "metadata-grpc-deployment" ]; then - echo "Fetching logs for pod: $NAME" - kubectl describe pod -l 'component=metadata-grpc-server' -n kubeflow - elif [ "$NAME" = "profiles-deployment" -o "$NAME" = "ml-pipeline" ]; then - echo "Fetching logs for pod: $NAME" - kubectl describe pod -l 'kustomize.component=profiles' -n kubeflow - else - echo "Fetching logs for pod: $NAME" - kubectl describe pod -l app="$NAME" -n "$NAMESPACE" - fi - fi - done + # for file in "$DIRECTORY"/*.yaml; do + # KIND=$(kubectl get -f "$file" -o jsonpath='{.kind}') + # NAME=$(kubectl get -f "$file" -o jsonpath='{.metadata.name}') + # NAMESPACE=$(kubectl get -f "$file" -o jsonpath='{.metadata.namespace}') + # kubectl get "$KIND" "$NAME" -n "$NAMESPACE" &> /dev/null + # if [ $? 
-eq 0 ]; then + # if [ "$NAME" = "oauth2-proxy" ]; then + # echo "Fetching logs for pod: $NAME" + # kubectl describe pod -l app.kubernetes.io/name=oauth2-proxy -n oauth2-proxy + # elif [ "$NAME" = "metadata-envoy-deployment" ]; then + # echo "Fetching logs for pod: $NAME" + # kubectl describe pod -l 'component=metadata-envoy' -n kubeflow + # elif [ "$NAME" = "metadata-grpc-deployment" ]; then + # echo "Fetching logs for pod: $NAME" + # kubectl describe pod -l 'component=metadata-grpc-server' -n kubeflow + # elif [ "$NAME" = "profiles-deployment" -o "$NAME" = "ml-pipeline" ]; then + # echo "Fetching logs for pod: $NAME" + # kubectl describe pod -l 'kustomize.component=profiles' -n kubeflow + # else + # echo "Fetching logs for pod: $NAME" + # kubectl describe pod -l app="$NAME" -n "$NAMESPACE" + # fi + # fi + # done # sleep 300 - # kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=600s --field-selector=status.phase!=Succeeded + kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=600s --field-selector=status.phase!=Succeeded - name: Apply Pod Security Standards baseline levels for static namespaces run: ./tests/gh-actions/enable_baseline_PSS.sh diff --git a/contrib/security/PSS/patches/cache-server.yaml b/contrib/security/PSS/patches/cache-server.yaml index 51c1123020..f8fc2b5202 100644 --- a/contrib/security/PSS/patches/cache-server.yaml +++ b/contrib/security/PSS/patches/cache-server.yaml @@ -13,6 +13,8 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 0 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/kfam.yaml b/contrib/security/PSS/patches/kfam.yaml index 0445d53764..ef34c06095 100644 --- a/contrib/security/PSS/patches/kfam.yaml +++ b/contrib/security/PSS/patches/kfam.yaml @@ -13,6 +13,7 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 capabilities: drop: - ALL 
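Review bot: The diagnostics loop at the top of the hunk is commented out rather than removed, so the one real fix inside it — the selector `app.kubernetes.io/name=oauth2-proxy` replacing the invalid `app.kubernetes.io/name: oauth2-proxy` — now lives in dead text, as does the `# sleep 300` just above the wait. Either delete the block (git history keeps it) or keep it live in a separate step guarded with `if: failure()` so the describe output is still collected when the new `kubectl wait` times out. The wait excludes only `status.phase!=Succeeded`, so a pod that has gone to Failed holds the step for the full 600s before it errors; that is a usable failure signal, but a short comment on the line saying the timeout is the intended signal would save the next reader from tuning it. The `run:` block this hunk edits starts above line 76, outside the hunk.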
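Review bot: `runAsGroup: 0` on the added line gives the cache-server container a root primary group, which widens access to any group-root-owned file in the image or on a mounted volume even though the UID is non-root; the same line is added in ml-pipeline-persistenceagent.yaml. The restricted PSS profile does not reject it, but it deserves an inline comment stating why GID 0 is required for this image, e.g. `runAsGroup: 0  # image files are group-owned by root; drop once the image is rebuilt`, plus a tracking reference to remove it. `runAsUser: 1000` is hard-coded in every patch in this commit (kfam, kubeflow-pipelines-profile-controller, manager, metadata-*, minio, ml-pipeline*), presumably because `runAsNonRoot: true` cannot be validated for images whose USER is unset or non-numeric; a comment on the first occurrence saying so would help, and the UID should be checked against each image's file ownership rather than assumed to be 1000 everywhere. Whether these keys land at pod or container level is not visible from the collapsed hunk.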
diff --git a/contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml b/contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml
index 342ca70f6e..df2caf1a08 100644
--- a/contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml
+++ b/contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml
@@ -13,6 +13,7 @@ spec:
 seccompProfile:
 type: RuntimeDefault
 runAsNonRoot: true
+ runAsUser: 1000
 capabilities:
 drop:
 - ALL
diff --git a/contrib/security/PSS/patches/manager.yaml b/contrib/security/PSS/patches/manager.yaml
index b4080721fa..3050f2c702 100644
--- a/contrib/security/PSS/patches/manager.yaml
+++ b/contrib/security/PSS/patches/manager.yaml
@@ -13,6 +13,7 @@ spec:
 seccompProfile:
 type: RuntimeDefault
 runAsNonRoot: true
+ runAsUser: 1000
 capabilities:
 drop:
 - ALL
diff --git a/contrib/security/PSS/patches/metadata-envoy-deployment.yaml b/contrib/security/PSS/patches/metadata-envoy-deployment.yaml
index 717bd851c1..024d64bf68 100644
--- a/contrib/security/PSS/patches/metadata-envoy-deployment.yaml
+++ b/contrib/security/PSS/patches/metadata-envoy-deployment.yaml
@@ -13,6 +13,7 @@ spec:
 seccompProfile:
 type: RuntimeDefault
 runAsNonRoot: true
+ runAsUser: 1000
 capabilities:
 drop:
 - ALL
diff --git a/contrib/security/PSS/patches/metadata-grpc-deployment.yaml b/contrib/security/PSS/patches/metadata-grpc-deployment.yaml
index af6971827b..76a168ae63 100644
--- a/contrib/security/PSS/patches/metadata-grpc-deployment.yaml
+++ b/contrib/security/PSS/patches/metadata-grpc-deployment.yaml
@@ -13,6 +13,7 @@ spec:
 seccompProfile:
 type: RuntimeDefault
 runAsNonRoot: true
+ runAsUser: 1000
 capabilities:
 drop:
 - ALL
diff --git a/contrib/security/PSS/patches/metadata-writer.yaml b/contrib/security/PSS/patches/metadata-writer.yaml
index 49f10ab0c9..aedb184c7f 100644
--- a/contrib/security/PSS/patches/metadata-writer.yaml
+++ b/contrib/security/PSS/patches/metadata-writer.yaml
@@ -13,6 +13,7 @@ spec:
 seccompProfile:
 type: RuntimeDefault
 runAsNonRoot: true
+ runAsUser: 1000
 capabilities:
 drop:
 - ALL
diff --git a/contrib/security/PSS/patches/minio.yaml b/contrib/security/PSS/patches/minio.yaml
index 896233f298..b83d67cf3c 100644
--- a/contrib/security/PSS/patches/minio.yaml
+++ b/contrib/security/PSS/patches/minio.yaml
@@ -13,6 +13,7 @@ spec:
 seccompProfile:
 type: RuntimeDefault
 runAsNonRoot: true
+ runAsUser: 1000
 capabilities:
 drop:
 - ALL
diff --git a/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml b/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml
index dfa05641ca..4a0f57f23c 100644
--- a/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml
+++ b/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml
@@ -13,6 +13,8 @@ spec:
 seccompProfile:
 type: RuntimeDefault
 runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 0
 capabilities:
 drop:
 - ALL
diff --git a/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml b/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml
index bf9fc18e33..ec316d52aa 100644
--- a/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml
+++ b/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml
@@ -13,6 +13,7 @@ spec:
 seccompProfile:
 type: RuntimeDefault
 runAsNonRoot: true
+ runAsUser: 1000
 capabilities:
 drop:
 - ALL
diff --git a/contrib/security/PSS/patches/ml-pipeline-ui.yaml b/contrib/security/PSS/patches/ml-pipeline-ui.yaml
index b5c35fcb42..5622c8575a 100644
--- a/contrib/security/PSS/patches/ml-pipeline-ui.yaml
+++ b/contrib/security/PSS/patches/ml-pipeline-ui.yaml
@@ -13,6 +13,7 @@ spec:
 seccompProfile:
 type: RuntimeDefault
 runAsNonRoot: true
+ runAsUser: 1000
 capabilities:
 drop:
 - ALL
diff --git a/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml b/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml
index a52470533b..d6a0431786 100644
--- a/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml
+++ b/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml
@@ -13,6 +13,7 @@ spec:
 seccompProfile:
 type: RuntimeDefault
 runAsNonRoot: true
+ runAsUser: 1000
 capabilities:
 drop:
 - ALL
diff --git a/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml b/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml
index a2bc3450ba..d175e45276 100644
--- a/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml
+++ b/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml
@@ -13,6 +13,7 @@ spec:
 seccompProfile:
 type: RuntimeDefault
 runAsNonRoot: true
+ runAsUser: 1000
 capabilities:
 drop:
 - ALL
diff --git a/contrib/security/PSS/patches/ml-pipeline.yaml b/contrib/security/PSS/patches/ml-pipeline.yaml
index 097ad1b8f2..90d2e10bff 100644
--- a/contrib/security/PSS/patches/ml-pipeline.yaml
+++ b/contrib/security/PSS/patches/ml-pipeline.yaml
@@ -13,6 +13,7 @@ spec:
 seccompProfile:
 type: RuntimeDefault
 runAsNonRoot: true
+ runAsUser: 1000
 capabilities:
 drop:
 - ALL