Debugging

Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com>
biswajit-9776 · Sep 14, 2024 · 9b95dc6 · 9b95dc6
1 parent bce60a3
commit 9b95dc6
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 17 deletions.
diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml
@@ -58,25 +58,19 @@ jobs:
           kubectl get "$KIND" "$NAME" -n "$NAMESPACE" &> /dev/null
           if [ $? -eq 0 ]; then
             kubectl patch "$KIND" "$NAME" -n "$NAMESPACE" --patch-file "$file"
-            # if [ "$NAME" = "oauth2-proxy" ]; then
-            #   kubectl wait -n oauth2-proxy --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s
-            # elif [ "$NAME" = "metadata-envoy-deployment" ]; then
-            #   kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-envoy' --timeout=180s
-            # elif [ "$NAME" = "metadata-grpc-deployment" ]; then
-            #   kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-grpc-server' --timeout=180s
-            # elif [ "$NAME" = "profiles-deployment" -o "$NAME" = "ml-pipeline" ]; then
-            #   echo "skipping this patch"
-            #   # kubectl describe pod -l 'kustomize.component=profiles' -n kubeflow
-            #   # kubectl wait -n kubeflow --for=condition=ready pod -l 'kustomize.component=profiles' --timeout=300s
-            # else
-            #   echo "Fetching logs for pod: $NAME"
-            #   # kubectl describe pod -l app="$NAME" -n "$NAMESPACE"
-            #   # kubectl delete pod -l app="$NAME" -n "$NAMESPACE"
-            #   kubectl wait -n "$NAMESPACE" --for=condition=ready pod -l app="$NAME" --timeout=600s
-            # fi
+            if [ "$NAME" = "oauth2-proxy" ]; then
+              kubectl wait -n oauth2-proxy --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s
+            elif [ "$NAME" = "metadata-envoy-deployment" ]; then
+              kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-envoy' --timeout=600s
+            elif [ "$NAME" = "metadata-grpc-deployment" ]; then
+              kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-grpc-server' --timeout=600s
+            elif [ "$NAME" = "profiles-deployment" ]; then
+              kubectl wait -n kubeflow --for=condition=ready pod -l 'kustomize.component=profiles' --timeout=300s
+            else
+              kubectl wait -n "$NAMESPACE" --for=condition=ready pod -l app="$NAME" --timeout=600s
+            fi
           fi
         done
-        sleep 60
         # for file in "$DIRECTORY"/*.yaml; do
         #   KIND=$(kubectl get -f "$file" -o jsonpath='{.kind}')
         #   NAME=$(kubectl get -f "$file" -o jsonpath='{.metadata.name}')

diff --git a/contrib/security/PSS/patches/metacontroller.yaml b/contrib/security/PSS/patches/metacontroller.yaml
@@ -0,0 +1,12 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: metacontroller
+spec:
+  template:
+    spec:
+      containers:
+      - name: metacontroller
+        securityContext:
+          seccompProfile: 
+            type: RuntimeDefault
diff --git a/contrib/security/PSS/patches/workflow-controller.yaml b/contrib/security/PSS/patches/workflow-controller.yaml
@@ -0,0 +1,25 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: workflow-controller
+  namespace: kubeflow
+spec:
+  template:
+    spec:
+      containers:
+      - name: workflow-controller
+        securityContext:
+          seccompProfile:
+            type: RuntimeDefault
+          runAsNonRoot: true
+      initContainers:
+      - image: docker.io/istio/proxyv2:1.22.1
+        name: istio-init
+        securityContext:
+          capabilities:
+            drop:
+            - ALL
+          seccompProfile:
+            type: RuntimeDefault
+          runAsUser: 1337
+          runAsNonRoot: true