Debugging warnings in pss workflow #191
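# Integration check for the Pod Security Standards (PSS) work: bring up a KinD
# cluster, install the platform components, patch away the PSS warnings, and
# then turn on the baseline and restricted PSS levels on the static namespaces.
name: Apply PSS labels to namespaces

# `on` is a YAML 1.1 boolean-looking key; GitHub's loader handles it.
on:  # yamllint disable-line rule:truthy
  pull_request:
    # Only changes to these paths trigger the job. Several scripts the steps
    # call (install_kubectl.sh, install_cert_manager.sh, install_pipelines.sh,
    # enable_baseline_PSS.sh, enable_restricted_PSS.sh) are not listed here.
    paths:
      - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh
      - .github/workflows/*
      - tests/gh-actions/kind-cluster.yaml
      - apps/profiles/upstream/**
      - apps/pipeline/upstream/**
      - common/dex/**
      - common/cert-manager/**
      - common/oauth2-proxy/**
      - common/istio*/**
      - tests/gh-actions/install_istio-cni.sh
      # NOTE(review): the step below runs install_multi_tenancy.sh (with an
      # underscore); one of the two spellings is probably a typo — confirm
      # which file exists.
      - tests/gh-actions/install_multitenancy.sh

# Least privilege for GITHUB_TOKEN: the visible steps only check out the
# repository and talk to a local KinD cluster, so read access is enough.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        # Consider pinning to a full commit SHA rather than the moving v4 tag.
        uses: actions/checkout@v4

      - name: Install KinD, Create KinD cluster and Install kustomize
        run: ./tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh

      - name: Install kubectl
        run: ./tests/gh-actions/install_kubectl.sh

      - name: Install all istio-cni resources and kubeflow namespace
        run: |
          kustomize build common/kubeflow-namespace/base | kubectl apply -f -
          ./tests/gh-actions/install_cert_manager.sh
          ./tests/gh-actions/install_istio-cni.sh
          kustomize build common/istio-cni-1-22/kubeflow-istio-resources/base | kubectl apply -f -

      - name: Configure istio init container with seccompProfile attribute
        # Edits the sidecar-injector template in place so injected containers
        # carry `seccompProfile: RuntimeDefault`, then re-applies the ConfigMap.
        run: |
          kubectl get cm istio-sidecar-injector -n istio-system -o yaml > temporary_patch.yaml
          # First match only (sed range 0,/re/ with an empty s// reusing it).
          sed -i '0,/runAsNonRoot: true/{s//&\n seccompProfile:\n type: RuntimeDefault/}' temporary_patch.yaml
          # Remaining matches: append after pairs whose next line is the
          # templated runAsUser.
          # NOTE(review): the whitespace inside the inserted lines is significant
          # to the rendered template — confirm it matches what the injector expects.
          sed -i '/runAsNonRoot: true/{N; /runAsUser: {{ .ProxyUID | default "1337" }}/a\
          seccompProfile:\n type: RuntimeDefault
          }' temporary_patch.yaml
          kubectl apply -f temporary_patch.yaml
          rm temporary_patch.yaml

      - name: Install all other deployments of static namespaces
        run: |
          ./tests/gh-actions/install_multi_tenancy.sh
          kustomize build ./common/oauth2-proxy/overlays/m2m-self-signed | kubectl apply -f -
          echo "Waiting for all oauth2-proxy pods to become ready..."
          kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s -n oauth2-proxy
          kustomize build ./common/dex/overlays/oauth2-proxy | kubectl apply -f -
          echo "Waiting for pods in auth namespace to become ready..."
          kubectl wait --for=condition=Ready pods --all --timeout=180s -n auth

      # Commented out in this run; kept for reference.
      # - name: Configure profile-controller's manager configmap with PSS restricted label
      #   run: |
      #     CONFIGMAP=$(kubectl get cm -n kubeflow | awk '{print $1}' | grep -e "namespace-labels-data")
      #     kubectl get cm $CONFIGMAP -n kubeflow -o yaml > temporary.yaml
      #     sed -i '/app.kubernetes.io\/part-of: "kubeflow-profile"/{s/.*/&\n pod-security.kubernetes.io\/enforce: "restricted"/}' temporary.yaml
      #     kubectl apply -f temporary.yaml
      #     rm temporary.yaml

      - name: Install KF Pipelines
        run: ./tests/gh-actions/install_pipelines.sh

      # Commented out in this run; kept for reference.
      # - name: Create dynamic user namespace and check for PSS labels present
      #   run: |
      #     kustomize build common/user-namespace/base | kubectl apply -f -
      #     LABELS=$(kubectl get namespace kubeflow-user-example-com --show-labels | awk 'NR==2 {print $NF}')
      #     if [[ "$LABELS" == *pod-security.kubernetes.io/enforce=restricted* ]]; then
      #       echo "PSS restricted label is present in dynamic namespace."
      #     else
      #       echo "PSS restricted label is absent in dynamic namespace."
      #       exit 1
      #     fi

      - name: Apply patches to clear warnings
        # Applies every patch under the patches directory to the live object it
        # names, skipping patches whose target is not present in the cluster.
        run: |
          DIRECTORY="contrib/security/PSS/patches"
          for file in "$DIRECTORY"/*.yaml; do
            # With no matches the glob is returned literally; skip it instead of
            # handing a non-existent path to kubectl.
            [ -e "$file" ] || continue
            echo "Patching file: $file"
            # `kubectl get -f` looks the object named in the patch file up in the
            # cluster, so it doubles as the existence check. The default step
            # shell is `bash -e`: a bare failing command followed by a `$?` test
            # aborts the step before the test runs, so the failure must be
            # handled in the same `||` list.
            KIND=$(kubectl get -f "$file" -o jsonpath='{.kind}') || {
              echo "Skipping $file: target object not found in the cluster"
              continue
            }
            NAME=$(kubectl get -f "$file" -o jsonpath='{.metadata.name}')
            NAMESPACE=$(kubectl get -f "$file" -o jsonpath='{.metadata.namespace}')
            kubectl patch "$KIND" "$NAME" -n "$NAMESPACE" --patch-file "$file"
          done
          # Ten-minute idle period — presumably so warnings can be observed while
          # debugging; TODO confirm and replace with a targeted `kubectl wait`.
          sleep 600

      - name: Apply Pod Security Standards baseline levels for static namespaces
        run: ./tests/gh-actions/enable_baseline_PSS.sh

      - name: Unapply applied baseline labels
        # Removes the enforce label (trailing `-` means unlabel) from each
        # namespace that exists, ahead of applying the restricted level.
        run: |
          NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow")
          for NAMESPACE in "${NAMESPACES[@]}"; do
            if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then
              kubectl label namespace "$NAMESPACE" pod-security.kubernetes.io/enforce-
            fi
          done

      - name: Applying Pod Security Standards restricted levels for static namespaces
        run: ./tests/gh-actions/enable_restricted_PSS.sh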