Adding PSS label to dynamic ns

Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com>
kubeflow · Sep 16, 2024 · 0cd2870 · 0cd2870
1 parent 0cd0454
commit 0cd2870
Showing 1 changed file with 17 additions and 24 deletions.
diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml
@@ -57,31 +57,24 @@ jobs:
     - name: Install KF Pipelines
       run: ./tests/gh-actions/install_pipelines.sh
 
-    # - name: Apply Pod Security Standards baseline levels for dynamic namespaces
-    #   run: |
-    #     cat << EOF > ./kustomization.yaml
-    #     apiVersion: kustomize.config.k8s.io/v1beta1
-    #     kind: Kustomization
-    #     resources:
-    #     - apps/profiles/upstream/overlays/kubeflow
-    #     components:
-    #     - contrib/security/PSS/dynamic/restricted
-    #     EOF
-    #     kubectl apply -k .
-    #     rm ./kustomization.yaml
-    #     kubectl -n kubeflow wait --for=condition=Ready pods -l kustomize.component=profiles --timeout 200s
-    #     sleep 100
+    - name: Configure profile-controller's manager with PSS restricted label 
+      run: |
+        CONFIGMAP=$(kubectl get cm -n kubeflow | awk '{print $1}' | grep -e "namespace-labels-data")
+        kubectl get cm $CONFIGMAP -n kubeflow -o yaml > temporary.yaml
+        sed -i '/app.kubernetes.io\/part-of: "kubeflow-profile"/{s/.*/&\n    pod-security.kubernetes.io\/enforce: "restricted"/}' temporary.yaml
+        kubectl apply -f temporary.yaml
+        rm temporary.yaml
 
-    # - name: Create dynamic user namespace and check for PSS labels present
-    #   run: |
-    #     kustomize build common/user-namespace/base | kubectl apply -f -
-    #     LABELS=$(kubectl get namespace kubeflow-user-example-com --show-labels | awk 'NR==2 {print $NF}')
-    #     if [[ "$LABELS" == *pod-security.kubernetes.io/enforce=restricted* ]]; then
-    #       echo "PSS restricted label is present in dynamic namespace."
-    #     else
-    #       echo "PSS restricted label is absent in dynamic namespace."
-    #       exit 1
-    #     fi
+    - name: Create dynamic user namespace and check for PSS labels present
+      run: |
+        kustomize build common/user-namespace/base | kubectl apply -f -
+        LABELS=$(kubectl get namespace kubeflow-user-example-com --show-labels | awk 'NR==2 {print $NF}')
+        if [[ "$LABELS" == *pod-security.kubernetes.io/enforce=restricted* ]]; then
+          echo "PSS restricted label is present in dynamic namespace."
+        else
+          echo "PSS restricted label is absent in dynamic namespace."
+          exit 1
+        fi
 
     - name: Apply patches to clear warnings
       run: |