PSS labels for the profile controller (#2778)

* Patched PSS labels with profiles Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> * Patched profiles/upstream/base/namespace-labels.yaml and updated example.yaml Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> * Tried to override the base configMap Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> * Made changes for overriding base configMap with kustomize component Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> * Undone changes to profiles/upstream/base Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> * Added comments for duplicated file Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> * Resolved conflict Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> * Fixed yaml lint to example Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> --------- Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com>
kubeflow · Jul 23, 2024 · ace875b · ace875b
1 parent a0468b8
commit ace875b
Show file tree

Hide file tree

Showing 6 changed files with 72 additions and 2 deletions.
diff --git a/contrib/security/PSS/dynamic/baseline/kustomization.yaml b/contrib/security/PSS/dynamic/baseline/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+configMapGenerator:
+- name: namespace-labels-data
+  namespace: kubeflow
+  behavior: merge
+  files:
+  - namespace-labels.yaml
diff --git a/contrib/security/PSS/dynamic/baseline/namespace-labels.yaml b/contrib/security/PSS/dynamic/baseline/namespace-labels.yaml
@@ -0,0 +1,23 @@
+# This file is a duplicate of apps/profiles/upstream/base/namespace-labels.yaml
+# as using only the required label to merge it with the existing config map of profiles
+# deployment to enable PSS for profile namespaces, leads to creation of a new config map
+# with just the PSS label and replaces the pre-exisiting labels in the deployed config map.
+# Below is a list of labels to be set by default.
+#
+# To add a namespace label, use `key: 'value'`, for example:
+# istio.io/rev: 'asm-191-1'
+#
+# To remove a namespace label, use `key: ''`. For example:
+# istio-injection: ''
+#
+# Profile controller will not replace a namespace label if its key already
+# exists. If you want to override the value of a previously applied label, you
+# need to:
+# 1. Remove the label by using `key: ''` and deploy.
+# 2. Add the label by using `key: 'value'` and deploy.
+#
+katib.kubeflow.org/metrics-collector-injection: "enabled"
+serving.kubeflow.org/inferenceservice: "enabled"
+pipelines.kubeflow.org/enabled: "true"
+app.kubernetes.io/part-of: "kubeflow-profile"
+pod-security.kubernetes.io/enforce: "baseline"
diff --git a/contrib/security/PSS/dynamic/restricted/kustomization.yaml b/contrib/security/PSS/dynamic/restricted/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+configMapGenerator:
+- name: namespace-labels-data
+  namespace: kubeflow
+  behavior: merge
+  files:
+  - namespace-labels.yaml
diff --git a/contrib/security/PSS/dynamic/restricted/namespace-labels.yaml b/contrib/security/PSS/dynamic/restricted/namespace-labels.yaml
@@ -0,0 +1,23 @@
+# This file is a duplicate of apps/profiles/upstream/base/namespace-labels.yaml
+# as using only the required label to merge it with the existing config map of profiles
+# deployment to enable PSS for profile namespaces, leads to creation of a new config map
+# with just the PSS label and replaces the pre-exisiting labels in the deployed config map.
+# Below is a list of labels to be set by default.
+#
+# To add a namespace label, use `key: 'value'`, for example:
+# istio.io/rev: 'asm-191-1'
+#
+# To remove a namespace label, use `key: ''`. For example:
+# istio-injection: ''
+#
+# Profile controller will not replace a namespace label if its key already
+# exists. If you want to override the value of a previously applied label, you
+# need to:
+# 1. Remove the label by using `key: ''` and deploy.
+# 2. Add the label by using `key: 'value'` and deploy.
+#
+katib.kubeflow.org/metrics-collector-injection: "enabled"
+serving.kubeflow.org/inferenceservice: "enabled"
+pipelines.kubeflow.org/enabled: "true"
+app.kubernetes.io/part-of: "kubeflow-profile"
+pod-security.kubernetes.io/enforce: "restricted"
diff --git a/contrib/security/PSS/static/restricted/kustomization.yaml b/contrib/security/PSS/static/restricted/kustomization.yaml
@@ -6,4 +6,5 @@ patches:
 - path: patches/istio-labels.yaml
 - path: patches/cert-manager-labels.yaml
 - path: patches/dex-labels.yaml
-- path: patches/oauth2-proxy-labels.yaml
+- path: patches/oauth2-proxy-labels.yaml
+- path: patches/istio-labels.yaml
diff --git a/example/kustomization.yaml b/example/kustomization.yaml
@@ -90,9 +90,14 @@ resources:
 - ../contrib/kserve/kserve
 - ../contrib/kserve/models-web-app/overlays/kubeflow
 
+components:
 # Pod Security Standards
 # https://kubernetes.io/docs/concepts/security/pod-security-standards/
 # Uncomment to enable baseline level standards
 # - ../contrib/security/PSS/static/baseline
 # Uncomment to enable restricted level standards
-# - ../contrib/security/PSS/static/restricted
+# - ../contrib/security/PSS/static/restricted
+# Uncomment to enable baseline level standards for dynamic namespaces
+# - ../contrib/security/PSS/dynamic/baseline
+# Uncomment to enable restricted level standards for dynamic namespaces
+# - ../contrib/security/PSS/dynamic/restricted