From ace875bbed9e284483c545cdc1c2cb60ad5b24a3 Mon Sep 17 00:00:00 2001 From: biswajit-9776 <115724497+biswajit-9776@users.noreply.github.com> Date: Tue, 23 Jul 2024 19:21:02 +0530 Subject: [PATCH] PSS labels for the profile controller (#2778) * Patched PSS labels with profiles Signed-off-by: biswajit-9776 * Patched profiles/upstream/base/namespace-labels.yaml and updated example.yaml Signed-off-by: biswajit-9776 * Tried to override the base configMap Signed-off-by: biswajit-9776 * Made changes for overriding base configMap with kustomize component Signed-off-by: biswajit-9776 * Undone changes to profiles/upstream/base Signed-off-by: biswajit-9776 * Added comments for duplicated file Signed-off-by: biswajit-9776 * Resolved conflict Signed-off-by: biswajit-9776 * Fixed yaml lint to example Signed-off-by: biswajit-9776 --------- Signed-off-by: biswajit-9776
---
 .../PSS/dynamic/baseline/kustomization.yaml | 9 ++++++++ .../dynamic/baseline/namespace-labels.yaml | 23 +++++++++++++++++++ .../PSS/dynamic/restricted/kustomization.yaml | 9 ++++++++ .../dynamic/restricted/namespace-labels.yaml | 23 +++++++++++++++++++ .../PSS/static/restricted/kustomization.yaml | 3 ++- example/kustomization.yaml | 7 +++++- 6 files changed, 72 insertions(+), 2 deletions(-) create mode 100644 contrib/security/PSS/dynamic/baseline/kustomization.yaml create mode 100644 contrib/security/PSS/dynamic/baseline/namespace-labels.yaml create mode 100644 contrib/security/PSS/dynamic/restricted/kustomization.yaml create mode 100644 contrib/security/PSS/dynamic/restricted/namespace-labels.yaml
diff --git a/contrib/security/PSS/dynamic/baseline/kustomization.yaml b/contrib/security/PSS/dynamic/baseline/kustomization.yaml
new file mode 100644
index 0000000000..8d8ea77e00
--- /dev/null
+++ b/contrib/security/PSS/dynamic/baseline/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+configMapGenerator:
+- name: namespace-labels-data
+ namespace: kubeflow
+ behavior: merge
+ files:
+ - namespace-labels.yaml
diff --git a/contrib/security/PSS/dynamic/baseline/namespace-labels.yaml b/contrib/security/PSS/dynamic/baseline/namespace-labels.yaml
new file mode 100644
index 0000000000..08f6690272
--- /dev/null
+++ b/contrib/security/PSS/dynamic/baseline/namespace-labels.yaml
@@ -0,0 +1,23 @@
+# This file is a duplicate of apps/profiles/upstream/base/namespace-labels.yaml
+# as using only the required label to merge it with the existing config map of profiles
+# deployment to enable PSS for profile namespaces, leads to creation of a new config map
+# with just the PSS label and replaces the pre-exisiting labels in the deployed config map.
+# Below is a list of labels to be set by default.
+#
+# To add a namespace label, use `key: 'value'`, for example:
+# istio.io/rev: 'asm-191-1'
+#
+# To remove a namespace label, use `key: ''`. For example:
+# istio-injection: ''
+#
+# Profile controller will not replace a namespace label if its key already
+# exists. If you want to override the value of a previously applied label, you
+# need to:
+# 1. Remove the label by using `key: ''` and deploy.
+# 2. Add the label by using `key: 'value'` and deploy.
+#
+katib.kubeflow.org/metrics-collector-injection: "enabled"
+serving.kubeflow.org/inferenceservice: "enabled"
+pipelines.kubeflow.org/enabled: "true"
+app.kubernetes.io/part-of: "kubeflow-profile"
+pod-security.kubernetes.io/enforce: "baseline"
diff --git a/contrib/security/PSS/dynamic/restricted/kustomization.yaml b/contrib/security/PSS/dynamic/restricted/kustomization.yaml
new file mode 100644
index 0000000000..8d8ea77e00
--- /dev/null
+++ b/contrib/security/PSS/dynamic/restricted/kustomization.yaml
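Review bot: `behavior: merge` on this configMapGenerator merges per data key, and the only key here is the whole `namespace-labels.yaml` file, so enabling the component replaces the complete label list of the profiles ConfigMap rather than adding one label; the kustomization does not say so, only the data file does. A comment above the generator would spare the next maintainer the surprise, e.g. `# behavior: merge replaces the whole namespace-labels.yaml key, so that file must carry every default label from apps/profiles/upstream/base/namespace-labels.yaml`. The merge also only succeeds when `name` and `namespace` match the base generator's resource id exactly; whether the base generator is already placed in `kubeflow` at the point this component is applied is not visible here, so it is worth confirming against apps/profiles. The restricted component in contrib/security/PSS/dynamic/restricted/kustomization.yaml (same blob 8d8ea77e00) is identical and the same point applies.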
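Review bot: Only `pod-security.kubernetes.io/enforce` is set, so pods in profile namespaces that violate the level are rejected outright while nothing reports violations in the report-only modes; adding `pod-security.kubernetes.io/warn: "baseline"` and `pod-security.kubernetes.io/audit: "baseline"` next to it surfaces violations as client warnings and audit-log annotations, and also allows auditing against `restricted` while still enforcing `baseline`. The header comment has a typo on its fourth line, `pre-exisiting` should be `pre-existing`. The same applies to the restricted copy in contrib/security/PSS/dynamic/restricted/namespace-labels.yaml, which differs only in the enforce value.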
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+configMapGenerator:
+- name: namespace-labels-data
+ namespace: kubeflow
+ behavior: merge
+ files:
+ - namespace-labels.yaml
diff --git a/contrib/security/PSS/dynamic/restricted/namespace-labels.yaml b/contrib/security/PSS/dynamic/restricted/namespace-labels.yaml
new file mode 100644
index 0000000000..7d1fc7d114
--- /dev/null
+++ b/contrib/security/PSS/dynamic/restricted/namespace-labels.yaml
@@ -0,0 +1,23 @@
+# This file is a duplicate of apps/profiles/upstream/base/namespace-labels.yaml
+# as using only the required label to merge it with the existing config map of profiles
+# deployment to enable PSS for profile namespaces, leads to creation of a new config map
+# with just the PSS label and replaces the pre-exisiting labels in the deployed config map.
+# Below is a list of labels to be set by default.
+#
+# To add a namespace label, use `key: 'value'`, for example:
+# istio.io/rev: 'asm-191-1'
+#
+# To remove a namespace label, use `key: ''`. For example:
+# istio-injection: ''
+#
+# Profile controller will not replace a namespace label if its key already
+# exists. If you want to override the value of a previously applied label, you
+# need to:
+# 1. Remove the label by using `key: ''` and deploy.
+# 2. Add the label by using `key: 'value'` and deploy.
+#
+katib.kubeflow.org/metrics-collector-injection: "enabled"
+serving.kubeflow.org/inferenceservice: "enabled"
+pipelines.kubeflow.org/enabled: "true"
+app.kubernetes.io/part-of: "kubeflow-profile"
+pod-security.kubernetes.io/enforce: "restricted"
diff --git a/contrib/security/PSS/static/restricted/kustomization.yaml b/contrib/security/PSS/static/restricted/kustomization.yaml
index ec133f809c..f42ff9746b 100644
--- a/contrib/security/PSS/static/restricted/kustomization.yaml
+++ b/contrib/security/PSS/static/restricted/kustomization.yaml
@@ -6,4 +6,5 @@ patches:
 - path: patches/istio-labels.yaml
 - path: patches/cert-manager-labels.yaml
 - path: patches/dex-labels.yaml
-- path: patches/oauth2-proxy-labels.yaml
\ No newline at end of file
+- path: patches/oauth2-proxy-labels.yaml
+- path: patches/istio-labels.yaml
diff --git a/example/kustomization.yaml b/example/kustomization.yaml
index 3591a8bd18..3e028a16df 100644
--- a/example/kustomization.yaml
+++ b/example/kustomization.yaml
@@ -90,9 +90,14 @@ resources:
 - ../contrib/kserve/kserve
 - ../contrib/kserve/models-web-app/overlays/kubeflow
+components:
 # Pod Security Standards
 # https://kubernetes.io/docs/concepts/security/pod-security-standards/
 # Uncomment to enable baseline level standards
 # - ../contrib/security/PSS/static/baseline
 # Uncomment to enable restricted level standards
-# - ../contrib/security/PSS/static/restricted
\ No newline at end of file
+# - ../contrib/security/PSS/static/restricted
+# Uncomment to enable baseline level standards for dynamic namespaces
+# - ../contrib/security/PSS/dynamic/baseline
+# Uncomment to enable restricted level standards for dynamic namespaces
+# - ../contrib/security/PSS/dynamic/restricted
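Review bot: The added `- path: patches/istio-labels.yaml` duplicates the first entry of the same `patches:` list, visible as context three lines above, so the istio patch is now applied twice; this looks like a leftover of the conflict resolution mentioned in the commit message, and the only intended change here appears to be restoring the trailing newline on the oauth2-proxy line. Drop the second `- path: patches/istio-labels.yaml`. The `patches:` list starts above the hunk, so the remaining entries cannot be checked from here.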
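Review bot: Inserting `components:` ahead of the existing commented `../contrib/security/PSS/static/baseline` and `static/restricted` entries moves them from `resources:` to `components:` for anyone who uncomments them, which only works if those directories are `kind: Component`; the static/restricted hunk in this commit shows its `patches:` list but not its kind, so if they are plain Kustomization overlays the example breaks at the first uncomment. If they are overlays, keep the two static lines where they were and add `components:` directly above the two dynamic entries. With every entry commented out, `components:` is an empty key, which kustomize appears to tolerate, but a comment such as `# intentionally empty until one of the entries below is enabled` would make that explicit.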