Added securityContext profile to cronjob in istio-system and remove P…

…SS workflow warnings (#2848) * Added securityContext profile to cronjob in istio-system Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> * Limited script to run for a minute Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> * Undo change to script Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> * Added time constraint to waiting for job loop Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> * Added if condition to script Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> * Added version to curl image Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> * Undo change to curl image Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> * Fixed failing cronjob Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> * Refactored the script Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> * Added workflow job to clear PSS warnings Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> * Removed cluster-local-gateway PSS patch Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> * Fixed typo in patches Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> * Debugging failing warnings Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> * Empty commit Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> * Fixed trigger paths for m2m tests Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> * Remove debug commands Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> * Fixed typo Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> * Increases cronjob time from 60s to 100s Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> * Change UID to debug Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> --------- Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com>
kubeflow · Aug 29, 2024 · b91cbc4 · b91cbc4
1 parent afc358d
commit b91cbc4
Show file tree

Hide file tree

Showing 25 changed files with 65 additions and 23 deletions.
diff --git a/.github/workflows/kserve_m2m_test.yaml b/.github/workflows/kserve_m2m_test.yaml
@@ -5,7 +5,7 @@ on:
     - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh
     - .github/workflows/kserve_m2m_test.yaml
     - contrib/kserve/**
-    - common/oidc-client/oauth2-proxy/**
+    - common/oauth2-proxy/**
     - common/istio*/**
     - tests/gh-actions/install_istio_with_ext_auth.sh*
     - tests/gh-actions/install_cert_manager.sh

diff --git a/.github/workflows/notebook_controller_m2m_test.yaml b/.github/workflows/notebook_controller_m2m_test.yaml
@@ -5,7 +5,7 @@ on:
     - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh
     - .github/workflows/notebook_controller_m2m_test.yaml
     - apps/jupyter/**
-    - common/oidc-client/oauth2-proxy/**
+    - common/oauth2-proxy/**
     - common/istio*/**
     - tests/gh-actions/install_istio_with_ext_auth.sh*
     - tests/gh-actions/install_multi_tenancy.sh

diff --git a/.github/workflows/pipeline_run_from_notebook.yaml b/.github/workflows/pipeline_run_from_notebook.yaml
@@ -11,7 +11,7 @@ on:
     - common/cert-manager/**
     - common/oauth2-proxy/**
     - common/istio*/**
-    - common/oidc-client/**
+    - common/**
     - apps/jupyter/**
 
 jobs:

diff --git a/.github/workflows/pipeline_test.yaml b/.github/workflows/pipeline_test.yaml
@@ -8,7 +8,7 @@ on:
     - tests/gh-actions/install_istio.sh
     - tests/gh-actions/install_cert_manager.sh
     - common/cert-manager/**
-    - common/oidc-client/oauth2-proxy/**
+    - common/oauth2-proxy/**
     - common/istio*/**
     - tests/gh-actions/install_istio_with_ext_auth.sh
 

diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml
@@ -44,10 +44,10 @@ jobs:
     - name: Install KF Pipelines
       run: ./tests/gh-actions/install_pipelines.sh
 
-    - name: Applying Pod Security Standards baseline levels for static namespaces
+    - name: Apply Pod Security Standards baseline levels for static namespaces
       run: ./tests/gh-actions/enable_baseline_PSS.sh
 
-    - name: Applying Pod Security Standards baseline levels for dynamic namespaces
+    - name: Apply Pod Security Standards baseline levels for dynamic namespaces
       run: |
         cat << EOF > ./kustomization.yaml
         apiVersion: kustomize.config.k8s.io/v1beta1
@@ -61,14 +61,32 @@ jobs:
         rm ./kustomization.yaml
         kubectl -n kubeflow wait --for=condition=Ready pods -l kustomize.component=profiles --timeout 180s
 
-    - name: Unapplying applied baseline values
+    - name: Unapply applied baseline values
       run: |
         NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow")
         for NAMESPACE in "${NAMESPACES[@]}"; do
           if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then
             kubectl label namespace $NAMESPACE pod-security.kubernetes.io/enforce-
           fi
         done
+        sleep 10
+
+    - name: Apply patches to clear warnings
+      run: |
+        DIRECTORY="contrib/security/PSS/patches"
+        for file in "$DIRECTORY"/*.yaml; do
+          echo "Patching file: $file"
+
+          KIND=$(kubectl get -f "$file" -o jsonpath='{.kind}')
+          NAME=$(kubectl get -f "$file" -o jsonpath='{.metadata.name}')
+          NAMESPACE=$(kubectl get -f "$file" -o jsonpath='{.metadata.namespace}')
+
+          # Apply the patch
+          kubectl get "$KIND" "$NAME" -n "$NAMESPACE" &> /dev/null
+          if [ $? -eq 0 ]; then
+            kubectl patch "$KIND" "$NAME" -n "$NAMESPACE" --patch-file "$file"
+          fi
+        done
 
     - name: Applying Pod Security Standards restricted levels for static namespaces
       run: ./tests/gh-actions/enable_restricted_PSS.sh
diff --git a/.../configure-self-signed-kubernetes-oidc-issuer/cronjob.kubeflow-m2m-oidc-configurator.yaml b/.../configure-self-signed-kubernetes-oidc-issuer/cronjob.kubeflow-m2m-oidc-configurator.yaml
@@ -29,6 +29,15 @@ spec:
               name: script
               subPath: script.sh
             resources: {}
+            securityContext:
+              allowPrivilegeEscalation: false
+              seccompProfile:
+                type: RuntimeDefault
+              runAsNonRoot: true
+              runAsUser: 1000
+              capabilities:
+                drop:
+                - ALL
           volumes:
           - name: script
             configMap:

diff --git a/contrib/security/PSS/patches/cache-server.yaml b/contrib/security/PSS/patches/cache-server.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: cache-server
+  namespace: kubeflow
 spec:
   template:
     spec:

diff --git a/contrib/security/PSS/patches/cluster-local-gateway.yaml b/contrib/security/PSS/patches/cluster-local-gateway.yaml
diff --git a/contrib/security/PSS/patches/dex.yaml b/contrib/security/PSS/patches/dex.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: dex
+  namespace: auth
 spec:
   template:
     spec:

diff --git a/contrib/security/PSS/patches/kfam.yaml b/contrib/security/PSS/patches/kfam.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: profiles-deployment
+  namespace: kubeflow
 spec:
   template:
     spec:

diff --git a/contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml b/contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: kubeflow-pipelines-profile-controller
+  namespace: kubeflow
 spec:
   template:
     spec:

diff --git a/contrib/security/PSS/patches/manager.yaml b/contrib/security/PSS/patches/manager.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: profiles-deployment
+  namespace: kubeflow
 spec:
   template:
     spec:

diff --git a/contrib/security/PSS/patches/metadata-envoy-deployment.yaml b/contrib/security/PSS/patches/metadata-envoy-deployment.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: metadata-envoy-deployment
+  namespace: kubeflow
 spec:
   template:
     spec:

diff --git a/contrib/security/PSS/patches/metadata-grpc-deployment.yaml b/contrib/security/PSS/patches/metadata-grpc-deployment.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: metadata-grpc-deployment
+  namespace: kubeflow
 spec:
   template:
     spec:

diff --git a/contrib/security/PSS/patches/metadata-writer.yaml b/contrib/security/PSS/patches/metadata-writer.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: metadata-writer
+  namespace: kubeflow
 spec:
   template:
     spec:

diff --git a/contrib/security/PSS/patches/minio.yaml b/contrib/security/PSS/patches/minio.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: minio
+  namespace: kubeflow
 spec:
   template:
     spec:

diff --git a/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml b/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: ml-pipeline-persistenceagent
+  namespace: kubeflow
 spec:
   template:
     spec:

diff --git a/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml b/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: ml-pipeline-scheduledworkflow
+  namespace: kubeflow
 spec:
   template:
     spec:

diff --git a/contrib/security/PSS/patches/ml-pipeline-ui.yaml b/contrib/security/PSS/patches/ml-pipeline-ui.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: ml-pipeline-ui
+  namespace: kubeflow
 spec:
   template:
     spec:

diff --git a/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml b/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: ml-pipeline-viewer-crd
+  namespace: kubeflow
 spec:
   template:
     spec:

diff --git a/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml b/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: ml-pipeline-visualizationserver
+  namespace: kubeflow
 spec:
   template:
     spec:

diff --git a/contrib/security/PSS/patches/ml-pipeline.yaml b/contrib/security/PSS/patches/ml-pipeline.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: ml-pipeline
+  namespace: kubeflow
 spec:
   template:
     spec:

diff --git a/contrib/security/PSS/patches/mysql.yaml b/contrib/security/PSS/patches/mysql.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: mysql
+  namespace: kubeflow
 spec:
   template:
     spec:

diff --git a/contrib/security/PSS/patches/oauth2-proxy.yaml b/contrib/security/PSS/patches/oauth2-proxy.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: oauth2-proxy
+  namespace: oauth2-proxy
 spec:
   replicas: 2
   template:

diff --git a/tests/gh-actions/wait_for_kubeflow_m2m_oidc_configurator.sh b/tests/gh-actions/wait_for_kubeflow_m2m_oidc_configurator.sh
@@ -2,6 +2,8 @@
 
 CRONJOB_NAME=kubeflow-m2m-oidc-configurator
 NAMESPACE=istio-system
+RETRY_INTERVAL=5    # Each loop iterates after 'RETRY_INTERVAL' seconds
+MAX_RETRIES=20    # Each loop iterates for a total number of 'MAX_RETRIES'
 
 # Function to get the latest Job created by the CronJob
 get_latest_job() {
@@ -13,19 +15,23 @@ get_latest_job() {
 
 # Wait until a Job is created
 echo "Waiting for a Job to be created by the ${CRONJOB_NAME} CronJob..."
-while true; do
+for ((i=1; i<=MAX_RETRIES; i++)); do
   JOB_NAME=$(get_latest_job)
   if [[ -n "${JOB_NAME}" ]]; then
     echo "Job ${JOB_NAME} created."
     break
   fi
-  sleep 5
+  if [[ $i -eq $MAX_RETRIES ]]; then
+    echo "Job creation timed out."
+    exit 1
+  fi
+  sleep "${RETRY_INTERVAL}"
   echo "Waiting..."
 done
 
 # Wait for the Job to complete successfully
 echo "Waiting for the Job ${JOB_NAME} to complete..."
-while true; do
+for ((i=1; i<=MAX_RETRIES; i++)); do
   STATUS=$(kubectl get job "${JOB_NAME}" -n "${NAMESPACE}" -o jsonpath='{.status.conditions[?(@.type=="Complete")].status}')
   if [[ "${STATUS}" == "True" ]]; then
     echo "Job ${JOB_NAME} completed successfully."
@@ -37,5 +43,9 @@ while true; do
     echo "Job ${JOB_NAME} failed."
     exit 1
   fi
-  sleep 5
+  if [[ $i -eq $MAX_RETRIES ]]; then
+    echo "Job completion timed out."
+    exit 1
+  fi
+  sleep "${RETRY_INTERVAL}"
 done