PSS labels for the profile controller #2778

biswajit-9776 · 2024-06-29T16:44:39Z

Pull Request Template for Kubeflow manifests Issues

Please include a summary of changes and the related issue.
List any dependencies that are required for this change.
Please delete the options that are not relevant.
The following checklist will help you to satisfy the requirements.

✏️ A brief description of the changes

I patched PSS labels for namespaces in contrib/dynamic kustomize component

📦 List any dependencies that are required for this change

My PR depends on #

🐛 If this PR is related to an issue, please put the link of the issue here.

The following issues are related, because ...

✅ Unit Test Checklist

🛠️ Make sure you have installed kustomize == 5.2.1+
✍️ Have you written new tests for your core changes, as applicable?
🔄 Have you successfully run existing tests with your changes ?
🚀 Have you successfully run existing and new tests with your changes ?

✅ Contributor checklist

All the commits have been signed-off (To pass the DCO check)
Submit the Contributor License Agreements (To pass the cla/google check)

You can join the CNCF Slack and access our meetings at the Kubeflow Community website. Our channel on the CNCF Slack is here #kubeflow-platform.

juliusvonkohout · 2024-06-30T09:37:03Z

@biswajit-9776 where is profiles-system coming from? The patch should touch only the in the Kubeflow namespace at build time and you need to keep the existing labels https://github.com/kubeflow/manifests/blob/60348d70f1614d1661d365ae868c844f7bca5e3d/apps/profiles/upstream/base/namespace-labels.yaml#L15C1-L18C46 .

When the cluster is running and new namespaces are generated dynamically, the labels from this file will be applied to each.

juliusvonkohout · 2024-06-30T10:59:35Z

No, it works differently. Please check out https://github.com/kubeflow/manifests/blob/60348d70f1614d1661d365ae868c844f7bca5e3d/apps/profiles/upstream/base/kustomization.yaml#L17C1-L20C26 to understand how the configuration map is created for the profile controller. You have to patch the config map for the dynamic stuff. At runtime the profile controller will use this configmap to create namespace of yet unknown names based on Profile CRs. The static patch for the kubeflow namespace is something completely different and belongs to the static folder.

biswajit-9776 · 2024-06-30T11:02:04Z

Okay I will push a commit later to this PR

biswajit-9776 · 2024-06-30T14:12:53Z

Okay so if our kustomize component is going to patch the https://github.com/kubeflow/manifests/blob/60348d70f1614d1661d365ae868c844f7bca5e3d/apps/profiles/upstream/base/namespace-labels.yaml with out PSS labels, can we do it by providing the path as resources to our kustomize component?

apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component

resources: ../../../../../apps/profiles/upstream/base/namespace-labels.yaml
patches:
- path: patches/profiles-labels.yaml

If not this then may I know which namespace the configmap namespace-labels-data is mounted to, in which case I can just patch the configmap with PSS labels to that namespace?

juliusvonkohout · 2024-06-30T16:24:50Z

Always consider that gpt4 or Gemini can guide you a bit on such general ideas ;-)

Yes just try it and the profile controller and therefore the configmap is in the kubeflow namespace.

contrib/security/PSS/dynamic/baseline/namespace-labels.yaml

contrib/security/PSS/dynamic/restricted/namespace-labels.yaml

contrib/security/PSS/dynamic/baseline/kustomization.yaml

example/kustomization.yaml

biswajit-9776 · 2024-07-02T09:50:18Z

Yeah it works now, but I'd also like to point out a few things that occurs with the above changes

biswajit-9776 · 2024-07-02T14:19:31Z

So, we have to use the below change in the base kustomization:

options:
  disableNameSuffixHash: true

I tried without it and as a result the configMap instead of getting overridden, still exists along with a new configMap with our changes.

biswajit-9776 · 2024-07-02T14:27:15Z

After making the above change, I tried commenting the unrequired section of namespacea-labels.yam and after applying our component, I discovered this:

Name:         namespace-labels-data
Namespace:    kubeflow
Labels:       kustomize.component=profiles
Annotations:  <none>

Data
====
namespace-labels.yaml:
----

# # Below is a list of labels to be set by default.
# #
# # To add a namespace label, use `key: 'value'`, for example:
# # istio.io/rev: 'asm-191-1'
# #
# # To remove a namespace label, use `key: ''`. For example:
# # istio-injection: ''
# #
# # Profile controller will not replace a namespace label if its key already
# # exists. If you want to override the value of a previously applied label, you
# # need to:
# # 1. Remove the label by using `key: ''` and deploy.
# # 2. Add the label by using `key: 'value'` and deploy.

# katib.kubeflow.org/metrics-collector-injection: "enabled"
# serving.kubeflow.org/inferenceservice: "enabled"
# pipelines.kubeflow.org/enabled: "true"
# app.kubernetes.io/part-of: "kubeflow-profile"
pod-security.kubernetes.io/enforce: "baseline"

what I believe is that instead of adding the uncommented stuff, it replaced the everything else with the new stuff we tried to add. To deal with this temporarily, I wish to have an exact copy of base namespace-label.yaml in my component's directory along with PSS labels.

juliusvonkohout · 2024-07-02T16:05:48Z

After making the above change, I tried commenting the unrequired section of namespacea-labels.yam and after applying our component, I discovered this:
Name:         namespace-labels-data
Namespace:    kubeflow
Labels:       kustomize.component=profiles
Annotations:  <none>

Data
====
namespace-labels.yaml:
----

# # Below is a list of labels to be set by default.
# #
# # To add a namespace label, use `key: 'value'`, for example:
# # istio.io/rev: 'asm-191-1'
# #
# # To remove a namespace label, use `key: ''`. For example:
# # istio-injection: ''
# #
# # Profile controller will not replace a namespace label if its key already
# # exists. If you want to override the value of a previously applied label, you
# # need to:
# # 1. Remove the label by using `key: ''` and deploy.
# # 2. Add the label by using `key: 'value'` and deploy.

# katib.kubeflow.org/metrics-collector-injection: "enabled"
# serving.kubeflow.org/inferenceservice: "enabled"
# pipelines.kubeflow.org/enabled: "true"
# app.kubernetes.io/part-of: "kubeflow-profile"
pod-security.kubernetes.io/enforce: "baseline"
what I believe is that instead of adding the uncommented stuff, it replaced the everything else with the new stuff we tried to add. To deal with this temporarily, I wish to have an exact copy of base namespace-label.yaml in my component's directory along with PSS labels.

Please investigate the officially documented behavior of merge in the configmapgenerator. We need to be sure.
I am strongly opposed to duplicating stuff and increasing the maintenance burden.

apps/profiles/upstream/base/kustomization.yaml

contrib/security/PSS/dynamic/baseline/namespace-labels.yaml

Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com>

…ple.yaml Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com>

Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com>

juliusvonkohout · 2024-07-23T12:23:05Z

/hold
/approve
/lgtm

google-oss-prow · 2024-07-23T12:23:11Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: juliusvonkohout

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [juliusvonkohout]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

biswajit-9776 · 2024-07-23T12:50:35Z

Should I rebase my branch locally and push it?

juliusvonkohout · 2024-07-23T13:50:32Z

/unhold

* Patched PSS labels with profiles Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> * Patched profiles/upstream/base/namespace-labels.yaml and updated example.yaml Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> * Tried to override the base configMap Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> * Made changes for overriding base configMap with kustomize component Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> * Undone changes to profiles/upstream/base Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> * Added comments for duplicated file Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> * Resolved conflict Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> * Fixed yaml lint to example Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> --------- Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> Signed-off-by: Patrick Schönthaler <patrick.schoenthaler@itsc.de>

google-oss-prow bot requested review from juliusvonkohout and kimwnasptd June 29, 2024 16:44

google-oss-prow bot added the size/S label Jun 29, 2024

google-oss-prow bot added size/M and removed size/S labels Jun 30, 2024

juliusvonkohout changed the title ~~Patched PSS labels with profiles~~ Patched PSS labels for the profile controller Jul 1, 2024

juliusvonkohout changed the title ~~Patched PSS labels for the profile controller~~ PSS labels for the profile controller Jul 1, 2024

juliusvonkohout self-assigned this Jul 2, 2024