Added PSS profile seccompProfile to pods of istio

[biswajit-9776]

Pull Request Template for Kubeflow manifests Issues

• Please include a summary of changes and the related issue.
• List any dependencies that are required for this change.
• Please delete the options that are not relevant.
• The following checklist will help you to satisfy the requirements.

✏️ A brief description of the changes

I added the seccompProfile to istio pods to enable pod-security.kubernetes.io/: restricted labels.

📦 List any dependencies that are required for this change

My PR depends on #

🐛 If this PR is related to an issue, please put the link of the issue here.

The following issues are related, because ...

✅ Unit Test Checklist

• 🛠️ Make sure you have installed kustomize == 5.2.1+
• ✍️ Have you written new tests for your core changes, as applicable?
• 🔄 Have you successfully run existing tests with your changes ?
• 🚀 Have you successfully run existing and new tests with your changes ?

✅ Contributor checklist

• All the commits have been signed-off (To pass the DCO check)
• Submit the Contributor License Agreements (To pass the cla/google check)

---

You can join the CNCF Slack and access our meetings at the Kubeflow Community website. Our channel on the CNCF Slack is here #kubeflow-platform.

[biswajit-9776]

I have tested on cluster for both audit and enforce mode of PSS labels.
Previously the pods were only failing for the enforce=restricted label.
Post the changes in this PR, the pods are successfully created for all modes of PSS.

[juliusvonkohout]

Hello, this must be done automatically via istioctl or istio profiles or kustomize overlays/components, not manually.

[biswajit-9776]

Hi, I'm looking for a method of setting seccompProfile during installation like:

istioctl install --set values.global.proxy.seccompProfile.type=RuntimeDefault

I haven't encountered anything like it yet; meanwhile, I would set these changes as kustomize component in our contrib/security directory.

[juliusvonkohout]

Hi, I'm looking for a method of setting seccompProfile during installation like:

istioctl install --set values.global.proxy.seccompProfile.type=RuntimeDefault

I haven't encountered anything like it yet; meanwhile, I would set these changes as kustomize component in our contrib/security directory.

You can add them directly to both istio folders in https://github.com/kubeflow/manifests/blob/master/common/istio-1-22/kubeflow-istio-resources/base/kustomization.yaml as long as this is a static file that is not modified by the synchronization scripts in /hack.

[biswajit-9776]

Hi, I'm looking for a method of setting seccompProfile during installation like:

istioctl install --set values.global.proxy.seccompProfile.type=RuntimeDefault

I haven't encountered anything like it yet; meanwhile, I would set these changes as kustomize component in our contrib/security directory.

You can add them directly to both istio folders in https://github.com/kubeflow/manifests/blob/master/common/istio-1-22/kubeflow-istio-resources/base/kustomization.yaml as long as this is a static file that is not modified by the synchronization scripts in /hack.

So, the two patches should be used in https://github.com/kubeflow/manifests/blob/master/common/istio-1-22/kubeflow-istio-resources/base/kustomization.yaml instead of the example/kustomization.yaml?

[juliusvonkohout]

Should the two patches be used in https://github.com/kubeflow/manifests/blob/master/common/istio-1-22/kubeflow-istio-resources/base/kustomization.yaml instead of the example/kustomization.yaml?

Yes, this is something we can do directly. Please check whether the kustoization.yaml is static.

[biswajit-9776]

No, this file isn't modified by any scripts or other files. It's just used in workflows and some tests.
Do you wish for the seccompProfile to be applied to istio only when PSS/static/restricted components are applied or in general?

[juliusvonkohout]

Let's try in general.

[biswajit-9776]

https://github.com/kubeflow/manifests/blob/master/common/istio-1-22/kubeflow-istio-resources/base/kustomization.yaml

This kustomization doesn't have the required resources for the deployments in our patches as our deployments are part of istio-install/base/install.yaml

A better idea I could think of is istio-1-22/istio-install/base/patches. Since, the install.yaml is in the resources: section of istio-1-22/istio-install/base/kustomization.yaml, our deployments can get patched successfully.

[juliusvonkohout]

Then lets go with https://github.com/kubeflow/manifests/blob/master/common/istio-1-22/istio-install/base/kustomization.yaml and the same for CNI.

[juliusvonkohout]

It looks good so far an will take a closer look soon.
We have to make sure, that this is also copied to the istio-1-23 folder if we upgrade with the synchronisation script in /hack to 1.23+ and I have to merge this after the 1.9 release this week.

[biswajit-9776]

I have taken a look at the scripts in /hack and the script doesn't touch the istio-install/patches in any way and copies all of its content to newer istio versions. If we face any issue, I would take a look at it right away or run a pre-upgrade from the script anytime.

[juliusvonkohout]

/lgtm
/approve

[google-oss-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: juliusvonkohout

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [juliusvonkohout]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[biswajit-9776]

/hold

i think we are missing istio-cni

I have added seccompProfile for both deployments in istii-cni-1-22/istio-install/base/patches in this PR. Do you mean anything else for istio-cni?

[juliusvonkohout]

/unhold