Added securityContext profile to cronjob in istio-system and remove PSS workflow warnings

[biswajit-9776]

Pull Request Template for Kubeflow manifests Issues

✏️ A brief description of the changes

I added securityContext profile to cronjob kubeflow-m2m-oidc-configurator in istio-system.

📦 List any dependencies that are required for this change

My PR depends on #

🐛 If this PR is related to an issue, please put the link to the issue here.

The following issues are related, because ...

✅ Contributor checklist

• Make sure you have tested with kustomize. See Installation Prerequisites
• All the commits have been signed-off (To pass the DCO check)
• Submit the Contributor License Agreements (To pass the cla/google check)

---

You can join the CNCF Slack and access our meetings at the Kubeflow Community website. Our channel on the CNCF Slack is here #kubeflow-platform.

[juliusvonkohout]

Why are you suing while instead of for ?

https://stackoverflow.com/questions/49110/how-do-i-write-a-for-loop-in-bash

[biswajit-9776]

What range would you like me to put in the for loop's condition?
I think whichever loop we use, we should constrain the script to not run beyond a specified time that I implemented using SECONDS variable.

[juliusvonkohout]

The range is up to you. 60 seconds is a good start.

[biswajit-9776]

Perhaps I should change this PR for cronjob to just constraining loop time to the script.
Since, changing the cronjob in anyway leads to failure of pipeline workflows.

[juliusvonkohout]

Perhaps I should change this PR for cronjob to just constraining loop time to the script. Since, changing the cronjob in anyway leads to failure of pipeline workflows.

Maybe you need to check the script and OCI image

[biswajit-9776]

I also thought the curlimages/curl image might have some issue so I added the latest verion 8.9.1 and pushed in one of the above commits. Seems like it's still facing the same.
Let me add some commands to view the logs in the script before the loop that's failing.

[juliusvonkohout]

Please also check that you use a rootless image. Most bitnami images support runasnonroot.

[biswajit-9776]

I believe the following was the reason for the failing cronjob even in my local system. I added runAsUser:999 to counter it.

https://stackoverflow.com/questions/49720308/kubernetes-podsecuritypolicy-set-to-runasnonroot-container-has-runasnonroot-and#:~:text=And%20here%20is%20the%20validation%20call%20with%20the%20comment%3A

[juliusvonkohout]

Now it is down to

Warning: existing pods in namespace "auth" violate the new PodSecurity enforce level "restricted:latest"
Warning: dex-7b97f48486-9rwl2: allowPrivilegeEscalation != false, unrestricted capabilities, runAsNonRoot != true, seccompProfile
Patching the PSS-restricted labels for namespace cert-manager...
namespace/cert-manager patched
Patching the PSS-restricted labels for namespace oauth2-proxy...
Warning: existing pods in namespace "oauth2-proxy" violate the new PodSecurity enforce level "restricted:latest"
Warning: oauth2-proxy-86d8c97455-58btw (and 1 other pod): allowPrivilegeEscalation != false, unrestricted capabilities, runAsNonRoot != true, seccompProfile
namespace/oauth2-proxy patched
Patching the PSS-restricted labels for namespace kubeflow...
Warning: existing pods in namespace "kubeflow" violate the new PodSecurity enforce level "restricted:latest"
Warning: cache-server-69f48c65dd-cctpm (and 11 other pods): allowPrivilegeEscalation != false, unrestricted capabilities, runAsNonRoot != true, runAsUser=0, seccompProfile
Warning: kubeflow-pipelines-profile-controller-5dcf75b69f-x2h4v (and 1 other pod): allowPrivilegeEscalation != false, unrestricted capabilities, runAsNonRoot != true, seccompProfile
Warning: metacontroller-0: seccompProfile
Warning: workflow-controller-68d76bcb8b-vcwvm: unrestricted capabilities, runAsNonRoot != true, runAsUser=0, seccompProfile
namespace/kubeflow patched

After fixing this we can create PRs to upstream all patches into the right places/repositories

[biswajit-9776]

Now it is down to

Warning: existing pods in namespace "auth" violate the new PodSecurity enforce level "restricted:latest"
Warning: dex-7b97f48486-9rwl2: allowPrivilegeEscalation != false, unrestricted capabilities, runAsNonRoot != true, seccompProfile
Patching the PSS-restricted labels for namespace cert-manager...
namespace/cert-manager patched
Patching the PSS-restricted labels for namespace oauth2-proxy...
Warning: existing pods in namespace "oauth2-proxy" violate the new PodSecurity enforce level "restricted:latest"
Warning: oauth2-proxy-86d8c97455-58btw (and 1 other pod): allowPrivilegeEscalation != false, unrestricted capabilities, runAsNonRoot != true, seccompProfile
namespace/oauth2-proxy patched
Patching the PSS-restricted labels for namespace kubeflow...
Warning: existing pods in namespace "kubeflow" violate the new PodSecurity enforce level "restricted:latest"
Warning: cache-server-69f48c65dd-cctpm (and 11 other pods): allowPrivilegeEscalation != false, unrestricted capabilities, runAsNonRoot != true, runAsUser=0, seccompProfile
Warning: kubeflow-pipelines-profile-controller-5dcf75b69f-x2h4v (and 1 other pod): allowPrivilegeEscalation != false, unrestricted capabilities, runAsNonRoot != true, seccompProfile
Warning: metacontroller-0: seccompProfile
Warning: workflow-controller-68d76bcb8b-vcwvm: unrestricted capabilities, runAsNonRoot != true, runAsUser=0, seccompProfile
namespace/kubeflow patched

After fixing this we can create PRs to upstream all patches into the right places/repositories

Shall I fix these warnings in this PR itself?

[juliusvonkohout]

changes to the m2m script should trigger many workflows in the CICD. There seem to be missing trigger paths.

[biswajit-9776]

changes to the m2m script should trigger many workflows in the CICD. There seem to be missing trigger paths.

Yes, that happened due to the typo Hansini made in her previous merged PR replacing /common/oauth2-proxy with common/oidc-client/oauth2-proxy. If she creates the PR, I could rebase and run the tests here again, or I could push a PR to fix the trigger paths myself and then rebase.

[juliusvonkohout]

Rebase to master first and see what is needed. Then lets merge and continue in a new PR, because this one here is getting too big.

[biswajit-9776]

Let me change the trigger paths for the m2m tests in this PR itself.

[biswajit-9776]

Hey @juliusvonkohout, the UID 1000 works for the cronjob as of now. It passes the m2m tests in 25s for the latest commits. I have also increased the time of cronjob test from 60s to 100s. In future we may change it as per requirement.

[juliusvonkohout]

This line is probably too much. Let's revisit it in your follow up PR

[juliusvonkohout]

/lgtm
/approve

[google-oss-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: juliusvonkohout

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [juliusvonkohout]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment