Added securityContext profile to cronjob in istio-system and remove PSS workflow warnings

.github/workflows/kserve_m2m_test.yaml

@@ -1,11 +1,11 @@
 name: Deploy and test KServe with m2m auth in KinD
 on:
   pull_request:
     paths:
     - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh
     - .github/workflows/kserve_m2m_test.yaml
     - contrib/kserve/**
-    - common/oidc-client/oauth2-proxy/**
+    - common/oauth2-proxy/**
     - common/istio*/**
     - tests/gh-actions/install_istio_with_ext_auth.sh*
     - tests/gh-actions/install_cert_manager.sh

.github/workflows/notebook_controller_m2m_test.yaml

@@ -1,11 +1,11 @@
 name: Test Notebook Controller with m2m auth manifests in KinD
 on:
   pull_request:
     paths:
     - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh
     - .github/workflows/notebook_controller_m2m_test.yaml
     - apps/jupyter/**
-    - common/oidc-client/oauth2-proxy/**
+    - common/oauth2-proxy/**
     - common/istio*/**
     - tests/gh-actions/install_istio_with_ext_auth.sh*
     - tests/gh-actions/install_multi_tenancy.sh

.github/workflows/pipeline_run_from_notebook.yaml

@@ -1,5 +1,5 @@
 name: Create Pipeline Run from Kubeflow Notebook
 on:
   pull_request:
     paths:
     - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh
@@ -11,7 +11,7 @@
     - common/cert-manager/**
     - common/oauth2-proxy/**
     - common/istio*/**
-    - common/oidc-client/**
+    - common/**
     - apps/jupyter/**
 
 jobs:

.github/workflows/pipeline_test.yaml

@@ -1,5 +1,5 @@
 name: Deploy and test Kubeflow Pipelines manifests with m2m auth in KinD
 on:
   pull_request:
     paths:
     - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh
@@ -8,7 +8,7 @@
     - tests/gh-actions/install_istio.sh
     - tests/gh-actions/install_cert_manager.sh
     - common/cert-manager/**
-    - common/oidc-client/oauth2-proxy/**
+    - common/oauth2-proxy/**
     - common/istio*/**
     - tests/gh-actions/install_istio_with_ext_auth.sh
 

.github/workflows/pss_test.yaml

@@ -1,5 +1,5 @@
 name: Apply PSS labels to namespaces
 on:
   pull_request:
     paths:
     - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh
@@ -44,10 +44,10 @@
     - name: Install KF Pipelines
       run: ./tests/gh-actions/install_pipelines.sh
 
-    - name: Applying Pod Security Standards baseline levels for static namespaces
+    - name: Apply Pod Security Standards baseline levels for static namespaces
       run: ./tests/gh-actions/enable_baseline_PSS.sh
 
-    - name: Applying Pod Security Standards baseline levels for dynamic namespaces
+    - name: Apply Pod Security Standards baseline levels for dynamic namespaces
       run: |
         cat << EOF > ./kustomization.yaml
         apiVersion: kustomize.config.k8s.io/v1beta1
@@ -61,14 +61,32 @@
         rm ./kustomization.yaml
         kubectl -n kubeflow wait --for=condition=Ready pods -l kustomize.component=profiles --timeout 180s
 
-    - name: Unapplying applied baseline values
+    - name: Unapply applied baseline values
       run: |
         NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow")
         for NAMESPACE in "${NAMESPACES[@]}"; do
           if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then
             kubectl label namespace $NAMESPACE pod-security.kubernetes.io/enforce-
           fi
         done
+        sleep 10
+
+    - name: Apply patches to clear warnings
+      run: |
+        DIRECTORY="contrib/security/PSS/patches"
+        for file in "$DIRECTORY"/*.yaml; do
+          echo "Patching file: $file"
+
+          KIND=$(kubectl get -f "$file" -o jsonpath='{.kind}')
+          NAME=$(kubectl get -f "$file" -o jsonpath='{.metadata.name}')
+          NAMESPACE=$(kubectl get -f "$file" -o jsonpath='{.metadata.namespace}')
+
+          # Apply the patch
+          kubectl get "$KIND" "$NAME" -n "$NAMESPACE" &> /dev/null
+          if [ $? -eq 0 ]; then
+            kubectl patch "$KIND" "$NAME" -n "$NAMESPACE" --patch-file "$file"
+          fi
+        done
 
     - name: Applying Pod Security Standards restricted levels for static namespaces
       run: ./tests/gh-actions/enable_restricted_PSS.sh

common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/cronjob.kubeflow-m2m-oidc-configurator.yaml

@@ -29,6 +29,15 @@ spec:
               name: script
               subPath: script.sh
             resources: {}
+            securityContext:
+              allowPrivilegeEscalation: false
+              seccompProfile:
+                type: RuntimeDefault
+              runAsNonRoot: true
+              runAsUser: 1000
+              capabilities:
+                drop:
+                - ALL
           volumes:
           - name: script
             configMap:

contrib/security/PSS/patches/cache-server.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: cache-server
+  namespace: kubeflow
 spec:
   template:
     spec:

contrib/security/PSS/patches/dex.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: dex
+  namespace: auth
 spec:
   template:
     spec:

contrib/security/PSS/patches/kfam.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: profiles-deployment
+  namespace: kubeflow
 spec:
   template:
     spec:

contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: kubeflow-pipelines-profile-controller
+  namespace: kubeflow
 spec:
   template:
     spec:

contrib/security/PSS/patches/manager.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: profiles-deployment
+  namespace: kubeflow
 spec:
   template:
     spec:

contrib/security/PSS/patches/metadata-envoy-deployment.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: metadata-envoy-deployment
+  namespace: kubeflow
 spec:
   template:
     spec:

contrib/security/PSS/patches/metadata-grpc-deployment.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: metadata-grpc-deployment
+  namespace: kubeflow
 spec:
   template:
     spec:

contrib/security/PSS/patches/metadata-writer.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: metadata-writer
+  namespace: kubeflow
 spec:
   template:
     spec:

contrib/security/PSS/patches/minio.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: minio
+  namespace: kubeflow
 spec:
   template:
     spec:

contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: ml-pipeline-persistenceagent
+  namespace: kubeflow
 spec:
   template:
     spec:

contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: ml-pipeline-scheduledworkflow
+  namespace: kubeflow
 spec:
   template:
     spec:

contrib/security/PSS/patches/ml-pipeline-ui.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: ml-pipeline-ui
+  namespace: kubeflow
 spec:
   template:
     spec:

contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: ml-pipeline-viewer-crd
+  namespace: kubeflow
 spec:
   template:
     spec:

contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: ml-pipeline-visualizationserver
+  namespace: kubeflow
 spec:
   template:
     spec:

contrib/security/PSS/patches/ml-pipeline.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: ml-pipeline
+  namespace: kubeflow
 spec:
   template:
     spec:

contrib/security/PSS/patches/mysql.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: mysql
+  namespace: kubeflow
 spec:
   template:
     spec:

contrib/security/PSS/patches/oauth2-proxy.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: oauth2-proxy
+  namespace: oauth2-proxy
 spec:
   replicas: 2
   template:

tests/gh-actions/wait_for_kubeflow_m2m_oidc_configurator.sh

@@ -2,6 +2,8 @@
 
 CRONJOB_NAME=kubeflow-m2m-oidc-configurator
 NAMESPACE=istio-system
+RETRY_INTERVAL=5    # Each loop iterates after 'RETRY_INTERVAL' seconds
+MAX_RETRIES=20    # Each loop iterates for a total number of 'MAX_RETRIES'
 
 # Function to get the latest Job created by the CronJob
 get_latest_job() {
@@ -13,19 +15,23 @@ get_latest_job() {
 
 # Wait until a Job is created
 echo "Waiting for a Job to be created by the ${CRONJOB_NAME} CronJob..."
-while true; do
+for ((i=1; i<=MAX_RETRIES; i++)); do
   JOB_NAME=$(get_latest_job)
   if [[ -n "${JOB_NAME}" ]]; then
     echo "Job ${JOB_NAME} created."
     break
   fi
-  sleep 5
+  if [[ $i -eq $MAX_RETRIES ]]; then
+    echo "Job creation timed out."
+    exit 1
+  fi
+  sleep "${RETRY_INTERVAL}"
   echo "Waiting..."
 done
 
 # Wait for the Job to complete successfully
 echo "Waiting for the Job ${JOB_NAME} to complete..."
-while true; do
+for ((i=1; i<=MAX_RETRIES; i++)); do
   STATUS=$(kubectl get job "${JOB_NAME}" -n "${NAMESPACE}" -o jsonpath='{.status.conditions[?(@.type=="Complete")].status}')
   if [[ "${STATUS}" == "True" ]]; then
     echo "Job ${JOB_NAME} completed successfully."
@@ -37,5 +43,9 @@ while true; do
     echo "Job ${JOB_NAME} failed."
     exit 1
   fi
-  sleep 5
+  if [[ $i -eq $MAX_RETRIES ]]; then
+    echo "Job completion timed out."
+    exit 1
+  fi
+  sleep "${RETRY_INTERVAL}"
 done