From 7ab6e558090b41f83687f3c53ca1d602a640d191 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Mon, 2 Sep 2024 18:23:05 +0530 Subject: [PATCH 01/79] Debugging warnings in pss workflow Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index 86c89fde2..62a339da3 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -90,3 +90,6 @@ jobs: - name: Applying Pod Security Standards restricted levels for static namespaces run: ./tests/gh-actions/enable_restricted_PSS.sh + + - name: Debugging warnings + run: echo "Debugging workflow test" \ No newline at end of file From 0f00b27a44cfc4568c31d21973d71351f87234d6 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Wed, 4 Sep 2024 10:39:53 +0530 Subject: [PATCH 02/79] Shifted order of applying patches to workflow Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 34 ++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index 62a339da3..2a627ed1c 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml 
@@ -44,6 +44,23 @@ jobs: - name: Install KF Pipelines run: ./tests/gh-actions/install_pipelines.sh + - name: Apply patches to clear warnings + run: | + DIRECTORY="contrib/security/PSS/patches" + for file in "$DIRECTORY"/*.yaml; do + echo "Patching file: $file" + + KIND=$(kubectl get -f "$file" -o jsonpath='{.kind}') + NAME=$(kubectl get -f "$file" -o jsonpath='{.metadata.name}') + NAMESPACE=$(kubectl get -f "$file" -o jsonpath='{.metadata.namespace}') + + # Apply the patch + kubectl get "$KIND" "$NAME" -n "$NAMESPACE" &> /dev/null + if [ $? -eq 0 ]; then + kubectl patch "$KIND" "$NAME" -n "$NAMESPACE" --patch-file "$file" + fi + done + - name: Apply Pod Security Standards baseline levels for static namespaces run: ./tests/gh-actions/enable_baseline_PSS.sh @@ -71,23 +88,6 @@ jobs: done sleep 10 - - name: Apply patches to clear warnings - run: | - DIRECTORY="contrib/security/PSS/patches" - for file in "$DIRECTORY"/*.yaml; do - echo "Patching file: $file" - - KIND=$(kubectl get -f "$file" -o jsonpath='{.kind}') - NAME=$(kubectl get -f "$file" -o jsonpath='{.metadata.name}') - NAMESPACE=$(kubectl get -f "$file" -o jsonpath='{.metadata.namespace}') - - # Apply the patch - kubectl get "$KIND" "$NAME" -n "$NAMESPACE" &> /dev/null - if [ $? -eq 0 ]; then - kubectl patch "$KIND" "$NAME" -n "$NAMESPACE" --patch-file "$file" - fi - done - - name: Applying Pod Security Standards restricted levels for static namespaces run: ./tests/gh-actions/enable_restricted_PSS.sh From a3fd0ed4f85d1e3552c2d796ed36b5df7985ab49 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Wed, 4 Sep 2024 10:42:27 +0530 Subject: [PATCH 03/79] Fixed linting Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index 2a627ed1c..290f307b7 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml 
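Review bot: In the new "Apply patches to clear warnings" step, the `if [ $? -eq 0 ]` guard silently skips any patch whose target object is absent, so a renamed or missing workload stays unhardened while the job remains green — for a test whose purpose is to prove the PSS patches apply, that gap should fail loudly, e.g. an `else` branch with `echo "::error::$file targets $KIND/$NAME in $NAMESPACE, which does not exist"` and `exit 1`. Note also that if the step runs under GitHub's default `bash -e` (no `shell:` is visible here, so this is inferred), the three `kubectl get -f "$file" -o jsonpath=...` substitutions already abort the step when the object is missing, so the guard never actually skips; whichever behaviour is intended should be the one written down. The three API round-trips could be one call, `read -r KIND NAME NAMESPACE < <(kubectl get -f "$file" -o jsonpath='{.kind} {.metadata.name} {.metadata.namespace}')`.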
@@ -92,4 +92,4 @@ jobs: run: ./tests/gh-actions/enable_restricted_PSS.sh - name: Debugging warnings - run: echo "Debugging workflow test" \ No newline at end of file + run: echo "Debugging workflow test" From b239d2a9f32ecf85c5a927374b1e1e13fa0159b6 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Wed, 4 Sep 2024 10:51:07 +0530 Subject: [PATCH 04/79] Increased timeout Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index 290f307b7..e884ae92e 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -76,7 +76,7 @@ jobs: EOF kubectl apply -k . rm ./kustomization.yaml - kubectl -n kubeflow wait --for=condition=Ready pods -l kustomize.component=profiles --timeout 180s + kubectl -n kubeflow wait --for=condition=Ready pods -l kustomize.component=profiles --timeout 200s - name: Unapply applied baseline values run: | From 13f5972989ccc26d09e995faf1231787650e4172 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Wed, 4 Sep 2024 11:02:04 +0530 Subject: [PATCH 05/79] Skip patching dynamic namespaces Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index e884ae92e..b8607de34 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml 
@@ -64,19 +64,19 @@ jobs: - name: Apply Pod Security Standards baseline levels for static namespaces run: ./tests/gh-actions/enable_baseline_PSS.sh - - name: Apply Pod Security Standards baseline levels for dynamic namespaces - run: | - cat << EOF > ./kustomization.yaml - apiVersion: kustomize.config.k8s.io/v1beta1 - kind: Kustomization - resources: - - apps/profiles/upstream/overlays/kubeflow - components: - - contrib/security/PSS/dynamic/baseline - EOF - kubectl apply -k . - rm ./kustomization.yaml - kubectl -n kubeflow wait --for=condition=Ready pods -l kustomize.component=profiles --timeout 200s + # - name: Apply Pod Security Standards baseline levels for dynamic namespaces + # run: | + # cat << EOF > ./kustomization.yaml + # apiVersion: kustomize.config.k8s.io/v1beta1 + # kind: Kustomization + # resources: + # - apps/profiles/upstream/overlays/kubeflow + # components: + # - contrib/security/PSS/dynamic/baseline + # EOF + # kubectl apply -k . + # rm ./kustomization.yaml + # kubectl -n kubeflow wait --for=condition=Ready pods -l kustomize.component=profiles --timeout 200s - name: Unapply applied baseline values run: | From 66f64932cd701953d3d31af683486c1ac28b8e21 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Wed, 4 Sep 2024 11:10:24 +0530 Subject: [PATCH 06/79] Remove debugging job Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index b8607de34..58f620424 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -90,6 +90,3 @@ jobs: - name: Applying Pod Security Standards restricted levels for static namespaces run: ./tests/gh-actions/enable_restricted_PSS.sh - - - name: Debugging warnings - run: echo "Debugging workflow test" From e8829c36bb462c5b87412d2f2316b0f667f1bd3f Mon Sep 17 00:00:00 2001 
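Review bot: Commenting out the whole "Apply Pod Security Standards baseline levels for dynamic namespaces" step drops that coverage without recording why, so a green run no longer says anything about the `contrib/security/PSS/dynamic/baseline` component and nobody reading the workflow later knows whether it is safe to re-enable. The surrounding timeout bumps suggest the profiles pods were not becoming Ready after patching, but that is inferred; please state the actual reason above the block, e.g. `# TODO(pss): dynamic-namespace baseline check disabled — profiles pods did not become Ready in CI after the security-context patches; re-enable once <issue> is fixed`. If the step is not coming back, delete it rather than leave a commented copy to drift.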
From: biswajit-9776 Date: Wed, 4 Sep 2024 21:00:05 +0530 Subject: [PATCH 07/79] Debugging by restarting deployments Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index 58f620424..934756d4e 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -61,6 +61,11 @@ jobs: fi done + - name: Restart oauth2-proxy deployment + run: | + kubectl rollout restart deployment oauth2-proxy -n oauth2-proxy + kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s -n oauth2-proxy + - name: Apply Pod Security Standards baseline levels for static namespaces run: ./tests/gh-actions/enable_baseline_PSS.sh From b22ced2f06a79113adbc6e6dd4c1346ac098657c Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Wed, 4 Sep 2024 21:07:31 +0530 Subject: [PATCH 08/79] Removed redundant line from patch Signed-off-by: biswajit-9776 --- contrib/security/PSS/patches/oauth2-proxy.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/contrib/security/PSS/patches/oauth2-proxy.yaml b/contrib/security/PSS/patches/oauth2-proxy.yaml index 4fc94e93a..7f9afacf6 100644 --- a/contrib/security/PSS/patches/oauth2-proxy.yaml +++ b/contrib/security/PSS/patches/oauth2-proxy.yaml @@ -4,7 +4,6 @@ metadata: name: oauth2-proxy namespace: oauth2-proxy spec: - replicas: 2 template: spec: containers: From ab29ecf694bbb10d366f7149ff0c703843b09700 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Wed, 4 Sep 2024 21:22:53 +0530 Subject: [PATCH 09/79] Replace restart with wait command Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index 934756d4e..c09779468 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml 
@@ -61,10 +61,8 @@ jobs: fi done - - name: Restart oauth2-proxy deployment - run: | - kubectl rollout restart deployment oauth2-proxy -n oauth2-proxy - kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s -n oauth2-proxy + - name: Wait for all pods to restart + run: kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=600s \ --field-selector=status.phase!=Succeeded - name: Apply Pod Security Standards baseline levels for static namespaces run: ./tests/gh-actions/enable_baseline_PSS.sh From 39bd95b0bae3c9e7bd8b2aad267ccdf82e86dda3 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Wed, 4 Sep 2024 23:19:54 +0530 Subject: [PATCH 10/79] Replace wait for all command with individual wait command Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index c09779468..b47f5e047 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -61,8 +61,8 @@ jobs: fi done - - name: Wait for all pods to restart - run: kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=600s \ --field-selector=status.phase!=Succeeded + - name: Wait for all oauth2-proxy pods to restart + run: kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=300s -n oauth2-proxy - name: Apply Pod Security Standards baseline levels for static namespaces run: ./tests/gh-actions/enable_baseline_PSS.sh From 5f0741a30bde149889ad1102731318aab269eb61 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Wed, 4 Sep 2024 23:29:09 +0530 Subject: [PATCH 11/79] Added wait command for pods in kubeflow namespace Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index b47f5e047..db62816a2 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -61,8 +61,10 @@ jobs: fi done - - name: Wait for all oauth2-proxy pods to restart - run: kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=300s -n oauth2-proxy + - name: Wait for all oauth2-proxy and kubeflow pods to restart + run: | + kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=300s -n oauth2-proxy + kubectl wait --for=condition-ready pods --all --timeout=300s -n kubeflow - name: Apply Pod Security Standards baseline levels for static namespaces run: ./tests/gh-actions/enable_baseline_PSS.sh From cbed79002b7c8a598b47d10fd1f6d92bf10cb07e Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Wed, 4 Sep 2024 23:34:39 +0530 Subject: [PATCH 12/79] Fixed linting Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index db62816a2..ebff3a791 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -64,7 +64,7 @@ jobs: - name: Wait for all oauth2-proxy and kubeflow pods to restart run: | kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=300s -n oauth2-proxy - kubectl wait --for=condition-ready pods --all --timeout=300s -n kubeflow + kubectl wait --for=condition=ready pods --all --timeout=300s -n kubeflow - name: Apply Pod Security Standards baseline levels for static namespaces run: ./tests/gh-actions/enable_baseline_PSS.sh From e00b5da747e64f201ed05e285dbcffba2e1a0c35 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Wed, 4 Sep 2024 23:48:52 +0530 Subject: [PATCH 13/79] Separated wait commands for separate namespaces 
Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index ebff3a791..8998ad30b 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -61,10 +61,11 @@ jobs: fi done - - name: Wait for all oauth2-proxy and kubeflow pods to restart - run: | - kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=300s -n oauth2-proxy - kubectl wait --for=condition=ready pods --all --timeout=300s -n kubeflow + - name: Wait for all oauth2-proxy pods to restart + run: kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=300s -n oauth2-proxy + + - name: Wait for all kubeflow pods to restart + run: kubectl wait --for=condition=ready pods --all --timeout=300s -n kubeflow - name: Apply Pod Security Standards baseline levels for static namespaces run: ./tests/gh-actions/enable_baseline_PSS.sh From 519fef49794b2f5aaf0f40e656238eb27cc88cfc Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Thu, 5 Sep 2024 00:00:23 +0530 Subject: [PATCH 14/79] Increased timeout to 600s Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index 8998ad30b..d3b19b4e7 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -65,7 +65,7 @@ jobs: run: kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=300s -n oauth2-proxy - name: Wait for all kubeflow pods to restart - run: kubectl wait --for=condition=ready pods --all --timeout=300s -n kubeflow + run: kubectl wait --for=condition=ready pods --all --timeout=600s -n kubeflow - name: Apply Pod Security Standards baseline levels for static namespaces run: ./tests/gh-actions/enable_baseline_PSS.sh 
From 928ffb9e287f73ef608e92ecbe9c93ae8b8ddc4c Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Thu, 5 Sep 2024 20:02:23 +0530 Subject: [PATCH 15/79] Added wait commands in loop Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index d3b19b4e7..b188a41e9 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -58,15 +58,20 @@ jobs: kubectl get "$KIND" "$NAME" -n "$NAMESPACE" &> /dev/null if [ $? -eq 0 ]; then kubectl patch "$KIND" "$NAME" -n "$NAMESPACE" --patch-file "$file" + if [ "$NAME" = "oauth2-proxy" ]; then + kubectl wait -n oauth2-proxy --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s + elif [ "$NAME" = "metadata-envoy-deployment" ]; then + kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-envoy' --timeout=180s + elif [ "$NAME" = "metadata-grpc-deployment" ]; then + kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-grpc-server' --timeout=180s + elif [ "$NAME" = "profiles-deployment" ]; then + kubectl wait -n kubeflow --for=condition=ready pod -l 'kustomize.component=profiles' --timeout=180s + else + kubectl wait -n "$NAMESPACE" --for=condition=ready pod -l 'app="$NAME"' --timeout=180s + fi fi done - - name: Wait for all oauth2-proxy pods to restart - run: kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=300s -n oauth2-proxy - - - name: Wait for all kubeflow pods to restart - run: kubectl wait --for=condition=ready pods --all --timeout=600s -n kubeflow - - name: Apply Pod Security Standards baseline levels for static namespaces run: ./tests/gh-actions/enable_baseline_PSS.sh From b504f36a5149a2c00b5b56668d6a9b28658288a8 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Thu, 5 Sep 2024 20:11:37 +0530 Subject: [PATCH 16/79] Fixed typo 
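Review bot: The per-patch `kubectl wait --for=condition=ready pod -l ...` added right after `kubectl patch` can return immediately because the pods of the old ReplicaSet are still Ready during the rolling update, so the loop does not actually prove that the patched pods start under the new security context. The generic `else` branch also assumes every workload carries `app=$NAME`; when no pod matches, `kubectl wait` exits non-zero with "no matching resources found", which is presumably why the name-specific branches keep growing. Since `KIND` is already known, `kubectl rollout status` on the patched object waits for the new revision and removes the label table; the `fi`/`done` of the enclosing loop are unchanged.
```yaml
            kubectl patch "$KIND" "$NAME" -n "$NAMESPACE" --patch-file "$file"
            # Wait on the rollout rather than on label-selected pods: pods of the
            # old ReplicaSet are still Ready during the rolling update, so a pod
            # wait can pass before the patched pods have started at all.
            case "$KIND" in
              Deployment|StatefulSet|DaemonSet)
                kubectl rollout status "$KIND/$NAME" -n "$NAMESPACE" --timeout=180s
                ;;
              *)
                echo "::warning::no rollout wait implemented for $KIND/$NAME"
                ;;
            esac
            # … unchanged: fi / done …
```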
Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index b188a41e9..752b18b97 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -67,7 +67,7 @@ jobs: elif [ "$NAME" = "profiles-deployment" ]; then kubectl wait -n kubeflow --for=condition=ready pod -l 'kustomize.component=profiles' --timeout=180s else - kubectl wait -n "$NAMESPACE" --for=condition=ready pod -l 'app="$NAME"' --timeout=180s + kubectl wait -n "$NAMESPACE" --for=condition=ready pod -l app="$NAME" --timeout=180s fi fi done From 363113cfa5bebfe528a93667612c1e73f451729c Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Thu, 5 Sep 2024 21:49:14 +0530 Subject: [PATCH 17/79] Debugging failing wait commands Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index 752b18b97..81ae105c8 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -67,7 +67,11 @@ jobs: elif [ "$NAME" = "profiles-deployment" ]; then kubectl wait -n kubeflow --for=condition=ready pod -l 'kustomize.component=profiles' --timeout=180s else - kubectl wait -n "$NAMESPACE" --for=condition=ready pod -l app="$NAME" --timeout=180s + kubectl wait -n "$NAMESPACE" --for=condition=ready pod -l app="$NAME" --timeout=250s + while [ $? -eq 0 ]; do + kubectl describe pod -l app="$NAME" -n "$NAMESPACE" + sleep 20 + done fi fi done From 63821aa1de906dd17048310da0bb3fee8aef6aee Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Fri, 6 Sep 2024 12:43:08 +0530 Subject: [PATCH 18/79] Added log process in background Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) 
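Review bot: In the "Debugging failing wait commands" hunk, `while [ $? -eq 0 ]` only sees the exit status of `kubectl wait` on the first iteration; afterwards `$?` is the status of `sleep 20`, which is always 0, so once the wait succeeds the loop describes the pod forever until the job timeout kills it, and when the wait fails the loop never runs and nothing is described — the inverse of the debugging intent. Test the wait directly instead: `if ! kubectl wait -n "$NAMESPACE" --for=condition=ready pod -l app="$NAME" --timeout=250s; then kubectl describe pod -l app="$NAME" -n "$NAMESPACE"; exit 1; fi`. The enclosing `for` loop starts outside this hunk.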
diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index 81ae105c8..ad0e4fab7 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -67,11 +67,15 @@ jobs: elif [ "$NAME" = "profiles-deployment" ]; then kubectl wait -n kubeflow --for=condition=ready pod -l 'kustomize.component=profiles' --timeout=180s else + log_pod() { + while [ $! -eq 0 ]; do + echo "Fetching logs for pod: $POD_NAME" + kubectl logs -n "$NAMESPACE" "$POD_NAME" + sleep 5 + done + } + log_pod & kubectl wait -n "$NAMESPACE" --for=condition=ready pod -l app="$NAME" --timeout=250s - while [ $? -eq 0 ]; do - kubectl describe pod -l app="$NAME" -n "$NAMESPACE" - sleep 20 - done fi fi done From c3a77980ec5acbbfe5a7dcb098383702f8e17ea0 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Fri, 6 Sep 2024 12:53:37 +0530 Subject: [PATCH 19/79] Fixed type Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index ad0e4fab7..6c799b3c2 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -68,7 +68,7 @@ jobs: kubectl wait -n kubeflow --for=condition=ready pod -l 'kustomize.component=profiles' --timeout=180s else log_pod() { - while [ $! -eq 0 ]; do + while [ $? -eq 0 ]; do echo "Fetching logs for pod: $POD_NAME" kubectl logs -n "$NAMESPACE" "$POD_NAME" sleep 5 From 262c78c8c035b02decbaec95bbb290add813c2a5 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Fri, 6 Sep 2024 13:00:00 +0530 Subject: [PATCH 20/79] Fixed typo Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index 6c799b3c2..8a5261716 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml 
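Review bot: The backgrounded `log_pod` function is never stopped: nothing records its PID and nothing kills it after `kubectl wait` returns, so with the `$?` condition the following commit switches to it will loop forever (`sleep` resets `$?` to 0), and a lingering child that still holds the step's stdout may keep the step from completing — that last part is inferred from how Actions waits on the shell, so verify. As written here `[ $! -eq 0 ]` is also a `test` syntax error because `$!` is unset inside the function, and `$POD_NAME` is never assigned. If the background logger stays, capture and reap it: `log_pod & LOG_PID=$!`, then after the wait `kill "$LOG_PID" 2>/dev/null || true`.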
@@ -69,8 +69,8 @@ jobs: else log_pod() { while [ $? -eq 0 ]; do - echo "Fetching logs for pod: $POD_NAME" - kubectl logs -n "$NAMESPACE" "$POD_NAME" + echo "Fetching logs for pod: $NAME" + kubectl logs -n "$NAMESPACE" "$NAME" sleep 5 done } From 9a21438e6f674d7bc6b4be433240e75acd98926e Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Fri, 6 Sep 2024 13:08:46 +0530 Subject: [PATCH 21/79] Added describe command Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index 8a5261716..cdeeb92b0 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -69,8 +69,8 @@ jobs: else log_pod() { while [ $? -eq 0 ]; do - echo "Fetching logs for pod: $NAME" - kubectl logs -n "$NAMESPACE" "$NAME" + echo "Describing pod: $NAME" + kubectl describe pod -l app="$NAME" -n "$NAMESPACE" sleep 5 done } From 86c95772391b0bcad772e249f691bb663d42c5cd Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Fri, 6 Sep 2024 13:24:42 +0530 Subject: [PATCH 22/79] Added runAsUser to debug Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 2 +- contrib/security/PSS/patches/cache-server.yaml | 1 + contrib/security/PSS/patches/kfam.yaml | 1 + .../PSS/patches/kubeflow-pipelines-profile-controller.yaml | 1 + contrib/security/PSS/patches/manager.yaml | 1 + contrib/security/PSS/patches/metadata-envoy-deployment.yaml | 1 + 6 files changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index cdeeb92b0..ef4e7ec93 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -71,7 +71,7 @@ jobs: while [ $? -eq 0 ]; do echo "Describing pod: $NAME" kubectl describe pod -l app="$NAME" -n "$NAMESPACE" - sleep 5 + sleep 30 done } log_pod & 
diff --git a/contrib/security/PSS/patches/cache-server.yaml b/contrib/security/PSS/patches/cache-server.yaml index 51c112302..728972640 100644 --- a/contrib/security/PSS/patches/cache-server.yaml +++ b/contrib/security/PSS/patches/cache-server.yaml @@ -13,6 +13,7 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/kfam.yaml b/contrib/security/PSS/patches/kfam.yaml index 0445d5376..ef34c0609 100644 --- a/contrib/security/PSS/patches/kfam.yaml +++ b/contrib/security/PSS/patches/kfam.yaml @@ -13,6 +13,7 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml b/contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml index 342ca70f6..df2caf1a0 100644 --- a/contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml +++ b/contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml @@ -13,6 +13,7 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/manager.yaml b/contrib/security/PSS/patches/manager.yaml index b4080721f..3050f2c70 100644 --- a/contrib/security/PSS/patches/manager.yaml +++ b/contrib/security/PSS/patches/manager.yaml @@ -13,6 +13,7 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/metadata-envoy-deployment.yaml b/contrib/security/PSS/patches/metadata-envoy-deployment.yaml index 717bd851c..024d64bf6 100644 --- a/contrib/security/PSS/patches/metadata-envoy-deployment.yaml +++ b/contrib/security/PSS/patches/metadata-envoy-deployment.yaml @@ -13,6 +13,7 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 capabilities: drop: - ALL 
From 3db6583a51e8457fecc79fd1e449b5a02651a0e5 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Fri, 6 Sep 2024 19:17:15 +0530 Subject: [PATCH 23/79] Added UID 1000 to all pods Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 8 -------- .../security/PSS/patches/metadata-grpc-deployment.yaml | 1 + contrib/security/PSS/patches/metadata-writer.yaml | 1 + contrib/security/PSS/patches/minio.yaml | 1 + .../PSS/patches/ml-pipeline-persistenceagent.yaml | 1 + .../PSS/patches/ml-pipeline-scheduledworkflow.yaml | 1 + contrib/security/PSS/patches/ml-pipeline-ui.yaml | 1 + contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml | 1 + .../PSS/patches/ml-pipeline-visualizationserver.yaml | 1 + contrib/security/PSS/patches/ml-pipeline.yaml | 1 + contrib/security/PSS/patches/mysql.yaml | 1 + contrib/security/PSS/patches/oauth2-proxy.yaml | 1 + 12 files changed, 11 insertions(+), 8 deletions(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index ef4e7ec93..35ea06856 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -67,14 +67,6 @@ jobs: elif [ "$NAME" = "profiles-deployment" ]; then kubectl wait -n kubeflow --for=condition=ready pod -l 'kustomize.component=profiles' --timeout=180s else - log_pod() { - while [ $? -eq 0 ]; do - echo "Describing pod: $NAME" - kubectl describe pod -l app="$NAME" -n "$NAMESPACE" - sleep 30 - done - } - log_pod & kubectl wait -n "$NAMESPACE" --for=condition=ready pod -l app="$NAME" --timeout=250s fi fi diff --git a/contrib/security/PSS/patches/metadata-grpc-deployment.yaml b/contrib/security/PSS/patches/metadata-grpc-deployment.yaml index af6971827..76a168ae6 100644 --- a/contrib/security/PSS/patches/metadata-grpc-deployment.yaml +++ b/contrib/security/PSS/patches/metadata-grpc-deployment.yaml @@ -13,6 +13,7 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 capabilities: drop: - ALL 
diff --git a/contrib/security/PSS/patches/metadata-writer.yaml b/contrib/security/PSS/patches/metadata-writer.yaml index 49f10ab0c..aedb184c7 100644 --- a/contrib/security/PSS/patches/metadata-writer.yaml +++ b/contrib/security/PSS/patches/metadata-writer.yaml @@ -13,6 +13,7 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/minio.yaml b/contrib/security/PSS/patches/minio.yaml index 896233f29..b83d67cf3 100644 --- a/contrib/security/PSS/patches/minio.yaml +++ b/contrib/security/PSS/patches/minio.yaml @@ -13,6 +13,7 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml b/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml index dfa05641c..92b549f99 100644 --- a/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml +++ b/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml @@ -13,6 +13,7 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml b/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml index bf9fc18e3..ec316d52a 100644 --- a/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml +++ b/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml @@ -13,6 +13,7 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/ml-pipeline-ui.yaml b/contrib/security/PSS/patches/ml-pipeline-ui.yaml index b5c35fcb4..5622c8575 100644 --- a/contrib/security/PSS/patches/ml-pipeline-ui.yaml +++ b/contrib/security/PSS/patches/ml-pipeline-ui.yaml @@ -13,6 +13,7 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 capabilities: drop: - ALL 
diff --git a/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml b/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml index a52470533..d6a043178 100644 --- a/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml +++ b/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml @@ -13,6 +13,7 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml b/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml index a2bc3450b..d175e4527 100644 --- a/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml +++ b/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml @@ -13,6 +13,7 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/ml-pipeline.yaml b/contrib/security/PSS/patches/ml-pipeline.yaml index 097ad1b8f..90d2e10bf 100644 --- a/contrib/security/PSS/patches/ml-pipeline.yaml +++ b/contrib/security/PSS/patches/ml-pipeline.yaml @@ -13,6 +13,7 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/mysql.yaml b/contrib/security/PSS/patches/mysql.yaml index b2663f5b5..7cd61b2dc 100644 --- a/contrib/security/PSS/patches/mysql.yaml +++ b/contrib/security/PSS/patches/mysql.yaml @@ -13,6 +13,7 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/oauth2-proxy.yaml b/contrib/security/PSS/patches/oauth2-proxy.yaml index 7f9afacf6..9150b7dbb 100644 --- a/contrib/security/PSS/patches/oauth2-proxy.yaml +++ b/contrib/security/PSS/patches/oauth2-proxy.yaml @@ -13,6 +13,7 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 capabilities: drop: - ALL 
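Review bot: Pinning `runAsUser: 1000` in the container securityContext of mysql.yaml (and minio.yaml in the file section above) is riskier than for the stateless services: both presumably write to a persistent data volume, and a volume owned by the image's own user is not writable by an arbitrary UID unless the pod-level securityContext also sets `fsGroup` — confirm against the images actually deployed before relying on these patches outside CI. `runAsUser` is not something the restricted profile requires (`runAsNonRoot: true` is); it is presumably here because the kubelet refuses to start a `runAsNonRoot` container when the image's `USER` is not numeric, and that reason should be recorded next to the field, e.g. `# numeric UID required: the kubelet cannot verify runAsNonRoot when the image USER is non-numeric`. The later revert of the UID for kfam and manager shows the value does not suit every image, so a one-line justification per patch file is worth keeping.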
From 74eb10e477a790fcac5954b40dc8f37c0d852c20 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Fri, 6 Sep 2024 19:44:33 +0530 Subject: [PATCH 24/79] Added single wait command Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index 35ea06856..f756faec2 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -71,6 +71,7 @@ jobs: fi fi done + # kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=600s --field-selector=status.phase!=Succeeded - name: Apply Pod Security Standards baseline levels for static namespaces run: ./tests/gh-actions/enable_baseline_PSS.sh From 9ace6acbd8a7f41ebeb25ee4dfeda8c7f3b39671 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Fri, 6 Sep 2024 20:10:09 +0530 Subject: [PATCH 25/79] Debugging Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index f756faec2..2ab7ab10e 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -67,6 +67,14 @@ jobs: elif [ "$NAME" = "profiles-deployment" ]; then kubectl wait -n kubeflow --for=condition=ready pod -l 'kustomize.component=profiles' --timeout=180s else + log_pod() { + while [ $? -eq 0 ]; do + echo "Fetching logs for pod: $NAME" + kubectl describe pod -l app="$NAME" -n "$NAMESPACE" + sleep 30 + done + } + log_pod & kubectl wait -n "$NAMESPACE" --for=condition=ready pod -l app="$NAME" --timeout=250s fi fi From 005500c36a7dafe7da2e2ac047caa9641ac1cba5 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Fri, 6 Sep 2024 20:19:53 +0530 Subject: [PATCH 26/79] Removed background process Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) 
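Review bot: The new `# kubectl wait --for=condition=Ready pods --all --all-namespaces ...` line is commented-out code inside the `run:` block with no explanation of why it is kept; an earlier commit in this series replaced the same command without a stated reason, so a reader cannot tell whether it is a pending alternative or a dead end. Either remove it or turn it into a note that says what happened, e.g. `# TODO: a cluster-wide wait was tried and dropped because <reason>; per-workload waits are used instead`. The "Debugging" hunk that follows re-adds the `log_pod &` loop with the `$?`/`sleep` problem already noted on the earlier version.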
diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index 2ab7ab10e..01adf08f3 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -67,14 +67,8 @@ jobs: elif [ "$NAME" = "profiles-deployment" ]; then kubectl wait -n kubeflow --for=condition=ready pod -l 'kustomize.component=profiles' --timeout=180s else - log_pod() { - while [ $? -eq 0 ]; do - echo "Fetching logs for pod: $NAME" - kubectl describe pod -l app="$NAME" -n "$NAMESPACE" - sleep 30 - done - } - log_pod & + echo "Fetching logs for pod: $NAME" + kubectl describe pod -l app="$NAME" -n "$NAMESPACE" kubectl wait -n "$NAMESPACE" --for=condition=ready pod -l app="$NAME" --timeout=250s fi fi From 77f400a73bbd4878afbbdbb5b10e7345e261f805 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Fri, 6 Sep 2024 20:56:17 +0530 Subject: [PATCH 27/79] Increased timeout Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index 01adf08f3..e609f3bd6 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -69,7 +69,7 @@ jobs: else echo "Fetching logs for pod: $NAME" kubectl describe pod -l app="$NAME" -n "$NAMESPACE" - kubectl wait -n "$NAMESPACE" --for=condition=ready pod -l app="$NAME" --timeout=250s + kubectl wait -n "$NAMESPACE" --for=condition=ready pod -l app="$NAME" --timeout=600s fi fi done From 6f9d201c468a88f4b36275d547a3dd0e6afc7374 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Fri, 6 Sep 2024 21:03:44 +0530 Subject: [PATCH 28/79] Retesting Signed-off-by: biswajit-9776 From 241f9481a162190b0304b9fc1d95b7ede8139b08 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Fri, 6 Sep 2024 21:20:42 +0530 Subject: [PATCH 29/79] Removed UID from profile controller 
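Review bot: In the "Removed background process" hunk the message `echo "Fetching logs for pod: $NAME"` is followed by `kubectl describe`, not `kubectl logs`, so the CI output labels the wrong thing; and describing before the wait mostly shows pods from before the restart, which is not what you want when the wait later fails. Describe on failure instead: `kubectl wait -n "$NAMESPACE" --for=condition=ready pod -l app="$NAME" --timeout=600s || { kubectl describe pod -l app="$NAME" -n "$NAMESPACE"; exit 1; }`. With the timeout raised to 600s per patch file, the loop's worst case is 600s times the number of files, which may exceed the job's time limit — check that budget.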
Signed-off-by: biswajit-9776 --- contrib/security/PSS/patches/kfam.yaml | 1 - contrib/security/PSS/patches/manager.yaml | 1 - 2 files changed, 2 deletions(-) diff --git a/contrib/security/PSS/patches/kfam.yaml b/contrib/security/PSS/patches/kfam.yaml index ef34c0609..0445d5376 100644 --- a/contrib/security/PSS/patches/kfam.yaml +++ b/contrib/security/PSS/patches/kfam.yaml @@ -13,7 +13,6 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true - runAsUser: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/manager.yaml b/contrib/security/PSS/patches/manager.yaml index 3050f2c70..b4080721f 100644 --- a/contrib/security/PSS/patches/manager.yaml +++ b/contrib/security/PSS/patches/manager.yaml @@ -13,7 +13,6 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true - runAsUser: 1000 capabilities: drop: - ALL From a564ded3e156eac93157d06b19d82e2fc918bce2 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Fri, 6 Sep 2024 21:31:09 +0530 Subject: [PATCH 30/79] Debugging profiles-controller Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index e609f3bd6..d12d5f8ab 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -65,6 +65,7 @@ jobs: elif [ "$NAME" = "metadata-grpc-deployment" ]; then kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-grpc-server' --timeout=180s elif [ "$NAME" = "profiles-deployment" ]; then + kubectl describe pod -l 'kustomize.component=profiles' -n kubeflow kubectl wait -n kubeflow --for=condition=ready pod -l 'kustomize.component=profiles' --timeout=180s else echo "Fetching logs for pod: $NAME" From 3de18f41e1072c93a63a9014c661e7e540ecbef4 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Fri, 6 Sep 2024 21:44:33 +0530 Subject: [PATCH 31/79] Increased timeout for profiles-controller 
Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index d12d5f8ab..c062cc881 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -66,7 +66,7 @@ jobs: kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-grpc-server' --timeout=180s elif [ "$NAME" = "profiles-deployment" ]; then kubectl describe pod -l 'kustomize.component=profiles' -n kubeflow - kubectl wait -n kubeflow --for=condition=ready pod -l 'kustomize.component=profiles' --timeout=180s + kubectl wait -n kubeflow --for=condition=ready pod -l 'kustomize.component=profiles' --timeout=300s else echo "Fetching logs for pod: $NAME" kubectl describe pod -l app="$NAME" -n "$NAMESPACE" From b7dd0bf287295b2d4b822909a3bbb95fe8aba79c Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Sat, 7 Sep 2024 02:20:16 +0530 Subject: [PATCH 32/79] Pausing patch to profile-controller Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index c062cc881..59264d57e 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml 
@@ -65,8 +65,8 @@ jobs: elif [ "$NAME" = "metadata-grpc-deployment" ]; then kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-grpc-server' --timeout=180s elif [ "$NAME" = "profiles-deployment" ]; then - kubectl describe pod -l 'kustomize.component=profiles' -n kubeflow - kubectl wait -n kubeflow --for=condition=ready pod -l 'kustomize.component=profiles' --timeout=300s + # kubectl describe pod -l 'kustomize.component=profiles' -n kubeflow + # kubectl wait -n kubeflow --for=condition=ready pod -l 'kustomize.component=profiles' --timeout=300s else echo "Fetching logs for pod: $NAME" kubectl describe pod -l app="$NAME" -n "$NAMESPACE" From c5ccd37c26a99fe582327955bbb76e682add462c Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Sat, 7 Sep 2024 02:26:23 +0530 Subject: [PATCH 33/79] Fixed indentation Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index 59264d57e..ae0aad520 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -64,9 +64,9 @@ jobs: kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-envoy' --timeout=180s elif [ "$NAME" = "metadata-grpc-deployment" ]; then kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-grpc-server' --timeout=180s - elif [ "$NAME" = "profiles-deployment" ]; then - # kubectl describe pod -l 'kustomize.component=profiles' -n kubeflow - # kubectl wait -n kubeflow --for=condition=ready pod -l 'kustomize.component=profiles' --timeout=300s + # elif [ "$NAME" = "profiles-deployment" ]; then + # kubectl describe pod -l 'kustomize.component=profiles' -n kubeflow + # kubectl wait -n kubeflow --for=condition=ready pod -l 'kustomize.component=profiles' --timeout=300s else echo "Fetching logs for pod: $NAME" kubectl describe pod -l app="$NAME" -n "$NAMESPACE" 
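Review bot: Commenting out both statements of the `profiles-deployment` branch leaves `elif ...; then` followed directly by `else`, which bash rejects as a syntax error, so this step will fail to parse rather than skip the wait. A body that intentionally does nothing should contain the null command, e.g. `:  # wait intentionally skipped for profiles-deployment`, with the two kubectl lines either kept below it or deleted outright since git history keeps them. The if/elif chain begins and ends outside this hunk.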
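Review bot: Commenting out the `elif` line makes the script parse again, but it also changes behaviour: `profiles-deployment` now falls through to the `else` branch and waits on `-l app="$NAME"` for up to 600s. The branch being disabled selected those pods with `kustomize.component=profiles`, which suggests the `app=profiles-deployment` label may not match anything, in which case the wait runs to its timeout and fails the step. If the wait for this component is meant to be skipped, keep the `elif` with a `:` body rather than routing it into the generic branch.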
From 94a351f667fdde30f885964cc5be0afd428f527c Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Sat, 7 Sep 2024 02:34:00 +0530 Subject: [PATCH 34/79] Fixed error Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index ae0aad520..5108343c0 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -64,9 +64,10 @@ jobs: kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-envoy' --timeout=180s elif [ "$NAME" = "metadata-grpc-deployment" ]; then kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-grpc-server' --timeout=180s - # elif [ "$NAME" = "profiles-deployment" ]; then - # kubectl describe pod -l 'kustomize.component=profiles' -n kubeflow - # kubectl wait -n kubeflow --for=condition=ready pod -l 'kustomize.component=profiles' --timeout=300s + elif [ "$NAME" = "profiles-deployment" ]; then + echo " " + # kubectl describe pod -l 'kustomize.component=profiles' -n kubeflow + # kubectl wait -n kubeflow --for=condition=ready pod -l 'kustomize.component=profiles' --timeout=300s else echo "Fetching logs for pod: $NAME" kubectl describe pod -l app="$NAME" -n "$NAMESPACE" From 17a35c4b3913c2caebc7e5af9943f928453c5102 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Sat, 7 Sep 2024 02:44:43 +0530 Subject: [PATCH 35/79] Fixed error Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index 5108343c0..e4b09d906 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml 
@@ -65,7 +65,7 @@ jobs: elif [ "$NAME" = "metadata-grpc-deployment" ]; then kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-grpc-server' --timeout=180s elif [ "$NAME" = "profiles-deployment" ]; then - echo " " + echo "skipping this patch" # kubectl describe pod -l 'kustomize.component=profiles' -n kubeflow # kubectl wait -n kubeflow --for=condition=ready pod -l 'kustomize.component=profiles' --timeout=300s else From 7f521f2e566e52f95d59bb3b459078b6d8568f51 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Sat, 7 Sep 2024 03:01:35 +0530 Subject: [PATCH 36/79] Fixed error Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index e4b09d906..c78bea2d4 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -64,7 +64,7 @@ jobs: kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-envoy' --timeout=180s elif [ "$NAME" = "metadata-grpc-deployment" ]; then kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-grpc-server' --timeout=180s - elif [ "$NAME" = "profiles-deployment" ]; then + elif [ "$NAME" = "profiles-deployment" -o "$NAME" = "ml-pipeline" ]; then echo "skipping this patch" # kubectl describe pod -l 'kustomize.component=profiles' -n kubeflow # kubectl wait -n kubeflow --for=condition=ready pod -l 'kustomize.component=profiles' --timeout=300s From 04fb9a7749233f7fb61d2bb962fda68d6ec60523 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Sat, 7 Sep 2024 20:13:45 +0530 Subject: [PATCH 37/79] Debugging cache-server Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index c78bea2d4..03975be9d 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml 
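Review bot: The message `echo "skipping this patch"` is misleading: `kubectl patch` has already been applied to the object earlier in the loop (outside this hunk), and what this branch skips is only the readiness wait for `profiles-deployment` and `ml-pipeline`. Something like `echo "patched $NAME; readiness wait skipped"` would describe what actually happens. The `-o` operator inside a single `[ ... ]` is marked obsolescent by POSIX and flagged by shellcheck (SC2166); `elif [ "$NAME" = "profiles-deployment" ] || [ "$NAME" = "ml-pipeline" ]; then` is the portable form. The enclosing if/elif chain starts and ends outside this hunk.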
@@ -60,6 +60,9 @@ jobs: kubectl patch "$KIND" "$NAME" -n "$NAMESPACE" --patch-file "$file" if [ "$NAME" = "oauth2-proxy" ]; then kubectl wait -n oauth2-proxy --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s + elif [ "$NAME" = "cache-server" ]; then + kubectl rollout restart deployment cache-server -n kubeflow + kubectl wait -n kubeflow --for=condition=ready pod -l 'app=cache-server' --timeout=180s elif [ "$NAME" = "metadata-envoy-deployment" ]; then kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-envoy' --timeout=180s elif [ "$NAME" = "metadata-grpc-deployment" ]; then @@ -70,7 +73,7 @@ jobs: # kubectl wait -n kubeflow --for=condition=ready pod -l 'kustomize.component=profiles' --timeout=300s else echo "Fetching logs for pod: $NAME" - kubectl describe pod -l app="$NAME" -n "$NAMESPACE" + # kubectl describe pod -l app="$NAME" -n "$NAMESPACE" kubectl wait -n "$NAMESPACE" --for=condition=ready pod -l app="$NAME" --timeout=600s fi fi From 09e0c84b547a5bb121ad2d8dc7550c50a931e045 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Sat, 7 Sep 2024 20:22:21 +0530 Subject: [PATCH 38/79] Debugging cache-server Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index 03975be9d..51ae7b703 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -62,6 +62,7 @@ jobs: kubectl wait -n oauth2-proxy --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s elif [ "$NAME" = "cache-server" ]; then kubectl rollout restart deployment cache-server -n kubeflow + kubectl describe pod -l 'app=cache-server' -n kubeflow kubectl wait -n kubeflow --for=condition=ready pod -l 'app=cache-server' --timeout=180s elif [ "$NAME" = "metadata-envoy-deployment" ]; then kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-envoy' --timeout=180s 
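Review bot: The new `cache-server` branch hard-codes `deployment cache-server -n kubeflow` even though `$KIND`, `$NAME` and `$NAMESPACE` already hold exactly those values from the jsonpath lookups above the hunk; `kubectl rollout restart "$KIND/$NAME" -n "$NAMESPACE"` keeps the branch correct if the patch file is renamed or moved. The restart is also presumably redundant: if the patch file modifies the pod template (the securityContext patches in this series do), the Deployment controller starts a rollout on its own, and an extra restart only adds a second replacement of the pods. In the second hunk of this commit the `kubectl describe` call is commented out but the `echo "Fetching logs for pod: $NAME"` line stays, so the step now logs a promise it does not keep. The surrounding `for` loop starts and ends outside this hunk.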
From 74922903bdb72ffadc450fb16f377cfec3b00d9f Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Sat, 7 Sep 2024 20:30:52 +0530 Subject: [PATCH 39/79] Increased timeout for cache-server Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index 51ae7b703..c43bc2f46 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -63,7 +63,7 @@ jobs: elif [ "$NAME" = "cache-server" ]; then kubectl rollout restart deployment cache-server -n kubeflow kubectl describe pod -l 'app=cache-server' -n kubeflow - kubectl wait -n kubeflow --for=condition=ready pod -l 'app=cache-server' --timeout=180s + kubectl wait -n kubeflow --for=condition=ready pod -l 'app=cache-server' --timeout=300s elif [ "$NAME" = "metadata-envoy-deployment" ]; then kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-envoy' --timeout=180s elif [ "$NAME" = "metadata-grpc-deployment" ]; then From bd13b6d4f5661bceb0e27d9cd71703128b897574 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Sat, 7 Sep 2024 20:43:25 +0530 Subject: [PATCH 40/79] Debugging Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index c43bc2f46..d2ca00943 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml 
@@ -60,10 +60,6 @@ jobs: kubectl patch "$KIND" "$NAME" -n "$NAMESPACE" --patch-file "$file" if [ "$NAME" = "oauth2-proxy" ]; then kubectl wait -n oauth2-proxy --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s - elif [ "$NAME" = "cache-server" ]; then - kubectl rollout restart deployment cache-server -n kubeflow - kubectl describe pod -l 'app=cache-server' -n kubeflow - kubectl wait -n kubeflow --for=condition=ready pod -l 'app=cache-server' --timeout=300s elif [ "$NAME" = "metadata-envoy-deployment" ]; then kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-envoy' --timeout=180s elif [ "$NAME" = "metadata-grpc-deployment" ]; then @@ -75,6 +71,7 @@ jobs: else echo "Fetching logs for pod: $NAME" # kubectl describe pod -l app="$NAME" -n "$NAMESPACE" + kubectl rollout restart "$KIND" -n "$NAMESPACE" kubectl wait -n "$NAMESPACE" --for=condition=ready pod -l app="$NAME" --timeout=600s fi fi From 5cc7aa6af9ae005e066aeca1304e13a1cb31f02f Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Sat, 7 Sep 2024 20:59:50 +0530 Subject: [PATCH 41/79] Deleting pods exclusively Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index d2ca00943..029c1683f 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -71,7 +71,7 @@ jobs: else echo "Fetching logs for pod: $NAME" # kubectl describe pod -l app="$NAME" -n "$NAMESPACE" - kubectl rollout restart "$KIND" -n "$NAMESPACE" + kubectl delete pod -l app="$NAME" -n "$NAMESPACE" kubectl wait -n "$NAMESPACE" --for=condition=ready pod -l app="$NAME" --timeout=600s fi fi From 43f6b3b2326eb4a6345df05089a3d66a792f0a4d Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Mon, 9 Sep 2024 08:02:59 +0530 Subject: [PATCH 42/79] Added GID 
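Review bot: `kubectl rollout restart "$KIND" -n "$NAMESPACE"` in the second hunk names a resource type but no object, so as far as I can tell it restarts every resource of that kind in the namespace rather than only the one that was just patched, which in the kubeflow namespace means restarting all deployments once per patch file. It should be `kubectl rollout restart "$KIND/$NAME" -n "$NAMESPACE"`. As in the earlier cache-server branch, the restart is presumably unnecessary when the patch changes the pod template, since the controller already rolls the pods; if it is kept, a comment explaining why the automatic rollout is not enough would help the next reader. The enclosing if/else and `for` loop start and end outside this hunk.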
Signed-off-by: biswajit-9776 --- contrib/security/PSS/patches/cache-server.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/contrib/security/PSS/patches/cache-server.yaml b/contrib/security/PSS/patches/cache-server.yaml index 728972640..f8fc2b520 100644 --- a/contrib/security/PSS/patches/cache-server.yaml +++ b/contrib/security/PSS/patches/cache-server.yaml @@ -14,6 +14,7 @@ spec: type: RuntimeDefault runAsNonRoot: true runAsUser: 1000 + runAsGroup: 0 capabilities: drop: - ALL From a495be7fac7b034233ee2faa917c367306402a27 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Mon, 9 Sep 2024 09:13:14 +0530 Subject: [PATCH 43/79] Debugging cache-server Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index 029c1683f..ef4e2758b 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -71,7 +71,7 @@ jobs: else echo "Fetching logs for pod: $NAME" # kubectl describe pod -l app="$NAME" -n "$NAMESPACE" - kubectl delete pod -l app="$NAME" -n "$NAMESPACE" + # kubectl delete pod -l app="$NAME" -n "$NAMESPACE" kubectl wait -n "$NAMESPACE" --for=condition=ready pod -l app="$NAME" --timeout=600s fi fi From f49607276c3baf50f515053ee05ef1230f951734 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Mon, 9 Sep 2024 18:03:24 +0530 Subject: [PATCH 44/79] Sleeping for 300s Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 33 +++++++++++++++++---------------- 1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index ef4e2758b..a544c64ff 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml 
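Review bot: `runAsGroup: 0` sets the primary group to the root group while `runAsNonRoot: true` only constrains the UID, so this still passes the restricted profile but gives the process group-level access to any file in the image that is group-owned by root and group-writable. If GID 0 is required because the image's files are laid out that way, say so in a comment next to the field, e.g. `runAsGroup: 0  # image files are root-group owned; UID is still non-root`; otherwise a non-zero group is the safer default for a securityContext hardening patch. The surrounding container spec starts and ends outside this hunk.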
@@ -58,24 +58,25 @@ jobs: kubectl get "$KIND" "$NAME" -n "$NAMESPACE" &> /dev/null if [ $? -eq 0 ]; then kubectl patch "$KIND" "$NAME" -n "$NAMESPACE" --patch-file "$file" - if [ "$NAME" = "oauth2-proxy" ]; then - kubectl wait -n oauth2-proxy --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s - elif [ "$NAME" = "metadata-envoy-deployment" ]; then - kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-envoy' --timeout=180s - elif [ "$NAME" = "metadata-grpc-deployment" ]; then - kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-grpc-server' --timeout=180s - elif [ "$NAME" = "profiles-deployment" -o "$NAME" = "ml-pipeline" ]; then - echo "skipping this patch" - # kubectl describe pod -l 'kustomize.component=profiles' -n kubeflow - # kubectl wait -n kubeflow --for=condition=ready pod -l 'kustomize.component=profiles' --timeout=300s - else - echo "Fetching logs for pod: $NAME" - # kubectl describe pod -l app="$NAME" -n "$NAMESPACE" - # kubectl delete pod -l app="$NAME" -n "$NAMESPACE" - kubectl wait -n "$NAMESPACE" --for=condition=ready pod -l app="$NAME" --timeout=600s - fi + # if [ "$NAME" = "oauth2-proxy" ]; then + # kubectl wait -n oauth2-proxy --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s + # elif [ "$NAME" = "metadata-envoy-deployment" ]; then + # kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-envoy' --timeout=180s + # elif [ "$NAME" = "metadata-grpc-deployment" ]; then + # kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-grpc-server' --timeout=180s + # elif [ "$NAME" = "profiles-deployment" -o "$NAME" = "ml-pipeline" ]; then + # echo "skipping this patch" + # # kubectl describe pod -l 'kustomize.component=profiles' -n kubeflow + # # kubectl wait -n kubeflow --for=condition=ready pod -l 'kustomize.component=profiles' --timeout=300s + # else + # echo "Fetching logs for pod: $NAME" + # # kubectl describe 
pod -l app="$NAME" -n "$NAMESPACE" + # # kubectl delete pod -l app="$NAME" -n "$NAMESPACE" + # kubectl wait -n "$NAMESPACE" --for=condition=ready pod -l app="$NAME" --timeout=600s + # fi fi done + sleep 300 # kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=600s --field-selector=status.phase!=Succeeded - name: Apply Pod Security Standards baseline levels for static namespaces From 523febc6b394b19807e4b1ba4dd472c5f96961a3 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Mon, 9 Sep 2024 18:21:42 +0530 Subject: [PATCH 45/79] Updated GID to 1000 Signed-off-by: biswajit-9776 --- contrib/security/PSS/patches/cache-server.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/security/PSS/patches/cache-server.yaml b/contrib/security/PSS/patches/cache-server.yaml index f8fc2b520..212b406e7 100644 --- a/contrib/security/PSS/patches/cache-server.yaml +++ b/contrib/security/PSS/patches/cache-server.yaml @@ -14,7 +14,7 @@ spec: type: RuntimeDefault runAsNonRoot: true runAsUser: 1000 - runAsGroup: 0 + runAsGroup: 1000 capabilities: drop: - ALL From cdbea53bf7f92034a21f8aeef524682451987a3d Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Mon, 9 Sep 2024 18:33:45 +0530 Subject: [PATCH 46/79] Added GID to all pods 
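Review bot: `sleep 300` replaces the conditional `kubectl wait` calls with a fixed delay that neither fails when a pod never becomes ready nor finishes early when everything is up, so the step is both slower and less informative than before. The commented line directly below it, `kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=600s --field-selector=status.phase!=Succeeded`, is the precise check and would make a failed rollout fail the job instead of surfacing later in the PSS steps. The seventeen commented-out `# if ... # fi` lines should be deleted rather than kept: git history preserves them, and a block of commented shell inside a YAML literal is easy to misread as active when the `#` is later dropped. The `run:` script and its `for` loop start before this hunk.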
Signed-off-by: biswajit-9776 --- .../PSS/patches/kubeflow-pipelines-profile-controller.yaml | 1 + contrib/security/PSS/patches/metadata-envoy-deployment.yaml | 1 + contrib/security/PSS/patches/metadata-grpc-deployment.yaml | 1 + contrib/security/PSS/patches/metadata-writer.yaml | 1 + contrib/security/PSS/patches/minio.yaml | 1 + contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml | 1 + contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml | 1 + contrib/security/PSS/patches/ml-pipeline-ui.yaml | 1 + contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml | 1 + .../security/PSS/patches/ml-pipeline-visualizationserver.yaml | 1 + contrib/security/PSS/patches/ml-pipeline.yaml | 1 + contrib/security/PSS/patches/mysql.yaml | 1 + 12 files changed, 12 insertions(+) diff --git a/contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml b/contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml index df2caf1a0..4b5bde14b 100644 --- a/contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml +++ b/contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml @@ -13,6 +13,7 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsGroup: 1000 runAsUser: 1000 capabilities: drop: diff --git a/contrib/security/PSS/patches/metadata-envoy-deployment.yaml b/contrib/security/PSS/patches/metadata-envoy-deployment.yaml index 024d64bf6..ab9d9b95b 100644 --- a/contrib/security/PSS/patches/metadata-envoy-deployment.yaml +++ b/contrib/security/PSS/patches/metadata-envoy-deployment.yaml @@ -14,6 +14,7 @@ spec: type: RuntimeDefault runAsNonRoot: true runAsUser: 1000 + runAsGroup: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/metadata-grpc-deployment.yaml b/contrib/security/PSS/patches/metadata-grpc-deployment.yaml index 76a168ae6..0ed907fb0 100644 --- a/contrib/security/PSS/patches/metadata-grpc-deployment.yaml +++ b/contrib/security/PSS/patches/metadata-grpc-deployment.yaml 
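Review bot: In `kubeflow-pipelines-profile-controller.yaml` the new `runAsGroup: 1000` is inserted before `runAsUser: 1000`, whereas the eleven other patch files in this commit add it after `runAsUser`; keeping the same key order in every file makes the patches diff against each other cleanly. Every component, including `minio.yaml` and `mysql.yaml`, is given UID/GID 1000 here; whether those images' data directories are accessible to that identity is not visible in the patch, and volume-backed workloads usually also need a pod-level `fsGroup` so mounted volumes are group-accessible — worth confirming before these patches are applied outside CI. The container spec each hunk patches starts and ends outside the hunk.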
@@ -14,6 +14,7 @@ spec: type: RuntimeDefault runAsNonRoot: true runAsUser: 1000 + runAsGroup: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/metadata-writer.yaml b/contrib/security/PSS/patches/metadata-writer.yaml index aedb184c7..e12b596dd 100644 --- a/contrib/security/PSS/patches/metadata-writer.yaml +++ b/contrib/security/PSS/patches/metadata-writer.yaml @@ -14,6 +14,7 @@ spec: type: RuntimeDefault runAsNonRoot: true runAsUser: 1000 + runAsGroup: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/minio.yaml b/contrib/security/PSS/patches/minio.yaml index b83d67cf3..e3710b78e 100644 --- a/contrib/security/PSS/patches/minio.yaml +++ b/contrib/security/PSS/patches/minio.yaml @@ -14,6 +14,7 @@ spec: type: RuntimeDefault runAsNonRoot: true runAsUser: 1000 + runAsGroup: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml b/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml index 92b549f99..ff25bd60b 100644 --- a/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml +++ b/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml @@ -14,6 +14,7 @@ spec: type: RuntimeDefault runAsNonRoot: true runAsUser: 1000 + runAsGroup: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml b/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml index ec316d52a..3f6a6cc1c 100644 --- a/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml +++ b/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml @@ -14,6 +14,7 @@ spec: type: RuntimeDefault runAsNonRoot: true runAsUser: 1000 + runAsGroup: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/ml-pipeline-ui.yaml b/contrib/security/PSS/patches/ml-pipeline-ui.yaml index 5622c8575..134f46b61 100644 --- a/contrib/security/PSS/patches/ml-pipeline-ui.yaml +++ b/contrib/security/PSS/patches/ml-pipeline-ui.yaml 
@@ -14,6 +14,7 @@ spec: type: RuntimeDefault runAsNonRoot: true runAsUser: 1000 + runAsGroup: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml b/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml index d6a043178..201125e34 100644 --- a/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml +++ b/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml @@ -14,6 +14,7 @@ spec: type: RuntimeDefault runAsNonRoot: true runAsUser: 1000 + runAsGroup: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml b/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml index d175e4527..a27b67f7f 100644 --- a/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml +++ b/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml @@ -14,6 +14,7 @@ spec: type: RuntimeDefault runAsNonRoot: true runAsUser: 1000 + runAsGroup: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/ml-pipeline.yaml b/contrib/security/PSS/patches/ml-pipeline.yaml index 90d2e10bf..2412165a6 100644 --- a/contrib/security/PSS/patches/ml-pipeline.yaml +++ b/contrib/security/PSS/patches/ml-pipeline.yaml @@ -14,6 +14,7 @@ spec: type: RuntimeDefault runAsNonRoot: true runAsUser: 1000 + runAsGroup: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/mysql.yaml b/contrib/security/PSS/patches/mysql.yaml index 7cd61b2dc..418c18f43 100644 --- a/contrib/security/PSS/patches/mysql.yaml +++ b/contrib/security/PSS/patches/mysql.yaml @@ -14,6 +14,7 @@ spec: type: RuntimeDefault runAsNonRoot: true runAsUser: 1000 + runAsGroup: 1000 capabilities: drop: - ALL From cb04ee9d879ef15bd09fd695ede2c4e008df5aa5 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Mon, 9 Sep 2024 18:56:39 +0530 Subject: [PATCH 47/79] Checking pods securityContext 
Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index a544c64ff..f234e6f9a 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -58,6 +58,7 @@ jobs: kubectl get "$KIND" "$NAME" -n "$NAMESPACE" &> /dev/null if [ $? -eq 0 ]; then kubectl patch "$KIND" "$NAME" -n "$NAMESPACE" --patch-file "$file" + sleep 30 # if [ "$NAME" = "oauth2-proxy" ]; then # kubectl wait -n oauth2-proxy --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s # elif [ "$NAME" = "metadata-envoy-deployment" ]; then @@ -76,7 +77,15 @@ jobs: # fi fi done - sleep 300 + for file in "$DIRECTORY"/*.yaml; do + KIND=$(kubectl get -f "$file" -o jsonpath='{.kind}') + NAME=$(kubectl get -f "$file" -o jsonpath='{.metadata.name}') + NAMESPACE=$(kubectl get -f "$file" -o jsonpath='{.metadata.namespace}') + if [ $? -eq 0 ]; then + kubectl get pod -l app="$NAME" -n "$NAMESPACE" -o yaml | grep -A 10 securityContext + fi + done + # sleep 300 # kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=600s --field-selector=status.phase!=Succeeded - name: Apply Pod Security Standards baseline levels for static namespaces From 8448450e3c22b73d933b73a3b04b11466c9d361c Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Mon, 9 Sep 2024 19:32:40 +0530 Subject: [PATCH 48/79] Debugging Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index f234e6f9a..08edf6be1 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml 
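Review bot: The `sleep 30` added after `kubectl patch` is a fixed delay paid once per patch file, so the step's runtime grows linearly with the number of patches while still giving no guarantee that the rollout finished. `kubectl rollout status "$KIND/$NAME" -n "$NAMESPACE" --timeout=180s` waits exactly as long as needed and fails the job when the patched template never becomes available. The enclosing `if [ $? -eq 0 ]` and `for` loop start and end outside this hunk.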
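Review bot: The new verification loop repeats the three `kubectl get -f "$file" -o jsonpath=...` lookups from the patch loop above, so every file now costs six API calls, and the `if [ $? -eq 0 ]` that follows tests the status of the `NAMESPACE=$(...)` assignment (i.e. whether the jsonpath read of the file succeeded), not whether the object exists in the cluster as the first loop checks. A single read such as `read -r KIND NAME NAMESPACE < <(kubectl get -f "$file" -o jsonpath='{.kind} {.metadata.name} {.metadata.namespace}')` in both loops would remove the duplication, and the existence check should be the same `kubectl get "$KIND" "$NAME" -n "$NAMESPACE"` call used earlier. The `grep -A 10 securityContext` will print both the pod-level and each container-level block, which is presumably what is wanted but could be stated in a comment. The `run:` script starts before this hunk and the commented `sleep`/`wait` lines after it are unchanged.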
@@ -81,6 +81,7 @@ jobs: KIND=$(kubectl get -f "$file" -o jsonpath='{.kind}') NAME=$(kubectl get -f "$file" -o jsonpath='{.metadata.name}') NAMESPACE=$(kubectl get -f "$file" -o jsonpath='{.metadata.namespace}') + kubectl get "$KIND" "$NAME" -n "$NAMESPACE" &> /dev/null if [ $? -eq 0 ]; then kubectl get pod -l app="$NAME" -n "$NAMESPACE" -o yaml | grep -A 10 securityContext fi From 233dc59d3384cdcebacf397d5acdc0ab18dc99f3 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Mon, 9 Sep 2024 20:04:06 +0530 Subject: [PATCH 49/79] Debugging without IDs Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 18 ++++++++++++++++-- contrib/security/PSS/patches/cache-server.yaml | 2 -- .../kubeflow-pipelines-profile-controller.yaml | 2 -- .../PSS/patches/metadata-envoy-deployment.yaml | 2 -- .../PSS/patches/metadata-grpc-deployment.yaml | 2 -- .../security/PSS/patches/metadata-writer.yaml | 2 -- contrib/security/PSS/patches/minio.yaml | 2 -- .../patches/ml-pipeline-persistenceagent.yaml | 2 -- .../patches/ml-pipeline-scheduledworkflow.yaml | 2 -- .../security/PSS/patches/ml-pipeline-ui.yaml | 2 -- .../PSS/patches/ml-pipeline-viewer-crd.yaml | 2 -- .../ml-pipeline-visualizationserver.yaml | 2 -- contrib/security/PSS/patches/ml-pipeline.yaml | 2 -- contrib/security/PSS/patches/mysql.yaml | 2 -- contrib/security/PSS/patches/oauth2-proxy.yaml | 1 - 15 files changed, 16 insertions(+), 29 deletions(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index 08edf6be1..e0acbe329 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -58,7 +58,6 @@ jobs: kubectl get "$KIND" "$NAME" -n "$NAMESPACE" &> /dev/null if [ $? -eq 0 ]; then kubectl patch "$KIND" "$NAME" -n "$NAMESPACE" --patch-file "$file" - sleep 30 # if [ "$NAME" = "oauth2-proxy" ]; then # kubectl wait -n oauth2-proxy --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s # elif [ "$NAME" = "metadata-envoy-deployment" ]; then 
@@ -83,7 +82,22 @@ jobs: NAMESPACE=$(kubectl get -f "$file" -o jsonpath='{.metadata.namespace}') kubectl get "$KIND" "$NAME" -n "$NAMESPACE" &> /dev/null if [ $? -eq 0 ]; then - kubectl get pod -l app="$NAME" -n "$NAMESPACE" -o yaml | grep -A 10 securityContext + if [ "$NAME" = "oauth2-proxy" ]; then + echo "Fetching logs for pod: $NAME" + kubectl describe pod -l app.kubernetes.io/name: oauth2-proxy -n oauth2-proxy + elif [ "$NAME" = "metadata-envoy-deployment" ]; then + echo "Fetching logs for pod: $NAME" + kubectl describe pod -l 'component=metadata-envoy' -n kubeflow + elif [ "$NAME" = "metadata-grpc-deployment" ]; then + echo "Fetching logs for pod: $NAME" + kubectl describe pod -l 'component=metadata-grpc-server' -n kubeflow + elif [ "$NAME" = "profiles-deployment" -o "$NAME" = "ml-pipeline" ]; then + echo "Fetching logs for pod: $NAME" + kubectl describe pod -l 'kustomize.component=profiles' -n kubeflow + else + echo "Fetching logs for pod: $NAME" + kubectl describe pod -l app="$NAME" -n "$NAMESPACE" + fi fi done # sleep 300 diff --git a/contrib/security/PSS/patches/cache-server.yaml b/contrib/security/PSS/patches/cache-server.yaml index 212b406e7..51c112302 100644 --- a/contrib/security/PSS/patches/cache-server.yaml +++ b/contrib/security/PSS/patches/cache-server.yaml @@ -13,8 +13,6 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml b/contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml index 4b5bde14b..342ca70f6 100644 --- a/contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml +++ b/contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml @@ -13,8 +13,6 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true - runAsGroup: 1000 - runAsUser: 1000 capabilities: drop: - ALL 
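Review bot: The `oauth2-proxy` branch has a broken selector: `-l app.kubernetes.io/name: oauth2-proxy` is unquoted and uses `: ` instead of `=`, so the shell passes `app.kubernetes.io/name:` and `oauth2-proxy` as two separate arguments and kubectl will reject the command. The same label is written correctly elsewhere in this file as `-l 'app.kubernetes.io/name=oauth2-proxy'`, so the line should read `kubectl describe pod -l 'app.kubernetes.io/name=oauth2-proxy' -n oauth2-proxy`. The shared `profiles-deployment`/`ml-pipeline` branch describes pods with `kustomize.component=profiles` for both names, which presumably returns nothing for `ml-pipeline`; and since every branch starts with the identical `echo "Fetching logs for pod: $NAME"`, that line belongs once above the `if`. Separately, with `runAsUser` removed from the patch files in this commit, `runAsNonRoot: true` is now enforced from each image's `USER` at container start, so a numeric non-root `USER` in every patched image becomes a precondition worth recording in the commit message.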
diff --git a/contrib/security/PSS/patches/metadata-envoy-deployment.yaml b/contrib/security/PSS/patches/metadata-envoy-deployment.yaml index ab9d9b95b..717bd851c 100644 --- a/contrib/security/PSS/patches/metadata-envoy-deployment.yaml +++ b/contrib/security/PSS/patches/metadata-envoy-deployment.yaml @@ -13,8 +13,6 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/metadata-grpc-deployment.yaml b/contrib/security/PSS/patches/metadata-grpc-deployment.yaml index 0ed907fb0..af6971827 100644 --- a/contrib/security/PSS/patches/metadata-grpc-deployment.yaml +++ b/contrib/security/PSS/patches/metadata-grpc-deployment.yaml @@ -13,8 +13,6 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/metadata-writer.yaml b/contrib/security/PSS/patches/metadata-writer.yaml index e12b596dd..49f10ab0c 100644 --- a/contrib/security/PSS/patches/metadata-writer.yaml +++ b/contrib/security/PSS/patches/metadata-writer.yaml @@ -13,8 +13,6 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/minio.yaml b/contrib/security/PSS/patches/minio.yaml index e3710b78e..896233f29 100644 --- a/contrib/security/PSS/patches/minio.yaml +++ b/contrib/security/PSS/patches/minio.yaml @@ -13,8 +13,6 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml b/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml index ff25bd60b..dfa05641c 100644 --- a/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml +++ b/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml 
@@ -13,8 +13,6 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml b/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml index 3f6a6cc1c..bf9fc18e3 100644 --- a/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml +++ b/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml @@ -13,8 +13,6 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/ml-pipeline-ui.yaml b/contrib/security/PSS/patches/ml-pipeline-ui.yaml index 134f46b61..b5c35fcb4 100644 --- a/contrib/security/PSS/patches/ml-pipeline-ui.yaml +++ b/contrib/security/PSS/patches/ml-pipeline-ui.yaml @@ -13,8 +13,6 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml b/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml index 201125e34..a52470533 100644 --- a/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml +++ b/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml @@ -13,8 +13,6 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml b/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml index a27b67f7f..a2bc3450b 100644 --- a/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml +++ b/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml @@ -13,8 +13,6 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 1000 capabilities: drop: - ALL 
diff --git a/contrib/security/PSS/patches/ml-pipeline.yaml b/contrib/security/PSS/patches/ml-pipeline.yaml index 2412165a6..097ad1b8f 100644 --- a/contrib/security/PSS/patches/ml-pipeline.yaml +++ b/contrib/security/PSS/patches/ml-pipeline.yaml @@ -13,8 +13,6 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/mysql.yaml b/contrib/security/PSS/patches/mysql.yaml index 418c18f43..b2663f5b5 100644 --- a/contrib/security/PSS/patches/mysql.yaml +++ b/contrib/security/PSS/patches/mysql.yaml @@ -13,8 +13,6 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/oauth2-proxy.yaml b/contrib/security/PSS/patches/oauth2-proxy.yaml index 9150b7dbb..7f9afacf6 100644 --- a/contrib/security/PSS/patches/oauth2-proxy.yaml +++ b/contrib/security/PSS/patches/oauth2-proxy.yaml @@ -13,7 +13,6 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true - runAsUser: 1000 capabilities: drop: - ALL From 4bbbdeb2a04cf5d04fcd998590532eb0c4a8c34f Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Wed, 11 Sep 2024 22:41:26 +0530 Subject: [PATCH 50/79] Debugging 
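Review bot: For the mysql hunk, removing `runAsUser`/`runAsGroup` but keeping `runAsNonRoot: true` is the riskiest of this batch: database images commonly start their entrypoint as root and drop to a service user themselves, and with `runAsNonRoot: true` and no explicit UID the kubelet would reject such an image outright instead of letting the entrypoint switch users. Please verify the mysql image's `USER` before relying on it, and if it does not declare a numeric non-root user, keep an explicit `runAsUser` matching the UID that owns `/var/lib/mysql` in the image and on the PVC, otherwise the pod either fails to start or cannot write its data directory. The oauth2-proxy hunk in the same commit only drops `runAsUser` and never had a `runAsGroup`, so that one at least stays consistent with its image-defined identity, but the same verification applies.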
Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 50 +++++++++---------- .../security/PSS/patches/cache-server.yaml | 2 + contrib/security/PSS/patches/kfam.yaml | 1 + ...kubeflow-pipelines-profile-controller.yaml | 1 + contrib/security/PSS/patches/manager.yaml | 1 + .../patches/metadata-envoy-deployment.yaml | 1 + .../PSS/patches/metadata-grpc-deployment.yaml | 1 + .../security/PSS/patches/metadata-writer.yaml | 1 + contrib/security/PSS/patches/minio.yaml | 1 + .../patches/ml-pipeline-persistenceagent.yaml | 2 + .../ml-pipeline-scheduledworkflow.yaml | 1 + .../security/PSS/patches/ml-pipeline-ui.yaml | 1 + .../PSS/patches/ml-pipeline-viewer-crd.yaml | 1 + .../ml-pipeline-visualizationserver.yaml | 1 + contrib/security/PSS/patches/ml-pipeline.yaml | 1 + 15 files changed, 41 insertions(+), 25 deletions(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index e0acbe329..ff319a644 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml 
@@ -76,32 +76,32 @@ jobs: # fi fi done - for file in "$DIRECTORY"/*.yaml; do - KIND=$(kubectl get -f "$file" -o jsonpath='{.kind}') - NAME=$(kubectl get -f "$file" -o jsonpath='{.metadata.name}') - NAMESPACE=$(kubectl get -f "$file" -o jsonpath='{.metadata.namespace}') - kubectl get "$KIND" "$NAME" -n "$NAMESPACE" &> /dev/null - if [ $? -eq 0 ]; then - if [ "$NAME" = "oauth2-proxy" ]; then - echo "Fetching logs for pod: $NAME" - kubectl describe pod -l app.kubernetes.io/name: oauth2-proxy -n oauth2-proxy - elif [ "$NAME" = "metadata-envoy-deployment" ]; then - echo "Fetching logs for pod: $NAME" - kubectl describe pod -l 'component=metadata-envoy' -n kubeflow - elif [ "$NAME" = "metadata-grpc-deployment" ]; then - echo "Fetching logs for pod: $NAME" - kubectl describe pod -l 'component=metadata-grpc-server' -n kubeflow - elif [ "$NAME" = "profiles-deployment" -o "$NAME" = "ml-pipeline" ]; then - echo "Fetching logs for pod: $NAME" - kubectl describe pod -l 'kustomize.component=profiles' -n kubeflow - else - echo "Fetching logs for pod: $NAME" - kubectl describe pod -l app="$NAME" -n "$NAMESPACE" - fi - fi - done + # for file in "$DIRECTORY"/*.yaml; do + # KIND=$(kubectl get -f "$file" -o jsonpath='{.kind}') + # NAME=$(kubectl get -f "$file" -o jsonpath='{.metadata.name}') + # NAMESPACE=$(kubectl get -f "$file" -o jsonpath='{.metadata.namespace}') + # kubectl get "$KIND" "$NAME" -n "$NAMESPACE" &> /dev/null + # if [ $? 
-eq 0 ]; then + # if [ "$NAME" = "oauth2-proxy" ]; then + # echo "Fetching logs for pod: $NAME" + # kubectl describe pod -l app.kubernetes.io/name=oauth2-proxy -n oauth2-proxy + # elif [ "$NAME" = "metadata-envoy-deployment" ]; then + # echo "Fetching logs for pod: $NAME" + # kubectl describe pod -l 'component=metadata-envoy' -n kubeflow + # elif [ "$NAME" = "metadata-grpc-deployment" ]; then + # echo "Fetching logs for pod: $NAME" + # kubectl describe pod -l 'component=metadata-grpc-server' -n kubeflow + # elif [ "$NAME" = "profiles-deployment" -o "$NAME" = "ml-pipeline" ]; then + # echo "Fetching logs for pod: $NAME" + # kubectl describe pod -l 'kustomize.component=profiles' -n kubeflow + # else + # echo "Fetching logs for pod: $NAME" + # kubectl describe pod -l app="$NAME" -n "$NAMESPACE" + # fi + # fi + # done # sleep 300 - # kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=600s --field-selector=status.phase!=Succeeded + kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=600s --field-selector=status.phase!=Succeeded - name: Apply Pod Security Standards baseline levels for static namespaces run: ./tests/gh-actions/enable_baseline_PSS.sh diff --git a/contrib/security/PSS/patches/cache-server.yaml b/contrib/security/PSS/patches/cache-server.yaml index 51c112302..f8fc2b520 100644 --- a/contrib/security/PSS/patches/cache-server.yaml +++ b/contrib/security/PSS/patches/cache-server.yaml @@ -13,6 +13,8 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 0 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/kfam.yaml b/contrib/security/PSS/patches/kfam.yaml index 0445d5376..ef34c0609 100644 --- a/contrib/security/PSS/patches/kfam.yaml +++ b/contrib/security/PSS/patches/kfam.yaml @@ -13,6 +13,7 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 capabilities: drop: - ALL 
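Review bot: Roughly twenty-five lines of commented-out debug loop are left in the workflow and then toggled on and off across successive "Debugging" commits, which makes the step hard to read and hides the one line that matters; remove the commented block (git history keeps it) and keep only `kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=600s --field-selector=status.phase!=Succeeded`. That wait will sit out the full 600s on any pod stuck in Failed/Pending, which is the correct outcome for CI but leaves no record of which pod it was; a follow-up step with `if: failure()` running `kubectl get pods -A` and `kubectl describe pods -A` would make the failure diagnosable without the ad-hoc loop. The enclosing `run:` script begins before this hunk.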
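Review bot: In the cache-server hunk `runAsGroup: 0` makes the process's primary group root; the restricted Pod Security Standard does not inspect `runAsGroup`, so this still passes the policy, but GID 0 grants group-level access to every root-group-writable path in the image and on mounted volumes, which is broader than a dedicated GID. If the reason is that the image's files are only group-root readable (the arbitrary-UID convention), say so next to the field, e.g. `# GID 0 only for group-root file access; no capabilities or root privilege follow from the GID`, so the next reviewer does not tighten it back to 1000 by mistake. Note also that in this commit only cache-server and ml-pipeline-persistenceagent receive `runAsGroup: 0` while the other twelve patches get only `runAsUser: 1000`; if that asymmetry is not intentional it is worth reconciling in one place rather than file by file.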
diff --git a/contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml b/contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml index 342ca70f6..df2caf1a0 100644 --- a/contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml +++ b/contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml @@ -13,6 +13,7 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/manager.yaml b/contrib/security/PSS/patches/manager.yaml index b4080721f..3050f2c70 100644 --- a/contrib/security/PSS/patches/manager.yaml +++ b/contrib/security/PSS/patches/manager.yaml @@ -13,6 +13,7 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/metadata-envoy-deployment.yaml b/contrib/security/PSS/patches/metadata-envoy-deployment.yaml index 717bd851c..024d64bf6 100644 --- a/contrib/security/PSS/patches/metadata-envoy-deployment.yaml +++ b/contrib/security/PSS/patches/metadata-envoy-deployment.yaml @@ -13,6 +13,7 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/metadata-grpc-deployment.yaml b/contrib/security/PSS/patches/metadata-grpc-deployment.yaml index af6971827..76a168ae6 100644 --- a/contrib/security/PSS/patches/metadata-grpc-deployment.yaml +++ b/contrib/security/PSS/patches/metadata-grpc-deployment.yaml @@ -13,6 +13,7 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/metadata-writer.yaml b/contrib/security/PSS/patches/metadata-writer.yaml index 49f10ab0c..aedb184c7 100644 --- a/contrib/security/PSS/patches/metadata-writer.yaml +++ b/contrib/security/PSS/patches/metadata-writer.yaml 
@@ -13,6 +13,7 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/minio.yaml b/contrib/security/PSS/patches/minio.yaml index 896233f29..b83d67cf3 100644 --- a/contrib/security/PSS/patches/minio.yaml +++ b/contrib/security/PSS/patches/minio.yaml @@ -13,6 +13,7 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml b/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml index dfa05641c..4a0f57f23 100644 --- a/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml +++ b/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml @@ -13,6 +13,8 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 0 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml b/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml index bf9fc18e3..ec316d52a 100644 --- a/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml +++ b/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml @@ -13,6 +13,7 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/ml-pipeline-ui.yaml b/contrib/security/PSS/patches/ml-pipeline-ui.yaml index b5c35fcb4..5622c8575 100644 --- a/contrib/security/PSS/patches/ml-pipeline-ui.yaml +++ b/contrib/security/PSS/patches/ml-pipeline-ui.yaml @@ -13,6 +13,7 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml b/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml index a52470533..d6a043178 100644 --- a/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml 
+++ b/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml @@ -13,6 +13,7 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml b/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml index a2bc3450b..d175e4527 100644 --- a/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml +++ b/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml @@ -13,6 +13,7 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/ml-pipeline.yaml b/contrib/security/PSS/patches/ml-pipeline.yaml index 097ad1b8f..90d2e10bf 100644 --- a/contrib/security/PSS/patches/ml-pipeline.yaml +++ b/contrib/security/PSS/patches/ml-pipeline.yaml @@ -13,6 +13,7 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 capabilities: drop: - ALL From 9d8d641ef72816580a303a9d308a60538eb3ecb0 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Wed, 11 Sep 2024 23:04:24 +0530 Subject: [PATCH 51/79] Debugging Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index ff319a644..973b3547c 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -100,8 +100,8 @@ jobs: # fi # fi # done - # sleep 300 - kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=600s --field-selector=status.phase!=Succeeded + sleep 300 + # kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=600s --field-selector=status.phase!=Succeeded - name: Apply Pod Security Standards baseline levels for static namespaces run: ./tests/gh-actions/enable_baseline_PSS.sh From f31179a813101bdea47faf392ad60a13d67155f2 Mon Sep 17 00:00:00 2001 
From: biswajit-9776 Date: Thu, 12 Sep 2024 12:13:43 +0530 Subject: [PATCH 52/79] Debugging Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 51 +++++++++++++++++---------------- 1 file changed, 26 insertions(+), 25 deletions(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index 973b3547c..2a38f1a5c 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml 
@@ -76,31 +76,32 @@ jobs: # fi fi done - # for file in "$DIRECTORY"/*.yaml; do - # KIND=$(kubectl get -f "$file" -o jsonpath='{.kind}') - # NAME=$(kubectl get -f "$file" -o jsonpath='{.metadata.name}') - # NAMESPACE=$(kubectl get -f "$file" -o jsonpath='{.metadata.namespace}') - # kubectl get "$KIND" "$NAME" -n "$NAMESPACE" &> /dev/null - # if [ $? -eq 0 ]; then - # if [ "$NAME" = "oauth2-proxy" ]; then - # echo "Fetching logs for pod: $NAME" - # kubectl describe pod -l app.kubernetes.io/name=oauth2-proxy -n oauth2-proxy - # elif [ "$NAME" = "metadata-envoy-deployment" ]; then - # echo "Fetching logs for pod: $NAME" - # kubectl describe pod -l 'component=metadata-envoy' -n kubeflow - # elif [ "$NAME" = "metadata-grpc-deployment" ]; then - # echo "Fetching logs for pod: $NAME" - # kubectl describe pod -l 'component=metadata-grpc-server' -n kubeflow - # elif [ "$NAME" = "profiles-deployment" -o "$NAME" = "ml-pipeline" ]; then - # echo "Fetching logs for pod: $NAME" - # kubectl describe pod -l 'kustomize.component=profiles' -n kubeflow - # else - # echo "Fetching logs for pod: $NAME" - # kubectl describe pod -l app="$NAME" -n "$NAMESPACE" - # fi - # fi - # done - sleep 300 + sleep 60 + for file in "$DIRECTORY"/*.yaml; do + KIND=$(kubectl get -f "$file" -o jsonpath='{.kind}') + NAME=$(kubectl get -f "$file" -o jsonpath='{.metadata.name}') + NAMESPACE=$(kubectl get -f "$file" -o jsonpath='{.metadata.namespace}') + kubectl get "$KIND" "$NAME" -n "$NAMESPACE" &> /dev/null + if [ $? 
-eq 0 ]; then + if [ "$NAME" = "oauth2-proxy" ]; then + echo "Fetching logs for pod: $NAME" + kubectl describe pod -l app.kubernetes.io/name=oauth2-proxy -n oauth2-proxy + elif [ "$NAME" = "metadata-envoy-deployment" ]; then + echo "Fetching logs for pod: $NAME" + kubectl describe pod -l 'component=metadata-envoy' -n kubeflow + elif [ "$NAME" = "metadata-grpc-deployment" ]; then + echo "Fetching logs for pod: $NAME" + kubectl describe pod -l 'component=metadata-grpc-server' -n kubeflow + elif [ "$NAME" = "profiles-deployment" ]; then + echo "Fetching logs for pod: $NAME" + kubectl describe pod -l 'kustomize.component=profiles' -n kubeflow + else + echo "Fetching logs for pod: $NAME" + kubectl describe pod -l app="$NAME" -n "$NAMESPACE" + fi + fi + done + # sleep 60 # kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=600s --field-selector=status.phase!=Succeeded - name: Apply Pod Security Standards baseline levels for static namespaces From c4693b16caf2985c1752a41b4d4572c7782af565 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Thu, 12 Sep 2024 18:46:17 +0530 Subject: [PATCH 53/79] Added GID Signed-off-by: biswajit-9776 --- contrib/security/PSS/patches/kfam.yaml | 1 + .../PSS/patches/kubeflow-pipelines-profile-controller.yaml | 1 + contrib/security/PSS/patches/manager.yaml | 1 + contrib/security/PSS/patches/metadata-envoy-deployment.yaml | 1 + contrib/security/PSS/patches/metadata-grpc-deployment.yaml | 1 + contrib/security/PSS/patches/metadata-writer.yaml | 1 + contrib/security/PSS/patches/minio.yaml | 1 + contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml | 1 + contrib/security/PSS/patches/ml-pipeline-ui.yaml | 1 + contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml | 1 + .../security/PSS/patches/ml-pipeline-visualizationserver.yaml | 1 + contrib/security/PSS/patches/ml-pipeline.yaml | 1 + contrib/security/PSS/patches/mysql.yaml | 2 ++ 13 files changed, 14 insertions(+) 
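Review bot: The `sleep 60` before the describe loop is a fixed delay that neither guarantees the patched rollouts have progressed nor fails when they have not, so a pod that never comes up still lets the step succeed. Running `kubectl rollout status "$KIND/$NAME" -n "$NAMESPACE" --timeout=180s` right after each `kubectl patch` gives a deterministic wait with a non-zero exit on failure, and it would also retire the per-name label-selector chain, whose `else` branch assumes every workload is labelled `app=$NAME`. While here, the `kubectl get … &> /dev/null` followed by `if [ $? -eq 0 ]` is clearer as `if kubectl get "$KIND" "$NAME" -n "$NAMESPACE" &>/dev/null; then`. The enclosing `run:` script starts before this hunk.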
diff --git a/contrib/security/PSS/patches/kfam.yaml b/contrib/security/PSS/patches/kfam.yaml index ef34c0609..1ad3d2430 100644 --- a/contrib/security/PSS/patches/kfam.yaml +++ b/contrib/security/PSS/patches/kfam.yaml @@ -14,6 +14,7 @@ spec: type: RuntimeDefault runAsNonRoot: true runAsUser: 1000 + runAsGroup: 0 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml b/contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml index df2caf1a0..de95a8a26 100644 --- a/contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml +++ b/contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml @@ -14,6 +14,7 @@ spec: type: RuntimeDefault runAsNonRoot: true runAsUser: 1000 + runAsGroup: 0 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/manager.yaml b/contrib/security/PSS/patches/manager.yaml index 3050f2c70..deece6802 100644 --- a/contrib/security/PSS/patches/manager.yaml +++ b/contrib/security/PSS/patches/manager.yaml @@ -14,6 +14,7 @@ spec: type: RuntimeDefault runAsNonRoot: true runAsUser: 1000 + runAsGroup: 0 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/metadata-envoy-deployment.yaml b/contrib/security/PSS/patches/metadata-envoy-deployment.yaml index 024d64bf6..d540ba98e 100644 --- a/contrib/security/PSS/patches/metadata-envoy-deployment.yaml +++ b/contrib/security/PSS/patches/metadata-envoy-deployment.yaml @@ -14,6 +14,7 @@ spec: type: RuntimeDefault runAsNonRoot: true runAsUser: 1000 + runAsGroup: 0 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/metadata-grpc-deployment.yaml b/contrib/security/PSS/patches/metadata-grpc-deployment.yaml index 76a168ae6..2392bc0f7 100644 --- a/contrib/security/PSS/patches/metadata-grpc-deployment.yaml +++ b/contrib/security/PSS/patches/metadata-grpc-deployment.yaml 
@@ -14,6 +14,7 @@ spec: type: RuntimeDefault runAsNonRoot: true runAsUser: 1000 + runAsGroup: 0 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/metadata-writer.yaml b/contrib/security/PSS/patches/metadata-writer.yaml index aedb184c7..6e597e667 100644 --- a/contrib/security/PSS/patches/metadata-writer.yaml +++ b/contrib/security/PSS/patches/metadata-writer.yaml @@ -14,6 +14,7 @@ spec: type: RuntimeDefault runAsNonRoot: true runAsUser: 1000 + runAsGroup: 0 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/minio.yaml b/contrib/security/PSS/patches/minio.yaml index b83d67cf3..35ce8d5ba 100644 --- a/contrib/security/PSS/patches/minio.yaml +++ b/contrib/security/PSS/patches/minio.yaml @@ -14,6 +14,7 @@ spec: type: RuntimeDefault runAsNonRoot: true runAsUser: 1000 + runAsGroup: 0 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml b/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml index ec316d52a..46e27a7d5 100644 --- a/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml +++ b/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml @@ -14,6 +14,7 @@ spec: type: RuntimeDefault runAsNonRoot: true runAsUser: 1000 + runAsGroup: 0 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/ml-pipeline-ui.yaml b/contrib/security/PSS/patches/ml-pipeline-ui.yaml index 5622c8575..9d86557c3 100644 --- a/contrib/security/PSS/patches/ml-pipeline-ui.yaml +++ b/contrib/security/PSS/patches/ml-pipeline-ui.yaml @@ -14,6 +14,7 @@ spec: type: RuntimeDefault runAsNonRoot: true runAsUser: 1000 + runAsGroup: 0 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml b/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml index d6a043178..f099a17f2 100644 --- a/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml +++ b/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml 
@@ -14,6 +14,7 @@ spec: type: RuntimeDefault runAsNonRoot: true runAsUser: 1000 + runAsGroup: 0 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml b/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml index d175e4527..8b1233944 100644 --- a/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml +++ b/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml @@ -14,6 +14,7 @@ spec: type: RuntimeDefault runAsNonRoot: true runAsUser: 1000 + runAsGroup: 0 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/ml-pipeline.yaml b/contrib/security/PSS/patches/ml-pipeline.yaml index 90d2e10bf..8ab9e6628 100644 --- a/contrib/security/PSS/patches/ml-pipeline.yaml +++ b/contrib/security/PSS/patches/ml-pipeline.yaml @@ -14,6 +14,7 @@ spec: type: RuntimeDefault runAsNonRoot: true runAsUser: 1000 + runAsGroup: 0 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/mysql.yaml b/contrib/security/PSS/patches/mysql.yaml index b2663f5b5..0464b89fb 100644 --- a/contrib/security/PSS/patches/mysql.yaml +++ b/contrib/security/PSS/patches/mysql.yaml @@ -13,6 +13,8 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 0 capabilities: drop: - ALL From d9b6250e5d782762e9463b5326cb4c016d3e8757 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Thu, 12 Sep 2024 19:35:05 +0530 Subject: [PATCH 54/79] Debugging Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index 2a38f1a5c..678a15422 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml 
@@ -104,6 +104,9 @@ jobs: # sleep 60 # kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=600s --field-selector=status.phase!=Succeeded + - name: Restarting cache-server + run: kubectl rollout restart deployment cache-server -n kubeflow + - name: Apply Pod Security Standards baseline levels for static namespaces run: ./tests/gh-actions/enable_baseline_PSS.sh From 5a2f71187d8bb9bce1bdfe4edb648541722c57bb Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Thu, 12 Sep 2024 19:43:05 +0530 Subject: [PATCH 55/79] Debugging Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index 678a15422..4a9e19c5c 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -105,7 +105,9 @@ jobs: # kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=600s --field-selector=status.phase!=Succeeded - name: Restarting cache-server - run: kubectl rollout restart deployment cache-server -n kubeflow + run: | + kubectl rollout restart deployment cache-server -n kubeflow + kubectl wait --for=condition=ready pod -l app=cache-server -n kubeflow --timeot=180s - name: Apply Pod Security Standards baseline levels for static namespaces run: ./tests/gh-actions/enable_baseline_PSS.sh From c59a8f8bb07888a1c0150aeb0ad29e8f43aa46a7 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Thu, 12 Sep 2024 19:53:49 +0530 Subject: [PATCH 56/79] Debugging Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index 4a9e19c5c..e2966119b 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml 
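Review bot: In the "Restarting cache-server" step, `--timeot=180s` is misspelled, so kubectl exits with an unknown-flag error and the step fails before it ever waits. Even with the flag fixed, `kubectl wait --for=condition=ready pod -l app=cache-server` after a `rollout restart` races with the old ReplicaSet's pod, which is still Ready (or Terminating) while the new one starts, so it can return before the restarted pod is actually up; `kubectl rollout status deployment/cache-server -n kubeflow --timeout=180s` waits specifically for the new revision. The step also gives no reason for the restart — a template change from `kubectl patch` already triggers a rollout — so if there is a concrete trigger (an env or secret change the pod reads only at start-up, presumably), record it in a comment above the step rather than leaving a bare restart.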
@@ -107,7 +107,7 @@ jobs: - name: Restarting cache-server run: | kubectl rollout restart deployment cache-server -n kubeflow - kubectl wait --for=condition=ready pod -l app=cache-server -n kubeflow --timeot=180s + kubectl wait --for=condition=ready pod -l app=cache-server -n kubeflow --timeout=180s - name: Apply Pod Security Standards baseline levels for static namespaces run: ./tests/gh-actions/enable_baseline_PSS.sh From 8754c92b4c9cba7fc9dd35146df025fbade4aa3e Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Thu, 12 Sep 2024 20:13:15 +0530 Subject: [PATCH 57/79] Debugging Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 64 +++++++++++++++++++-------------- 1 file changed, 37 insertions(+), 27 deletions(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index e2966119b..0bda23bab 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml 
@@ -77,37 +77,47 @@ jobs: fi done sleep 60 - for file in "$DIRECTORY"/*.yaml; do - KIND=$(kubectl get -f "$file" -o jsonpath='{.kind}') - NAME=$(kubectl get -f "$file" -o jsonpath='{.metadata.name}') - NAMESPACE=$(kubectl get -f "$file" -o jsonpath='{.metadata.namespace}') - kubectl get "$KIND" "$NAME" -n "$NAMESPACE" &> /dev/null - if [ $? -eq 0 ]; then - if [ "$NAME" = "oauth2-proxy" ]; then - echo "Fetching logs for pod: $NAME" - kubectl describe pod -l app.kubernetes.io/name=oauth2-proxy -n oauth2-proxy - elif [ "$NAME" = "metadata-envoy-deployment" ]; then - echo "Fetching logs for pod: $NAME" - kubectl describe pod -l 'component=metadata-envoy' -n kubeflow - elif [ "$NAME" = "metadata-grpc-deployment" ]; then - echo "Fetching logs for pod: $NAME" - kubectl describe pod -l 'component=metadata-grpc-server' -n kubeflow - elif [ "$NAME" = "profiles-deployment" ]; then - echo "Fetching logs for pod: $NAME" - kubectl describe pod -l 'kustomize.component=profiles' -n kubeflow - else - echo "Fetching logs for pod: $NAME" - kubectl describe pod -l app="$NAME" -n "$NAMESPACE" - fi - fi - done + # for file in "$DIRECTORY"/*.yaml; do + # KIND=$(kubectl get -f "$file" -o jsonpath='{.kind}') + # NAME=$(kubectl get -f "$file" -o jsonpath='{.metadata.name}') + # NAMESPACE=$(kubectl get -f "$file" -o jsonpath='{.metadata.namespace}') + # kubectl get "$KIND" "$NAME" -n "$NAMESPACE" &> /dev/null + # if [ $? 
-eq 0 ]; then + # if [ "$NAME" = "oauth2-proxy" ]; then + # echo "Fetching logs for pod: $NAME" + # kubectl describe pod -l app.kubernetes.io/name=oauth2-proxy -n oauth2-proxy + # elif [ "$NAME" = "metadata-envoy-deployment" ]; then + # echo "Fetching logs for pod: $NAME" + # kubectl describe pod -l 'component=metadata-envoy' -n kubeflow + # elif [ "$NAME" = "metadata-grpc-deployment" ]; then + # echo "Fetching logs for pod: $NAME" + # kubectl describe pod -l 'component=metadata-grpc-server' -n kubeflow + # elif [ "$NAME" = "profiles-deployment" ]; then + # echo "Fetching logs for pod: $NAME" + # kubectl describe pod -l 'kustomize.component=profiles' -n kubeflow + # else + # echo "Fetching logs for pod: $NAME" + # kubectl describe pod -l app="$NAME" -n "$NAMESPACE" + # fi + # fi + # done # sleep 60 # kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=600s --field-selector=status.phase!=Succeeded - - name: Restarting cache-server + - name: Reapplying all resources run: | - kubectl rollout restart deployment cache-server -n kubeflow - kubectl wait --for=condition=ready pod -l app=cache-server -n kubeflow --timeout=180s + kustomize build common/kubeflow-namespace/base | kubectl apply -f - + ./tests/gh-actions/install_cert_manager.sh + ./tests/gh-actions/install_istio_with_ext_auth.sh + kustomize build common/istio-1-22/kubeflow-istio-resources/base | kubectl apply -f - + ./tests/gh-actions/install_multi_tenancy.sh + kustomize build ./common/oauth2-proxy/overlays/m2m-self-signed | kubectl apply -f - + echo "Waiting for all oauth2-proxy pods to become ready..." + kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s -n oauth2-proxy + kustomize build ./common/dex/overlays/oauth2-proxy | kubectl apply -f - + echo "Waiting for pods in auth namespace to become ready..." 
+ kubectl wait --for=condition=Ready pods --all --timeout=180s -n auth + ./tests/gh-actions/install_pipelines.sh - name: Apply Pod Security Standards baseline levels for static namespaces run: ./tests/gh-actions/enable_baseline_PSS.sh From 5e8fd1476471cef20ebc0ecf0b825a47089c51ca Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Thu, 12 Sep 2024 20:25:14 +0530 Subject: [PATCH 58/79] Debugging Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index 0bda23bab..17f5de9e0 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -104,19 +104,9 @@ jobs: # sleep 60 # kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=600s --field-selector=status.phase!=Succeeded - - name: Reapplying all resources + - name: Reapplying kubeflow resources run: | - kustomize build common/kubeflow-namespace/base | kubectl apply -f - - ./tests/gh-actions/install_cert_manager.sh - ./tests/gh-actions/install_istio_with_ext_auth.sh - kustomize build common/istio-1-22/kubeflow-istio-resources/base | kubectl apply -f - ./tests/gh-actions/install_multi_tenancy.sh - kustomize build ./common/oauth2-proxy/overlays/m2m-self-signed | kubectl apply -f - - echo "Waiting for all oauth2-proxy pods to become ready..." - kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s -n oauth2-proxy - kustomize build ./common/dex/overlays/oauth2-proxy | kubectl apply -f - - echo "Waiting for pods in auth namespace to become ready..." - kubectl wait --for=condition=Ready pods --all --timeout=180s -n auth ./tests/gh-actions/install_pipelines.sh - name: Apply Pod Security Standards baseline levels for static namespaces From 10a23aeb9041f03bcfe0e6cba2e77b4e9f6c9acd Mon Sep 17 00:00:00 2001 
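Review bot: The "Reapplying all resources" step is a multi-command `run: |` without `shell: bash`, and GitHub's default for such steps is `bash -e` without `pipefail`, so in each `kustomize build … | kubectl apply -f -` a kustomize failure is only reported indirectly through whatever kubectl does with empty or partial input; add `shell: bash` to the step (or `set -euo pipefail` as its first line) so the build error itself fails the job. It is also not stated why the whole stack (cert-manager, Istio, multi-tenancy, oauth2-proxy, dex, pipelines) is reinstalled after the securityContext patches have been applied; if the intent is to check that the patched workloads survive a re-apply, a comment such as `# Re-apply base manifests to confirm the PSS patches are not reverted by a normal deploy` would make the step's purpose reviewable, and the following baseline-PSS step would then be a meaningful test of that. The `jobs:` block this step belongs to begins before the hunk.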
From: biswajit-9776 Date: Thu, 12 Sep 2024 21:44:47 +0530 Subject: [PATCH 59/79] Debugging Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 37 ++++++++++++++------------------- 1 file changed, 16 insertions(+), 21 deletions(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index 17f5de9e0..55c569e5b 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml 
@@ -58,22 +58,22 @@ jobs: kubectl get "$KIND" "$NAME" -n "$NAMESPACE" &> /dev/null if [ $? -eq 0 ]; then kubectl patch "$KIND" "$NAME" -n "$NAMESPACE" --patch-file "$file" - # if [ "$NAME" = "oauth2-proxy" ]; then - # kubectl wait -n oauth2-proxy --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s - # elif [ "$NAME" = "metadata-envoy-deployment" ]; then - # kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-envoy' --timeout=180s - # elif [ "$NAME" = "metadata-grpc-deployment" ]; then - # kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-grpc-server' --timeout=180s - # elif [ "$NAME" = "profiles-deployment" -o "$NAME" = "ml-pipeline" ]; then - # echo "skipping this patch" - # # kubectl describe pod -l 'kustomize.component=profiles' -n kubeflow - # # kubectl wait -n kubeflow --for=condition=ready pod -l 'kustomize.component=profiles' --timeout=300s - # else - # echo "Fetching logs for pod: $NAME" - # # kubectl describe pod -l app="$NAME" -n "$NAMESPACE" - # # kubectl delete pod -l app="$NAME" -n "$NAMESPACE" - # kubectl wait -n "$NAMESPACE" --for=condition=ready pod -l app="$NAME" --timeout=600s - # fi + if [ "$NAME" = "oauth2-proxy" ]; then + kubectl wait -n oauth2-proxy --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s + elif [ "$NAME" = "metadata-envoy-deployment" ]; then + kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-envoy' --timeout=180s + elif [ "$NAME" = "metadata-grpc-deployment" ]; then + kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-grpc-server' --timeout=180s + elif [ "$NAME" = "profiles-deployment" -o "$NAME" = "ml-pipeline" ]; then + echo "skipping this patch" + # kubectl describe pod -l 'kustomize.component=profiles' -n kubeflow + # kubectl wait -n kubeflow --for=condition=ready pod -l 'kustomize.component=profiles' --timeout=300s + else + echo "Fetching logs for pod: $NAME" + # kubectl 
describe pod -l app="$NAME" -n "$NAMESPACE" + # kubectl delete pod -l app="$NAME" -n "$NAMESPACE" + kubectl wait -n "$NAMESPACE" --for=condition=ready pod -l app="$NAME" --timeout=600s + fi fi done sleep 60 @@ -104,11 +104,6 @@ jobs: # sleep 60 # kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=600s --field-selector=status.phase!=Succeeded - - name: Reapplying kubeflow resources - run: | - ./tests/gh-actions/install_multi_tenancy.sh - ./tests/gh-actions/install_pipelines.sh - - name: Apply Pod Security Standards baseline levels for static namespaces run: ./tests/gh-actions/enable_baseline_PSS.sh From bce60a3349658dade0652503c6a932d28329e811 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Sat, 14 Sep 2024 22:27:53 +0530 Subject: [PATCH 60/79] Debugging Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 35 +++++++++---------- .../security/PSS/patches/cache-server.yaml | 11 ++++++ contrib/security/PSS/patches/kfam.yaml | 11 ++++++ .../PSS/patches/metadata-grpc-deployment.yaml | 11 ++++++ .../security/PSS/patches/metadata-writer.yaml | 11 ++++++ contrib/security/PSS/patches/minio.yaml | 11 ++++++ .../patches/ml-pipeline-persistenceagent.yaml | 11 ++++++ .../ml-pipeline-scheduledworkflow.yaml | 11 ++++++ .../security/PSS/patches/ml-pipeline-ui.yaml | 11 ++++++ .../PSS/patches/ml-pipeline-viewer-crd.yaml | 11 ++++++ .../ml-pipeline-visualizationserver.yaml | 11 ++++++ contrib/security/PSS/patches/ml-pipeline.yaml | 10 ++++++ contrib/security/PSS/patches/mysql.yaml | 11 ++++++ 13 files changed, 148 insertions(+), 18 deletions(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index 55c569e5b..878f55d98 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml 
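Review bot: The `echo "skipping this patch"` branch for profiles-deployment and ml-pipeline is misleading, because `kubectl patch` has already run two lines above it; only the readiness wait is skipped, and a reader of the CI log would conclude those two Deployments were left unpatched — `echo "patched $KIND/$NAME; readiness wait skipped"` says what actually happened, and likewise `echo "Fetching logs for pod: $NAME"` announces a `kubectl describe` that is commented out. The `[ a -o b ]` form is obsolescent in POSIX test; write `if [ "$NAME" = "profiles-deployment" ] || [ "$NAME" = "ml-pipeline" ]; then`. The `else` branch waits on `-l app="$NAME"`, which assumes every patched workload carries an `app` label equal to its Deployment name; where that is not the case the selector matches nothing and recent kubectl releases fail with "no matching resources found", so a genuine readiness failure and a label mismatch are indistinguishable in the log. The enclosing `run:` block begins before this hunk.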
@@ -58,22 +58,22 @@ jobs: kubectl get "$KIND" "$NAME" -n "$NAMESPACE" &> /dev/null if [ $? -eq 0 ]; then kubectl patch "$KIND" "$NAME" -n "$NAMESPACE" --patch-file "$file" - if [ "$NAME" = "oauth2-proxy" ]; then - kubectl wait -n oauth2-proxy --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s - elif [ "$NAME" = "metadata-envoy-deployment" ]; then - kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-envoy' --timeout=180s - elif [ "$NAME" = "metadata-grpc-deployment" ]; then - kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-grpc-server' --timeout=180s - elif [ "$NAME" = "profiles-deployment" -o "$NAME" = "ml-pipeline" ]; then - echo "skipping this patch" - # kubectl describe pod -l 'kustomize.component=profiles' -n kubeflow - # kubectl wait -n kubeflow --for=condition=ready pod -l 'kustomize.component=profiles' --timeout=300s - else - echo "Fetching logs for pod: $NAME" - # kubectl describe pod -l app="$NAME" -n "$NAMESPACE" - # kubectl delete pod -l app="$NAME" -n "$NAMESPACE" - kubectl wait -n "$NAMESPACE" --for=condition=ready pod -l app="$NAME" --timeout=600s - fi + # if [ "$NAME" = "oauth2-proxy" ]; then + # kubectl wait -n oauth2-proxy --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s + # elif [ "$NAME" = "metadata-envoy-deployment" ]; then + # kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-envoy' --timeout=180s + # elif [ "$NAME" = "metadata-grpc-deployment" ]; then + # kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-grpc-server' --timeout=180s + # elif [ "$NAME" = "profiles-deployment" -o "$NAME" = "ml-pipeline" ]; then + # echo "skipping this patch" + # # kubectl describe pod -l 'kustomize.component=profiles' -n kubeflow + # # kubectl wait -n kubeflow --for=condition=ready pod -l 'kustomize.component=profiles' --timeout=300s + # else + # echo "Fetching logs for pod: $NAME" + # # kubectl describe 
pod -l app="$NAME" -n "$NAMESPACE" + # # kubectl delete pod -l app="$NAME" -n "$NAMESPACE" + # kubectl wait -n "$NAMESPACE" --for=condition=ready pod -l app="$NAME" --timeout=600s + # fi fi done sleep 60 @@ -121,7 +121,7 @@ jobs: # rm ./kustomization.yaml # kubectl -n kubeflow wait --for=condition=Ready pods -l kustomize.component=profiles --timeout 200s - - name: Unapply applied baseline values + - name: Unapply applied baseline labels run: | NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow") for NAMESPACE in "${NAMESPACES[@]}"; do @@ -129,7 +129,6 @@ jobs: kubectl label namespace $NAMESPACE pod-security.kubernetes.io/enforce- fi done - sleep 10 - name: Applying Pod Security Standards restricted levels for static namespaces run: ./tests/gh-actions/enable_restricted_PSS.sh diff --git a/contrib/security/PSS/patches/cache-server.yaml b/contrib/security/PSS/patches/cache-server.yaml index f8fc2b520..490a09794 100644 --- a/contrib/security/PSS/patches/cache-server.yaml +++ b/contrib/security/PSS/patches/cache-server.yaml @@ -18,3 +18,14 @@ spec: capabilities: drop: - ALL + initContainers: + - image: docker.io/istio/proxyv2:1.22.1 + name: istio-init + securityContext: + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + runAsUser: 1337 + runAsNonRoot: true diff --git a/contrib/security/PSS/patches/kfam.yaml b/contrib/security/PSS/patches/kfam.yaml index 1ad3d2430..0c8bcd3cc 100644 --- a/contrib/security/PSS/patches/kfam.yaml +++ b/contrib/security/PSS/patches/kfam.yaml @@ -18,3 +18,14 @@ spec: capabilities: drop: - ALL + initContainers: + - image: docker.io/istio/proxyv2:1.22.1 + name: istio-init + securityContext: + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + runAsUser: 1337 + runAsNonRoot: true diff --git a/contrib/security/PSS/patches/metadata-grpc-deployment.yaml b/contrib/security/PSS/patches/metadata-grpc-deployment.yaml index 2392bc0f7..763b6968f 100644 
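Review bot: The `istio-init` securityContext added here (and repeated in kfam.yaml and the other patch files) cannot satisfy what that container does: istio-init is the iptables-programming init container and needs NET_ADMIN/NET_RAW as root, so once `capabilities.drop: [ALL]`, `runAsUser: 1337` and `runAsNonRoot: true` are merged into the injected container (Istio merges a pre-declared container of the same name into its template), the iptables setup is denied and the pod never leaves Init. No securityContext makes istio-init pass restricted PSS; the supported path is Istio CNI, which moves the privileged work to a node agent and replaces istio-init with an unprivileged `istio-validation` init container — the later switch in this series to `install_istio-cni.sh` is the right direction, and these per-workload overrides should change with it. Pinning `image: docker.io/istio/proxyv2:1.22.1` in every patch file also duplicates the version the Istio install manifests already define; if the injector accepts `image: auto` for init containers as it does for the sidecar (worth confirming), dropping the explicit tag here avoids a silent proxy-version skew.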
--- a/contrib/security/PSS/patches/metadata-grpc-deployment.yaml
+++ b/contrib/security/PSS/patches/metadata-grpc-deployment.yaml
@@ -18,3 +18,14 @@ spec:
 capabilities:
 drop:
 - ALL
+ initContainers:
+ - image: docker.io/istio/proxyv2:1.22.1
+ name: istio-init
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ runAsUser: 1337
+ runAsNonRoot: true
diff --git a/contrib/security/PSS/patches/metadata-writer.yaml b/contrib/security/PSS/patches/metadata-writer.yaml
index 6e597e667..a66826437 100644
--- a/contrib/security/PSS/patches/metadata-writer.yaml
+++ b/contrib/security/PSS/patches/metadata-writer.yaml
@@ -18,3 +18,14 @@ spec:
 capabilities:
 drop:
 - ALL
+ initContainers:
+ - image: docker.io/istio/proxyv2:1.22.1
+ name: istio-init
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ runAsUser: 1337
+ runAsNonRoot: true
diff --git a/contrib/security/PSS/patches/minio.yaml b/contrib/security/PSS/patches/minio.yaml
index 35ce8d5ba..90abec259 100644
--- a/contrib/security/PSS/patches/minio.yaml
+++ b/contrib/security/PSS/patches/minio.yaml
@@ -18,3 +18,14 @@ spec:
 capabilities:
 drop:
 - ALL
+ initContainers:
+ - image: docker.io/istio/proxyv2:1.22.1
+ name: istio-init
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ runAsUser: 1337
+ runAsNonRoot: true
diff --git a/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml b/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml
index 4a0f57f23..51aa0337d 100644
--- a/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml
+++ b/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml
@@ -18,3 +18,14 @@ spec:
 capabilities:
 drop:
 - ALL
+ initContainers:
+ - image: docker.io/istio/proxyv2:1.22.1
+ name: istio-init
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ runAsUser: 1337
+ runAsNonRoot: true
diff --git a/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml b/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml
index 46e27a7d5..95acefb4f 100644
--- a/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml
+++ b/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml
@@ -18,3 +18,14 @@ spec:
 capabilities:
 drop:
 - ALL
+ initContainers:
+ - image: docker.io/istio/proxyv2:1.22.1
+ name: istio-init
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ runAsUser: 1337
+ runAsNonRoot: true
diff --git a/contrib/security/PSS/patches/ml-pipeline-ui.yaml b/contrib/security/PSS/patches/ml-pipeline-ui.yaml
index 9d86557c3..62abd3ae2 100644
--- a/contrib/security/PSS/patches/ml-pipeline-ui.yaml
+++ b/contrib/security/PSS/patches/ml-pipeline-ui.yaml
@@ -18,3 +18,14 @@ spec:
 capabilities:
 drop:
 - ALL
+ initContainers:
+ - image: docker.io/istio/proxyv2:1.22.1
+ name: istio-init
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ runAsUser: 1337
+ runAsNonRoot: true
diff --git a/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml b/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml
index f099a17f2..88d10805e 100644
--- a/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml
+++ b/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml
@@ -18,3 +18,14 @@ spec:
 capabilities:
 drop:
 - ALL
+ initContainers:
+ - image: docker.io/istio/proxyv2:1.22.1
+ name: istio-init
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ runAsUser: 1337
+ runAsNonRoot: true
diff --git a/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml b/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml
index 8b1233944..44696e548 100644
--- a/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml
+++ b/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml
@@ -18,3 +18,14 @@ spec: capabilities: drop: - ALL + initContainers: + - image: docker.io/istio/proxyv2:1.22.1 + name: istio-init + securityContext: + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + runAsUser: 1337 + runAsNonRoot: true diff --git a/contrib/security/PSS/patches/ml-pipeline.yaml b/contrib/security/PSS/patches/ml-pipeline.yaml index 8ab9e6628..d2baddc9f 100644 --- a/contrib/security/PSS/patches/ml-pipeline.yaml +++ b/contrib/security/PSS/patches/ml-pipeline.yaml @@ -18,3 +18,13 @@ spec: capabilities: drop: - ALL + - image: docker.io/istio/proxyv2:1.22.1 + name: istio-init + securityContext: + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + runAsUser: 1337 + runAsNonRoot: true diff --git a/contrib/security/PSS/patches/mysql.yaml b/contrib/security/PSS/patches/mysql.yaml index 0464b89fb..622ece8f4 100644 --- a/contrib/security/PSS/patches/mysql.yaml +++ b/contrib/security/PSS/patches/mysql.yaml @@ -18,3 +18,14 @@ spec: capabilities: drop: - ALL + initContainers: + - image: docker.io/istio/proxyv2:1.22.1 + name: istio-init + securityContext: + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + runAsUser: 1337 + runAsNonRoot: true From 9b95dc62ca37d79bc0b248f900e5395228f370e1 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Sat, 14 Sep 2024 23:18:57 +0530 Subject: [PATCH 61/79] Debugging Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 28 ++++++++----------- .../security/PSS/patches/metacontroller.yaml | 12 ++++++++ .../PSS/patches/workflow-controller.yaml | 25 +++++++++++++++++ 3 files changed, 48 insertions(+), 17 deletions(-) create mode 100644 contrib/security/PSS/patches/metacontroller.yaml create mode 100644 contrib/security/PSS/patches/workflow-controller.yaml diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index 878f55d98..fc1dad874 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml 
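Review bot: In the ml-pipeline.yaml hunk the new `- image: docker.io/istio/proxyv2:1.22.1` / `name: istio-init` entry is appended straight after the last item under `containers:` with no `initContainers:` key, unlike cache-server.yaml, mysql.yaml and the other patches, which open an `initContainers:` list first. Applied as a strategic-merge patch this adds a second, long-running proxyv2 container named istio-init to the ml-pipeline Deployment instead of customizing the injected init container, which both breaks the pod and gives the pipeline API server an unintended extra container. Insert `initContainers:` on its own line before `- image:`, as the sibling files do (a later commit in this series adds exactly that).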
@@ -58,25 +58,19 @@ jobs: kubectl get "$KIND" "$NAME" -n "$NAMESPACE" &> /dev/null if [ $? -eq 0 ]; then kubectl patch "$KIND" "$NAME" -n "$NAMESPACE" --patch-file "$file" - # if [ "$NAME" = "oauth2-proxy" ]; then - # kubectl wait -n oauth2-proxy --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s - # elif [ "$NAME" = "metadata-envoy-deployment" ]; then - # kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-envoy' --timeout=180s - # elif [ "$NAME" = "metadata-grpc-deployment" ]; then - # kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-grpc-server' --timeout=180s - # elif [ "$NAME" = "profiles-deployment" -o "$NAME" = "ml-pipeline" ]; then - # echo "skipping this patch" - # # kubectl describe pod -l 'kustomize.component=profiles' -n kubeflow - # # kubectl wait -n kubeflow --for=condition=ready pod -l 'kustomize.component=profiles' --timeout=300s - # else - # echo "Fetching logs for pod: $NAME" - # # kubectl describe pod -l app="$NAME" -n "$NAMESPACE" - # # kubectl delete pod -l app="$NAME" -n "$NAMESPACE" - # kubectl wait -n "$NAMESPACE" --for=condition=ready pod -l app="$NAME" --timeout=600s - # fi + if [ "$NAME" = "oauth2-proxy" ]; then + kubectl wait -n oauth2-proxy --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s + elif [ "$NAME" = "metadata-envoy-deployment" ]; then + kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-envoy' --timeout=600s + elif [ "$NAME" = "metadata-grpc-deployment" ]; then + kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-grpc-server' --timeout=600s + elif [ "$NAME" = "profiles-deployment" ]; then + kubectl wait -n kubeflow --for=condition=ready pod -l 'kustomize.component=profiles' --timeout=300s + else + kubectl wait -n "$NAMESPACE" --for=condition=ready pod -l app="$NAME" --timeout=600s + fi fi done - sleep 60 # for file in "$DIRECTORY"/*.yaml; do # KIND=$(kubectl get -f "$file" 
-o jsonpath='{.kind}') # NAME=$(kubectl get -f "$file" -o jsonpath='{.metadata.name}') diff --git a/contrib/security/PSS/patches/metacontroller.yaml b/contrib/security/PSS/patches/metacontroller.yaml new file mode 100644 index 000000000..ca3364911 --- /dev/null +++ b/contrib/security/PSS/patches/metacontroller.yaml @@ -0,0 +1,12 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: metacontroller +spec: + template: + spec: + containers: + - name: metacontroller + securityContext: + seccompProfile: + type: RuntimeDefault diff --git a/contrib/security/PSS/patches/workflow-controller.yaml b/contrib/security/PSS/patches/workflow-controller.yaml new file mode 100644 index 000000000..ba6ec2fac --- /dev/null +++ b/contrib/security/PSS/patches/workflow-controller.yaml @@ -0,0 +1,25 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: workflow-controller + namespace: kubeflow +spec: + template: + spec: + containers: + - name: workflow-controller + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + initContainers: + - image: docker.io/istio/proxyv2:1.22.1 + name: istio-init + securityContext: + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + runAsUser: 1337 + runAsNonRoot: true From a713a4c3fcc14bb3e5521f447fcbf8b02e887507 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Sat, 14 Sep 2024 23:34:25 +0530 Subject: [PATCH 62/79] Debugging Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index fc1dad874..49ade491c 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml 
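Review bot: The `workflow-controller` container entry sets `runAsNonRoot: true` with no numeric `runAsUser`, and unlike the other patch files in this directory it sets neither `capabilities.drop: [ALL]` nor `allowPrivilegeEscalation: false`. If the upstream Argo manifest does not already carry those fields (not visible from here), the restricted-PSS step will still flag this Deployment; and if the image's USER is not numeric, the kubelet refuses to start the container once runAsNonRoot is set. Suggest matching the sibling patches by adding `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}` beside `seccompProfile`, plus either a numeric `runAsUser` or a comment noting that the image declares one. The metacontroller.yaml patch in the same commit has no `metadata.namespace`, so the loop's `kubectl get -f` presumably resolves it against the kubeconfig's current namespace and the `kubectl get … && patch` guard silently skips the StatefulSet instead of failing.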
@@ -58,19 +58,20 @@ jobs: kubectl get "$KIND" "$NAME" -n "$NAMESPACE" &> /dev/null if [ $? -eq 0 ]; then kubectl patch "$KIND" "$NAME" -n "$NAMESPACE" --patch-file "$file" - if [ "$NAME" = "oauth2-proxy" ]; then - kubectl wait -n oauth2-proxy --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s - elif [ "$NAME" = "metadata-envoy-deployment" ]; then - kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-envoy' --timeout=600s - elif [ "$NAME" = "metadata-grpc-deployment" ]; then - kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-grpc-server' --timeout=600s - elif [ "$NAME" = "profiles-deployment" ]; then - kubectl wait -n kubeflow --for=condition=ready pod -l 'kustomize.component=profiles' --timeout=300s - else - kubectl wait -n "$NAMESPACE" --for=condition=ready pod -l app="$NAME" --timeout=600s - fi + # if [ "$NAME" = "oauth2-proxy" ]; then + # kubectl wait -n oauth2-proxy --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s + # elif [ "$NAME" = "metadata-envoy-deployment" ]; then + # kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-envoy' --timeout=600s + # elif [ "$NAME" = "metadata-grpc-deployment" ]; then + # kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-grpc-server' --timeout=600s + # elif [ "$NAME" = "profiles-deployment" ]; then + # kubectl wait -n kubeflow --for=condition=ready pod -l 'kustomize.component=profiles' --timeout=300s + # else + # kubectl wait -n "$NAMESPACE" --for=condition=ready pod -l app="$NAME" --timeout=600s + # fi fi done + sleep 300 # for file in "$DIRECTORY"/*.yaml; do # KIND=$(kubectl get -f "$file" -o jsonpath='{.kind}') # NAME=$(kubectl get -f "$file" -o jsonpath='{.metadata.name}') From bb20a6bd0f1f311e33ff0ca9d9f3eb82bb75de1e Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Sat, 14 Sep 2024 23:43:28 +0530 Subject: [PATCH 63/79] Debugging 
Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index 49ade491c..99d4cd130 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -57,7 +57,11 @@ jobs: # Apply the patch kubectl get "$KIND" "$NAME" -n "$NAMESPACE" &> /dev/null if [ $? -eq 0 ]; then - kubectl patch "$KIND" "$NAME" -n "$NAMESPACE" --patch-file "$file" + if [ "$NAME" = "metacontroller" ]; then + kubectl patch "$KIND" statefulset -n kubeflow --patch-file "$file" + else + kubectl patch "$KIND" "$NAME" -n "$NAMESPACE" --patch-file "$file" + fi # if [ "$NAME" = "oauth2-proxy" ]; then # kubectl wait -n oauth2-proxy --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s # elif [ "$NAME" = "metadata-envoy-deployment" ]; then From c2af2450408ad7051c6ad552a290d612e9cd4b88 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Sat, 14 Sep 2024 23:49:56 +0530 Subject: [PATCH 64/79] Debugging Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 6 +----- contrib/security/PSS/patches/metacontroller.yaml | 1 + 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index 99d4cd130..49ade491c 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml 
@@ -57,11 +57,7 @@ jobs: # Apply the patch kubectl get "$KIND" "$NAME" -n "$NAMESPACE" &> /dev/null if [ $? -eq 0 ]; then - if [ "$NAME" = "metacontroller" ]; then - kubectl patch "$KIND" statefulset -n kubeflow --patch-file "$file" - else - kubectl patch "$KIND" "$NAME" -n "$NAMESPACE" --patch-file "$file" - fi + kubectl patch "$KIND" "$NAME" -n "$NAMESPACE" --patch-file "$file" # if [ "$NAME" = "oauth2-proxy" ]; then # kubectl wait -n oauth2-proxy --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s # elif [ "$NAME" = "metadata-envoy-deployment" ]; then diff --git a/contrib/security/PSS/patches/metacontroller.yaml b/contrib/security/PSS/patches/metacontroller.yaml index ca3364911..0ca5d7778 100644 --- a/contrib/security/PSS/patches/metacontroller.yaml +++ b/contrib/security/PSS/patches/metacontroller.yaml @@ -2,6 +2,7 @@ apiVersion: apps/v1 kind: StatefulSet metadata: name: metacontroller + namespace: kubeflow spec: template: spec: From d6ebc3f53e6ea28d036af91e67b01ffa04c7b513 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Sun, 15 Sep 2024 09:23:59 +0530 Subject: [PATCH 65/79] Debugging Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index 49ade491c..fd08242c2 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml 
@@ -57,18 +57,18 @@ jobs: # Apply the patch kubectl get "$KIND" "$NAME" -n "$NAMESPACE" &> /dev/null if [ $? -eq 0 ]; then + if [ "$NAME" = "oauth2-proxy" ]; then + kubectl delete pod -n oauth2-proxy -l 'app.kubernetes.io/name=oauth2-proxy' + elif [ "$NAME" = "metadata-envoy-deployment" ]; then + kubectl delete pod -n kubeflow -l 'component=metadata-envoy' + elif [ "$NAME" = "metadata-grpc-deployment" ]; then + kubectl delete pod -n kubeflow -l 'component=metadata-grpc-server' + elif [ "$NAME" = "profiles-deployment" ]; then + kubectl delete pod -n kubeflow -l 'kustomize.component=profiles' + else + kubectl delete pod -n "$NAMESPACE" -l app="$NAME" + fi kubectl patch "$KIND" "$NAME" -n "$NAMESPACE" --patch-file "$file" - # if [ "$NAME" = "oauth2-proxy" ]; then - # kubectl wait -n oauth2-proxy --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s - # elif [ "$NAME" = "metadata-envoy-deployment" ]; then - # kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-envoy' --timeout=600s - # elif [ "$NAME" = "metadata-grpc-deployment" ]; then - # kubectl wait -n kubeflow --for=condition=ready pod -l 'component=metadata-grpc-server' --timeout=600s - # elif [ "$NAME" = "profiles-deployment" ]; then - # kubectl wait -n kubeflow --for=condition=ready pod -l 'kustomize.component=profiles' --timeout=300s - # else - # kubectl wait -n "$NAMESPACE" --for=condition=ready pod -l app="$NAME" --timeout=600s - # fi fi done sleep 300 From 86c372cd1cdb972169ac548fa4c5a88770ecdfad Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Sun, 15 Sep 2024 10:06:57 +0530 Subject: [PATCH 66/79] Debugging 
Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 4 ++-- contrib/security/PSS/patches/cache-server.yaml | 7 +------ contrib/security/PSS/patches/kfam.yaml | 7 +------ .../security/PSS/patches/metadata-grpc-deployment.yaml | 7 +------ contrib/security/PSS/patches/metadata-writer.yaml | 7 +------ contrib/security/PSS/patches/minio.yaml | 7 +------ .../PSS/patches/ml-pipeline-persistenceagent.yaml | 7 +------ .../PSS/patches/ml-pipeline-scheduledworkflow.yaml | 7 +------ contrib/security/PSS/patches/ml-pipeline-ui.yaml | 7 +------ contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml | 7 +------ .../PSS/patches/ml-pipeline-visualizationserver.yaml | 7 +------ contrib/security/PSS/patches/ml-pipeline.yaml | 8 ++------ contrib/security/PSS/patches/mysql.yaml | 7 +------ contrib/security/PSS/patches/workflow-controller.yaml | 7 +------ 14 files changed, 16 insertions(+), 80 deletions(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index fd08242c2..5d52d32ad 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -31,8 +31,8 @@ jobs: run: | kustomize build common/kubeflow-namespace/base | kubectl apply -f - ./tests/gh-actions/install_cert_manager.sh - ./tests/gh-actions/install_istio_with_ext_auth.sh - kustomize build common/istio-1-22/kubeflow-istio-resources/base | kubectl apply -f - + ./tests/gh-actions/install_istio-cni.sh + kustomize build common/istio-cni-1-22/kubeflow-istio-resources/base | kubectl apply -f - ./tests/gh-actions/install_multi_tenancy.sh kustomize build ./common/oauth2-proxy/overlays/m2m-self-signed | kubectl apply -f - echo "Waiting for all oauth2-proxy pods to become ready..." diff --git a/contrib/security/PSS/patches/cache-server.yaml b/contrib/security/PSS/patches/cache-server.yaml index 490a09794..172bb64f4 100644 --- a/contrib/security/PSS/patches/cache-server.yaml +++ b/contrib/security/PSS/patches/cache-server.yaml 
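Review bot: Switching to `install_istio-cni.sh` moves the iptables programming out of a per-pod root init container into the istio-cni node agent, a privileged, host-networked DaemonSet; that is what lets the workload namespaces reach restricted PSS, but it also means the namespace holding that DaemonSet must stay at `privileged` and be excluded from the restricted labelling. The `NAMESPACES` list in the baseline/unlabel step includes `istio-system`, so if `common/istio-cni-1-22` installs the agent there rather than in kube-system (I cannot tell from this hunk), `enable_restricted_PSS.sh` would later block any re-created istio-cni-node pod. Add a comment on the install line recording which namespace carries the CNI agent and that it is intentionally left privileged, and check the restricted script against it.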
@@ -20,12 +20,7 @@ spec: - ALL initContainers: - image: docker.io/istio/proxyv2:1.22.1 - name: istio-init + name: istio-validation securityContext: - capabilities: - drop: - - ALL seccompProfile: type: RuntimeDefault - runAsUser: 1337 - runAsNonRoot: true diff --git a/contrib/security/PSS/patches/kfam.yaml b/contrib/security/PSS/patches/kfam.yaml index 0c8bcd3cc..cf418b77b 100644 --- a/contrib/security/PSS/patches/kfam.yaml +++ b/contrib/security/PSS/patches/kfam.yaml @@ -20,12 +20,7 @@ spec: - ALL initContainers: - image: docker.io/istio/proxyv2:1.22.1 - name: istio-init + name: istio-validation securityContext: - capabilities: - drop: - - ALL seccompProfile: type: RuntimeDefault - runAsUser: 1337 - runAsNonRoot: true diff --git a/contrib/security/PSS/patches/metadata-grpc-deployment.yaml b/contrib/security/PSS/patches/metadata-grpc-deployment.yaml index 763b6968f..84e8a32bd 100644 --- a/contrib/security/PSS/patches/metadata-grpc-deployment.yaml +++ b/contrib/security/PSS/patches/metadata-grpc-deployment.yaml @@ -20,12 +20,7 @@ spec: - ALL initContainers: - image: docker.io/istio/proxyv2:1.22.1 - name: istio-init + name: istio-validation securityContext: - capabilities: - drop: - - ALL seccompProfile: type: RuntimeDefault - runAsUser: 1337 - runAsNonRoot: true diff --git a/contrib/security/PSS/patches/metadata-writer.yaml b/contrib/security/PSS/patches/metadata-writer.yaml index a66826437..bc07c3ebc 100644 --- a/contrib/security/PSS/patches/metadata-writer.yaml +++ b/contrib/security/PSS/patches/metadata-writer.yaml @@ -20,12 +20,7 @@ spec: - ALL initContainers: - image: docker.io/istio/proxyv2:1.22.1 - name: istio-init + name: istio-validation securityContext: - capabilities: - drop: - - ALL seccompProfile: type: RuntimeDefault - runAsUser: 1337 - runAsNonRoot: true diff --git a/contrib/security/PSS/patches/minio.yaml b/contrib/security/PSS/patches/minio.yaml index 90abec259..90a0f0039 100644 --- a/contrib/security/PSS/patches/minio.yaml 
+++ b/contrib/security/PSS/patches/minio.yaml @@ -20,12 +20,7 @@ spec: - ALL initContainers: - image: docker.io/istio/proxyv2:1.22.1 - name: istio-init + name: istio-validation securityContext: - capabilities: - drop: - - ALL seccompProfile: type: RuntimeDefault - runAsUser: 1337 - runAsNonRoot: true diff --git a/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml b/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml index 51aa0337d..47df95922 100644 --- a/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml +++ b/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml @@ -20,12 +20,7 @@ spec: - ALL initContainers: - image: docker.io/istio/proxyv2:1.22.1 - name: istio-init + name: istio-validation securityContext: - capabilities: - drop: - - ALL seccompProfile: type: RuntimeDefault - runAsUser: 1337 - runAsNonRoot: true diff --git a/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml b/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml index 95acefb4f..91e001653 100644 --- a/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml +++ b/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml @@ -20,12 +20,7 @@ spec: - ALL initContainers: - image: docker.io/istio/proxyv2:1.22.1 - name: istio-init + name: istio-validation securityContext: - capabilities: - drop: - - ALL seccompProfile: type: RuntimeDefault - runAsUser: 1337 - runAsNonRoot: true diff --git a/contrib/security/PSS/patches/ml-pipeline-ui.yaml b/contrib/security/PSS/patches/ml-pipeline-ui.yaml index 62abd3ae2..b5bbf521f 100644 --- a/contrib/security/PSS/patches/ml-pipeline-ui.yaml +++ b/contrib/security/PSS/patches/ml-pipeline-ui.yaml @@ -20,12 +20,7 @@ spec: - ALL initContainers: - image: docker.io/istio/proxyv2:1.22.1 - name: istio-init + name: istio-validation securityContext: - capabilities: - drop: - - ALL seccompProfile: type: RuntimeDefault - runAsUser: 1337 - runAsNonRoot: true 
diff --git a/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml b/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml index 88d10805e..ed7518742 100644 --- a/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml +++ b/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml @@ -20,12 +20,7 @@ spec: - ALL initContainers: - image: docker.io/istio/proxyv2:1.22.1 - name: istio-init + name: istio-validation securityContext: - capabilities: - drop: - - ALL seccompProfile: type: RuntimeDefault - runAsUser: 1337 - runAsNonRoot: true diff --git a/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml b/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml index 44696e548..33516be68 100644 --- a/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml +++ b/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml @@ -20,12 +20,7 @@ spec: - ALL initContainers: - image: docker.io/istio/proxyv2:1.22.1 - name: istio-init + name: istio-validation securityContext: - capabilities: - drop: - - ALL seccompProfile: type: RuntimeDefault - runAsUser: 1337 - runAsNonRoot: true diff --git a/contrib/security/PSS/patches/ml-pipeline.yaml b/contrib/security/PSS/patches/ml-pipeline.yaml index d2baddc9f..74866d44e 100644 --- a/contrib/security/PSS/patches/ml-pipeline.yaml +++ b/contrib/security/PSS/patches/ml-pipeline.yaml @@ -18,13 +18,9 @@ spec: capabilities: drop: - ALL + initContainers: - image: docker.io/istio/proxyv2:1.22.1 - name: istio-init + name: istio-validation securityContext: - capabilities: - drop: - - ALL seccompProfile: type: RuntimeDefault - runAsUser: 1337 - runAsNonRoot: true diff --git a/contrib/security/PSS/patches/mysql.yaml b/contrib/security/PSS/patches/mysql.yaml index 622ece8f4..1abf4c7e4 100644 --- a/contrib/security/PSS/patches/mysql.yaml +++ b/contrib/security/PSS/patches/mysql.yaml 
@@ -20,12 +20,7 @@ spec: - ALL initContainers: - image: docker.io/istio/proxyv2:1.22.1 - name: istio-init + name: istio-validation securityContext: - capabilities: - drop: - - ALL seccompProfile: type: RuntimeDefault - runAsUser: 1337 - runAsNonRoot: true diff --git a/contrib/security/PSS/patches/workflow-controller.yaml b/contrib/security/PSS/patches/workflow-controller.yaml index ba6ec2fac..4e618e2a8 100644 --- a/contrib/security/PSS/patches/workflow-controller.yaml +++ b/contrib/security/PSS/patches/workflow-controller.yaml @@ -14,12 +14,7 @@ spec: runAsNonRoot: true initContainers: - image: docker.io/istio/proxyv2:1.22.1 - name: istio-init + name: istio-validation securityContext: - capabilities: - drop: - - ALL seccompProfile: type: RuntimeDefault - runAsUser: 1337 - runAsNonRoot: true From b88fe8ff8bc40bf30c29551e47c2327c215a202a Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Sun, 15 Sep 2024 10:14:44 +0530 Subject: [PATCH 67/79] Added wait time for istio-cni test Signed-off-by: biswajit-9776 --- tests/gh-actions/install_istio-cni.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tests/gh-actions/install_istio-cni.sh b/tests/gh-actions/install_istio-cni.sh index 6c6925ffb..93d4b32b1 100755 --- a/tests/gh-actions/install_istio-cni.sh +++ b/tests/gh-actions/install_istio-cni.sh @@ -4,4 +4,7 @@ echo "Installing Istio-cni ..." cd common/istio-cni-1-22 kustomize build istio-crds/base | kubectl apply -f - kustomize build istio-namespace/base | kubectl apply -f - -kustomize build istio-install/base | kubectl apply -f - \ No newline at end of file +kustomize build istio-install/base | kubectl apply -f - + +echo "Waiting for all Istio Pods to become ready..." +kubectl wait --for=condition=Ready pods --all -n istio-system --timeout 300s From 523f9a041404cf0295557d1072b23728e2018238 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Sun, 15 Sep 2024 10:36:28 +0530 Subject: [PATCH 68/79] Debugging 
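Review bot: `kubectl wait --for=condition=Ready pods --all -n istio-system` is issued immediately after `kubectl apply`, and kubectl wait exits non-zero with "no matching resources found" when no pod exists yet, so this can fail before the Deployment/DaemonSet controllers have created anything; the shebang and any `set -e` are outside the hunk, so whether that failure aborts the install is not visible here. A pod that has already finished (phase Succeeded) would also never become Ready and would hold the wait until the 300s timeout. Waiting for the first pod to appear before the readiness wait, and excluding completed pods, avoids both.

```shell
echo "Waiting for all Istio Pods to become ready..."
# give the controllers a moment to create pods; `kubectl wait` fails when nothing matches yet
for _ in $(seq 1 30); do
  [ -n "$(kubectl get pods -n istio-system -o name 2>/dev/null)" ] && break
  sleep 5
done
kubectl wait --for=condition=Ready pods --all -n istio-system --timeout 300s --field-selector=status.phase!=Succeeded
```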
Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index 5d52d32ad..562f1aa7a 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -57,21 +57,21 @@ jobs: # Apply the patch kubectl get "$KIND" "$NAME" -n "$NAMESPACE" &> /dev/null if [ $? -eq 0 ]; then - if [ "$NAME" = "oauth2-proxy" ]; then - kubectl delete pod -n oauth2-proxy -l 'app.kubernetes.io/name=oauth2-proxy' - elif [ "$NAME" = "metadata-envoy-deployment" ]; then - kubectl delete pod -n kubeflow -l 'component=metadata-envoy' - elif [ "$NAME" = "metadata-grpc-deployment" ]; then - kubectl delete pod -n kubeflow -l 'component=metadata-grpc-server' - elif [ "$NAME" = "profiles-deployment" ]; then - kubectl delete pod -n kubeflow -l 'kustomize.component=profiles' - else - kubectl delete pod -n "$NAMESPACE" -l app="$NAME" - fi + # if [ "$NAME" = "oauth2-proxy" ]; then + # kubectl delete pod -n oauth2-proxy -l 'app.kubernetes.io/name=oauth2-proxy' + # elif [ "$NAME" = "metadata-envoy-deployment" ]; then + # kubectl delete pod -n kubeflow -l 'component=metadata-envoy' + # elif [ "$NAME" = "metadata-grpc-deployment" ]; then + # kubectl delete pod -n kubeflow -l 'component=metadata-grpc-server' + # elif [ "$NAME" = "profiles-deployment" ]; then + # kubectl delete pod -n kubeflow -l 'kustomize.component=profiles' + # else + # kubectl delete pod -n "$NAMESPACE" -l app="$NAME" + # fi kubectl patch "$KIND" "$NAME" -n "$NAMESPACE" --patch-file "$file" fi done - sleep 300 + sleep 600 # for file in "$DIRECTORY"/*.yaml; do # KIND=$(kubectl get -f "$file" -o jsonpath='{.kind}') # NAME=$(kubectl get -f "$file" -o jsonpath='{.metadata.name}') From 2bd7e0782960f4f35df14e647b577b8343bde40e Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Sun, 15 Sep 2024 12:21:47 +0530 Subject: [PATCH 69/79] Increased timeout 
Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index 562f1aa7a..5512e378d 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -71,7 +71,7 @@ jobs: kubectl patch "$KIND" "$NAME" -n "$NAMESPACE" --patch-file "$file" fi done - sleep 600 + sleep 1200 # for file in "$DIRECTORY"/*.yaml; do # KIND=$(kubectl get -f "$file" -o jsonpath='{.kind}') # NAME=$(kubectl get -f "$file" -o jsonpath='{.metadata.name}') From d0f3cc6476169c370aec73443b24cfbcd5dfe5b8 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Sun, 15 Sep 2024 23:27:04 +0530 Subject: [PATCH 70/79] Added dynamic ns to pss_test Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 80 +++++++++++---------------------- 1 file changed, 27 insertions(+), 53 deletions(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index 5512e378d..e947875e1 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -11,7 +11,7 @@ on: - common/cert-manager/** - common/oauth2-proxy/** - common/istio*/** - - tests/gh-actions/install_istio_with_ext_auth.sh + - tests/gh-actions/install_istio-cni.sh - tests/gh-actions/install_multitenancy.sh jobs: 
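Review bot: The trigger list next to the new `tests/gh-actions/install_istio-cni.sh` entry still names `tests/gh-actions/install_multitenancy.sh`, while the job in this same workflow (visible in a later hunk of the series) runs `./tests/gh-actions/install_multi_tenancy.sh`, so changes to the script that is actually executed do not trigger this workflow; the entry should read `- tests/gh-actions/install_multi_tenancy.sh`. The rest of the `paths:` list is outside the hunk, so whether `contrib/security/PSS/**` and the `enable_*_PSS.sh` scripts the job depends on are covered cannot be checked here.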
@@ -44,6 +44,31 @@ jobs: - name: Install KF Pipelines run: ./tests/gh-actions/install_pipelines.sh + - name: Apply Pod Security Standards baseline levels for dynamic namespaces + run: | + cat << EOF > ./kustomization.yaml + apiVersion: kustomize.config.k8s.io/v1beta1 + kind: Kustomization + resources: + - apps/profiles/upstream/overlays/kubeflow + components: + - contrib/security/PSS/dynamic/restricted + EOF + kubectl apply -k . + rm ./kustomization.yaml + kubectl -n kubeflow wait --for=condition=Ready pods -l kustomize.component=profiles --timeout 500s + + - name: Create dynamic user namespace and check for PSS labels present + run: | + kustomize build common/user-namespace/base | kubectl apply -f - + LABELS=$(kubectl get namespace kubeflow-user-example-com --show-labels | awk 'NR==2 {print $NF}') + if [[ "$LABELS" == *pod-security.kubernetes.io/enforce=restricted* ]]; then + echo "PSS restricted label is present in dynamic namespace." + else + echo "PSS restricted label is absent in dynamic namespace." + exit 1 + fi + - name: Apply patches to clear warnings run: | DIRECTORY="contrib/security/PSS/patches" 
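Review bot: The new step is named "Apply Pod Security Standards baseline levels for dynamic namespaces" but the component it composes is `contrib/security/PSS/dynamic/restricted`, and the following step asserts `enforce=restricted`; the step name should say restricted so the job log matches what is enforced. The label check parses `kubectl get namespace --show-labels` through `awk 'NR==2 {print $NF}'`, which depends on column layout and on the labels column being last; reading the label directly is more robust: `ENFORCE=$(kubectl get namespace kubeflow-user-example-com -o jsonpath='{.metadata.labels.pod-security\.kubernetes\.io/enforce}')` and `if [ "$ENFORCE" = "restricted" ]; then`. Checking the `warn` and `audit` labels the same way would make the assertion cover the full profile if the component sets them, which is not visible here.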
@@ -57,65 +82,14 @@ jobs: # Apply the patch kubectl get "$KIND" "$NAME" -n "$NAMESPACE" &> /dev/null if [ $? -eq 0 ]; then - # if [ "$NAME" = "oauth2-proxy" ]; then - # kubectl delete pod -n oauth2-proxy -l 'app.kubernetes.io/name=oauth2-proxy' - # elif [ "$NAME" = "metadata-envoy-deployment" ]; then - # kubectl delete pod -n kubeflow -l 'component=metadata-envoy' - # elif [ "$NAME" = "metadata-grpc-deployment" ]; then - # kubectl delete pod -n kubeflow -l 'component=metadata-grpc-server' - # elif [ "$NAME" = "profiles-deployment" ]; then - # kubectl delete pod -n kubeflow -l 'kustomize.component=profiles' - # else - # kubectl delete pod -n "$NAMESPACE" -l app="$NAME" - # fi kubectl patch "$KIND" "$NAME" -n "$NAMESPACE" --patch-file "$file" fi done - sleep 1200 - # for file in "$DIRECTORY"/*.yaml; do - # KIND=$(kubectl get -f "$file" -o jsonpath='{.kind}') - # NAME=$(kubectl get -f "$file" -o jsonpath='{.metadata.name}') - # NAMESPACE=$(kubectl get -f "$file" -o jsonpath='{.metadata.namespace}') - # kubectl get "$KIND" "$NAME" -n "$NAMESPACE" &> /dev/null - # if [ $? 
-eq 0 ]; then - # if [ "$NAME" = "oauth2-proxy" ]; then - # echo "Fetching logs for pod: $NAME" - # kubectl describe pod -l app.kubernetes.io/name=oauth2-proxy -n oauth2-proxy - # elif [ "$NAME" = "metadata-envoy-deployment" ]; then - # echo "Fetching logs for pod: $NAME" - # kubectl describe pod -l 'component=metadata-envoy' -n kubeflow - # elif [ "$NAME" = "metadata-grpc-deployment" ]; then - # echo "Fetching logs for pod: $NAME" - # kubectl describe pod -l 'component=metadata-grpc-server' -n kubeflow - # elif [ "$NAME" = "profiles-deployment" ]; then - # echo "Fetching logs for pod: $NAME" - # kubectl describe pod -l 'kustomize.component=profiles' -n kubeflow - # else - # echo "Fetching logs for pod: $NAME" - # kubectl describe pod -l app="$NAME" -n "$NAMESPACE" - # fi - # fi - # done - # sleep 60 - # kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=600s --field-selector=status.phase!=Succeeded + sleep 600 - name: Apply Pod Security Standards baseline levels for static namespaces run: ./tests/gh-actions/enable_baseline_PSS.sh - # - name: Apply Pod Security Standards baseline levels for dynamic namespaces - # run: | - # cat << EOF > ./kustomization.yaml - # apiVersion: kustomize.config.k8s.io/v1beta1 - # kind: Kustomization - # resources: - # - apps/profiles/upstream/overlays/kubeflow - # components: - # - contrib/security/PSS/dynamic/baseline - # EOF - # kubectl apply -k . - # rm ./kustomization.yaml - # kubectl -n kubeflow wait --for=condition=Ready pods -l kustomize.component=profiles --timeout 200s - - name: Unapply applied baseline labels run: | NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow") From 5743a1fd8b3defa63c0dea92fb5c5003a60e4176 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Sun, 15 Sep 2024 23:29:53 +0530 Subject: [PATCH 71/79] Fix lint Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) 
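Review bot: The only synchronization between patching the deployments and applying the PSS labels on the new side is `sleep 600` (the commented `kubectl wait` that used `--field-selector=status.phase!=Succeeded` is deleted), so the step is both slow and still racy on a loaded runner; the later commit "Removing debugging stuffs" lowers it to `sleep 300` with the same shape. Waiting on the rollout of each patched object inside the loop, right after the `kubectl patch` line, pins the condition that actually matters: `kubectl rollout status "$KIND/$NAME" -n "$NAMESPACE" --timeout=600s`. That assumes the patch files target Deployments or other rollout-capable kinds; the kind is read from each patch file at runtime and is not visible in this hunk. The enclosing step's `run:` block starts outside the hunk.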
diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index e947875e1..e6084fa09 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -44,19 +44,19 @@ jobs: - name: Install KF Pipelines run: ./tests/gh-actions/install_pipelines.sh - - name: Apply Pod Security Standards baseline levels for dynamic namespaces - run: | - cat << EOF > ./kustomization.yaml - apiVersion: kustomize.config.k8s.io/v1beta1 - kind: Kustomization - resources: - - apps/profiles/upstream/overlays/kubeflow - components: - - contrib/security/PSS/dynamic/restricted - EOF - kubectl apply -k . - rm ./kustomization.yaml - kubectl -n kubeflow wait --for=condition=Ready pods -l kustomize.component=profiles --timeout 500s + - name: Apply Pod Security Standards baseline levels for dynamic namespaces + run: | + cat << EOF > ./kustomization.yaml + apiVersion: kustomize.config.k8s.io/v1beta1 + kind: Kustomization + resources: + - apps/profiles/upstream/overlays/kubeflow + components: + - contrib/security/PSS/dynamic/restricted + EOF + kubectl apply -k . + rm ./kustomization.yaml + kubectl -n kubeflow wait --for=condition=Ready pods -l kustomize.component=profiles --timeout 500s - name: Create dynamic user namespace and check for PSS labels present run: | From 65ec9f75e0b02ac743660d54294f61efa981cb23 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Mon, 16 Sep 2024 14:02:29 +0530 Subject: [PATCH 72/79] Configured istio initContainer Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 63 +++++++++++++++++++-------------- 1 file changed, 37 insertions(+), 26 deletions(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index e6084fa09..d86df663c 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml 
@@ -27,12 +27,22 @@ jobs: - name: Install kubectl run: ./tests/gh-actions/install_kubectl.sh - - name: Install all deployments from static namespaces + - name: Install all istio-cni resources run: | - kustomize build common/kubeflow-namespace/base | kubectl apply -f - ./tests/gh-actions/install_cert_manager.sh ./tests/gh-actions/install_istio-cni.sh kustomize build common/istio-cni-1-22/kubeflow-istio-resources/base | kubectl apply -f - + + - name: Configure istio init container with seccompProfile attribute + run: | + kubectl get cm istio-sidecar-injector -n istio-system -o yaml > temporary_patch.yaml + sed -i '0,/runAsNonRoot: true/{s//&\n seccompProfile:\n type: RuntimeDefault/}' temporary_patch.yaml + kubectl apply -f temporary_patch.yaml + rm temporary_patch.yaml + + - name: Install all other deployments of static namespaces + run: | + kustomize build common/kubeflow-namespace/base | kubectl apply -f - ./tests/gh-actions/install_multi_tenancy.sh kustomize build ./common/oauth2-proxy/overlays/m2m-self-signed | kubectl apply -f - echo "Waiting for all oauth2-proxy pods to become ready..." 
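Review bot: The "Configure istio init container with seccompProfile attribute" step silences the PSS warning by rewriting the live `istio-sidecar-injector` ConfigMap with `sed` in the CI cluster, and the second `sed` added later in "Added seccompProfile attribute for istio-proxy" does the same for the proxy container; none of the commits visible here touch `common/istio-cni-1-22`, which `install_istio-cni.sh` applies, so the test passes on a CI-only mutation that a user installing the same manifests would not get. The `0,/runAsNonRoot: true/` range also edits only the first match in the template, and the indentation placed in front of `seccompProfile:` and `type:` cannot be verified from this view; a mis-indented insert breaks the injection template YAML at pod-admission time rather than in this step. Carrying the same change as a kustomize patch on the injector ConfigMap under `common/istio-cni-1-22/istio-install/base` (the kustomization `install_istio-cni.sh` already builds) would keep the tested and shipped configuration identical, and until then a comment on the step, e.g. `# CI-only workaround for PSS restricted; TODO move into the istio-cni manifests`, should mark it as temporary.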
@@ -44,30 +54,31 @@ jobs: - name: Install KF Pipelines run: ./tests/gh-actions/install_pipelines.sh - - name: Apply Pod Security Standards baseline levels for dynamic namespaces - run: | - cat << EOF > ./kustomization.yaml - apiVersion: kustomize.config.k8s.io/v1beta1 - kind: Kustomization - resources: - - apps/profiles/upstream/overlays/kubeflow - components: - - contrib/security/PSS/dynamic/restricted - EOF - kubectl apply -k . - rm ./kustomization.yaml - kubectl -n kubeflow wait --for=condition=Ready pods -l kustomize.component=profiles --timeout 500s - - - name: Create dynamic user namespace and check for PSS labels present - run: | - kustomize build common/user-namespace/base | kubectl apply -f - - LABELS=$(kubectl get namespace kubeflow-user-example-com --show-labels | awk 'NR==2 {print $NF}') - if [[ "$LABELS" == *pod-security.kubernetes.io/enforce=restricted* ]]; then - echo "PSS restricted label is present in dynamic namespace." - else - echo "PSS restricted label is absent in dynamic namespace." - exit 1 - fi + # - name: Apply Pod Security Standards baseline levels for dynamic namespaces + # run: | + # cat << EOF > ./kustomization.yaml + # apiVersion: kustomize.config.k8s.io/v1beta1 + # kind: Kustomization + # resources: + # - apps/profiles/upstream/overlays/kubeflow + # components: + # - contrib/security/PSS/dynamic/restricted + # EOF + # kubectl apply -k . + # rm ./kustomization.yaml + # kubectl -n kubeflow wait --for=condition=Ready pods -l kustomize.component=profiles --timeout 200s + # sleep 100 + + # - name: Create dynamic user namespace and check for PSS labels present + # run: | + # kustomize build common/user-namespace/base | kubectl apply -f - + # LABELS=$(kubectl get namespace kubeflow-user-example-com --show-labels | awk 'NR==2 {print $NF}') + # if [[ "$LABELS" == *pod-security.kubernetes.io/enforce=restricted* ]]; then + # echo "PSS restricted label is present in dynamic namespace." 
+ # else + # echo "PSS restricted label is absent in dynamic namespace." + # exit 1 + # fi - name: Apply patches to clear warnings run: | From b00fe48feb826858335883f8e1514ce2a5be124a Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Mon, 16 Sep 2024 14:06:41 +0530 Subject: [PATCH 73/79] Fixed lint Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index d86df663c..25a319023 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -27,8 +27,9 @@ jobs: - name: Install kubectl run: ./tests/gh-actions/install_kubectl.sh - - name: Install all istio-cni resources + - name: Install all istio-cni resources and kubeflow namespace run: | + kustomize build common/kubeflow-namespace/base | kubectl apply -f - ./tests/gh-actions/install_cert_manager.sh ./tests/gh-actions/install_istio-cni.sh kustomize build common/istio-cni-1-22/kubeflow-istio-resources/base | kubectl apply -f - @@ -42,7 +43,6 @@ jobs: - name: Install all other deployments of static namespaces run: | - kustomize build common/kubeflow-namespace/base | kubectl apply -f - ./tests/gh-actions/install_multi_tenancy.sh kustomize build ./common/oauth2-proxy/overlays/m2m-self-signed | kubectl apply -f - echo "Waiting for all oauth2-proxy pods to become ready..." @@ -68,7 +68,7 @@ jobs: # rm ./kustomization.yaml # kubectl -n kubeflow wait --for=condition=Ready pods -l kustomize.component=profiles --timeout 200s # sleep 100 - + # - name: Create dynamic user namespace and check for PSS labels present # run: | # kustomize build common/user-namespace/base | kubectl apply -f - From 0cd04543357f5aab9c983a65542186d707baf785 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Mon, 16 Sep 2024 17:40:29 +0530 Subject: [PATCH 74/79] Added seccompProfile attribute for istio-proxy 
Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index 25a319023..55bfa2914 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -38,6 +38,9 @@ jobs: run: | kubectl get cm istio-sidecar-injector -n istio-system -o yaml > temporary_patch.yaml sed -i '0,/runAsNonRoot: true/{s//&\n seccompProfile:\n type: RuntimeDefault/}' temporary_patch.yaml + sed -i '/runAsNonRoot: true/{N; /runAsUser: {{ .ProxyUID | default "1337" }}/a\ + seccompProfile:\n type: RuntimeDefault + }' temporary_patch.yaml kubectl apply -f temporary_patch.yaml rm temporary_patch.yaml From 0cd28708d6d4c1984b7bf0c54041a1f49253207d Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Mon, 16 Sep 2024 19:25:43 +0530 Subject: [PATCH 75/79] Adding PSS label to dynamic ns Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 41 ++++++++++++++------------------- 1 file changed, 17 insertions(+), 24 deletions(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index 55bfa2914..1606e0657 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml 
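Review bot: Neither `sed` in this step verifies that it matched anything, so if the injector template changes shape (a different `runAsUser` expression, or `runAsNonRoot` no longer followed by it) the step still applies the unchanged ConfigMap and the missing seccompProfile only surfaces later as a PSS warning on some pod. Counting the inserted lines before the apply fails at the right place: `[ "$(grep -c 'type: RuntimeDefault' temporary_patch.yaml)" -ge 2 ] || { echo "injector template not patched"; exit 1; }` — if the template already contains a `RuntimeDefault` entry the threshold has to be raised accordingly, which is not visible here. The `a\` continuation with `\n` inside the appended text and the `0,/re/` address rely on GNU sed, which matches the ubuntu runner but deserves a comment, e.g. `# GNU sed only: 0,/re/ and \n in a\ text are extensions`.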
@@ -57,31 +57,24 @@ jobs: - name: Install KF Pipelines run: ./tests/gh-actions/install_pipelines.sh - # - name: Apply Pod Security Standards baseline levels for dynamic namespaces - # run: | - # cat << EOF > ./kustomization.yaml - # apiVersion: kustomize.config.k8s.io/v1beta1 - # kind: Kustomization - # resources: - # - apps/profiles/upstream/overlays/kubeflow - # components: - # - contrib/security/PSS/dynamic/restricted - # EOF - # kubectl apply -k . - # rm ./kustomization.yaml - # kubectl -n kubeflow wait --for=condition=Ready pods -l kustomize.component=profiles --timeout 200s - # sleep 100 + - name: Configure profile-controller's manager with PSS restricted label + run: | + CONFIGMAP=$(kubectl get cm -n kubeflow | awk '{print $1}' | grep -e "namespace-labels-data") + kubectl get cm $CONFIGMAP -n kubeflow -o yaml > temporary.yaml + sed -i '/app.kubernetes.io\/part-of: "kubeflow-profile"/{s/.*/&\n pod-security.kubernetes.io\/enforce: "restricted"/}' temporary.yaml + kubectl apply -f temporary.yaml + rm temporary.yaml - # - name: Create dynamic user namespace and check for PSS labels present - # run: | - # kustomize build common/user-namespace/base | kubectl apply -f - - # LABELS=$(kubectl get namespace kubeflow-user-example-com --show-labels | awk 'NR==2 {print $NF}') - # if [[ "$LABELS" == *pod-security.kubernetes.io/enforce=restricted* ]]; then - # echo "PSS restricted label is present in dynamic namespace." - # else - # echo "PSS restricted label is absent in dynamic namespace." - # exit 1 - # fi + - name: Create dynamic user namespace and check for PSS labels present + run: | + kustomize build common/user-namespace/base | kubectl apply -f - + LABELS=$(kubectl get namespace kubeflow-user-example-com --show-labels | awk 'NR==2 {print $NF}') + if [[ "$LABELS" == *pod-security.kubernetes.io/enforce=restricted* ]]; then + echo "PSS restricted label is present in dynamic namespace." + else + echo "PSS restricted label is absent in dynamic namespace." 
+ exit 1 + fi - name: Apply patches to clear warnings run: | From f3cace5f81bc03b8eab415a2d743efe4197bb8da Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Mon, 16 Sep 2024 19:39:15 +0530 Subject: [PATCH 76/79] Reordered dynamic ns test Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index 1606e0657..fdbfaf3b3 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -54,10 +54,7 @@ jobs: echo "Waiting for pods in auth namespace to become ready..." kubectl wait --for=condition=Ready pods --all --timeout=180s -n auth - - name: Install KF Pipelines - run: ./tests/gh-actions/install_pipelines.sh - - - name: Configure profile-controller's manager with PSS restricted label + - name: Configure profile-controller's manager configmap with PSS restricted label run: | CONFIGMAP=$(kubectl get cm -n kubeflow | awk '{print $1}' | grep -e "namespace-labels-data") kubectl get cm $CONFIGMAP -n kubeflow -o yaml > temporary.yaml @@ -65,6 +62,9 @@ jobs: kubectl apply -f temporary.yaml rm temporary.yaml + - name: Install KF Pipelines + run: ./tests/gh-actions/install_pipelines.sh + - name: Create dynamic user namespace and check for PSS labels present run: | kustomize build common/user-namespace/base | kubectl apply -f - From 2cb79fb71b1aef06174abe45ca64111add7558f2 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Mon, 16 Sep 2024 19:48:03 +0530 Subject: [PATCH 77/79] Commented the dynamic ns tests Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 34 ++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index fdbfaf3b3..271c2de64 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml 
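Review bot: `CONFIGMAP=$(kubectl get cm -n kubeflow | awk '{print $1}' | grep -e "namespace-labels-data")` can yield zero or several names and `$CONFIGMAP` is then expanded unquoted: with no match (and no `-e` in effect for the step shell, which is outside the hunk) `kubectl get cm -n kubeflow -o yaml` dumps every ConfigMap in the namespace and the `sed`/`apply` pair rewrites all of them, and with several matches (e.g. hash-suffixed generations) they are dumped as a List. Resolving exactly one object and failing otherwise is safer: `CONFIGMAP=$(kubectl get cm -n kubeflow -o name | grep -m1 'namespace-labels-data') || { echo "namespace-labels-data ConfigMap not found"; exit 1; }` followed by `kubectl get "$CONFIGMAP" -n kubeflow -o yaml > temporary.yaml`. Editing a generated ConfigMap in place also bypasses the `contrib/security/PSS/dynamic/restricted` component that the earlier step in "Added dynamic ns to pss_test" used for the same purpose; whichever of the two is the supported path should be the one this test exercises.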
@@ -54,27 +54,27 @@ jobs: echo "Waiting for pods in auth namespace to become ready..." kubectl wait --for=condition=Ready pods --all --timeout=180s -n auth - - name: Configure profile-controller's manager configmap with PSS restricted label - run: | - CONFIGMAP=$(kubectl get cm -n kubeflow | awk '{print $1}' | grep -e "namespace-labels-data") - kubectl get cm $CONFIGMAP -n kubeflow -o yaml > temporary.yaml - sed -i '/app.kubernetes.io\/part-of: "kubeflow-profile"/{s/.*/&\n pod-security.kubernetes.io\/enforce: "restricted"/}' temporary.yaml - kubectl apply -f temporary.yaml - rm temporary.yaml + # - name: Configure profile-controller's manager configmap with PSS restricted label + # run: | + # CONFIGMAP=$(kubectl get cm -n kubeflow | awk '{print $1}' | grep -e "namespace-labels-data") + # kubectl get cm $CONFIGMAP -n kubeflow -o yaml > temporary.yaml + # sed -i '/app.kubernetes.io\/part-of: "kubeflow-profile"/{s/.*/&\n pod-security.kubernetes.io\/enforce: "restricted"/}' temporary.yaml + # kubectl apply -f temporary.yaml + # rm temporary.yaml - name: Install KF Pipelines run: ./tests/gh-actions/install_pipelines.sh - - name: Create dynamic user namespace and check for PSS labels present - run: | - kustomize build common/user-namespace/base | kubectl apply -f - - LABELS=$(kubectl get namespace kubeflow-user-example-com --show-labels | awk 'NR==2 {print $NF}') - if [[ "$LABELS" == *pod-security.kubernetes.io/enforce=restricted* ]]; then - echo "PSS restricted label is present in dynamic namespace." - else - echo "PSS restricted label is absent in dynamic namespace." 
- exit 1 - fi + # - name: Create dynamic user namespace and check for PSS labels present + # run: | + # kustomize build common/user-namespace/base | kubectl apply -f - + # LABELS=$(kubectl get namespace kubeflow-user-example-com --show-labels | awk 'NR==2 {print $NF}') + # if [[ "$LABELS" == *pod-security.kubernetes.io/enforce=restricted* ]]; then + # echo "PSS restricted label is present in dynamic namespace." + # else + # echo "PSS restricted label is absent in dynamic namespace." + # exit 1 + # fi - name: Apply patches to clear warnings run: | From 5ed56cfbdb947459cfe3a376799e2363ebdaa266 Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Mon, 16 Sep 2024 19:51:03 +0530 Subject: [PATCH 78/79] Fix lint Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index 271c2de64..65f8ffb32 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -54,7 +54,7 @@ jobs: echo "Waiting for pods in auth namespace to become ready..." kubectl wait --for=condition=Ready pods --all --timeout=180s -n auth - # - name: Configure profile-controller's manager configmap with PSS restricted label + # - name: Configure profile-controller's manager configmap with PSS restricted label # run: | # CONFIGMAP=$(kubectl get cm -n kubeflow | awk '{print $1}' | grep -e "namespace-labels-data") # kubectl get cm $CONFIGMAP -n kubeflow -o yaml > temporary.yaml From e40311f4032ed586f8144574bb4e8c742687e5ed Mon Sep 17 00:00:00 2001 From: biswajit-9776 Date: Mon, 16 Sep 2024 21:55:40 +0530 Subject: [PATCH 79/79] Removing debugging stuffs 
Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 21 +------------------ .../security/PSS/patches/cache-server.yaml | 6 ------ contrib/security/PSS/patches/kfam.yaml | 6 ------ .../PSS/patches/metadata-grpc-deployment.yaml | 6 ------ .../security/PSS/patches/metadata-writer.yaml | 6 ------ contrib/security/PSS/patches/minio.yaml | 6 ------ .../patches/ml-pipeline-persistenceagent.yaml | 6 ------ .../ml-pipeline-scheduledworkflow.yaml | 6 ------ .../security/PSS/patches/ml-pipeline-ui.yaml | 6 ------ .../PSS/patches/ml-pipeline-viewer-crd.yaml | 6 ------ .../ml-pipeline-visualizationserver.yaml | 6 ------ contrib/security/PSS/patches/ml-pipeline.yaml | 6 ------ contrib/security/PSS/patches/mysql.yaml | 6 ------ .../PSS/patches/workflow-controller.yaml | 6 ------ 14 files changed, 1 insertion(+), 98 deletions(-) diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index 65f8ffb32..8e313638c 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml 
@@ -54,28 +54,9 @@ jobs: echo "Waiting for pods in auth namespace to become ready..." kubectl wait --for=condition=Ready pods --all --timeout=180s -n auth - # - name: Configure profile-controller's manager configmap with PSS restricted label - # run: | - # CONFIGMAP=$(kubectl get cm -n kubeflow | awk '{print $1}' | grep -e "namespace-labels-data") - # kubectl get cm $CONFIGMAP -n kubeflow -o yaml > temporary.yaml - # sed -i '/app.kubernetes.io\/part-of: "kubeflow-profile"/{s/.*/&\n pod-security.kubernetes.io\/enforce: "restricted"/}' temporary.yaml - # kubectl apply -f temporary.yaml - # rm temporary.yaml - - name: Install KF Pipelines run: ./tests/gh-actions/install_pipelines.sh - # - name: Create dynamic user namespace and check for PSS labels present - # run: | - # kustomize build common/user-namespace/base | kubectl apply -f - - # LABELS=$(kubectl get namespace kubeflow-user-example-com --show-labels | awk 'NR==2 {print $NF}') - # if [[ "$LABELS" == *pod-security.kubernetes.io/enforce=restricted* ]]; then - # echo "PSS restricted label is present in dynamic namespace." - # else - # echo "PSS restricted label is absent in dynamic namespace." - # exit 1 - # fi - - name: Apply patches to clear warnings run: | DIRECTORY="contrib/security/PSS/patches" @@ -92,7 +73,7 @@ jobs: kubectl patch "$KIND" "$NAME" -n "$NAMESPACE" --patch-file "$file" fi done - sleep 600 + sleep 300 - name: Apply Pod Security Standards baseline levels for static namespaces run: ./tests/gh-actions/enable_baseline_PSS.sh diff --git a/contrib/security/PSS/patches/cache-server.yaml b/contrib/security/PSS/patches/cache-server.yaml index 172bb64f4..f8fc2b520 100644 --- a/contrib/security/PSS/patches/cache-server.yaml +++ b/contrib/security/PSS/patches/cache-server.yaml @@ -18,9 +18,3 @@ spec: capabilities: drop: - ALL - initContainers: - - image: docker.io/istio/proxyv2:1.22.1 - name: istio-validation - securityContext: - seccompProfile: - type: RuntimeDefault 
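Review bot: With the commented "Create dynamic user namespace and check for PSS labels present" step deleted here, the workflow no longer asserts anything about dynamic (profile) namespaces — the stated goal of "Added dynamic ns to pss_test" earlier in the series — so a regression in the restricted label on user namespaces would pass this job. Either restore the check under a step that is known to work, or record in the workflow why it is out of scope, e.g. `# dynamic-namespace PSS enforcement is not covered by this job; see contrib/security/PSS/dynamic`, so the gap is deliberate rather than silent.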
diff --git a/contrib/security/PSS/patches/kfam.yaml b/contrib/security/PSS/patches/kfam.yaml index cf418b77b..1ad3d2430 100644 --- a/contrib/security/PSS/patches/kfam.yaml +++ b/contrib/security/PSS/patches/kfam.yaml @@ -18,9 +18,3 @@ spec: capabilities: drop: - ALL - initContainers: - - image: docker.io/istio/proxyv2:1.22.1 - name: istio-validation - securityContext: - seccompProfile: - type: RuntimeDefault diff --git a/contrib/security/PSS/patches/metadata-grpc-deployment.yaml b/contrib/security/PSS/patches/metadata-grpc-deployment.yaml index 84e8a32bd..2392bc0f7 100644 --- a/contrib/security/PSS/patches/metadata-grpc-deployment.yaml +++ b/contrib/security/PSS/patches/metadata-grpc-deployment.yaml @@ -18,9 +18,3 @@ spec: capabilities: drop: - ALL - initContainers: - - image: docker.io/istio/proxyv2:1.22.1 - name: istio-validation - securityContext: - seccompProfile: - type: RuntimeDefault diff --git a/contrib/security/PSS/patches/metadata-writer.yaml b/contrib/security/PSS/patches/metadata-writer.yaml index bc07c3ebc..6e597e667 100644 --- a/contrib/security/PSS/patches/metadata-writer.yaml +++ b/contrib/security/PSS/patches/metadata-writer.yaml @@ -18,9 +18,3 @@ spec: capabilities: drop: - ALL - initContainers: - - image: docker.io/istio/proxyv2:1.22.1 - name: istio-validation - securityContext: - seccompProfile: - type: RuntimeDefault diff --git a/contrib/security/PSS/patches/minio.yaml b/contrib/security/PSS/patches/minio.yaml index 90a0f0039..35ce8d5ba 100644 --- a/contrib/security/PSS/patches/minio.yaml +++ b/contrib/security/PSS/patches/minio.yaml @@ -18,9 +18,3 @@ spec: capabilities: drop: - ALL - initContainers: - - image: docker.io/istio/proxyv2:1.22.1 - name: istio-validation - securityContext: - seccompProfile: - type: RuntimeDefault diff --git a/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml b/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml index 47df95922..4a0f57f23 100644 
--- a/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml +++ b/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml @@ -18,9 +18,3 @@ spec: capabilities: drop: - ALL - initContainers: - - image: docker.io/istio/proxyv2:1.22.1 - name: istio-validation - securityContext: - seccompProfile: - type: RuntimeDefault diff --git a/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml b/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml index 91e001653..46e27a7d5 100644 --- a/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml +++ b/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml @@ -18,9 +18,3 @@ spec: capabilities: drop: - ALL - initContainers: - - image: docker.io/istio/proxyv2:1.22.1 - name: istio-validation - securityContext: - seccompProfile: - type: RuntimeDefault diff --git a/contrib/security/PSS/patches/ml-pipeline-ui.yaml b/contrib/security/PSS/patches/ml-pipeline-ui.yaml index b5bbf521f..9d86557c3 100644 --- a/contrib/security/PSS/patches/ml-pipeline-ui.yaml +++ b/contrib/security/PSS/patches/ml-pipeline-ui.yaml @@ -18,9 +18,3 @@ spec: capabilities: drop: - ALL - initContainers: - - image: docker.io/istio/proxyv2:1.22.1 - name: istio-validation - securityContext: - seccompProfile: - type: RuntimeDefault diff --git a/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml b/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml index ed7518742..f099a17f2 100644 --- a/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml +++ b/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml @@ -18,9 +18,3 @@ spec: capabilities: drop: - ALL - initContainers: - - image: docker.io/istio/proxyv2:1.22.1 - name: istio-validation - securityContext: - seccompProfile: - type: RuntimeDefault diff --git a/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml b/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml index 33516be68..8b1233944 100644 
--- a/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml +++ b/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml @@ -18,9 +18,3 @@ spec: capabilities: drop: - ALL - initContainers: - - image: docker.io/istio/proxyv2:1.22.1 - name: istio-validation - securityContext: - seccompProfile: - type: RuntimeDefault diff --git a/contrib/security/PSS/patches/ml-pipeline.yaml b/contrib/security/PSS/patches/ml-pipeline.yaml index 74866d44e..8ab9e6628 100644 --- a/contrib/security/PSS/patches/ml-pipeline.yaml +++ b/contrib/security/PSS/patches/ml-pipeline.yaml @@ -18,9 +18,3 @@ spec: capabilities: drop: - ALL - initContainers: - - image: docker.io/istio/proxyv2:1.22.1 - name: istio-validation - securityContext: - seccompProfile: - type: RuntimeDefault diff --git a/contrib/security/PSS/patches/mysql.yaml b/contrib/security/PSS/patches/mysql.yaml index 1abf4c7e4..0464b89fb 100644 --- a/contrib/security/PSS/patches/mysql.yaml +++ b/contrib/security/PSS/patches/mysql.yaml @@ -18,9 +18,3 @@ spec: capabilities: drop: - ALL - initContainers: - - image: docker.io/istio/proxyv2:1.22.1 - name: istio-validation - securityContext: - seccompProfile: - type: RuntimeDefault diff --git a/contrib/security/PSS/patches/workflow-controller.yaml b/contrib/security/PSS/patches/workflow-controller.yaml index 4e618e2a8..5932fa9d1 100644 --- a/contrib/security/PSS/patches/workflow-controller.yaml +++ b/contrib/security/PSS/patches/workflow-controller.yaml @@ -12,9 +12,3 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true - initContainers: - - image: docker.io/istio/proxyv2:1.22.1 - name: istio-validation - securityContext: - seccompProfile: - type: RuntimeDefault