Debugging warnings in pss workflow #2866
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,5 +1,5 @@ | ||
| name: Apply PSS labels to namespaces | ||
| on: | ||
| pull_request: | ||
| paths: | ||
| - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh | ||
|
|
@@ -11,7 +11,7 @@ | |
| - common/cert-manager/** | ||
| - common/oauth2-proxy/** | ||
| - common/istio*/** | ||
| - tests/gh-actions/install_istio-cni.sh | ||
| - tests/gh-actions/install_multitenancy.sh | ||
|
|
||
| jobs: | ||
|
|
@@ -27,12 +27,25 @@ | |
| - name: Install kubectl | ||
| run: ./tests/gh-actions/install_kubectl.sh | ||
|
|
||
| - name: Install all istio-cni resources and kubeflow namespace | ||
| run: | | ||
| kustomize build common/kubeflow-namespace/base | kubectl apply -f - | ||
| ./tests/gh-actions/install_cert_manager.sh | ||
| ./tests/gh-actions/install_istio-cni.sh | ||
| kustomize build common/istio-cni-1-22/kubeflow-istio-resources/base | kubectl apply -f - | ||
|
|
||
| - name: Configure istio init container with seccompProfile attribute | ||
| run: | | ||
| kubectl get cm istio-sidecar-injector -n istio-system -o yaml > temporary_patch.yaml | ||
| sed -i '0,/runAsNonRoot: true/{s//&\n seccompProfile:\n type: RuntimeDefault/}' temporary_patch.yaml | ||
| sed -i '/runAsNonRoot: true/{N; /runAsUser: {{ .ProxyUID | default "1337" }}/a\ | ||
| seccompProfile:\n type: RuntimeDefault | ||
| }' temporary_patch.yaml | ||
| kubectl apply -f temporary_patch.yaml | ||
| rm temporary_patch.yaml | ||
|
|
||
| - name: Install all other deployments of static namespaces | ||
| run: | | ||
| ./tests/gh-actions/install_multi_tenancy.sh | ||
| kustomize build ./common/oauth2-proxy/overlays/m2m-self-signed | kubectl apply -f - | ||
| echo "Waiting for all oauth2-proxy pods to become ready..." | ||
|
|
@@ -41,35 +54,27 @@ | |
| echo "Waiting for pods in auth namespace to become ready..." | ||
| kubectl wait --for=condition=Ready pods --all --timeout=180s -n auth | ||
|
|
||
| # - name: Configure profile-controller's manager configmap with PSS restricted label | ||
| # run: | | ||
| # CONFIGMAP=$(kubectl get cm -n kubeflow | awk '{print $1}' | grep -e "namespace-labels-data") | ||
| # kubectl get cm $CONFIGMAP -n kubeflow -o yaml > temporary.yaml | ||
| # sed -i '/app.kubernetes.io\/part-of: "kubeflow-profile"/{s/.*/&\n pod-security.kubernetes.io\/enforce: "restricted"/}' temporary.yaml | ||
| # kubectl apply -f temporary.yaml | ||
| # rm temporary.yaml | ||
|
|
||
| - name: Install KF Pipelines | ||
| run: ./tests/gh-actions/install_pipelines.sh | ||
|
|
||
| # - name: Create dynamic user namespace and check for PSS labels present | ||
|
There was a problem hiding this comment. Please remove the debugging parts, such that we can merge soon. Let's just finish these three comments and merge. This PR is getting too big and we should continue in new ones. There was a problem hiding this comment. Debugging parts along with patch for dynamic namespaces have also been removed in the commit e40311f. I believe that can be done in a new PR to keep things simple. |
||
| # run: | | ||
| # kustomize build common/user-namespace/base | kubectl apply -f - | ||
| # LABELS=$(kubectl get namespace kubeflow-user-example-com --show-labels | awk 'NR==2 {print $NF}') | ||
| # if [[ "$LABELS" == *pod-security.kubernetes.io/enforce=restricted* ]]; then | ||
| # echo "PSS restricted label is present in dynamic namespace." | ||
| # else | ||
| # echo "PSS restricted label is absent in dynamic namespace." | ||
| # exit 1 | ||
| # fi | ||
|
|
||
| - name: Apply patches to clear warnings | ||
| run: | | ||
|
|
@@ -87,6 +92,19 @@ | |
| kubectl patch "$KIND" "$NAME" -n "$NAMESPACE" --patch-file "$file" | ||
| fi | ||
| done | ||
| sleep 600 | ||
|
|
||
| - name: Apply Pod Security Standards baseline levels for static namespaces | ||
| run: ./tests/gh-actions/enable_baseline_PSS.sh | ||
|
|
||
| - name: Unapply applied baseline labels | ||
| run: | | ||
| NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow") | ||
| for NAMESPACE in "${NAMESPACES[@]}"; do | ||
| if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then | ||
| kubectl label namespace $NAMESPACE pod-security.kubernetes.io/enforce- | ||
| fi | ||
| done | ||
|
|
||
| - name: Applying Pod Security Standards restricted levels for static namespaces | ||
| run: ./tests/gh-actions/enable_restricted_PSS.sh | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| apiVersion: apps/v1 | ||
| kind: StatefulSet | ||
| metadata: | ||
| name: metacontroller | ||
| namespace: kubeflow | ||
| spec: | ||
| template: | ||
| spec: | ||
| containers: | ||
| - name: metacontroller | ||
| securityContext: | ||
| seccompProfile: | ||
| type: RuntimeDefault |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -13,6 +13,14 @@ spec: | |
| seccompProfile: | ||
| type: RuntimeDefault | ||
| runAsNonRoot: true | ||
| runAsUser: 1000 | ||
| runAsGroup: 0 | ||
| capabilities: | ||
| drop: | ||
| - ALL | ||
| initContainers: | ||
|
There was a problem hiding this comment. Please remove all the istio initcontainer patches from all There was a problem hiding this comment. initContainers have been removed in the commit e40311f |
||
| - image: docker.io/istio/proxyv2:1.22.1 | ||
| name: istio-validation | ||
| securityContext: | ||
| seccompProfile: | ||
| type: RuntimeDefault | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,7 +4,6 @@ metadata: | |
| name: oauth2-proxy | ||
| namespace: oauth2-proxy | ||
| spec: | ||
| template: | ||
| spec: | ||
| containers: | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| apiVersion: apps/v1 | ||
| kind: Deployment | ||
| metadata: | ||
| name: workflow-controller | ||
| namespace: kubeflow | ||
| spec: | ||
| template: | ||
| spec: | ||
| containers: | ||
| - name: workflow-controller | ||
| securityContext: | ||
| seccompProfile: | ||
| type: RuntimeDefault | ||
| runAsNonRoot: true | ||
| initContainers: | ||
| - image: docker.io/istio/proxyv2:1.22.1 | ||
| name: istio-validation | ||
| securityContext: | ||
| seccompProfile: | ||
| type: RuntimeDefault |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks good :-) according to the workflow results it seems to work, but please verify it manually.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I did run it manually and opened up the configmap to observe the changes in place as we want. Also, I have removed the comments which I can later add as commits for dynamic namespace.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The ml-pipeline pod in my local system does seem to fail with CrashLoopBackOff as I open it up. Maybe I need to increase my fs.inotify.max_user_{instances, watches} .