diff --git a/.github/workflows/kserve_m2m_test.yaml b/.github/workflows/kserve_m2m_test.yaml
index 8a057accc1..2f0b679c9f 100644
--- a/.github/workflows/kserve_m2m_test.yaml
+++ b/.github/workflows/kserve_m2m_test.yaml
@@ -5,7 +5,7 @@ on:
 - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh
 - .github/workflows/kserve_m2m_test.yaml
 - contrib/kserve/**
- - common/oidc-client/oauth2-proxy/**
+ - common/oauth2-proxy/**
 - common/istio*/**
 - tests/gh-actions/install_istio_with_ext_auth.sh*
 - tests/gh-actions/install_cert_manager.sh
diff --git a/.github/workflows/notebook_controller_m2m_test.yaml b/.github/workflows/notebook_controller_m2m_test.yaml
index 54a53e5f19..4fddc3c326 100644
--- a/.github/workflows/notebook_controller_m2m_test.yaml
+++ b/.github/workflows/notebook_controller_m2m_test.yaml
@@ -5,7 +5,7 @@ on:
 - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh
 - .github/workflows/notebook_controller_m2m_test.yaml
 - apps/jupyter/**
- - common/oidc-client/oauth2-proxy/**
+ - common/oauth2-proxy/**
 - common/istio*/**
 - tests/gh-actions/install_istio_with_ext_auth.sh*
 - tests/gh-actions/install_multi_tenancy.sh
diff --git a/.github/workflows/pipeline_run_from_notebook.yaml b/.github/workflows/pipeline_run_from_notebook.yaml
index 2e9c07e9cc..f83b729a06 100644
--- a/.github/workflows/pipeline_run_from_notebook.yaml
+++ b/.github/workflows/pipeline_run_from_notebook.yaml
@@ -11,7 +11,7 @@ on:
 - common/cert-manager/**
 - common/oauth2-proxy/**
 - common/istio*/**
- - common/oidc-client/**
+ - common/**
 - apps/jupyter/**
 
 jobs:
diff --git a/.github/workflows/pipeline_test.yaml b/.github/workflows/pipeline_test.yaml
index 61b05258ca..fec9c9eccd 100644
--- a/.github/workflows/pipeline_test.yaml
+++ b/.github/workflows/pipeline_test.yaml
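Review bot: `common/**` in the pipeline_run_from_notebook.yaml paths filter subsumes the `common/cert-manager/**`, `common/oauth2-proxy/**` and `common/istio*/**` entries three lines above it, so those become dead entries, and every change anywhere under common/ now triggers this workflow. The other three workflows in this commit replace the same old `common/oidc-client/...` path with `common/oauth2-proxy/**`, which looks like the intended value here as well; if the wider trigger is deliberate, the three narrower entries should be dropped so the filter states one intent. Either way the commit message should say which it is.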
@@ -8,7 +8,7 @@ on:
 - tests/gh-actions/install_istio.sh
 - tests/gh-actions/install_cert_manager.sh
 - common/cert-manager/**
- - common/oidc-client/oauth2-proxy/**
+ - common/oauth2-proxy/**
 - common/istio*/**
 - tests/gh-actions/install_istio_with_ext_auth.sh
diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml
index 9922aa2ef3..86c89fde2b 100644
--- a/.github/workflows/pss_test.yaml
+++ b/.github/workflows/pss_test.yaml
@@ -44,10 +44,10 @@ jobs:
 - name: Install KF Pipelines
 run: ./tests/gh-actions/install_pipelines.sh
 
- - name: Applying Pod Security Standards baseline levels for static namespaces
+ - name: Apply Pod Security Standards baseline levels for static namespaces
 run: ./tests/gh-actions/enable_baseline_PSS.sh
 
- - name: Applying Pod Security Standards baseline levels for dynamic namespaces
+ - name: Apply Pod Security Standards baseline levels for dynamic namespaces
 run: |
 cat << EOF > ./kustomization.yaml
 apiVersion: kustomize.config.k8s.io/v1beta1
@@ -61,7 +61,7 @@ jobs:
 rm ./kustomization.yaml
 kubectl -n kubeflow wait --for=condition=Ready pods -l kustomize.component=profiles --timeout 180s
 
- - name: Unapplying applied baseline values
+ - name: Unapply applied baseline values
 run: |
 NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow")
 for NAMESPACE in "${NAMESPACES[@]}"; do
@@ -69,6 +69,24 @@ jobs:
 kubectl label namespace $NAMESPACE pod-security.kubernetes.io/enforce-
 fi
 done
+ sleep 10
+
+ - name: Apply patches to clear warnings
+ run: |
+ DIRECTORY="contrib/security/PSS/patches"
+ for file in "$DIRECTORY"/*.yaml; do
+ echo "Patching file: $file"
+
+ KIND=$(kubectl get -f "$file" -o jsonpath='{.kind}')
+ NAME=$(kubectl get -f "$file" -o jsonpath='{.metadata.name}')
+ NAMESPACE=$(kubectl get -f "$file" -o jsonpath='{.metadata.namespace}')
+
+ # Apply the patch
+ kubectl get "$KIND" "$NAME" -n "$NAMESPACE" &> /dev/null
+ if [ $? -eq 0 ]; then
+ kubectl patch "$KIND" "$NAME" -n "$NAMESPACE" --patch-file "$file"
+ fi
+ done
 
 - name: Applying Pod Security Standards restricted levels for static namespaces
 run: ./tests/gh-actions/enable_restricted_PSS.sh
diff --git a/common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/cronjob.kubeflow-m2m-oidc-configurator.yaml b/common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/cronjob.kubeflow-m2m-oidc-configurator.yaml
index 639e96cb49..5c3e305b5e 100644
--- a/common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/cronjob.kubeflow-m2m-oidc-configurator.yaml
+++ b/common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/cronjob.kubeflow-m2m-oidc-configurator.yaml
@@ -29,6 +29,15 @@ spec:
 name: script
 subPath: script.sh
 resources: {}
+ securityContext:
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ runAsUser: 1000
+ capabilities:
+ drop:
+ - ALL
 volumes:
 - name: script
 configMap:
diff --git a/contrib/security/PSS/patches/cache-server.yaml b/contrib/security/PSS/patches/cache-server.yaml
index e62a8bcc49..51c1123020 100644
--- a/contrib/security/PSS/patches/cache-server.yaml
+++ b/contrib/security/PSS/patches/cache-server.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: cache-server
+ namespace: kubeflow
 spec:
 template:
 spec:
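Review bot: The existence guard in the new "Apply patches to clear warnings" step can never take its skip path for a missing object, because `KIND`, `NAME` and `NAMESPACE` are each read with `kubectl get -f "$file"`, which itself fails when the object is absent; if the job runs under the Actions default `bash -e` shell (not visible in this hunk) the failing command substitution aborts the step before the `[ $? -eq 0 ]` test is reached. Reading the identity client-side with `kubectl create --dry-run=client -f "$file" -o jsonpath=...` needs no live object, replaces three API round-trips per file with none, and makes the guard meaningful; `&> /dev/null` followed by a `$?` test is more directly written as `if kubectl get … >/dev/null 2>&1; then`. A skipped file is currently silent, so an `else` branch that logs the skip makes the step's output auditable. The fixed `sleep 10` added after the label-removal loop waits on nothing observable; if it is there to let the admission controller pick up the label change, a comment saying so would save the next reader a guess.
```yaml
run: |
  DIRECTORY="contrib/security/PSS/patches"
  for file in "$DIRECTORY"/*.yaml; do
    echo "Patching file: $file"
    # Read kind/name/namespace from the patch file itself (no API call, no
    # dependency on the object existing), then guard the patch on existence.
    read -r KIND NAME NAMESPACE < <(kubectl create --dry-run=client -f "$file" \
      -o jsonpath='{.kind} {.metadata.name} {.metadata.namespace}')
    if kubectl get "$KIND" "$NAME" -n "$NAMESPACE" >/dev/null 2>&1; then
      kubectl patch "$KIND" "$NAME" -n "$NAMESPACE" --patch-file "$file"
    else
      echo "Skipping $file: $KIND/$NAME not found in namespace $NAMESPACE" >&2
    fi
  done
```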
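Review bot: `runAsUser: 1000` in the new container securityContext of the m2m-oidc-configurator CronJob pins a UID without a comment saying why; `runAsNonRoot: true` already carries the non-root requirement, and an explicit numeric UID is only needed when the image's USER is not numeric (the kubelet cannot verify runAsNonRoot otherwise) or when files in the image are owned by that UID — neither is visible here, so confirm against the image and record the reason, e.g. `runAsUser: 1000 # image USER is not numeric; required for runAsNonRoot to be verifiable`. The block covers the container-level fields of the restricted Pod Security Standard (allowPrivilegeEscalation, seccompProfile, capabilities drop ALL, runAsNonRoot); `readOnlyRootFilesystem: true` is not required by the profile but is cheap additional hardening if the mounted script writes nothing to the container filesystem.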
diff --git a/contrib/security/PSS/patches/cluster-local-gateway.yaml b/contrib/security/PSS/patches/cluster-local-gateway.yaml
deleted file mode 100644
index 09b890872f..0000000000
--- a/contrib/security/PSS/patches/cluster-local-gateway.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: cluster-local-gateway
-spec:
- template:
- spec:
- containers:
- - name: istio-proxy
- securityContext:
- seccompProfile:
- type: RuntimeDefault
diff --git a/contrib/security/PSS/patches/dex.yaml b/contrib/security/PSS/patches/dex.yaml
index d82ecba673..edde313997 100644
--- a/contrib/security/PSS/patches/dex.yaml
+++ b/contrib/security/PSS/patches/dex.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: dex
+ namespace: auth
 spec:
 template:
 spec:
diff --git a/contrib/security/PSS/patches/kfam.yaml b/contrib/security/PSS/patches/kfam.yaml
index cfd999f56a..0445d53764 100644
--- a/contrib/security/PSS/patches/kfam.yaml
+++ b/contrib/security/PSS/patches/kfam.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: profiles-deployment
+ namespace: kubeflow
 spec:
 template:
 spec:
diff --git a/contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml b/contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml
index 9c29bfb9ab..342ca70f6e 100644
--- a/contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml
+++ b/contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: kubeflow-pipelines-profile-controller
+ namespace: kubeflow
 spec:
 template:
 spec:
diff --git a/contrib/security/PSS/patches/manager.yaml b/contrib/security/PSS/patches/manager.yaml
index cbf3f3579d..b4080721fa 100644
--- a/contrib/security/PSS/patches/manager.yaml
+++ b/contrib/security/PSS/patches/manager.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: profiles-deployment
+ namespace: kubeflow
 spec:
 template:
 spec:
diff --git a/contrib/security/PSS/patches/metadata-envoy-deployment.yaml b/contrib/security/PSS/patches/metadata-envoy-deployment.yaml
index ff0370c0f5..717bd851c1 100644
--- a/contrib/security/PSS/patches/metadata-envoy-deployment.yaml
+++ b/contrib/security/PSS/patches/metadata-envoy-deployment.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: metadata-envoy-deployment
+ namespace: kubeflow
 spec:
 template:
 spec:
diff --git a/contrib/security/PSS/patches/metadata-grpc-deployment.yaml b/contrib/security/PSS/patches/metadata-grpc-deployment.yaml
index 778f849a08..af6971827b 100644
--- a/contrib/security/PSS/patches/metadata-grpc-deployment.yaml
+++ b/contrib/security/PSS/patches/metadata-grpc-deployment.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: metadata-grpc-deployment
+ namespace: kubeflow
 spec:
 template:
 spec:
diff --git a/contrib/security/PSS/patches/metadata-writer.yaml b/contrib/security/PSS/patches/metadata-writer.yaml
index ada39a1bc1..49f10ab0c9 100644
--- a/contrib/security/PSS/patches/metadata-writer.yaml
+++ b/contrib/security/PSS/patches/metadata-writer.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: metadata-writer
+ namespace: kubeflow
 spec:
 template:
 spec:
diff --git a/contrib/security/PSS/patches/minio.yaml b/contrib/security/PSS/patches/minio.yaml
index 0dc2a0e5fb..896233f298 100644
--- a/contrib/security/PSS/patches/minio.yaml
+++ b/contrib/security/PSS/patches/minio.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: minio
+ namespace: kubeflow
 spec:
 template:
 spec:
diff --git a/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml b/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml
index 61aa1f2a69..dfa05641ca 100644
--- a/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml
+++ b/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: ml-pipeline-persistenceagent
+ namespace: kubeflow
 spec:
 template:
 spec:
diff --git a/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml b/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml
index 72e8773638..bf9fc18e33 100644
--- a/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml
+++ b/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: ml-pipeline-scheduledworkflow
+ namespace: kubeflow
 spec:
 template:
 spec:
diff --git a/contrib/security/PSS/patches/ml-pipeline-ui.yaml b/contrib/security/PSS/patches/ml-pipeline-ui.yaml
index c3ce8228d5..b5c35fcb42 100644
--- a/contrib/security/PSS/patches/ml-pipeline-ui.yaml
+++ b/contrib/security/PSS/patches/ml-pipeline-ui.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: ml-pipeline-ui
+ namespace: kubeflow
 spec:
 template:
 spec:
diff --git a/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml b/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml
index cf52aef9e7..a52470533b 100644
--- a/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml
+++ b/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: ml-pipeline-viewer-crd
+ namespace: kubeflow
 spec:
 template:
 spec:
diff --git a/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml b/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml
index 1673b60c66..a2bc3450ba 100644
--- a/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml
+++ b/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: ml-pipeline-visualizationserver
+ namespace: kubeflow
 spec:
 template:
 spec:
diff --git a/contrib/security/PSS/patches/ml-pipeline.yaml b/contrib/security/PSS/patches/ml-pipeline.yaml
index 67fc9a41f8..097ad1b8f2 100644
--- a/contrib/security/PSS/patches/ml-pipeline.yaml
+++ b/contrib/security/PSS/patches/ml-pipeline.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: ml-pipeline
+ namespace: kubeflow
 spec:
 template:
 spec:
diff --git a/contrib/security/PSS/patches/mysql.yaml b/contrib/security/PSS/patches/mysql.yaml
index 257264d6a3..b2663f5b55 100644
--- a/contrib/security/PSS/patches/mysql.yaml
+++ b/contrib/security/PSS/patches/mysql.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: mysql
+ namespace: kubeflow
 spec:
 template:
 spec:
diff --git a/contrib/security/PSS/patches/oauth2-proxy.yaml b/contrib/security/PSS/patches/oauth2-proxy.yaml
index 007e4d8bdc..4fc94e93af 100644
--- a/contrib/security/PSS/patches/oauth2-proxy.yaml
+++ b/contrib/security/PSS/patches/oauth2-proxy.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: oauth2-proxy
+ namespace: oauth2-proxy
 spec:
 replicas: 2
 template:
diff --git a/tests/gh-actions/wait_for_kubeflow_m2m_oidc_configurator.sh b/tests/gh-actions/wait_for_kubeflow_m2m_oidc_configurator.sh
index 726ae62fca..2968885a72 100755
--- a/tests/gh-actions/wait_for_kubeflow_m2m_oidc_configurator.sh
+++ b/tests/gh-actions/wait_for_kubeflow_m2m_oidc_configurator.sh
@@ -2,6 +2,8 @@ CRONJOB_NAME=kubeflow-m2m-oidc-configurator
 NAMESPACE=istio-system
+RETRY_INTERVAL=5 # Each loop iterates after 'RETRY_INTERVAL' seconds
+MAX_RETRIES=20 # Each loop iterates for a total number of 'MAX_RETRIES'
 # Function to get the latest Job created by the CronJob
 get_latest_job() {
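Review bot: The comment on `MAX_RETRIES=20` in wait_for_kubeflow_m2m_oidc_configurator.sh does not state the bound that actually matters: polling gives up after MAX_RETRIES * RETRY_INTERVAL = 100 s, and that budget only works if it exceeds the CronJob's schedule interval, which this script does not show. Suggest `RETRY_INTERVAL=5 # seconds between polls` and `MAX_RETRIES=20 # give up after MAX_RETRIES * RETRY_INTERVAL seconds (100 s); must exceed the CronJob schedule interval`. Declaring both with `readonly` would also make clear they are constants rather than state the loops update.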
@@ -13,19 +15,23 @@ get_latest_job() {
 
 # Wait until a Job is created
 echo "Waiting for a Job to be created by the ${CRONJOB_NAME} CronJob..."
-while true; do
+for ((i=1; i<=MAX_RETRIES; i++)); do
 JOB_NAME=$(get_latest_job)
 if [[ -n "${JOB_NAME}" ]]; then
 echo "Job ${JOB_NAME} created."
 break
 fi
- sleep 5
+ if [[ $i -eq $MAX_RETRIES ]]; then
+ echo "Job creation timed out."
+ exit 1
+ fi
+ sleep "${RETRY_INTERVAL}"
 echo "Waiting..."
 done
 
 # Wait for the Job to complete successfully
 echo "Waiting for the Job ${JOB_NAME} to complete..."
-while true; do
+for ((i=1; i<=MAX_RETRIES; i++)); do
 STATUS=$(kubectl get job "${JOB_NAME}" -n "${NAMESPACE}" -o jsonpath='{.status.conditions[?(@.type=="Complete")].status}')
 if [[ "${STATUS}" == "True" ]]; then
 echo "Job ${JOB_NAME} completed successfully."
@@ -37,5 +43,9 @@ while true; do
 echo "Job ${JOB_NAME} failed."
 exit 1
 fi
- sleep 5
+ if [[ $i -eq $MAX_RETRIES ]]; then
+ echo "Job completion timed out."
+ exit 1
+ fi
+ sleep "${RETRY_INTERVAL}"
 done
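Review bot: The timeout test `if [[ $i -eq $MAX_RETRIES ]]` added inside the first for loop duplicates the loop bound; when the loop runs to exhaustion without hitting `break`, `JOB_NAME` is still empty, so the four added lines can be replaced by one check after `done`: `[[ -n "${JOB_NAME}" ]] || { echo "Job creation timed out."; exit 1; }`. The second loop (the hunk at `@@ -37,5`) repeats the same pattern; its success branch lies outside the hunk, so whether a post-loop check can replace it depends on whether that branch breaks or exits. If the in-loop form is kept, `(( i == MAX_RETRIES ))` is the idiomatic integer comparison, and the failure messages belong on stderr (`>&2`) so a caller capturing stdout does not mistake them for progress output.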