-
Notifications
You must be signed in to change notification settings - Fork 882
100 lines (81 loc) · 3.61 KB
/
pss_test.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
name: Apply PSS labels to namespaces
on:
pull_request:
paths:
- tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh
- .github/workflows/*
- tests/gh-actions/kind-cluster.yaml
- apps/profiles/upstream/**
- apps/pipeline/upstream/**
- common/dex/**
- common/cert-manager/**
- common/oauth2-proxy/**
- common/istio*/**
- tests/gh-actions/install_istio-cni.sh
- tests/gh-actions/install_multitenancy.sh
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install KinD, Create KinD cluster and Install kustomize
run: ./tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh
- name: Install kubectl
run: ./tests/gh-actions/install_kubectl.sh
- name: Install cert-manager
run: ./tests/gh-actions/install_cert_manager.sh
- name: Install Istio CNI
run: ./tests/gh-actions/install_istio-cni.sh
- name: Configure istio init container with seccompProfile attribute
run: |
kubectl get cm istio-sidecar-injector -n istio-system -o yaml > temporary_patch.yaml
sed -i '0,/runAsNonRoot: true/{s//&\n seccompProfile:\n type: RuntimeDefault/}' temporary_patch.yaml
sed -i '/runAsNonRoot: true/{N; /runAsUser: {{ .ProxyUID | default "1337" }}/a\
seccompProfile:\n type: RuntimeDefault
}' temporary_patch.yaml
kubectl apply -f temporary_patch.yaml
rm temporary_patch.yaml
- name: Install oauth2-proxy
run: ./tests/gh-actions/install_oauth2-proxy.sh
- name: Create kubeflow namespace
run: kustomize build common/kubeflow-namespace/base | kubectl apply -f -
- name: Install kubeflow-istio-resources
run: kustomize build common/istio-cni-1-22/kubeflow-istio-resources/base | kubectl apply -f -
- name: Install KF Multi Tenancy
run: ./tests/gh-actions/install_multi_tenancy.sh
- name: Install dex
run: |
echo "Installing Dex..."
kustomize build ./common/dex/overlays/oauth2-proxy | kubectl apply -f -
echo "Waiting for pods in auth namespace to become ready..."
kubectl wait --for=condition=ready pods --all --timeout=180s -n auth
- name: Install KF Pipelines
run: ./tests/gh-actions/install_pipelines.sh
- name: Apply patches to clear warnings
run: |
DIRECTORY="contrib/security/PSS/patches"
for file in "$DIRECTORY"/*.yaml; do
echo "Patching file: $file"
KIND=$(kubectl get -f "$file" -o jsonpath='{.kind}')
NAME=$(kubectl get -f "$file" -o jsonpath='{.metadata.name}')
NAMESPACE=$(kubectl get -f "$file" -o jsonpath='{.metadata.namespace}')
# Apply the patch
kubectl get "$KIND" "$NAME" -n "$NAMESPACE" &> /dev/null
if [ $? -eq 0 ]; then
kubectl patch "$KIND" "$NAME" -n "$NAMESPACE" --patch-file "$file"
fi
done
sleep 300
- name: Apply Pod Security Standards baseline levels for static namespaces
run: ./tests/gh-actions/enable_baseline_PSS.sh
- name: Unapply applied baseline labels
run: |
NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow")
for NAMESPACE in "${NAMESPACES[@]}"; do
if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then
kubectl label namespace $NAMESPACE pod-security.kubernetes.io/enforce-
fi
done
- name: Applying Pod Security Standards restricted levels for static namespaces
run: ./tests/gh-actions/enable_restricted_PSS.sh