diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index 86c89fde2b..8e313638cc 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -11,7 +11,7 @@ on: - common/cert-manager/** - common/oauth2-proxy/** - common/istio*/** - - tests/gh-actions/install_istio_with_ext_auth.sh + - tests/gh-actions/install_istio-cni.sh - tests/gh-actions/install_multitenancy.sh jobs: @@ -27,12 +27,25 @@ jobs: - name: Install kubectl run: ./tests/gh-actions/install_kubectl.sh - - name: Install all deployments from static namespaces + - name: Install all istio-cni resources and kubeflow namespace run: | kustomize build common/kubeflow-namespace/base | kubectl apply -f - ./tests/gh-actions/install_cert_manager.sh - ./tests/gh-actions/install_istio_with_ext_auth.sh - kustomize build common/istio-1-22/kubeflow-istio-resources/base | kubectl apply -f - + ./tests/gh-actions/install_istio-cni.sh + kustomize build common/istio-cni-1-22/kubeflow-istio-resources/base | kubectl apply -f - + + - name: Configure istio init container with seccompProfile attribute + run: | + kubectl get cm istio-sidecar-injector -n istio-system -o yaml > temporary_patch.yaml + sed -i '0,/runAsNonRoot: true/{s//&\n seccompProfile:\n type: RuntimeDefault/}' temporary_patch.yaml + sed -i '/runAsNonRoot: true/{N; /runAsUser: {{ .ProxyUID | default "1337" }}/a\ + seccompProfile:\n type: RuntimeDefault + }' temporary_patch.yaml + kubectl apply -f temporary_patch.yaml + rm temporary_patch.yaml + + - name: Install all other deployments of static namespaces + run: | ./tests/gh-actions/install_multi_tenancy.sh kustomize build ./common/oauth2-proxy/overlays/m2m-self-signed | kubectl apply -f - echo "Waiting for all oauth2-proxy pods to become ready..." @@ -44,33 +57,6 @@ jobs: - name: Install KF Pipelines run: ./tests/gh-actions/install_pipelines.sh - - name: Apply Pod Security Standards baseline levels for static namespaces - run: ./tests/gh-actions/enable_baseline_PSS.sh - - - name: Apply Pod Security Standards baseline levels for dynamic namespaces - run: | - cat << EOF > ./kustomization.yaml - apiVersion: kustomize.config.k8s.io/v1beta1 - kind: Kustomization - resources: - - apps/profiles/upstream/overlays/kubeflow - components: - - contrib/security/PSS/dynamic/baseline - EOF - kubectl apply -k . - rm ./kustomization.yaml - kubectl -n kubeflow wait --for=condition=Ready pods -l kustomize.component=profiles --timeout 180s - - - name: Unapply applied baseline values - run: | - NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow") - for NAMESPACE in "${NAMESPACES[@]}"; do - if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then - kubectl label namespace $NAMESPACE pod-security.kubernetes.io/enforce- - fi - done - sleep 10 - - name: Apply patches to clear warnings run: | DIRECTORY="contrib/security/PSS/patches" @@ -87,6 +73,19 @@ jobs: kubectl patch "$KIND" "$NAME" -n "$NAMESPACE" --patch-file "$file" fi done + sleep 300 + + - name: Apply Pod Security Standards baseline levels for static namespaces + run: ./tests/gh-actions/enable_baseline_PSS.sh + + - name: Unapply applied baseline labels + run: | + NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow") + for NAMESPACE in "${NAMESPACES[@]}"; do + if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then + kubectl label namespace $NAMESPACE pod-security.kubernetes.io/enforce- + fi + done - name: Applying Pod Security Standards restricted levels for static namespaces run: ./tests/gh-actions/enable_restricted_PSS.sh diff --git a/contrib/security/PSS/patches/cache-server.yaml b/contrib/security/PSS/patches/cache-server.yaml index 51c1123020..f8fc2b5202 100644 --- a/contrib/security/PSS/patches/cache-server.yaml +++ b/contrib/security/PSS/patches/cache-server.yaml @@ -13,6 +13,8 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 0 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/kfam.yaml b/contrib/security/PSS/patches/kfam.yaml index 0445d53764..1ad3d2430e 100644 --- a/contrib/security/PSS/patches/kfam.yaml +++ b/contrib/security/PSS/patches/kfam.yaml @@ -13,6 +13,8 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 0 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml b/contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml index 342ca70f6e..de95a8a26d 100644 --- a/contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml +++ b/contrib/security/PSS/patches/kubeflow-pipelines-profile-controller.yaml @@ -13,6 +13,8 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 0 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/manager.yaml b/contrib/security/PSS/patches/manager.yaml index b4080721fa..deece6802f 100644 --- a/contrib/security/PSS/patches/manager.yaml +++ b/contrib/security/PSS/patches/manager.yaml @@ -13,6 +13,8 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 0 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/metacontroller.yaml b/contrib/security/PSS/patches/metacontroller.yaml new file mode 100644 index 0000000000..0ca5d77781 --- /dev/null +++ b/contrib/security/PSS/patches/metacontroller.yaml @@ -0,0 +1,13 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: metacontroller + namespace: kubeflow +spec: + template: + spec: + containers: + - name: metacontroller + securityContext: + seccompProfile: + type: RuntimeDefault diff --git a/contrib/security/PSS/patches/metadata-envoy-deployment.yaml b/contrib/security/PSS/patches/metadata-envoy-deployment.yaml index 717bd851c1..d540ba98e9 100644 --- a/contrib/security/PSS/patches/metadata-envoy-deployment.yaml +++ b/contrib/security/PSS/patches/metadata-envoy-deployment.yaml @@ -13,6 +13,8 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 0 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/metadata-grpc-deployment.yaml b/contrib/security/PSS/patches/metadata-grpc-deployment.yaml index af6971827b..2392bc0f7d 100644 --- a/contrib/security/PSS/patches/metadata-grpc-deployment.yaml +++ b/contrib/security/PSS/patches/metadata-grpc-deployment.yaml @@ -13,6 +13,8 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 0 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/metadata-writer.yaml b/contrib/security/PSS/patches/metadata-writer.yaml index 49f10ab0c9..6e597e667d 100644 --- a/contrib/security/PSS/patches/metadata-writer.yaml +++ b/contrib/security/PSS/patches/metadata-writer.yaml @@ -13,6 +13,8 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 0 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/minio.yaml b/contrib/security/PSS/patches/minio.yaml index 896233f298..35ce8d5baa 100644 --- a/contrib/security/PSS/patches/minio.yaml +++ b/contrib/security/PSS/patches/minio.yaml @@ -13,6 +13,8 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 0 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml b/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml index dfa05641ca..4a0f57f23c 100644 --- a/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml +++ b/contrib/security/PSS/patches/ml-pipeline-persistenceagent.yaml @@ -13,6 +13,8 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 0 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml b/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml index bf9fc18e33..46e27a7d51 100644 --- a/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml +++ b/contrib/security/PSS/patches/ml-pipeline-scheduledworkflow.yaml @@ -13,6 +13,8 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 0 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/ml-pipeline-ui.yaml b/contrib/security/PSS/patches/ml-pipeline-ui.yaml index b5c35fcb42..9d86557c35 100644 --- a/contrib/security/PSS/patches/ml-pipeline-ui.yaml +++ b/contrib/security/PSS/patches/ml-pipeline-ui.yaml @@ -13,6 +13,8 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 0 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml b/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml index a52470533b..f099a17f26 100644 --- a/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml +++ b/contrib/security/PSS/patches/ml-pipeline-viewer-crd.yaml @@ -13,6 +13,8 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 0 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml b/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml index a2bc3450ba..8b1233944e 100644 --- a/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml +++ b/contrib/security/PSS/patches/ml-pipeline-visualizationserver.yaml @@ -13,6 +13,8 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 0 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/ml-pipeline.yaml b/contrib/security/PSS/patches/ml-pipeline.yaml index 097ad1b8f2..8ab9e66284 100644 --- a/contrib/security/PSS/patches/ml-pipeline.yaml +++ b/contrib/security/PSS/patches/ml-pipeline.yaml @@ -13,6 +13,8 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 0 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/mysql.yaml b/contrib/security/PSS/patches/mysql.yaml index b2663f5b55..0464b89fb2 100644 --- a/contrib/security/PSS/patches/mysql.yaml +++ b/contrib/security/PSS/patches/mysql.yaml @@ -13,6 +13,8 @@ spec: seccompProfile: type: RuntimeDefault runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 0 capabilities: drop: - ALL diff --git a/contrib/security/PSS/patches/oauth2-proxy.yaml b/contrib/security/PSS/patches/oauth2-proxy.yaml index 4fc94e93af..7f9afacf64 100644 --- a/contrib/security/PSS/patches/oauth2-proxy.yaml +++ b/contrib/security/PSS/patches/oauth2-proxy.yaml @@ -4,7 +4,6 @@ metadata: name: oauth2-proxy namespace: oauth2-proxy spec: - replicas: 2 template: spec: containers: diff --git a/contrib/security/PSS/patches/workflow-controller.yaml b/contrib/security/PSS/patches/workflow-controller.yaml new file mode 100644 index 0000000000..5932fa9d1b --- /dev/null +++ b/contrib/security/PSS/patches/workflow-controller.yaml @@ -0,0 +1,14 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: workflow-controller + namespace: kubeflow +spec: + template: + spec: + containers: + - name: workflow-controller + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true diff --git a/tests/gh-actions/install_istio-cni.sh b/tests/gh-actions/install_istio-cni.sh index 6c6925ffb4..93d4b32b11 100755 --- a/tests/gh-actions/install_istio-cni.sh +++ b/tests/gh-actions/install_istio-cni.sh @@ -4,4 +4,7 @@ echo "Installing Istio-cni ..." cd common/istio-cni-1-22 kustomize build istio-crds/base | kubectl apply -f - kustomize build istio-namespace/base | kubectl apply -f - -kustomize build istio-install/base | kubectl apply -f - \ No newline at end of file +kustomize build istio-install/base | kubectl apply -f - + +echo "Waiting for all Istio Pods to become ready..." +kubectl wait --for=condition=Ready pods --all -n istio-system --timeout 300s