From bd67e60661a8ed879422c48029636ee6e29863a1 Mon Sep 17 00:00:00 2001 From: Harshvir Potpose Date: Wed, 4 Jun 2025 00:09:15 +0530 Subject: [PATCH 1/5] move pss baseline patch to /apps/profiles Signed-off-by: Harshvir Potpose --- .../baseline => apps/profiles/pss}/kustomization.yaml | 2 +- .../baseline => apps/profiles/pss}/namespace-labels.yaml | 6 ++---- 2 files changed, 3 insertions(+), 5 deletions(-) rename {experimental/security/PSS/dynamic/baseline => apps/profiles/pss}/kustomization.yaml (79%) rename {experimental/security/PSS/dynamic/baseline => apps/profiles/pss}/namespace-labels.yaml (67%) diff --git a/experimental/security/PSS/dynamic/baseline/kustomization.yaml b/apps/profiles/pss/kustomization.yaml similarity index 79% rename from experimental/security/PSS/dynamic/baseline/kustomization.yaml rename to apps/profiles/pss/kustomization.yaml index c4833c05e1..fa99b3dff5 100644 --- a/experimental/security/PSS/dynamic/baseline/kustomization.yaml +++ b/apps/profiles/pss/kustomization.yaml @@ -3,7 +3,7 @@ kind: Kustomization namespace: kubeflow resources: -- ../../../../../apps/profiles/upstream/overlays/kubeflow +- ../upstream/overlays/kubeflow configMapGenerator: - name: namespace-labels-data diff --git a/experimental/security/PSS/dynamic/baseline/namespace-labels.yaml b/apps/profiles/pss/namespace-labels.yaml similarity index 67% rename from experimental/security/PSS/dynamic/baseline/namespace-labels.yaml rename to apps/profiles/pss/namespace-labels.yaml index 08f6690272..4cdcf3e85e 100644 --- a/experimental/security/PSS/dynamic/baseline/namespace-labels.yaml +++ b/apps/profiles/pss/namespace-labels.yaml 
@@ -1,7 +1,5 @@ -# This file is a duplicate of apps/profiles/upstream/base/namespace-labels.yaml -# as using only the required label to merge it with the existing config map of profiles -# deployment to enable PSS for profile namespaces, leads to creation of a new config map -# with just the PSS label and replaces the pre-exisiting labels in the deployed config map. +# PSS (Pod Security Standards) overlay for Kubeflow profiles +# This file extends the base namespace-labels.yaml with PSS baseline label # Below is a list of labels to be set by default. # # To add a namespace label, use `key: 'value'`, for example: From 133e4705b3679e3479a75c6295baddcdf9cc6ff6 Mon Sep 17 00:00:00 2001 From: Harshvir Potpose Date: Wed, 4 Jun 2025 00:56:36 +0530 Subject: [PATCH 2/5] revert comments Signed-off-by: Harshvir Potpose --- apps/profiles/pss/namespace-labels.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/apps/profiles/pss/namespace-labels.yaml b/apps/profiles/pss/namespace-labels.yaml index 4cdcf3e85e..08f6690272 100644 --- a/apps/profiles/pss/namespace-labels.yaml +++ b/apps/profiles/pss/namespace-labels.yaml @@ -1,5 +1,7 @@ -# PSS (Pod Security Standards) overlay for Kubeflow profiles -# This file extends the base namespace-labels.yaml with PSS baseline label +# This file is a duplicate of apps/profiles/upstream/base/namespace-labels.yaml +# as using only the required label to merge it with the existing config map of profiles +# deployment to enable PSS for profile namespaces, leads to creation of a new config map +# with just the PSS label and replaces the pre-exisiting labels in the deployed config map. # Below is a list of labels to be set by default. # # To add a namespace label, use `key: 'value'`, for example: From 955b6e32d05ff81d480d919b334a0193d03cfeff Mon Sep 17 00:00:00 2001 From: Harshvir Potpose Date: Wed, 4 Jun 2025 00:57:13 +0530 Subject: [PATCH 3/5] update multi_tenancy_install.sh script 
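Review bot: The header comment restored by patch 2/5 in apps/profiles/pss/namespace-labels.yaml explains why the file duplicates apps/profiles/upstream/base/namespace-labels.yaml, but it does not tell maintainers to keep the copy in sync. By the comment's own account the generated config map replaces the deployed one, so a label added upstream later would presumably be missing from profile namespaces without any build error. I would add a line such as `# Keep in sync with the upstream base file on every upstream update; the PSS label should be the only difference.` The last clause of that line is inferred, since the label entries lie outside the hunk. The comment also spells "pre-existing" as `pre-exisiting`.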
Signed-off-by: Harshvir Potpose --- tests/multi_tenancy_install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/multi_tenancy_install.sh b/tests/multi_tenancy_install.sh index 75ec801ba9..136b0786c3 100755 --- a/tests/multi_tenancy_install.sh +++ b/tests/multi_tenancy_install.sh @@ -3,7 +3,7 @@ set -euo pipefail echo "Installing Profiles Controller" kustomize build apps/profiles/upstream/overlays/kubeflow | kubectl apply -f - -kustomize build experimental/security/PSS/dynamic/baseline | kubectl apply -f - +kustomize build apps/profiles/pss | kubectl apply -f - kubectl -n kubeflow wait --for=condition=Ready pods -l kustomize.component=profiles --timeout 180s echo "Installing Multitenancy Kubeflow Roles" From 8906ee7da6b86b206a81f2fdab3c850e86204bdc Mon Sep 17 00:00:00 2001 From: Harshvir Potpose Date: Wed, 4 Jun 2025 00:58:02 +0530 Subject: [PATCH 4/5] add pss baseline to /example/experimental Signed-off-by: Harshvir Potpose --- example/kustomization.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/example/kustomization.yaml b/example/kustomization.yaml index 54cb199751..0b8b8ed8fc 100644 --- a/example/kustomization.yaml +++ b/example/kustomization.yaml @@ -80,6 +80,8 @@ resources: - ../apps/jupyter/notebook-controller/upstream/overlays/kubeflow # Profiles + KFAM - ../apps/profiles/upstream/overlays/kubeflow +# PSS Baseline for Profiles +- ../apps/profiles/pss # PVC Viewer - ../apps/pvcviewer-controller/upstream/base # Volumes Web App From 25ae2b2101a008d7045d2d58bbbed5c31a4b5317 Mon Sep 17 00:00:00 2001 From: Harshvir Potpose Date: Wed, 4 Jun 2025 01:03:00 +0530 Subject: [PATCH 5/5] fix Signed-off-by: Harshvir Potpose --- example/kustomization.yaml | 4 +--- tests/multi_tenancy_install.sh | 3 +-- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/example/kustomization.yaml b/example/kustomization.yaml index 0b8b8ed8fc..ee45dc46ea 100644 --- a/example/kustomization.yaml +++ b/example/kustomization.yaml 
@@ -78,9 +78,7 @@ resources: - ../apps/jupyter/jupyter-web-app/upstream/overlays/istio # Notebook Controller - ../apps/jupyter/notebook-controller/upstream/overlays/kubeflow -# Profiles + KFAM -- ../apps/profiles/upstream/overlays/kubeflow -# PSS Baseline for Profiles +# Profiles + KFAM with PSS (Pod Security Standards) - ../apps/profiles/pss # PVC Viewer - ../apps/pvcviewer-controller/upstream/base diff --git a/tests/multi_tenancy_install.sh b/tests/multi_tenancy_install.sh index 136b0786c3..8011dd6ddc 100755 --- a/tests/multi_tenancy_install.sh +++ b/tests/multi_tenancy_install.sh @@ -1,8 +1,7 @@ #!/bin/bash set -euo pipefail -echo "Installing Profiles Controller" -kustomize build apps/profiles/upstream/overlays/kubeflow | kubectl apply -f - +echo "Installing Profiles Controller with PSS (Pod Security Standards)" kustomize build apps/profiles/pss | kubectl apply -f - kubectl -n kubeflow wait --for=condition=Ready pods -l kustomize.component=profiles --timeout 180s
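Review bot: The new comment `# Profiles + KFAM with PSS (Pod Security Standards)` in example/kustomization.yaml names neither the level applied nor a way to opt out, although this hunk makes the PSS overlay the only profiles entry in the example install. Going by the series title the level is baseline, so workloads in profile namespaces that need more than baseline allows would presumably be rejected after this change. I would word the comment as `# Profiles + KFAM with PSS (Pod Security Standards) baseline labels on profile namespaces;` followed by `# use ../apps/profiles/upstream/overlays/kubeflow instead to install without them`. The resources list continues outside the hunk.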
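Review bot: Nothing in this hunk of tests/multi_tenancy_install.sh verifies that the PSS overlay took effect. After `kustomize build apps/profiles/pss | kubectl apply -f -` the script only waits for the profiles pods to become Ready, which would also succeed if the generated config map had lost the PSS label. A check that a profile namespace created by the test carries the label would make the test fail closed, for example `kubectl get namespace <profile-namespace> --show-labels | grep pod-security.kubernetes.io/enforce`. `<profile-namespace>` is a placeholder and the exact label key should be taken from apps/profiles/pss/namespace-labels.yaml. The rest of the script is outside the hunk, so such a check may already exist further down.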