KFP support for pss restricted#3412
Merged
Merged
Conversation
|
Welcome to the Kubeflow Manifests Repository Thanks for opening your first PR. Your contribution means a lot to the Kubeflow community. Before making more PRs: Community Resources:
Thanks again for helping to improve Kubeflow. |
Co-authored-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com> Agent-Logs-Url: https://github.com/kubeflow/manifests/sessions/ec493960-d5dc-4015-846d-ca2df854ae97
Copilot
AI
changed the title
[WIP] Move baseline to common/security/PSS and update links
Relocate PSS component to Mar 20, 2026
common/security/PSS and switch enforce level to restricted
Closed
Co-authored-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com> Agent-Logs-Url: https://github.com/kubeflow/manifests/sessions/873cf29a-e8a3-4ad3-869e-a59e0ac84d35
…tests Co-authored-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com> Agent-Logs-Url: https://github.com/kubeflow/manifests/sessions/873cf29a-e8a3-4ad3-869e-a59e0ac84d35
Copilot
AI
changed the title
Relocate PSS component to
Relocate PSS component, enforce restricted labels, and harden KFP pipeline run security context
Mar 20, 2026
common/security/PSS and switch enforce level to restrictedSigned-off-by: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>
Co-authored-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com> Agent-Logs-Url: https://github.com/kubeflow/manifests/sessions/30efad41-d755-43af-ac19-ec9a3ac32e8e
Copilot
AI
changed the title
Enforce overlay-only Pipelines patching; remove illegal nested/upstream patch wiring
Use typed Kubernetes security context in KFP v1 pipeline test
Mar 20, 2026
Co-authored-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com> Agent-Logs-Url: https://github.com/kubeflow/manifests/sessions/50248baf-9c6a-40e7-b52e-218c12f29b86
Copilot
AI
changed the title
Use typed Kubernetes security context in KFP v1 pipeline test
Align KFP v1 security context usage with SDK contract; simplify KFP v2 task security application
Mar 20, 2026
Co-authored-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com> Agent-Logs-Url: https://github.com/kubeflow/manifests/sessions/d7963646-53e4-4e44-ba7e-f7ae8db7ea57
Copilot
AI
changed the title
Align KFP v1 security context usage with SDK contract; simplify KFP v2 task security application
Simplify KFP v2 task security wiring and fix KFP v1 compile-time security context application
Mar 20, 2026
Updated security context values to empty strings. Signed-off-by: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>
Updated defaultSecurityContextRunAsNonRoot to an empty value with a TODO comment for future improvement. Signed-off-by: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>
Member
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: juliusvonkohout The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Member
|
/lgtm |
Member
|
Force merging since the trainer test is broken |
Member
|
@juliusvonkohout, This PyTorchJob https://github.com/kubeflow/manifests/blob/master/tests/training_operator_job.yaml used by test also need to be PSS restricted compliant, because the container in this PyTorchJob are getting blocked by the PSS. harshvir@msi:~/manifests$ k describe pytorchjobs.kubeflow.org -n kubeflow-user-example-com pytorch-simple
Name: pytorch-simple
Namespace: kubeflow-user-example-com
Labels: <none>
Annotations: <none>
API Version: kubeflow.org/v1
Kind: PyTorchJob
Metadata:
Creation Timestamp: 2026-03-20T21:48:10Z
Generation: 1
Resource Version: 13694
UID: 0ae7462d-c48d-47cd-96d0-b4ee3785e44a
Spec:
Pytorch Replica Specs:
Master:
Replicas: 1
Restart Policy: OnFailure
Template:
Metadata:
Labels:
sidecar.istio.io/inject: false
Spec:
Containers:
Command:
python3
/opt/pytorch-mnist/mnist.py
--epochs=1
--no-cuda
--batch-size=32
--log-interval=50
--lr=0.01
--test-batch-size=1000
Env:
Name: PYTHONUNBUFFERED
Value: 1
Name: OMP_NUM_THREADS
Value: 1
Name: CUDA_VISIBLE_DEVICES
Value:
Name: MALLOC_TRIM_THRESHOLD_
Value: 0
Name: MALLOC_MMAP_MAX_
Value: 0
Image: docker.io/kubeflowkatib/pytorch-mnist:v1beta1-45c5727
Image Pull Policy: Always
Name: pytorch
Resources:
Limits:
Cpu: 4000m
Memory: 1Gi
Requests:
Cpu: 300m
Memory: 512Mi
Worker:
Replicas: 1
Restart Policy: OnFailure
Template:
Metadata:
Labels:
sidecar.istio.io/inject: false
Spec:
Containers:
Command:
python3
/opt/pytorch-mnist/mnist.py
--epochs=1
--no-cuda
--batch-size=32
--log-interval=50
--lr=0.01
--test-batch-size=1000
Env:
Name: PYTHONUNBUFFERED
Value: 1
Name: OMP_NUM_THREADS
Value: 1
Name: CUDA_VISIBLE_DEVICES
Value:
Name: MALLOC_TRIM_THRESHOLD_
Value: 0
Name: MALLOC_MMAP_MAX_
Value: 0
Image: docker.io/kubeflowkatib/pytorch-mnist:v1beta1-45c5727
Image Pull Policy: Always
Name: pytorch
Resources:
Limits:
Cpu: 4000m
Memory: 1Gi
Requests:
Cpu: 300m
Memory: 512Mi
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning FailedCreatePod 6m9s (x3 over 6m50s) pytorchjob-controller Error creating: pods "pytorch-simple-worker-0" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "init-pytorch", "pytorch" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "init-pytorch", "pytorch" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "init-pytorch", "pytorch" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "init-pytorch", "pytorch" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Warning FailedCreatePod 82s (x14 over 6m50s) pytorchjob-controller Error creating: pods "pytorch-simple-master-0" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "pytorch" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "pytorch" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "pytorch" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "pytorch" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost") |
Member
|
And i think, we might also need to make |
Member
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
KFP v1 and v2 restricted support and test