Test PSS baseline/restricted for Notebooks, Katib and Kserve #186
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build & Apply Notebook Controller manifests in KinD | |
| on: | |
| pull_request: | |
| paths: | |
| - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh | |
| - .github/workflows/notebook_controller_test.yaml | |
| - apps/jupyter/notebook-controller/upstream/** | |
| - tests/gh-actions/install_istio.sh | |
| - common/istio*/** | |
| - contrib/security/PSS/** | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Install KinD, Create KinD cluster and Install kustomize | |
| run: ./tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh | |
| - name: Install Istio | |
| run: ./tests/gh-actions/install_istio.sh | |
| - name: Build & Apply manifests | |
| run: | | |
| cd apps/jupyter/notebook-controller/upstream | |
| kubectl create ns kubeflow | |
| kustomize build overlays/kubeflow | kubectl apply -f - | |
| kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout 180s | |
| - name: Apply Pod Security Standards baseline levels | |
| run: ./tests/gh-actions/enable_baseline_PSS.sh | |
| - name: Unapply applied baseline labels | |
| run: | | |
| NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow") | |
| for NAMESPACE in "${NAMESPACES[@]}"; do | |
| if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then | |
| kubectl label namespace $NAMESPACE pod-security.kubernetes.io/enforce- | |
| fi | |
| done | |
| - name: Applying Pod Security Standards restricted levels | |
| run: ./tests/gh-actions/enable_restricted_PSS.sh |