test pss in respective tests

Signed-off-by: Harshvir Potpose <[email protected]>

.github/workflows/katib_test.yaml

@@ -8,6 +8,7 @@ on:
     - tests/gh-actions/install_istio.sh
     - tests/gh-actions/install_cert_manager.sh
     - common/cert-manager/**
+    - contrib/security/PSS/*
 
 jobs:
   build:
@@ -53,3 +54,18 @@ jobs:
 
         echo "Waiting for the Experiment to become Succeeded..."
         kubectl wait --for=condition=Succeeded experiments.kubeflow.org -n kubeflow-user --all --timeout 300s
+
+    - name: Apply Pod Security Standards baseline levels
+      run: ./tests/gh-actions/enable_baseline_PSS.sh
+
+    - name: Unapply applied baseline labels
+      run: |
+        NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow")
+        for NAMESPACE in "${NAMESPACES[@]}"; do
+          if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then
+            kubectl label namespace $NAMESPACE pod-security.kubernetes.io/enforce-
+          fi
+        done
+
+    - name: Applying Pod Security Standards restricted levels
+      run: ./tests/gh-actions/enable_restricted_PSS.sh

.github/workflows/kserve_test.yaml

@@ -10,6 +10,7 @@ on:
     - tests/gh-actions/install_knative.sh
     - common/knative/**
     - tests/gh-actions/install_kserve.sh
+    - contrib/security/PSS/**
 
 jobs:
   build:
@@ -60,3 +61,18 @@ jobs:
     - name: Run kserve models webapp test
       run: |
         kubectl wait --for=condition=Available --timeout=300s -n kubeflow deployment/kserve-models-web-app
+
+    - name: Apply Pod Security Standards baseline levels
+      run: ./tests/gh-actions/enable_baseline_PSS.sh
+
+    - name: Unapply applied baseline labels
+      run: |
+        NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow")
+        for NAMESPACE in "${NAMESPACES[@]}"; do
+          if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then
+            kubectl label namespace $NAMESPACE pod-security.kubernetes.io/enforce-
+          fi
+        done
+
+    - name: Applying Pod Security Standards restricted levels
+      run: ./tests/gh-actions/enable_restricted_PSS.sh

.github/workflows/notebook_controller_test.yaml

@@ -7,6 +7,7 @@ on:
     - apps/jupyter/notebook-controller/upstream/**
     - tests/gh-actions/install_istio.sh
     - common/istio*/**
+    - contrib/security/PSS/**
 
 jobs:
   build:
@@ -27,3 +28,18 @@ jobs:
         kubectl create ns kubeflow
         kustomize build overlays/kubeflow | kubectl apply -f -
         kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout 180s
+
+    - name: Apply Pod Security Standards baseline levels
+      run: ./tests/gh-actions/enable_baseline_PSS.sh
+
+    - name: Unapply applied baseline labels
+      run: |
+        NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow")
+        for NAMESPACE in "${NAMESPACES[@]}"; do
+          if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then
+            kubectl label namespace $NAMESPACE pod-security.kubernetes.io/enforce-
+          fi
+        done
+
+    - name: Applying Pod Security Standards restricted levels
+      run: ./tests/gh-actions/enable_restricted_PSS.sh