
chore: Add securitycontext for PSS PoC (rootless Kubeflow) #11462

Open: wants to merge 4 commits into base: master

@juliusvonkohout (Member) commented Dec 12, 2024

Description of your changes:

Upstream what we have in https://github.com/kubeflow/manifests/tree/master/contrib/security/PSS to make PSS enforceable and enjoy a rootless Kubeflow kubeflow/manifests#2528


[APPROVALNOTIFIER] This PR is NOT APPROVED

Once this PR has been reviewed and has the lgtm label, please assign gkcalat for approval. For more information see the Kubernetes Code Review Process.


@juliusvonkohout marked this pull request as draft December 12, 2024 16:52
@juliusvonkohout changed the title from "chore: Update ml-pipeline-persistenceagent-deployment.yaml with securitycontext for PSS" to "chore: Add securitycontext for PSS PoC" Dec 12, 2024
@juliusvonkohout changed the title from "chore: Add securitycontext for PSS PoC" to "chore: Add securitycontext for PSS PoC (rootless Kubeflow)" Dec 12, 2024
@google-oss-prow bot added size/M and removed size/S labels Dec 15, 2024
@biswassri force-pushed the patch-26 branch 2 times, most recently from 580147a to df2c7fc Compare December 15, 2024 07:50
@juliusvonkohout (Member, Author) commented Dec 16, 2024

@biswassri

Thank you.

It is essential that you sign your commits, or you will break the DCO test and we cannot merge:
https://github.com/kubeflow/pipelines/pull/11462/checks?check_run_id=34430161221

Remaining patches for pipelines from https://github.com/kubeflow/manifests/tree/master/contrib/security/PSS/patches:

  • minio
  • metadata-*
  • mysql
  • metacontroller
  • workflow-controller

Approvals successfully granted for pending runs.

@juliusvonkohout force-pushed the patch-26 branch 3 times, most recently from 9b15e90 to cdb5c46 Compare December 16, 2024 14:51
@google-oss-prow bot added size/L and removed size/M labels Dec 17, 2024
@biswassri

@juliusvonkohout I think I got most of the patches in. Please let me know if I got something wrong. Also, I wasn't sure where to update the metacontroller patch; I wasn't sure about which file.

@juliusvonkohout (Member, Author) commented Dec 17, 2024

@biswassri please check out https://github.com/juliusvonkohout/pipelines/blob/patch-26/manifests/kustomize/third-party/metacontroller/base/stateful-set.yaml. We should also update it to the latest release in a separate PR https://github.com/metacontroller/metacontroller/releases/tag/v4.11.21. So please modify in a separate PR https://github.com/juliusvonkohout/pipelines/blob/5587d9acc25dd96b596a491af3f38f7c3f885469/manifests/kustomize/third-party/metacontroller/base/stateful-set.yaml#L42 from docker.io/metacontrollerio/metacontroller:v2.0.4 to ghcr.io/metacontroller/metacontroller:v4.11.21

@juliusvonkohout marked this pull request as ready for review December 17, 2024 11:38

@juliusvonkohout (Member, Author)

/ok-to-test
/retest

@juliusvonkohout (Member, Author)

@rimolive @HumairAK we need to update metacontroller since dockerhub will be removed in the future according to https://github.com/metacontroller/metacontroller/releases/tag/v4.11.21

juliusvonkohout and others added 3 commits December 19, 2024 01:45
Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com>

Update ml-pipeline-persistenceagent-deployment.yaml

Upstreaming off pss patches

Signed-off-by: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>
Signed-off-by: biswassri <58236793+biswassri@users.noreply.github.com>
Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com>
Signed-off-by: biswassri <srijoni.biswas1994@gmail.com>
Signed-off-by: biswassri <srijoni.biswas1994@gmail.com>
@biswassri commented Dec 19, 2024

@juliusvonkohout I updated the metacontroller security patch as well. Created a separate PR for the image update. #11474

@hbelmiro (Contributor)

/ok-to-test

Approvals successfully granted for pending runs.
