Added changes to pss_test.yaml workflow (#2838)

* Added changes to pss_test.yaml workflow Signed-off-by: biswajit-9776 <[email protected]> * Fixed the directory names Signed-off-by: biswajit-9776 <[email protected]> * Fixed typo and added wait commands Signed-off-by: biswajit-9776 <[email protected]> * Fixed typos Signed-off-by: biswajit-9776 <[email protected]> --------- Signed-off-by: biswajit-9776 <[email protected]>
kubeflow · Aug 16, 2024 · fcf861f · fcf861f
1 parent ef73b64
commit fcf861f
Showing 1 changed file with 27 additions and 1 deletion.
diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml
@@ -1,4 +1,4 @@
-name: Appy PSS labels to namespaces
+name: Apply PSS labels to namespaces
 on:
   pull_request:
     paths:
@@ -31,5 +31,31 @@ jobs:
     - name: Install kubectl
       run: ./tests/gh-actions/install_kubectl.sh
 
+    - name: Install all deployments from static namespaces
+      run: |
+        kustomize build common/kubeflow-namespace/base | kubectl apply -f -
+        ./tests/gh-actions/install_cert_manager.sh
+        ./tests/gh-actions/install_istio_with_ext_auth.sh
+        kustomize build common/istio-1-22/kubeflow-istio-resources/base | kubectl apply -f -
+        ./tests/gh-actions/install_multi_tenancy.sh
+        kustomize build ./common/oauth2-proxy/overlays/m2m-self-signed | kubectl apply -f -
+        echo "Waiting for all oauth2-proxy pods to become ready..."
+        kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s -n oauth2-proxy
+        kustomize build ./common/dex/overlays/oauth2-proxy | kubectl apply -f -
+        echo "Waiting for pods in auth namespace to become ready..."
+        kubectl wait --for=condition=Ready pods --all --timeout=180s -n auth
+
     - name: Applying Pod Security Standards baseline levels for static namespaces
       run: ./tests/gh-actions/enable_baseline_PSS.sh
+
+    - name: Unapplying applied baseline values
+      run: |
+        NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow")
+        for NAMESPACE in "${NAMESPACES[@]}"; do
+          if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then
+            kubectl label namespace $NAMESPACE pod-security.kubernetes.io/enforce-
+          fi
+        done
+
+    - name: Applying Pod Security Standards restricted levels for static namespaces
+      run: ./tests/gh-actions/enable_restricted_PSS.sh