
Added PSS profile seccompProfile to pods of istio #2787

Merged
merged 6 commits into from
Jul 23, 2024

Conversation

biswajit-9776
Contributor

Pull Request Template for Kubeflow manifests Issues

  • Please include a summary of changes and the related issue.
  • List any dependencies that are required for this change.
  • Please delete the options that are not relevant.
  • The following checklist will help you to satisfy the requirements.

✏️ A brief description of the changes

I added the seccompProfile to istio pods to enable pod-security.kubernetes.io/: restricted labels.

📦 List any dependencies that are required for this change

My PR depends on #

🐛 If this PR is related to an issue, please put the link of the issue here.

The following issues are related, because ...

✅ Unit Test Checklist

  • 🛠️ Make sure you have installed kustomize == 5.2.1+
  • ✍️ Have you written new tests for your core changes, as applicable?
  • 🔄 Have you successfully run existing tests with your changes?
  • 🚀 Have you successfully run existing and new tests with your changes?

✅ Contributor checklist


You can join the CNCF Slack and access our meetings at the Kubeflow Community website. Our channel on the CNCF Slack is here #kubeflow-platform.

@biswajit-9776
Contributor Author

I have tested on cluster for both audit and enforce mode of PSS labels.
Previously the pods were only failing for the enforce=restricted label.
Post the changes in this PR, the pods are successfully created for all modes of PSS.

@juliusvonkohout
Member

Hello, this must be done automatically via istioctl or istio profiles or kustomize overlays/components, not manually.

@biswajit-9776
Contributor Author

Hi, I'm looking for a method of setting seccompProfile during installation like:

istioctl install --set values.global.proxy.seccompProfile.type=RuntimeDefault

I haven't encountered anything like it yet; meanwhile, I would set these changes as kustomize component in our contrib/security directory.

@google-oss-prow google-oss-prow bot added size/S and removed size/XS labels Jul 5, 2024
@juliusvonkohout
Member

juliusvonkohout commented Jul 5, 2024

> Hi, I'm looking for a method of setting seccompProfile during installation like:
>
> istioctl install --set values.global.proxy.seccompProfile.type=RuntimeDefault
>
> I haven't encountered anything like it yet; meanwhile, I would set these changes as kustomize component in our contrib/security directory.

You can add them directly to both istio folders in https://github.com/kubeflow/manifests/blob/master/common/istio-1-22/kubeflow-istio-resources/base/kustomization.yaml as long as this is a static file that is not modified by the synchronization scripts in /hack.

@biswajit-9776
Contributor Author

biswajit-9776 commented Jul 5, 2024

> Hi, I'm looking for a method of setting seccompProfile during installation like:
>
> istioctl install --set values.global.proxy.seccompProfile.type=RuntimeDefault
>
> I haven't encountered anything like it yet; meanwhile, I would set these changes as kustomize component in our contrib/security directory.
>
> You can add them directly to both istio folders in https://github.com/kubeflow/manifests/blob/master/common/istio-1-22/kubeflow-istio-resources/base/kustomization.yaml as long as this is a static file that is not modified by the synchronization scripts in /hack.

So, the two patches should be used in https://github.com/kubeflow/manifests/blob/master/common/istio-1-22/kubeflow-istio-resources/base/kustomization.yaml instead of the example/kustomization.yaml?

@juliusvonkohout
Member

> Should the two patches be used in https://github.com/kubeflow/manifests/blob/master/common/istio-1-22/kubeflow-istio-resources/base/kustomization.yaml instead of the example/kustomization.yaml?

Yes, this is something we can do directly. Please check whether the kustomization.yaml is static.

@biswajit-9776
Contributor Author

biswajit-9776 commented Jul 6, 2024

No, this file isn't modified by any scripts or other files. It's just used in workflows and some tests.
Do you wish for the seccompProfile to be applied to istio only when PSS/static/restricted components are applied or in general?

@juliusvonkohout
Member

Let's try in general.

@google-oss-prow google-oss-prow bot added size/M and removed size/S labels Jul 6, 2024
@biswajit-9776
Contributor Author

https://github.com/kubeflow/manifests/blob/master/common/istio-1-22/kubeflow-istio-resources/base/kustomization.yaml

This kustomization doesn't have the required resources for the deployments in our patches as our deployments are part of istio-install/base/install.yaml

A better idea I could think of is istio-1-22/istio-install/base/patches. Since the install.yaml is in the resources: section of istio-1-22/istio-install/base/kustomization.yaml, our deployments can get patched successfully.
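As an added illustration, not code from this PR or from the kubeflow/manifests repository, the following shows the two pieces discussed in this thread together: the namespace labels used when testing the audit and enforce modes of Pod Security Standards, and a kustomize strategic merge patch kept under istio-install/base/patches that sets a seccompProfile on the Deployments pulled in from install.yaml. The Deployment names (istiod, istio-ingressgateway), the file names and the exact patches: wiring are assumptions for the example and should be checked against the real kustomization.yaml. Setting the profile at pod level covers every container in the pod unless a container overrides it, which is the check the restricted profile performs.

```yaml
# --- Namespace used for testing (constructed example, not from the PR).
# audit/warn only report violations; enforce rejects the pod at admission.
apiVersion: v1
kind: Namespace
metadata:
  name: istio-system
  labels:
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/enforce: restricted
---
# --- istio-install/base/kustomization.yaml (illustrative; the real file has more entries).
# install.yaml is the istioctl-generated manifest that contains the Deployments,
# so a patch listed here can reach them; kubeflow-istio-resources cannot.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - install.yaml
patches:
  - path: patches/seccomp-profile.yaml
    target:
      kind: Deployment
      name: istiod                  # assumed Deployment name
  - path: patches/seccomp-profile.yaml
    target:
      kind: Deployment
      name: istio-ingressgateway    # assumed Deployment name
---
# --- istio-install/base/patches/seccomp-profile.yaml
# Strategic merge patch. metadata.name is overridden by the target selector above,
# so one file serves both Deployments. RuntimeDefault satisfies the restricted
# profile; an Unconfined profile on the pod or on any container would fail it.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: placeholder
spec:
  template:
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault
```

Running kustomize build on the base and inspecting the rendered Deployments is enough to confirm the field landed in spec.template.spec.securityContext before applying the namespace labels; with audit and warn set first, the API server reports any remaining pod that would be rejected under enforce.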

@juliusvonkohout
Member

It looks good so far and will take a closer look soon.
We have to make sure that this is also copied to the istio-1-23 folder if we upgrade with the synchronisation script in /hack to 1.23+, and I have to merge this after the 1.9 release this week.

@biswajit-9776
Contributor Author

biswajit-9776 commented Jul 22, 2024

I have taken a look at the scripts in /hack and the script doesn't touch the istio-install/patches in any way and copies all of its content to newer istio versions. If we face any issue, I would take a look at it right away or run a pre-upgrade from the script anytime.

@juliusvonkohout juliusvonkohout self-assigned this Jul 22, 2024
@juliusvonkohout
Member

/lgtm
/approve

@google-oss-prow google-oss-prow bot added the lgtm label Jul 23, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: juliusvonkohout

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@biswajit-9776
Contributor Author

biswajit-9776 commented Jul 23, 2024

> /hold
>
> I think we are missing istio-cni

I have added seccompProfile for both deployments in istio-cni-1-22/istio-install/base/patches in this PR. Do you mean anything else for istio-cni?

@juliusvonkohout
Member

/unhold

@google-oss-prow google-oss-prow bot merged commit a0468b8 into kubeflow:master Jul 23, 2024
20 checks passed
@juliusvonkohout juliusvonkohout linked an issue Aug 12, 2024 that may be closed by this pull request
pschoen-itsc pushed a commit to pschoen-itsc/kf-manifests that referenced this pull request Sep 3, 2024
* Added PSS profile seccompProfile to pods of istio

Signed-off-by: biswajit-9776 <[email protected]>

* Added seccompProfile to istio as kustomize component

Signed-off-by: biswajit-9776 <[email protected]>

* Undone changes made to istio/base

Signed-off-by: biswajit-9776 <[email protected]>

* Added seccomp files to common/istio-1-22/kubeflow-istio-resources/

Signed-off-by: biswajit-9776 <[email protected]>

* Moved the seccompProfile patches to istio/base/patches

Signed-off-by: biswajit-9776 <[email protected]>

* Added newline character to a file

Signed-off-by: biswajit-9776 <[email protected]>

---------

Signed-off-by: biswajit-9776 <[email protected]>
Signed-off-by: Patrick Schönthaler <[email protected]>
Successfully merging this pull request may close these issues.

Rootless Kubeflow