Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: Removing PSS patches #2986

Merged
merged 2 commits into from
Feb 22, 2025
Merged

chore: Removing PSS patches #2986

merged 2 commits into from
Feb 22, 2025

Conversation

biswassri
Copy link
Contributor

@biswassri biswassri commented Feb 10, 2025
edited
Loading

Pull Request Template for Kubeflow manifests Issues

✏️ A brief description of the changes

Removed the PSS security patches that are no longer needed based on description in this issue #2970

📦 List any dependencies that are required for this change

My PR depends on #

🐛 If this PR is related to an issue, please put the link to the issue here.

#2970

✅ Contributor checklist

You can join the CNCF Slack and access our meetings at the Kubeflow Community website. Our channel on the CNCF Slack is here #kubeflow-platform.

@biswassri biswassri mentioned this pull request Feb 10, 2025
Open
7 tasks
@juliusvonkohout
Copy link
Member

juliusvonkohout commented Feb 10, 2025
edited
Loading

Thank you. you need to sigh for the DCO

# sign the latest X commits with HEAD~X
git rebase --signoff HEAD~1
# You have to force push afterwards
git push -f

@biswassri
chore: Removing PSS patches
2e1ec60 
Signed-off-by: biswassri <srijoni.biswas1994@gmail.com>
@juliusvonkohout
Copy link
Member

Warning: existing pods in namespace "istio-system" violate the new PodSecurity enforce level "restricted:latest"

can you check which pod does not have the full security context? Maybe jwks-proxy?

@juliusvonkohout
Copy link
Member

juliusvonkohout commented Feb 10, 2025
edited
Loading

Yes i think https://github.com/kubeflow/manifests/blob/master/common/oauth2-proxy/components/cluster-jwks-proxy/cluster-jwks-proxy.yaml needs the securitycontext.

        securityContext:
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
          runAsNonRoot: true
          capabilities:
            drop:
            - ALL

@juliusvonkohout
Copy link
Member

@biswassri do you want to continue here?

@biswassri
Adding security-context to cluster-jwks-proxy
5c0cfbe 
Signed-off-by: biswassri <srijoni.biswas1994@gmail.com>
@biswassri
Copy link
Contributor Author

biswassri commented Feb 22, 2025
edited
Loading

@juliusvonkohout Apologies for the delay. Updated the securitycontext for the said cluster. Waiting for the CI to pass now.

@juliusvonkohout
Copy link
Member

Thank you very much. The next step then is to fix the seccomprofile as described in the other issues and PRs. To fix it for the istio-ingressgateway as well.
/lgtm
/approve

@google-oss-prow google-oss-prow bot added the lgtm label Feb 22, 2025
@google-oss-prow Google OSS Prow
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: juliusvonkohout

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@google-oss-prow google-oss-prow bot merged commit da0623e into kubeflow:master Feb 22, 2025
12 checks passed
@biswassri biswassri deleted the remove-patches branch February 22, 2025 17:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@juliusvonkohout juliusvonkohout Awaiting requested review from juliusvonkohout

@zijianjoy zijianjoy Awaiting requested review from zijianjoy

Assignees

@juliusvonkohout juliusvonkohout

Labels
approved lgtm size/L
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@biswassri @juliusvonkohout