chore: Add securitycontext for PSS PoC (rootless Kubeflow) #220
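# GitHub Actions workflow: end-to-end check, in a throwaway KinD cluster, that
# the Jupyter Web App / Notebook Controller manifests enforce machine-to-machine
# (m2m) authorization: a ServiceAccount token from the profile namespace must be
# allowed to list notebooks (HTTP 200), a token from an unrelated namespace must
# be rejected (HTTP 403).
name: Test Notebook Controller with m2m auth manifests in KinD

# NOTE: generic YAML 1.1 parsers read the bare `on` key as boolean true;
# GitHub's loader handles it, so it stays unquoted (yamllint: disable truthy).
on:
  pull_request:
    paths:
      - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh
      - .github/workflows/notebook_controller_m2m_test.yaml
      - apps/jupyter/**
      - common/oauth2-proxy/**
      - common/istio*/**
      - tests/gh-actions/install_istio.sh
      - tests/gh-actions/install_oauth2-proxy.sh
      - tests/gh-actions/install_multi_tenancy.sh

# Least privilege for GITHUB_TOKEN: the job only needs to read the repository.
# Without this block the token gets the repository's default permission set.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        # Supply-chain hardening: a full commit SHA pin is preferable to a
        # mutable tag; left as the tag the repository currently uses.
        uses: actions/checkout@v4

      - name: Install KinD, Create KinD cluster and Install kustomize
        run: ./tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh

      - name: Install kubectl
        run: ./tests/gh-actions/install_kubectl.sh

      - name: Create kubeflow namespace
        run: kustomize build common/kubeflow-namespace/base | kubectl apply -f -

      - name: Install Istio
        run: ./tests/gh-actions/install_istio.sh

      - name: Install oauth2-proxy
        run: ./tests/gh-actions/install_oauth2-proxy.sh

      - name: Install kubeflow-istio-resources
        run: kustomize build common/istio-1-23/kubeflow-istio-resources/base | kubectl apply -f -

      - name: Install KF Multi Tenancy
        run: ./tests/gh-actions/install_multi_tenancy.sh

      - name: Build & Apply manifests
        run: |
          kustomize build apps/jupyter/jupyter-web-app/upstream/overlays/istio/ | kubectl apply -f -
          kustomize build apps/jupyter/notebook-controller/upstream/overlays/kubeflow/ | kubectl apply -f -
          # Completed one-shot pods never become Ready; exclude them from the wait.
          kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=300s \
            --field-selector=status.phase!=Succeeded

      - name: Create KF Profile
        run: kustomize build common/user-namespace/base | kubectl apply -f -

      - name: Port forward
        run: |
          INGRESS_GATEWAY_SERVICE=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0].metadata.name}')
          nohup kubectl port-forward --namespace istio-system svc/${INGRESS_GATEWAY_SERVICE} 8080:80 &
          # Bounded readiness wait: a port-forward that never comes up fails the
          # step instead of spinning until the runner's job timeout.
          attempts=0
          until curl --silent --output /dev/null localhost:8080; do
            attempts=$((attempts + 1))
            if test "$attempts" -ge 60; then
              echo "Error, port-forwarding did not become ready within 60 attempts."
              exit 1
            fi
            echo waiting for port-forwarding
            sleep 1
          done
          echo port-forwarding ready

      - name: List notebooks over API with authorized SA Token
        run: |
          KF_PROFILE=kubeflow-user-example-com
          TOKEN="$(kubectl -n "$KF_PROFILE" create token default-editor)"
          # curl -v echoes the Authorization header to stderr; mask the bearer
          # token so it does not appear in plain text in the job log.
          echo "::add-mask::${TOKEN}"
          STATUS_CODE=$(curl -v \
            --silent --output /dev/stderr --write-out "%{http_code}" \
            "localhost:8080/jupyter/api/namespaces/${KF_PROFILE}/notebooks" \
            -H "Authorization: Bearer ${TOKEN}")
          if test "$STATUS_CODE" -ne 200; then
            echo "Error, this call should be authorized to list notebooks in namespace ${KF_PROFILE}."
            exit 1
          fi

      - name: List notebooks over API with unauthorized SA Token
        run: |
          KF_PROFILE=kubeflow-user-example-com
          # Token from the `default` namespace has no RoleBinding in the profile
          # namespace, so the request must be denied (403, not 401 and not 200).
          TOKEN="$(kubectl -n default create token default)"
          echo "::add-mask::${TOKEN}"
          STATUS_CODE=$(curl -v \
            --silent --output /dev/stderr --write-out "%{http_code}" \
            "localhost:8080/jupyter/api/namespaces/${KF_PROFILE}/notebooks" \
            -H "Authorization: Bearer ${TOKEN}")
          if test "$STATUS_CODE" -ne 403; then
            echo "Error, this call should fail to list notebooks in namespace ${KF_PROFILE}."
            exit 1
          fi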