Skip to content

chore: Add securitycontext for PSS PoC (rootless Kubeflow) #220

chore: Add securitycontext for PSS PoC (rootless Kubeflow)

chore: Add securitycontext for PSS PoC (rootless Kubeflow) #220

name: Test Notebook Controller with m2m auth manifests in KinD
on:
pull_request:
paths:
- tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh
- .github/workflows/notebook_controller_m2m_test.yaml
- apps/jupyter/**
- common/oauth2-proxy/**
- common/istio*/**
- tests/gh-actions/install_istio.sh
- tests/gh-actions/install_oauth2-proxy.sh
- tests/gh-actions/install_multi_tenancy.sh
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install KinD, Create KinD cluster and Install kustomize
run: ./tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh
- name: Install kubectl
run: ./tests/gh-actions/install_kubectl.sh
- name: Create kubeflow namespace
run: kustomize build common/kubeflow-namespace/base | kubectl apply -f -
- name: Install Istio
run: ./tests/gh-actions/install_istio.sh
- name: Install oauth2-proxy
run: ./tests/gh-actions/install_oauth2-proxy.sh
- name: Install kubeflow-istio-resources
run: kustomize build common/istio-1-23/kubeflow-istio-resources/base | kubectl apply -f -
- name: Install KF Multi Tenancy
run: ./tests/gh-actions/install_multi_tenancy.sh
- name: Build & Apply manifests
run: |
kustomize build apps/jupyter/jupyter-web-app/upstream/overlays/istio/ | kubectl apply -f -
kustomize build apps/jupyter/notebook-controller/upstream/overlays/kubeflow/ | kubectl apply -f -
kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=300s \
--field-selector=status.phase!=Succeeded
- name: Create KF Profile
run: kustomize build common/user-namespace/base | kubectl apply -f -
- name: Port forward
run: |
INGRESS_GATEWAY_SERVICE=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0].metadata.name}')
nohup kubectl port-forward --namespace istio-system svc/${INGRESS_GATEWAY_SERVICE} 8080:80 &
while ! curl localhost:8080; do echo waiting for port-forwarding; sleep 1; done; echo port-forwarding ready
- name: List notebooks over API with authorized SA Token
run: |
KF_PROFILE=kubeflow-user-example-com
TOKEN="$(kubectl -n $KF_PROFILE create token default-editor)"
STATUS_CODE=$(curl -v \
--silent --output /dev/stderr --write-out "%{http_code}" \
"localhost:8080/jupyter/api/namespaces/${KF_PROFILE}/notebooks" \
-H "Authorization: Bearer ${TOKEN}")
if test $STATUS_CODE -ne 200; then
echo "Error, this call should be authorized to list notebooks in namespace ${KF_PROFILE}."
exit 1
fi
- name: List notebooks over API with unauthorized SA Token
run: |
KF_PROFILE=kubeflow-user-example-com
TOKEN="$(kubectl -n default create token default)"
STATUS_CODE=$(curl -v \
--silent --output /dev/stderr --write-out "%{http_code}" \
"localhost:8080/jupyter/api/namespaces/${KF_PROFILE}/notebooks" \
-H "Authorization: Bearer ${TOKEN}")
if test $STATUS_CODE -ne 403; then
echo "Error, this call should fail to list notebooks in namespace ${KF_PROFILE}."
exit 1
fi