chore: Add securitycontext for PSS PoC (rootless Kubeflow) #226

name: Test Notebook Controller with m2m auth manifests in KinD
- .github/workflows/notebook_controller_m2m_test.yaml
- apps/jupyter/**
- common/oauth2-proxy/**
- common/istio*/**
runs-on: ubuntu-latest
- name: Checkout
uses: actions/checkout@v4
- name: Install KinD, Create KinD cluster and Install kustomize
run: ./tests/gh-actions/
- name: Install kubectl
run: ./tests/gh-actions/
- name: Create kubeflow namespace
run: kustomize build common/kubeflow-namespace/base | kubectl apply -f -
- name: Install Istio
run: ./tests/gh-actions/
- name: Install oauth2-proxy
run: ./tests/gh-actions/
- name: Install kubeflow-istio-resources
run: kustomize build common/istio-1-23/kubeflow-istio-resources/base | kubectl apply -f -
- name: Install KF Multi Tenancy
run: ./tests/gh-actions/
- name: Build & Apply manifests
run: |
kustomize build apps/jupyter/jupyter-web-app/upstream/overlays/istio/ | kubectl apply -f -
kustomize build apps/jupyter/notebook-controller/upstream/overlays/kubeflow/ | kubectl apply -f -
kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=300s \
- name: Create KF Profile
run: kustomize build common/user-namespace/base | kubectl apply -f -
- name: Port forward
run: |
INGRESS_GATEWAY_SERVICE=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0]}')
nohup kubectl port-forward --namespace istio-system svc/${INGRESS_GATEWAY_SERVICE} 8080:80 &
while ! curl localhost:8080; do echo waiting for port-forwarding; sleep 1; done; echo port-forwarding ready
- name: List notebooks over API with authorized SA Token
run: |
TOKEN="$(kubectl -n $KF_PROFILE create token default-editor)"
STATUS_CODE=$(curl -v \
--silent --output /dev/stderr --write-out "%{http_code}" \
"localhost:8080/jupyter/api/namespaces/${KF_PROFILE}/notebooks" \
-H "Authorization: Bearer ${TOKEN}")
if test $STATUS_CODE -ne 200; then
echo "Error, this call should be authorized to list notebooks in namespace ${KF_PROFILE}."
exit 1
- name: List notebooks over API with unauthorized SA Token
run: |
TOKEN="$(kubectl -n default create token default)"
STATUS_CODE=$(curl -v \
--silent --output /dev/stderr --write-out "%{http_code}" \
"localhost:8080/jupyter/api/namespaces/${KF_PROFILE}/notebooks" \
-H "Authorization: Bearer ${TOKEN}")
if test $STATUS_CODE -ne 403; then
echo "Error, this call should fail to list notebooks in namespace ${KF_PROFILE}."
exit 1