kubeflow
diff --git a/‎.github/workflows/admission_webhook_test.yaml‎
Lines changed: 1 addition & 0 deletions b/‎.github/workflows/admission_webhook_test.yaml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎.github/workflows/centraldashboard_test.yaml‎
Lines changed: 1 addition & 0 deletions b/‎.github/workflows/centraldashboard_test.yaml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎.github/workflows/jupyter_web_application_test.yaml‎
Lines changed: 1 addition & 0 deletions b/‎.github/workflows/jupyter_web_application_test.yaml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎.github/workflows/katib_test.yaml‎
Lines changed: 1 addition & 0 deletions b/‎.github/workflows/katib_test.yaml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎.github/workflows/kserve_cni_test.yaml‎
Lines changed: 2 additions & 1 deletion b/‎.github/workflows/kserve_cni_test.yaml‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎.github/workflows/kserve_m2m_test.yaml‎
Lines changed: 5 additions & 4 deletions b/‎.github/workflows/kserve_m2m_test.yaml‎
Lines changed: 5 additions & 4 deletions
diff --git a/‎.github/workflows/kserve_test.yaml‎
Lines changed: 2 additions & 0 deletions b/‎.github/workflows/kserve_test.yaml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎.github/workflows/pipeline_swfs_test.yaml‎
Lines changed: 28 additions & 10 deletions b/‎.github/workflows/pipeline_swfs_test.yaml‎
Lines changed: 28 additions & 10 deletions
diff --git a/‎.github/workflows/ray_test.yaml‎
Lines changed: 6 additions & 0 deletions b/‎.github/workflows/ray_test.yaml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎.github/workflows/spark_test.yaml‎
Lines changed: 6 additions & 0 deletions b/‎.github/workflows/spark_test.yaml‎
Lines changed: 6 additions & 0 deletions
@@ -8,6 +8,7 @@ on:
     - tests/gh-actions/install_istio.sh
     - tests/gh-actions/install_cert_manager.sh
     - common/cert-manager/**
+    - common/istio*/**
 
 jobs:
   build:
 
@@ -6,6 +6,7 @@ on:
     - .github/workflows/centraldashboard_test.yaml
     - apps/centraldashboard/upstream/**
     - tests/gh-actions/install_istio.sh
+    - common/istio*/**
 
 jobs:
   build:
 
@@ -6,6 +6,7 @@ on:
     - .github/workflows/jupyter_web_application_test.yaml
     - apps/jupyter/jupyter-web-app/upstream/**
     - tests/gh-actions/install_istio.sh
+    - common/istio*/**
 
 jobs:
   build:
 
@@ -6,6 +6,7 @@ on:
     - .github/workflows/katib_test.yaml
     - apps/katib/upstream/**
     - tests/gh-actions/install_istio.sh
+    - common/istio*/**
     - tests/gh-actions/install_cert_manager.sh
     - common/cert-manager/**
     - experimental/security/PSS/*
 
@@ -4,7 +4,8 @@ on:
     paths:
     - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh
     - .github/workflows/kserve_cni_test.yaml
-    - common/istio-cni-1-24/**
+    - tests/gh-actions/install_istio.sh
+    - common/istio*/**
     - tests/gh-actions/install_cert_manager.sh
     - common/cert-manager/**
     - tests/gh-actions/install_knative-cni.sh
 
@@ -5,15 +5,16 @@ on:
     - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh
     - .github/workflows/kserve_m2m_test.yaml
     - apps/kserve/**
-    - common/oauth2-proxy/**
+    - tests/gh-actions/install_kserve.sh
     - common/istio*/**
     - tests/gh-actions/install_istio.sh
+    - common/oauth2-proxy/**
     - tests/gh-actions/install_oauth2-proxy.sh
-    - tests/gh-actions/install_cert_manager.sh
     - common/cert-manager/**
-    - tests/gh-actions/install_knative.sh
+    - tests/gh-actions/install_cert_manager.sh
     - common/knative/**
-    - tests/gh-actions/install_kserve.sh
+    - tests/gh-actions/install_knative.sh
+
 
 jobs:
   build:
 
@@ -11,6 +11,8 @@ on:
     - common/knative/**
     - tests/gh-actions/install_kserve.sh
     - experimental/security/PSS/**
+    - common/istio*/**
+    - tests/gh-actions/install_istio.sh
 
 jobs:
   build:
 
@@ -38,14 +38,14 @@ jobs:
     - name: Create kubeflow namespace
       run: kustomize build common/kubeflow-namespace/base | kubectl apply -f -
 
-    - name: Install KF Pipelines
-      run: ./tests/gh-actions/install_pipelines.sh
-
     - name: Install KF Multi Tenancy
       run: ./tests/gh-actions/install_multi_tenancy.sh
 
+    - name: Install KF Pipelines
+      run: ./tests/gh-actions/install_pipelines_swfs.sh
+
     - name: Install kubeflow-istio-resources
-      run: kustomize build common/istio-1-24/kubeflow-istio-resources/base | kubectl apply -f -
+      run: kustomize build common/istio-cni-1-24/kubeflow-istio-resources/base | kubectl apply -f -
 
     - name: Create KF Profile
       run: |
@@ -75,12 +75,6 @@ jobs:
         fi
         kubectl get secret mlpipeline-minio-artifact -n "$KF_PROFILE" -o json | jq -r '.data | keys[] as $k | "\($k): \(. | .[$k] | @base64d)"' | tr '\n' ' '
 
-    - name: Install seaweedfs
-      run: |
-        kustomize build experimental/seaweedfs/istio | kubectl apply -f -
-        kubectl -n kubeflow wait --for=condition=available --timeout=600s deploy/seaweedfs
-        kubectl -n kubeflow exec deploy/seaweedfs -c seaweedfs -- sh -c "echo \"s3.configure -user minio -access_key minio -secret_key minio123 -actions Read,Write,List -apply\" | /usr/bin/weed shell"
-
     - name: port forward
       run: |
         ingress_gateway_service=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0].metadata.name}')
@@ -93,3 +87,27 @@ jobs:
         KF_PROFILE=kubeflow-user-example-com
         TOKEN="$(kubectl -n $KF_PROFILE create token default-editor)"
         python3 tests/gh-actions/pipeline_test.py run_pipeline "${TOKEN}" "${KF_PROFILE}"
+
+    - name: Fail to list pipelines with unauthorized ServiceAccount Token
+      run: |
+        pip3 install kfp==2.11.0
+        KF_PROFILE=kubeflow-user-example-com
+        TOKEN="$(kubectl -n default create token default)"
+        python3 tests/gh-actions/pipeline_test.py test_unauthorized_access "${TOKEN}" "${KF_PROFILE}"
+        echo "Test succeeded. Token from unauthorized ServiceAccount cannot list pipelines in $KF_PROFILE namespace."
+
+
+    - name: Apply Pod Security Standards baseline levels for static namespaces
+      run: ./tests/gh-actions/enable_baseline_PSS.sh
+
+    - name: Unapply applied baseline labels
+      run: |
+        NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow")
+        for NAMESPACE in "${NAMESPACES[@]}"; do
+          if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then
+            kubectl label namespace $NAMESPACE pod-security.kubernetes.io/enforce-
+          fi
+        done
+
+    - name: Applying Pod Security Standards restricted levels for static namespaces
+      run: ./tests/gh-actions/enable_restricted_PSS.sh
@@ -5,6 +5,12 @@ on:
     - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh
     - .github/workflows/ray_test.yaml
     - experimental/ray/**
+    - tests/gh-actions/install_istio.sh
+    - tests/gh-actions/install_cert_manager.sh
+    - tests/gh-actions/install_oauth2-proxy.sh
+    - common/cert-manager/**
+    - common/oauth2-proxy/**
+    - common/istio*/**
 
 jobs:
   build:
 
@@ -5,6 +5,12 @@ on:
     - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh
     - .github/workflows/spark_test.yaml
     - apps/spark/**
+    - tests/gh-actions/install_istio.sh
+    - tests/gh-actions/install_cert_manager.sh
+    - tests/gh-actions/install_oauth2-proxy.sh
+    - common/cert-manager/**
+    - common/oauth2-proxy/**
+    - common/istio*/**
 
 jobs:
   build: