@@ -45,13 +45,14 @@ jobs:
4545 run : ./tests/gh-actions/install_multi_tenancy.sh
4646
4747 - name : Install kubeflow-istio-resources
48- run : kustomize build common/istio-1-24/kubeflow-istio-resources/base | kubectl apply -f -
48+ run : kustomize build common/istio-cni- 1-24/kubeflow-istio-resources/base | kubectl apply -f -
4949
5050 - name : Install seaweedfs
5151 run : |
5252 kustomize build experimental/seaweedfs/istio | kubectl apply -f -
5353 kubectl -n kubeflow wait --for=condition=available --timeout=600s deploy/seaweedfs
5454
55+
5556name : Create KF Profile
5657 run : |
5758 kustomize build common/user-namespace/base | kubectl apply -f -
9293 KF_PROFILE=kubeflow-user-example-com
9394 TOKEN="$(kubectl -n $KF_PROFILE create token default-editor)"
9495 python3 tests/gh-actions/pipeline_test.py run_pipeline "${TOKEN}" "${KF_PROFILE}"
96+
97+ name : Fail to list pipelines with unauthorized ServiceAccount Token
98+ run : |
99+ pip3 install kfp==2.11.0
100+ KF_PROFILE=kubeflow-user-example-com
101+ TOKEN="$(kubectl -n default create token default)"
102+ python3 tests/gh-actions/pipeline_test.py test_unauthorized_access "${TOKEN}" "${KF_PROFILE}"
103+ echo "Test succeeded. Token from unauthorized ServiceAccount cannot list pipelines in $KF_PROFILE namespace."
104+
105+
106+ name : Apply Pod Security Standards baseline levels for static namespaces
107+ run : ./tests/gh-actions/enable_baseline_PSS.sh
108+
109+ - name : Unapply applied baseline labels
110+ run : |
111+ NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow")
112+ for NAMESPACE in "${NAMESPACES[@]}"; do
113+ if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then
114+ kubectl label namespace $NAMESPACE pod-security.kubernetes.io/enforce-
115+ fi
116+ done
117+
118+ name : Applying Pod Security Standards restricted levels for static namespaces
119+ run : ./tests/gh-actions/enable_restricted_PSS.sh
0 commit comments