Fix PSS restricted warnings for kubeflow components

[akagami-harsh]

Pull Request Template for Kubeflow Manifests

✏️ Summary of Changes

• fixed PSS restricted warning for katib
• working on fixing for other components

📦 Dependencies

List any dependencies or related PRs (e.g., "Depends on #123").

🐛 Related Issues

• PSS baseline / restricted also for Notebooks, Katib, Kserve, Dashboard and istio-ingressgateway #3015

✅ Contributor Checklist

• I have tested these changes with kustomize. See Installation Prerequisites.
• All commits are signed-off to satisfy the DCO check.

---

You can join the CNCF Slack and access our meetings at the Kubeflow Community website. Our channel on the CNCF Slack is here #kubeflow-platform.

[akagami-harsh]

testing CI here, if it works then i'll make separate PRs to upstream repos

[juliusvonkohout]

testing CI here, if it works then i'll make separate PRs to upstream repos

Thank you, please also leave this one here open as well :-)

[akagami-harsh]

The cache-server is experiencing issues that appear to be related to the istio-init container. To mitigate this, Should i disable Istio sidecar injection for the cache-server deployment by adding the sidecar.istio.io/inject: "false" annotation to the cache-deployment.yaml file https://github.com/kubeflow/manifests/blob/master/apps/pipeline/upstream/base/cache/cache-deployment.yaml

[akagami-harsh]

The cache-server is experiencing issues that appear to be related to the istio-init container. To mitigate this, Should i disable Istio sidecar injection for the cache-server deployment by adding the sidecar.istio.io/inject: "false" annotation to the cache-deployment.yaml file https://github.com/kubeflow/manifests/blob/master/apps/pipeline/upstream/base/cache/cache-deployment.yaml

update: we can fix this by using istio-cni istio/istio#35894

[akagami-harsh]

opened PR in respective upstream repos

[juliusvonkohout]

I still see in the tests

Warning: existing pods in namespace "kubeflow" violate the new PodSecurity enforce level "restricted:latest"
Warning: centraldashboard-5796446d58-4h5jm: allowPrivilegeEscalation != false, unrestricted capabilities, runAsNonRoot != true, runAsUser=0, seccompProfile
namespace/kubeflow patched

now i also see why you have to set the seccomprofile at the pod level

[juliusvonkohout]

kubeflow/pipelines#11751 for KFP has been merged

[juliusvonkohout]

kubeflow/dashboard#87 for tracking in Kubeflow/ dashboard

[juliusvonkohout]

@akagami-harsh there is something you can fix directly in kubeflow / manifests overlays, not the upstream part.

++ kubectl patch namespace knative-serving --patch-file ./experimental/security/PSS/static/restricted/patches/knative-serving-labels.yaml
+ PATCH_OUTPUT='Warning: existing pods in namespace "knative-serving" violate the new PodSecurity enforce level "restricted:latest"
Warning: activator-5f95966686-pgcpc (and 4 other pods): seccompProfile
namespace/knative-serving patched'
+ echo 'Warning: existing pods in namespace "knative-serving" violate the new PodSecurity enforce level "restricted:latest"
Warning: activator-5f95966686-pgcpc (and 4 other pods): seccompProfile
namespace/knative-serving patched'

[juliusvonkohout]

/lgtm
/approve
/hold

lets wait for succesful tests and please make sure that all of this is merged in kubeflow/katib and kubeflow/dashboard.

[google-oss-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: juliusvonkohout

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [juliusvonkohout]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[juliusvonkohout]

/lgtm
/unhold

but please make sure that all of this is merged in kubeflow/katib and kubeflow/dashboard