Added tests to tests/gh-actions to enable baseline and restricted PSS (kubeflow#2819)

* Patched PSS labels to multi_tenancy

Signed-off-by: biswajit-9776 <[email protected]>

* Added script in gh-actions to patch PSS/static/baseline/pacthes

Signed-off-by: biswajit-9776 <[email protected]>

* Added PSS scripts for both baseline and restricted labels of static namespaces and renamed directories

Signed-off-by: biswajit-9776 <[email protected]>

* Added tests to enable PSS in gh-actions

Signed-off-by: biswajit-9776 <[email protected]>

* Added workflow test for PSS labels

Signed-off-by: biswajit-9776 <[email protected]>

* Fixed indentation

Signed-off-by: biswajit-9776 <[email protected]>

---------

Signed-off-by: biswajit-9776 <[email protected]>

Author: biswajit-9776

.github/workflows/pss_test.yaml

@@ -0,0 +1,35 @@
+name: Appy PSS labels to namespaces
+on:
+  pull_request:
+    paths:
+    - .github/workflows/*
+    - tests/gh-actions/kind-cluster.yaml
+    - apps/profiles/upstream/**
+    - common/dex/**
+    - common/cert-manager/**
+    - common/oidc-client/oauth2-proxy/**
+    - common/istio*/**
+    - tests/gh-actions/install_istio_with_ext_auth.sh
+    - tests/gh-actions/install_multitenancy.sh
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+
+    - name: Install KinD
+      run: ./tests/gh-actions/install_kind.sh
+
+    - name: Create KinD Cluster
+      run: kind create cluster --config tests/gh-actions/kind-cluster.yaml
+
+    - name: Install kustomize
+      run: ./tests/gh-actions/install_kustomize.sh
+
+    - name: Install kubectl
+      run: ./tests/gh-actions/install_kubectl.sh
+
+    - name: Applying Pod Security Standards baseline levels for static namespaces
+      run: ./tests/gh-actions/enable_baseline_PSS.sh

contrib/security/PSS/static/baseline/kustomization.yaml

@@ -3,7 +3,7 @@ kind: Component
 
 patches:
 - path: patches/kubeflow-labels.yaml
-- path: patches/istio-labels.yaml
+- path: patches/istio-system-labels.yaml
 - path: patches/cert-manager-labels.yaml
-- path: patches/dex-labels.yaml
-- path: patches/oauth2-proxy-labels.yaml
+- path: patches/auth-labels.yaml
+- path: patches/oauth2-proxy-labels.yaml

contrib/security/PSS/static/baseline/patches/dex-labels.yaml renamed to contrib/security/PSS/static/baseline/patches/auth-labels.yaml

@@ -3,8 +3,7 @@ kind: Component
 
 patches:
 - path: patches/kubeflow-labels.yaml
-- path: patches/istio-labels.yaml
+- path: patches/istio-system-labels.yaml
 - path: patches/cert-manager-labels.yaml
-- path: patches/dex-labels.yaml
+- path: patches/auth-labels.yaml
 - path: patches/oauth2-proxy-labels.yaml
-- path: patches/istio-labels.yaml

contrib/security/PSS/static/baseline/patches/istio-labels.yaml renamed to contrib/security/PSS/static/baseline/patches/istio-system-labels.yaml

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow")
+
+for NAMESPACE in "${NAMESPACES[@]}"; do
+    if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then
+        echo "Patching the PSS-baseline labels for namespace $NAMESPACE..."
+        kubectl patch namespace $NAMESPACE --patch-file ./contrib/security/PSS/static/baseline/patches/${NAMESPACE}-labels.yaml
+    fi
+done

contrib/security/PSS/static/restricted/kustomization.yaml

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow")
+
+for NAMESPACE in "${NAMESPACES[@]}"; do
+    if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then
+        echo "Patching the PSS-restricted labels for namespace $NAMESPACE..."
+        kubectl patch namespace $NAMESPACE --patch-file ./contrib/security/PSS/static/restricted/patches/${NAMESPACE}-labels.yaml
+    fi
+done