PSS labels for the profile controller

contrib/security/PSS/dynamic/baseline/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+configMapGenerator:
+- name: namespace-labels-data
+  namespace: kubeflow
+  behavior: merge
+  files:
+  - namespace-labels.yaml

contrib/security/PSS/dynamic/baseline/namespace-labels.yaml

@@ -0,0 +1,23 @@
+# This file is a duplicate of apps/profiles/upstream/base/namespace-labels.yaml
+# as using only the required label to merge it with the existing config map of profiles
+# deployment to enable PSS for profile namespaces, leads to creation of a new config map
+# with just the PSS label and replaces the pre-exisiting labels in the deployed config map.
+# Below is a list of labels to be set by default.
+#
+# To add a namespace label, use `key: 'value'`, for example:
+# istio.io/rev: 'asm-191-1'
+#
+# To remove a namespace label, use `key: ''`. For example:
+# istio-injection: ''
+#
+# Profile controller will not replace a namespace label if its key already
+# exists. If you want to override the value of a previously applied label, you
+# need to:
+# 1. Remove the label by using `key: ''` and deploy.
+# 2. Add the label by using `key: 'value'` and deploy.
+#
+katib.kubeflow.org/metrics-collector-injection: "enabled"
+serving.kubeflow.org/inferenceservice: "enabled"
+pipelines.kubeflow.org/enabled: "true"
+app.kubernetes.io/part-of: "kubeflow-profile"
+pod-security.kubernetes.io/enforce: "baseline"

contrib/security/PSS/dynamic/restricted/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+configMapGenerator:
+- name: namespace-labels-data
+  namespace: kubeflow
+  behavior: merge
+  files:
+  - namespace-labels.yaml

contrib/security/PSS/dynamic/restricted/namespace-labels.yaml

@@ -0,0 +1,23 @@
+# This file is a duplicate of apps/profiles/upstream/base/namespace-labels.yaml
+# as using only the required label to merge it with the existing config map of profiles
+# deployment to enable PSS for profile namespaces, leads to creation of a new config map
+# with just the PSS label and replaces the pre-exisiting labels in the deployed config map.
+# Below is a list of labels to be set by default.
+#
+# To add a namespace label, use `key: 'value'`, for example:
+# istio.io/rev: 'asm-191-1'
+#
+# To remove a namespace label, use `key: ''`. For example:
+# istio-injection: ''
+#
+# Profile controller will not replace a namespace label if its key already
+# exists. If you want to override the value of a previously applied label, you
+# need to:
+# 1. Remove the label by using `key: ''` and deploy.
+# 2. Add the label by using `key: 'value'` and deploy.
+#
+katib.kubeflow.org/metrics-collector-injection: "enabled"
+serving.kubeflow.org/inferenceservice: "enabled"
+pipelines.kubeflow.org/enabled: "true"
+app.kubernetes.io/part-of: "kubeflow-profile"
+pod-security.kubernetes.io/enforce: "restricted"

contrib/security/PSS/static/restricted/kustomization.yaml

@@ -6,4 +6,5 @@ patches:
 - path: patches/istio-labels.yaml
 - path: patches/cert-manager-labels.yaml
 - path: patches/dex-labels.yaml
-- path: patches/oauth2-proxy-labels.yaml
+- path: patches/oauth2-proxy-labels.yaml
+- path: patches/istio-labels.yaml

example/kustomization.yaml

@@ -89,9 +89,14 @@ resources:
 - ../contrib/kserve/kserve
 - ../contrib/kserve/models-web-app/overlays/kubeflow
 
+components:
 # Pod Security Standards
 # https://kubernetes.io/docs/concepts/security/pod-security-standards/
 # Uncomment to enable baseline level standards
 # - ../contrib/security/PSS/static/baseline
 # Uncomment to enable restricted level standards
-# - ../contrib/security/PSS/static/restricted
+# - ../contrib/security/PSS/static/restricted
+# Uncomment to enable baseline level standards for dynamic namespaces
+# - ../contrib/security/PSS/dynamic/baseline
+# Uncomment to enable restricted level standards for dynamic namespaces
+# - ../contrib/security/PSS/dynamic/restricted