Skip to content

test: enforce PSS restricted for CI user namespace#3444

Open
abdullahpathan22 wants to merge 2 commits intokubeflow:masterfrom
abdullahpathan22:fix/pss-ci-restricted
Open

test: enforce PSS restricted for CI user namespace#3444
abdullahpathan22 wants to merge 2 commits intokubeflow:masterfrom
abdullahpathan22:fix/pss-ci-restricted

Conversation

@abdullahpathan22
Copy link
Copy Markdown

@abdullahpathan22 abdullahpathan22 commented Apr 9, 2026
edited
Loading

What this PR does

Modifies tests/kubeflow_profile_install.sh to overwrite the
kubeflow-user-example-com namespace label to enforce: restricted
exclusively during CI testing.

Why

The Profile Controller sets enforce: baseline by default for
customer deployments. This change overwrites that label in CI only,
ensuring test workloads are verified under strict PSS restricted
enforcement without affecting production deployments.

@abdullahpathan22
test: enforce PSS restricted for CI user namespace
c4acbb2 
Overwrites the default baseline namespace label created by the profile
controller exclusively during CI tests. This guarantees that test
workloads simulate strict pod security standard (PSS) restricted
enforcements without modifying production default baselines.

Signed-off-by: abdullahpathan22 <abdullahpathan22@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 9, 2026 20:57
@google-oss-prow
Copy link
Copy Markdown

google-oss-prow bot commented Apr 9, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign kimwnasptd for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@google-oss-prow google-oss-prow bot requested a review from kimwnasptd April 9, 2026 20:57
@abdullahpathan22
ci: update workflow triggers for PSS test coverage
b9caaa2 
- Broaden katib triggers: tests/katib_install.sh -> tests/katib*
- Broaden pipeline triggers: individual files -> tests/pipeline*
- Add tests/pipeline* trigger to pipeline_run_from_notebook workflow
- Replace dead experimental/security/PSS/* path (directory no longer
  exists) with actual test files: tests/kubeflow_profile_install.sh
  and tests/PSS_enable.sh across all affected workflows

Note: Dashboard/profiles directory paths are intentionally kept as-is
since applications/profiles/ does not exist yet on master. Those paths
will be updated once the directory restructure lands.

Signed-off-by: abdullahpathan22 <abdullahpathan22@users.noreply.github.com>
@google-oss-prow google-oss-prow bot added size/S and removed size/XS labels Apr 20, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Awaiting requested review from Copilot

@juliusvonkohout juliusvonkohout Awaiting requested review from juliusvonkohout

@kimwnasptd kimwnasptd Awaiting requested review from kimwnasptd

Assignees

No one assigned

Labels

size/S

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@abdullahpathan22