From c4acbb215fd4be3c53335d58124c5f76ae30a454 Mon Sep 17 00:00:00 2001 From: abdullahpathan22 Date: Fri, 10 Apr 2026 02:20:45 +0530 Subject: [PATCH 1/2] test: enforce PSS restricted for CI user namespace Overwrites the default baseline namespace label created by the profile controller exclusively during CI tests. This guarantees that test workloads simulate strict pod security standard (PSS) restricted enforcements without modifying production default baselines. Signed-off-by: abdullahpathan22 --- tests/kubeflow_profile_install.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/tests/kubeflow_profile_install.sh b/tests/kubeflow_profile_install.sh
index 4176836970..222ef321b3 100755
--- a/tests/kubeflow_profile_install.sh
+++ b/tests/kubeflow_profile_install.sh
@@ -6,4 +6,7 @@ PROFILE_CONTROLLER_POD=$(kubectl get pods -n kubeflow -o json | jq -r '.items[]
 kubectl logs -n kubeflow "$PROFILE_CONTROLLER_POD"
 KF_PROFILE=kubeflow-user-example-com
 kubectl -n $KF_PROFILE get pods,configmaps,secrets
-kubectl label namespace $KF_PROFILE pod-security.kubernetes.io/enforce=baseline --overwrite
+kubectl label namespace $KF_PROFILE \
+ pod-security.kubernetes.io/enforce=restricted \
+ pod-security.kubernetes.io/enforce-version=latest \
+ --overwrite
From b9caaa2ee44863453be790cc17362a799712bf9b Mon Sep 17 00:00:00 2001
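Review bot: Nothing after the new `kubectl label` call confirms that `restricted` is still the enforced level when the test workloads are created, so the check this commit is meant to add can silently fall back to `baseline`. The commit message says the profile controller sets the baseline label; if it reconciles namespace labels (not visible here), the `--overwrite` may be reverted. Pod Security admission also only evaluates pods at create/update time, so anything already running in `$KF_PROFILE` is reported as a warning at most. I would read the label back before continuing, e.g. `kubectl get namespace "$KF_PROFILE" -o jsonpath='{.metadata.labels.pod-security\.kubernetes\.io/enforce}' | grep -qx restricted`, and quote `"$KF_PROFILE"` in the label command as well. The rest of the script is outside the hunk, so whether `set -e` makes a failed check fatal needs confirming.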
From: abdullahpathan22 Date: Tue, 21 Apr 2026 04:05:32 +0530 Subject: [PATCH 2/2] ci: update workflow triggers for PSS test coverage - Broaden katib triggers: tests/katib_install.sh -> tests/katib* - Broaden pipeline triggers: individual files -> tests/pipeline* - Add tests/pipeline* trigger to pipeline_run_from_notebook workflow - Replace dead experimental/security/PSS/* path (directory no longer exists) with actual test files: tests/kubeflow_profile_install.sh and tests/PSS_enable.sh across all affected workflows Note: Dashboard/profiles directory paths are intentionally kept as-is since applications/profiles/ does not exist yet on master. Those paths will be updated once the directory restructure lands. Signed-off-by: abdullahpathan22 --- .github/workflows/dex_oauth2-proxy_test.yaml | 3 ++- .github/workflows/katib_test.yaml | 5 +++-- .github/workflows/pipeline_run_from_notebook.yaml | 3 +++ .github/workflows/pipeline_test.yaml | 6 +++--- .github/workflows/trainer_test.yaml | 3 ++- .github/workflows/training_operator_test.yaml | 3 ++- 6 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/dex_oauth2-proxy_test.yaml b/.github/workflows/dex_oauth2-proxy_test.yaml
index cdcd738580..139d365788 100644
--- a/.github/workflows/dex_oauth2-proxy_test.yaml
+++ b/.github/workflows/dex_oauth2-proxy_test.yaml
@@ -7,7 +7,8 @@ on:
 - common/cert-manager/**
 - common/oauth2-proxy/**
 - common/istio*/**
- - experimental/security/PSS/*
+ - tests/kubeflow_profile_install.sh
+ - tests/PSS_enable.sh
 - common/dex/base/**
 - tests/istio*
 - tests/dex_login_test.py
diff --git a/.github/workflows/katib_test.yaml b/.github/workflows/katib_test.yaml
index 921da769b1..d629acde6b 100644
--- a/.github/workflows/katib_test.yaml
+++ b/.github/workflows/katib_test.yaml
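Review bot: The two PSS entries added to the dex_oauth2-proxy path filter are exact file names, while the same commit moves the katib and pipeline filters to globs (`tests/katib*`, `tests/pipeline*`). A path filter that no longer matches anything fails silently, because the workflow simply stops triggering, as the dead `experimental/security/PSS/*` entry shows; a later rename of `tests/PSS_enable.sh` would repeat that for the pod-security checks. Consider `- tests/PSS*` in place of the literal name, or a one-line comment such as `# PSS scripts: update these filters if the files move` above the pair; the same applies to the katib, pipeline_run_from_notebook, pipeline, trainer and training_operator hunks. Whether `tests/PSS_enable.sh` exists on the target branch is not visible in this patch and is worth confirming.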
@@ -3,13 +3,14 @@ on:
 pull_request:
 paths:
 - tests/install_KinD_create_KinD_cluster_install_kustomize.sh
- - tests/katib_install.sh
+ - tests/katib*
 - .github/workflows/katib_test.yaml
 - applications/katib/upstream/**
 - common/istio*/**
 - tests/istio*
 - common/cert-manager/**
- - experimental/security/PSS/*
+ - tests/kubeflow_profile_install.sh
+ - tests/PSS_enable.sh
 permissions:
 contents: read
diff --git a/.github/workflows/pipeline_run_from_notebook.yaml b/.github/workflows/pipeline_run_from_notebook.yaml
index c7f1f5bbb2..7b6fb89e3d 100644
--- a/.github/workflows/pipeline_run_from_notebook.yaml
+++ b/.github/workflows/pipeline_run_from_notebook.yaml
@@ -10,6 +10,9 @@ on:
 - common/cert-manager/**
 - common/oauth2-proxy/**
 - common/istio*/**
+ - tests/pipeline*
+ - tests/kubeflow_profile_install.sh
+ - tests/PSS_enable.sh
 - common/kubeflow-namespace/**
 - applications/jupyter/**
diff --git a/.github/workflows/pipeline_test.yaml b/.github/workflows/pipeline_test.yaml
index 6c479db1b7..cf1fab6d87 100644
--- a/.github/workflows/pipeline_test.yaml
+++ b/.github/workflows/pipeline_test.yaml
@@ -10,9 +10,9 @@ on:
 - common/cert-manager/**
 - common/oauth2-proxy/**
 - common/istio*/**
- - tests/pipeline_v1_test.py
- - tests/pipeline_v2_test.py
- - experimental/security/PSS/*
+ - tests/pipeline*
+ - tests/kubeflow_profile_install.sh
+ - tests/PSS_enable.sh
 permissions:
 contents: read
diff --git a/.github/workflows/trainer_test.yaml b/.github/workflows/trainer_test.yaml
index f23f28206b..6b257b1f0d 100644
--- a/.github/workflows/trainer_test.yaml
+++ b/.github/workflows/trainer_test.yaml
@@ -11,7 +11,8 @@ on:
 - common/cert-manager/**
 - common/oauth2-proxy/**
 - common/istio*/**
- - experimental/security/PSS/*
+ - tests/kubeflow_profile_install.sh
+ - tests/PSS_enable.sh
 permissions:
 contents: read
diff --git a/.github/workflows/training_operator_test.yaml b/.github/workflows/training_operator_test.yaml
index 5d05f0f80e..d36f6be745 100644
--- a/.github/workflows/training_operator_test.yaml
+++ b/.github/workflows/training_operator_test.yaml
@@ -11,7 +11,8 @@ on:
 - common/cert-manager/**
 - common/oauth2-proxy/**
 - common/istio*/**
- - experimental/security/PSS/*
+ - tests/kubeflow_profile_install.sh
+ - tests/PSS_enable.sh
 permissions:
 contents: read