Skip to content

fix: pss-restricted-with-istio #3021

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
juliusvonkohout wants to merge 6 commits into
base: master
Choose a base branch
from
Open

fix: pss-restricted-with-istio #3021

juliusvonkohout wants to merge 6 commits into from
+27 −7

Conversation

@juliusvonkohout
Copy link
Member

@juliusvonkohout juliusvonkohout commented Dec 5, 2025
edited
Loading

@andreyvelich may you also patch it in helm for the jobset ?

@juliusvonkohout
pss-restricted-fixes
bc951f1 
Signed-off-by: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>
@github-actions
Copy link

github-actions bot commented Dec 5, 2025

🎉 Welcome to the Kubeflow Trainer! 🎉

Thanks for opening your first PR! We're happy to have you as part of our community 🚀

Here's what happens next:

  • If you haven't already, please check out our Contributing Guide for repo-specific guidelines and the Kubeflow Contributor Guide for general community standards.
  • Our team will review your PR soon! cc @kubeflow/kubeflow-trainer-team

Join the community:

Feel free to ask questions in the comments if you need any help or clarification!
Thanks again for contributing to Kubeflow! 🙏

@juliusvonkohout
Enhance deployment.yaml with security context and annotations
c2cb7e4 
Add security context and annotations for Istio traffic management.

Signed-off-by: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>
@google-oss-prow google-oss-prow bot added size/S and removed size/XS labels Dec 5, 2025
@coveralls
Copy link

coveralls commented Dec 5, 2025
edited
Loading

Pull Request Test Coverage Report for Build 20599754766

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 51.435%
Totals Coverage Status
Change from base Build 19935327740: 0.0%
Covered Lines: 1237
Relevant Lines: 2405
💛 - Coveralls

@juliusvonkohout
Update kustomization.yaml with new patches
85b1e83 
Added a patch to modify the jobset-controller-manager deployment annotations and security context.

Signed-off-by: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>
@google-oss-prow google-oss-prow bot added size/M and removed size/S labels Dec 5, 2025
@juliusvonkohout juliusvonkohout changed the title pss-restricted-fixes fix: pss-restricted-with-istio Dec 5, 2025
andreyvelich
andreyvelich reviewed Dec 8, 2025
View reviewed changes
juliusvonkohout
juliusvonkohout commented Dec 10, 2025
View reviewed changes
@juliusvonkohout
Copy link
Member Author

juliusvonkohout commented Dec 16, 2025

/retest

@juliusvonkohout
Remove seccomp profile from manager deployment
c2226b6 
Removed security context seccomp profile from deployment.

Signed-off-by: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>
Copilot AI review requested due to automatic review settings December 30, 2025 15:17
Copilot AI reviewed Dec 30, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds Istio sidecar exclusion configuration and seccomp security profiles to improve compatibility with Pod Security Standards (PSS) restricted policies when using Istio service mesh. The changes ensure that webhook traffic on port 9443 bypasses the Istio sidecar and adds RuntimeDefault seccomp profiles for enhanced security.

Key Changes:

  • Added Istio traffic exclusion annotation for inbound port 9443 to prevent sidecar interference with webhook communication
  • Configured RuntimeDefault seccomp profiles at the pod security context level for compliance with restricted PSS

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
manifests/third-party/jobset/kustomization.yaml Adds kustomize patch for jobset-controller-manager deployment with Istio annotation and seccomp profile
manifests/base/manager/manager.yaml Updates trainer manager deployment with Istio exclusion annotation and seccomp security context
charts/kubeflow-trainer/templates/manager/deployment.yaml Adds Istio traffic exclusion annotation to Helm chart template for trainer manager

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@juliusvonkohout
Remove seccompProfile from security context
3082181 
Removed security context seccompProfile configuration.

Signed-off-by: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>
@kubeflow kubeflow deleted a comment from Copilot AI Dec 30, 2025
@juliusvonkohout
Remove seccompProfile from manager security context
a2b6a53 
Removed security context seccompProfile from spec.

Signed-off-by: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>
@juliusvonkohout juliusvonkohout mentioned this pull request Dec 30, 2025
Open
@google-oss-prow
Copy link

google-oss-prow bot commented Dec 30, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: juliusvonkohout
Once this PR has been reviewed and has the lgtm label, please ask for approval from andreyvelich. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@juliusvonkohout
Copy link
Member Author

juliusvonkohout commented Dec 30, 2025

@andreyvelich i am waiting for this to merge kubeflow/manifests#3314
/lgtm from my side if the tests are green.
Maybe you have to rebase the branch.

andreyvelich
andreyvelich reviewed Jan 3, 2026
View reviewed changes
Copy link
Member

@andreyvelich andreyvelich left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
@juliusvonkohout Can you rebase this PR to fix CI please ?
/cc @tenzen-y @astefanutti

@google-oss-prow google-oss-prow bot added the lgtm label Jan 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@andreyvelich andreyvelich andreyvelich left review comments

Copilot code review Copilot Copilot left review comments

@jinchihe jinchihe Awaiting requested review from jinchihe

@kuizhiqing kuizhiqing Awaiting requested review from kuizhiqing

@astefanutti astefanutti Awaiting requested review from astefanutti

@tenzen-y tenzen-y Awaiting requested review from tenzen-y

Assignees

@andreyvelich andreyvelich

@juliusvonkohout juliusvonkohout

Labels

lgtm size/M

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@juliusvonkohout @coveralls @andreyvelich