PSS baseline / restricted also for Notebooks, Katib, Kserve and istio-ingressgateway

[akagami-harsh]

Pull Request Template for Kubeflow Manifests

✏️ Summary of Changes

• added the namespace knative-serving to the PSS tests for kserve
• split and merge https://github.com/kubeflow/manifests/blob/master/.github/workflows/pss_test.yaml into https://github.com/kubeflow/manifests/blob/master/.github/workflows/pipeline_test.yaml and https://github.com/kubeflow/manifests/blob/master/.github/workflows/dex_test.yaml
• add auth namesace labels
• Add the PSS tests also for https://github.com/kubeflow/manifests/blob/master/.github/workflows/pipeline_run_from_notebook.yaml

📦 Dependencies

List any dependencies or related PRs (e.g., "Depends on #123").

🐛 Related Issues

• part of PSS baseline / restricted also for Notebooks, Katib, Kserve, Dashboard and istio-ingressgateway #3015

✅ Contributor Checklist

• I have tested these changes with kustomize. See Installation Prerequisites.
• All commits are signed-off to satisfy the DCO check.

[juliusvonkohout]

/retest

[juliusvonkohout]

I see

Warning: existing pods in namespace "kubeflow" violate the new PodSecurity enforce level "restricted:latest"
namespace/kubeflow patched
Warning: centraldashboard-5796446d58-z4dzv: allowPrivilegeEscalation != false, unrestricted capabilities, runAsNonRoot != true, runAsUser=0, seccompProfile
Warning: profiles-deployment-779878fd4d-qgbpk: seccompProfile

Patching the PSS-restricted labels for namespace kubeflow...
Warning: existing pods in namespace "kubeflow" violate the new PodSecurity enforce level "restricted:latest"
Warning: kserve-controller-manager-7cfcfd6d6b-8lswm: seccompProfile
Warning: kserve-localmodel-controller-manager-655ccdf64-5tzqb: unrestricted capabilities, runAsNonRoot != true, runAsUser=0, seccompProfile
Warning: kserve-models-web-app-5f5dfb549c-x6jpz: allowPrivilegeEscalation != false, unrestricted capabilities, runAsNonRoot != true, runAsUser=0, seccompProfile
namespace/kubeflow patched

 Warning: existing pods in namespace "kubeflow" violate the new PodSecurity enforce level "restricted:latest"
namespace/kubeflow patched
Warning: notebook-controller-deployment-68b6c4855c-mw69k: allowPrivilegeEscalation != false, unrestricted capabilities, runAsNonRoot != true, seccompProfile

Patching the PSS-restricted labels for namespace kubeflow...
Warning: existing pods in namespace "kubeflow" violate the new PodSecurity enforce level "restricted:latest"
Warning: cache-server-74475fd484-vrknf (and 12 other pods): unrestricted capabilities, runAsNonRoot != true, runAsUser=0, seccompProfile
namespace/kubeflow patched


Patching the PSS-restricted labels for namespace kubeflow...
Warning: existing pods in namespace "kubeflow" violate the new PodSecurity enforce level "restricted:latest"
Warning: admission-webhook-deployment-799878b4bb-4z5g9: allowPrivilegeEscalation != false, unrestricted capabilities, runAsNonRoot != true, seccompProfile
namespace/kubeflow patched
Warning: cache-server-74475fd484-7mnfc (and 12 other pods): unrestricted capabilities, runAsNonRoot != true, runAsUser=0, seccompProfile
Warning: jupyter-web-app-deployment-6d5d4885f5-7cpcg (and 1 other pod): allowPrivilegeEscalation != false, unrestricted capabilities, runAsNonRoot != true, runAsUser=0, seccompProfile

for a follow up PR.

[juliusvonkohout]

Thank you
/lgtm
/approve

[google-oss-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: juliusvonkohout

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [juliusvonkohout]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment