From 9a0850b957abcf048e39338111520a1dc1a3c76c Mon Sep 17 00:00:00 2001
From: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>
Date: Fri, 5 Dec 2025 20:58:41 +0100
Subject: [PATCH 1/6] pss-restricted-fixes

Signed-off-by: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>
---
 manifests/base/manager/manager.yaml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/manifests/base/manager/manager.yaml b/manifests/base/manager/manager.yaml
index 8f5dc3056c..6691851893 100644
--- a/manifests/base/manager/manager.yaml
+++ b/manifests/base/manager/manager.yaml
@@ -19,7 +19,12 @@ spec:
 app.kubernetes.io/name: trainer
 app.kubernetes.io/component: manager
 app.kubernetes.io/part-of: kubeflow
+ annotations:
+ traffic.sidecar.istio.io/excludeInboundPorts: "9443"
 spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 containers:
 - name: manager
 image: ghcr.io/kubeflow/trainer/trainer-controller-manager

From dcd83f90b80b0db1448a6da80c17f64950acdaac Mon Sep 17 00:00:00 2001
From: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>
Date: Fri, 5 Dec 2025 21:02:24 +0100
Subject: [PATCH 2/6] Enhance deployment.yaml with security context and annotations

Add security context and annotations for Istio traffic management.

Signed-off-by: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>
---
 charts/kubeflow-trainer/templates/manager/deployment.yaml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/charts/kubeflow-trainer/templates/manager/deployment.yaml b/charts/kubeflow-trainer/templates/manager/deployment.yaml
index 95adf44e04..f29524f38e 100644
--- a/charts/kubeflow-trainer/templates/manager/deployment.yaml
+++ b/charts/kubeflow-trainer/templates/manager/deployment.yaml
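Review bot: The pod-level `securityContext` added under `spec:` here is deleted again by patch 6/6 of this series (the Helm template copy goes in patch 4/6 and the JobSet kustomize copy in patch 5/6), so the series' net change to manager.yaml is the Istio annotation alone, despite the subject `pss-restricted-fixes`. The restricted Pod Security Standard requires `seccompProfile.type` of `RuntimeDefault` or `Localhost` at pod or container level; the container's own `securityContext` lies outside the hunk, so I cannot tell whether it already covers this, but the three removal commits give no reason for dropping it and should state one. The annotation `traffic.sidecar.istio.io/excludeInboundPorts: "9443"` also deserves a comment recording why that port must bypass the sidecar — presumably it is the webhook server's TLS port, reached by the API server from outside the mesh; confirm that and record it, e.g. `# 9443 (webhook) terminates its own TLS and is called by the API server, not by mesh clients.`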
@@ -30,7 +30,12 @@ spec:
 metadata:
 labels:
 {{- include "trainer.manager.selectorLabels" . | nindent 8 }}
+ annotations:
+ traffic.sidecar.istio.io/excludeInboundPorts: "9443"
 spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 containers:
 - name: manager
 image: {{ include "trainer.image" . }}

From 9fdcccb87fa4b43c885ec25adecdb32edccff2ef Mon Sep 17 00:00:00 2001
From: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>
Date: Fri, 5 Dec 2025 21:05:08 +0100
Subject: [PATCH 3/6] Update kustomization.yaml with new patches

Added a patch to modify the jobset-controller-manager deployment annotations and security context.

Signed-off-by: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>
---
 .../third-party/jobset/kustomization.yaml | 32 +++++++++++++++----
 1 file changed, 26 insertions(+), 6 deletions(-)

diff --git a/manifests/third-party/jobset/kustomization.yaml b/manifests/third-party/jobset/kustomization.yaml
index c3f0e3ed63..ada3caa31b 100644
--- a/manifests/third-party/jobset/kustomization.yaml
+++ b/manifests/third-party/jobset/kustomization.yaml
@@ -6,9 +6,29 @@ resources:
 # Add required patches.
 patches:
- # Remove namespace from the JobSet release manifests.
- - path: patches/jobset_remove_namespace.yaml
- target:
- group: ""
- version: v1
- kind: Namespace
+# Remove namespace from the JobSet release manifests.
+- path: patches/jobset_remove_namespace.yaml
+ target:
+ group: ""
+ version: v1
+ kind: Namespace
+- target:
+ group: apps
+ version: v1
+ kind: Deployment
+ name: jobset-controller-manager
+ patch: |-
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ name: jobset-controller-manager
+ namespace: kubeflow-system
+ spec:
+ template:
+ metadata:
+ annotations:
+ traffic.sidecar.istio.io/excludeInboundPorts: "9443"
+ spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault

From db3fa5c79f428931e7c2afc800d36154dafa5b7c Mon Sep 17 00:00:00 2001
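Review bot: The annotation `traffic.sidecar.istio.io/excludeInboundPorts: "9443"` added under `metadata:` is hard-coded into the chart template, so chart consumers can neither drop it nor exclude further ports, and installs without Istio carry an annotation that means nothing to them. Unless the chart already exposes a pod-annotations value (not visible in this hunk), consider rendering the block through one — a key such as `podAnnotations` (name constructed here) with the Istio entry as its default in values.yaml, emitted via `{{- with .Values.podAnnotations }}` / `{{- toYaml . | nindent 8 }}` / `{{- end }}`. Whatever form is kept, a template comment stating which service listens on 9443 and why the sidecar must not intercept it would save the next maintainer from guessing.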
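Review bot: The new inline strategic-merge patch under `patches:` carries no comment, while the neighbouring entry keeps `# Remove namespace from the JobSet release manifests.`; add one above `- target:` such as `# Keep the JobSet controller's port 9443 (presumably its webhook) out of the Istio sidecar and set a seccomp profile.` (patch 5/6 later drops the seccomp part, so adjust the wording there). The patch body also hardcodes `namespace: kubeflow-system` in `metadata`; the `target` selector already identifies the Deployment, and a fixed namespace in the patch may conflict with any namespace transformer applied to this kustomization (not visible here), so it can likely be dropped. Finally, the hunk re-indents the existing entry from the indented to the flush sequence style; if the `resources:` list above uses the indented style, the file now mixes both.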
From: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>
Date: Tue, 30 Dec 2025 16:17:08 +0100
Subject: [PATCH 4/6] Remove seccomp profile from manager deployment

Removed security context seccomp profile from deployment.

Signed-off-by: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>
---
 charts/kubeflow-trainer/templates/manager/deployment.yaml | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/charts/kubeflow-trainer/templates/manager/deployment.yaml b/charts/kubeflow-trainer/templates/manager/deployment.yaml
index f29524f38e..d5825d3761 100644
--- a/charts/kubeflow-trainer/templates/manager/deployment.yaml
+++ b/charts/kubeflow-trainer/templates/manager/deployment.yaml
@@ -33,9 +33,6 @@ spec:
 annotations:
 traffic.sidecar.istio.io/excludeInboundPorts: "9443"
 spec:
- securityContext:
- seccompProfile:
- type: RuntimeDefault
 containers:
 - name: manager
 image: {{ include "trainer.image" . }}

From 92513ebe4345fb57bf2a4c2b52925c3204da4246 Mon Sep 17 00:00:00 2001
From: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>
Date: Tue, 30 Dec 2025 16:17:38 +0100
Subject: [PATCH 5/6] Remove seccompProfile from security context

Removed security context seccompProfile configuration.

Signed-off-by: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>
---
 manifests/third-party/jobset/kustomization.yaml | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/manifests/third-party/jobset/kustomization.yaml b/manifests/third-party/jobset/kustomization.yaml
index ada3caa31b..db2c6c8b41 100644
--- a/manifests/third-party/jobset/kustomization.yaml
+++ b/manifests/third-party/jobset/kustomization.yaml
@@ -28,7 +28,3 @@ patches:
 metadata:
 annotations:
 traffic.sidecar.istio.io/excludeInboundPorts: "9443"
- spec:
- securityContext:
- seccompProfile:
- type: RuntimeDefault

From 6ec7112a3b397d0b160330f78f9b6bbcd4c59a0f Mon Sep 17 00:00:00 2001
From: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>
Date: Tue, 30 Dec 2025 16:18:54 +0100
Subject: [PATCH 6/6] Remove seccompProfile from manager security context

Removed security context seccompProfile from spec.

Signed-off-by: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>
---
 manifests/base/manager/manager.yaml | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/manifests/base/manager/manager.yaml b/manifests/base/manager/manager.yaml
index 6691851893..c028c3dcc2 100644
--- a/manifests/base/manager/manager.yaml
+++ b/manifests/base/manager/manager.yaml
@@ -22,9 +22,6 @@ spec:
 annotations:
 traffic.sidecar.istio.io/excludeInboundPorts: "9443"
 spec:
- securityContext:
- seccompProfile:
- type: RuntimeDefault
 containers:
 - name: manager
 image: ghcr.io/kubeflow/trainer/trainer-controller-manager