Limit Istio Sidecar Scope to reduce memory and make cluster more scalable #243
Workflow file for this run
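# CI workflow: builds the notebook-controller manifests, applies them to a
# throwaway KinD cluster with Istio installed, then labels the namespaces with
# the Pod Security Standards (PSS) baseline level followed by the restricted
# level.
name: Build & Apply Notebook Controller manifests in KinD
on:
  pull_request:
    paths:
      - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh
      - .github/workflows/notebook_controller_test.yaml
      - apps/jupyter/notebook-controller/upstream/**
      - tests/gh-actions/install_istio.sh
      - common/istio*/**
      - experimental/security/PSS/**
      # The PSS helper scripts run below live under tests/gh-actions, which the
      # experimental/security/PSS/** filter above does not cover. List them so a
      # change to either script re-runs this check.
      - tests/gh-actions/enable_baseline_PSS.sh
      - tests/gh-actions/enable_restricted_PSS.sh

# Least privilege for GITHUB_TOKEN: the steps visible here only read the
# repository and talk to the local KinD cluster.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        # NOTE(review): a tag ref such as v4 is mutable. Consider pinning to the
        # full commit SHA, e.g. actions/checkout@<full-commit-sha> # v4.
        uses: actions/checkout@v4
        with:
          # Later steps execute scripts from the pull request; do not leave the
          # token in .git/config where those scripts could read it.
          persist-credentials: false

      - name: Install KinD, Create KinD cluster and Install kustomize
        run: ./tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh

      - name: Install Istio
        run: ./tests/gh-actions/install_istio.sh

      - name: Build & Apply manifests
        run: |
          # Without pipefail only kubectl's exit status decides the step result,
          # so a failing `kustomize build` could go unnoticed or have its partial
          # output applied.
          set -o pipefail
          cd apps/jupyter/notebook-controller/upstream
          kubectl create ns kubeflow
          kustomize build overlays/kubeflow | kubectl apply -f -
          kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout 180s

      # NOTE(review): PSS "enforce" is evaluated when a pod is admitted; pods
      # that are already running are not evicted when a namespace is labelled.
      # Whether the two PSS scripts re-create workloads or inspect the API
      # server's warnings is not visible from this file. Confirm that they do,
      # otherwise these steps only prove that the labelling itself succeeds.
      - name: Apply Pod Security Standards baseline levels
        run: ./tests/gh-actions/enable_baseline_PSS.sh

      - name: Unapply applied baseline labels
        run: |
          NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow")
          for NAMESPACE in "${NAMESPACES[@]}"; do
            # Namespaces that were never created in this job are skipped.
            if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then
              # A trailing "-" removes the label. Only the enforce label is
              # cleared here; any warn/audit labels set by the baseline script
              # would remain (TODO confirm against that script).
              kubectl label namespace "$NAMESPACE" pod-security.kubernetes.io/enforce-
            fi
          done

      - name: Applying Pod Security Standards restricted levels
        run: ./tests/gh-actions/enable_restricted_PSS.sh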