knative: add eventing security overlay#3419
Welcome to the Kubeflow Manifests Repository. Thanks for opening your first PR. Your contribution means a lot to the Kubeflow community. Before making more PRs: Community Resources:
Thanks again for helping to improve Kubeflow.
Pull request overview
Adds an opt-in Knative Eventing “security” overlay to support restricted Pod Security Standards (PSS) installs and documents validation outcomes.
Changes:
- Added `common/knative/knative-eventing/overlays/security` with NetworkPolicies, a restricted-PSS namespace label patch, and a `request-reply` securityContext patch.
- Added validation documentation artifacts and a canonical validation log entry.
- Updated `.gitignore` to ignore repo-root `.obsidian/` metadata.
Reviewed changes
Copilot reviewed 8 out of 9 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| docs/policy-validation-log.md | Adds a canonical validation log entry for the new overlay. |
| docs/artifacts/INDEX.md | Adds an index entry pointing to the new validation artifact and log anchor. |
| docs/artifacts/2026-03-23-knative-eventing-security-validation.md | Adds a detailed validation artifact explaining the PSS issue and overlay behavior. |
| common/knative/knative-eventing/overlays/security/patches/request-reply-security-context.yaml | Adds restricted-PSS-compatible securityContext patch for request-reply. |
| common/knative/knative-eventing/overlays/security/namespace-patch.yaml | Adds restricted PSS enforcement label to the knative-eventing namespace. |
| common/knative/knative-eventing/overlays/security/kustomization.yaml | Wires the overlay resources and patches together. |
| common/knative/knative-eventing/overlays/security/default-allow-same-namespace.yaml | Adds same-namespace-only default ingress policy for Eventing namespace. |
| common/knative/knative-eventing/overlays/security/allow-webhook-apiserver.yaml | Adds webhook ingress allowance (port-based) to keep admission webhooks reachable. |
| .gitignore | Ignores .obsidian/ directory at repo root and normalizes an ignore entry. |
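The review table above says the overlay's `request-reply` patch exists to satisfy the `restricted` Pod Security Standard. The following is an added example, not code from this PR or from Kubeflow: a small checker that evaluates a pod spec against the core `restricted` securityContext rules (runAsNonRoot, no privilege escalation, drop ALL capabilities, RuntimeDefault/Localhost seccomp). The two pod specs are constructed stand-ins for the `request-reply` deployment before and after such a patch; the assumption that the upstream manifest sets no securityContext at all is mine.

```python
"""Restricted-PSS securityContext checker. Added example, not the PR's
code. Rules follow the published Kubernetes 'restricted' profile."""

# Constructed stand-in for the request-reply pod spec before patching
# (assumption: no securityContext set anywhere).
UNPATCHED = {
    "securityContext": {},
    "containers": [{"name": "request-reply", "securityContext": {}}],
}

# Constructed stand-in for the same spec after a restricted-PSS patch.
# Pod-level fields cover every container unless a container overrides them.
PATCHED = {
    "securityContext": {
        "runAsNonRoot": True,
        "seccompProfile": {"type": "RuntimeDefault"},
    },
    "containers": [{
        "name": "request-reply",
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
        },
    }],
}


def restricted_pss_violations(pod_spec: dict) -> list[str]:
    """Return restricted-PSS violations for every container; [] if compliant."""
    pod_sc = pod_spec.get("securityContext") or {}
    violations = []
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        name = c.get("name", "<unnamed>")
        caps = sc.get("capabilities") or {}
        # allowPrivilegeEscalation is container-only and must be explicitly false.
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{name}: allowPrivilegeEscalation must be false")
        if "ALL" not in (caps.get("drop") or []):
            violations.append(f"{name}: capabilities.drop must include ALL")
        if set(caps.get("add") or []) - {"NET_BIND_SERVICE"}:
            violations.append(f"{name}: only NET_BIND_SERVICE may be added")
        # runAsNonRoot and seccompProfile may be inherited from the pod level.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            violations.append(f"{name}: runAsNonRoot must be true")
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {})
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            violations.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return violations
```

Running the checker over the unpatched spec reports the four missing settings a `restricted` admission would reject; the patched spec reports none.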
Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
Do you have a basic test for knative-eventing?
Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
@juliusvonkohout added tests
Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
@juliusvonkohout the current test covers install verification (control-plane pods ready + NetworkPolicy/PSS assertions). Would you like me to extend it with a full functional flow test that has PingSource → Broker (MTChannelBasedBroker/IMC) → Trigger → event-display with an actual CloudEvent delivery assertion? For that we need a separate test script similar to kserve_test.sh.
Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
/retest
Thank you
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: juliusvonkohout
Summary
Adds the `common/knative/knative-eventing/overlays/security` overlay and patches `request-reply` in the overlay so `restricted` PSS works in-cluster.