feat: enforce PSS restricted for CI and upgrade Istio to 1.30

- Enforce PSS restricted labels on user namespace during CI tests
  via kubeflow_profile_install.sh
- Update workflow triggers for broader PSS test coverage across
  katib, pipeline, trainer, training-operator, and dex workflows
- Add PSS-compliant securityContext and workingDir to test Notebook
  and Katib trial manifests to prevent permission issues
- Add seccompProfile to JupyterLab WorkspaceKind sample
- Add PSS-compliant overrides to istio_validation test-client pod
- Upgrade Istio manifests from 1.29 to 1.30.0-rc.0 for native
  PSS Restricted compatibility (CRDs, install, sidecar injector,
  cluster-local-gateway, ztunnel, profile)

Signed-off-by: abdullahpathan22 <abdullahpathan22@users.noreply.github.com>

Author: abdullahpathan22

.github/workflows/dex_oauth2-proxy_test.yaml

@@ -7,7 +7,8 @@ on:
     - common/cert-manager/**
     - common/oauth2-proxy/**
     - common/istio*/**
-    - experimental/security/PSS/*
+    - tests/kubeflow_profile_install.sh
+    - tests/PSS_enable.sh
     - common/dex/base/**
     - tests/istio*
     - tests/dex_login_test.py

.github/workflows/istio_validation.yaml

@@ -252,7 +252,8 @@ jobs:
     - name: Test basic connectivity
       run: |
         kubectl expose deployment test-application --port=80 --target-port=8080 -n $KF_PROFILE
-        kubectl run test-client --image=busybox --rm -i --restart=Never -n $KF_PROFILE -- \
+        kubectl run test-client --image=busybox --rm -i --restart=Never -n $KF_PROFILE \
+          --overrides='{"spec": {"securityContext": {"runAsNonRoot": true, "runAsUser": 1000, "seccompProfile": {"type": "RuntimeDefault"}}, "containers": [{"name": "test-client", "image": "busybox", "securityContext": {"allowPrivilegeEscalation": false, "capabilities": {"drop": ["ALL"]}, "runAsNonRoot": true, "runAsUser": 1000}}]}}' -- \
           wget -qO- --timeout=10 test-application.$KF_PROFILE.svc.cluster.local
 
     - name: Apply Pod Security Standards Restricted levels

.github/workflows/katib_test.yaml

@@ -3,7 +3,7 @@ on:
   pull_request:
     paths:
     - tests/install_KinD_create_KinD_cluster_install_kustomize.sh
-    - tests/katib_install.sh
+    - tests/katib*
     - .github/workflows/katib_test.yaml
     - applications/katib/upstream/**
     - common/istio*/**
@@ -12,7 +12,8 @@ on:
     - tests/profile_controller_install.sh
     - applications/dashboard/upstream/profile-controller/**
     - common/cert-manager/**
-    - experimental/security/PSS/*
+    - tests/kubeflow_profile_install.sh
+    - tests/PSS_enable.sh
 
 permissions:
   contents: read

.github/workflows/pipeline_run_from_notebook.yaml

@@ -14,6 +14,9 @@ on:
     - common/cert-manager/**
     - common/oauth2-proxy/**
     - common/istio*/**
+    - tests/pipeline*
+    - tests/kubeflow_profile_install.sh
+    - tests/PSS_enable.sh
     - common/kubeflow-namespace/**
 
 permissions:

.github/workflows/pipeline_test.yaml

@@ -13,9 +13,9 @@ on:
     - common/cert-manager/**
     - common/oauth2-proxy/**
     - common/istio*/**
-    - tests/pipeline_v1_test.py
-    - tests/pipeline_v2_test.py
-    - experimental/security/PSS/*
+    - tests/pipeline*
+    - tests/kubeflow_profile_install.sh
+    - tests/PSS_enable.sh
 
 permissions:
   contents: read

.github/workflows/trainer_test.yaml

@@ -14,7 +14,8 @@ on:
     - common/cert-manager/**
     - common/oauth2-proxy/**
     - common/istio*/**
-    - experimental/security/PSS/*
+    - tests/kubeflow_profile_install.sh
+    - tests/PSS_enable.sh
 
 permissions:
   contents: read

.github/workflows/training_operator_test.yaml

@@ -14,7 +14,8 @@ on:
     - common/cert-manager/**
     - common/oauth2-proxy/**
     - common/istio*/**
-    - experimental/security/PSS/*
+    - tests/kubeflow_profile_install.sh
+    - tests/PSS_enable.sh
 
 permissions:
   contents: read

README.md

@@ -79,7 +79,7 @@ This repository periodically synchronizes all official Kubeflow components from
 | Kubeflow Pipelines | applications/pipeline/upstream | [2.16.1](https://github.com/kubeflow/pipelines/tree/2.16.1/manifests/kustomize) | 970m | 3552Mi | 35GB |
 | Kubeflow Hub | applications/hub/upstream | [v0.3.9](https://github.com/kubeflow/hub/tree/v0.3.9/manifests/kustomize) | 510m | 2112Mi | 20GB |
 | Spark Operator	|	applications/spark/spark-operator	|	[2.5.0](https://github.com/kubeflow/spark-operator/tree/v2.5.0) | 9m | 41Mi | 0GB |
-| Istio | common/istio | [1.29.2](https://github.com/istio/istio/releases/tag/1.29.2) | 750m | 2364Mi | 0GB |
+| Istio | common/istio | [1.30.0-rc.0](https://github.com/istio/istio/releases/tag/1.30.0-rc.0) | 750m | 2364Mi | 0GB |
 | Knative | common/knative/knative-serving <br /> common/knative/knative-eventing | [v1.21.1](https://github.com/knative/serving/releases/tag/knative-v1.21.1) <br /> [v1.21.0](https://github.com/knative/eventing/releases/tag/knative-v1.21.0) | 1450m | 1038Mi | 0GB |
 | Cert Manager | common/cert-manager | [1.19.4](https://github.com/cert-manager/cert-manager/releases/tag/v1.19.4) | 3m | 128Mi | 0GB |
 | Dex | common/dex | [2.45.0](https://github.com/dexidp/dex/releases/tag/v2.45.0) | 3m | 27Mi | 0GB |

applications/trainer/upstream/base/runtimes/torch_distributed.yaml

@@ -19,6 +19,19 @@ spec:
             spec:
               template:
                 spec:
+                  securityContext:
+                    runAsNonRoot: true
+                    runAsUser: 1000
+                    seccompProfile:
+                      type: RuntimeDefault
                   containers:
                     - name: node
                       image: pytorch/pytorch:2.10.0-cuda12.8-cudnn9-runtime
+                      workingDir: /tmp
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                          drop:
+                            - ALL
+                          add: []
+                        runAsNonRoot: true

applications/workspaces/upstream/controller/samples/jupyterlab_v1beta1_workspacekind.yaml

@@ -208,6 +208,8 @@ spec:
     ##
     securityContext:
       fsGroup: 100
+      seccompProfile:
+        type: RuntimeDefault
 
     ## container SecurityContext for Workspace Pods (MUTABLE)
     ##  - spec for SecurityContext: