feat: add Istio Ambient Mode with PSS baseline requirement

madmecodes · madmecodes · commit 1acac73ff717 · 2025-09-30T18:56:34.000+05:30
Signed-off-by: madmecodes &lt;ayushguptadev1@gmail.com&gt;
diff --git a/.github/workflows/istio_ambient_test.yaml b/.github/workflows/istio_ambient_test.yaml
@@ -119,8 +119,22 @@ jobs:
         kubectl logs -n istio-system daemonset/ztunnel --tail=50 | grep -i "connection\|proxy" || echo "ztunnel logs (last 50 lines):"
         kubectl logs -n istio-system daemonset/ztunnel --tail=50
 
-    - name: Apply Pod Security Standards Restricted levels
-      run: ./tests/PSS_enable.sh
+    - name: Verify PSS Baseline for istio-system
+      run: |
+        # Ambient mode requires PSS baseline (not restricted) for istio-system
+        PSS_LEVEL=$(kubectl get namespace istio-system -o jsonpath='{.metadata.labels.pod-security\.kubernetes\.io/enforce}')
+        if [ "$PSS_LEVEL" != "baseline" ]; then
+          echo "ERROR: istio-system should have PSS baseline, got: $PSS_LEVEL"
+          exit 1
+        fi
+        echo "istio-system correctly configured with PSS baseline"
+
+    - name: Apply Pod Security Standards Restricted levels to user namespaces
+      run: |
+        # Apply PSS restricted to kubeflow namespace (ztunnel runs in istio-system, not user namespaces)
+        kubectl label namespace $KF_PROFILE pod-security.kubernetes.io/enforce=restricted --overwrite
+        kubectl label namespace $KF_PROFILE pod-security.kubernetes.io/enforce-version=latest --overwrite
+        echo "Applied PSS restricted to user namespace: $KF_PROFILE"
 
     - name: Collect debug information on failure
       if: failure()
diff --git a/common/istio/README.md b/common/istio/README.md
@@ -33,7 +33,9 @@ kubectl apply -k istio-install/overlays/ambient-gke
 kubectl apply -k istio-install/overlays/ambient-oauth2-proxy
 ```
 
-**Note:** Ambient mode uses Kustomize components (`components/ambient-mode/`, `components/gke-ambient/`) for composable configuration without duplication.
+**Important:** Ambient mode requires PSS Baseline (not Restricted) for the `istio-system` namespace. The ztunnel component needs `CAP_SYS_ADMIN`, `CAP_NET_ADMIN`, and `CAP_NET_RAW` capabilities for transparent proxying and network namespace operations. The `istio-system` namespace is automatically configured with PSS baseline labels when using ambient mode components.
+
+**Note:** Ambient mode uses Kustomize components (`components/ambient-mode/`) for composable configuration without duplication.
 
 ### Insecure Istio (CNI-disabled)
 For environments that don't support CNI:
diff --git a/common/istio/istio-install/components/ambient-mode/istio-namespace-pss-baseline.yaml b/common/istio/istio-install/components/ambient-mode/istio-namespace-pss-baseline.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: istio-system
+  labels:
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/enforce-version: latest
+    pod-security.kubernetes.io/audit: baseline
+    pod-security.kubernetes.io/audit-version: latest
+    pod-security.kubernetes.io/warn: baseline
+    pod-security.kubernetes.io/warn-version: latest
diff --git a/common/istio/istio-install/components/ambient-mode/kustomization.yaml b/common/istio/istio-install/components/ambient-mode/kustomization.yaml
@@ -3,6 +3,7 @@ kind: Component
 
 resources:
 - ztunnel.yaml
+- istio-namespace-pss-baseline.yaml
 
 patches:
 - path: istiod-ambient-patch.yaml
