Update 20220926-contrib-component-guidelines.md

[juliusvonkohout]

@kimwnasptd @annajung this was missing from #2286 (comment) and exspecially the kuberay integration shows that proper projects can easily implement it.

[annajung]

I think this is a fair ask and definitely a good practice! If we like to enforce this during the current clean up effort, we should try to get this merged soon & communicate this to /contrib component owners

cc @kimwnasptd

[juliusvonkohout]

@kimwnasptd
The most important ones (Seldon and kserve) already work with the predecessor of PSS. I am running it with similar restrictions (and istio-cni) for over one year. Kuberay does so as well and they will go even one step further as detailed in ray-project/kuberay#750. So the restricted PSS still allows to run as a specific non-root user but the kuberay developers want to become even better than that.

[kimwnasptd]

After some discussion with @juliusvonkohout we decided to use this PR towards the overarching goal of better defining the implementation details (or technical requirements) that we would expect from the contrib components.

We've had context around this in other places, like #2286 (comment) and kubeflow/kubeflow#6662.

The first step will be to break down the requirements to 2 categories:

• Structural requirements
• Technical requirements

The first category is regarding what we currently have. Requirements regarding the file structure of the addons. Things like having a README, exposing upgrade instructions and examples.

Then the next one will be a list of more technical requirements that we will expect these addons to follow

[kimwnasptd]

Some aspects that I believe we'll need to re-evaluate are:

• Defining the least subset of required criteria for accepting new components
• Re-think the deprecation process, since we are adding more requirements

Also we could think about a model where we explicitly "rank"/document how much an addon aligns with the requirements. So that users looking at different addons can know the state and be able to decide which ones they want to add in their platform

cc @annajung

[kimwnasptd]

Adding some items we discussed with @juliusvonkohout and @kromanow94 live as functional requirements:

• Running with baseline PSS
• [stretch] Namespace isolation
• [stretch] Running with strict PSS
• [stretch] Running with Istio sidecars

[google-oss-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: juliusvonkohout

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [juliusvonkohout]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[juliusvonkohout]

Adding some items we discussed with @juliusvonkohout and @kromanow94 live as functional requirements:

* Running with baseline PSS

* [stretch] Namespace isolation

* [stretch] Running with strict PSS

* [stretch] Running with Istio sidecars

i have added the necessary changes.

[kimwnasptd]

/lgtm

Thanks @juliusvonkohout!