fix: variable namespaces for networkpolicies #3319
Signed-off-by: juhyeon <28646684+juhyeon-cha@users.noreply.github.com>
@juliusvonkohout Until recently,

@kunal-511 may you take a look? I think we need to adjust the test scripts then to only use the specific networkpolicies. Or we make our life easier and just create the namespaces in the multi-tenancy script if they do not exist yet. I will also do some dummy istio changes to trigger most tests.

Thank you @juhyeon-cha

Okay I think currently creating namespace in multi-tenancy script if they do not exist will work?

I think especially everything outside of the kubeflow namespaces so cert-manager, knative-serving etc. We should directly move in this PR to the respective folders.

@juhyeon-cha do you want to continue here? Otherwise we will fork and continue.

@juliusvonkohout I'm good for now, so please feel free to take over. Thanks!

@juliusvonkohout I can take this up

/assign
Remove namespace override in kustomization.yaml to allow NetworkPolicies to use their self-defined namespaces. Also update multi_tenancy_install.sh to create required namespaces before applying network policies, ensuring the installation succeeds. Supersedes kubeflow#3319 Signed-off-by: Danish Ahuja <danish9039@gmail.com>
Remove namespace override in kustomization.yaml to allow NetworkPolicies to use their self-defined namespaces. Also update multi_tenancy_install.sh to create required namespaces before applying network policies, ensuring the installation succeeds. Supersedes kubeflow#3319 Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
* fix: variable namespaces for networkpolicies Remove namespace override in kustomization.yaml to allow NetworkPolicies to use their self-defined namespaces. Also update multi_tenancy_install.sh to create required namespaces before applying network policies, ensuring the installation succeeds. Supersedes #3319 Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
* fix: restore netpol namespace & refactor overlays Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
* fix: update multi-tenancy script to include new overlays Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
* fix Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
* refactor Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
* fix Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
* format yaml disable modification of spec.selector Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
* refactor: move networkpolicy files to canonical paths Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
* refactor: wire subfolder kustomizations and remove dead overlays Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
* test: align cert-manager install and trivy scan paths Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
* Update tests/cert_manager_install.sh Co-authored-by: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com> Signed-off-by: hippie-danish <133037056+danish9039@users.noreply.github.com>
* Update tests/trivy_scan.py Co-authored-by: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com> Signed-off-by: hippie-danish <133037056+danish9039@users.noreply.github.com>
* Update cert-manager installation script to use base Signed-off-by: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>
* test: fix multitenancy wait and lint Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
* Update tests/cert_manager_install.sh Co-authored-by: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com> Signed-off-by: hippie-danish <133037056+danish9039@users.noreply.github.com>
* Update tests/trainer_install.sh Co-authored-by: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com> Signed-off-by: hippie-danish <133037056+danish9039@users.noreply.github.com>
* Apply suggestion from @juliusvonkohout Signed-off-by: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>
* Apply suggestion from @juliusvonkohout Signed-off-by: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>
* Apply suggestion from @juliusvonkohout Signed-off-by: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>
* Update multi_tenancy_install.sh Signed-off-by: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>
* Apply suggestion from @juliusvonkohout Signed-off-by: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>
* Comment out default-allow-same-namespace.yaml Comment out default network policy and note future changes. Signed-off-by: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>
* Apply suggestions from code review Signed-off-by: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>
* test: enable istio-system default-allow-same-namespace only Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
* test(netpol): add istiod control-plane allow policy only Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
* test(netpol): add istiod webhook apiserver policy only Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
* lint Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
* test(netpol): add oauth2-proxy ingressgateway allow policy only Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
* netpol: allow oauth2-proxy and istio to reach dex Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
* netpol: allow apiserver to reach knative webhook Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
* netpol: allow apiserver to reach net-istio webhook Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
* netpol: re-enable same-namespace allow for cert-manager Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
* netpol: re-enable same-namespace allow for knative-serving Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
* netpol: allow knative-serving to reach istio gateways Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
* netpol: allow istio gateways to reach knative activator Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
* move kubeflow network policy files into kubeflow namespace folder Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
* rewire kubeflow namespace to apply moved network policies Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
* addressed comments Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
* move readme and owners Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com>
* cleanup Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com>
---------
Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
Signed-off-by: hippie-danish <133037056+danish9039@users.noreply.github.com>
Signed-off-by: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>
Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com>
Co-authored-by: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>
Pull Request Template for Kubeflow Manifests
✏️ Summary of Changes
The problem is that all NetworkPolicies are being created in the kubeflow namespace because the namespace value is present in kustomization.yaml.
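The namespace override described in the summary above, as an added example that is not part of this pull request or the Kubeflow code base: kustomize's top-level `namespace:` field rewrites `metadata.namespace` on every namespaced resource it renders, so this lint flags NetworkPolicies that would be moved out of the namespace they declare. The sample kustomization and policies are constructed, the function names are hypothetical, and the parsing assumes plain block-style YAML.

```python
import re

# Constructed samples for illustration; not the files touched by this PR.
KUSTOMIZATION = """\
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kubeflow  # the override described in the summary
resources:
- networkpolicies.yaml
"""
POLICIES = """\
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-allow-same-namespace
  namespace: cert-manager
spec:
  podSelector: {}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-allow-same-namespace
  namespace: kubeflow
spec:
  podSelector: {}
"""

def override_namespace(kustomization):
    """Top-level `namespace:` of a kustomization, or None if absent."""
    m = re.search(r"^namespace:[ \t]*([^\s#]+)", kustomization, re.M)
    return m.group(1).strip("'\"") if m else None

def declared(manifests):
    """Yield (name, namespace) for each NetworkPolicy document."""
    for doc in re.split(r"^---[ \t]*$", manifests, flags=re.M):
        if not re.search(r"^kind:[ \t]*NetworkPolicy[ \t]*$", doc, re.M):
            continue
        meta = re.search(r"^metadata:[ \t]*\n((?:[ \t]+.*\n)+)", doc, re.M)
        block = meta.group(1) if meta else ""
        pad = re.match(r"[ \t]*", block).group(0)  # indent of direct children
        def field(key):
            f = re.search(rf"^{pad}{key}:[ \t]*(\S+)", block, re.M)
            return f.group(1) if f else None
        yield field("name"), field("namespace")

def relocated(kustomization, manifests):
    """(name, declared, effective) for policies the override would move."""
    target = override_namespace(kustomization)
    return [(n, ns, target) for n, ns in declared(manifests)
            if target and ns and ns != target]
```

With the samples, `relocated(KUSTOMIZATION, POLICIES)` reports the cert-manager policy as landing in kubeflow, which leaves cert-manager without the policy it was written for; with the override line removed the list is empty.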