fix: variable namespaces for networkpolicies

[danish9039]

✏️ Summary of Changes

This PR fixes an issue #3319 where NetworkPolicies for various core components were incorrectly being applied to the kubeflow namespace. This was caused by a hardcoded namespace: kubeflow in the base kustomization.yaml.

Additionally, this PR updates the tests/multi_tenancy_install.sh script to proactively create the required target namespaces before applying the policies, ensuring the installation succeeds even if components are installed in a pick-and-choose manner.

The Problem

flowchart TB
    subgraph "Before Fix (Broken)"
        K[kustomization.yaml<br>namespace: kubeflow] --> |Forces ALL resources| KF[kubeflow namespace]
        
        P1[cert-manager-webhook.yaml<br>namespace: cert-manager] --> K
        P2[default-allow-auth.yaml<br>namespace: auth] --> K
        P3[istio-policy.yaml<br>namespace: istio-system] --> K
        
        K --> |All end up in| KF
        
        KF --> |Contains policies for| WRONG[❌ Wrong namespaces!]
    end

Loading

The Solution

flowchart TB
    subgraph "After Fix (Correct)"
        K2[kustomization.yaml<br>NO namespace override] --> |Respects each file|SPLIT
        
        SPLIT{Each policy goes<br>to its own namespace}
        
        SPLIT --> CM[cert-manager namespace]
        SPLIT --> AU[auth namespace]
        SPLIT --> IS[istio-system namespace]
        SPLIT --> KS[knative-serving namespace]
        SPLIT --> KF2[kubeflow namespace]
        SPLIT --> KFS[kubeflow-system namespace]
        
        CM --> |✅ Protects| CMP[cert-manager pods]
        AU --> |✅ Protects| AUP[auth pods]
        IS --> |✅ Protects| ISP[istio pods]
    end

Loading

Verification

• Checked that kustomize build common/networkpolicies/base generates policies with correct namespaces.
• Ran shellcheck tests/multi_tenancy_install.sh on the modified script to ensure robustness.

---

Continuing work by @juhyeon-cha with addition of namespace creation in test scripts.

📦 Dependencies

None.

🐛 Related Issues

Supersedes #3319

✅ Contributor Checklist

• I have tested these changes with kustomize. See Installation Prerequisites.
• All commits are signed-off to satisfy the DCO check.
• I have considered adding my company to the adopters page to support Kubeflow and help the community, since I expect help from the community for my issue (see 1. and 2.).

---

[github-actions]

Welcome to the Kubeflow Manifests Repository

Thanks for opening your first PR. Your contribution means a lot to the Kubeflow community.

Before making more PRs:
Please ensure your PR follows our Contributing Guide.
Please also be aware that many components are synchronizes from upstream via the scripts in /scripts.
So in some cases you have to fix the problem in the upstream repositories first, but you can use a PR against kubeflow/manifests to test the platform integration.

Community Resources:

• CNCF Slack channels: https://www.kubeflow.org/docs/about/community/#kubeflow-slack-channels
• Community meetings: https://www.kubeflow.org/docs/about/community/

Thanks again for helping to improve Kubeflow.

[danish9039]

@juliusvonkohout

[juliusvonkohout]

Thank you for the PR. Please check out all the comments such as #3319 (comment) "everything outside of the kubeflow namespaces so cert-manager, knative-serving etc. We should directly move in this PR to the respective folders/overlays in /common" lets aim for a long-term solution that is better than just creating empty namespaces. I will also do a dummy istio change to trigger more tests. For example we can rename common/cert-manager/kubeflow-issuer/base to common/cert-manager/overlay/kubeflow and add the cert-manager networkpolicy in that folder

[danish9039]

Thank you for the PR. Please check out all the comments such as #3319 (comment) "everything outside of the kubeflow namespaces so cert-manager, knative-serving etc. We should directly move in this PR to the respective folders/overlays in /common" lets aim for a long-term solution that is better than just creating empty namespaces. I will also do a dummy istio change to trigger more tests. For example we can rename common/cert-manager/kubeflow-issuer/base to common/cert-manager/overlay/kubeflow and add the cert-manager networkpolicy in that folder

@juliusvonkohout updated the PR to address the feedback

• Refactored Overlays : moved the NetworkPolicies for cert-manager, dex, istio, knative, and oauth2-proxy into their respective overlays/kubeflow directories within common/
• Kustomize Refactor: Updated thekustomization.yaml files to reference these new paths and verified that the base common/networkpolicies/base configuration correctly targets the kubeflow namespace.
• Verification: validated these changes locally using kustomize build and performed server-side validation against a Kind cluster with upstream CRDs installed (for Istio and Knative). confirmed that all manifests are generated correctly and accepted by the API server.

[juliusvonkohout]

Thank you, I added comments.

[juliusvonkohout]

/ok-to-test

[danish9039]

Thank you, I added comments.

@juliusvonkohout I have addressed the feedback , renamed all network policy files as requested and updated their references throughout the codebase. looking at your suggestion #3342 additionally i refactored the namespace creation into a proper Kustomize base (common/namespaces) to provide a declarative, long-term solution instead of relying on the imperative bash loop, ensuring all target namespaces exist before policies are applied.

[danish9039]

Please rebase to master now since I merged c589121

@juliusvonkohout done

[danish9039]

@juliusvonkohout Added allow-knative-to-istio-gateways in istio-system , this allows knative-serving traffic to reach Istio gateways and removes the cross-namespace timeout after enabling same-namespace default allow netpol . and allow-istio-gateways-to-activator in knative-serving this allows Istio gateway pods to reach Knative activator on the serving path,

[danish9039]

@juliusvonkohout moved the remaining networkpolicies in common/networkpolicies/base/ to common/kubeflow-namespace/base/kubeflow/ and removed separate netpol reference from example/kustomization.yaml and the explicit netpol apply step from tests/multi_tenancy_install.sh

[juliusvonkohout]

Thank you, that looks quite good already. Please address the last comments and then maybe a final review will do it.

[danish9039]

Thank you, that looks quite good already. Please address the last comments and then maybe a final review will do it.

@juliusvonkohout addressed all the comments

[juliusvonkohout]

Thank you
/lgtm
/approve

[google-oss-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: juliusvonkohout

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [juliusvonkohout]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

...

[juliusvonkohout]

If you are interested in a follow up PR: https://github.com/kubeflow/manifests/blob/master/common/cert-manager/README.md update logic should be moved to /scripts as for all other components. and you can also check which scripts in /scripts have to be run since there are newer upstream releases and raise corresponding PRs.