@danish9039

✏️ Summary of Changes

This PR fixes issue #3319, where NetworkPolicies for various core components were incorrectly being applied to the kubeflow namespace. This was caused by a hardcoded namespace: kubeflow in the base kustomization.yaml.

Additionally, this PR updates the tests/multi_tenancy_install.sh script to proactively create the required target namespaces before applying the policies, ensuring the installation succeeds even if components are installed in a pick-and-choose manner.

The Problem

flowchart TB
    subgraph "Before Fix (Broken)"
        K[kustomization.yaml<br>namespace: kubeflow] --> |Forces ALL resources| KF[kubeflow namespace]
        
        P1[cert-manager-webhook.yaml<br>namespace: cert-manager] --> K
        P2[default-allow-auth.yaml<br>namespace: auth] --> K
        P3[istio-policy.yaml<br>namespace: istio-system] --> K
        
        K --> |All end up in| KF
        
        KF --> |Contains policies for| WRONG[❌ Wrong namespaces!]
    end

The Solution

flowchart TB
    subgraph "After Fix (Correct)"
        K2[kustomization.yaml<br>NO namespace override] --> |Respects each file|SPLIT
        
        SPLIT{Each policy goes<br>to its own namespace}
        
        SPLIT --> CM[cert-manager namespace]
        SPLIT --> AU[auth namespace]
        SPLIT --> IS[istio-system namespace]
        SPLIT --> KS[knative-serving namespace]
        SPLIT --> KF2[kubeflow namespace]
        SPLIT --> KFS[kubeflow-system namespace]
        
        CM --> |✅ Protects| CMP[cert-manager pods]
        AU --> |✅ Protects| AUP[auth pods]
        IS --> |✅ Protects| ISP[istio pods]
    end

Verification

  • Checked that kustomize build common/networkpolicies/base generates policies with correct namespaces.
  • Ran shellcheck tests/multi_tenancy_install.sh on the modified script to ensure robustness.

Continuing work by @juhyeon-cha with addition of namespace creation in test scripts.

📦 Dependencies

None.

🐛 Related Issues

Supersedes #3319

✅ Contributor Checklist

  • I have tested these changes with kustomize. See Installation Prerequisites.
  • All commits are signed-off to satisfy the DCO check.
  • I have considered adding my company to the adopters page to support Kubeflow and help the community, since I expect help from the community for my issue (see 1. and 2.).
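
The verification step in the description above can be turned into a repeatable check. This is an added example, not code from the PR or the Kubeflow repository: it compares the namespace each NetworkPolicy declares in its source manifest with the namespace it has in the rendered output, which is where a `namespace:` override in kustomization.yaml shows up. The function names are hypothetical, and it assumes the two-space `metadata:` indentation that kustomize emits.

```shell
#!/usr/bin/env bash
# Added example (not from the PR): check that kustomize did not move any
# NetworkPolicy out of the namespace its manifest declares.

# Print "namespace<TAB>name" for each NetworkPolicy in a multi-document YAML
# stream on stdin. Reads only top-level `kind:` and the two-space-indented
# `name:` / `namespace:` keys under top-level `metadata:`.
netpol_namespaces() {
  awk '
    function emit() {
      if (kind == "NetworkPolicy") {
        if (ns == "") ns = "<none>"
        print ns "\t" name
      }
      kind = name = ns = ""; in_meta = 0
    }
    /^---[ \t]*$/                   { emit(); next }
    /^kind:[ \t]/                   { kind = $2 }
    /^metadata:[ \t]*$/             { in_meta = 1; next }
    /^[^ \t#]/                      { in_meta = 0 }
    in_meta && /^  name:[ \t]/      { name = $2 }
    in_meta && /^  namespace:[ \t]/ { ns = $2 }
    END { emit() }
  '
}

# $1: source manifests concatenated into one file; $2: `kustomize build` output.
# Prints every placement that differs and returns 1 if any does.
netpol_drift() {
  {
    netpol_namespaces < "$1" | awk '{ print "declared\t" $0 }'
    netpol_namespaces < "$2" | awk '{ print "rendered\t" $0 }'
  } | awk -F'\t' '
    $1 == "declared" { n[$2 "/" $3]++ }
    $1 == "rendered" { n[$2 "/" $3]-- }
    END {
      for (k in n) {
        if (n[k] > 0) { print "missing from rendered output: " k; bad = 1 }
        if (n[k] < 0) { print "not declared in source: " k; bad = 1 }
      }
      exit bad + 0
    }'
}
```

With the override in place, every policy is reported twice: once as missing from its declared namespace and once as an undeclared policy in kubeflow.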

@google-oss-prow

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign juliusvonkohout for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@github-actions

github-actions bot commented Feb 9, 2026

Welcome to the Kubeflow Manifests Repository

Thanks for opening your first PR. Your contribution means a lot to the Kubeflow community.

Before making more PRs:
Please ensure your PR follows our Contributing Guide.
Please also be aware that many components are synchronized from upstream via the scripts in /scripts.
So in some cases you have to fix the problem in the upstream repositories first, but you can use a PR against kubeflow/manifests to test the platform integration.

Thanks again for helping to improve Kubeflow.

Remove namespace override in kustomization.yaml to allow NetworkPolicies
to use their self-defined namespaces.

Also update multi_tenancy_install.sh to create required namespaces
before applying network policies, ensuring the installation succeeds.

Supersedes kubeflow#3319

Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
@danish9039 danish9039 force-pushed the fix/networkpolicies-variable-namespaces branch from ec1e9f0 to 6c7b0c9 on February 9, 2026 12:03
@danish9039
Author

@juliusvonkohout

@juliusvonkohout
Member

juliusvonkohout commented Feb 10, 2026

Thank you for the PR. Please check out all the comments, such as #3319 (comment): "everything outside of the kubeflow namespaces so cert-manager, knative-serving etc. We should directly move in this PR to the respective folders/overlays in /common". Let's aim for a long-term solution that is better than just creating empty namespaces. I will also do a dummy istio change to trigger more tests. For example, we can rename common/cert-manager/kubeflow-issuer/base to common/cert-manager/overlay/kubeflow and add the cert-manager networkpolicy in that folder.

Signed-off-by: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>