Add networkpolicies under /contrib/networkpolicies #2121
Thank you for the time and work @juliusvonkohout! I'll look into them today and include them either in RC0 or RC1. As a first comment, from a quick glance, could you also add a small README file and an OWNERS file? For the README I can think of the following information to expose:
Regarding the OWNERS file, can you add yourself as an approver? I can also be a reviewer to help if you want.
@kimwnasptd is this sufficient? Maybe one can circumvent the networkpolicies by using the istio-ingressgateway and specifying a service in the kubeflow namespace as host. Then I would have to rework them a bit.
Now it is way more secure. One could limit even further how the pods in the kubeflow namespace can communicate with each other, but this would be quite cumbersome and a task for the future.
@kimwnasptd I could also add podsecuritypolicies here and add networkpolicies to https://github.com/kubeflow/manifests/blob/master/example/kustomization.yaml. For the podsecuritypolicies to work properly I would also need to introduce istio-cni according to #2014
The changes look good! One last nit is to remove me from the
done
Thanks! /lgtm
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: juliusvonkohout, kimwnasptd
The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
* Create .gitkeep
* Add files via upload
* Create OWNERS
* Create README.md
* Delete default-deny-not-istio-system.yaml
* Create default-allow-same-namespace.yaml
* Create centraldashboard.yaml
* Create jupyter-web-app.yaml
* Create katib-ui.yaml
* Create kfserving-models-web-app.yaml
* Create ml-pipeline-ui.yaml
* Update ml-pipeline.yaml
* Create volumes-web-app.yaml
* Update kustomization.yaml
* Update OWNERS
* tests: Scripts for e2e tests (#2128)
  * remove old test files Signed-off-by: Kimonas Sotirchos <[email protected]>
  * gitignore: Don't track pyc files Signed-off-by: Kimonas Sotirchos <[email protected]>
  * flake8: Introduce linting file Signed-off-by: Kimonas Sotirchos <[email protected]>
  * hack: Introduce scripts for cluster manipulation Signed-off-by: Kimonas Sotirchos <[email protected]>
  * tests: Add e2e test Signed-off-by: Kimonas Sotirchos <[email protected]>
  * GH action for running e2e test Signed-off-by: Kimonas Sotirchos <[email protected]>
  * Reduce the installed components and system reqs Signed-off-by: Kimonas Sotirchos <[email protected]>
  * kserve: Add simple kustomization file To avoid having to use --load_restrictor none we'll need to wrap the KServe manifests inside a kustomization.yaml file. Signed-off-by: Kimonas Sotirchos <[email protected]>
  * unittests: Fix unit tests Signed-off-by: Kimonas Sotirchos <[email protected]>
  * gh: Remove action for e2e tests We should use prow instead to trigger our e2e tests. Signed-off-by: Kimonas Sotirchos <[email protected]>
* Add networkpolicies under /contrib/networkpolicies (#2121)
  * Create .gitkeep
  * Add files via upload
  * Create OWNERS
  * Create README.md
  * Delete default-deny-not-istio-system.yaml
  * Create default-allow-same-namespace.yaml
  * Create centraldashboard.yaml
  * Create jupyter-web-app.yaml
  * Create katib-ui.yaml
  * Create kfserving-models-web-app.yaml
  * Create ml-pipeline-ui.yaml
  * Update ml-pipeline.yaml
  * Create volumes-web-app.yaml
  * Update kustomization.yaml
  * Update OWNERS
* Sync kubeflow pipelines manifests 1.8.0 rc.2 (#2131)
  * hack: Update pipelines sync script to change README Signed-off-by: Kimonas Sotirchos <[email protected]>
  * Update kubeflow/pipelines manifests from 1.8.0-rc.2
* Sync kubeflow kubeflow manifests v1.5.0 rc.1 (#2134)
  * hack: Sync README for kubeflow/kubeflow sync-script Extend the sync-script for kubeflow/kubeflow to also update the components versions in the readme. Signed-off-by: Kimonas Sotirchos <[email protected]>
  * Update kubeflow/kubeflow manifests from v1.5.0-rc.1
* Sync kserve/models-web-app manifests (#2135)
  * kserve: Rename from upstream to kserve We will be including both kserve/kserve and kserve/models-web-app into the manifests, so the names will need to reflect this. Signed-off-by: Kimonas Sotirchos <[email protected]>
  * kserve: Add manifests for the models-web-app Include the MWA manifests from the v0.7.0 tag. https://github.com/kserve/models-web-app/tree/v0.7.0 Signed-off-by: Kimonas Sotirchos <[email protected]>
  * kserve: Include both kserve and mwa manifests Signed-off-by: Kimonas Sotirchos <[email protected]>
* Update kubeflow/kfp-tekton manifests from v1.1.1 (#2141)
  * hack: Update tekton script to edit README The hack script for updating the kfp-tekton manifests should also be updating the README file as well. Signed-off-by: Kimonas Sotirchos <[email protected]>
  * Update kubeflow/kfp-tekton manifests from v1.1.1
* Update manifests for Katib v0.13.0-rc.1 release (#2139)
  * Update manifests for Katib v0.13.0-rc.1 release
  * Change README
* readme: Remove MPI reference and add ingress distributions link (#2143)
  * Closes #1963
  * Remove unused MPI reference (PR #2119)
* Update kubeflow/pipelines manifests from 1.8.0 (#2144) Signed-off-by: Kimonas Sotirchos <[email protected]>
* hack: Don't error if namespace kubeflow exists (#2140) The helper setup scripts should not error when the namespaces already exist. Signed-off-by: Kimonas Sotirchos <[email protected]>

Co-authored-by: juliusvonkohout <[email protected]>
Co-authored-by: Andrey Velichkevich <[email protected]>
Co-authored-by: a9p <[email protected]>
Which issue is resolved by this Pull Request:
Resolves kubeflow/kubeflow#6228 (comment)
@kimwnasptd
Description of your changes:
Add networkpolicies under /contrib/networkpolicies
Checklist:
* Make sure you have installed kustomize == 3.2.1
* make generate-changed-only
* make test