Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add networkpolicies under /contrib/networkpolicies #2121

Merged
merged 15 commits into from
Feb 11, 2022

Conversation

juliusvonkohout
Copy link
Member

Which issue is resolved by this Pull Request:
Resolves kubeflow/kubeflow#6228 (comment)
@kimwnasptd

Description of your changes:

Add networkpolicies under /contrib/networkpolicies

Checklist:

  • Unit tests pass:
    Make sure you have installed kustomize == 3.2.1
    1. make generate-changed-only
    2. make test

@kimwnasptd
Copy link
Member

Thank you for the time and work @juliusvonkohout! I'll look into them today and include them either in RC0 or RC1.

As a first comment, from a quick glance, could you also add a small README file and an OWNERS file? For the README I can think of the following information to expose:

  • Why would a user apply the extra policies
  • Effects they will have in the cluster [how does this affect communication and between which services?]
  • A small note that ideally we should achieve the same with AuthorizationPolicies, if not then this is something we must work on. If there's extra functionality that can not be achieved with the AuthorizationPolices then lets discuss and expose this as well

Regarding the OWNERS file can you add yourself as an approver? I can also be a reviewer to help if you want.

@juliusvonkohout
Copy link
Member Author

juliusvonkohout commented Jan 28, 2022

@kimwnasptd is this sufficient? Maybe one can circumvent the networkpolices by using the istio-ingressgateway and specifying a service in the kubeflow namespace as host. Then i would have to rework them a bit.

@juliusvonkohout
Copy link
Member Author

Now it is way more secure. One could limit even further how the pods in the kubeflow namespace can communicate with each other, but this would be quite cumbersome and a task for the future

@juliusvonkohout
Copy link
Member Author

juliusvonkohout commented Feb 1, 2022

@kimwnasptd i could also add podsecuritypolicies here and add networkpolicies to https://github.com/kubeflow/manifests/blob/master/example/kustomization.yaml. For the podsecuritypolicies to work properly i would also need to introduce istio-cni according to #2014

@kimwnasptd
Copy link
Member

The changes look good! One last nit is to remove me from the approvers, I want to try and make the OWNERS files to be as accurate as possible. Once in the future I also help with some reviews in the networking policies then let's add me as an approver.

@juliusvonkohout
Copy link
Member Author

The changes look good! One last nit is to remove me from the approvers, I want to try and make the OWNERS files to be as accurate as possible. Once in the future I also help with some reviews in the networking policies then let's add me as an approver.

done

@kimwnasptd
Copy link
Member

Thanks!

/lgtm
/approve

@google-oss-prow
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: juliusvonkohout, kimwnasptd

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@google-oss-prow google-oss-prow bot merged commit 921b55d into kubeflow:master Feb 11, 2022
kimwnasptd pushed a commit to arrikto/kubeflow-manifests that referenced this pull request Feb 15, 2022
* Create .gitkeep

* Add files via upload

* Create OWNERS

* Create README.md

* Delete default-deny-not-istio-system.yaml

* Create default-allow-same-namespace.yaml

* Create centraldashboard.yaml

* Create jupyter-web-app.yaml

* Create katib-ui.yaml

* Create kfserving-models-web-app.yaml

* Create ml-pipeline-ui.yaml

* Update ml-pipeline.yaml

* Create volumes-web-app.yaml

* Update kustomization.yaml

* Update OWNERS
google-oss-prow bot pushed a commit that referenced this pull request Feb 16, 2022
* tests: Scripts for e2e tests (#2128)

* remove old test files

Signed-off-by: Kimonas Sotirchos <[email protected]>

* gitignore: Don't track pyc files

Signed-off-by: Kimonas Sotirchos <[email protected]>

* flake8: Introduce linting file

Signed-off-by: Kimonas Sotirchos <[email protected]>

* hack: Introduce scripts for cluster manipulation

Signed-off-by: Kimonas Sotirchos <[email protected]>

* tests: Add e2e test

Signed-off-by: Kimonas Sotirchos <[email protected]>

* GH action for running e2e test

Signed-off-by: Kimonas Sotirchos <[email protected]>

* Reduce the installed components and system reqs

Signed-off-by: Kimonas Sotirchos <[email protected]>

* kserve: Add simple kustomization file

To avoid having to use --load_restrictor none we'll need to wrap the
KServe manifests inside a kustomization.yaml file.

Signed-off-by: Kimonas Sotirchos <[email protected]>

* unittests: Fix unit tests

Signed-off-by: Kimonas Sotirchos <[email protected]>

* gh: Remove action for e2e tests

We should use prow instead to trigger our e2e tests.

Signed-off-by: Kimonas Sotirchos <[email protected]>

* Add networkpolicies under /contrib/networkpolicies (#2121)

* Create .gitkeep

* Add files via upload

* Create OWNERS

* Create README.md

* Delete default-deny-not-istio-system.yaml

* Create default-allow-same-namespace.yaml

* Create centraldashboard.yaml

* Create jupyter-web-app.yaml

* Create katib-ui.yaml

* Create kfserving-models-web-app.yaml

* Create ml-pipeline-ui.yaml

* Update ml-pipeline.yaml

* Create volumes-web-app.yaml

* Update kustomization.yaml

* Update OWNERS

* Sync kubeflow pipelines manifests 1.8.0 rc.2 (#2131)

* hack: Update pipelines sync script to change README

Signed-off-by: Kimonas Sotirchos <[email protected]>

* Update kubeflow/pipelines manifests from 1.8.0-rc.2

* Sync kubeflow kubeflow manifests v1.5.0 rc.1 (#2134)

* hack: Sync README for kubeflow/kubeflow sync-script

Extend the sync-script for kubeflow/kubeflow to also update the
components versions in the readme.

Signed-off-by: Kimonas Sotirchos <[email protected]>

* Update kubeflow/kubeflow manifests from v1.5.0-rc.1

* Sync kserve/models-web-app manifests (#2135)

* kserve: Rename from upstream to kserve

We will be including both kserve/kserve and kserve/models-web-app into
the manifests, so the names will need to reflect this.

Signed-off-by: Kimonas Sotirchos <[email protected]>

* kserve: Add manifests for the models-web-app

Include the MWA manifests from the v0.7.0 tag.
https://github.com/kserve/models-web-app/tree/v0.7.0

Signed-off-by: Kimonas Sotirchos <[email protected]>

* kserve: Include both kserve and mwa manifests

Signed-off-by: Kimonas Sotirchos <[email protected]>

* Update kubeflow/kfp-tekton manifests from v1.1.1 (#2141)

* hack: Update tekton script to edit README

The hack script for updating the kfp-tekton manifests should also be
updating the README file as well.

Signed-off-by: Kimonas Sotirchos <[email protected]>

* Update kubeflow/kfp-tekton manifests from v1.1.1

* Update manifests for Katib v0.13.0-rc.1 release (#2139)

* Update manifests for Katib v0.13.0-rc.1 release

* Change README

* readme: Remove MPI reference and add ingress distributions link (#2143)

* Closes #1963
* Remove unused MPI reference (PR #2119)

* Update kubeflow/pipelines manifests from 1.8.0 (#2144)

Signed-off-by: Kimonas Sotirchos <[email protected]>

* hack: Don't error if namespace kubeflow exists (#2140)

The helper setup scripts should not error when the namespaces already
exist.

Signed-off-by: Kimonas Sotirchos <[email protected]>

Co-authored-by: juliusvonkohout <[email protected]>
Co-authored-by: Andrey Velichkevich <[email protected]>
Co-authored-by: a9p <[email protected]>
VaishnaviHire pushed a commit to VaishnaviHire/manifests that referenced this pull request Aug 11, 2022
* tests: Scripts for e2e tests (kubeflow#2128)

* remove old test files

Signed-off-by: Kimonas Sotirchos <[email protected]>

* gitignore: Don't track pyc files

Signed-off-by: Kimonas Sotirchos <[email protected]>

* flake8: Introduce linting file

Signed-off-by: Kimonas Sotirchos <[email protected]>

* hack: Introduce scripts for cluster manipulation

Signed-off-by: Kimonas Sotirchos <[email protected]>

* tests: Add e2e test

Signed-off-by: Kimonas Sotirchos <[email protected]>

* GH action for running e2e test

Signed-off-by: Kimonas Sotirchos <[email protected]>

* Reduce the installed components and system reqs

Signed-off-by: Kimonas Sotirchos <[email protected]>

* kserve: Add simple kustomization file

To avoid having to use --load_restrictor none we'll need to wrap the
KServe manifests inside a kustomization.yaml file.

Signed-off-by: Kimonas Sotirchos <[email protected]>

* unittests: Fix unit tests

Signed-off-by: Kimonas Sotirchos <[email protected]>

* gh: Remove action for e2e tests

We should use prow instead to trigger our e2e tests.

Signed-off-by: Kimonas Sotirchos <[email protected]>

* Add networkpolicies under /contrib/networkpolicies (kubeflow#2121)

* Create .gitkeep

* Add files via upload

* Create OWNERS

* Create README.md

* Delete default-deny-not-istio-system.yaml

* Create default-allow-same-namespace.yaml

* Create centraldashboard.yaml

* Create jupyter-web-app.yaml

* Create katib-ui.yaml

* Create kfserving-models-web-app.yaml

* Create ml-pipeline-ui.yaml

* Update ml-pipeline.yaml

* Create volumes-web-app.yaml

* Update kustomization.yaml

* Update OWNERS

* Sync kubeflow pipelines manifests 1.8.0 rc.2 (kubeflow#2131)

* hack: Update pipelines sync script to change README

Signed-off-by: Kimonas Sotirchos <[email protected]>

* Update kubeflow/pipelines manifests from 1.8.0-rc.2

* Sync kubeflow kubeflow manifests v1.5.0 rc.1 (kubeflow#2134)

* hack: Sync README for kubeflow/kubeflow sync-script

Extend the sync-script for kubeflow/kubeflow to also update the
components versions in the readme.

Signed-off-by: Kimonas Sotirchos <[email protected]>

* Update kubeflow/kubeflow manifests from v1.5.0-rc.1

* Sync kserve/models-web-app manifests (kubeflow#2135)

* kserve: Rename from upstream to kserve

We will be including both kserve/kserve and kserve/models-web-app into
the manifests, so the names will need to reflect this.

Signed-off-by: Kimonas Sotirchos <[email protected]>

* kserve: Add manifests for the models-web-app

Include the MWA manifests from the v0.7.0 tag.
https://github.com/kserve/models-web-app/tree/v0.7.0

Signed-off-by: Kimonas Sotirchos <[email protected]>

* kserve: Include both kserve and mwa manifests

Signed-off-by: Kimonas Sotirchos <[email protected]>

* Update kubeflow/kfp-tekton manifests from v1.1.1 (kubeflow#2141)

* hack: Update tekton script to edit README

The hack script for updating the kfp-tekton manifests should also be
updating the README file as well.

Signed-off-by: Kimonas Sotirchos <[email protected]>

* Update kubeflow/kfp-tekton manifests from v1.1.1

* Update manifests for Katib v0.13.0-rc.1 release (kubeflow#2139)

* Update manifests for Katib v0.13.0-rc.1 release

* Change README

* readme: Remove MPI reference and add ingress distributions link (kubeflow#2143)

* Closes kubeflow#1963
* Remove unused MPI reference (PR kubeflow#2119)

* Update kubeflow/pipelines manifests from 1.8.0 (kubeflow#2144)

Signed-off-by: Kimonas Sotirchos <[email protected]>

* hack: Don't error if namespace kubeflow exists (kubeflow#2140)

The helper setup scripts should not error when the namespaces already
exist.

Signed-off-by: Kimonas Sotirchos <[email protected]>

Co-authored-by: juliusvonkohout <[email protected]>
Co-authored-by: Andrey Velichkevich <[email protected]>
Co-authored-by: a9p <[email protected]>
kevin85421 pushed a commit to juliusvonkohout/manifests that referenced this pull request Feb 28, 2023
* Create .gitkeep

* Add files via upload

* Create OWNERS

* Create README.md

* Delete default-deny-not-istio-system.yaml

* Create default-allow-same-namespace.yaml

* Create centraldashboard.yaml

* Create jupyter-web-app.yaml

* Create katib-ui.yaml

* Create kfserving-models-web-app.yaml

* Create ml-pipeline-ui.yaml

* Update ml-pipeline.yaml

* Create volumes-web-app.yaml

* Update kustomization.yaml

* Update OWNERS
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

KFAM is unprotected and any user can manage all profiles / namespaces of other users.
2 participants