Skip to content

fix(manifests): Allow same-namespace access to SeaweedFS for standalone deployments #12543

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
hbelmiro wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix(manifests): Allow same-namespace access to SeaweedFS for standalone deployments #12543

hbelmiro wants to merge 1 commit into from
+4 −13

Conversation

@hbelmiro
Copy link
Contributor

@hbelmiro hbelmiro commented Dec 9, 2025
edited
Loading

Description of your changes:

The SeaweedFS NetworkPolicy only allows traffic from namespaces labeled app.kubernetes.io/part-of: kubeflow-profile or from istio-system. This blocks the API server (running in the kubeflow namespace) from accessing object storage on clusters with NetworkPolicy enforcement, breaking standalone KFP deployments.

Fix: Add an ingress rule allowing same-namespace pod traffic to SeaweedFS on port 8333.

Note: This change aligns with the upstream Kubeflow manifests repository, which deploys a default-allow-same-namespace.yaml NetworkPolicy for the kubeflow namespace. For standalone KFP, we achieve the same functional result by adding the rule directly to the SeaweedFS policy rather than introducing a separate blanket policy. This keeps the standalone deployment simpler while solving the connectivity issue.

Changes

  • Added same-namespace ingress rule to SeaweedFS NetworkPolicy
  • Fixes standalone deployments by allowing API server and UI to access object storage

Checklist:

@hbelmiro
Copy link
Contributor Author

hbelmiro commented Dec 9, 2025

/retest

HumairAK
HumairAK reviewed Dec 9, 2025
View reviewed changes
@hbelmiro hbelmiro marked this pull request as draft December 10, 2025 17:19
@hbelmiro hbelmiro force-pushed the fix-namespace-manifest branch from df9360b to 4155dc5 Compare December 10, 2025 17:34
@google-oss-prow
Copy link

google-oss-prow bot commented Dec 10, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from hbelmiro and additionally assign juliusvonkohout for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@hbelmiro hbelmiro changed the title fix(manifests): Add kubeflow-profile label to namespace for NetworkPolicy compatibility WIP - fix(manifests): Dec 10, 2025
@hbelmiro hbelmiro marked this pull request as ready for review December 10, 2025 17:47
@hbelmiro
Copy link
Contributor Author

hbelmiro commented Dec 10, 2025

@juliusvonkohout can you PTAL on this?

@hbelmiro hbelmiro force-pushed the fix-namespace-manifest branch from 4155dc5 to b0ed5b1 Compare December 10, 2025 17:51
@hbelmiro hbelmiro changed the title WIP - fix(manifests): fix(manifests): Allow same-namespace access to SeaweedFS for standalone deployments Dec 10, 2025
@juliusvonkohout
Copy link
Member

juliusvonkohout commented Dec 10, 2025
edited
Loading

Thank you @hbelmiro it looks good and and more robust than before, but may you raise the same PR against kubeflow/manifests to also test the CI/CD there? If it is green and you see a kfp tests, then both are good to merge.

@juliusvonkohout
Copy link
Member

juliusvonkohout commented Dec 11, 2025
edited
Loading

kubeflow/manifests#3306 is merged so
/lgtm

and thank you for making it more robust

@google-oss-prow google-oss-prow bot added the lgtm label Dec 11, 2025
@juliusvonkohout
Copy link
Member

juliusvonkohout commented Dec 11, 2025

Just be careful if more than this single port is needed in the future for the same namespace. But that can also be adjusted in the future if needed.

@hbelmiro
Copy link
Contributor Author

hbelmiro commented Dec 11, 2025

@HumairAK can you please take a final look?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@HumairAK HumairAK HumairAK left review comments

@droctothorpe droctothorpe Awaiting requested review from droctothorpe

@mprahl mprahl Awaiting requested review from mprahl

@pschoen-itsc pschoen-itsc Awaiting requested review from pschoen-itsc

@rimolive rimolive Awaiting requested review from rimolive

Assignees

@juliusvonkohout juliusvonkohout

Labels

lgtm size/S

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@hbelmiro @juliusvonkohout @HumairAK