
Add the networkpolicies to cicd tests

Open · juliusvonkohout opened this issue 1 year ago · 1 comment

Validation Checklist

  • [X] Is this a Kubeflow issue?
  • [X] Are you posting in the right repository?
  • [X] Did you follow the installation guide https://github.com/kubeflow/manifests?tab=readme-ov-file?
  • [X] Is the issue report properly structured and detailed with version numbers?
  • [X] Is this for Kubeflow development?
  • [x] Would you like to work on this issue?
  • [x] Join our slack channel using wg-manifests.

Version

master

Describe your issue

We want them especially for the model registry @lampajr

Steps to reproduce the issue

No bug, just an enhancement

Put here any screenshots or videos (optional)

No response

juliusvonkohout avatar May 16 '24 15:05 juliusvonkohout

Currently the CI pipeline uses KinD with its native KindNet CNI. This does not support enforcing NetworkPolicies (it might in the future, according to https://github.com/kubernetes-sigs/kind/issues/842), so we will have to install a separate CNI for this such as Calico. It might also be possible to use the Istio CNI since we already use this: https://github.com/kubeflow/manifests/tree/master/common/istio-cni-1-22

As an alternative we could convert all KinD usage to K3d, since that supports netpols out of the box (using Flannel CNI). It is (in my opinion) also easier to use, since it supports Ingress and is in general just easier to configure

AndersBennedsgaard avatar Jul 01 '24 10:07 AndersBennedsgaard

@juliusvonkohout can you explain this issue a bit more and the exact place where we use KinD in manifests?

hansinikarunarathne avatar Jul 27 '24 07:07 hansinikarunarathne

I installed Kubeflow on my machine. And when I checked, there were multiple network policies there. And as far as I know Istio CNI supports network policies. Since Istio is currently integrated with the kind cluster, do we need a different plugin? And if so, are the existing network policies not working now?

hansinikarunarathne avatar Jul 27 '24 10:07 hansinikarunarathne

> I installed Kubeflow on my machine. And when I checked, there were multiple network policies there. And as far as I know Istio CNI supports network policies. Since Istio is currently integrated with the kind cluster, do we need a different plugin? And if so, are the existing network policies not working now?

Please test whether the networkpolicies have any effect. You can do so with a pod and curl.

juliusvonkohout avatar Jul 28 '24 22:07 juliusvonkohout

> I installed Kubeflow on my machine. And when I checked, there were multiple network policies there. And as far as I know Istio CNI supports network policies. Since Istio is currently integrated with the kind cluster, do we need a different plugin? And if so, are the existing network policies not working now?

> Please test whether the networkpolicies have any effect. You can do so with a pod and curl.

@AndersBennedsgaard @juliusvonkohout I created a new namespace called test and enabled Istio for that namespace. Then I created an nginx pod, service, and network policy that only allows traffic from the nginx namespace, and a busybox pod in the default namespace. I tried to curl from the busybox pod. It does not allow us to do so. It gives output like the one below:

RBAC: access denied

Therefore networkpolicies work with Istio. We don't need an external Calico plugin to activate networkpolicies. So, we can close the PR #2820

hansinikarunarathne avatar Aug 10 '24 03:08 hansinikarunarathne

> I installed Kubeflow on my machine. And when I checked, there were multiple network policies there. And as far as I know Istio CNI supports network policies. Since Istio is currently integrated with the kind cluster, do we need a different plugin? And if so, are the existing network policies not working now?

> Please test whether the networkpolicies have any effect. You can do so with a pod and curl.

> @AndersBennedsgaard @juliusvonkohout I created a new namespace called test and enabled Istio for that namespace. Then I created an nginx pod, service, and network policy that only allows traffic from the nginx namespace, and a busybox pod in the default namespace. I tried to curl from the busybox pod. It does not allow us to do so. It gives output like the one below:
>
> RBAC: access denied
>
> Therefore networkpolicies work with Istio. We don't need an external Calico plugin to activate networkpolicies. So, we can close the PR #2820

Are you sure that this is not done by a default AuthorizationPolicy? Did you make sure that nginx does not run with an Istio proxy? Did you test whether it works if you allow it in the networkpolicy?

juliusvonkohout avatar Aug 12 '24 10:08 juliusvonkohout

Yes, the RBAC: access denied is an Istio message from AuthorizationPolicies or other Istio rules. If it was a NetworkPolicy, you would receive a timeout. So I think this only works because both of the pods are Istio-enabled and are under some Istio policy. Istio does not handle networking between services that do not have an Istio sidecar, so the Istio CNI is not enough.

I actually found somewhere that the Istio CNI still requires a network plugin (like Calico) for handling the networking necessary for NetworkPolicies and other things. So we still need a network plugin.

AndersBennedsgaard avatar Aug 12 '24 10:08 AndersBennedsgaard

> I installed Kubeflow on my machine. And when I checked, there were multiple network policies there. And as far as I know Istio CNI supports network policies. Since Istio is currently integrated with the kind cluster, do we need a different plugin? And if so, are the existing network policies not working now?

> Please test whether the networkpolicies have any effect. You can do so with a pod and curl.

> @AndersBennedsgaard @juliusvonkohout I created a new namespace called test and enabled Istio for that namespace. Then I created an nginx pod, service, and network policy that only allows traffic from the nginx namespace, and a busybox pod in the default namespace. I tried to curl from the busybox pod. It does not allow us to do so. It gives output like the one below:
>
> RBAC: access denied
>
> Therefore networkpolicies work with Istio. We don't need an external Calico plugin to activate networkpolicies. So, we can close the PR #2820

> Are you sure that this is not done by a default AuthorizationPolicy? Did you make sure that nginx does not run with an Istio proxy? Did you test whether it works if you allow it in the networkpolicy?

Actually, the procedure I followed is:

  1. Create a test namespace with Istio enabled:
       kubectl create namespace test
       kubectl label namespace test istio-injection=enabled

  2. Create an NGINX pod in that namespace:
       kubectl run nginx --image=nginx --labels app=nginx --namespace test --expose --port 80

  3. Create a busybox pod in the default namespace:
       kubectl run busybox --rm -ti --image=alpine -- /bin/sh

  4. Create a network policy that does not allow traffic from other namespaces.

  5. curl to the nginx pod from busybox. Then it gives RBAC: access denied.

So, due to enabling Istio in the test namespace, it does run with the Istio proxy pod image. So basically it was denied because of that reason.

Therefore, we have to add an external plugin for managing network policies. I will do so and update you.

hansinikarunarathne avatar Aug 15 '24 03:08 hansinikarunarathne
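The two points raised above (an Istio sidecar answers with "RBAC: access denied", whereas a NetworkPolicy drops packets and curl times out; and the test namespace must not be Istio-injected if the CNI is what you want to test) can be turned into a repeatable check. The script below is an added example, not code from kubeflow/manifests; it assumes kubectl is on PATH and points at the KinD cluster under test, that the namespace name netpol-check is free, that the probe pod may run in the default namespace, and it uses the public nginx and curlimages/curl images. All names are chosen for this example.

```shell
#!/bin/sh
# Added example (not from kubeflow/manifests): check that the cluster CNI
# enforces NetworkPolicies, with Istio deliberately kept out of the picture.
# Assumed: kubectl on PATH targeting the test cluster; namespace $NS is free.
set -eu

NS="${NS:-netpol-check}"        # namespace for the nginx target (assumed free)
PROBE_NS="${PROBE_NS:-default}" # namespace the curl probe runs in

# Default-deny ingress policy for every pod in namespace $1.
deny_policy() {
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  namespace: $1
spec:
  podSelector: {}
  policyTypes:
  - Ingress
EOF
}

# Policy for namespace $1 admitting ingress only from pods in namespace $2,
# matched through the kubernetes.io/metadata.name label set by the API server.
allow_from_namespace_policy() {
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-$2
  namespace: $1
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: $2
EOF
}

# Interpret probe output: the curl body followed by a final "EXIT=<code>" line.
# Istio's AuthorizationPolicy returns an HTTP response whose body is
# "RBAC: access denied" (curl exit 0); an enforced NetworkPolicy drops the
# packets, so curl times out (28) or cannot connect (7).
classify() {
  out="$1"
  ec=$(printf '%s\n' "$out" | sed -n 's/^EXIT=\([0-9][0-9]*\)$/\1/p' | tail -n 1)
  case "$ec" in
    0)
      case "$out" in
        *"RBAC: access denied"*) echo istio-authz-denied ;;
        *) echo allowed ;;
      esac ;;
    7|28) echo netpol-blocked ;;
    *) echo unknown ;;
  esac
}

# Run curl from a short-lived pod in $PROBE_NS and print the classification.
probe() {
  url="http://nginx.$NS.svc.cluster.local/"
  out=$(kubectl run netpol-probe -n "$PROBE_NS" --rm -i --restart=Never \
          --image=curlimages/curl -- \
          sh -c "curl -s --max-time 5 '$url'; rc=\$?; echo; echo EXIT=\$rc" \
          2>/dev/null || true)
  classify "$out"
}

run_check() {
  kubectl create namespace "$NS"
  # NOT labelled istio-injection=enabled: only the CNI is under test here.
  kubectl run nginx --image=nginx --labels app=nginx -n "$NS" --expose --port 80
  kubectl wait --for=condition=Ready pod/nginx -n "$NS" --timeout=120s
  before=$(probe)                                   # no policy: expect allowed
  deny_policy "$NS" | kubectl apply -f -
  sleep 5                                           # let the CNI program rules
  denied=$(probe)                                   # expect netpol-blocked
  allow_from_namespace_policy "$NS" "$PROBE_NS" | kubectl apply -f -
  sleep 5
  allowed=$(probe)                                  # expect allowed again
  kubectl delete namespace "$NS" --wait=false
  echo "no policy: $before, deny-all: $denied, allow-from-$PROBE_NS: $allowed"
  [ "$before" = allowed ] && [ "$denied" = netpol-blocked ] && [ "$allowed" = allowed ]
}

# Only touch a cluster when explicitly asked: sh netpol-check.sh run
if [ "${1:-}" = run ]; then
  run_check
fi
```

The three probes matter together: "allowed" before any policy proves the probe itself works, "netpol-blocked" under deny-all proves the CNI enforces the policy, and "allowed" after the namespace allow rule proves the deny result was the policy rather than a broken service. A result of "istio-authz-denied" at any stage means a sidecar or AuthorizationPolicy is answering and the CNI has not been tested at all.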

kind has released 0.24 that includes network policies https://github.com/kubernetes-sigs/kind/releases/tag/v0.24.0

aojea avatar Aug 16 '24 07:08 aojea

> kind has released 0.24 that includes network policies https://github.com/kubernetes-sigs/kind/releases/tag/v0.24.0

@hansinikarunarathne this might make your life easier :-D We can also upgrade the Kubernetes version if necessary.

juliusvonkohout avatar Aug 16 '24 09:08 juliusvonkohout

> kind has released 0.24 that includes network policies https://github.com/kubernetes-sigs/kind/releases/tag/v0.24.0

> @hansinikarunarathne this might make your life easier :-D We can also upgrade the Kubernetes version if necessary.

Yes, I checked on it. I will update the Kubernetes version and Kind installation version. I will create a new PR instead of making changes to #2820

hansinikarunarathne avatar Aug 16 '24 11:08 hansinikarunarathne

We can close the PR #2820 and merge the PR #2843

@juliusvonkohout if you have any suggestions let me know

hansinikarunarathne avatar Aug 16 '24 11:08 hansinikarunarathne

Solved in #2843

@hansinikarunarathne please link PRs to issues on the right hand side.

juliusvonkohout avatar Aug 26 '24 16:08 juliusvonkohout