networkpolicy for training operator (kubeflow#2786)

networkpolicy for training operator Signed-off-by: juliusvonkohout <[email protected]>
hansinikarunarathne · Jul 4, 2024 · f3edb26 · f3edb26
1 parent 37e4352
commit f3edb26
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 1 deletion.
diff --git a/common/networkpolicies/base/kustomization.yaml b/common/networkpolicies/base/kustomization.yaml
@@ -20,5 +20,6 @@ resources:
   - poddefaults.yaml
   - pvcviewer-webhook.yaml
   - seldon.yaml
-  - volumes-web-app.yaml
   - tensorboards-web-app.yaml
+  - training-operator-webhook.yaml
+  - volumes-web-app.yaml
diff --git a/common/networkpolicies/base/training-operator-webhook.yaml b/common/networkpolicies/base/training-operator-webhook.yaml
@@ -0,0 +1,20 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: training-operator-webhook
+  namespace: kubeflow
+spec:
+  podSelector:
+    matchExpressions:
+    - key: control-plane
+      operator: In
+      values:
+      - kubeflow-training-operator
+  # https://www.elastic.co/guide/en/cloud-on-k8s/1.1/k8s-webhook-network-policies.html
+  # The kubernetes api server must reach the webhook
+  ingress:
+    - ports:
+        - protocol: TCP
+          port: 9443
+  policyTypes:
+    - Ingress