From f3edb265afb70fa557ddbfe8b73f4a10b82d0796 Mon Sep 17 00:00:00 2001
From: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>
Date: Thu, 4 Jul 2024 18:11:46 +0200
Subject: [PATCH] networkpolicy for training operator (#2786) networkpolicy for training operator
Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com>
---
 .../networkpolicies/base/kustomization.yaml | 3 ++-
 .../base/training-operator-webhook.yaml | 20 +++++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100644 common/networkpolicies/base/training-operator-webhook.yaml
diff --git a/common/networkpolicies/base/kustomization.yaml b/common/networkpolicies/base/kustomization.yaml
index 33bf626c6d..cbf673a6f0 100644
--- a/common/networkpolicies/base/kustomization.yaml
+++ b/common/networkpolicies/base/kustomization.yaml
@@ -20,5 +20,6 @@ resources:
 - poddefaults.yaml
 - pvcviewer-webhook.yaml
 - seldon.yaml
- - volumes-web-app.yaml
 - tensorboards-web-app.yaml
+ - training-operator-webhook.yaml
+ - volumes-web-app.yaml
diff --git a/common/networkpolicies/base/training-operator-webhook.yaml b/common/networkpolicies/base/training-operator-webhook.yaml
new file mode 100644
index 0000000000..bbf6e373a3
--- /dev/null
+++ b/common/networkpolicies/base/training-operator-webhook.yaml
@@ -0,0 +1,20 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: training-operator-webhook
+ namespace: kubeflow
+spec:
+ podSelector:
+ matchExpressions:
+ - key: control-plane
+ operator: In
+ values:
+ - kubeflow-training-operator
+ # https://www.elastic.co/guide/en/cloud-on-k8s/1.1/k8s-webhook-network-policies.html
+ # The kubernetes api server must reach the webhook
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: 9443
+ policyTypes:
+ - Ingress
\ No newline at end of file
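Review bot: The `ingress` rule at the end of the new `training-operator-webhook.yaml` lists only `ports` and has no `from` clause, so TCP 9443 on the pods labelled `control-plane: kubeflow-training-operator` accepts traffic from every source, not only the API server that the comment above it names. Leaving `from` out is a common choice for admission webhooks, since the API server usually cannot be matched by a pod or namespace selector, but the file should record that it is deliberate, for example `# No "from" clause on purpose: the API server usually cannot be selected by pod or namespace labels, so port 9443 accepts any source.` Where the control-plane address range is known, an overlay could narrow the rule with an `ipBlock` entry. Because the policy selects these pods for `Ingress`, any other inbound port on them (a metrics endpoint, if one is scraped) is presumably blocked unless another policy allows it, which is worth confirming. The new file also ends without a trailing newline.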