Skip to content

chart: add network policies #708

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chart: add network policies #708

wants to merge 1 commit into from
+58 −0

Conversation

@Gacko
Copy link
Contributor

@Gacko Gacko commented Nov 1, 2025

When deploying the chart to clusters with network access restricted by network policies, you might not be able access the API server.

This PR adds network policies for the controller and kubelet plugin, so they can access the API server in such environments.

@Gacko
chart: add network policies
245564a 
Signed-off-by: Marco Ebert <[email protected]>
@copy-pr-bot
Copy link

copy-pr-bot bot commented Nov 1, 2025

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

jgehrcke
jgehrcke approved these changes Nov 3, 2025
View reviewed changes
Copy link
Collaborator

@jgehrcke jgehrcke left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for this patch @Gacko. At the surface, this looks good to me and I trust that it has solved the problem you were seeing.

@klueska do you also want to have a look?

@Gacko
Copy link
Contributor Author

Gacko commented Nov 3, 2025

@jgehrcke: Yes, it did.

If you're interested I can come up with Helm unit testing in a separate PR. We're using the Helm Unit Tests plugin at Ingress NGINX for some basic testing.

Additionally you could use the Helm Chart Testing tool in conjunction with KIND to deploy and test the chart.

Shall I first create an issue to have a discussion?

@Gacko
Copy link
Contributor Author

Gacko commented Nov 3, 2025

Ah, and one more thought on this PR: I chose ports 443 and 6443 because they are common, but I am not sure if it would actually be a better idea to have them configurable, since this network policy hard-codes egress to any destination via 443 and 6443.

@Gacko
Copy link
Contributor Author

Gacko commented Nov 18, 2025
edited
Loading

Hey hey @jgehrcke & @klueska!

I hope you got home from KubeCon safely! Wanted to ask if we can get this merged any time soon. 🙂

@jgehrcke
Copy link
Collaborator

jgehrcke commented Nov 19, 2025

@shivamerla can you have a look at this patch?

@shivamerla
Copy link
Contributor

shivamerla commented Nov 19, 2025

@jgehrcke LGTM. This gives users a sensible baseline. If additional customization (restricted IP CIDR, namespaces) is needed, cluster admins can continue deploying their own policies and leave it disabled in the helm chart. I don't think we need to make the egress rules/ports customizable and complicate this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jgehrcke jgehrcke jgehrcke approved these changes

Assignees

No one assigned

Labels

None yet

Projects

Planning Board: k8s-dra-driver-gpu
Status: Backlog

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Gacko @jgehrcke @shivamerla