Commit 1df0651
[Feature] Add NetworkIsolation support to RayClusters (#4638)
* [Feature] Add NetworkIsolation support to RayClusters
Co-authored-by: Pat O'Connor <paoconno@redhat.com>
Co-authored-by: Bryan Keane <bkeane@redhat.com>
* add feature gate reg to integration tests + removed redundant if err
Signed-off-by: Pat O'Connor <paoconno@redhat.com>
* separate function for head and base ingress rules
Signed-off-by: Pat O'Connor <paoconno@redhat.com>
* logger updates as per review
Signed-off-by: Pat O'Connor <paoconno@redhat.com>
* adjust DNS egress rule to allow all port 53 egress
Signed-off-by: Pat O'Connor <paoconno@redhat.com>
* resolve helm chart CI failure
Signed-off-by: Pat O'Connor <paoconno@redhat.com>
* restrict KubeRay rule via NamespaceSelector
Signed-off-by: Pat O'Connor <paoconno@redhat.com>
* check if update is necessary on NP via DeepEqual
Signed-off-by: Pat O'Connor <paoconno@redhat.com>
* prevent same-name NP mod + add namespace fallback to default
Signed-off-by: Pat O'Connor <paoconno@redhat.com>
* add missing rayStartParams ports to custom ports example
Signed-off-by: Pat O'Connor <paoconno@redhat.com>
* emit warning when existing NP conflicts with new one via name + fix test
Signed-off-by: Pat O'Connor <paoconno@redhat.com>
* remove redundant samples + add new samples
Signed-off-by: Pat O'Connor <paoconno@redhat.com>
* remove permissive pod selector rule + test updates
Signed-off-by: Pat O'Connor <paoconno@redhat.com>
* prop labels to jobsubmitter for networkpolicy rule
Signed-off-by: Pat O'Connor <paoconno@redhat.com>
* Add opt-in ALLOW_ALL_RAYJOB_SUBMITTERS env var for broad submitter ingress on standalone RayClusters
Signed-off-by: Pat O'Connor <paoconno@redhat.com>
* updated API and config to fix CI failures
Signed-off-by: Pat O'Connor <paoconno@redhat.com>
* Moved label prop to getSummitterTemplate + review changes
Signed-off-by: Pat O'Connor <paoconno@redhat.com>
* Review feedback: failed deletion event + reconcile on dupe + nits
Signed-off-by: Pat O'Connor <paoconno@redhat.com>
* use rayStartParams for ports + review nits
Signed-off-by: Pat O'Connor <paoconno@redhat.com>
* test fix + convert constants to CamelCase
Signed-off-by: Pat O'Connor <paoconno@redhat.com>
* helm updates + check if RayCluster is externally managed
Signed-off-by: Pat O'Connor <paoconno@redhat.com>
* API updates per review + autoscaling egress rule
Signed-off-by: Pat O'Connor <paoconno@redhat.com>
* Use standard lib for CIDR + use logConstructor consistently
Signed-off-by: Pat O'Connor <paoconno@redhat.com>
* Use EndpointSlice IPs for API server egress rule
Signed-off-by: Pat O'Connor <paoconno@redhat.com>
* Deduplicates ports + peers across EndpointSlices in egress rules
Signed-off-by: Pat O'Connor <paoconno@redhat.com>
* Remove operator namespace fallback and prop error if namespace not found
Signed-off-by: Pat O'Connor <paoconno@redhat.com>
* Remove patch verb for networkpolicies
Signed-off-by: Pat O'Connor <paoconno@redhat.com>
* Remove client port rule for operator
Signed-off-by: Pat O'Connor <paoconno@redhat.com>
* Add reconcileConcurrency and GenerationChangedPredicate to NetworkPolicy controller setup
Signed-off-by: Pat O'Connor <paoconno@redhat.com>
* solve 3 points, close to merge
Signed-off-by: Future-Outlier <eric901201@gmail.com>
* helper
Signed-off-by: Future-Outlier <eric901201@gmail.com>
* update
Signed-off-by: Future-Outlier <eric901201@gmail.com>
* CI failure fixes after DNS logic removal
Signed-off-by: Pat O'Connor <paoconno@redhat.com>
* Revert "helper"
This reverts commit 26c4053.
* Skip networkpolicy integration test when missing namespace
Signed-off-by: Pat O'Connor <paoconno@redhat.com>
* Normalize defaulted NetworkPolicy ports before comparing
Signed-off-by: Pat O'Connor <paoconno@redhat.com>
* Drop network policy integration tests pending followup e2e
Signed-off-by: Pat O'Connor <paoconno@redhat.com>
* Remove operator namespace ingress rule
Signed-off-by: Pat O'Connor <paoconno@redhat.com>
* networkpolicy: separate head/worker custom rules in API
  Replace the flat ingressRules/egressRules on NetworkIsolationConfig with per-role head/worker sub-structs. Since the API has not shipped yet, this avoids locking in a shared-only design that would require a backward-compatible migration later. Head and workers have fundamentally different security profiles — head needs external access (dashboard, submitter, Prometheus) while workers typically need outbound access (S3, model registries). A shared-only API forces users to over-permit workers just to allow access to the head.
  New API shape:
    networkIsolation:
      mode: DenyAll
      head:
        ingressRules: [...]
        egressRules: [...]
      worker:
        ingressRules: [...]
        egressRules: [...]
Co-authored-by: Cursor <cursor@cursor.sh>
* NetworkIsolation API change cleanup
Signed-off-by: Pat O'Connor <paoconno@redhat.com>
* Unit tests to ensure custom policies don't leak between head and worker
Signed-off-by: Pat O'Connor <paoconno@redhat.com>
* Sample comment indentation and removal of operator rule from API docs
Signed-off-by: Pat O'Connor <paoconno@redhat.com>
* Indent update to pass linter
Signed-off-by: Pat O'Connor <paoconno@redhat.com>
* Additional review nits - comments etc
Signed-off-by: Pat O'Connor <paoconno@redhat.com>
* Remove redundant comments in controller code
Signed-off-by: Pat O'Connor <paoconno@redhat.com>
---------
Signed-off-by: Pat O'Connor <paoconno@redhat.com>
Signed-off-by: Future-Outlier <eric901201@gmail.com>
Co-authored-by: Laura Fitzgerald <lfitzger@redhat.com>
Co-authored-by: Bryan Keane <bkeane@redhat.com>
Co-authored-by: Future-Outlier <eric901201@gmail.com>
Co-authored-by: Cursor <cursor@cursor.sh>
1 parent 99f542a commit 1df0651
27 files changed
Lines changed: 4768 additions & 2 deletions
File tree
- docs/reference
- helm-chart/kuberay-operator
- crds
- templates
- ray-operator
- apis/ray/v1
- config
- crd/bases
- rbac
- samples
- controllers/ray
- utils
- pkg
- client/applyconfiguration
- ray/v1
- features