bug: Allow project namespaces to communicate with datashield#48

Open
Alwin-K-Thomas wants to merge 3 commits into main from feature/at-datashield-project-access

@Alwin-K-Thomas

  • Added datashield namespace to the project-isolation CiliumNetworkPolicy template
    • Without this, project namespace pods were blocked from reaching opal

@Alwin-K-Thomas Alwin-K-Thomas self-assigned this Mar 27, 2026
@Alwin-K-Thomas Alwin-K-Thomas added the enhancement New feature or request label Mar 27, 2026
@Alwin-K-Thomas Alwin-K-Thomas changed the title feat: Allow project namespaces to communicate with datashield bug: Allow project namespaces to communicate with datashield Mar 27, 2026
@Alwin-K-Thomas Alwin-K-Thomas added bug Something isn't working and removed enhancement New feature or request labels Mar 27, 2026

Copilot AI left a comment

Pull request overview

This PR updates the per-project CiliumNetworkPolicy template so pods in project namespaces can communicate with services in the datashield namespace (e.g., Opal), avoiding unintended isolation blocks.

Changes:

  • Added datashield to the list of allowed “infrastructure namespaces” in the policy documentation.
  • Allowed ingress from datashield to project namespaces.
  • Allowed egress to datashield from project namespaces.

Comment thread src/cr8tor/services/network_policy_manager.py Outdated
@vvcb

vvcb commented Mar 27, 2026

Only projects that are using DataSHIELD for federation should have access to the DataSHIELD namespace. Not all projects should have access.

@Alwin-K-Thomas

Author

> Only projects that are using DataSHIELD for federation should have access to the DataSHIELD namespace. Not all projects should have access.

Thanks @vvcb for the feedback. I've updated the metamodel to add datashield as a resource type (alongside jupyter, VDI), and the UI now exposes it as a selectable option in the deployment. The operator now derives the namespace based on the datashield resource presence, so the network policy is created with datashield access based on the enable flag; if not, it's excluded entirely.
I'll hold off merging until we wrap up the federated demo next week.
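
Added example, not part of the PR or the cr8tor code base: a sketch of the opt-in behaviour described in the comment above, where the rendered CiliumNetworkPolicy names the datashield namespace only when the project declares a datashield resource. The function names, the shape of `resources` and the `kube-system` infrastructure namespace are assumptions.

```python
# Hypothetical helpers, not cr8tor's network_policy_manager.py.
INFRA_NAMESPACES = ["kube-system"]  # assumed always-allowed infrastructure namespace
NS_LABEL = "k8s:io.kubernetes.pod.namespace"  # Cilium's label for a pod's namespace


def allowed_namespaces(project_ns, resources):
    """Namespaces a project may talk to: itself, infra, and datashield only on opt-in."""
    allowed = [project_ns, *INFRA_NAMESPACES]
    # Access is derived from the project's declared resource types, so a
    # project that never asked for datashield gets no rule for it at all.
    if any(r.get("type") == "datashield" for r in resources):
        allowed.append("datashield")
    return allowed


def build_project_policy(project_ns, resources):
    """Return a CiliumNetworkPolicy manifest (as a dict) for one project namespace."""
    peers = [{"matchLabels": {NS_LABEL: ns}}
             for ns in allowed_namespaces(project_ns, resources)]
    return {
        "apiVersion": "cilium.io/v2",
        "kind": "CiliumNetworkPolicy",
        "metadata": {"name": f"{project_ns}-isolation", "namespace": project_ns},
        "spec": {
            "endpointSelector": {},  # every pod in the project namespace
            "ingress": [{"fromEndpoints": peers}],
            "egress": [{"toEndpoints": peers}],
        },
    }


def namespaces_reachable(policy):
    """Audit helper: which namespaces does a rendered policy actually open up?"""
    spec = policy["spec"]
    found = set()
    for rules, key in ((spec.get("ingress", []), "fromEndpoints"),
                       (spec.get("egress", []), "toEndpoints")):
        for rule in rules:
            for peer in rule.get(key, []):
                found.add(peer["matchLabels"][NS_LABEL])
    return found


if __name__ == "__main__":
    # Constructed sample projects: one federated, one not.
    federated = build_project_policy("project-a", [{"type": "jupyter"}, {"type": "datashield"}])
    plain = build_project_policy("project-b", [{"type": "jupyter"}, {"type": "vdi"}])
    print(sorted(namespaces_reachable(federated)))
    print(sorted(namespaces_reachable(plain)))
```

Running `namespaces_reachable` over every rendered project policy gives a quick audit that no non-federated project has picked up a datashield rule.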
