Skip to content

KEP-5708: Add namespace role label support for sig-network#5948

Open
maifeeulasad wants to merge 1 commit intokubernetes:masterfrom
maifeeulasad:kep-5708-maifee
Open

KEP-5708: Add namespace role label support for sig-network#5948
maifeeulasad wants to merge 1 commit intokubernetes:masterfrom
maifeeulasad:kep-5708-maifee

Conversation

@maifeeulasad
Copy link
Copy Markdown

@maifeeulasad maifeeulasad commented Mar 6, 2026

  • One-line PR description: Add namespace role label support for sig-network
  • Other comments: Open for upcoming reviews.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Mar 6, 2026
@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented Mar 6, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: maifeeulasad
Once this PR has been reviewed and has the lgtm label, please assign thockin for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented Mar 6, 2026

Welcome @maifeeulasad!

It looks like this is your first PR to kubernetes/enhancements 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/enhancements has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Mar 6, 2026
@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented Mar 6, 2026

Hi @maifeeulasad. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the sig/network Categorizes an issue or PR as relevant to SIG Network. label Mar 6, 2026
@k8s-ci-robot k8s-ci-robot requested review from bowei and shaneutt March 6, 2026 21:10
@k8s-ci-robot k8s-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Mar 6, 2026
lmktfy
lmktfy reviewed Mar 17, 2026
View reviewed changes
keps/sig-network/5708-namespace-role-label/README.md

## Proposal

Add the label `kubernetes.io/namespace-role=system` to system namespaces when they are created by the system namespaces controller.
Copy link
Copy Markdown
Member

@lmktfy lmktfy Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about later reconciliation if those labels are found missing?

lmktfy
lmktfy reviewed Mar 17, 2026
View reviewed changes
keps/sig-network/5708-namespace-role-label/README.md
- 2026-03-07: Initial KEP created

## Alternatives

Copy link
Copy Markdown
Member

@lmktfy lmktfy Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could reconcile rather than only labelling on create.

lmktfy
lmktfy reviewed Mar 17, 2026
View reviewed changes
keps/sig-network/5708-namespace-role-label/README.md

| Risk | Mitigation |
|------|------------|
| Existing namespaces won't have the label | Document that label only applies to newly created system namespaces; provide migration guidance |
Copy link
Copy Markdown
Member

@lmktfy lmktfy Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not reconcile? Only labelling new namespaces makes the label something that you can't rely on finding.

lmktfy
lmktfy reviewed Mar 17, 2026
View reviewed changes
keps/sig-network/5708-namespace-role-label/README.md

- Define additional role values beyond `system` (future KEP)
- Automatically label user-created namespaces
- Change existing namespace admission or validation
Copy link
Copy Markdown
Member

@lmktfy lmktfy Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why? It could be really useful (eg: warning people if they set that label on a non-system namespace).

lmktfy
lmktfy reviewed Mar 17, 2026
View reviewed changes
keps/sig-network/5708-namespace-role-label/README.md
### Goals

- Define a standard label key `kubernetes.io/namespace-role` for namespace classification
- Automatically label system namespaces (`kube-system`, `kube-public`, `default`) with `kubernetes.io/namespace-role=system`
Copy link
Copy Markdown
Member

@lmktfy lmktfy Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

default is not a system namespace. However, it does count as a special case.

lmktfy
lmktfy reviewed Mar 17, 2026
View reviewed changes
keps/sig-network/5708-namespace-role-label/README.md

## Summary

Introduce a standard label `kubernetes.io/namespace-role` to distinguish "system" namespaces (e.g., `kube-system`, `kube-public`, `default`) from "user" namespaces. This enables distribution-independent policy targeting, particularly for ClusterNetworkPolicy.
Copy link
Copy Markdown
Member

@lmktfy lmktfy Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not the accepted definition of system namespaces.

@lmktfy
Copy link
Copy Markdown
Member

lmktfy commented Mar 17, 2026

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Mar 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bowei bowei Awaiting requested review from bowei

@shaneutt shaneutt Awaiting requested review from shaneutt

1 more reviewer

@lmktfy lmktfy lmktfy left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory ok-to-test Indicates a non-member PR verified by an org member that is safe to test. sig/network Categorizes an issue or PR as relevant to SIG Network. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@maifeeulasad @k8s-ci-robot @lmktfy