Skip to content

fix(rbac): Replace hardcoded namespace: default with namespace: system#2898

Merged
google-oss-prow[bot] merged 1 commit intokubeflow:masterfrom
RobuRishabh:fix/rbac-namespace-placeholder
Apr 6, 2026
Merged

fix(rbac): Replace hardcoded namespace: default with namespace: system#2898
google-oss-prow[bot] merged 1 commit intokubeflow:masterfrom
RobuRishabh:fix/rbac-namespace-placeholder

Conversation

@RobuRishabh
Copy link
Copy Markdown
Contributor

@RobuRishabh RobuRishabh commented Mar 30, 2026
edited
Loading

Purpose of this PR

The config/rbac/spark-application-rbac.yaml file hardcodes namespace: default in its ServiceAccount, Role, RoleBinding, and RoleBinding subjects. This locks deployments to the default namespace and prevents deployers from controlling the target namespace via Kustomize, Helm, or kubectl apply -n.

Proposed changes:

  • Remove namespace: default from ServiceAccount metadata
  • Remove namespace: default from Role metadata
  • Remove namespace: default from RoleBinding metadata
  • Remove namespace: default from RoleBinding subjects

Change Category

  • Bugfix (non-breaking change which fixes an issue)
  • Feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that could affect existing functionality)
  • Documentation update

Rationale

Hardcoding namespace: default breaks multi-tenant and custom-namespace installations. Base manifests should omit explicit namespace fields and let the deployer decide, which is the standard Kubernetes/kubebuilder convention.

Checklist

  • I have conducted a self-review of my own code.
  • I have updated documentation accordingly.
  • I have added tests that prove my changes are effective or that my feature works.
  • Existing unit tests pass locally with my changes.

Copilot AI review requested due to automatic review settings March 30, 2026 18:36
@google-oss-prow google-oss-prow bot requested review from ImpSy and nabuskey March 30, 2026 18:36
Copilot AI reviewed Mar 30, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the Spark application RBAC manifest to follow kubebuilder/kustomize conventions by using namespace: system instead of hardcoding namespace: default.

Changes:

  • Replace namespace: default with namespace: system in the ServiceAccount metadata.
  • Replace namespace: default with namespace: system in the Role metadata.
  • Replace namespace: default with namespace: system in the RoleBinding metadata and its ServiceAccount subject.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

nabuskey
nabuskey approved these changes Mar 31, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@nabuskey nabuskey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@google-oss-prow google-oss-prow bot added the lgtm label Mar 31, 2026
nabuskey
nabuskey suggested changes Mar 31, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@nabuskey nabuskey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually we should just remove explicit namespace references. Namespaces are typically specified in kustomization files, correct?

@google-oss-prow google-oss-prow bot removed the lgtm label Mar 31, 2026
@RobuRishabh RobuRishabh requested a review from nabuskey March 31, 2026 21:24
@RobuRishabh RobuRishabh force-pushed the fix/rbac-namespace-placeholder branch 3 times, most recently from 237bb6a to 0fb30e1 Compare April 6, 2026 18:49
@RobuRishabh
fix(rbac): Remove explicit namespace from spark-application-rbac.yaml
faefbe7 
Remove all hardcoded namespace fields from ServiceAccount, Role,
RoleBinding metadata, and RoleBinding subjects. This lets deployers
control the target namespace via Kustomize, Helm, or kubectl -n
instead of being locked to a specific namespace.

Signed-off-by: roburishabh <roburishabh@outlook.com>
@RobuRishabh RobuRishabh force-pushed the fix/rbac-namespace-placeholder branch from 0fb30e1 to faefbe7 Compare April 6, 2026 18:51
@RobuRishabh
Copy link
Copy Markdown
Contributor Author

RobuRishabh commented Apr 6, 2026

Actually we should just remove explicit namespace references. Namespaces are typically specified in kustomization files, correct?

@nabuskey Thanks for the review, I've updated the PR to remove the explicit namespace fields entirely instead of replacing them with system.

nabuskey
nabuskey approved these changes Apr 6, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@nabuskey nabuskey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@google-oss-prow google-oss-prow bot added lgtm and removed lgtm labels Apr 6, 2026
@RobuRishabh RobuRishabh force-pushed the fix/rbac-namespace-placeholder branch from fd097dd to faefbe7 Compare April 6, 2026 22:38
@RobuRishabh RobuRishabh requested a review from nabuskey April 6, 2026 22:51
nabuskey
nabuskey approved these changes Apr 6, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@nabuskey nabuskey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@google-oss-prow google-oss-prow bot added the lgtm label Apr 6, 2026
vara-bonthu
vara-bonthu approved these changes Apr 6, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@vara-bonthu vara-bonthu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

@google-oss-prow
Copy link
Copy Markdown
Contributor

google-oss-prow bot commented Apr 6, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: vara-bonthu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@google-oss-prow google-oss-prow bot merged commit 4d9bb6f into kubeflow:master Apr 6, 2026
20 of 21 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@vara-bonthu vara-bonthu vara-bonthu approved these changes

@ImpSy ImpSy Awaiting requested review from ImpSy

+1 more reviewer

@nabuskey nabuskey nabuskey approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@vara-bonthu vara-bonthu

@nabuskey nabuskey

Labels

approved lgtm size/XS

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@RobuRishabh @vara-bonthu @nabuskey