Skip to content

Fix custom_cni manifest apply failure for multi-namespace resources#13091

Open
yankay wants to merge 1 commit intokubernetes-sigs:masterfrom
yankay:fix/custom-cni-remove-hardcoded-namespace
Open

Fix custom_cni manifest apply failure for multi-namespace resources#13091
yankay wants to merge 1 commit intokubernetes-sigs:masterfrom
yankay:fix/custom-cni-remove-hardcoded-namespace

Conversation

@yankay
Copy link
Copy Markdown
Member

@yankay yankay commented Mar 13, 2026
edited
Loading

What type of PR is this?

/kind bug

What this PR does / why we need it:

Remove the hardcoded namespace: "kube-system" parameter from the Custom CNI | Start Resources task in roles/network_plugin/custom_cni/tasks/main.yml.

After #13002 bumped the custom_cni test Cilium version to 1.18.6, the regenerated cilium.yaml manifest now includes resources in the cilium-secrets namespace (Namespace object, Roles, and RoleBindings for TLS interception policy secrets). The kube module's namespace: "kube-system" parameter causes kubectl apply --namespace=kube-system, which conflicts with these resources:

error: the namespace from the provided object "cilium-secrets" does not match
the namespace "kube-system". You must pass '--namespace=cilium-secrets' to
perform this operation.

By removing the hardcoded namespace, kubectl apply will respect the namespace declared in each resource's metadata. This is:

  • Consistent with how kube-ovn applies its manifests (no hardcoded namespace)
  • Semantically correct for custom_cni, where users bring their own complete manifests that may target multiple namespaces
  • Safe, because all namespaced resources in the test manifest already have explicit namespace declarations

Which issue(s) this PR fixes:

Fixes the debian11-custom-cni CI failure introduced by #13002.

Special notes for your reviewer:

The kube module (in library/kube.py) only adds --namespace to the kubectl command when the parameter is provided. Without it, kubectl uses whatever namespace is specified in each resource's metadata, which is the desired behavior for multi-namespace manifests.

Other network plugins that apply whole YAML files (kube-ovn) also omit the namespace parameter, while plugins that apply individual known resources (kube-router, multus) use it — this change aligns custom_cni with the correct pattern.

Does this PR introduce a user-facing change?:

Custom CNI manifests with resources targeting multiple namespaces are now correctly applied.
Previously, all resources were forced into kube-system, causing failures for multi-namespace manifests.

Copilot AI review requested due to automatic review settings March 13, 2026 08:30
@k8s-ci-robot k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Mar 13, 2026
@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented Mar 13, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: yankay

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Mar 13, 2026
@yankay
Copy link
Copy Markdown
Member Author

yankay commented Mar 13, 2026

/release-note-none

@yankay
Copy link
Copy Markdown
Member Author

yankay commented Mar 13, 2026

/ok-to-test

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Mar 13, 2026
Copilot AI reviewed Mar 13, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Removes the hardcoded kube-system namespace from the Custom CNI manifest application step so that user-supplied manifests are applied as-is (consistent with kubectl apply -f semantics and manifest-defined namespaces).

Changes:

  • Drop namespace: "kube-system" from the kube task that applies custom_cni_manifests.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note-none Denotes a PR that doesn't merit a release note. labels Mar 13, 2026
@yankay yankay added the ci-full Run every available tests label Mar 13, 2026
@yankay
Copy link
Copy Markdown
Member Author

yankay commented Mar 13, 2026

/retest

@yankay
fix: remove hardcoded namespace from custom_cni kube module
38945f0 
The `Custom CNI | Start Resources` task was passing
`namespace: "kube-system"` to the kube module, which adds
`--namespace=kube-system` to the kubectl apply command. This causes
failures when the user-provided manifest contains resources targeting
namespaces other than kube-system (e.g. cilium-secrets introduced in
Cilium 1.18.6).

Remove the hardcoded namespace parameter so kubectl respects the
namespace declared in each resource's metadata. This is consistent
with how kube-ovn's custom manifests are applied and aligns with the
custom_cni design: users bring their own complete manifests.

Signed-off-by: Xinyang Han <hxy0229@outlook.com>
@yankay yankay force-pushed the fix/custom-cni-remove-hardcoded-namespace branch from eddc5ef to 38945f0 Compare March 13, 2026 11:49
@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. and removed release-note Denotes a PR that will be considered when it comes time to generate release notes. labels Mar 13, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@cyclinder cyclinder Awaiting requested review from cyclinder

@VannTen VannTen Awaiting requested review from VannTen

Assignees

No one assigned

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. ci-full Run every available tests cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note-none Denotes a PR that doesn't merit a release note. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@yankay @k8s-ci-robot