kubeflow · google-oss-prow · Oct 23, 2025 · Oct 10, 2025 · Oct 22, 2025 · andyatmiami
diff --git a/components/centraldashboard-angular/manifests/base/kustomization.yaml b/components/centraldashboard-angular/manifests/base/kustomization.yaml
@@ -10,6 +10,7 @@ resources:
 - service-account.yaml
 - service.yaml
 - configmap.yaml
+- network-policy.yaml
 images:
 - name: ghcr.io/kubeflow/dashboard/dashboard-angular
   newName: ghcr.io/kubeflow/dashboard/dashboard-angular

diff --git a/components/centraldashboard-angular/manifests/base/network-policy.yaml b/components/centraldashboard-angular/manifests/base/network-policy.yaml
@@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: dashboard-angular
+spec:
+  podSelector:
+    matchExpressions:
+      - key: app
+        operator: In
+        values:
+          - dashboard-angular
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchExpressions:
+              - key: kubernetes.io/metadata.name
+                operator: In
+                values:
+                  - istio-system
+        - podSelector: {}
+  policyTypes:
+    - Ingress
diff --git a/components/centraldashboard/manifests/base/kustomization.yaml b/components/centraldashboard/manifests/base/kustomization.yaml
@@ -10,6 +10,7 @@ resources:
 - service-account.yaml
 - service.yaml
 - configmap.yaml
+- network-policy.yaml
 images:
 - name: ghcr.io/kubeflow/dashboard/dashboard
   newName: ghcr.io/kubeflow/dashboard/dashboard

diff --git a/components/centraldashboard/manifests/base/network-policy.yaml b/components/centraldashboard/manifests/base/network-policy.yaml
@@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: dashboard
+spec:
+  podSelector:
+    matchExpressions:
+      - key: app
+        operator: In
+        values:
+          - dashboard
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchExpressions:
+              - key: kubernetes.io/metadata.name
+                operator: In
+                values:
+                  - istio-system
+        - podSelector: {}
+  policyTypes:
+    - Ingress
diff --git a/testing/shared/test_service.sh b/testing/shared/test_service.sh
@@ -39,6 +39,15 @@ case "$OPERATION" in
             -H "kubeflow-userid: test-user" \
             "http://localhost:${PORT}/api/workgroup/exists" \
             >/dev/null 2>&1
+
+        # test the NetworkPolicy, by ensuring other Pods timeout talking to the dashboard
+        OUTPUT=$(kubectl run \
+                    netshoot-test --rm -i \
+                    --restart=Never \
+                    --image nicolaka/netshoot \
+                    -- curl dashboard.kubeflow.svc --connect-timeout 5 \
+                    2>&1 || true)
+        echo $OUTPUT | grep "Connection timed out after"
         ;;
 
     "test-kfam")