fix(spur-k8s): support SpurJobs across all namespaces#78
Merged
shiv-tyagi merged 2 commits intoROCm:mainfrom Apr 14, 2026
Merged
fix(spur-k8s): support SpurJobs across all namespaces#78shiv-tyagi merged 2 commits intoROCm:mainfrom
shiv-tyagi merged 2 commits intoROCm:mainfrom
Conversation
Member
Author
|
Will rebase and mark ready after #79 is merged. |
shiv-tyagi
force-pushed
the
global-namespace-support
branch
4 times, most recently
from
a07f4fe to
4df279d
Compare
Member
Author
|
This PR has a test file which would conflict with #81. I will rebase and merge post that. @powderluv Please approve if this looks okay to you. I will take care of merging on CI pass. |
Made-with: Cursor
…-namespace integration test Made-with: Cursor
powderluv
approved these changes
Apr 14, 2026
shiv-tyagi
force-pushed
the
global-namespace-support
branch
from
4df279d to
730a2a3
Compare
Member
Author
|
Resolved the merge conflict with main. CI is looking good. Merging now. Thanks for the review @powderluv. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The operator was previously scoped to a single namespace (
--namespace, defaultspur). As a result, anySpurJobcreated outside that namespace was never picked up by the controller.What was broken
Why this matters
Running all workloads in the operator’s namespace is not a good security model. User jobs should run in their own namespaces so they can benefit from proper RBAC, quotas, and network policies. The previous setup forced everything into a shared namespace with no isolation. This forces job pods to run in the controller’s namespace. If those pods use a ServiceAccount with elevated permissions in that namespace, it can lead to unintended privilege escalation and potential security risks.
What’s changed
SpurJobs cluster-wide.How it works
spurctldis namespace-agnostic and only deals with job IDs. To bridge that, the operator adds aspur.ai/job-idlabel to eachSpurJob. When a job is dispatched, the system looks up the namespace using this label—making Kubernetes the source of truth and avoiding in-memory state.Why cluster-wide scope
A single operator managing the whole cluster is the intended model (similar to Volcano or Argo). Running one operator per namespace would add unnecessary complexity, and the RBAC was already cluster-scoped anyway.
Before / After
Before (job not admitted outside
spur):After (job admitted in its own namespace):
