From d2c52757213121c744c017a1a76cbae74e1ad706 Mon Sep 17 00:00:00 2001 From: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com> Date: Thu, 16 May 2024 14:18:44 +0200 Subject: [PATCH] Kubernetes 1.29 (#2716) Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com> --- README.md | 107 ++++++++++++----------------- tests/gh-actions/kind-cluster.yaml | 6 +- 2 files changed, 48 insertions(+), 65 deletions(-) diff --git a/README.md b/README.md index 7f54f8012c..0801e25d82 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ -- [Overview](#overview) +- [Overview of the Kubeflow Platform](#overview) - [Kubeflow components versions](#kubeflow-components-versions) - [Installation](#installation) * [Prerequisites](#prerequisites) @@ -17,11 +17,11 @@ -## Overview +## Overview of the Kubeflow Platform -This repo is owned by the [Manifests Working Group](https://github.com/kubeflow/community/blob/master/wg-manifests/charter.md). +This repository is owned by the [Manifests Working Group](https://github.com/kubeflow/community/blob/master/wg-manifests/charter.md). If you are a contributor authoring or editing the packages please see [Best Practices](./docs/KustomizeBestPractices.md). -Our Slack channel is wg-manifests which you can join here https://www.kubeflow.org/docs/about/community/. You can also find our biweekly meetings there as well. +Our Slack channel is wg-manifests which you can join here https://www.kubeflow.org/docs/about/community/. You can also find there our [biweekly meetings](https://bit.ly/kf-wg-manifests-meet), including the commentable [Agenda](https://bit.ly/kf-wg-manifests-notes) The Kubeflow Manifests repository is organized under three main directories, which include manifests for installing: @@ -31,7 +31,7 @@ The Kubeflow Manifests repository is organized under three main directories, whi | `common` | Common services, as maintained by the Manifests WG | | `contrib` | 3rd party contributed applications (e.g. Ray, Kserve), which are maintained externally and are not part of a Kubeflow WG | -All components are deployable with `kustomize`. Any automation tooling for deployment on top of the manifests should be maintained externally by distribution owners. +All components are deployable with `kustomize`. You can choose to deploy the whole Kubeflow platform or individual components. ## Kubeflow components versions @@ -82,11 +82,11 @@ The `example` directory contains an example kustomization for the single command :warning: In both options, we use a default email (`user@example.com`) and password (`12341234`). For any production Kubeflow deployment, you should change the default password by following [the relevant section](#change-default-user-password). ### Prerequisites - -- `Kubernetes` (around `1.28`) with a default [StorageClass](https://kubernetes.io/docs/concepts/storage/storage-classes/) -- `kustomize` [5.2.1+](https://github.com/kubernetes-sigs/kustomize/releases/tag/kustomize%2Fv5.2.1) - - :warning: Kubeflow is not compatible with earlier versions of Kustomize. One of the reasons is that we need the [`sortOptions`](https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/sortoptions/) field, which is only available in Kustomize 5 and onwards https://github.com/kubeflow/manifests/issues/2388. -- `kubectl` +- This is the master branch which targets Kubernetes 1.29+ +- For the specific Kubernetes version per release consult the [release notes](https://github.com/kubeflow/manifests/releases) +- Either our local Kind (installed below) or your own Kubernetes cluster with a default [StorageClass](https://kubernetes.io/docs/concepts/storage/storage-classes/) +- Kustomize [5.2.1+](https://github.com/kubernetes-sigs/kustomize/releases/tag/kustomize%2Fv5.2.1) +- Kubectl in a version that is [compatible with your Kubernetes cluster](https://kubernetes.io/releases/version-skew-policy/#kubectl) --- **NOTE** @@ -113,7 +113,7 @@ kind: Cluster apiVersion: kind.x-k8s.io/v1alpha4 nodes: - role: control-plane - image: kindest/node:v1.28.0 + image: kindest/node:v1.29.4 kubeadmConfigPatches: - | kind: ClusterConfiguration @@ -142,7 +142,7 @@ kubectl create secret generic regcred \ You can install all Kubeflow official components (residing under `apps`) and all common services (residing under `common`) using the following command: ```sh -while ! kustomize build example | kubectl apply -f -; do echo "Retrying to apply resources"; sleep 10; done +while ! kustomize build example | kubectl apply -f -; do echo "Retrying to apply resources"; sleep 20; done ``` Once, everything is installed successfully, you can access the Kubeflow Central Dashboard [by logging in to your cluster](#connect-to-your-kubeflow-cluster). @@ -176,15 +176,16 @@ If you bump into this error we advise to re-apply the kustomization of the compo #### cert-manager -cert-manager is used by many Kubeflow components to provide certificates for +Cert-manager is used by many Kubeflow components to provide certificates for admission webhooks. Install cert-manager: ```sh kustomize build common/cert-manager/cert-manager/base | kubectl apply -f - +echo "Waiting for cert-manager to be ready ..." kubectl wait --for=condition=ready pod -l 'app in (cert-manager,webhook)' --timeout=180s -n cert-manager -kustomize build common/cert-manager/kubeflow-issuer/base | kubectl apply -f - +kubectl wait --for=jsonpath='{.subsets[0].addresses[0].targetRef.kind}'=Pod endpoints -l 'app in (cert-manager,webhook)' --timeout=180s -n cert-manager ``` In case you get this error: @@ -197,35 +198,33 @@ For more troubleshooting info also check out https://cert-manager.io/docs/troubl #### Istio -Istio is used by many Kubeflow components to secure their traffic, enforce +Istio is used by most Kubeflow components to secure their traffic, enforce network authorization and implement routing policies. Install Istio: ```sh +echo "Installing Istio configured with external authorization..." +cd common/istio-1-17 kustomize build common/istio-1-17/istio-crds/base | kubectl apply -f - kustomize build common/istio-1-17/istio-namespace/base | kubectl apply -f - -kustomize build common/istio-1-17/istio-install/base | kubectl apply -f - -``` - -#### AuthService +kustomize build common/istio-1-17/istio-install/overlays/oauth2-proxy | kubectl apply -f - -The OIDC AuthService extends your Istio Ingress-Gateway capabilities, to be able to function as an OIDC client: - -```sh -kustomize build common/oidc-client/oidc-authservice/base | kubectl apply -f - +echo "Waiting for all Istio Pods to become ready..." +kubectl wait --for=condition=Ready pods --all -n istio-system --timeout 300s ``` -
- oauth2-proxy alternative +#### Oauth2-proxy -You can use [OAuth2-proxy](https://github.com/oauth2-proxy/oauth2-proxy) instead of [OIDC AuthService](https://github.com/arrikto/oidc-authservice). To do so, run the following command instead +The oauth2-proxy extends your Istio Ingress-Gateway capabilities, to be able to function as an OIDC client: ```sh -kustomize build common/oidc-client/oauth2-proxy/base | kubectl apply -f - +echo "Installing oauth2-proxy..." +kustomize build common/oidc-client/oauth2-proxy/overlays/m2m-self-signed/ | kubectl apply -f - +kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s -n oauth2-proxy ``` -
+It supports user sessions as well as proper token-based machine to machine atuhhentication. #### Dex @@ -234,10 +233,8 @@ Dex is an OpenID Connect Identity (OIDC) with multiple authentication backends. Install Dex: ```sh -kustomize build common/dex/overlays/istio | kubectl apply -f - +kustomize build common/dex/overlays/oauth2-proxy | kubectl apply -f - ``` - -> If you are using `oauth2-proxy` as auth envoy filter, you should be using `common/dex/overlays/oauth2-proxy` instead. #### Knative @@ -279,19 +276,6 @@ Install kubeflow roles: kustomize build common/kubeflow-roles/base | kubectl apply -f - ``` -#### Kubeflow Istio Resources - -Create the Istio resources needed by Kubeflow. This kustomization currently -creates an Istio Gateway named `kubeflow-gateway`, in namespace `kubeflow`. -If you want to install with your own Istio, then you need this kustomization as -well. - -Install istio resources: - -```sh -kustomize build common/istio-1-17/kubeflow-istio-resources/base | kubectl apply -f - -``` - #### Kubeflow Pipelines Install the [Multi-User Kubeflow Pipelines](https://www.kubeflow.org/docs/components/pipelines/multi-user/) official Kubeflow component: @@ -299,18 +283,12 @@ Install the [Multi-User Kubeflow Pipelines](https://www.kubeflow.org/docs/compon ```sh kustomize build apps/pipeline/upstream/env/cert-manager/platform-agnostic-multi-user | kubectl apply -f - ``` -This installs argo with the safe-to use runasnonroot emissary executor. Please note that the installer is still responsible to analyze the security issues that arise when containers are run with root access and to decide if the kubeflow pipeline main containers are run as runasnonroot. It is strongly recommended that the pipelines main containers are installed and run as runasnonroot and without any special capabilities to mitigate security risks. - -Do not use the deprecated and insecure PNS executor anymore -```sh -kustomize build apps/pipeline/upstream/env/platform-agnostic-multi-user-pns | kubectl apply -f - -``` - -Refer to [argo workflow executor documentation](https://argoproj.github.io/argo-workflows/workflow-executors) for further reasoning. +This installs argo with the runasnonroot emissary executor. Please note that you are still responsible to analyze the security issues that arise when containers are run with root access and to decide if the kubeflow pipeline main containers are run as runasnonroot. It is in general strongly recommended that all user-accessible OCI containers run with Pod Security Standards [restricted] +(https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted) **Multi-User Kubeflow Pipelines dependencies** -* Istio + Kubeflow Istio Resources +* Istio * Kubeflow Roles * OIDC Auth Service (or cloud provider specific auth service) * Profiles + KFAM @@ -337,14 +315,12 @@ Install the KServe component: kustomize build contrib/kserve/kserve | kubectl apply -f - ``` -Install the Models web app: +Install the Models web application: ```sh kustomize build contrib/kserve/models-web-app/overlays/kubeflow | kubectl apply -f - ``` -- ../contrib/kserve/models-web-app/overlays/kubeflow - #### Katib Install the Katib official Kubeflow component: @@ -369,7 +345,7 @@ Install the Admission Webhook for PodDefaults: kustomize build apps/admission-webhook/upstream/overlays/cert-manager | kubectl apply -f - ``` -#### Notebooks +#### Notebooks 1.0 Install the Notebook Controller official Kubeflow component: @@ -383,6 +359,10 @@ Install the Jupyter Web App official Kubeflow component: kustomize build apps/jupyter/jupyter-web-app/upstream/overlays/istio | kubectl apply -f - ``` +#### Workspaces (Notebooks 2.0) + +It is still in development. + #### PVC Viewer Controller Install the PVC Viewer Controller official Kubeflow component: @@ -400,7 +380,7 @@ components: kustomize build apps/profiles/upstream/overlays/kubeflow | kubectl apply -f - ``` -#### Volumes Web App +#### Volumes Web Application Install the Volumes Web App official Kubeflow component: @@ -430,7 +410,7 @@ Install the Training Operator official Kubeflow component: kustomize build apps/training-operator/upstream/overlays/kubeflow | kubectl apply -f - ``` -#### User Namespace +#### User Namespaces Finally, create a new namespace for the default user (named `kubeflow-user-example-com`). @@ -463,13 +443,14 @@ kubectl port-forward svc/istio-ingressgateway -n istio-system 8080:80 After running the command, you can access the Kubeflow Central Dashboard by doing the following: 1. Open your browser and visit `http://localhost:8080`. You should get the Dex login screen. -2. Login with the default user's credential. The default email address is `user@example.com` and the default password is `12341234`. +2. Login with the default user's credentials. The default email address is `user@example.com` and the default password is `12341234`. #### NodePort / LoadBalancer / Ingress -In order to connect to Kubeflow using NodePort / LoadBalancer / Ingress, you need to setup HTTPS. The reason is that many of our web apps (e.g., Tensorboard Web App, Jupyter Web App, Katib UI) use [Secure Cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies), so accessing Kubeflow with HTTP over a non-localhost domain does not work. +In order to connect to Kubeflow using NodePort / LoadBalancer / Ingress, you need to setup HTTPS. The reason is that many of our web applications (e.g., Tensorboard Web Application, Jupyter Web Application, Katib UI) use [Secure Cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies), so accessing Kubeflow with HTTP over a non-localhost domain does not work. -Exposing your Kubeflow cluster with proper HTTPS is a process heavily dependent on your environment. For this reason, please take a look at the available [Kubeflow distributions](https://www.kubeflow.org/docs/started/installing-kubeflow/#install-a-packaged-kubeflow-distribution), which are targeted to specific environments, and select the one that fits your needs. +Exposing your Kubeflow cluster with proper HTTPS is a simple proces, but dependent on your environment. +There are also third-party commercial [distributions](https://www.kubeflow.org/docs/started/installing-kubeflow/#install-a-packaged-kubeflow-distribution) available. --- **NOTE** @@ -484,6 +465,8 @@ For security reasons, we don't want to use the default password for the default 1. Pick a password for the default user, with email `user@example.com`, and hash it using `bcrypt`: +TODO this changed slightly in https://github.com/kubeflow/manifests/pull/2669 and https://github.com/kubeflow/manifests/pull/2229 + ```sh python3 -c 'from passlib.hash import bcrypt; import getpass; print(bcrypt.using(rounds=12, ident="2y").hash(getpass.getpass()))' ``` diff --git a/tests/gh-actions/kind-cluster.yaml b/tests/gh-actions/kind-cluster.yaml index 323fe5adba..83dd8b3325 100644 --- a/tests/gh-actions/kind-cluster.yaml +++ b/tests/gh-actions/kind-cluster.yaml @@ -19,8 +19,8 @@ kubeadmConfigPatches: "service-account-signing-key-file": "/etc/kubernetes/pki/sa.key" nodes: - role: control-plane - image: kindest/node:v1.28.7@sha256:a99353a19f3f8958bc4d9b808425224b6ff0f03b0c1ef7ae18eda5ccc0c21342 + image: kindest/node:v1.29.4@sha256:3abb816a5b1061fb15c6e9e60856ec40d56b7b52bcea5f5f1350bc6e2320b6f8 - role: worker - image: kindest/node:v1.28.7@sha256:a99353a19f3f8958bc4d9b808425224b6ff0f03b0c1ef7ae18eda5ccc0c21342 + image: kindest/node:v1.29.4@sha256:3abb816a5b1061fb15c6e9e60856ec40d56b7b52bcea5f5f1350bc6e2320b6f8 - role: worker - image: kindest/node:v1.28.7@sha256:a99353a19f3f8958bc4d9b808425224b6ff0f03b0c1ef7ae18eda5ccc0c21342 \ No newline at end of file + image: kindest/node:v1.29.4@sha256:3abb816a5b1061fb15c6e9e60856ec40d56b7b52bcea5f5f1350bc6e2320b6f8 \ No newline at end of file