diff --git a/README.md b/README.md
index 5f3ba05541..f9fc94022e 100644
--- a/README.md
+++ b/README.md
@@ -42,14 +42,14 @@ This repo periodically syncs all official Kubeflow components from their respect | Component | Local Manifests Path | Upstream Revision | | - | - | - | | Training Operator | apps/training-operator/upstream | [v1.5.0-rc.0](https://github.com/kubeflow/training-operator/tree/v1.5.0-rc.0/manifests) | -| Notebook Controller | apps/jupyter/notebook-controller/upstream | [v1.6.0-rc.0](https://github.com/kubeflow/kubeflow/tree/v1.6.0-rc.0/components/notebook-controller/config) | -| Tensorboard Controller | apps/tensorboard/tensorboard-controller/upstream | [v1.6.0-rc.0](https://github.com/kubeflow/kubeflow/tree/v1.6.0-rc.0/components/tensorboard-controller/config) | -| Central Dashboard | apps/centraldashboard/upstream | [v1.6.0-rc.0](https://github.com/kubeflow/kubeflow/tree/v1.6.0-rc.0/components/centraldashboard/manifests) | -| Profiles + KFAM | apps/profiles/upstream | [v1.6.0-rc.0](https://github.com/kubeflow/kubeflow/tree/v1.6.0-rc.0/components/profile-controller/config) | -| PodDefaults Webhook | apps/admission-webhook/upstream | [v1.6.0-rc.0](https://github.com/kubeflow/kubeflow/tree/v1.6.0-rc.0/components/admission-webhook/manifests) | -| Jupyter Web App | apps/jupyter/jupyter-web-app/upstream | [v1.6.0-rc.0](https://github.com/kubeflow/kubeflow/tree/v1.6.0-rc.0/components/crud-web-apps/jupyter/manifests) | -| Tensorboards Web App | apps/tensorboard/tensorboards-web-app/upstream | [v1.6.0-rc.0](https://github.com/kubeflow/kubeflow/tree/v1.6.0-rc.0/components/crud-web-apps/tensorboards/manifests) | -| Volumes Web App | apps/volumes-web-app/upstream | [v1.6.0-rc.0](https://github.com/kubeflow/kubeflow/tree/v1.6.0-rc.0/components/crud-web-apps/volumes/manifests) | +| Notebook Controller | apps/jupyter/notebook-controller/upstream | [v1.6.0-rc.1](https://github.com/kubeflow/kubeflow/tree/v1.6.0-rc.1/components/notebook-controller/config) | +| Tensorboard Controller | apps/tensorboard/tensorboard-controller/upstream | 
[v1.6.0-rc.1](https://github.com/kubeflow/kubeflow/tree/v1.6.0-rc.1/components/tensorboard-controller/config) | +| Central Dashboard | apps/centraldashboard/upstream | [v1.6.0-rc.1](https://github.com/kubeflow/kubeflow/tree/v1.6.0-rc.1/components/centraldashboard/manifests) | +| Profiles + KFAM | apps/profiles/upstream | [v1.6.0-rc.1](https://github.com/kubeflow/kubeflow/tree/v1.6.0-rc.1/components/profile-controller/config) | +| PodDefaults Webhook | apps/admission-webhook/upstream | [v1.6.0-rc.1](https://github.com/kubeflow/kubeflow/tree/v1.6.0-rc.1/components/admission-webhook/manifests) | +| Jupyter Web App | apps/jupyter/jupyter-web-app/upstream | [v1.6.0-rc.1](https://github.com/kubeflow/kubeflow/tree/v1.6.0-rc.1/components/crud-web-apps/jupyter/manifests) | +| Tensorboards Web App | apps/tensorboard/tensorboards-web-app/upstream | [v1.6.0-rc.1](https://github.com/kubeflow/kubeflow/tree/v1.6.0-rc.1/components/crud-web-apps/tensorboards/manifests) | +| Volumes Web App | apps/volumes-web-app/upstream | [v1.6.0-rc.1](https://github.com/kubeflow/kubeflow/tree/v1.6.0-rc.1/components/crud-web-apps/volumes/manifests) | | Katib | apps/katib/upstream | [v0.14.0-rc.0](https://github.com/kubeflow/katib/tree/v0.14.0-rc.0/manifests/v1beta1) | | KServe | contrib/kserve/kserve | [release-0.8](https://github.com/kserve/kserve/tree/8079f375cbcedc4d45a1b4aade2e2308ea6f9ae8/install/v0.8.0) | | KServe Models Web App | contrib/kserve/models-web-app | [v0.8.1](https://github.com/kserve/models-web-app/tree/v0.8.1/config) | diff --git a/apps/admission-webhook/upstream/base/kustomization.yaml b/apps/admission-webhook/upstream/base/kustomization.yaml index 97f5f877e0..4c382cc87e 100644 --- a/apps/admission-webhook/upstream/base/kustomization.yaml +++ b/apps/admission-webhook/upstream/base/kustomization.yaml 
@@ -15,7 +15,7 @@ commonLabels: app.kubernetes.io/name: poddefaults images: - name: docker.io/kubeflownotebookswg/poddefaults-webhook - newTag: v1.6.0-rc.0 + newTag: v1.6.0-rc.1 namespace: kubeflow generatorOptions: disableNameSuffixHash: true diff --git a/apps/centraldashboard/upstream/base/kustomization.yaml b/apps/centraldashboard/upstream/base/kustomization.yaml index f20c72365d..220ca23ec5 100644 --- a/apps/centraldashboard/upstream/base/kustomization.yaml +++ b/apps/centraldashboard/upstream/base/kustomization.yaml @@ -17,7 +17,7 @@ commonLabels: app.kubernetes.io/name: centraldashboard images: - name: docker.io/kubeflownotebookswg/centraldashboard - newTag: v1.6.0-rc.0 + newTag: v1.6.0-rc.1 configMapGenerator: - envs: - params.env diff --git a/apps/jupyter/jupyter-web-app/upstream/base/configs/spawner_ui_config.yaml b/apps/jupyter/jupyter-web-app/upstream/base/configs/spawner_ui_config.yaml index 6434891a84..21b3dac6ac 100644 --- a/apps/jupyter/jupyter-web-app/upstream/base/configs/spawner_ui_config.yaml +++ b/apps/jupyter/jupyter-web-app/upstream/base/configs/spawner_ui_config.yaml 
@@ -17,23 +17,23 @@ spawnerFormDefaults: image: # The container Image for the user's Jupyter Notebook - value: kubeflownotebookswg/jupyter-scipy:v1.5.0 + value: kubeflownotebookswg/jupyter-scipy:v1.6.0-rc.1 # The list of available standard container Images options: - - kubeflownotebookswg/jupyter-scipy:v1.6.0-rc.0 - - kubeflownotebookswg/jupyter-pytorch-full:v1.6.0-rc.0 - - kubeflownotebookswg/jupyter-pytorch-cuda-full:v1.6.0-rc.0 - - kubeflownotebookswg/jupyter-tensorflow-full:v1.6.0-rc.0 - - kubeflownotebookswg/jupyter-tensorflow-cuda-full:v1.6.0-rc.0 + - kubeflownotebookswg/jupyter-scipy:v1.6.0-rc.1 + - kubeflownotebookswg/jupyter-pytorch-full:v1.6.0-rc.1 + - kubeflownotebookswg/jupyter-pytorch-cuda-full:v1.6.0-rc.1 + - kubeflownotebookswg/jupyter-tensorflow-full:v1.6.0-rc.1 + - kubeflownotebookswg/jupyter-tensorflow-cuda-full:v1.6.0-rc.1 imageGroupOne: # The container Image for the user's Group One Server # The annotation `notebooks.kubeflow.org/http-rewrite-uri: /` # is applied to notebook in this group, configuring # the Istio rewrite for containers that host their web UI at `/` - value: kubeflownotebookswg/codeserver-python:v1.6.0-rc.0 + value: kubeflownotebookswg/codeserver-python:v1.6.0-rc.1 # The list of available standard container Images options: - - kubeflownotebookswg/codeserver-python:v1.6.0-rc.0 + - kubeflownotebookswg/codeserver-python:v1.6.0-rc.1 imageGroupTwo: # The container Image for the user's Group Two Server # The annotation `notebooks.kubeflow.org/http-rewrite-uri: /` 
@@ -42,10 +42,10 @@ spawnerFormDefaults: # The annotation `notebooks.kubeflow.org/http-headers-request-set` # is applied to notebook in this group, configuring Istio # to add the `X-RStudio-Root-Path` header to requests - value: kubeflownotebookswg/rstudio-tidyverse:v1.6.0-rc.0 + value: kubeflownotebookswg/rstudio-tidyverse:v1.6.0-rc.1 # The list of available standard container Images options: - - kubeflownotebookswg/rstudio-tidyverse:v1.6.0-rc.0 + - kubeflownotebookswg/rstudio-tidyverse:v1.6.0-rc.1 # If true, hide registry and/or tag name in the image selection dropdown hideRegistry: true hideTag: false diff --git a/apps/jupyter/jupyter-web-app/upstream/base/kustomization.yaml b/apps/jupyter/jupyter-web-app/upstream/base/kustomization.yaml index b75ab01c5d..6d5f355861 100644 --- a/apps/jupyter/jupyter-web-app/upstream/base/kustomization.yaml +++ b/apps/jupyter/jupyter-web-app/upstream/base/kustomization.yaml @@ -22,7 +22,7 @@ commonLabels: kustomize.component: jupyter-web-app images: - name: docker.io/kubeflownotebookswg/jupyter-web-app - newTag: v1.6.0-rc.0 + newTag: v1.6.0-rc.1 # We need the name to be unique without the suffix because the original name is what # gets used with patches configMapGenerator: diff --git a/apps/jupyter/notebook-controller/upstream/base/kustomization.yaml b/apps/jupyter/notebook-controller/upstream/base/kustomization.yaml index 8603527a1d..6f1213aec4 100644 --- a/apps/jupyter/notebook-controller/upstream/base/kustomization.yaml +++ b/apps/jupyter/notebook-controller/upstream/base/kustomization.yaml @@ -4,4 +4,4 @@ resources: - ../default images: - name: docker.io/kubeflownotebookswg/notebook-controller - newTag: v1.6.0-rc.0 + newTag: v1.6.0-rc.1 diff --git a/apps/profiles/upstream/base/kustomization.yaml b/apps/profiles/upstream/base/kustomization.yaml index d0198470bf..48d7e6c3d7 100644 --- a/apps/profiles/upstream/base/kustomization.yaml +++ b/apps/profiles/upstream/base/kustomization.yaml 
@@ -11,7 +11,7 @@ patchesStrategicMerge: images: - name: docker.io/kubeflownotebookswg/profile-controller - newTag: v1.6.0-rc.0 + newTag: v1.6.0-rc.1 configMapGenerator: - name: namespace-labels-data diff --git a/apps/profiles/upstream/crd/bases/kubeflow.org_profiles.yaml b/apps/profiles/upstream/crd/bases/kubeflow.org_profiles.yaml index 7d878b5726..d6086200ca 100644 --- a/apps/profiles/upstream/crd/bases/kubeflow.org_profiles.yaml +++ b/apps/profiles/upstream/crd/bases/kubeflow.org_profiles.yaml @@ -1,10 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.4.0 + controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null name: profiles.kubeflow.org spec: 
@@ -22,10 +21,14 @@ spec: description: Profile is the Schema for the profiles API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object 
@@ -36,16 +39,23 @@ spec: description: The profile owner properties: apiGroup: - description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + description: APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + description: Kind of object being referenced. Values defined by + this API group are "User", "Group", and "ServiceAccount". If + the Authorizer does not recognized the kind value, the Authorizer + should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + description: Namespace of the referenced object. If the object + kind is non-namespace, such as "User" or "Group", and this value + is not empty the Authorizer should report an error. type: string required: - kind 
@@ -56,10 +66,16 @@ spec: description: Plugin is for customize actions on different platform. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this + representation of an object. Servers should convert recognized + schemas to the latest internal value, and may reject unrecognized + values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource + this object represents. Servers may infer this from the endpoint + the client submits requests to. Cannot be updated. In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string spec: type: object 
@@ -76,24 +92,39 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'hard is the set of desired hard limits for each named resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/' + description: 'hard is the set of desired hard limits for each + named resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/' type: object scopeSelector: - description: scopeSelector is also a collection of filters like scopes that must match each object tracked by a quota but expressed using ScopeSelectorOperator in combination with possible values. For a resource to match, both scopes AND scopeSelector (if specified in spec), must be matched. + description: scopeSelector is also a collection of filters like + scopes that must match each object tracked by a quota but expressed + using ScopeSelectorOperator in combination with possible values. + For a resource to match, both scopes AND scopeSelector (if specified + in spec), must be matched. properties: matchExpressions: - description: A list of scope selector requirements by scope of the resources. + description: A list of scope selector requirements by scope + of the resources. items: - description: A scoped-resource selector requirement is a selector that contains values, a scope name, and an operator that relates the scope name and values. + description: A scoped-resource selector requirement is a + selector that contains values, a scope name, and an operator + that relates the scope name and values. properties: operator: - description: Represents a scope's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. + description: Represents a scope's relationship to a + set of values. Valid operators are In, NotIn, Exists, + DoesNotExist. 
type: string scopeName: - description: The name of the scope that the selector applies to. + description: The name of the scope that the selector + applies to. type: string values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: An array of string values. If the operator + is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during + a strategic merge patch. items: type: string type: array @@ -104,9 +135,12 @@ spec: type: array type: object scopes: - description: A collection of filters that must match each object tracked by a quota. If not specified, the quota matches all objects. + description: A collection of filters that must match each object + tracked by a quota. If not specified, the quota matches all + objects. items: - description: A ResourceQuotaScope defines a filter that must match each object tracked by a quota + description: A ResourceQuotaScope defines a filter that must + match each object tracked by a quota type: string type: array type: object 
@@ -137,10 +171,14 @@ spec: description: Profile is the Schema for the profiles API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object 
@@ -151,16 +189,23 @@ spec: description: The profile owner properties: apiGroup: - description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + description: APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + description: Kind of object being referenced. Values defined by + this API group are "User", "Group", and "ServiceAccount". If + the Authorizer does not recognized the kind value, the Authorizer + should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + description: Namespace of the referenced object. If the object + kind is non-namespace, such as "User" or "Group", and this value + is not empty the Authorizer should report an error. type: string required: - kind 
@@ -171,10 +216,16 @@ spec: description: Plugin is for customize actions on different platform. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this + representation of an object. Servers should convert recognized + schemas to the latest internal value, and may reject unrecognized + values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource + this object represents. Servers may infer this from the endpoint + the client submits requests to. Cannot be updated. In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string spec: type: object 
@@ -191,24 +242,39 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'hard is the set of desired hard limits for each named resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/' + description: 'hard is the set of desired hard limits for each + named resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/' type: object scopeSelector: - description: scopeSelector is also a collection of filters like scopes that must match each object tracked by a quota but expressed using ScopeSelectorOperator in combination with possible values. For a resource to match, both scopes AND scopeSelector (if specified in spec), must be matched. + description: scopeSelector is also a collection of filters like + scopes that must match each object tracked by a quota but expressed + using ScopeSelectorOperator in combination with possible values. + For a resource to match, both scopes AND scopeSelector (if specified + in spec), must be matched. properties: matchExpressions: - description: A list of scope selector requirements by scope of the resources. + description: A list of scope selector requirements by scope + of the resources. items: - description: A scoped-resource selector requirement is a selector that contains values, a scope name, and an operator that relates the scope name and values. + description: A scoped-resource selector requirement is a + selector that contains values, a scope name, and an operator + that relates the scope name and values. properties: operator: - description: Represents a scope's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. + description: Represents a scope's relationship to a + set of values. Valid operators are In, NotIn, Exists, + DoesNotExist. 
type: string scopeName: - description: The name of the scope that the selector applies to. + description: The name of the scope that the selector + applies to. type: string values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: An array of string values. If the operator + is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during + a strategic merge patch. items: type: string type: array @@ -219,9 +285,12 @@ spec: type: array type: object scopes: - description: A collection of filters that must match each object tracked by a quota. If not specified, the quota matches all objects. + description: A collection of filters that must match each object + tracked by a quota. If not specified, the quota matches all + objects. items: - description: A ResourceQuotaScope defines a filter that must match each object tracked by a quota + description: A ResourceQuotaScope defines a filter that must + match each object tracked by a quota type: string type: array type: object diff --git a/apps/profiles/upstream/crd/kustomization.yaml b/apps/profiles/upstream/crd/kustomization.yaml index 2463cf6666..6a99c5f05c 100644 --- a/apps/profiles/upstream/crd/kustomization.yaml +++ b/apps/profiles/upstream/crd/kustomization.yaml 
@@ -3,19 +3,19 @@ # It should be run by config/default resources: - bases/kubeflow.org_profiles.yaml -# +kubebuilder:scaffold:crdkustomizeresource +#+kubebuilder:scaffold:crdkustomizeresource patchesStrategicMerge: - patches/trivial_conversion_patch.yaml # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix. # patches here are for enabling the conversion webhook for each CRD #- patches/webhook_in_profiles.yaml -# +kubebuilder:scaffold:crdkustomizewebhookpatch +#+kubebuilder:scaffold:crdkustomizewebhookpatch -# [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix. +# [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix. # patches here are for enabling the CA injection for each CRD #- patches/cainjection_in_profiles.yaml -# +kubebuilder:scaffold:crdkustomizecainjectionpatch +#+kubebuilder:scaffold:crdkustomizecainjectionpatch # the following config is for teaching kustomize how to do kustomization for CRDs. configurations: diff --git a/apps/profiles/upstream/crd/kustomizeconfig.yaml b/apps/profiles/upstream/crd/kustomizeconfig.yaml index 6f83d9a94b..ec5c150a9d 100644 --- a/apps/profiles/upstream/crd/kustomizeconfig.yaml +++ b/apps/profiles/upstream/crd/kustomizeconfig.yaml @@ -4,13 +4,15 @@ nameReference: version: v1 fieldSpecs: - kind: CustomResourceDefinition + version: v1 group: apiextensions.k8s.io - path: spec/conversion/webhookClientConfig/service/name + path: spec/conversion/webhook/clientConfig/service/name namespace: - kind: CustomResourceDefinition + version: v1 group: apiextensions.k8s.io - path: spec/conversion/webhookClientConfig/service/namespace + path: spec/conversion/webhook/clientConfig/service/namespace create: false varReference: diff --git a/apps/profiles/upstream/crd/patches/cainjection_in_profiles.yaml b/apps/profiles/upstream/crd/patches/cainjection_in_profiles.yaml index 469003317a..283cb438fe 100644 
--- a/apps/profiles/upstream/crd/patches/cainjection_in_profiles.yaml +++ b/apps/profiles/upstream/crd/patches/cainjection_in_profiles.yaml @@ -1,8 +1,7 @@ # The following patch adds a directive for certmanager to inject CA into the CRD -# CRD conversion requires k8s 1.13 or later. apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - certmanager.k8s.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) name: profiles.kubeflow.org diff --git a/apps/profiles/upstream/crd/patches/trivial_conversion_patch.yaml b/apps/profiles/upstream/crd/patches/trivial_conversion_patch.yaml index 084756256c..32209f97c1 100644 --- a/apps/profiles/upstream/crd/patches/trivial_conversion_patch.yaml +++ b/apps/profiles/upstream/crd/patches/trivial_conversion_patch.yaml @@ -3,5 +3,6 @@ kind: CustomResourceDefinition metadata: name: profiles.kubeflow.org spec: + preserveUnknownFields: false # TODO: Remove in Kubeflow 1.7 release conversion: strategy: None \ No newline at end of file diff --git a/apps/profiles/upstream/crd/patches/webhook_in_profiles.yaml b/apps/profiles/upstream/crd/patches/webhook_in_profiles.yaml index 0031f277b0..ab379f18f3 100644 --- a/apps/profiles/upstream/crd/patches/webhook_in_profiles.yaml +++ b/apps/profiles/upstream/crd/patches/webhook_in_profiles.yaml @@ -1,5 +1,4 @@ -# The following patch enables conversion webhook for CRD -# CRD conversion requires k8s 1.13 or later. +# The following patch enables a conversion webhook for the CRD apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: 
@@ -7,11 +6,11 @@ metadata: spec: conversion: strategy: Webhook - webhookClientConfig: - # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, - # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) - caBundle: Cg== - service: - namespace: system - name: webhook-service - path: /convert + webhook: + clientConfig: + service: + namespace: system + name: webhook-service + path: /convert + conversionReviewVersions: + - v1 diff --git a/apps/profiles/upstream/default/kustomization.yaml b/apps/profiles/upstream/default/kustomization.yaml index 80e47e6895..3951af943f 100644 --- a/apps/profiles/upstream/default/kustomization.yaml +++ b/apps/profiles/upstream/default/kustomization.yaml @@ -16,15 +16,18 @@ bases: - ../crd - ../rbac - ../manager -# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in crd/kustomization.yaml +# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in +# crd/kustomization.yaml #- ../webhook # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required. #- ../certmanager +# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. +#- ../prometheus patchesStrategicMerge: - # Protect the /metrics endpoint by putting it behind auth. - # Only one of manager_auth_proxy_patch.yaml and - # manager_prometheus_metrics_patch.yaml should be enabled. +# Protect the /metrics endpoint by putting it behind auth. +# If you want your controller-manager to expose the /metrics +# endpoint w/o any authn/z, please comment the following line. # - manager_auth_proxy_patch.yaml # If you want your controller-manager to expose the /metrics # endpoint w/o any authn/z, uncomment the following line and 
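Review bot: The rewritten comment under `patchesStrategicMerge:` in `default/kustomization.yaml` tells the reader to comment out the following line to expose `/metrics` without authn/z, but that line is already `# - manager_auth_proxy_patch.yaml` in the context. As far as this file shows, the auth proxy patch is therefore not applied and the instruction cannot be followed. The unchanged comment block right after it still gives the opposite instruction for `manager_prometheus_metrics_patch.yaml`. I would state the real default, for example `# /metrics is NOT placed behind kube-rbac-proxy by default; uncomment the next line to require authn/z.`, and make the two blocks agree. The `patchesStrategicMerge` list continues past the end of this hunk.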
@@ -33,7 +36,8 @@ patchesStrategicMerge: # manager_prometheus_metrics_patch.yaml should be enabled. #- manager_prometheus_metrics_patch.yaml -# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in crd/kustomization.yaml +# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in +# crd/kustomization.yaml #- manager_webhook_patch.yaml # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. @@ -47,16 +51,16 @@ vars: #- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR # objref: # kind: Certificate -# group: certmanager.k8s.io -# version: v1alpha1 +# group: cert-manager.io +# version: v1 # name: serving-cert # this name should match the one in certificate.yaml # fieldref: # fieldpath: metadata.namespace #- name: CERTIFICATE_NAME # objref: # kind: Certificate -# group: certmanager.k8s.io -# version: v1alpha1 +# group: cert-manager.io +# version: v1 # name: serving-cert # this name should match the one in certificate.yaml #- name: SERVICE_NAMESPACE # namespace of the service # objref: diff --git a/apps/profiles/upstream/default/manager_auth_proxy_patch.yaml b/apps/profiles/upstream/default/manager_auth_proxy_patch.yaml index 889fdf74cc..131a314292 100644 --- a/apps/profiles/upstream/default/manager_auth_proxy_patch.yaml +++ b/apps/profiles/upstream/default/manager_auth_proxy_patch.yaml 
@@ -1,24 +1,34 @@ -# This patch inject a sidecar container which is a HTTP proxy for the controller manager, -# it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. +# This patch inject a sidecar container which is a HTTP proxy for the +# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. apiVersion: apps/v1 kind: Deployment metadata: - name: deployment + name: controller-manager + namespace: system spec: template: spec: containers: - name: kube-rbac-proxy - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0 args: - "--secure-listen-address=0.0.0.0:8443" - "--upstream=http://127.0.0.1:8080/" - "--logtostderr=true" - - "--v=10" + - "--v=0" ports: - containerPort: 8443 + protocol: TCP name: https + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 5m + memory: 64Mi - name: manager args: - - "--metrics-addr=127.0.0.1:8080" - - "--enable-leader-election" + - "--health-probe-bind-address=:8081" + - "--metrics-bind-address=127.0.0.1:8080" + - "--leader-elect" diff --git a/apps/profiles/upstream/manager/kustomization.yaml b/apps/profiles/upstream/manager/kustomization.yaml index b6e143061c..e5b6827b42 100644 --- a/apps/profiles/upstream/manager/kustomization.yaml +++ b/apps/profiles/upstream/manager/kustomization.yaml @@ -3,9 +3,9 @@ resources: - service-account.yaml configMapGenerator: -- name: config - literals: +- literals: - ADMIN= - WORKLOAD_IDENTITY= - USERID_HEADER="kubeflow-userid" - USERID_PREFIX= + name: config \ No newline at end of file diff --git a/apps/profiles/upstream/manager/manager.yaml b/apps/profiles/upstream/manager/manager.yaml index 5647ca7ae5..840ed86469 100644 --- a/apps/profiles/upstream/manager/manager.yaml +++ b/apps/profiles/upstream/manager/manager.yaml 
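Review bot: The manager args added in `manager_auth_proxy_patch.yaml` set `--health-probe-bind-address=:8081`, while the probes this commit adds to `manager/manager.yaml` call `/healthz` and `/readyz` on port 9876. If this patch is enabled and its `args` list replaces the one in the Deployment (manager.yaml's own args are not visible here), the probes would target a port nothing listens on and the pod would be restarted; `- "--health-probe-bind-address=:9876"` would keep the two in step. Separately, `gcr.io/kubebuilder/kube-rbac-proxy:v0.11.0` is referenced by a mutable tag. Since this sidecar is the authentication boundary for `/metrics`, pinning it as `kube-rbac-proxy@sha256:<digest-placeholder>` would make the deployed image verifiable.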
@@ -41,4 +41,18 @@ spec: - containerPort: 8080 name: manager-http protocol: TCP - serviceAccountName: controller-service-account + livenessProbe: + httpGet: + path: /healthz + port: 9876 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 9876 + initialDelaySeconds: 5 + periodSeconds: 10 + ports: + - containerPort: 9876 + serviceAccountName: controller-manager diff --git a/apps/profiles/upstream/overlays/kubeflow/kustomization.yaml b/apps/profiles/upstream/overlays/kubeflow/kustomization.yaml index d4d69688e6..e6bee083c1 100644 --- a/apps/profiles/upstream/overlays/kubeflow/kustomization.yaml +++ b/apps/profiles/upstream/overlays/kubeflow/kustomization.yaml @@ -28,4 +28,4 @@ vars: images: - name: docker.io/kubeflownotebookswg/kfam - newTag: v1.6.0-rc.0 + newTag: v1.6.0-rc.1 diff --git a/apps/profiles/upstream/prometheus/kustomization.yaml b/apps/profiles/upstream/prometheus/kustomization.yaml new file mode 100644 index 0000000000..ed137168a1 --- /dev/null +++ b/apps/profiles/upstream/prometheus/kustomization.yaml @@ -0,0 +1,2 @@ +resources: +- monitor.yaml diff --git a/apps/profiles/upstream/prometheus/monitor.yaml b/apps/profiles/upstream/prometheus/monitor.yaml new file mode 100644 index 0000000000..d19136ae71 --- /dev/null +++ b/apps/profiles/upstream/prometheus/monitor.yaml @@ -0,0 +1,20 @@ + +# Prometheus Monitor Service (Metrics) +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + labels: + control-plane: controller-manager + name: controller-manager-metrics-monitor + namespace: system +spec: + endpoints: + - path: /metrics + port: https + scheme: https + bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token + tlsConfig: + insecureSkipVerify: true + selector: + matchLabels: + control-plane: controller-manager 
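Review bot: `serviceAccountName` changes to `controller-manager` in manager/manager.yaml, but the RBAC in this commit still refers to the old account: leader_election_role_binding.yaml keeps `name: controller-service-account` as its subject, and rbac/kustomization.yaml leaves `service_account.yaml` commented out. Unless an overlay outside this diff renames one side, the pod would either fail to be created for lack of the ServiceAccount or run under an identity the bindings do not cover. Either keep `serviceAccountName: controller-service-account` or change the binding subjects to `name: controller-manager` in the same commit. The container spec starts outside this hunk, so which container receives the added probes and the extra `ports:` entry cannot be checked from here.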
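Review bot: The new ServiceMonitor in prometheus/monitor.yaml sends the scraper's service-account token (`bearerTokenFile`) over TLS with `insecureSkipVerify: true`, so the token is presented to whatever answers on the `https` port without the server certificate being checked. Prefer verifying the proxy's certificate: issue it from a known CA and replace the flag with `ca:` (a Secret or ConfigMap reference) plus `serverName: <metrics-service>.<namespace>.svc` (placeholder names). If verification cannot be set up yet, a comment on the `tlsConfig` block saying so, and why, would at least make the exception visible to whoever enables this resource.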
diff --git a/apps/profiles/upstream/rbac/auth_proxy_client_clusterrole.yaml b/apps/profiles/upstream/rbac/auth_proxy_client_clusterrole.yaml new file mode 100644 index 0000000000..51a75db47a --- /dev/null +++ b/apps/profiles/upstream/rbac/auth_proxy_client_clusterrole.yaml @@ -0,0 +1,9 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: metrics-reader +rules: +- nonResourceURLs: + - "/metrics" + verbs: + - get diff --git a/apps/profiles/upstream/rbac/auth_proxy_role.yaml b/apps/profiles/upstream/rbac/auth_proxy_role.yaml index 618f5e4177..80e1857c59 100644 --- a/apps/profiles/upstream/rbac/auth_proxy_role.yaml +++ b/apps/profiles/upstream/rbac/auth_proxy_role.yaml @@ -3,11 +3,15 @@ kind: ClusterRole metadata: name: proxy-role rules: -- apiGroups: ["authentication.k8s.io"] +- apiGroups: + - authentication.k8s.io resources: - tokenreviews - verbs: ["create"] -- apiGroups: ["authorization.k8s.io"] + verbs: + - create +- apiGroups: + - authorization.k8s.io resources: - subjectaccessreviews - verbs: ["create"] + verbs: + - create diff --git a/apps/profiles/upstream/rbac/auth_proxy_service.yaml b/apps/profiles/upstream/rbac/auth_proxy_service.yaml index d61e5469fb..71f1797279 100644 --- a/apps/profiles/upstream/rbac/auth_proxy_service.yaml +++ b/apps/profiles/upstream/rbac/auth_proxy_service.yaml @@ -1,10 +1,6 @@ apiVersion: v1 kind: Service metadata: - annotations: - prometheus.io/port: "8443" - prometheus.io/scheme: https - prometheus.io/scrape: "true" labels: control-plane: controller-manager name: controller-manager-metrics-service @@ -13,6 +9,7 @@ spec: ports: - name: https port: 8443 + protocol: TCP targetPort: https selector: control-plane: controller-manager diff --git a/apps/profiles/upstream/rbac/kustomization.yaml b/apps/profiles/upstream/rbac/kustomization.yaml index 00ea48591c..bd995d6fab 100644 --- a/apps/profiles/upstream/rbac/kustomization.yaml +++ b/apps/profiles/upstream/rbac/kustomization.yaml 
@@ -1,11 +1,18 @@ resources: +# All RBAC will be applied under this service account in +# the deployment namespace. You may comment out this resource +# if your manager will use a service account that exists at +# runtime. Be sure to update RoleBinding and ClusterRoleBinding +# subjects if changing service account names. +# - service_account.yaml # - role.yaml - role_binding.yaml - leader_election_role.yaml - leader_election_role_binding.yaml -# Comment the following 3 lines if you want to disable +# Comment the following 4 lines if you want to disable # the auth proxy (https://github.com/brancz/kube-rbac-proxy) # which protects your /metrics endpoint. # - auth_proxy_service.yaml # - auth_proxy_role.yaml # - auth_proxy_role_binding.yaml +# - auth_proxy_client_clusterrole.yaml diff --git a/apps/profiles/upstream/rbac/leader_election_role_binding.yaml b/apps/profiles/upstream/rbac/leader_election_role_binding.yaml index 902b8d9f1f..e2afd1e758 100644 --- a/apps/profiles/upstream/rbac/leader_election_role_binding.yaml +++ b/apps/profiles/upstream/rbac/leader_election_role_binding.yaml @@ -8,4 +8,4 @@ roleRef: name: leader-election-role subjects: - kind: ServiceAccount - name: controller-service-account \ No newline at end of file + name: controller-service-account diff --git a/apps/profiles/upstream/rbac/profile_editor_role.yaml b/apps/profiles/upstream/rbac/profile_editor_role.yaml new file mode 100644 index 0000000000..daf0325166 --- /dev/null +++ b/apps/profiles/upstream/rbac/profile_editor_role.yaml @@ -0,0 +1,24 @@ +# permissions for end users to edit profiles. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: profile-editor-role +rules: +- apiGroups: + - kubeflow.org + resources: + - profiles + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - kubeflow.org + resources: + - profiles/status + verbs: + - get 
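Review bot: In rbac/kustomization.yaml `role.yaml` stays commented out under `resources` while `role_binding.yaml` remains active, and that binding's `roleRef` is `cluster-admin` (see the role_binding.yaml hunk), so the scoped `manager-role` this commit adds in role.yaml is never applied. If cluster-admin is still required, say so next to the entry, e.g. `# role.yaml (manager-role) is not applied; role_binding.yaml binds cluster-admin instead`. Otherwise enable `- role.yaml` and point the binding at `manager-role`. The auth-proxy comment now says "Comment the following 4 lines" although all four entries below it are already commented out, so it describes the opposite of what a reader has to do.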
diff --git a/apps/profiles/upstream/rbac/profile_viewer_role.yaml b/apps/profiles/upstream/rbac/profile_viewer_role.yaml new file mode 100644 index 0000000000..b14ccd5556 --- /dev/null +++ b/apps/profiles/upstream/rbac/profile_viewer_role.yaml @@ -0,0 +1,20 @@ +# permissions for end users to view profiles. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: profile-viewer-role +rules: +- apiGroups: + - kubeflow.org + resources: + - profiles + verbs: + - get + - list + - watch +- apiGroups: + - kubeflow.org + resources: + - profiles/status + verbs: + - get diff --git a/apps/profiles/upstream/rbac/role.yaml b/apps/profiles/upstream/rbac/role.yaml new file mode 100644 index 0000000000..db354a0c75 --- /dev/null +++ b/apps/profiles/upstream/rbac/role.yaml @@ -0,0 +1,39 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: manager-role +rules: +- apiGroups: + - "" + resources: + - namespaces + verbs: + - '*' +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - '*' +- apiGroups: + - kubeflow.org + resources: + - profiles + - profiles/finalizers + - profiles/status + verbs: + - '*' +- apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + verbs: + - '*' +- apiGroups: + - security.istio.io + resources: + - authorizationpolicies + verbs: + - '*' diff --git a/apps/profiles/upstream/rbac/role_binding.yaml b/apps/profiles/upstream/rbac/role_binding.yaml index 3c260a3e04..6dc1096adb 100644 --- a/apps/profiles/upstream/rbac/role_binding.yaml +++ b/apps/profiles/upstream/rbac/role_binding.yaml 
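Review bot: Every rule in `manager-role` (rbac/role.yaml) uses `verbs: - '*'`, which grants verbs such as `deletecollection` on cluster-wide `namespaces`, `serviceaccounts` and `rolebindings` and silently picks up any verb added later. Listing the verbs the controller actually uses (for example `create`, `get`, `list`, `watch`, `update`, `patch`, `delete`) keeps the role reviewable. The `creationTimestamp: null` field suggests the file is generated, in which case the change belongs in the RBAC markers of the controller source rather than in this file.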
@@ -1,12 +1,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: cluster-role-binding + name: cluster-rolebinding roleRef: - # profile-controller creates RoleBindings that give permissions in various - # user namespaces.These permissions are defined in another ClusterRole and is - # not known beforehand. Thus, profile-controller is using a more permissive - # ClusterRole. apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin diff --git a/apps/profiles/upstream/rbac/service_account.yaml b/apps/profiles/upstream/rbac/service_account.yaml new file mode 100644 index 0000000000..7cd6025bfc --- /dev/null +++ b/apps/profiles/upstream/rbac/service_account.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: controller-manager + namespace: system diff --git a/apps/profiles/upstream/samples/_v1_profile.yaml b/apps/profiles/upstream/samples/_v1_profile.yaml new file mode 100644 index 0000000000..5a87ff0750 --- /dev/null +++ b/apps/profiles/upstream/samples/_v1_profile.yaml @@ -0,0 +1,6 @@ +apiVersion: kubeflow.org/v1 +kind: Profile +metadata: + name: profile-sample +spec: + # TODO(user): Add fields here diff --git a/apps/profiles/upstream/samples/_v1beta1_profile.yaml b/apps/profiles/upstream/samples/_v1beta1_profile.yaml new file mode 100644 index 0000000000..7e4a070b45 --- /dev/null +++ b/apps/profiles/upstream/samples/_v1beta1_profile.yaml @@ -0,0 +1,6 @@ +apiVersion: kubeflow.org/v1beta1 +kind: Profile +metadata: + name: profile-sample +spec: + # TODO(user): Add fields here diff --git a/apps/profiles/upstream/samples/profile_v1_aws_iam.yaml b/apps/profiles/upstream/samples/profile_v1_aws_iam.yaml deleted file mode 100644 index bd94903aaf..0000000000 --- a/apps/profiles/upstream/samples/profile_v1_aws_iam.yaml +++ /dev/null 
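Review bot: The comment explaining why profile-controller is bound to `cluster-admin` is dropped in rbac/role_binding.yaml while the `roleRef` itself is unchanged, which leaves the most privileged binding in these manifests without a stated reason. Keep a short rationale above `roleRef`, e.g. `# profile-controller creates RoleBindings to ClusterRoles not known in advance, hence cluster-admin`. The rename to `cluster-rolebinding` also means an existing `cluster-role-binding` object is not updated in place. Unless the deployment prunes removed resources, the old cluster-admin binding may remain after an upgrade and should be deleted explicitly.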
@@ -1,12 +0,0 @@ -apiVersion: kubeflow.org/v1 -kind: Profile -metadata: - name: profile-aws-iam -spec: - owner: - kind: User - name: test-user@kubeflow.org - plugins: - - kind: AwsIamForServiceAccount - spec: - awsIamRole: arn:aws:iam::account-id:role/s3-reader diff --git a/apps/profiles/upstream/samples/profile_v1_profile.yaml b/apps/profiles/upstream/samples/profile_v1_profile.yaml deleted file mode 100644 index 4fd18b2c05..0000000000 --- a/apps/profiles/upstream/samples/profile_v1_profile.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: kubeflow.org/v1 -kind: Profile -metadata: - name: profile-v1beta1 -spec: - owner: - kind: User - name: user1@abcd.com - plugins: - - kind: WorkloadIdentity - spec: - gcpServiceAccount: kubeflow2@project-id.iam.gserviceaccount.com diff --git a/apps/profiles/upstream/samples/profile_v1beta1_profile.yaml b/apps/profiles/upstream/samples/profile_v1beta1_profile.yaml deleted file mode 100644 index 6db0472423..0000000000 --- a/apps/profiles/upstream/samples/profile_v1beta1_profile.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: kubeflow.org/v1beta1 -kind: Profile -metadata: - name: kubeflow-user1 -spec: - owner: - kind: User - name: user1@abcd.com - plugins: - - kind: WorkloadIdentity - spec: - gcpServiceAccount: kubeflow2@project-id.iam.gserviceaccount.com - resourceQuotaSpec: - hard: - cpu: "10" - memory: 20Gi - pods: "20" diff --git a/apps/tensorboard/tensorboard-controller/upstream/base/kustomization.yaml b/apps/tensorboard/tensorboard-controller/upstream/base/kustomization.yaml index 34523c5d19..b20097ddda 100644 --- a/apps/tensorboard/tensorboard-controller/upstream/base/kustomization.yaml +++ b/apps/tensorboard/tensorboard-controller/upstream/base/kustomization.yaml @@ -12,4 +12,4 @@ patchesStrategicMerge: - patches/add_controller_config.yaml images: - name: docker.io/kubeflownotebookswg/tensorboard-controller - newTag: v1.6.0-rc.0 + newTag: v1.6.0-rc.1 
diff --git a/apps/tensorboard/tensorboards-web-app/upstream/base/kustomization.yaml b/apps/tensorboard/tensorboards-web-app/upstream/base/kustomization.yaml index de813eccf8..ff83819d1b 100644 --- a/apps/tensorboard/tensorboards-web-app/upstream/base/kustomization.yaml +++ b/apps/tensorboard/tensorboards-web-app/upstream/base/kustomization.yaml @@ -13,7 +13,7 @@ commonLabels: kustomize.component: tensorboards-web-app images: - name: docker.io/kubeflownotebookswg/tensorboards-web-app - newTag: v1.6.0-rc.0 + newTag: v1.6.0-rc.1 # We need the name to be unique without the suffix because the original name is what # gets used with patches configMapGenerator: diff --git a/apps/volumes-web-app/upstream/base/kustomization.yaml b/apps/volumes-web-app/upstream/base/kustomization.yaml index 68e395c006..5e159ef82d 100644 --- a/apps/volumes-web-app/upstream/base/kustomization.yaml +++ b/apps/volumes-web-app/upstream/base/kustomization.yaml @@ -13,7 +13,7 @@ commonLabels: kustomize.component: volumes-web-app images: - name: docker.io/kubeflownotebookswg/volumes-web-app - newTag: v1.6.0-rc.0 + newTag: v1.6.0-rc.1 # We need the name to be unique without the suffix because the original name is what # gets used with patches configMapGenerator: