From f6930430bbff430e30180591f430978a275fa28d Mon Sep 17 00:00:00 2001 From: Abdullah Pathan Date: Thu, 19 Mar 2026 06:03:18 +0530 Subject: [PATCH 01/17] fix: resolve Kustomize 5 deprecation warnings (#2991) Signed-off-by: Abdullah Pathan --- .../upstream/base/kustomization.yaml | 55 ++-- .../overlays/cert-manager/kustomization.yaml | 64 +++-- .../upstream/base/kustomization.yaml | 101 +++---- .../overlays/istio/kustomization.yaml | 34 ++- .../upstream/crd/kustomization.yaml | 22 +- .../upstream/default/kustomization.yaml | 12 +- .../overlays/kubeflow/kustomization.yaml | 4 +- .../profiles/upstream/base/kustomization.yaml | 4 +- .../profiles/upstream/crd/kustomization.yaml | 8 +- .../upstream/default/kustomization.yaml | 20 +- .../overlays/kubeflow/kustomization.yaml | 32 ++- .../upstream/crd/kustomization.yaml | 8 +- .../upstream/default/cainjection_patch.yaml | 14 +- .../upstream/default/kustomization.yaml | 247 ++++++++---------- .../upstream/base/kustomization.yaml | 4 +- .../upstream/crd/kustomization.yaml | 6 +- .../upstream/default/kustomization.yaml | 16 +- .../overlays/kubeflow/kustomization.yaml | 4 +- .../upstream/base/kustomization.yaml | 88 ++++--- .../overlays/istio/kustomization.yaml | 34 ++- .../upstream/base/kustomization.yaml | 88 ++++--- .../overlays/istio/kustomization.yaml | 34 ++- 22 files changed, 486 insertions(+), 413 deletions(-) diff --git a/applications/admission-webhook/upstream/base/kustomization.yaml b/applications/admission-webhook/upstream/base/kustomization.yaml index c0701101d0..f2990bb26f 100644 --- a/applications/admission-webhook/upstream/base/kustomization.yaml +++ b/applications/admission-webhook/upstream/base/kustomization.yaml 
@@ -8,45 +8,38 @@ resources: - service-account.yaml - service.yaml - crd.yaml -commonLabels: - app: poddefaults - kustomize.component: poddefaults - app.kubernetes.io/component: poddefaults - app.kubernetes.io/name: poddefaults +labels: +- includeSelectors: true + pairs: + app: poddefaults + kustomize.component: poddefaults + app.kubernetes.io/component: poddefaults + app.kubernetes.io/name: poddefaults + images: - name: ghcr.io/kubeflow/kubeflow/poddefaults-webhook newName: ghcr.io/kubeflow/kubeflow/poddefaults-webhook newTag: v1.10.0 + namespace: kubeflow + generatorOptions: disableNameSuffixHash: true -vars: -# These vars are used to substitute in the namespace, service name and -# deployment name into the mutating WebHookConfiguration. -# Since its a CR kustomize isn't aware of those fields and won't -# transform them. -# We need the var names to be relatively unique so that when we -# compose with other applications they won't conflict. -- fieldref: - fieldPath: metadata.namespace - name: podDefaultsNamespace - objref: - apiVersion: v1 - kind: Service - name: service -- fieldref: - fieldPath: metadata.name - name: podDefaultsServiceName - objref: - apiVersion: v1 - kind: Service - name: service -- fieldref: - fieldPath: metadata.name - name: podDefaultsDeploymentName - objref: - apiVersion: apps/v1 + +replacements: +- source: kind: Deployment name: deployment + fieldPath: metadata.name + targets: + - select: + kind: MutatingWebhookConfiguration + name: mutating-webhook-configuration + fieldPaths: + - webhooks.0.name + options: + delimiter: "." + index: 0 + configurations: - params.yaml diff --git a/applications/admission-webhook/upstream/overlays/cert-manager/kustomization.yaml b/applications/admission-webhook/upstream/overlays/cert-manager/kustomization.yaml index 36542dded6..2ba92fead4 100644 --- a/applications/admission-webhook/upstream/overlays/cert-manager/kustomization.yaml 
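Review bot: The new `replacements` block only writes the Deployment name into `webhooks.0.name`; the removed `podDefaultsNamespace` and `podDefaultsServiceName` vars, which previously fed the webhook's `clientConfig.service` fields through params.yaml, have no replacement counterpart. As far as I recall kustomize's built-in nameReference and namespace transformers already cover `webhooks/clientConfig/service/{name,namespace}` on MutatingWebhookConfiguration, so this is probably fine, but it needs confirming on rendered output (`kustomize build applications/admission-webhook/upstream/base | grep -A3 clientConfig`) because a stale service reference fails in a security-relevant way: with `failurePolicy: Fail` every Pod admission in matching namespaces is rejected, with `Ignore` PodDefaults are silently no longer injected. If params.yaml now only declares varReference entries it is dead configuration and can be trimmed.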
+++ b/applications/admission-webhook/upstream/overlays/cert-manager/kustomization.yaml @@ -4,44 +4,56 @@ # the certificate. # TODO(jlewi): We should eventually refactor the manifests to delete # bootstrap and use certmanager by default. -bases: -- ../../base - resources: +- ../../base - certificate.yaml namespace: kubeflow namePrefix: admission-webhook- -commonLabels: - app: poddefaults - kustomize.component: poddefaults - app.kubernetes.io/component: poddefaults - app.kubernetes.io/name: poddefaults +labels: +- includeSelectors: true + pairs: + app: poddefaults + kustomize.component: poddefaults + app.kubernetes.io/component: poddefaults + app.kubernetes.io/name: poddefaults -patchesStrategicMerge: -- mutating-webhook-configuration.yaml -- deployment.yaml +patches: +- path: mutating-webhook-configuration.yaml +- path: deployment.yaml generatorOptions: disableNameSuffixHash: true -vars: -# These vars are used to substitute in the namespace, service name and -# deployment name into the mutating WebHookConfiguration. -# Since its a CR kustomize isn't aware of those fields and won't -# transform them. -# We need the var names to be relatively unique so that when we -# compose with other applications they won't conflict. -- name: podDefaultsCertName - objref: - kind: Certificate - group: cert-manager.io - version: v1 - name: cert - fieldref: - fieldpath: metadata.name +replacements: +- source: + kind: Service + name: service + fieldPath: metadata.namespace + targets: + - select: + kind: MutatingWebhookConfiguration + name: mutating-webhook-configuration + fieldPaths: + - metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: "/" + index: 0 +- source: + kind: Certificate + name: cert + fieldPath: metadata.name + targets: + - select: + kind: MutatingWebhookConfiguration + name: mutating-webhook-configuration + fieldPaths: + - metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: "/" + index: 1 configurations: - params.yaml 
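Review bot: The first replacement builds the namespace segment of `cert-manager.io/inject-ca-from` from the Service's `metadata.namespace`, but cainjector resolves that annotation as `<namespace>/<name>` of the Certificate, so the source should be the Certificate itself: `kind: Certificate` / `name: cert` / `fieldPath: metadata.namespace`. Both objects land in `kubeflow` today through the overlay's `namespace:` field, so the output is identical for now, but if the Certificate is ever moved the annotation would point at a nonexistent Certificate, no caBundle would be injected, and with `failurePolicy: Fail` Pod creation is blocked while with `Ignore` PodDefault injection silently stops. There is also no `create: true`, so the annotation must already exist in `mutating-webhook-configuration.yaml`, presumably still with the old `$(...)` placeholders; the vars that substituted them are gone, so grep the rendered overlay for `$(` before merging.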
diff --git a/applications/jupyter/jupyter-web-app/upstream/base/kustomization.yaml b/applications/jupyter/jupyter-web-app/upstream/base/kustomization.yaml index 76989046ac..fefe4e1e18 100644 --- a/applications/jupyter/jupyter-web-app/upstream/base/kustomization.yaml +++ b/applications/jupyter/jupyter-web-app/upstream/base/kustomization.yaml @@ -17,13 +17,17 @@ resources: - configs/logos-configmap.yaml namePrefix: jupyter-web-app- namespace: kubeflow -commonLabels: - app: jupyter-web-app - kustomize.component: jupyter-web-app +labels: +- includeSelectors: true + pairs: + app: jupyter-web-app + kustomize.component: jupyter-web-app + images: - name: ghcr.io/kubeflow/kubeflow/jupyter-web-app newName: ghcr.io/kubeflow/kubeflow/jupyter-web-app newTag: v1.10.0 + # We need the name to be unique without the suffix because the original name is what # gets used with patches configMapGenerator: 
@@ -33,60 +37,65 @@ configMapGenerator: - files: - configs/spawner_ui_config.yaml name: config -vars: -- fieldref: - fieldPath: data.JWA_CLUSTER_DOMAIN - name: JWA_CLUSTER_DOMAIN - objref: - apiVersion: v1 + +replacements: +- source: kind: ConfigMap name: parameters -- fieldref: - fieldPath: metadata.namespace - name: JWA_NAMESPACE - objref: - apiVersion: v1 - kind: Service - name: service -- fieldref: - fieldPath: data.JWA_USERID_HEADER - name: JWA_USERID_HEADER - objref: - apiVersion: v1 + fieldPath: data.JWA_PREFIX + targets: + - select: + kind: Deployment + name: deployment + fieldPaths: + - spec.template.spec.containers.[name=jupyter-web-app].env.[name=APP_PREFIX].value +- source: kind: ConfigMap name: parameters -- fieldref: - fieldPath: data.JWA_USERID_PREFIX - name: JWA_USERID_PREFIX - objref: - apiVersion: v1 + fieldPath: data.JWA_UI + targets: + - select: + kind: Deployment + name: deployment + fieldPaths: + - spec.template.spec.containers.[name=jupyter-web-app].env.[name=UI].value +- source: kind: ConfigMap name: parameters -- fieldref: - fieldPath: data.JWA_UI - name: JWA_UI - objref: - apiVersion: v1 + fieldPath: data.JWA_USERID_HEADER + targets: + - select: + kind: Deployment + name: deployment + fieldPaths: + - spec.template.spec.containers.[name=jupyter-web-app].env.[name=USERID_HEADER].value +- source: kind: ConfigMap name: parameters -- fieldref: - fieldPath: data.JWA_PREFIX - name: JWA_PREFIX - objref: - apiVersion: v1 + fieldPath: data.JWA_USERID_PREFIX + targets: + - select: + kind: Deployment + name: deployment + fieldPaths: + - spec.template.spec.containers.[name=jupyter-web-app].env.[name=USERID_PREFIX].value +- source: kind: ConfigMap name: parameters -- name: JWA_APP_SECURE_COOKIES - fieldref: fieldPath: data.JWA_APP_SECURE_COOKIES - objref: - apiVersion: v1 + targets: + - select: + kind: Deployment + name: deployment + fieldPaths: + - spec.template.spec.containers.[name=jupyter-web-app].env.[name=APP_SECURE_COOKIES].value +- source: kind: 
ConfigMap name: parameters -- name: JWA_APP_ENABLE_METRICS - fieldref: fieldPath: data.JWA_APP_ENABLE_METRICS - objref: - apiVersion: v1 - kind: ConfigMap - name: parameters + targets: + - select: + kind: Deployment + name: deployment + fieldPaths: + - spec.template.spec.containers.[name=jupyter-web-app].env.[name=METRICS].value diff --git a/applications/jupyter/jupyter-web-app/upstream/overlays/istio/kustomization.yaml b/applications/jupyter/jupyter-web-app/upstream/overlays/istio/kustomization.yaml index a647f10977..fdc355bcff 100644 --- a/applications/jupyter/jupyter-web-app/upstream/overlays/istio/kustomization.yaml +++ b/applications/jupyter/jupyter-web-app/upstream/overlays/istio/kustomization.yaml @@ -6,8 +6,36 @@ resources: - authorization-policy.yaml - destination-rule.yaml namespace: kubeflow -commonLabels: - app: jupyter-web-app - kustomize.component: jupyter-web-app +labels: +- includeSelectors: true + pairs: + app: jupyter-web-app + kustomize.component: jupyter-web-app configurations: - params.yaml + +replacements: +- source: + kind: Service + name: service + fieldPath: metadata.namespace + targets: + - select: + kind: VirtualService + fieldPaths: + - spec.http.0.route.0.destination.host + options: + delimiter: "." + index: 1 +- source: + kind: ConfigMap + name: parameters + fieldPath: data.JWA_CLUSTER_DOMAIN + targets: + - select: + kind: VirtualService + fieldPaths: + - spec.http.0.route.0.destination.host + options: + delimiter: "." + index: 3 diff --git a/applications/jupyter/notebook-controller/upstream/crd/kustomization.yaml b/applications/jupyter/notebook-controller/upstream/crd/kustomization.yaml index 8dac3f0e48..5c976d1d06 100644 --- a/applications/jupyter/notebook-controller/upstream/crd/kustomization.yaml +++ b/applications/jupyter/notebook-controller/upstream/crd/kustomization.yaml 
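Review bot: `JWA_NAMESPACE` and `JWA_CLUSTER_DOMAIN` are dropped from the base here and only reappear in the istio overlay, so any `$(JWA_NAMESPACE)` or `$(JWA_CLUSTER_DOMAIN)` placeholder still sitting in a base resource (deployment.yaml, service.yaml) will now be emitted verbatim because nothing substitutes it any more; a `kustomize build applications/jupyter/jupyter-web-app/upstream/base | grep -n '\$('` check belongs in this PR. The `USERID_HEADER`, `USERID_PREFIX` and `APP_SECURE_COOKIES` replacements are the security-relevant ones, since the app presumably trusts the identity header set upstream and the cookie flag; because no `create: true` is set, a typo in the container or env name fails the build instead of silently shipping the stale value from deployment.yaml, which is the right behaviour and should be kept. The `configMapGenerator` run this hunk edits starts before the hunk.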
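Review bot: Both replacements select every `VirtualService` in the overlay (no `name:` under `select`) and overwrite segments 1 and 3 of the dot-split `destination.host`, which only yields `<svc>.<ns>.svc.<cluster-domain>` if virtual-service.yaml carries a four-segment placeholder host; `JWA_CLUSTER_DOMAIN` itself contains a dot (`cluster.local`), so a host that already spells out `svc.cluster.local` would render as `...svc.cluster.local.local` and the route would fail. Adding a `name:` to `select` that matches the VirtualService in virtual-service.yaml, and asserting the rendered host in CI, are cheap safeguards. `configurations: - params.yaml` is kept although the overlay declares no vars now; if it only lists varReference paths it is dead configuration.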
@@ -5,28 +5,26 @@ resources: - bases/kubeflow.org_notebooks.yaml # +kubebuilder:scaffold:crdkustomizeresource -patchesStrategicMerge: -- patches/trivial_conversion_patch.yaml +patches: +- path: patches/trivial_conversion_patch.yaml +- target: + group: apiextensions.k8s.io + version: v1 + kind: CustomResourceDefinition + name: notebooks.kubeflow.org + path: patches/validation_patches.yaml # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix. # patches here are for enabling the conversion webhook for each CRD -#- patches/webhook_in_notebooks.yaml +#- path: patches/webhook_in_notebooks.yaml # +kubebuilder:scaffold:crdkustomizewebhookpatch # [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix. # patches here are for enabling the CA injection for each CRD -#- patches/cainjection_in_notebooks.yaml +#- path: patches/cainjection_in_notebooks.yaml # +kubebuilder:scaffold:crdkustomizecainjectionpatch # the following config is for teaching kustomize how to do kustomization for CRDs. configurations: - kustomizeconfig.yaml -patchesJson6902: - - target: - group: apiextensions.k8s.io - version: v1 - kind: CustomResourceDefinition - name: notebooks.kubeflow.org - path: patches/validation_patches.yaml - diff --git a/applications/jupyter/notebook-controller/upstream/default/kustomization.yaml b/applications/jupyter/notebook-controller/upstream/default/kustomization.yaml index 393aaa5e5f..653bc84b61 100644 --- a/applications/jupyter/notebook-controller/upstream/default/kustomization.yaml +++ b/applications/jupyter/notebook-controller/upstream/default/kustomization.yaml 
@@ -9,12 +9,14 @@ namespace: notebook-controller-system namePrefix: notebook-controller- # Labels to add to all resources and selectors. -commonLabels: - app: notebook-controller - kustomize.component: notebook-controller +labels: +- includeSelectors: true + pairs: + app: notebook-controller + kustomize.component: notebook-controller -bases: +resources: - ../rbac - ../manager - ../crd @@ -45,7 +47,7 @@ bases: #- webhookcainjection_patch.yaml # the following config is for teaching kustomize how to do var substitution -vars: +#vars: # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. # - name: CERTIFICATE_NAMESPACE # namespace of the certificate CR # objref: diff --git a/applications/jupyter/notebook-controller/upstream/overlays/kubeflow/kustomization.yaml b/applications/jupyter/notebook-controller/upstream/overlays/kubeflow/kustomization.yaml index 6a9b11b7cd..ec34fe84ee 100644 --- a/applications/jupyter/notebook-controller/upstream/overlays/kubeflow/kustomization.yaml +++ b/applications/jupyter/notebook-controller/upstream/overlays/kubeflow/kustomization.yaml @@ -3,8 +3,8 @@ kind: Kustomization resources: - ../../base namespace: kubeflow -patchesStrategicMerge: -- patches/remove-namespace.yaml +patches: +- path: patches/remove-namespace.yaml configMapGenerator: - name: config behavior: merge diff --git a/applications/profiles/upstream/base/kustomization.yaml b/applications/profiles/upstream/base/kustomization.yaml index a8f4f0fc3c..d17e76ab9b 100644 --- a/applications/profiles/upstream/base/kustomization.yaml +++ b/applications/profiles/upstream/base/kustomization.yaml @@ -6,8 +6,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../default -patchesStrategicMerge: -- patches/manager.yaml +patches: +- path: patches/manager.yaml images: - name: ghcr.io/kubeflow/kubeflow/profile-controller 
diff --git a/applications/profiles/upstream/crd/kustomization.yaml b/applications/profiles/upstream/crd/kustomization.yaml index 6a99c5f05c..db21e36e81 100644 --- a/applications/profiles/upstream/crd/kustomization.yaml +++ b/applications/profiles/upstream/crd/kustomization.yaml @@ -5,16 +5,16 @@ resources: - bases/kubeflow.org_profiles.yaml #+kubebuilder:scaffold:crdkustomizeresource -patchesStrategicMerge: -- patches/trivial_conversion_patch.yaml +patches: +- path: patches/trivial_conversion_patch.yaml # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix. # patches here are for enabling the conversion webhook for each CRD -#- patches/webhook_in_profiles.yaml +#- path: patches/webhook_in_profiles.yaml #+kubebuilder:scaffold:crdkustomizewebhookpatch # [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix. # patches here are for enabling the CA injection for each CRD -#- patches/cainjection_in_profiles.yaml +#- path: patches/cainjection_in_profiles.yaml #+kubebuilder:scaffold:crdkustomizecainjectionpatch # the following config is for teaching kustomize how to do kustomization for CRDs. diff --git a/applications/profiles/upstream/default/kustomization.yaml b/applications/profiles/upstream/default/kustomization.yaml index 3951af943f..da9f576f6a 100644 --- a/applications/profiles/upstream/default/kustomization.yaml +++ b/applications/profiles/upstream/default/kustomization.yaml @@ -9,10 +9,12 @@ namespace: profiles-system namePrefix: profiles- # Labels to add to all resources and selectors. -commonLabels: - kustomize.component: profiles +labels: +- includeSelectors: true + pairs: + kustomize.component: profiles -bases: +resources: - ../crd - ../rbac - ../manager 
@@ -24,29 +26,29 @@ bases: # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. #- ../prometheus -patchesStrategicMerge: +patches: # Protect the /metrics endpoint by putting it behind auth. # If you want your controller-manager to expose the /metrics # endpoint w/o any authn/z, please comment the following line. -# - manager_auth_proxy_patch.yaml +# - path: manager_auth_proxy_patch.yaml # If you want your controller-manager to expose the /metrics # endpoint w/o any authn/z, uncomment the following line and # comment manager_auth_proxy_patch.yaml. # Only one of manager_auth_proxy_patch.yaml and # manager_prometheus_metrics_patch.yaml should be enabled. -#- manager_prometheus_metrics_patch.yaml +#- path: manager_prometheus_metrics_patch.yaml # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml -#- manager_webhook_patch.yaml +#- path: manager_webhook_patch.yaml # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. # Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks. # 'CERTMANAGER' needs to be enabled to use ca injection -#- webhookcainjection_patch.yaml +#- path: webhookcainjection_patch.yaml # the following config is for teaching kustomize how to do var substitution -vars: +#vars: # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. #- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR # objref: diff --git a/applications/profiles/upstream/overlays/kubeflow/kustomization.yaml b/applications/profiles/upstream/overlays/kubeflow/kustomization.yaml index 7dc71bae63..f8cd350c8f 100644 --- a/applications/profiles/upstream/overlays/kubeflow/kustomization.yaml +++ b/applications/profiles/upstream/overlays/kubeflow/kustomization.yaml 
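Review bot: `# - path: manager_auth_proxy_patch.yaml` stays commented out, so the profiles controller-manager's `/metrics` endpoint is still exposed without authn/z while the comment above it says the patch protects it; this is pre-existing, but since the hunk rewrites that line it is the moment to either enable the patch or change the comment to state that the endpoint is deliberately unauthenticated here (or protected elsewhere, e.g. by an Istio AuthorizationPolicy in the kubeflow overlay, if that is the case). Turning `vars:` into `#vars:` leaves a header over a body that was already entirely commented; deleting the dead CERTMANAGER block outright would be clearer than keeping a commented-out reference to a removed feature.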
@@ -7,24 +7,32 @@ resources: - virtual-service.yaml - authorizationpolicy.yaml -commonLabels: - kustomize.component: profiles +labels: +- includeSelectors: true + pairs: + kustomize.component: profiles -patchesStrategicMerge: -- patches/kfam.yaml -- patches/remove-namespace.yaml +patches: +- path: patches/kfam.yaml +- path: patches/remove-namespace.yaml configurations: - params.yaml -vars: -- name: PROFILES_NAMESPACE - fieldref: - fieldpath: metadata.namespace - objref: - name: profiles-kfam +replacements: +- source: kind: Service - apiVersion: v1 + name: profiles-kfam + fieldPath: metadata.namespace + targets: + - select: + kind: VirtualService + name: profiles-kfam + fieldPaths: + - spec.http.0.route.0.destination.host + options: + delimiter: "." + index: 1 images: - name: ghcr.io/kubeflow/kubeflow/kfam diff --git a/applications/pvcviewer-controller/upstream/crd/kustomization.yaml b/applications/pvcviewer-controller/upstream/crd/kustomization.yaml index 9de0c9c7ee..7e3ae22f2d 100644 --- a/applications/pvcviewer-controller/upstream/crd/kustomization.yaml +++ b/applications/pvcviewer-controller/upstream/crd/kustomization.yaml @@ -5,11 +5,9 @@ resources: - bases/kubeflow.org_pvcviewers.yaml #+kubebuilder:scaffold:crdkustomizeresource -patchesStrategicMerge: -- patches/webhook_in_pvcviewers.yaml -#+kubebuilder:scaffold:crdkustomizewebhookpatch - -- patches/cainjection_in_pvcviewers.yaml +patches: +- path: patches/webhook_in_pvcviewers.yaml +- path: patches/cainjection_in_pvcviewers.yaml #+kubebuilder:scaffold:crdkustomizecainjectionpatch # the following config is for teaching kustomize how to do kustomization for CRDs. diff --git a/applications/pvcviewer-controller/upstream/default/cainjection_patch.yaml b/applications/pvcviewer-controller/upstream/default/cainjection_patch.yaml index 3b8ebe25aa..91614f8cc8 100644 --- a/applications/pvcviewer-controller/upstream/default/cainjection_patch.yaml 
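Review bot: The removed `PROFILES_NAMESPACE` var was substitutable into every field listed in params.yaml, whereas the new replacement writes the Service namespace only into the kfam VirtualService's `destination.host`; if `authorizationpolicy.yaml` or `patches/kfam.yaml` still reference `$(PROFILES_NAMESPACE)` (for instance in a `source.principals` entry such as `cluster.local/ns/$(PROFILES_NAMESPACE)/sa/...`), they now ship the literal placeholder. For an Istio `AuthorizationPolicy` that matters: a never-matching principal in an ALLOW rule fails closed and breaks kfam access, in a DENY rule it fails open. Run `kustomize build applications/profiles/upstream/overlays/kubeflow | grep -n '\$('` and add the extra targets to the replacement if anything shows up. `configurations: - params.yaml` is retained although nothing declares vars any more, so it is likely dead configuration.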
+++ b/applications/pvcviewer-controller/upstream/default/cainjection_patch.yaml @@ -1,5 +1,4 @@ -# This patch add annotation to admission webhook config and -# CERTIFICATE_NAMESPACE and CERTIFICATE_NAME will be substituted by kustomize +# This patch add labels to admission webhook config apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: @@ -11,8 +10,6 @@ metadata: app.kubernetes.io/part-of: pvc-viewer app.kubernetes.io/managed-by: kustomize name: mutating-webhook-configuration - annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration @@ -25,12 +22,3 @@ metadata: app.kubernetes.io/part-of: pvc-viewer app.kubernetes.io/managed-by: kustomize name: validating-webhook-configuration - annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) - name: pvcviewers.kubeflow.org diff --git a/applications/pvcviewer-controller/upstream/default/kustomization.yaml b/applications/pvcviewer-controller/upstream/default/kustomization.yaml index ca98b792dc..0be1e729a7 100644 --- a/applications/pvcviewer-controller/upstream/default/kustomization.yaml +++ b/applications/pvcviewer-controller/upstream/default/kustomization.yaml @@ -12,8 +12,10 @@ namespace: kubeflow namePrefix: pvcviewer- # Labels to add to all resources and selectors. -commonLabels: - app: pvcviewer +labels: +- includeSelectors: true + pairs: + app: pvcviewer resources: - ../crd 
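Review bot: The rewritten header comment `# This patch add labels to admission webhook config` has a grammar slip and no longer says why the `cert-manager.io/inject-ca-from` annotation and the CRD document were removed from this file, which invites someone to re-add them. Suggest `# This patch adds labels to the admission webhook configs; the cert-manager.io/inject-ca-from annotation is now set by the replacements in kustomization.yaml`.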
@@ -24,147 +26,110 @@ resources: # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. #- ../prometheus -patchesStrategicMerge: +patches: # Do not create a namespace -- remove_namespace.yaml +- path: remove_namespace.yaml # Protect the /metrics endpoint by putting it behind auth. # If you want your controller-manager to expose the /metrics # endpoint w/o any authn/z, please comment the following line. -- manager_auth_proxy_patch.yaml -- manager_webhook_patch.yaml -- cainjection_patch.yaml -- dnsnames_patch.yaml +- path: manager_auth_proxy_patch.yaml +- path: manager_webhook_patch.yaml +- path: cainjection_patch.yaml -vars: -- name: CERTIFICATE_NAMESPACE - objref: - kind: Certificate - group: cert-manager.io - version: v1 - name: serving-cert - fieldref: - fieldpath: metadata.namespace -- name: CERTIFICATE_NAME - objref: - kind: Certificate - group: cert-manager.io - version: v1 - name: serving-cert -- name: SERVICE_NAMESPACE - objref: - kind: Service - version: v1 - name: webhook-service - fieldref: - fieldpath: metadata.namespace -- name: SERVICE_NAME - objref: - kind: Service - version: v1 - name: webhook-service - -# the following config is for teaching kustomize how to replace vars in Certificates. -configurations: -- kustomizeconfig.yaml - -# Note: the kustomize version that's being used to execute integration tests currently doesn't support replacemens. -# Thus, we're using the deprecated vars feature above. -# Once the kustomize version is updated, we can use the following config instead of the vars feature. -# Can be removed then: cainjection_patch.yaml, dnsnames_patch.yaml, kustomizeconfig.yaml, their references here and the vars section above. 
-# replacements: -# - source: # Add cert-manager annotation to ValidatingWebhookConfiguration, MutatingWebhookConfiguration and CRDs -# kind: Certificate -# group: cert-manager.io -# version: v1 -# name: serving-cert # this name should match the one in certificate.yaml -# fieldPath: .metadata.namespace # namespace of the certificate CR -# targets: -# - select: -# kind: ValidatingWebhookConfiguration -# fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] -# options: -# delimiter: '/' -# index: 0 -# create: true -# - select: -# kind: MutatingWebhookConfiguration -# fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] -# options: -# delimiter: '/' -# index: 0 -# create: true -# - select: -# kind: CustomResourceDefinition -# fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] -# options: -# delimiter: '/' -# index: 0 -# create: true -# - source: -# kind: Certificate -# group: cert-manager.io -# version: v1 -# name: serving-cert # this name should match the one in certificate.yaml -# fieldPath: .metadata.name -# targets: -# - select: -# kind: ValidatingWebhookConfiguration -# fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] -# options: -# delimiter: '/' -# index: 1 -# create: true -# - select: -# kind: MutatingWebhookConfiguration -# fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] -# options: -# delimiter: '/' -# index: 1 -# create: true -# - select: -# kind: CustomResourceDefinition -# fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] -# options: -# delimiter: '/' -# index: 1 -# create: true -# - source: # Add cert-manager annotation to the webhook Service -# kind: Service -# version: v1 -# name: webhook-service -# fieldPath: .metadata.name # namespace of the service -# targets: -# - select: -# kind: Certificate -# group: cert-manager.io -# version: v1 -# fieldPaths: -# - .spec.dnsNames.0 -# - .spec.dnsNames.1 -# options: -# delimiter: '.' 
-# index: 0 -# create: true -# - source: -# kind: Service -# version: v1 -# name: webhook-service -# fieldPath: .metadata.namespace # namespace of the service -# targets: -# - select: -# kind: Certificate -# group: cert-manager.io -# version: v1 -# fieldPaths: -# - .spec.dnsNames.0 -# - .spec.dnsNames.1 -# options: -# delimiter: '.' -# index: 1 -# create: true +replacements: + - source: # Add cert-manager annotation to ValidatingWebhookConfiguration, MutatingWebhookConfiguration and CRDs + kind: Certificate + group: cert-manager.io + version: v1 + name: serving-cert # this name should match the one in certificate.yaml + fieldPath: metadata.namespace # namespace of the certificate CR + targets: + - select: + kind: ValidatingWebhookConfiguration + fieldPaths: + - metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 0 + create: true + - select: + kind: MutatingWebhookConfiguration + fieldPaths: + - metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 0 + create: true + - select: + kind: CustomResourceDefinition + fieldPaths: + - metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 0 + create: true + - source: + kind: Certificate + group: cert-manager.io + version: v1 + name: serving-cert # this name should match the one in certificate.yaml + fieldPath: metadata.name + targets: + - select: + kind: ValidatingWebhookConfiguration + fieldPaths: + - metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 1 + create: true + - select: + kind: MutatingWebhookConfiguration + fieldPaths: + - metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 1 + create: true + - select: + kind: CustomResourceDefinition + fieldPaths: + - metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 1 + create: true + - source: # Add cert-manager annotation to the webhook Service + 
kind: Service + version: v1 + name: webhook-service + fieldPath: metadata.name # namespace of the service + targets: + - select: + kind: Certificate + group: cert-manager.io + version: v1 + fieldPaths: + - spec.dnsNames.0 + - spec.dnsNames.1 + options: + delimiter: '.' + index: 0 + create: true + - source: + kind: Service + version: v1 + name: webhook-service + fieldPath: metadata.namespace # namespace of the service + targets: + - select: + kind: Certificate + group: cert-manager.io + version: v1 + fieldPaths: + - spec.dnsNames.0 + - spec.dnsNames.1 + options: + delimiter: '.' + index: 1 + create: true diff --git a/applications/tensorboard/tensorboard-controller/upstream/base/kustomization.yaml b/applications/tensorboard/tensorboard-controller/upstream/base/kustomization.yaml index f2fbc13e6d..aa6bc341c2 100644 --- a/applications/tensorboard/tensorboard-controller/upstream/base/kustomization.yaml +++ b/applications/tensorboard/tensorboard-controller/upstream/base/kustomization.yaml @@ -9,8 +9,8 @@ configMapGenerator: - TENSORBOARD_IMAGE=tensorflow/tensorflow:2.5.1 - ISTIO_GATEWAY=kubeflow/kubeflow-gateway - ISTIO_HOST=* -patchesStrategicMerge: -- patches/add_controller_config.yaml +patches: +- path: patches/add_controller_config.yaml images: - name: ghcr.io/kubeflow/kubeflow/tensorboard-controller newName: ghcr.io/kubeflow/kubeflow/tensorboard-controller diff --git a/applications/tensorboard/tensorboard-controller/upstream/crd/kustomization.yaml b/applications/tensorboard/tensorboard-controller/upstream/crd/kustomization.yaml index 2c596543a2..53ca1266c7 100644 --- a/applications/tensorboard/tensorboard-controller/upstream/crd/kustomization.yaml +++ b/applications/tensorboard/tensorboard-controller/upstream/crd/kustomization.yaml 
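Review bot: The two `spec.dnsNames` replacements carry `create: true`, so a Certificate whose `dnsNames` does not already hold the `<service>.<namespace>.svc[...]` placeholders would not fail the build; the first replacement would create a bare service-name entry and the second, with index 1 beyond the split length, would append the namespace, leaving something like `pvcviewer-webhook-service.kubeflow` without the `.svc` suffix the API server dials. The serving cert then fails TLS verification and, if the webhook's failurePolicy is Fail (the kubebuilder default), every PVCViewer admission and conversion call is rejected, while Ignore silently skips the webhook. Drop `create: true` from the `spec.dnsNames.0`/`spec.dnsNames.1` targets (keep it on the annotation targets, where creating the field is the intent) so a missing placeholder is a build error. The comment `fieldPath: metadata.name # namespace of the service` on the third source is stale and should read `# name of the service`, and `select: kind: CustomResourceDefinition` without a `name:` matches every CRD in the build, fine while only `pvcviewers.kubeflow.org` exists but worth pinning.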
@@ -5,15 +5,15 @@ resources: - bases/tensorboard.kubeflow.org_tensorboards.yaml #+kubebuilder:scaffold:crdkustomizeresource -patchesStrategicMerge: +patches: # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix. # patches here are for enabling the conversion webhook for each CRD -#- patches/webhook_in_tensorboards.yaml +#- path: patches/webhook_in_tensorboards.yaml #+kubebuilder:scaffold:crdkustomizewebhookpatch # [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix. # patches here are for enabling the CA injection for each CRD -#- patches/cainjection_in_tensorboards.yaml +#- path: patches/cainjection_in_tensorboards.yaml #+kubebuilder:scaffold:crdkustomizecainjectionpatch # the following config is for teaching kustomize how to do kustomization for CRDs. diff --git a/applications/tensorboard/tensorboard-controller/upstream/default/kustomization.yaml b/applications/tensorboard/tensorboard-controller/upstream/default/kustomization.yaml index 399ffd068f..b90b565037 100644 --- a/applications/tensorboard/tensorboard-controller/upstream/default/kustomization.yaml +++ b/applications/tensorboard/tensorboard-controller/upstream/default/kustomization.yaml @@ -9,11 +9,13 @@ namespace: tensorboard-controller-system namePrefix: tensorboard-controller- # Labels to add to all resources and selectors. -commonLabels: - app: tensorboard-controller - kustomize.component: tensorboard-controller +labels: +- includeSelectors: true + pairs: + app: tensorboard-controller + kustomize.component: tensorboard-controller -bases: +resources: - ../crd - ../rbac - ../manager 
@@ -25,11 +27,11 @@ bases: # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. #- ../prometheus -patchesStrategicMerge: +patches: # Protect the /metrics endpoint by putting it behind auth. # If you want your controller-manager to expose the /metrics # endpoint w/o any authn/z, please comment the following line. - - manager_auth_proxy_patch.yaml + - path: manager_auth_proxy_patch.yaml # Mount the controller config file for loading manager configurations # through a ComponentConfig type @@ -45,7 +47,7 @@ patchesStrategicMerge: #- webhookcainjection_patch.yaml # the following config is for teaching kustomize how to do var substitution -vars: +#vars: # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. #- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR # objref: diff --git a/applications/tensorboard/tensorboard-controller/upstream/overlays/kubeflow/kustomization.yaml b/applications/tensorboard/tensorboard-controller/upstream/overlays/kubeflow/kustomization.yaml index d02e02287e..23b2af1b49 100644 --- a/applications/tensorboard/tensorboard-controller/upstream/overlays/kubeflow/kustomization.yaml +++ b/applications/tensorboard/tensorboard-controller/upstream/overlays/kubeflow/kustomization.yaml @@ -3,5 +3,5 @@ kind: Kustomization resources: - ../../base namespace: kubeflow -patchesStrategicMerge: -- patches/remove-namespace.yaml +patches: +- path: patches/remove-namespace.yaml diff --git a/applications/tensorboard/tensorboards-web-app/upstream/base/kustomization.yaml b/applications/tensorboard/tensorboards-web-app/upstream/base/kustomization.yaml index 702e76ba48..1ee6d73b1b 100644 --- a/applications/tensorboard/tensorboards-web-app/upstream/base/kustomization.yaml +++ b/applications/tensorboard/tensorboards-web-app/upstream/base/kustomization.yaml 
@@ -8,66 +8,72 @@ resources: - service.yaml namePrefix: tensorboards-web-app- namespace: kubeflow -commonLabels: - app: tensorboards-web-app - kustomize.component: tensorboards-web-app +labels: +- includeSelectors: true + pairs: + app: tensorboards-web-app + kustomize.component: tensorboards-web-app + images: - name: ghcr.io/kubeflow/kubeflow/tensorboards-web-app newName: ghcr.io/kubeflow/kubeflow/tensorboards-web-app newTag: v1.10.0 + # We need the name to be unique without the suffix because the original name is what # gets used with patches configMapGenerator: - envs: - params.env name: parameters -vars: -- fieldref: - fieldPath: data.TWA_CLUSTER_DOMAIN - name: TWA_CLUSTER_DOMAIN - objref: - apiVersion: v1 + +replacements: +- source: kind: ConfigMap name: parameters -- fieldref: - fieldPath: metadata.namespace - name: TWA_NAMESPACE - objref: - apiVersion: v1 - kind: Service - name: service -- fieldref: - fieldPath: data.TWA_USERID_HEADER - name: TWA_USERID_HEADER - objref: - apiVersion: v1 + fieldPath: data.TWA_PREFIX + targets: + - select: + kind: Deployment + name: deployment + fieldPaths: + - spec.template.spec.containers.[name=tensorboards-web-app].env.[name=APP_PREFIX].value +- source: kind: ConfigMap name: parameters -- fieldref: - fieldPath: data.TWA_USERID_PREFIX - name: TWA_USERID_PREFIX - objref: - apiVersion: v1 + fieldPath: data.TWA_USERID_HEADER + targets: + - select: + kind: Deployment + name: deployment + fieldPaths: + - spec.template.spec.containers.[name=tensorboards-web-app].env.[name=USERID_HEADER].value +- source: kind: ConfigMap name: parameters -- fieldref: - fieldPath: data.TWA_PREFIX - name: TWA_PREFIX - objref: - apiVersion: v1 + fieldPath: data.TWA_USERID_PREFIX + targets: + - select: + kind: Deployment + name: deployment + fieldPaths: + - spec.template.spec.containers.[name=tensorboards-web-app].env.[name=USERID_PREFIX].value +- source: kind: ConfigMap name: parameters -- fieldref: fieldPath: data.TWA_APP_SECURE_COOKIES - name: 
TWA_APP_SECURE_COOKIES - objref: - apiVersion: v1 + targets: + - select: + kind: Deployment + name: deployment + fieldPaths: + - spec.template.spec.containers.[name=tensorboards-web-app].env.[name=APP_SECURE_COOKIES].value +- source: kind: ConfigMap name: parameters -- name: TWA_APP_ENABLE_METRICS - fieldref: fieldPath: data.TWA_APP_ENABLE_METRICS - objref: - apiVersion: v1 - kind: ConfigMap - name: parameters + targets: + - select: + kind: Deployment + name: deployment + fieldPaths: + - spec.template.spec.containers.[name=tensorboards-web-app].env.[name=METRICS].value diff --git a/applications/tensorboard/tensorboards-web-app/upstream/overlays/istio/kustomization.yaml b/applications/tensorboard/tensorboards-web-app/upstream/overlays/istio/kustomization.yaml index 45e308307c..cd64bc3eaa 100644 --- a/applications/tensorboard/tensorboards-web-app/upstream/overlays/istio/kustomization.yaml +++ b/applications/tensorboard/tensorboards-web-app/upstream/overlays/istio/kustomization.yaml @@ -6,8 +6,36 @@ resources: - authorization-policy.yaml - destination-rule.yaml namespace: kubeflow -commonLabels: - app: tensorboards-web-app - kustomize.component: tensorboards-web-app +labels: +- includeSelectors: true + pairs: + app: tensorboards-web-app + kustomize.component: tensorboards-web-app configurations: - params.yaml + +replacements: +- source: + kind: Service + name: service + fieldPath: metadata.namespace + targets: + - select: + kind: VirtualService + fieldPaths: + - spec.http.0.route.0.destination.host + options: + delimiter: "." + index: 1 +- source: + kind: ConfigMap + name: parameters + fieldPath: data.TWA_CLUSTER_DOMAIN + targets: + - select: + kind: VirtualService + fieldPaths: + - spec.http.0.route.0.destination.host + options: + delimiter: "." + index: 3 diff --git a/applications/volumes-web-app/upstream/base/kustomization.yaml b/applications/volumes-web-app/upstream/base/kustomization.yaml index deda40865c..b58be01f2b 100644 
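Review bot: The two `replacements` added at the end of this hunk rewrite `spec.http.0.route.0.destination.host` by dot-delimited position (`index: 1` for the Service namespace, `index: 3` for `TWA_CLUSTER_DOMAIN`), which only produces a correct FQDN if the VirtualService host is still written as four tokens with `$(TWA_NAMESPACE)`/`$(TWA_CLUSTER_DOMAIN)` placeholders; `virtual-service.yaml` is not part of this patch, so that cannot be confirmed here. If the host is ever written out in full (five tokens ending in `svc.cluster.local`), index 3 would overwrite only `cluster`, and a domain value that itself contains `.` only works because kustomize re-joins the tokens after substitution. Because a wrong host silently routes the web-app's traffic to a different backend, a comment above `replacements:` stating the required shape would help, e.g. `# destination.host must be <svc>.$(TWA_NAMESPACE).svc.$(TWA_CLUSTER_DOMAIN): tokens 1 and 3 are replaced below`. With `vars` removed from the base, `configurations: - params.yaml` is presumably only carrying `varReference` entries and can be dropped once that is verified.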
--- a/applications/volumes-web-app/upstream/base/kustomization.yaml +++ b/applications/volumes-web-app/upstream/base/kustomization.yaml @@ -8,13 +8,17 @@ resources: - service.yaml namePrefix: volumes-web-app- namespace: kubeflow -commonLabels: - app: volumes-web-app - kustomize.component: volumes-web-app +labels: +- includeSelectors: true + pairs: + app: volumes-web-app + kustomize.component: volumes-web-app + images: - name: ghcr.io/kubeflow/kubeflow/volumes-web-app newName: ghcr.io/kubeflow/kubeflow/volumes-web-app newTag: v1.10.0 + # We need the name to be unique without the suffix because the original name is what # gets used with patches configMapGenerator: 
@@ -24,53 +28,55 @@ configMapGenerator: - files: - viewer-spec.yaml name: viewer-spec -vars: -- fieldref: - fieldPath: data.VWA_CLUSTER_DOMAIN - name: VWA_CLUSTER_DOMAIN - objref: - apiVersion: v1 + +replacements: +- source: kind: ConfigMap name: parameters -- fieldref: - fieldPath: metadata.namespace - name: VWA_NAMESPACE - objref: - apiVersion: v1 - kind: Service - name: service -- fieldref: - fieldPath: data.VWA_USERID_HEADER - name: VWA_USERID_HEADER - objref: - apiVersion: v1 + fieldPath: data.VWA_PREFIX + targets: + - select: + kind: Deployment + name: deployment + fieldPaths: + - spec.template.spec.containers.[name=volumes-web-app].env.[name=APP_PREFIX].value +- source: kind: ConfigMap name: parameters -- fieldref: - fieldPath: data.VWA_USERID_PREFIX - name: VWA_USERID_PREFIX - objref: - apiVersion: v1 + fieldPath: data.VWA_USERID_HEADER + targets: + - select: + kind: Deployment + name: deployment + fieldPaths: + - spec.template.spec.containers.[name=volumes-web-app].env.[name=USERID_HEADER].value +- source: kind: ConfigMap name: parameters -- fieldref: - fieldPath: data.VWA_PREFIX - name: VWA_PREFIX - objref: - apiVersion: v1 + fieldPath: data.VWA_USERID_PREFIX + targets: + - select: + kind: Deployment + name: deployment + fieldPaths: + - spec.template.spec.containers.[name=volumes-web-app].env.[name=USERID_PREFIX].value +- source: kind: ConfigMap name: parameters -- name: VWA_APP_SECURE_COOKIES - fieldref: fieldPath: data.VWA_APP_SECURE_COOKIES - objref: - apiVersion: v1 + targets: + - select: + kind: Deployment + name: deployment + fieldPaths: + - spec.template.spec.containers.[name=volumes-web-app].env.[name=APP_SECURE_COOKIES].value +- source: kind: ConfigMap name: parameters -- name: VWA_APP_ENABLE_METRICS - fieldref: fieldPath: data.VWA_APP_ENABLE_METRICS - objref: - apiVersion: v1 - kind: ConfigMap - name: parameters + targets: + - select: + kind: Deployment + name: deployment + fieldPaths: + - 
spec.template.spec.containers.[name=volumes-web-app].env.[name=METRICS].value diff --git a/applications/volumes-web-app/upstream/overlays/istio/kustomization.yaml b/applications/volumes-web-app/upstream/overlays/istio/kustomization.yaml index 1d8d0ac0fc..792df5ebef 100644 --- a/applications/volumes-web-app/upstream/overlays/istio/kustomization.yaml +++ b/applications/volumes-web-app/upstream/overlays/istio/kustomization.yaml @@ -6,8 +6,36 @@ resources: - authorization-policy.yaml - destination-rule.yaml namespace: kubeflow -commonLabels: - app: volumes-web-app - kustomize.component: volumes-web-app +labels: +- includeSelectors: true + pairs: + app: volumes-web-app + kustomize.component: volumes-web-app configurations: - params.yaml + +replacements: +- source: + kind: Service + name: service + fieldPath: metadata.namespace + targets: + - select: + kind: VirtualService + fieldPaths: + - spec.http.0.route.0.destination.host + options: + delimiter: "." + index: 1 +- source: + kind: ConfigMap + name: parameters + fieldPath: data.VWA_CLUSTER_DOMAIN + targets: + - select: + kind: VirtualService + fieldPaths: + - spec.http.0.route.0.destination.host + options: + delimiter: "." + index: 3 From 230480c086f320a69d598199a23f39594a5c0713 Mon Sep 17 00:00:00 2001 From: Abdullah Pathan Date: Thu, 19 Mar 2026 06:15:41 +0530 Subject: [PATCH 02/17] Revert "fix: resolve Kustomize 5 deprecation warnings (#2991)" This reverts commit 27287d30abc71f4121346d344319ca892a6b6f27. 
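Review bot: The `replacements` added to the volumes-web-app istio overlay patch `spec.http.0.route.0.destination.host` positionally (`delimiter: "."`, `index: 1` and `index: 3`), so they depend on the VirtualService host keeping exactly four dot-separated tokens with the namespace and cluster-domain placeholders in positions 1 and 3; `virtual-service.yaml` is not touched by this patch, so that assumption is unverified here. A host that is already fully qualified, or a future edit that adds a label, would be corrupted rather than rejected, and the resulting wrong backend host is a silent routing change for the web app. Suggest a guard comment above the block, e.g. `# destination.host must be <svc>.<namespace>.svc.<cluster-domain> with placeholders at tokens 1 and 3; do not hard-code the FQDN`. If `params.yaml` now only declares `varReference` entries for the removed `vars`, the `configurations:` line has become inert and can go.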
Signed-off-by: Abdullah Pathan --- .../upstream/base/kustomization.yaml | 55 ++-- .../overlays/cert-manager/kustomization.yaml | 64 ++--- .../upstream/base/kustomization.yaml | 101 ++++--- .../overlays/istio/kustomization.yaml | 34 +-- .../upstream/crd/kustomization.yaml | 22 +- .../upstream/default/kustomization.yaml | 12 +- .../overlays/kubeflow/kustomization.yaml | 4 +- .../profiles/upstream/base/kustomization.yaml | 4 +- .../profiles/upstream/crd/kustomization.yaml | 8 +- .../upstream/default/kustomization.yaml | 20 +- .../overlays/kubeflow/kustomization.yaml | 32 +-- .../upstream/crd/kustomization.yaml | 8 +- .../upstream/default/cainjection_patch.yaml | 14 +- .../upstream/default/kustomization.yaml | 247 ++++++++++-------- .../upstream/base/kustomization.yaml | 4 +- .../upstream/crd/kustomization.yaml | 6 +- .../upstream/default/kustomization.yaml | 16 +- .../overlays/kubeflow/kustomization.yaml | 4 +- .../upstream/base/kustomization.yaml | 88 +++---- .../overlays/istio/kustomization.yaml | 34 +-- .../upstream/base/kustomization.yaml | 88 +++---- .../overlays/istio/kustomization.yaml | 34 +-- 22 files changed, 413 insertions(+), 486 deletions(-) diff --git a/applications/admission-webhook/upstream/base/kustomization.yaml b/applications/admission-webhook/upstream/base/kustomization.yaml index f2990bb26f..c0701101d0 100644 --- a/applications/admission-webhook/upstream/base/kustomization.yaml +++ b/applications/admission-webhook/upstream/base/kustomization.yaml 
@@ -8,38 +8,45 @@ resources: - service-account.yaml - service.yaml - crd.yaml -labels: -- includeSelectors: true - pairs: - app: poddefaults - kustomize.component: poddefaults - app.kubernetes.io/component: poddefaults - app.kubernetes.io/name: poddefaults - +commonLabels: + app: poddefaults + kustomize.component: poddefaults + app.kubernetes.io/component: poddefaults + app.kubernetes.io/name: poddefaults images: - name: ghcr.io/kubeflow/kubeflow/poddefaults-webhook newName: ghcr.io/kubeflow/kubeflow/poddefaults-webhook newTag: v1.10.0 - namespace: kubeflow - generatorOptions: disableNameSuffixHash: true - -replacements: -- source: +vars: +# These vars are used to substitute in the namespace, service name and +# deployment name into the mutating WebHookConfiguration. +# Since its a CR kustomize isn't aware of those fields and won't +# transform them. +# We need the var names to be relatively unique so that when we +# compose with other applications they won't conflict. +- fieldref: + fieldPath: metadata.namespace + name: podDefaultsNamespace + objref: + apiVersion: v1 + kind: Service + name: service +- fieldref: + fieldPath: metadata.name + name: podDefaultsServiceName + objref: + apiVersion: v1 + kind: Service + name: service +- fieldref: + fieldPath: metadata.name + name: podDefaultsDeploymentName + objref: + apiVersion: apps/v1 kind: Deployment name: deployment - fieldPath: metadata.name - targets: - - select: - kind: MutatingWebhookConfiguration - name: mutating-webhook-configuration - fieldPaths: - - webhooks.0.name - options: - delimiter: "." - index: 0 - configurations: - params.yaml diff --git a/applications/admission-webhook/upstream/overlays/cert-manager/kustomization.yaml b/applications/admission-webhook/upstream/overlays/cert-manager/kustomization.yaml index 2ba92fead4..36542dded6 100644 --- a/applications/admission-webhook/upstream/overlays/cert-manager/kustomization.yaml 
+++ b/applications/admission-webhook/upstream/overlays/cert-manager/kustomization.yaml @@ -4,56 +4,44 @@ # the certificate. # TODO(jlewi): We should eventually refactor the manifests to delete # bootstrap and use certmanager by default. -resources: +bases: - ../../base + +resources: - certificate.yaml namespace: kubeflow namePrefix: admission-webhook- -labels: -- includeSelectors: true - pairs: - app: poddefaults - kustomize.component: poddefaults - app.kubernetes.io/component: poddefaults - app.kubernetes.io/name: poddefaults +commonLabels: + app: poddefaults + kustomize.component: poddefaults + app.kubernetes.io/component: poddefaults + app.kubernetes.io/name: poddefaults -patches: -- path: mutating-webhook-configuration.yaml -- path: deployment.yaml +patchesStrategicMerge: +- mutating-webhook-configuration.yaml +- deployment.yaml generatorOptions: disableNameSuffixHash: true -replacements: -- source: - kind: Service - name: service - fieldPath: metadata.namespace - targets: - - select: - kind: MutatingWebhookConfiguration - name: mutating-webhook-configuration - fieldPaths: - - metadata.annotations.[cert-manager.io/inject-ca-from] - options: - delimiter: "/" - index: 0 -- source: - kind: Certificate - name: cert - fieldPath: metadata.name - targets: - - select: - kind: MutatingWebhookConfiguration - name: mutating-webhook-configuration - fieldPaths: - - metadata.annotations.[cert-manager.io/inject-ca-from] - options: - delimiter: "/" - index: 1 +vars: +# These vars are used to substitute in the namespace, service name and +# deployment name into the mutating WebHookConfiguration. +# Since its a CR kustomize isn't aware of those fields and won't +# transform them. +# We need the var names to be relatively unique so that when we +# compose with other applications they won't conflict. +- name: podDefaultsCertName + objref: + kind: Certificate + group: cert-manager.io + version: v1 + name: cert + fieldref: + fieldpath: metadata.name configurations: - params.yaml 
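Review bot: The restored comment above `vars:` in this overlay says the vars substitute "the namespace, service name and deployment name into the mutating WebHookConfiguration", but the only var declared here is `podDefaultsCertName` (Certificate `metadata.name`), so the comment no longer describes the block it sits on. Given that this value presumably ends up in the `cert-manager.io/inject-ca-from` annotation that hands the webhook its trusted caBundle, a stale comment is the kind of thing that hides a missing var on the next refactor. Suggest replacing the block comment with `# podDefaultsCertName is the cert-manager Certificate name for the inject-ca-from annotation on the MutatingWebhookConfiguration; the namespace half comes from podDefaultsNamespace declared in ../../base.` Note that `vars` and `bases` are both deprecated in Kustomize 5 and will print warnings on every build until the migration is re-landed.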
diff --git a/applications/jupyter/jupyter-web-app/upstream/base/kustomization.yaml b/applications/jupyter/jupyter-web-app/upstream/base/kustomization.yaml index fefe4e1e18..76989046ac 100644 --- a/applications/jupyter/jupyter-web-app/upstream/base/kustomization.yaml +++ b/applications/jupyter/jupyter-web-app/upstream/base/kustomization.yaml @@ -17,17 +17,13 @@ resources: - configs/logos-configmap.yaml namePrefix: jupyter-web-app- namespace: kubeflow -labels: -- includeSelectors: true - pairs: - app: jupyter-web-app - kustomize.component: jupyter-web-app - +commonLabels: + app: jupyter-web-app + kustomize.component: jupyter-web-app images: - name: ghcr.io/kubeflow/kubeflow/jupyter-web-app newName: ghcr.io/kubeflow/kubeflow/jupyter-web-app newTag: v1.10.0 - # We need the name to be unique without the suffix because the original name is what # gets used with patches configMapGenerator: 
@@ -37,65 +33,60 @@ configMapGenerator: - files: - configs/spawner_ui_config.yaml name: config - -replacements: -- source: +vars: +- fieldref: + fieldPath: data.JWA_CLUSTER_DOMAIN + name: JWA_CLUSTER_DOMAIN + objref: + apiVersion: v1 kind: ConfigMap name: parameters - fieldPath: data.JWA_PREFIX - targets: - - select: - kind: Deployment - name: deployment - fieldPaths: - - spec.template.spec.containers.[name=jupyter-web-app].env.[name=APP_PREFIX].value -- source: +- fieldref: + fieldPath: metadata.namespace + name: JWA_NAMESPACE + objref: + apiVersion: v1 + kind: Service + name: service +- fieldref: + fieldPath: data.JWA_USERID_HEADER + name: JWA_USERID_HEADER + objref: + apiVersion: v1 kind: ConfigMap name: parameters - fieldPath: data.JWA_UI - targets: - - select: - kind: Deployment - name: deployment - fieldPaths: - - spec.template.spec.containers.[name=jupyter-web-app].env.[name=UI].value -- source: +- fieldref: + fieldPath: data.JWA_USERID_PREFIX + name: JWA_USERID_PREFIX + objref: + apiVersion: v1 kind: ConfigMap name: parameters - fieldPath: data.JWA_USERID_HEADER - targets: - - select: - kind: Deployment - name: deployment - fieldPaths: - - spec.template.spec.containers.[name=jupyter-web-app].env.[name=USERID_HEADER].value -- source: +- fieldref: + fieldPath: data.JWA_UI + name: JWA_UI + objref: + apiVersion: v1 kind: ConfigMap name: parameters - fieldPath: data.JWA_USERID_PREFIX - targets: - - select: - kind: Deployment - name: deployment - fieldPaths: - - spec.template.spec.containers.[name=jupyter-web-app].env.[name=USERID_PREFIX].value -- source: +- fieldref: + fieldPath: data.JWA_PREFIX + name: JWA_PREFIX + objref: + apiVersion: v1 kind: ConfigMap name: parameters +- name: JWA_APP_SECURE_COOKIES + fieldref: fieldPath: data.JWA_APP_SECURE_COOKIES - targets: - - select: - kind: Deployment - name: deployment - fieldPaths: - - spec.template.spec.containers.[name=jupyter-web-app].env.[name=APP_SECURE_COOKIES].value -- source: + objref: + apiVersion: v1 kind: 
ConfigMap name: parameters +- name: JWA_APP_ENABLE_METRICS + fieldref: fieldPath: data.JWA_APP_ENABLE_METRICS - targets: - - select: - kind: Deployment - name: deployment - fieldPaths: - - spec.template.spec.containers.[name=jupyter-web-app].env.[name=METRICS].value + objref: + apiVersion: v1 + kind: ConfigMap + name: parameters diff --git a/applications/jupyter/jupyter-web-app/upstream/overlays/istio/kustomization.yaml b/applications/jupyter/jupyter-web-app/upstream/overlays/istio/kustomization.yaml index fdc355bcff..a647f10977 100644 --- a/applications/jupyter/jupyter-web-app/upstream/overlays/istio/kustomization.yaml +++ b/applications/jupyter/jupyter-web-app/upstream/overlays/istio/kustomization.yaml @@ -6,36 +6,8 @@ resources: - authorization-policy.yaml - destination-rule.yaml namespace: kubeflow -labels: -- includeSelectors: true - pairs: - app: jupyter-web-app - kustomize.component: jupyter-web-app +commonLabels: + app: jupyter-web-app + kustomize.component: jupyter-web-app configurations: - params.yaml - -replacements: -- source: - kind: Service - name: service - fieldPath: metadata.namespace - targets: - - select: - kind: VirtualService - fieldPaths: - - spec.http.0.route.0.destination.host - options: - delimiter: "." - index: 1 -- source: - kind: ConfigMap - name: parameters - fieldPath: data.JWA_CLUSTER_DOMAIN - targets: - - select: - kind: VirtualService - fieldPaths: - - spec.http.0.route.0.destination.host - options: - delimiter: "." - index: 3 diff --git a/applications/jupyter/notebook-controller/upstream/crd/kustomization.yaml b/applications/jupyter/notebook-controller/upstream/crd/kustomization.yaml index 5c976d1d06..8dac3f0e48 100644 --- a/applications/jupyter/notebook-controller/upstream/crd/kustomization.yaml +++ b/applications/jupyter/notebook-controller/upstream/crd/kustomization.yaml 
@@ -5,26 +5,28 @@ resources: - bases/kubeflow.org_notebooks.yaml # +kubebuilder:scaffold:crdkustomizeresource -patches: -- path: patches/trivial_conversion_patch.yaml -- target: - group: apiextensions.k8s.io - version: v1 - kind: CustomResourceDefinition - name: notebooks.kubeflow.org - path: patches/validation_patches.yaml +patchesStrategicMerge: +- patches/trivial_conversion_patch.yaml # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix. # patches here are for enabling the conversion webhook for each CRD -#- path: patches/webhook_in_notebooks.yaml +#- patches/webhook_in_notebooks.yaml # +kubebuilder:scaffold:crdkustomizewebhookpatch # [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix. # patches here are for enabling the CA injection for each CRD -#- path: patches/cainjection_in_notebooks.yaml +#- patches/cainjection_in_notebooks.yaml # +kubebuilder:scaffold:crdkustomizecainjectionpatch # the following config is for teaching kustomize how to do kustomization for CRDs. configurations: - kustomizeconfig.yaml +patchesJson6902: + - target: + group: apiextensions.k8s.io + version: v1 + kind: CustomResourceDefinition + name: notebooks.kubeflow.org + path: patches/validation_patches.yaml + diff --git a/applications/jupyter/notebook-controller/upstream/default/kustomization.yaml b/applications/jupyter/notebook-controller/upstream/default/kustomization.yaml index 653bc84b61..393aaa5e5f 100644 --- a/applications/jupyter/notebook-controller/upstream/default/kustomization.yaml +++ b/applications/jupyter/notebook-controller/upstream/default/kustomization.yaml 
@@ -9,14 +9,12 @@ namespace: notebook-controller-system namePrefix: notebook-controller- # Labels to add to all resources and selectors. -labels: -- includeSelectors: true - pairs: - app: notebook-controller - kustomize.component: notebook-controller +commonLabels: + app: notebook-controller + kustomize.component: notebook-controller -resources: +bases: - ../rbac - ../manager - ../crd @@ -47,7 +45,7 @@ resources: #- webhookcainjection_patch.yaml # the following config is for teaching kustomize how to do var substitution -#vars: +vars: # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. # - name: CERTIFICATE_NAMESPACE # namespace of the certificate CR # objref: diff --git a/applications/jupyter/notebook-controller/upstream/overlays/kubeflow/kustomization.yaml b/applications/jupyter/notebook-controller/upstream/overlays/kubeflow/kustomization.yaml index ec34fe84ee..6a9b11b7cd 100644 --- a/applications/jupyter/notebook-controller/upstream/overlays/kubeflow/kustomization.yaml +++ b/applications/jupyter/notebook-controller/upstream/overlays/kubeflow/kustomization.yaml @@ -3,8 +3,8 @@ kind: Kustomization resources: - ../../base namespace: kubeflow -patches: -- path: patches/remove-namespace.yaml +patchesStrategicMerge: +- patches/remove-namespace.yaml configMapGenerator: - name: config behavior: merge diff --git a/applications/profiles/upstream/base/kustomization.yaml b/applications/profiles/upstream/base/kustomization.yaml index d17e76ab9b..a8f4f0fc3c 100644 --- a/applications/profiles/upstream/base/kustomization.yaml +++ b/applications/profiles/upstream/base/kustomization.yaml @@ -6,8 +6,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../default -patches: -- path: patches/manager.yaml +patchesStrategicMerge: +- patches/manager.yaml images: - name: ghcr.io/kubeflow/kubeflow/profile-controller 
diff --git a/applications/profiles/upstream/crd/kustomization.yaml b/applications/profiles/upstream/crd/kustomization.yaml index db21e36e81..6a99c5f05c 100644 --- a/applications/profiles/upstream/crd/kustomization.yaml +++ b/applications/profiles/upstream/crd/kustomization.yaml @@ -5,16 +5,16 @@ resources: - bases/kubeflow.org_profiles.yaml #+kubebuilder:scaffold:crdkustomizeresource -patches: -- path: patches/trivial_conversion_patch.yaml +patchesStrategicMerge: +- patches/trivial_conversion_patch.yaml # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix. # patches here are for enabling the conversion webhook for each CRD -#- path: patches/webhook_in_profiles.yaml +#- patches/webhook_in_profiles.yaml #+kubebuilder:scaffold:crdkustomizewebhookpatch # [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix. # patches here are for enabling the CA injection for each CRD -#- path: patches/cainjection_in_profiles.yaml +#- patches/cainjection_in_profiles.yaml #+kubebuilder:scaffold:crdkustomizecainjectionpatch # the following config is for teaching kustomize how to do kustomization for CRDs. diff --git a/applications/profiles/upstream/default/kustomization.yaml b/applications/profiles/upstream/default/kustomization.yaml index da9f576f6a..3951af943f 100644 --- a/applications/profiles/upstream/default/kustomization.yaml +++ b/applications/profiles/upstream/default/kustomization.yaml @@ -9,12 +9,10 @@ namespace: profiles-system namePrefix: profiles- # Labels to add to all resources and selectors. -labels: -- includeSelectors: true - pairs: - kustomize.component: profiles +commonLabels: + kustomize.component: profiles -resources: +bases: - ../crd - ../rbac - ../manager 
@@ -26,29 +24,29 @@ resources: # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. #- ../prometheus -patches: +patchesStrategicMerge: # Protect the /metrics endpoint by putting it behind auth. # If you want your controller-manager to expose the /metrics # endpoint w/o any authn/z, please comment the following line. -# - path: manager_auth_proxy_patch.yaml +# - manager_auth_proxy_patch.yaml # If you want your controller-manager to expose the /metrics # endpoint w/o any authn/z, uncomment the following line and # comment manager_auth_proxy_patch.yaml. # Only one of manager_auth_proxy_patch.yaml and # manager_prometheus_metrics_patch.yaml should be enabled. -#- path: manager_prometheus_metrics_patch.yaml +#- manager_prometheus_metrics_patch.yaml # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml -#- path: manager_webhook_patch.yaml +#- manager_webhook_patch.yaml # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. # Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks. # 'CERTMANAGER' needs to be enabled to use ca injection -#- path: webhookcainjection_patch.yaml +#- webhookcainjection_patch.yaml # the following config is for teaching kustomize how to do var substitution -#vars: +vars: # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. #- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR # objref: diff --git a/applications/profiles/upstream/overlays/kubeflow/kustomization.yaml b/applications/profiles/upstream/overlays/kubeflow/kustomization.yaml index f8cd350c8f..7dc71bae63 100644 --- a/applications/profiles/upstream/overlays/kubeflow/kustomization.yaml +++ b/applications/profiles/upstream/overlays/kubeflow/kustomization.yaml 
@@ -7,32 +7,24 @@ resources: - virtual-service.yaml - authorizationpolicy.yaml -labels: -- includeSelectors: true - pairs: - kustomize.component: profiles +commonLabels: + kustomize.component: profiles -patches: -- path: patches/kfam.yaml -- path: patches/remove-namespace.yaml +patchesStrategicMerge: +- patches/kfam.yaml +- patches/remove-namespace.yaml configurations: - params.yaml -replacements: -- source: - kind: Service +vars: +- name: PROFILES_NAMESPACE + fieldref: + fieldpath: metadata.namespace + objref: name: profiles-kfam - fieldPath: metadata.namespace - targets: - - select: - kind: VirtualService - name: profiles-kfam - fieldPaths: - - spec.http.0.route.0.destination.host - options: - delimiter: "." - index: 1 + kind: Service + apiVersion: v1 images: - name: ghcr.io/kubeflow/kubeflow/kfam diff --git a/applications/pvcviewer-controller/upstream/crd/kustomization.yaml b/applications/pvcviewer-controller/upstream/crd/kustomization.yaml index 7e3ae22f2d..9de0c9c7ee 100644 --- a/applications/pvcviewer-controller/upstream/crd/kustomization.yaml +++ b/applications/pvcviewer-controller/upstream/crd/kustomization.yaml @@ -5,9 +5,11 @@ resources: - bases/kubeflow.org_pvcviewers.yaml #+kubebuilder:scaffold:crdkustomizeresource -patches: -- path: patches/webhook_in_pvcviewers.yaml -- path: patches/cainjection_in_pvcviewers.yaml +patchesStrategicMerge: +- patches/webhook_in_pvcviewers.yaml +#+kubebuilder:scaffold:crdkustomizewebhookpatch + +- patches/cainjection_in_pvcviewers.yaml #+kubebuilder:scaffold:crdkustomizecainjectionpatch # the following config is for teaching kustomize how to do kustomization for CRDs. diff --git a/applications/pvcviewer-controller/upstream/default/cainjection_patch.yaml b/applications/pvcviewer-controller/upstream/default/cainjection_patch.yaml index 91614f8cc8..3b8ebe25aa 100644 --- a/applications/pvcviewer-controller/upstream/default/cainjection_patch.yaml +++ b/applications/pvcviewer-controller/upstream/default/cainjection_patch.yaml 
@@ -1,4 +1,5 @@ -# This patch add labels to admission webhook config +# This patch add annotation to admission webhook config and +# CERTIFICATE_NAMESPACE and CERTIFICATE_NAME will be substituted by kustomize apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: @@ -10,6 +11,8 @@ metadata: app.kubernetes.io/part-of: pvc-viewer app.kubernetes.io/managed-by: kustomize name: mutating-webhook-configuration + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration @@ -22,3 +25,12 @@ metadata: app.kubernetes.io/part-of: pvc-viewer app.kubernetes.io/managed-by: kustomize name: validating-webhook-configuration + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + name: pvcviewers.kubeflow.org diff --git a/applications/pvcviewer-controller/upstream/default/kustomization.yaml b/applications/pvcviewer-controller/upstream/default/kustomization.yaml index 0be1e729a7..ca98b792dc 100644 --- a/applications/pvcviewer-controller/upstream/default/kustomization.yaml +++ b/applications/pvcviewer-controller/upstream/default/kustomization.yaml @@ -12,10 +12,8 @@ namespace: kubeflow namePrefix: pvcviewer- # Labels to add to all resources and selectors. -labels: -- includeSelectors: true - pairs: - app: pvcviewer +commonLabels: + app: pvcviewer resources: - ../crd 
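Review bot: The restored `cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)` annotation on the `pvcviewers.kubeflow.org` CRD in the last hunk is only effective if Kustomize `vars` actually substitute that field — vars touch only paths listed under `varReference`, and a missed placeholder is left as the literal string with at most a log warning, not a build failure. A literal `$(…)` value would make cert-manager's CA injector skip the CRD and the two webhook configurations, so the API server would have no caBundle to verify the webhook's serving certificate; whether that then fails open or closed depends on each webhook's `failurePolicy`, which is not shown here. Please confirm that `kustomizeconfig.yaml` (referenced from the default kustomization) lists `metadata/annotations/cert-manager.io~1inject-ca-from` for `CustomResourceDefinition` as well as for the Mutating/ValidatingWebhookConfiguration kinds. Suggest recording that dependency in the header, e.g. `# $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) are substituted by kustomize vars; the annotation path must be declared in kustomizeconfig.yaml for all three kinds`, and fixing the grammar of the first line to `# This patch adds the inject-ca-from annotation to the admission webhook configs and the CRD`.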
@@ -26,110 +24,147 @@ resources: # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. #- ../prometheus -patches: +patchesStrategicMerge: # Do not create a namespace -- path: remove_namespace.yaml +- remove_namespace.yaml # Protect the /metrics endpoint by putting it behind auth. # If you want your controller-manager to expose the /metrics # endpoint w/o any authn/z, please comment the following line. -- path: manager_auth_proxy_patch.yaml -- path: manager_webhook_patch.yaml -- path: cainjection_patch.yaml +- manager_auth_proxy_patch.yaml +- manager_webhook_patch.yaml +- cainjection_patch.yaml +- dnsnames_patch.yaml -replacements: - - source: # Add cert-manager annotation to ValidatingWebhookConfiguration, MutatingWebhookConfiguration and CRDs - kind: Certificate - group: cert-manager.io - version: v1 - name: serving-cert # this name should match the one in certificate.yaml - fieldPath: metadata.namespace # namespace of the certificate CR - targets: - - select: - kind: ValidatingWebhookConfiguration - fieldPaths: - - metadata.annotations.[cert-manager.io/inject-ca-from] - options: - delimiter: '/' - index: 0 - create: true - - select: - kind: MutatingWebhookConfiguration - fieldPaths: - - metadata.annotations.[cert-manager.io/inject-ca-from] - options: - delimiter: '/' - index: 0 - create: true - - select: - kind: CustomResourceDefinition - fieldPaths: - - metadata.annotations.[cert-manager.io/inject-ca-from] - options: - delimiter: '/' - index: 0 - create: true - - source: - kind: Certificate - group: cert-manager.io - version: v1 - name: serving-cert # this name should match the one in certificate.yaml - fieldPath: metadata.name - targets: - - select: - kind: ValidatingWebhookConfiguration - fieldPaths: - - metadata.annotations.[cert-manager.io/inject-ca-from] - options: - delimiter: '/' - index: 1 - create: true - - select: - kind: MutatingWebhookConfiguration - fieldPaths: - - 
metadata.annotations.[cert-manager.io/inject-ca-from] - options: - delimiter: '/' - index: 1 - create: true - - select: - kind: CustomResourceDefinition - fieldPaths: - - metadata.annotations.[cert-manager.io/inject-ca-from] - options: - delimiter: '/' - index: 1 - create: true - - source: # Add cert-manager annotation to the webhook Service - kind: Service - version: v1 - name: webhook-service - fieldPath: metadata.name # namespace of the service - targets: - - select: - kind: Certificate - group: cert-manager.io - version: v1 - fieldPaths: - - spec.dnsNames.0 - - spec.dnsNames.1 - options: - delimiter: '.' - index: 0 - create: true - - source: - kind: Service - version: v1 - name: webhook-service - fieldPath: metadata.namespace # namespace of the service - targets: - - select: - kind: Certificate - group: cert-manager.io - version: v1 - fieldPaths: - - spec.dnsNames.0 - - spec.dnsNames.1 - options: - delimiter: '.' - index: 1 - create: true +vars: +- name: CERTIFICATE_NAMESPACE + objref: + kind: Certificate + group: cert-manager.io + version: v1 + name: serving-cert + fieldref: + fieldpath: metadata.namespace +- name: CERTIFICATE_NAME + objref: + kind: Certificate + group: cert-manager.io + version: v1 + name: serving-cert +- name: SERVICE_NAMESPACE + objref: + kind: Service + version: v1 + name: webhook-service + fieldref: + fieldpath: metadata.namespace +- name: SERVICE_NAME + objref: + kind: Service + version: v1 + name: webhook-service + +# the following config is for teaching kustomize how to replace vars in Certificates. +configurations: +- kustomizeconfig.yaml + +# Note: the kustomize version that's being used to execute integration tests currently doesn't support replacemens. +# Thus, we're using the deprecated vars feature above. +# Once the kustomize version is updated, we can use the following config instead of the vars feature. 
+# Can be removed then: cainjection_patch.yaml, dnsnames_patch.yaml, kustomizeconfig.yaml, their references here and the vars section above. +# replacements: +# - source: # Add cert-manager annotation to ValidatingWebhookConfiguration, MutatingWebhookConfiguration and CRDs +# kind: Certificate +# group: cert-manager.io +# version: v1 +# name: serving-cert # this name should match the one in certificate.yaml +# fieldPath: .metadata.namespace # namespace of the certificate CR +# targets: +# - select: +# kind: ValidatingWebhookConfiguration +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 0 +# create: true +# - select: +# kind: MutatingWebhookConfiguration +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 0 +# create: true +# - select: +# kind: CustomResourceDefinition +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 0 +# create: true +# - source: +# kind: Certificate +# group: cert-manager.io +# version: v1 +# name: serving-cert # this name should match the one in certificate.yaml +# fieldPath: .metadata.name +# targets: +# - select: +# kind: ValidatingWebhookConfiguration +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 1 +# create: true +# - select: +# kind: MutatingWebhookConfiguration +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 1 +# create: true +# - select: +# kind: CustomResourceDefinition +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 1 +# create: true +# - source: # Add cert-manager annotation to the webhook Service +# kind: Service +# version: v1 +# name: webhook-service +# fieldPath: .metadata.name # namespace of the service +# targets: +# - select: +# kind: 
Certificate +# group: cert-manager.io +# version: v1 +# fieldPaths: +# - .spec.dnsNames.0 +# - .spec.dnsNames.1 +# options: +# delimiter: '.' +# index: 0 +# create: true +# - source: +# kind: Service +# version: v1 +# name: webhook-service +# fieldPath: .metadata.namespace # namespace of the service +# targets: +# - select: +# kind: Certificate +# group: cert-manager.io +# version: v1 +# fieldPaths: +# - .spec.dnsNames.0 +# - .spec.dnsNames.1 +# options: +# delimiter: '.' +# index: 1 +# create: true diff --git a/applications/tensorboard/tensorboard-controller/upstream/base/kustomization.yaml b/applications/tensorboard/tensorboard-controller/upstream/base/kustomization.yaml index aa6bc341c2..f2fbc13e6d 100644 --- a/applications/tensorboard/tensorboard-controller/upstream/base/kustomization.yaml +++ b/applications/tensorboard/tensorboard-controller/upstream/base/kustomization.yaml @@ -9,8 +9,8 @@ configMapGenerator: - TENSORBOARD_IMAGE=tensorflow/tensorflow:2.5.1 - ISTIO_GATEWAY=kubeflow/kubeflow-gateway - ISTIO_HOST=* -patches: -- path: patches/add_controller_config.yaml +patchesStrategicMerge: +- patches/add_controller_config.yaml images: - name: ghcr.io/kubeflow/kubeflow/tensorboard-controller newName: ghcr.io/kubeflow/kubeflow/tensorboard-controller diff --git a/applications/tensorboard/tensorboard-controller/upstream/crd/kustomization.yaml b/applications/tensorboard/tensorboard-controller/upstream/crd/kustomization.yaml index 53ca1266c7..2c596543a2 100644 --- a/applications/tensorboard/tensorboard-controller/upstream/crd/kustomization.yaml +++ b/applications/tensorboard/tensorboard-controller/upstream/crd/kustomization.yaml 
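Review bot: `CERTIFICATE_NAME` and `SERVICE_NAME` declare no `fieldref`, so they silently rely on kustomize defaulting the field to `metadata.name`; the two sibling vars spell theirs out, and these should too (`fieldref:` / `fieldpath: metadata.name`) so a reader does not need to know the default. The roughly ninety commented-out `replacements` lines that follow are a second copy of this configuration that will drift from the live `vars` as soon as either side is edited; a short comment naming the kustomize version constraint and pointing at git history (or a `replacements` file kept outside any built directory) is easier to keep honest, and the comment as written has a typo, `replacemens`. The Service vars are presumably consumed by the added `dnsnames_patch.yaml`, which is not in the diff; if that patch writes the Certificate's `spec.dnsNames`, an unresolved placeholder would issue a certificate for a literal `$(SERVICE_NAME)` host and the API server would then refuse the webhook's TLS, so the file deserves a one-line comment stating which vars it expects.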
@@ -5,15 +5,15 @@ resources: - bases/tensorboard.kubeflow.org_tensorboards.yaml #+kubebuilder:scaffold:crdkustomizeresource -patches: +patchesStrategicMerge: # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix. # patches here are for enabling the conversion webhook for each CRD -#- path: patches/webhook_in_tensorboards.yaml +#- patches/webhook_in_tensorboards.yaml #+kubebuilder:scaffold:crdkustomizewebhookpatch # [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix. # patches here are for enabling the CA injection for each CRD -#- path: patches/cainjection_in_tensorboards.yaml +#- patches/cainjection_in_tensorboards.yaml #+kubebuilder:scaffold:crdkustomizecainjectionpatch # the following config is for teaching kustomize how to do kustomization for CRDs. diff --git a/applications/tensorboard/tensorboard-controller/upstream/default/kustomization.yaml b/applications/tensorboard/tensorboard-controller/upstream/default/kustomization.yaml index b90b565037..399ffd068f 100644 --- a/applications/tensorboard/tensorboard-controller/upstream/default/kustomization.yaml +++ b/applications/tensorboard/tensorboard-controller/upstream/default/kustomization.yaml @@ -9,13 +9,11 @@ namespace: tensorboard-controller-system namePrefix: tensorboard-controller- # Labels to add to all resources and selectors. -labels: -- includeSelectors: true - pairs: - app: tensorboard-controller - kustomize.component: tensorboard-controller +commonLabels: + app: tensorboard-controller + kustomize.component: tensorboard-controller -resources: +bases: - ../crd - ../rbac - ../manager 
@@ -27,11 +25,11 @@ resources: # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. #- ../prometheus -patches: +patchesStrategicMerge: # Protect the /metrics endpoint by putting it behind auth. # If you want your controller-manager to expose the /metrics # endpoint w/o any authn/z, please comment the following line. - - path: manager_auth_proxy_patch.yaml + - manager_auth_proxy_patch.yaml # Mount the controller config file for loading manager configurations # through a ComponentConfig type @@ -47,7 +45,7 @@ patches: #- webhookcainjection_patch.yaml # the following config is for teaching kustomize how to do var substitution -#vars: +vars: # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. #- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR # objref: diff --git a/applications/tensorboard/tensorboard-controller/upstream/overlays/kubeflow/kustomization.yaml b/applications/tensorboard/tensorboard-controller/upstream/overlays/kubeflow/kustomization.yaml index 23b2af1b49..d02e02287e 100644 --- a/applications/tensorboard/tensorboard-controller/upstream/overlays/kubeflow/kustomization.yaml +++ b/applications/tensorboard/tensorboard-controller/upstream/overlays/kubeflow/kustomization.yaml @@ -3,5 +3,5 @@ kind: Kustomization resources: - ../../base namespace: kubeflow -patches: -- path: patches/remove-namespace.yaml +patchesStrategicMerge: +- patches/remove-namespace.yaml diff --git a/applications/tensorboard/tensorboards-web-app/upstream/base/kustomization.yaml b/applications/tensorboard/tensorboards-web-app/upstream/base/kustomization.yaml index 1ee6d73b1b..702e76ba48 100644 --- a/applications/tensorboard/tensorboards-web-app/upstream/base/kustomization.yaml +++ b/applications/tensorboard/tensorboards-web-app/upstream/base/kustomization.yaml 
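Review bot: `#vars:` becomes `vars:` while every entry beneath it stays commented out, so the Kustomization now carries a bare `vars:` with a null value; it enables nothing and yamllint's `empty-values` rule flags it. Keep the line as `#vars:` until one of the [CERTMANAGER] entries is actually uncommented, which is how the crd hunk above handles its disabled sections.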
@@ -8,72 +8,66 @@ resources: - service.yaml namePrefix: tensorboards-web-app- namespace: kubeflow -labels: -- includeSelectors: true - pairs: - app: tensorboards-web-app - kustomize.component: tensorboards-web-app - +commonLabels: + app: tensorboards-web-app + kustomize.component: tensorboards-web-app images: - name: ghcr.io/kubeflow/kubeflow/tensorboards-web-app newName: ghcr.io/kubeflow/kubeflow/tensorboards-web-app newTag: v1.10.0 - # We need the name to be unique without the suffix because the original name is what # gets used with patches configMapGenerator: - envs: - params.env name: parameters - -replacements: -- source: - kind: ConfigMap - name: parameters - fieldPath: data.TWA_PREFIX - targets: - - select: - kind: Deployment - name: deployment - fieldPaths: - - spec.template.spec.containers.[name=tensorboards-web-app].env.[name=APP_PREFIX].value -- source: +vars: +- fieldref: + fieldPath: data.TWA_CLUSTER_DOMAIN + name: TWA_CLUSTER_DOMAIN + objref: + apiVersion: v1 kind: ConfigMap name: parameters +- fieldref: + fieldPath: metadata.namespace + name: TWA_NAMESPACE + objref: + apiVersion: v1 + kind: Service + name: service +- fieldref: fieldPath: data.TWA_USERID_HEADER - targets: - - select: - kind: Deployment - name: deployment - fieldPaths: - - spec.template.spec.containers.[name=tensorboards-web-app].env.[name=USERID_HEADER].value -- source: + name: TWA_USERID_HEADER + objref: + apiVersion: v1 kind: ConfigMap name: parameters +- fieldref: fieldPath: data.TWA_USERID_PREFIX - targets: - - select: - kind: Deployment - name: deployment - fieldPaths: - - spec.template.spec.containers.[name=tensorboards-web-app].env.[name=USERID_PREFIX].value -- source: + name: TWA_USERID_PREFIX + objref: + apiVersion: v1 + kind: ConfigMap + name: parameters +- fieldref: + fieldPath: data.TWA_PREFIX + name: TWA_PREFIX + objref: + apiVersion: v1 kind: ConfigMap name: parameters +- fieldref: fieldPath: data.TWA_APP_SECURE_COOKIES - targets: - - select: - kind: Deployment - name: 
deployment - fieldPaths: - - spec.template.spec.containers.[name=tensorboards-web-app].env.[name=APP_SECURE_COOKIES].value -- source: + name: TWA_APP_SECURE_COOKIES + objref: + apiVersion: v1 kind: ConfigMap name: parameters +- name: TWA_APP_ENABLE_METRICS + fieldref: fieldPath: data.TWA_APP_ENABLE_METRICS - targets: - - select: - kind: Deployment - name: deployment - fieldPaths: - - spec.template.spec.containers.[name=tensorboards-web-app].env.[name=METRICS].value + objref: + apiVersion: v1 + kind: ConfigMap + name: parameters diff --git a/applications/tensorboard/tensorboards-web-app/upstream/overlays/istio/kustomization.yaml b/applications/tensorboard/tensorboards-web-app/upstream/overlays/istio/kustomization.yaml index cd64bc3eaa..45e308307c 100644 --- a/applications/tensorboard/tensorboards-web-app/upstream/overlays/istio/kustomization.yaml +++ b/applications/tensorboard/tensorboards-web-app/upstream/overlays/istio/kustomization.yaml @@ -6,36 +6,8 @@ resources: - authorization-policy.yaml - destination-rule.yaml namespace: kubeflow -labels: -- includeSelectors: true - pairs: - app: tensorboards-web-app - kustomize.component: tensorboards-web-app +commonLabels: + app: tensorboards-web-app + kustomize.component: tensorboards-web-app configurations: - params.yaml - -replacements: -- source: - kind: Service - name: service - fieldPath: metadata.namespace - targets: - - select: - kind: VirtualService - fieldPaths: - - spec.http.0.route.0.destination.host - options: - delimiter: "." - index: 1 -- source: - kind: ConfigMap - name: parameters - fieldPath: data.TWA_CLUSTER_DOMAIN - targets: - - select: - kind: VirtualService - fieldPaths: - - spec.http.0.route.0.destination.host - options: - delimiter: "." - index: 3 diff --git a/applications/volumes-web-app/upstream/base/kustomization.yaml b/applications/volumes-web-app/upstream/base/kustomization.yaml index b58be01f2b..deda40865c 100644 --- a/applications/volumes-web-app/upstream/base/kustomization.yaml 
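Review bot: Deleting the two `replacements` makes `spec.http.0.route.0.destination.host` in the VirtualService depend on `virtual-service.yaml` carrying `$(TWA_NAMESPACE)` and `$(TWA_CLUSTER_DOMAIN)` placeholders and on `params.yaml` declaring that path as a varReference, and neither file changes in this commit. If either is missing, the host keeps its literal value or the unresolved placeholder and Istio routes to a Service that does not exist; with `vars`, kustomize (as far as I recall) only logs that a well-defined var was never replaced rather than failing the build, so this is easy to miss. The vars themselves are now declared in the base hunk above rather than next to the VirtualService that consumes them, so the coupling deserves a comment on the base's `vars:` block, e.g. `# TWA_NAMESPACE / TWA_CLUSTER_DOMAIN are referenced by overlays/istio/virtual-service.yaml`, plus a CI build of the istio overlay that greps its output for `$(`. The volumes-web-app istio hunk has the same shape.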
+++ b/applications/volumes-web-app/upstream/base/kustomization.yaml @@ -8,17 +8,13 @@ resources: - service.yaml namePrefix: volumes-web-app- namespace: kubeflow -labels: -- includeSelectors: true - pairs: - app: volumes-web-app - kustomize.component: volumes-web-app - +commonLabels: + app: volumes-web-app + kustomize.component: volumes-web-app images: - name: ghcr.io/kubeflow/kubeflow/volumes-web-app newName: ghcr.io/kubeflow/kubeflow/volumes-web-app newTag: v1.10.0 - # We need the name to be unique without the suffix because the original name is what # gets used with patches configMapGenerator: 
@@ -28,55 +24,53 @@ configMapGenerator: - files: - viewer-spec.yaml name: viewer-spec - -replacements: -- source: - kind: ConfigMap - name: parameters - fieldPath: data.VWA_PREFIX - targets: - - select: - kind: Deployment - name: deployment - fieldPaths: - - spec.template.spec.containers.[name=volumes-web-app].env.[name=APP_PREFIX].value -- source: +vars: +- fieldref: + fieldPath: data.VWA_CLUSTER_DOMAIN + name: VWA_CLUSTER_DOMAIN + objref: + apiVersion: v1 kind: ConfigMap name: parameters +- fieldref: + fieldPath: metadata.namespace + name: VWA_NAMESPACE + objref: + apiVersion: v1 + kind: Service + name: service +- fieldref: fieldPath: data.VWA_USERID_HEADER - targets: - - select: - kind: Deployment - name: deployment - fieldPaths: - - spec.template.spec.containers.[name=volumes-web-app].env.[name=USERID_HEADER].value -- source: + name: VWA_USERID_HEADER + objref: + apiVersion: v1 kind: ConfigMap name: parameters +- fieldref: fieldPath: data.VWA_USERID_PREFIX - targets: - - select: - kind: Deployment - name: deployment - fieldPaths: - - spec.template.spec.containers.[name=volumes-web-app].env.[name=USERID_PREFIX].value -- source: + name: VWA_USERID_PREFIX + objref: + apiVersion: v1 + kind: ConfigMap + name: parameters +- fieldref: + fieldPath: data.VWA_PREFIX + name: VWA_PREFIX + objref: + apiVersion: v1 kind: ConfigMap name: parameters +- name: VWA_APP_SECURE_COOKIES + fieldref: fieldPath: data.VWA_APP_SECURE_COOKIES - targets: - - select: - kind: Deployment - name: deployment - fieldPaths: - - spec.template.spec.containers.[name=volumes-web-app].env.[name=APP_SECURE_COOKIES].value -- source: + objref: + apiVersion: v1 kind: ConfigMap name: parameters +- name: VWA_APP_ENABLE_METRICS + fieldref: fieldPath: data.VWA_APP_ENABLE_METRICS - targets: - - select: - kind: Deployment - name: deployment - fieldPaths: - - spec.template.spec.containers.[name=volumes-web-app].env.[name=METRICS].value + objref: + apiVersion: v1 + kind: ConfigMap + name: parameters 
diff --git a/applications/volumes-web-app/upstream/overlays/istio/kustomization.yaml b/applications/volumes-web-app/upstream/overlays/istio/kustomization.yaml index 792df5ebef..1d8d0ac0fc 100644 --- a/applications/volumes-web-app/upstream/overlays/istio/kustomization.yaml +++ b/applications/volumes-web-app/upstream/overlays/istio/kustomization.yaml @@ -6,36 +6,8 @@ resources: - authorization-policy.yaml - destination-rule.yaml namespace: kubeflow -labels: -- includeSelectors: true - pairs: - app: volumes-web-app - kustomize.component: volumes-web-app +commonLabels: + app: volumes-web-app + kustomize.component: volumes-web-app configurations: - params.yaml - -replacements: -- source: - kind: Service - name: service - fieldPath: metadata.namespace - targets: - - select: - kind: VirtualService - fieldPaths: - - spec.http.0.route.0.destination.host - options: - delimiter: "." - index: 1 -- source: - kind: ConfigMap - name: parameters - fieldPath: data.VWA_CLUSTER_DOMAIN - targets: - - select: - kind: VirtualService - fieldPaths: - - spec.http.0.route.0.destination.host - options: - delimiter: "." - index: 3 From c3adca0ddc351115c1a4a9d3021317e15ab8e9cc Mon Sep 17 00:00:00 2001 From: Abdullah Pathan Date: Fri, 3 Apr 2026 20:37:10 +0530 Subject: [PATCH 03/17] feat: enforce PSS restricted for user namespaces in CI This commit automates the enforcement of Pod Security Standard (PSS) 'restricted' policies on user namespaces created by the Profile Controller. It also updates CI test manifests (Notebook, Katib, Training) to be PSS compliant by adding the required security contexts. Changes: - Added PSS restricted labels to Profile Controller's default labels. - Patched Notebook, Katib, and Training Operator test manifests. - Refactored profile installation scripts for consistent enforcement. 
Signed-off-by: Abdullah Pathan --- .../upstream/base/namespace-labels.yaml | 4 ++++ tests/PSS_enable.sh | 3 +-- tests/katib_test.yaml | 11 ++++++++++ tests/kubeflow_profile_install.sh | 1 - ...tebook.test.kubeflow-user-example.com.yaml | 11 ++++++++++ tests/training_operator_job.yaml | 22 +++++++++++++++++++ 6 files changed, 49 insertions(+), 3 deletions(-) diff --git a/applications/profiles/upstream/base/namespace-labels.yaml b/applications/profiles/upstream/base/namespace-labels.yaml index bd6cb44155..fc55d371ff 100644 --- a/applications/profiles/upstream/base/namespace-labels.yaml +++ b/applications/profiles/upstream/base/namespace-labels.yaml @@ -16,3 +16,7 @@ katib.kubeflow.org/metrics-collector-injection: "enabled" serving.kubeflow.org/inferenceservice: "enabled" pipelines.kubeflow.org/enabled: "true" app.kubernetes.io/part-of: "kubeflow-profile" +pod-security.kubernetes.io/enforce: "restricted" +pod-security.kubernetes.io/enforce-version: "latest" +pod-security.kubernetes.io/warn: "restricted" +pod-security.kubernetes.io/warn-version: "latest" diff --git a/tests/PSS_enable.sh b/tests/PSS_enable.sh index e0fa461de5..f95deb96c0 100755 --- a/tests/PSS_enable.sh +++ b/tests/PSS_enable.sh @@ -8,8 +8,7 @@ PSS_LEVEL="${1:-restricted}" exit 1 } -NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow" "knative-serving" "kubeflow-system") -[[ "$PSS_LEVEL" == "baseline" ]] && NAMESPACES+=("kubeflow-user-example-com") +NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow" "knative-serving" "kubeflow-system" "kubeflow-user-example-com") echo "Applying PSS $PSS_LEVEL to: ${NAMESPACES[*]}" diff --git a/tests/katib_test.yaml b/tests/katib_test.yaml index e369c5f559..014f2670a8 100644 --- a/tests/katib_test.yaml +++ b/tests/katib_test.yaml 
@@ -44,9 +44,20 @@ spec: annotations: sidecar.istio.io/inject: "false" spec: + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault containers: - name: training-container image: ghcr.io/kubeflow/katib/pytorch-mnist-cpu:v0.19.0 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + runAsUser: 1000 command: - "python3" - "/opt/pytorch-mnist/mnist.py" diff --git a/tests/kubeflow_profile_install.sh b/tests/kubeflow_profile_install.sh index 4176836970..74907477b1 100755 --- a/tests/kubeflow_profile_install.sh +++ b/tests/kubeflow_profile_install.sh @@ -6,4 +6,3 @@ PROFILE_CONTROLLER_POD=$(kubectl get pods -n kubeflow -o json | jq -r '.items[] kubectl logs -n kubeflow "$PROFILE_CONTROLLER_POD" KF_PROFILE=kubeflow-user-example-com kubectl -n $KF_PROFILE get pods,configmaps,secrets -kubectl label namespace $KF_PROFILE pod-security.kubernetes.io/enforce=baseline --overwrite diff --git a/tests/notebook.test.kubeflow-user-example.com.yaml b/tests/notebook.test.kubeflow-user-example.com.yaml index efc6aeec33..5df8a6b771 100644 --- a/tests/notebook.test.kubeflow-user-example.com.yaml +++ b/tests/notebook.test.kubeflow-user-example.com.yaml @@ -13,10 +13,21 @@ metadata: spec: template: spec: + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault containers: - name: test image: ghcr.io/kubeflow/kubeflow/notebook-servers/jupyter-scipy:v1.10.0 imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + runAsUser: 1000 resources: limits: cpu: "0.6" diff --git a/tests/training_operator_job.yaml b/tests/training_operator_job.yaml index 341db77599..0fd65e3642 100644 --- a/tests/training_operator_job.yaml +++ b/tests/training_operator_job.yaml 
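Review bot: `runAsNonRoot: true` is set twice in the added block — once in the pod `securityContext` and again in the container's — and `runAsUser: 1000` is pinned; the restricted profile needs `runAsNonRoot` once and does not demand a fixed UID, so the pin ties the manifest to the image's UID layout and has to track every image change. The notebook hunk below and both training_operator_job.yaml hunks repeat the same block, so they share the point. I would keep `runAsNonRoot`/`seccompProfile` at pod level, `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]` at container level, and add `runAsUser` only where the image's `USER` is root or unset, with a comment giving the reason, e.g. `# image has no numeric USER; pin the UID so the kubelet's runAsNonRoot check can pass`.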
@@ -14,8 +14,19 @@ spec: labels: sidecar.istio.io/inject: "false" spec: + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault containers: - name: pytorch + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + runAsUser: 1000 image: docker.io/kubeflowkatib/pytorch-mnist:v1beta1-45c5727 imagePullPolicy: Always command: @@ -53,8 +64,19 @@ spec: labels: sidecar.istio.io/inject: "false" spec: + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault containers: - name: pytorch + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + runAsUser: 1000 image: docker.io/kubeflowkatib/pytorch-mnist:v1beta1-45c5727 imagePullPolicy: Always command: From 99b58e00d9e8817c638566752bbf3498bf5ce57d Mon Sep 17 00:00:00 2001 From: Abdullah Pathan Date: Sat, 4 Apr 2026 04:43:29 +0530 Subject: [PATCH 04/17] fix(ci): conditionalize user namespace in PSS script Modified PSS_enable.sh to only include the user namespace when the PSS_LEVEL is set to 'restricted'. This prevents potential conflicts where the script might try to downgrade the security level to 'baseline' for namespaces that are now enforced to be 'restricted' by default. Signed-off-by: Abdullah Pathan --- tests/PSS_enable.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tests/PSS_enable.sh b/tests/PSS_enable.sh index f95deb96c0..164ef1adb2 100755 --- a/tests/PSS_enable.sh +++ b/tests/PSS_enable.sh @@ -8,7 +8,10 @@ PSS_LEVEL="${1:-restricted}" exit 1 } -NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow" "knative-serving" "kubeflow-system" "kubeflow-user-example-com") +NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow" "knative-serving" "kubeflow-system") +if [[ "$PSS_LEVEL" == "restricted" ]]; then + NAMESPACES+=("kubeflow-user-example-com") +fi echo "Applying PSS $PSS_LEVEL to: ${NAMESPACES[*]}" 
From 8d0f6cfe2fe987f2d8f1905434c1e47a9990a856 Mon Sep 17 00:00:00 2001 From: Abdullah Pathan Date: Sat, 4 Apr 2026 05:07:09 +0530 Subject: [PATCH 05/17] fix(profiles): align duplicate PSS labels with restricted level Updated applications/profiles/pss/namespace-labels.yaml to ensure consistency with the upstream configuration. The PSS enforcement level has been increased from baseline to restricted, and matching warning labels and versions have been added as required by the new security standards. Signed-off-by: Abdullah Pathan --- applications/profiles/pss/namespace-labels.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/applications/profiles/pss/namespace-labels.yaml b/applications/profiles/pss/namespace-labels.yaml index 08f6690272..087201c3e7 100644 --- a/applications/profiles/pss/namespace-labels.yaml +++ b/applications/profiles/pss/namespace-labels.yaml @@ -20,4 +20,7 @@ katib.kubeflow.org/metrics-collector-injection: "enabled" serving.kubeflow.org/inferenceservice: "enabled" pipelines.kubeflow.org/enabled: "true" app.kubernetes.io/part-of: "kubeflow-profile" -pod-security.kubernetes.io/enforce: "baseline" +pod-security.kubernetes.io/enforce: "restricted" +pod-security.kubernetes.io/enforce-version: "latest" +pod-security.kubernetes.io/warn: "restricted" +pod-security.kubernetes.io/warn-version: "latest" From 4c9bfa1fcdfe1ed1d626cefc7516172eee0496f1 Mon Sep 17 00:00:00 2001 From: Abdullah Pathan Date: Sat, 4 Apr 2026 12:40:23 +0200 Subject: [PATCH 06/17] Change pod security enforcement to baseline Signed-off-by: Abdullah Pathan --- applications/profiles/pss/namespace-labels.yaml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/applications/profiles/pss/namespace-labels.yaml b/applications/profiles/pss/namespace-labels.yaml index 087201c3e7..3d5339bd4d 100644 --- a/applications/profiles/pss/namespace-labels.yaml +++ b/applications/profiles/pss/namespace-labels.yaml 
@@ -20,7 +20,5 @@ katib.kubeflow.org/metrics-collector-injection: "enabled" serving.kubeflow.org/inferenceservice: "enabled" pipelines.kubeflow.org/enabled: "true" app.kubernetes.io/part-of: "kubeflow-profile" -pod-security.kubernetes.io/enforce: "restricted" -pod-security.kubernetes.io/enforce-version: "latest" +pod-security.kubernetes.io/enforce: "baseline" pod-security.kubernetes.io/warn: "restricted" -pod-security.kubernetes.io/warn-version: "latest" From 6b39804d6fe28357d048e784f6473530a4db6210 Mon Sep 17 00:00:00 2001 From: Abdullah Pathan Date: Sat, 4 Apr 2026 12:41:06 +0200 Subject: [PATCH 07/17] Remove pod security labels from namespace Removed pod security enforcement labels from the namespace. Signed-off-by: Abdullah Pathan --- applications/profiles/upstream/base/namespace-labels.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/applications/profiles/upstream/base/namespace-labels.yaml b/applications/profiles/upstream/base/namespace-labels.yaml index fc55d371ff..bd6cb44155 100644 --- a/applications/profiles/upstream/base/namespace-labels.yaml +++ b/applications/profiles/upstream/base/namespace-labels.yaml @@ -16,7 +16,3 @@ katib.kubeflow.org/metrics-collector-injection: "enabled" serving.kubeflow.org/inferenceservice: "enabled" pipelines.kubeflow.org/enabled: "true" app.kubernetes.io/part-of: "kubeflow-profile" -pod-security.kubernetes.io/enforce: "restricted" -pod-security.kubernetes.io/enforce-version: "latest" -pod-security.kubernetes.io/warn: "restricted" -pod-security.kubernetes.io/warn-version: "latest" From cd15375df60b0343082beaf5a633092836e078fa Mon Sep 17 00:00:00 2001 From: Abdullah Pathan Date: Sat, 4 Apr 2026 12:41:50 +0200 Subject: [PATCH 08/17] Label KF_PROFILE namespace with restricted pod security Add pod security enforcement label to KF_PROFILE namespace Signed-off-by: Abdullah Pathan --- tests/kubeflow_profile_install.sh | 1 + 1 file changed, 1 insertion(+) 
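Review bot: With enforcement dropped back to `baseline` and only `warn: "restricted"` kept, restricted-level violations in profile namespaces surface solely as client-side warnings on `kubectl apply`; nothing records them server-side. Add `pod-security.kubernetes.io/audit: "restricted"` alongside `warn` so the violations land in the API audit log and can be trended before enforcement is raised again. Dropping the two `-version` labels is harmless (the admission controller defaults to `latest`), but the previous patch added them for consistency with `upstream/base`, and the next patch empties that file's PSS labels entirely — the two label sets should end up identical and the commit message should say which one is authoritative.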
diff --git a/tests/kubeflow_profile_install.sh b/tests/kubeflow_profile_install.sh index 74907477b1..6b17901930 100755 --- a/tests/kubeflow_profile_install.sh +++ b/tests/kubeflow_profile_install.sh @@ -6,3 +6,4 @@ PROFILE_CONTROLLER_POD=$(kubectl get pods -n kubeflow -o json | jq -r '.items[] kubectl logs -n kubeflow "$PROFILE_CONTROLLER_POD" KF_PROFILE=kubeflow-user-example-com kubectl -n $KF_PROFILE get pods,configmaps,secrets +kubectl label namespace $KF_PROFILE pod-security.kubernetes.io/enforce=restricted --overwrite From e8e134ab26a7b8d8fe6ddc764eabdaa268b83197 Mon Sep 17 00:00:00 2001 From: Abdullah Pathan Date: Sat, 4 Apr 2026 17:25:55 +0530 Subject: [PATCH 09/17] fix(ci): fix trainer CRD schema and update pytorch-mnist image - Remove spec.template and spec.trainer.securityContext from trainer_job.yaml as they are unknown fields in TrainJob v1alpha1 CRD, causing strict decoding rejection (BadRequest). - Update pytorch-mnist image in training_operator_job.yaml from the legacy docker.io/kubeflowkatib image (root-based) to ghcr.io/kubeflow/katib/pytorch-mnist-cpu:v0.19.0, which supports non-root execution and is consistent with katib_test.yaml. Signed-off-by: Abdullah Pathan --- tests/training_operator_job.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/training_operator_job.yaml b/tests/training_operator_job.yaml index 0fd65e3642..ec4b39269e 100644 --- a/tests/training_operator_job.yaml +++ b/tests/training_operator_job.yaml @@ -27,7 +27,7 @@ spec: - ALL runAsNonRoot: true runAsUser: 1000 - image: docker.io/kubeflowkatib/pytorch-mnist:v1beta1-45c5727 + image: ghcr.io/kubeflow/katib/pytorch-mnist-cpu:v0.19.0 imagePullPolicy: Always command: - "python3" @@ -77,7 +77,7 @@ spec: - ALL runAsNonRoot: true runAsUser: 1000 - image: docker.io/kubeflowkatib/pytorch-mnist:v1beta1-45c5727 + image: ghcr.io/kubeflow/katib/pytorch-mnist-cpu:v0.19.0 imagePullPolicy: Always command: - "python3" 
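Review bot: Labelling `$KF_PROFILE` imperatively with `--overwrite` after the Profile Controller has created the namespace means the test no longer verifies what the controller's `namespace-labels.yaml` actually applies — a regression in the declarative default is masked by this line. If the controller is the intended source of truth, assert instead: `kubectl get namespace "$KF_PROFILE" -o jsonpath='{.metadata.labels.pod-security\.kubernetes\.io/enforce}'` compared against the expected level, and fail the script on a mismatch. Whichever is kept, quote the expansion (`"$KF_PROFILE"`) as the `PSS_enable.sh` hunks in this series do for `$PSS_LEVEL`; the unquoted form on the line above is pre-existing but the new line need not copy it.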
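Review bot: The new `ghcr.io/kubeflow/katib/pytorch-mnist-cpu:v0.19.0` reference is a mutable tag pulled with `imagePullPolicy: Always` (visible in both hunks), so the non-root and PSS behaviour the commit message relies on depends on whatever that tag points to at run time. Pin the digest in both hunks, `image: ghcr.io/kubeflow/katib/pytorch-mnist-cpu:v0.19.0@sha256:<digest from the registry>`, so CI keeps pulling the image the change was validated against; `katib_test.yaml` uses the same tag and should get the same pin.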
From 78f9e01987c3fdbaf9af7b4237b32d3191b42bcc Mon Sep 17 00:00:00 2001 From: Abdullah Pathan Date: Sun, 5 Apr 2026 01:10:52 +0530 Subject: [PATCH 10/17] fix: robust wait logic and PSS hardening for training operator and katib Signed-off-by: Abdullah Pathan --- tests/katib_test.yaml | 2 ++ tests/kubeflow_profile_install.sh | 2 +- tests/notebook.test.kubeflow-user-example.com.yaml | 2 ++ tests/training_operator_job.yaml | 4 ++++ tests/training_operator_test.sh | 13 +++++++++++-- 5 files changed, 20 insertions(+), 3 deletions(-) diff --git a/tests/katib_test.yaml b/tests/katib_test.yaml index 014f2670a8..42a9f99568 100644 --- a/tests/katib_test.yaml +++ b/tests/katib_test.yaml @@ -46,6 +46,8 @@ spec: spec: securityContext: runAsNonRoot: true + runAsGroup: 1000 + fsGroup: 1000 seccompProfile: type: RuntimeDefault containers: diff --git a/tests/kubeflow_profile_install.sh b/tests/kubeflow_profile_install.sh index 6b17901930..9dca6c8325 100755 --- a/tests/kubeflow_profile_install.sh +++ b/tests/kubeflow_profile_install.sh @@ -6,4 +6,4 @@ PROFILE_CONTROLLER_POD=$(kubectl get pods -n kubeflow -o json | jq -r '.items[] kubectl logs -n kubeflow "$PROFILE_CONTROLLER_POD" KF_PROFILE=kubeflow-user-example-com kubectl -n $KF_PROFILE get pods,configmaps,secrets -kubectl label namespace $KF_PROFILE pod-security.kubernetes.io/enforce=restricted --overwrite + diff --git a/tests/notebook.test.kubeflow-user-example.com.yaml b/tests/notebook.test.kubeflow-user-example.com.yaml index 5df8a6b771..fdb81c7ade 100644 --- a/tests/notebook.test.kubeflow-user-example.com.yaml +++ b/tests/notebook.test.kubeflow-user-example.com.yaml @@ -15,6 +15,8 @@ spec: spec: securityContext: runAsNonRoot: true + runAsGroup: 1000 + fsGroup: 1000 seccompProfile: type: RuntimeDefault containers: diff --git a/tests/training_operator_job.yaml b/tests/training_operator_job.yaml index ec4b39269e..3608729086 100644 --- a/tests/training_operator_job.yaml +++ b/tests/training_operator_job.yaml 
@@ -16,6 +16,8 @@ spec: spec: securityContext: runAsNonRoot: true + runAsGroup: 1000 + fsGroup: 1000 seccompProfile: type: RuntimeDefault containers: @@ -66,6 +68,8 @@ spec: spec: securityContext: runAsNonRoot: true + runAsGroup: 1000 + fsGroup: 1000 seccompProfile: type: RuntimeDefault containers: diff --git a/tests/training_operator_test.sh b/tests/training_operator_test.sh index f338b1632b..1d1147b1e6 100755 --- a/tests/training_operator_test.sh +++ b/tests/training_operator_test.sh @@ -6,8 +6,17 @@ cat tests/training_operator_job.yaml | \ sed 's/name: pytorch-simple/name: pytorch-simple\n namespace: '"$KF_PROFILE"'/g' > /tmp/pytorch-job.yaml kubectl apply -f /tmp/pytorch-job.yaml -kubectl wait --for=jsonpath='{.status.conditions[0].type}=Created' pytorchjob.kubeflow.org/pytorch-simple -n $KF_PROFILE --timeout=60s - +# Wait for the PyTorchJob to be created by the operator +echo "Waiting for PyTorchJob status to be populated..." +if ! kubectl wait --for=condition=Created pytorchjob/pytorch-simple -n $KF_PROFILE --timeout=120s; then + echo "ERROR: Timeout waiting for PyTorchJob status. Collecting diagnostics..." + kubectl describe pytorchjob pytorch-simple -n $KF_PROFILE + kubectl get pods -n $KF_PROFILE -l training.kubeflow.org/job-name=pytorch-simple + kubectl get events -n $KF_PROFILE --sort-by=.metadata.creationTimestamp + exit 1 +fi + +echo "PyTorchJob created successfully. Waiting for pods..." kubectl get pods -n $KF_PROFILE --show-labels kubectl wait --for=condition=Ready pod -l training.kubeflow.org/replica-type=master -n $KF_PROFILE --timeout=240s From 787268509a32819886e047fa58dae35b3f4d06c7 Mon Sep 17 00:00:00 2001 
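Review bot: The diagnostics inside the new `if ! kubectl wait …` branch of `tests/training_operator_test.sh` run `kubectl describe`, `kubectl get pods` and `kubectl get events` without `|| true`; if the script runs under `set -e` (its header is outside this hunk, so I cannot confirm), the first diagnostic that fails aborts the script before the rest is collected, and the `exit 1` is reached without the log it was meant to produce. Suffixing each with `|| true`, e.g. `kubectl describe pytorchjob pytorch-simple -n "$KF_PROFILE" || true`, keeps the best-effort intent. The same applies to the reworked diagnostics in PATCH 13's hunk of this file. `$KF_PROFILE` is also unquoted in the new `kubectl wait` line while later commits in the series quote it.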
From: Abdullah Pathan Date: Sun, 5 Apr 2026 04:10:02 +0530 Subject: [PATCH 11/17] fix: resolve pod ContainerCreating and trial timeout CI failures - training_operator_job.yaml: Add sidecar.istio.io/inject=false as pod annotation (not just label) so Istio CNI respects the opt-out and does not inject the istio-validation init container that requires NET_ADMIN capability blocked by PSS baseline. - katib_test.yaml: Add --no-cuda flag to trial command to ensure the training script exits quickly in CPU-only CI environments, fixing the 600s Succeeded timeout. - kubeflow_profile_install.sh: Re-add explicit kubectl label for baseline PSS as belt-and-suspenders alongside the Profile Controller declarative approach, ensuring the label is set before any pods are scheduled. - notebook.test.kubeflow-user-example.com.yaml: Use fsGroup=100 (jovyan group) instead of 1000 to match the notebook server image's expected group, fixing the readyReplicas=1 timeout. Signed-off-by: Abdullah Pathan --- tests/katib_test.yaml | 1 + tests/kubeflow_profile_install.sh | 2 +- tests/notebook.test.kubeflow-user-example.com.yaml | 2 +- tests/training_operator_job.yaml | 4 ++++ 4 files changed, 7 insertions(+), 2 deletions(-) diff --git a/tests/katib_test.yaml b/tests/katib_test.yaml index 42a9f99568..697a56b819 100644 --- a/tests/katib_test.yaml +++ b/tests/katib_test.yaml @@ -64,6 +64,7 @@ spec: - "python3" - "/opt/pytorch-mnist/mnist.py" - "--epochs=1" + - "--no-cuda" - "--batch-size=16" - "--lr=${trialParameters.learningRate}" - "--momentum=${trialParameters.momentum}" diff --git a/tests/kubeflow_profile_install.sh b/tests/kubeflow_profile_install.sh index 9dca6c8325..6d46841fff 100755 --- a/tests/kubeflow_profile_install.sh +++ b/tests/kubeflow_profile_install.sh 
@@ -6,4 +6,4 @@ PROFILE_CONTROLLER_POD=$(kubectl get pods -n kubeflow -o json | jq -r '.items[] kubectl logs -n kubeflow "$PROFILE_CONTROLLER_POD" KF_PROFILE=kubeflow-user-example-com kubectl -n $KF_PROFILE get pods,configmaps,secrets - +kubectl label namespace $KF_PROFILE pod-security.kubernetes.io/enforce=baseline pod-security.kubernetes.io/warn=restricted --overwrite diff --git a/tests/notebook.test.kubeflow-user-example.com.yaml b/tests/notebook.test.kubeflow-user-example.com.yaml index fdb81c7ade..a5bf105f47 100644 --- a/tests/notebook.test.kubeflow-user-example.com.yaml +++ b/tests/notebook.test.kubeflow-user-example.com.yaml @@ -16,7 +16,7 @@ spec: securityContext: runAsNonRoot: true runAsGroup: 1000 - fsGroup: 1000 + fsGroup: 100 seccompProfile: type: RuntimeDefault containers: diff --git a/tests/training_operator_job.yaml b/tests/training_operator_job.yaml index 3608729086..d0b32ffa1d 100644 --- a/tests/training_operator_job.yaml +++ b/tests/training_operator_job.yaml @@ -11,6 +11,8 @@ spec: restartPolicy: OnFailure template: metadata: + annotations: + sidecar.istio.io/inject: "false" labels: sidecar.istio.io/inject: "false" spec: @@ -63,6 +65,8 @@ spec: restartPolicy: OnFailure template: metadata: + annotations: + sidecar.istio.io/inject: "false" labels: sidecar.istio.io/inject: "false" spec: From bd62d805b7e58a16464c105964218cd149f92441 Mon Sep 17 00:00:00 2001 From: Abdullah Pathan Date: Sun, 5 Apr 2026 14:11:31 +0530 Subject: [PATCH 12/17] ci: update katib and pipeline workflow triggers Signed-off-by: Abdullah Pathan --- .github/workflows/katib_test.yaml | 2 +- .github/workflows/pipeline_run_from_notebook.yaml | 1 + .github/workflows/pipeline_test.yaml | 3 +-- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/katib_test.yaml b/.github/workflows/katib_test.yaml index 921da769b1..3fac47fe1c 100644 --- a/.github/workflows/katib_test.yaml +++ b/.github/workflows/katib_test.yaml 
@@ -3,7 +3,7 @@ on: pull_request: paths: - tests/install_KinD_create_KinD_cluster_install_kustomize.sh - - tests/katib_install.sh + - tests/katib* - .github/workflows/katib_test.yaml - applications/katib/upstream/** - common/istio*/** diff --git a/.github/workflows/pipeline_run_from_notebook.yaml b/.github/workflows/pipeline_run_from_notebook.yaml index 32e524d543..3bece17b41 100644 --- a/.github/workflows/pipeline_run_from_notebook.yaml +++ b/.github/workflows/pipeline_run_from_notebook.yaml @@ -4,6 +4,7 @@ on: paths: - tests/install_KinD_create_KinD_cluster_install_kustomize.sh - .github/workflows/pipeline_run_from_notebook.yaml + - tests/pipeline* - applications/jupyter/notebook-controller/upstream/** - applications/pipeline/upstream/** - tests/istio* diff --git a/.github/workflows/pipeline_test.yaml b/.github/workflows/pipeline_test.yaml index 6c479db1b7..9233e96101 100644 --- a/.github/workflows/pipeline_test.yaml +++ b/.github/workflows/pipeline_test.yaml @@ -10,8 +10,7 @@ on: - common/cert-manager/** - common/oauth2-proxy/** - common/istio*/** - - tests/pipeline_v1_test.py - - tests/pipeline_v2_test.py + - tests/pipeline* - experimental/security/PSS/* permissions: From 5c2cdc26e9b35d5562ad7bd6ce532f03a39c6b7f Mon Sep 17 00:00:00 2001 From: abdullahpathan22 Date: Sun, 5 Apr 2026 14:37:14 +0530 Subject: [PATCH 13/17] fix(ci): address Copilot AI review feedback - Update PSS trigger paths in all workflows - Fix PyTorchJob Creation wait condition in training_operator_test.sh Signed-off-by: abdullahpathan22 --- .github/workflows/dex_oauth2-proxy_test.yaml | 2 +- .github/workflows/katib_test.yaml | 2 +- .github/workflows/pipeline_test.yaml | 2 +- .github/workflows/trainer_test.yaml | 2 +- .github/workflows/training_operator_test.yaml | 2 +- tests/training_operator_test.sh | 21 ++++++++++++++----- 6 files changed, 21 insertions(+), 10 deletions(-) 
diff --git a/.github/workflows/dex_oauth2-proxy_test.yaml b/.github/workflows/dex_oauth2-proxy_test.yaml index cdcd738580..f986e752f6 100644 --- a/.github/workflows/dex_oauth2-proxy_test.yaml +++ b/.github/workflows/dex_oauth2-proxy_test.yaml @@ -7,7 +7,7 @@ on: - common/cert-manager/** - common/oauth2-proxy/** - common/istio*/** - - experimental/security/PSS/* + - applications/profiles/pss/** - common/dex/base/** - tests/istio* - tests/dex_login_test.py diff --git a/.github/workflows/katib_test.yaml b/.github/workflows/katib_test.yaml index 3fac47fe1c..0ad53f453b 100644 --- a/.github/workflows/katib_test.yaml +++ b/.github/workflows/katib_test.yaml @@ -9,7 +9,7 @@ on: - common/istio*/** - tests/istio* - common/cert-manager/** - - experimental/security/PSS/* + - applications/profiles/pss/** permissions: contents: read diff --git a/.github/workflows/pipeline_test.yaml b/.github/workflows/pipeline_test.yaml index 9233e96101..629da2ca0e 100644 --- a/.github/workflows/pipeline_test.yaml +++ b/.github/workflows/pipeline_test.yaml @@ -11,7 +11,7 @@ on: - common/oauth2-proxy/** - common/istio*/** - tests/pipeline* - - experimental/security/PSS/* + - applications/profiles/pss/** permissions: contents: read diff --git a/.github/workflows/trainer_test.yaml b/.github/workflows/trainer_test.yaml index f23f28206b..0607de9c6a 100644 --- a/.github/workflows/trainer_test.yaml +++ b/.github/workflows/trainer_test.yaml @@ -11,7 +11,7 @@ on: - common/cert-manager/** - common/oauth2-proxy/** - common/istio*/** - - experimental/security/PSS/* + - applications/profiles/pss/** permissions: contents: read diff --git a/.github/workflows/training_operator_test.yaml b/.github/workflows/training_operator_test.yaml index 5d05f0f80e..c63be238ab 100644 --- a/.github/workflows/training_operator_test.yaml +++ b/.github/workflows/training_operator_test.yaml 
@@ -11,7 +11,7 @@ on: - common/cert-manager/** - common/oauth2-proxy/** - common/istio*/** - - experimental/security/PSS/* + - applications/profiles/pss/** permissions: contents: read diff --git a/tests/training_operator_test.sh b/tests/training_operator_test.sh index 1d1147b1e6..667330856b 100755 --- a/tests/training_operator_test.sh +++ b/tests/training_operator_test.sh @@ -6,13 +6,24 @@ cat tests/training_operator_job.yaml | \ sed 's/name: pytorch-simple/name: pytorch-simple\n namespace: '"$KF_PROFILE"'/g' > /tmp/pytorch-job.yaml kubectl apply -f /tmp/pytorch-job.yaml -# Wait for the PyTorchJob to be created by the operator +# Wait for the PyTorchJob status conditions to be populated by the operator. echo "Waiting for PyTorchJob status to be populated..." -if ! kubectl wait --for=condition=Created pytorchjob/pytorch-simple -n $KF_PROFILE --timeout=120s; then +pytorch_job_status_timeout_seconds=120 +pytorch_job_status_poll_interval_seconds=2 +pytorch_job_status_is_populated=false +for ((elapsed_seconds=0; elapsed_seconds/dev/null || true) + if [[ -n "$pytorch_job_condition_type" ]]; then + pytorch_job_status_is_populated=true + break + fi + sleep "$pytorch_job_status_poll_interval_seconds" +done +if [[ "$pytorch_job_status_is_populated" != "true" ]]; then echo "ERROR: Timeout waiting for PyTorchJob status. Collecting diagnostics..." - kubectl describe pytorchjob pytorch-simple -n $KF_PROFILE - kubectl get pods -n $KF_PROFILE -l training.kubeflow.org/job-name=pytorch-simple - kubectl get events -n $KF_PROFILE --sort-by=.metadata.creationTimestamp + kubectl describe pytorchjob pytorch-simple -n "$KF_PROFILE" + kubectl get pods -n "$KF_PROFILE" -l training.kubeflow.org/job-name=pytorch-simple + kubectl get events -n "$KF_PROFILE" --sort-by=.metadata.creationTimestamp exit 1 fi From 19deee73b807cd7dcc7eff3cd1e6e3e078cbd261 Mon Sep 17 00:00:00 2001 
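Review bot: The new poll loop in `tests/training_operator_test.sh` appears to treat the job as ready as soon as the condition type it reads is non-empty, so any first condition, including a failure condition, satisfies the wait, which is weaker than the `--for=condition=Created` it replaces; if the intent is specifically `Created`, compare the value, e.g. `if [[ "$pytorch_job_condition_type" == "Created" ]]; then`. The `for ((…))` header and the `kubectl get … jsonpath` assignment are garbled in this rendering (the loop bound and the command substitution are missing), so I am inferring the loop from the variable names and the original should be checked against the file. The `2>/dev/null || true` on the kubectl call is the right shape; the diagnostics in the timeout branch still lack it, as raised on the PATCH 10 hunk.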
From: abdullahpathan22 Date: Sun, 5 Apr 2026 16:19:45 +0530 Subject: [PATCH 14/17] fix(ci): fix failing katib, pipeline, and trainer tests - tests/training_operator_job.yaml, tests/katib_test.yaml: revert broken ghcr image to docker.io - tests/notebook.test.kubeflow-user-example.com.yaml: opt out of Istio sidecar injection to bypass PSS baseline NET_ADMIN rejection Signed-off-by: abdullahpathan22 --- tests/katib_test.yaml | 2 +- tests/notebook.test.kubeflow-user-example.com.yaml | 5 +++++ tests/training_operator_job.yaml | 4 ++-- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/tests/katib_test.yaml b/tests/katib_test.yaml index 697a56b819..20e700aa10 100644 --- a/tests/katib_test.yaml +++ b/tests/katib_test.yaml @@ -52,7 +52,7 @@ spec: type: RuntimeDefault containers: - name: training-container - image: ghcr.io/kubeflow/katib/pytorch-mnist-cpu:v0.19.0 + image: docker.io/kubeflowkatib/pytorch-mnist-cpu:latest securityContext: allowPrivilegeEscalation: false capabilities: diff --git a/tests/notebook.test.kubeflow-user-example.com.yaml b/tests/notebook.test.kubeflow-user-example.com.yaml index a5bf105f47..720eef7ac1 100644 --- a/tests/notebook.test.kubeflow-user-example.com.yaml +++ b/tests/notebook.test.kubeflow-user-example.com.yaml @@ -12,6 +12,11 @@ metadata: namespace: kubeflow-user-example-com spec: template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + labels: + sidecar.istio.io/inject: "false" spec: securityContext: runAsNonRoot: true diff --git a/tests/training_operator_job.yaml b/tests/training_operator_job.yaml index d0b32ffa1d..5beea4e9db 100644 --- a/tests/training_operator_job.yaml +++ b/tests/training_operator_job.yaml @@ -31,7 +31,7 @@ spec: - ALL runAsNonRoot: true runAsUser: 1000 - image: ghcr.io/kubeflow/katib/pytorch-mnist-cpu:v0.19.0 + image: docker.io/kubeflowkatib/pytorch-mnist-cpu:latest imagePullPolicy: Always command: - "python3" 
@@ -85,7 +85,7 @@ spec: - ALL runAsNonRoot: true runAsUser: 1000 - image: ghcr.io/kubeflow/katib/pytorch-mnist-cpu:v0.19.0 + image: docker.io/kubeflowkatib/pytorch-mnist-cpu:latest imagePullPolicy: Always command: - "python3" From 1c7c6d799385bcffa0b701688b63fb0f4c6b4c8a Mon Sep 17 00:00:00 2001 From: abdullahpathan22 Date: Sun, 5 Apr 2026 18:17:17 +0530 Subject: [PATCH 15/17] fix(tests): revert images to ghcr.io As per mentor feedback, we must avoid using docker.io and prefer ghcr.io for all container images in our manifests and tests. Signed-off-by: Abdullah Pathan Signed-off-by: abdullahpathan22 --- tests/katib_test.yaml | 2 +- tests/training_operator_job.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/katib_test.yaml b/tests/katib_test.yaml index 20e700aa10..697a56b819 100644 --- a/tests/katib_test.yaml +++ b/tests/katib_test.yaml @@ -52,7 +52,7 @@ spec: type: RuntimeDefault containers: - name: training-container - image: docker.io/kubeflowkatib/pytorch-mnist-cpu:latest + image: ghcr.io/kubeflow/katib/pytorch-mnist-cpu:v0.19.0 securityContext: allowPrivilegeEscalation: false capabilities: diff --git a/tests/training_operator_job.yaml b/tests/training_operator_job.yaml index 5beea4e9db..d0b32ffa1d 100644 --- a/tests/training_operator_job.yaml +++ b/tests/training_operator_job.yaml @@ -31,7 +31,7 @@ spec: - ALL runAsNonRoot: true runAsUser: 1000 - image: docker.io/kubeflowkatib/pytorch-mnist-cpu:latest + image: ghcr.io/kubeflow/katib/pytorch-mnist-cpu:v0.19.0 imagePullPolicy: Always command: - "python3" @@ -85,7 +85,7 @@ spec: - ALL runAsNonRoot: true runAsUser: 1000 - image: docker.io/kubeflowkatib/pytorch-mnist-cpu:latest + image: ghcr.io/kubeflow/katib/pytorch-mnist-cpu:v0.19.0 imagePullPolicy: Always command: - "python3" From 24e359f58e469755485af636f142702a42691ba1 Mon Sep 17 00:00:00 2001 
From: abdullahpathan22 Date: Mon, 6 Apr 2026 02:50:17 +0530 Subject: [PATCH 16/17] fix(ci): Resolve PSS Restricted CI failures across components * Add global container securityContext to Argo workflow controller * Ensure kubeflow-trainer-webhook-cert creates correctly bypassing type validation * Inject emptyDir mounts for PyTorch/Katib training pods to resolve Permission Denied errors * Ensure consistent PSS enforcement in local tests Signed-off-by: abdullahpathan22 --- .../katib-standalone/katib-config.yaml | 184 ++++++++++++++++++ .../katib-standalone/kustomization.yaml | 1 + .../workflow-controller-configmap-patch.yaml | 10 + .../profiles/pss/namespace-labels.yaml | 3 +- .../base/runtimes/torch_distributed.yaml | 14 ++ .../base/runtimes/xgboost_distributed.yaml | 14 ++ .../kubeflow-platform/kustomization.yaml | 2 +- .../overlays/manager/kustomization.yaml | 1 - tests/katib_test.yaml | 7 + tests/kubeflow_profile_install.sh | 18 +- tests/training_operator_job.yaml | 14 ++ tests/trainjob_test.yaml | 21 ++ 12 files changed, 284 insertions(+), 5 deletions(-) create mode 100644 tests/trainjob_test.yaml diff --git a/applications/katib/upstream/installs/katib-standalone/katib-config.yaml b/applications/katib/upstream/installs/katib-standalone/katib-config.yaml index 666fbc87f3..55fe20a586 100644 --- a/applications/katib/upstream/installs/katib-standalone/katib-config.yaml +++ b/applications/katib/upstream/installs/katib-standalone/katib-config.yaml @@ -5,6 +5,7 @@ init: enable: true controller: webhookPort: 8443 + injectSecurityContext: true trialResources: - TrainJob.v1alpha1.trainer.kubeflow.org - Job.v1.batch 
@@ -16,39 +17,209 @@ runtime: metricsCollectors: - kind: StdOut image: ghcr.io/kubeflow/katib/file-metrics-collector:v0.19.0 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + runAsUser: 1001 + seccompProfile: + type: RuntimeDefault - kind: File image: ghcr.io/kubeflow/katib/file-metrics-collector:v0.19.0 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + runAsUser: 1001 + seccompProfile: + type: RuntimeDefault - kind: TensorFlowEvent image: ghcr.io/kubeflow/katib/tfevent-metrics-collector:v0.19.0 resources: limits: memory: 1Gi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + runAsUser: 1001 + seccompProfile: + type: RuntimeDefault suggestions: - algorithmName: random image: ghcr.io/kubeflow/katib/suggestion-hyperopt:v0.19.0 + podSecurityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + runAsUser: 1001 + seccompProfile: + type: RuntimeDefault - algorithmName: tpe image: ghcr.io/kubeflow/katib/suggestion-hyperopt:v0.19.0 + podSecurityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + runAsUser: 1001 + seccompProfile: + type: RuntimeDefault - algorithmName: grid image: ghcr.io/kubeflow/katib/suggestion-optuna:v0.19.0 + podSecurityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + runAsUser: 1001 + seccompProfile: + type: RuntimeDefault - algorithmName: hyperband image: ghcr.io/kubeflow/katib/suggestion-hyperband:v0.19.0 + podSecurityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + 
securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + runAsUser: 1001 + seccompProfile: + type: RuntimeDefault - algorithmName: bayesianoptimization image: ghcr.io/kubeflow/katib/suggestion-skopt:v0.19.0 + podSecurityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + runAsUser: 1001 + seccompProfile: + type: RuntimeDefault - algorithmName: cmaes image: ghcr.io/kubeflow/katib/suggestion-goptuna:v0.19.0 + podSecurityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + runAsUser: 1001 + seccompProfile: + type: RuntimeDefault - algorithmName: sobol image: ghcr.io/kubeflow/katib/suggestion-goptuna:v0.19.0 + podSecurityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + runAsUser: 1001 + seccompProfile: + type: RuntimeDefault - algorithmName: multivariate-tpe image: ghcr.io/kubeflow/katib/suggestion-optuna:v0.19.0 + podSecurityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + runAsUser: 1001 + seccompProfile: + type: RuntimeDefault - algorithmName: enas image: ghcr.io/kubeflow/katib/suggestion-enas:v0.19.0 resources: limits: memory: 400Mi + podSecurityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + runAsUser: 1001 + seccompProfile: + type: RuntimeDefault - algorithmName: darts image: ghcr.io/kubeflow/katib/suggestion-darts:v0.19.0 + podSecurityContext: + runAsNonRoot: true + seccompProfile: 
+ type: RuntimeDefault + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + runAsUser: 1001 + seccompProfile: + type: RuntimeDefault - algorithmName: pbt image: ghcr.io/kubeflow/katib/suggestion-pbt:v0.19.0 + podSecurityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + runAsUser: 1001 + seccompProfile: + type: RuntimeDefault persistentVolumeClaimSpec: accessModes: - ReadWriteMany @@ -58,3 +229,16 @@ runtime: earlyStoppings: - algorithmName: medianstop image: ghcr.io/kubeflow/katib/earlystopping-medianstop:v0.19.0 + podSecurityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + runAsUser: 1001 + seccompProfile: + type: RuntimeDefault diff --git a/applications/katib/upstream/installs/katib-standalone/kustomization.yaml b/applications/katib/upstream/installs/katib-standalone/kustomization.yaml index 166c7bd002..72ecfee8bf 100644 --- a/applications/katib/upstream/installs/katib-standalone/kustomization.yaml +++ b/applications/katib/upstream/installs/katib-standalone/kustomization.yaml @@ -39,3 +39,4 @@ secretGenerator: - name: katib-webhook-cert options: disableNameSuffixHash: true + type: kubernetes.io/tls diff --git a/applications/pipeline/upstream/third-party/argo/base/workflow-controller-configmap-patch.yaml b/applications/pipeline/upstream/third-party/argo/base/workflow-controller-configmap-patch.yaml index 7294451962..4d526c9acb 100644 --- a/applications/pipeline/upstream/third-party/argo/base/workflow-controller-configmap-patch.yaml +++ b/applications/pipeline/upstream/third-party/argo/base/workflow-controller-configmap-patch.yaml 
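Review bot: The `securityContext`/`podSecurityContext` block added to each of the twelve suggestion, metrics-collector and early-stopping entries in `katib-config.yaml` is byte-for-byte identical, which makes future drift (one entry losing `allowPrivilegeEscalation: false`, say) easy to miss in review. If Katib's config loader accepts YAML anchors, which I cannot confirm from this page, a single `&restricted_container` anchor defined once and aliased per entry would keep the policy in one place; otherwise a comment at the top of `runtime:` stating that every entry must carry the restricted-profile block is the minimum. `runAsUser: 1001` here differs from the `runAsUser: 1000`/`fsGroup: 1000` that this series sets on trial pods in `tests/katib_test.yaml`; if the `File` collector reads the trial's output through a shared volume, that uid difference only works when the file is group- or world-readable, so the choice of 1001 should be documented or aligned.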
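Review bot: Setting `type: kubernetes.io/tls` on the `katib-webhook-cert` secretGenerator, which declares no `tls.crt`/`tls.key` entries in this hunk, may be rejected on apply, since the API server validates that a `kubernetes.io/tls` Secret carries both keys; whether it applies cleanly depends on whether something populates the data first, which I cannot see here. If the certificate is written later by a generator, a comment such as `# Empty at install time; tls.crt/tls.key are populated by the cert generator` next to the type would explain the shape. The trainer webhook secret in the `overlays/manager` hunk of this commit is not given the same type, so the two webhook secrets now differ.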
@@ -48,3 +48,13 @@ data: - ALL seccompProfile: type: RuntimeDefault + container: | + securityContext: + runAsNonRoot: true + runAsUser: 1000 + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault diff --git a/applications/profiles/pss/namespace-labels.yaml b/applications/profiles/pss/namespace-labels.yaml index 3d5339bd4d..7d1fc7d114 100644 --- a/applications/profiles/pss/namespace-labels.yaml +++ b/applications/profiles/pss/namespace-labels.yaml @@ -20,5 +20,4 @@ katib.kubeflow.org/metrics-collector-injection: "enabled" serving.kubeflow.org/inferenceservice: "enabled" pipelines.kubeflow.org/enabled: "true" app.kubernetes.io/part-of: "kubeflow-profile" -pod-security.kubernetes.io/enforce: "baseline" -pod-security.kubernetes.io/warn: "restricted" +pod-security.kubernetes.io/enforce: "restricted" diff --git a/applications/trainer/upstream/base/runtimes/torch_distributed.yaml b/applications/trainer/upstream/base/runtimes/torch_distributed.yaml index 86aa6b6a73..a19c257fbf 100644 --- a/applications/trainer/upstream/base/runtimes/torch_distributed.yaml +++ b/applications/trainer/upstream/base/runtimes/torch_distributed.yaml @@ -17,8 +17,22 @@ spec: labels: trainer.kubeflow.org/trainjob-ancestor-step: trainer spec: + securityContext: + runAsNonRoot: true + runAsUser: 1001 + seccompProfile: + type: RuntimeDefault template: spec: containers: - name: node image: pytorch/pytorch:2.10.0-cuda12.8-cudnn9-runtime + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + runAsUser: 1001 + seccompProfile: + type: RuntimeDefault diff --git a/applications/trainer/upstream/base/runtimes/xgboost_distributed.yaml b/applications/trainer/upstream/base/runtimes/xgboost_distributed.yaml index 9c1aa87087..706bf16f7c 100644 --- a/applications/trainer/upstream/base/runtimes/xgboost_distributed.yaml +++ b/applications/trainer/upstream/base/runtimes/xgboost_distributed.yaml 
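Review bot: The new `container: |` key in `workflow-controller-configmap-patch.yaml` should be checked against the Argo Workflows version in use: the documented per-container defaults are `executor` (the wait/init sidecar) and `mainContainer` (the user's step container), and I do not find a top-level `container` key, so as written it may be silently ignored and step pods would still fail PSS restricted. If the intent is a default securityContext for step containers, `mainContainer: |` is the key to confirm; if the pipelines fork of Argo defines `container`, a comment citing that would settle it. `runAsUser: 1000` here is also a fixed uid applied to every pipeline step image, which will break images built for a different non-root uid, so that trade-off deserves a comment.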
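Review bot: In `torch_distributed.yaml`, `runAsUser: 1001` is set both in the pod-level `securityContext` and again in the `node` container's `securityContext`; the container value overrides the pod value, so one is redundant and editing only one later leaves a misleading mismatch. Keeping `runAsUser`/`runAsNonRoot`/`seccompProfile` at pod level and only the container-only fields (`allowPrivilegeEscalation`, `capabilities`) in the container block is the usual split. The same duplication is in the `xgboost_distributed.yaml` hunk. Forcing uid 1001 on the `pytorch/pytorch` image also assumes that image has a writable home or cache directory for a non-root user, which nothing on this page verifies; a comment stating the assumption would help.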
@@ -17,8 +17,22 @@ spec: labels: trainer.kubeflow.org/trainjob-ancestor-step: trainer spec: + securityContext: + runAsNonRoot: true + runAsUser: 1001 + seccompProfile: + type: RuntimeDefault template: spec: containers: - name: node image: ghcr.io/kubeflow/trainer/xgboost-runtime:latest + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + runAsUser: 1001 + seccompProfile: + type: RuntimeDefault diff --git a/applications/trainer/upstream/overlays/kubeflow-platform/kustomization.yaml b/applications/trainer/upstream/overlays/kubeflow-platform/kustomization.yaml index 5f0da72126..b06a98c2f4 100644 --- a/applications/trainer/upstream/overlays/kubeflow-platform/kustomization.yaml +++ b/applications/trainer/upstream/overlays/kubeflow-platform/kustomization.yaml @@ -1,6 +1,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: kubeflow +namespace: kubeflow-system resources: - ../../overlays/manager - ../../overlays/runtimes diff --git a/applications/trainer/upstream/overlays/manager/kustomization.yaml b/applications/trainer/upstream/overlays/manager/kustomization.yaml index f5bd56ad32..f4ae643089 100644 --- a/applications/trainer/upstream/overlays/manager/kustomization.yaml +++ b/applications/trainer/upstream/overlays/manager/kustomization.yaml @@ -20,7 +20,6 @@ images: # Secret for the Kubeflow Training webhook. secretGenerator: - name: kubeflow-trainer-webhook-cert - namespace: kubeflow-system options: disableNameSuffixHash: true diff --git a/tests/katib_test.yaml b/tests/katib_test.yaml index 697a56b819..cc7f4b4f3d 100644 --- a/tests/katib_test.yaml +++ b/tests/katib_test.yaml @@ -46,6 +46,7 @@ spec: spec: securityContext: runAsNonRoot: true + runAsUser: 1000 runAsGroup: 1000 fsGroup: 1000 seccompProfile: 
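Review bot: Dropping `namespace: kubeflow-system` from the `kubeflow-trainer-webhook-cert` secretGenerator in `overlays/manager/kustomization.yaml` makes the Secret's namespace depend on whichever kustomization includes this overlay; the `kubeflow-platform` hunk above now sets `namespace: kubeflow-system`, so that path is consistent, but any other overlay including `overlays/manager` without a `namespace:` would generate the Secret in `default` while the webhook still expects it in its own namespace. A comment such as `# Namespace is inherited from the including overlay (kubeflow-system for the platform install)` next to the generator would record the dependency. The commit message's "bypassing type validation" is not explained by this hunk; if the explicit namespace caused a kustomize error, saying so in the comment would help.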
@@ -68,4 +69,10 @@ spec: - "--batch-size=16" - "--lr=${trialParameters.learningRate}" - "--momentum=${trialParameters.momentum}" + volumeMounts: + - mountPath: /opt/pytorch-mnist/data + name: data-dir restartPolicy: Never + volumes: + - name: data-dir + emptyDir: {} diff --git a/tests/kubeflow_profile_install.sh b/tests/kubeflow_profile_install.sh index 6d46841fff..c807430633 100755 --- a/tests/kubeflow_profile_install.sh +++ b/tests/kubeflow_profile_install.sh @@ -6,4 +6,20 @@ PROFILE_CONTROLLER_POD=$(kubectl get pods -n kubeflow -o json | jq -r '.items[] kubectl logs -n kubeflow "$PROFILE_CONTROLLER_POD" KF_PROFILE=kubeflow-user-example-com kubectl -n $KF_PROFILE get pods,configmaps,secrets -kubectl label namespace $KF_PROFILE pod-security.kubernetes.io/enforce=baseline pod-security.kubernetes.io/warn=restricted --overwrite + +echo "Verifying PSS Restricted enforcement on namespace $KF_PROFILE..." +# Profiles controller should automatically add the label via the 'pss' overlay +MAX_RETRIES=10 +for i in $(seq 1 $MAX_RETRIES); do + PSS_LABEL=$(kubectl get namespace "$KF_PROFILE" -o jsonpath='{.metadata.labels.pod-security\.kubernetes\.io/enforce}') + if [[ "$PSS_LABEL" == "restricted" ]]; then + echo "✅ Namespace $KF_PROFILE is correctly labeled as restricted." + exit 0 + fi + echo "Wait for Profiles controller to label the namespace (attempt $i/$MAX_RETRIES)..." + sleep 5 +done + +echo "❌ ERROR: Namespace $KF_PROFILE is NOT labeled as restricted." +kubectl get namespace "$KF_PROFILE" -o yaml +exit 1 diff --git a/tests/training_operator_job.yaml b/tests/training_operator_job.yaml index d0b32ffa1d..34d8dec664 100644 --- a/tests/training_operator_job.yaml +++ b/tests/training_operator_job.yaml @@ -18,6 +18,7 @@ spec: spec: securityContext: runAsNonRoot: true + runAsUser: 1000 runAsGroup: 1000 fsGroup: 1000 seccompProfile: 
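Review bot: `PSS_LABEL=$(kubectl get namespace "$KF_PROFILE" -o jsonpath=…)` inside the new retry loop of `tests/kubeflow_profile_install.sh` has no `|| true`; if this script runs with `set -e` (its header is outside the hunk), a transient API error on one attempt aborts the whole script instead of counting as a failed attempt, which defeats the retry. `PSS_LABEL=$(kubectl get namespace "$KF_PROFILE" -o jsonpath='{.metadata.labels.pod-security\.kubernetes\.io/enforce}' 2>/dev/null || true)` keeps the loop robust. Checking only the `enforce` label is consistent with the `namespace-labels.yaml` hunk of this commit, which drops `warn`; note that the `exit 0` on success means any step added below the loop later would never run, so a one-line comment there is worthwhile.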
@@ -60,6 +61,12 @@ spec: limits: memory: "1Gi" cpu: "4000m" + volumeMounts: + - mountPath: /opt/pytorch-mnist/data + name: data-dir + volumes: + - name: data-dir + emptyDir: {} Worker: replicas: 1 restartPolicy: OnFailure @@ -72,6 +79,7 @@ spec: spec: securityContext: runAsNonRoot: true + runAsUser: 1000 runAsGroup: 1000 fsGroup: 1000 seccompProfile: @@ -114,3 +122,9 @@ spec: limits: memory: "1Gi" cpu: "4000m" + volumeMounts: + - mountPath: /opt/pytorch-mnist/data + name: data-dir + volumes: + - name: data-dir + emptyDir: {} diff --git a/tests/trainjob_test.yaml b/tests/trainjob_test.yaml new file mode 100644 index 0000000000..bb8e0002d7 --- /dev/null +++ b/tests/trainjob_test.yaml @@ -0,0 +1,21 @@ +apiVersion: trainer.kubeflow.org/v1alpha1 +kind: TrainJob +metadata: + name: torch-simple +spec: + runtimeRef: + name: torch-distributed + trainer: + image: pytorch/pytorch:2.10.0-cuda12.8-cudnn9-runtime + command: + - "python3" + - "-c" + - "import torch; print(f\"CUDA available: {torch.cuda.is_available()}\")" + + resourcesPerNode: + requests: + cpu: "100m" + memory: "128Mi" + limits: + cpu: "1" + memory: "1Gi" From 15ae2aa5f547b4398173560ff7c2fca66409e426 Mon Sep 17 00:00:00 2001 From: abdullahpathan22 Date: Mon, 6 Apr 2026 12:02:44 +0530 Subject: [PATCH 17/17] fix(tests): Enhance katib_test.sh with extended timeouts and debug fallbacks * Increase experiment wait timeout to 300s to accommodate KinD networking * Implement debug traps and docker image pre-loading Signed-off-by: abdullahpathan22 --- tests/katib_test.sh | 37 +++++++++++++++++++++++++++++++------ 1 file changed, 31 insertions(+), 6 deletions(-) diff --git a/tests/katib_test.sh b/tests/katib_test.sh index cfc11fc901..f50d199271 100755 --- a/tests/katib_test.sh +++ b/tests/katib_test.sh 
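Review bot: The new `tests/trainjob_test.yaml` references `pytorch/pytorch:2.10.0-cuda12.8-cudnn9-runtime` with no registry, which resolves to docker.io, the registry PATCH 15 says the project must avoid, and it pulls a CUDA runtime image for a test that only prints `torch.cuda.is_available()` on a CPU-only CI cluster, so it is both off-policy and a large download on every run. A CPU-only image from ghcr.io pinned by digest (`image: <ghcr.io image>@sha256:<DIGEST-PLACEHOLDER>`) would fit the rest of the series. The TrainJob also carries no `securityContext` of its own and relies entirely on the defaults this commit adds to `torch_distributed.yaml`; a comment stating that dependency would keep the two files in step.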
@@ -2,11 +2,36 @@ set -euxo pipefail KF_PROFILE=${1:-kubeflow-user-example-com} +KIND_CLUSTER=${2:-kubeflow} + +function debug_on_failure { + echo "=== Test failed! Collecting debug info ===" + kubectl describe experiment -n "$KF_PROFILE" || true + kubectl describe trials -n "$KF_PROFILE" || true + kubectl get pods -n "$KF_PROFILE" || true + kubectl logs -n kubeflow -l katib.kubeflow.org/component=controller --tail=200 || true +} +trap debug_on_failure ERR + +# Pre-pull image to avoid CI wait time being consumed by image pulls +echo "Pre-pulling training image..." +if command -v docker &>/dev/null; then + docker pull ghcr.io/kubeflow/katib/pytorch-mnist-cpu:v0.19.0 || true + kind load docker-image ghcr.io/kubeflow/katib/pytorch-mnist-cpu:v0.19.0 \ + --name "$KIND_CLUSTER" || true +else + echo "Docker not available, skipping pre-pull" +fi kubectl apply -f tests/katib_test.yaml -kubectl wait --for=condition=Running experiments.kubeflow.org -n $KF_PROFILE --all --timeout=60s -echo "Waiting for all Trials to be Completed..." -kubectl wait --for=condition=Created trials.kubeflow.org -n $KF_PROFILE --all --timeout=60s -kubectl get trials.kubeflow.org -n $KF_PROFILE -kubectl wait --for=condition=Succeeded trials.kubeflow.org -n $KF_PROFILE --all --timeout 600s -kubectl get trials.kubeflow.org -n $KF_PROFILE + +echo "Waiting for experiment to reach Running state..." +kubectl wait --for=condition=Running experiments.kubeflow.org \ + -n "$KF_PROFILE" --all --timeout=300s + +echo "Waiting for trials to be Succeeded..." +kubectl wait --for=condition=Succeeded trials.kubeflow.org \ + -n "$KF_PROFILE" --all --timeout=600s + +kubectl get trials.kubeflow.org -n "$KF_PROFILE" +echo "Katib test passed!"
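Review bot: The pre-pull branch in `tests/katib_test.sh` guards only on `command -v docker` but then calls `kind load docker-image …`; when `kind` is absent the `|| true` hides the failure, so the "Pre-pulling training image..." log claims work that did not happen. Guarding on both, `if command -v docker &>/dev/null && command -v kind &>/dev/null; then`, with a distinct message in the else branch makes the skip visible. `trap debug_on_failure ERR` under `set -euxo pipefail` fires for the top-level `kubectl wait` calls, which is what matters here, but the trap does not propagate into functions or command substitutions without `set -E`, so adding `set -E` beside the existing options avoids a surprise when the script grows. Removing the `condition=Created` wait and the intermediate `kubectl get trials` drops the only checkpoint between Running and Succeeded; the new trap partly compensates, but a `kubectl get trials.kubeflow.org -n "$KF_PROFILE" || true` inside `debug_on_failure` would restore that view.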