From 8401db53d63f001884f9243ddfc4ee5fc91b11c5 Mon Sep 17 00:00:00 2001
From: Matteo Mortari
Date: Mon, 17 Feb 2025 09:02:40 +0100
Subject: [PATCH] Synchronize kubeflow model registry manifests v0.2.14 (#2998)

* script: make script BSD-compatible (MacOSX)
Signed-off-by: tarilabs
* Update kubeflow/model-registry manifests from v0.2.14
Signed-off-by: tarilabs
---------
Signed-off-by: tarilabs
---
 README.md | 2 +-
 apps/model-registry/upstream/README.md | 35 +++++++++++++++----
 .../upstream/base/kustomization.yaml | 2 +-
 .../base/model-registry-deployment.yaml | 16 +++++++++
 .../upstream/options/csi/kustomization.yaml | 2 +-
 .../options/ui/base/kustomization.yaml | 2 +-
 .../ui/base/model-registry-ui-deployment.yaml | 9 +++++
 .../ui/overlays/istio/kustomization.yaml | 2 ++
 .../db/model-registry-db-deployment.yaml | 11 ++++++
 .../overlays/postgres/kustomization.yaml | 6 ++--
 .../model-registry-db-deployment.yaml | 16 +++++++--
 .../patches/model-registry-deployment.yaml | 4 +--
 hack/synchronize-model-registry-manifests.sh | 4 +--
 13 files changed, 91 insertions(+), 20 deletions(-)
diff --git a/README.md b/README.md
index 053e7a9454..6f6ec2556a 100644
--- a/README.md
+++ b/README.md
@@ -58,7 +58,7 @@ This repo periodically syncs all official Kubeflow components from their respect | KServe | contrib/kserve/kserve | [v0.14.1](https://github.com/kserve/kserve/releases/tag/v0.14.1/install/v0.14.1) | | KServe Models Web App | contrib/kserve/models-web-app | [0.13.0](https://github.com/kserve/models-web-app/tree/0.13.0/config) | | Kubeflow Pipelines | apps/pipeline/upstream | [2.4.0](https://github.com/kubeflow/pipelines/tree/2.4.0/manifests/kustomize) | -| Kubeflow Model Registry | apps/model-registry/upstream | [v0.2.12](https://github.com/kubeflow/model-registry/tree/v0.2.12/manifests/kustomize) | +| Kubeflow Model Registry | apps/model-registry/upstream | [v0.2.14](https://github.com/kubeflow/model-registry/tree/v0.2.14/manifests/kustomize) | The following is also a matrix with versions from common components that are used from the different projects of Kubeflow: diff --git a/apps/model-registry/upstream/README.md b/apps/model-registry/upstream/README.md index a931e56864..09e6f85124 100644 --- a/apps/model-registry/upstream/README.md +++ b/apps/model-registry/upstream/README.md 
@@ -44,22 +44,45 @@ curl -sX 'GET' \ There are two main ways to deploy the Model Registry UI: -1. Standalone mode - Use this if you are using Model Registry without the Kubeflow Platform +1. Standalone mode - Use this if you are using Model Registry without the Kubeflow Platform (**Note: You will need a custom standalone image**) 2. Integrated mode - Use this if you are deploying Model Registry in Kubeflow -For a standalone install run the following command: +For a standalone install, we recommend following the [Model Registry UI standalone deployment documentation](../../clients/ui/docs/local-deployment-guide-ui.md). + +For an integrated install use the kubeflow UI overlay: ```bash -kubectl apply -k options/ui/overlays/standalone -n kubeflow +kubectl apply -k options/ui/overlays/istio -n kubeflow ``` -For an integrated install use the istio UI overlay: +To make Model Registry UI accessible from the Kubeflow UI, you need to add the following to your Kubeflow UI configmap: ```bash -kubectl apply -k options/ui/overlays/istio -n kubeflow +kubectl edit configmap -n kubeflow centraldashboard-config +``` + +```yaml +apiVersion: v1 +data: + links: |- + { + "menuLinks": [ + { + "icon": "assignment", + "link": "/model-registry/", + "text": "Model Registry", + "type": "item" + }, + ... ``` +Or you can add it in one line with: + +```bash +kubectl get configmap centraldashboard-config -n kubeflow -o json | jq '.data.links |= (fromjson | .menuLinks += [{"icon": "assignment", "link": "/model-registry/", "text": "Model Registry", "type": "item"}] | tojson)' | kubectl apply -f - -n kubeflow +```` + ## Usage For a basic usage of the Kubeflow Model Registry, follow the [Kubeflow Model Registry getting started documentation](https://www.kubeflow.org/docs/components/model-registry/getting-started/) @@ -74,4 +97,4 @@ kubectl delete -k options/istio # Delete model registry db and deployment kubectl delete -k overlays/db -``` \ No newline at end of file +``` 
diff --git a/apps/model-registry/upstream/base/kustomization.yaml b/apps/model-registry/upstream/base/kustomization.yaml index 6f7da07810..85daa76f3e 100644 --- a/apps/model-registry/upstream/base/kustomization.yaml +++ b/apps/model-registry/upstream/base/kustomization.yaml @@ -8,4 +8,4 @@ resources: images: - name: kubeflow/model-registry newName: kubeflow/model-registry - newTag: v0.2.13 + newTag: v0.2.14 diff --git a/apps/model-registry/upstream/base/model-registry-deployment.yaml b/apps/model-registry/upstream/base/model-registry-deployment.yaml index 8a5bbfbf2a..be6503d519 100644 --- a/apps/model-registry/upstream/base/model-registry-deployment.yaml +++ b/apps/model-registry/upstream/base/model-registry-deployment.yaml @@ -16,6 +16,10 @@ spec: labels: component: model-registry-server spec: + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true containers: - name: rest-container args: @@ -44,6 +48,11 @@ spec: tcpSocket: port: http-api timeoutSeconds: 2 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL - name: grpc-container # ! Sync to the same MLMD version: # * backend/metadata_writer/requirements.in and requirements.txt @@ -102,4 +111,11 @@ spec: initialDelaySeconds: 3 periodSeconds: 5 timeoutSeconds: 2 + securityContext: + runAsUser: 65534 + runAsGroup: 65534 + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL serviceAccountName: model-registry-server diff --git a/apps/model-registry/upstream/options/csi/kustomization.yaml b/apps/model-registry/upstream/options/csi/kustomization.yaml index ace184ef2b..3b1fcc736a 100644 --- a/apps/model-registry/upstream/options/csi/kustomization.yaml +++ b/apps/model-registry/upstream/options/csi/kustomization.yaml @@ -7,4 +7,4 @@ resources: images: - name: kubeflow/model-registry-storage-initializer newName: kubeflow/model-registry-storage-initializer - newTag: v0.2.13 + newTag: v0.2.14 
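Review bot: In base/model-registry-deployment.yaml the new `securityContext` on `rest-container` sets no `runAsUser`, while `grpc-container` pins `runAsUser: 65534`. With the pod-level `runAsNonRoot: true`, the kubelet will refuse to start `rest-container` unless its image declares a numeric non-root user. The image metadata is not visible in the diff, so either confirm that or give `rest-container` an explicit `runAsUser`/`runAsGroup` as well. The `model-registry-ui` container in options/ui/base/model-registry-ui-deployment.yaml has the same gap. None of the containers sets `readOnlyRootFilesystem: true`, which would be worth adding wherever the process does not write to the image filesystem; the container specs continue outside the hunks.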
diff --git a/apps/model-registry/upstream/options/ui/base/kustomization.yaml b/apps/model-registry/upstream/options/ui/base/kustomization.yaml index 03230eb6c2..64e161d79f 100644 --- a/apps/model-registry/upstream/options/ui/base/kustomization.yaml +++ b/apps/model-registry/upstream/options/ui/base/kustomization.yaml @@ -10,4 +10,4 @@ resources: images: - name: model-registry-ui-image newName: docker.io/kubeflow/model-registry-ui - newTag: latest + newTag: v0.2.14 diff --git a/apps/model-registry/upstream/options/ui/base/model-registry-ui-deployment.yaml b/apps/model-registry/upstream/options/ui/base/model-registry-ui-deployment.yaml index 41e1aa4560..0c051cf294 100644 --- a/apps/model-registry/upstream/options/ui/base/model-registry-ui-deployment.yaml +++ b/apps/model-registry/upstream/options/ui/base/model-registry-ui-deployment.yaml @@ -15,6 +15,10 @@ spec: app: model-registry-ui spec: serviceAccountName: model-registry-ui + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true containers: - name: model-registry-ui image: model-registry-ui-image @@ -51,3 +55,8 @@ spec: - containerPort: 8080 args: - "--port=8080" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL diff --git a/apps/model-registry/upstream/options/ui/overlays/istio/kustomization.yaml b/apps/model-registry/upstream/options/ui/overlays/istio/kustomization.yaml index c549862432..c0f6f8fed4 100644 --- a/apps/model-registry/upstream/options/ui/overlays/istio/kustomization.yaml +++ b/apps/model-registry/upstream/options/ui/overlays/istio/kustomization.yaml @@ -13,3 +13,5 @@ patches: version: v1 kind: Service name: model-registry-ui-service + +namespace: kubeflow \ No newline at end of file diff --git a/apps/model-registry/upstream/overlays/db/model-registry-db-deployment.yaml b/apps/model-registry/upstream/overlays/db/model-registry-db-deployment.yaml index 8303fb1316..3d0affb6b6 100644 
--- a/apps/model-registry/upstream/overlays/db/model-registry-db-deployment.yaml +++ b/apps/model-registry/upstream/overlays/db/model-registry-db-deployment.yaml @@ -19,6 +19,10 @@ spec: annotations: sidecar.istio.io/inject: "false" spec: + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true containers: - name: db-container image: mysql:8.3.0 @@ -46,6 +50,13 @@ spec: volumeMounts: - name: metadata-mysql mountPath: /var/lib/mysql + securityContext: + runAsUser: 999 + runAsGroup: 999 + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL volumes: - name: metadata-mysql persistentVolumeClaim: diff --git a/apps/model-registry/upstream/overlays/postgres/kustomization.yaml b/apps/model-registry/upstream/overlays/postgres/kustomization.yaml index e52acd8e93..6a3822d8b0 100644 --- a/apps/model-registry/upstream/overlays/postgres/kustomization.yaml +++ b/apps/model-registry/upstream/overlays/postgres/kustomization.yaml @@ -13,11 +13,11 @@ patchesStrategicMerge: - patches/model-registry-deployment.yaml configMapGenerator: -- name: metadata-postgres-db-parameters +- name: metadata-registry-db-parameters envs: - params.env secretGenerator: -- name: metadata-postgres-db-secrets +- name: metadata-registry-db-secrets envs: - secrets.env generatorOptions: @@ -39,7 +39,7 @@ vars: - name: POSTGRES_PORT objref: kind: ConfigMap - name: model-registry-db-parameters + name: metadata-registry-db-parameters apiVersion: v1 fieldref: fieldpath: data.POSTGRES_PORT diff --git a/apps/model-registry/upstream/overlays/postgres/model-registry-db-deployment.yaml b/apps/model-registry/upstream/overlays/postgres/model-registry-db-deployment.yaml index 061d109e1e..5851fc6b18 100644 --- a/apps/model-registry/upstream/overlays/postgres/model-registry-db-deployment.yaml +++ b/apps/model-registry/upstream/overlays/postgres/model-registry-db-deployment.yaml 
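Review bot: In overlays/db/model-registry-db-deployment.yaml, `db-container` now runs as `runAsUser: 999` against the `metadata-mysql` volume, but the pod-level `securityContext` added in the first hunk sets no `fsGroup`. A container that starts as non-root presumably can no longer fix ownership of /var/lib/mysql itself, so on a volume provisioned as root-owned the server may fail to initialise or open its data directory. Consider adding `fsGroup: 999` next to `runAsNonRoot: true`, and test the upgrade path against an existing PersistentVolumeClaim as well as a fresh one.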
@@ -19,6 +19,10 @@ spec: annotations: sidecar.istio.io/inject: "false" spec: + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true containers: - name: db-container image: postgres @@ -27,17 +31,23 @@ spec: value: /var/lib/postgresql/data/pgdata envFrom: - configMapRef: - name: metadata-postgres-db-parameters + name: metadata-registry-db-parameters - secretRef: - name: metadata-postgres-db-secrets + name: metadata-registry-db-secrets ports: - name: postgres containerPort: 5432 volumeMounts: - name: metadata-postgres mountPath: /var/lib/postgresql/data + securityContext: + runAsUser: 70 + runAsGroup: 70 + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL volumes: - name: metadata-postgres persistentVolumeClaim: claimName: metadata-postgres - diff --git a/apps/model-registry/upstream/overlays/postgres/patches/model-registry-deployment.yaml b/apps/model-registry/upstream/overlays/postgres/patches/model-registry-deployment.yaml index 0f8fdbd097..9844feaaef 100644 --- a/apps/model-registry/upstream/overlays/postgres/patches/model-registry-deployment.yaml +++ b/apps/model-registry/upstream/overlays/postgres/patches/model-registry-deployment.yaml @@ -16,9 +16,9 @@ spec: - $patch: replace envFrom: - configMapRef: - name: metadata-postgres-db-parameters + name: metadata-registry-db-parameters - secretRef: - name: metadata-postgres-db-secrets + name: metadata-registry-db-secrets - configMapRef: name: model-registry-configmap args: ["--grpc_port=$(MODEL_REGISTRY_GRPC_SERVICE_PORT)", diff --git a/hack/synchronize-model-registry-manifests.sh b/hack/synchronize-model-registry-manifests.sh index 87b008444b..afcae5c00e 100755 --- a/hack/synchronize-model-registry-manifests.sh +++ b/hack/synchronize-model-registry-manifests.sh 
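Review bot: In overlays/postgres/model-registry-db-deployment.yaml the hard-coded `runAsUser: 70` / `runAsGroup: 70` does not obviously match the untagged `image: postgres` on the context line above. As far as I know UID 70 is the postgres user of the Alpine variant, while the default Debian-based image uses 999, so a data directory initialised under the old settings may be unreadable to the process after this change. Pin the image to an explicit tag or digest whose postgres UID is known, and add a pod-level `fsGroup` matching that UID so the `metadata-postgres` volume stays writable. The floating tag also lets the PostgreSQL major version change underneath an existing PGDATA.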
@@ -65,7 +65,7 @@ if [ -d "$DST_DIR" ]; then rm -r "$DST_DIR" fi mkdir -p $DST_DIR -cp $SRC_DIR/model-registry/manifests/kustomize/* $DST_DIR -r +cp -r "$SRC_DIR/model-registry/manifests/kustomize/"* "$DST_DIR" echo "Successfully copied all manifests." @@ -73,7 +73,7 @@ echo "Updating README..." SRC_TXT="\[.*\](https://github.com/kubeflow/model-registry/tree/.*/manifests/kustomize)" DST_TXT="\[$COMMIT\](https://github.com/kubeflow/model-registry/tree/$COMMIT/manifests/kustomize)" -sed -i "s|$SRC_TXT|$DST_TXT|g" ${MANIFESTS_DIR}/README.md +sed -i "" "s|$SRC_TXT|$DST_TXT|g" "${MANIFESTS_DIR}/README.md" echo "Committing the changes..." cd $MANIFESTS_DIR
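Review bot: The rewritten `sed -i "" "s|…|g" …` in the second hunk is BSD-only: GNU sed takes the empty string as the script and then treats the `s|…|` expression as an input file, so on Linux the README link is not updated. A form both implementations accept attaches a suffix to `-i` and removes the backup afterwards: `sed -i.bak "s|$SRC_TXT|$DST_TXT|g" "${MANIFESTS_DIR}/README.md" && rm "${MANIFESTS_DIR}/README.md.bak"`. `$COMMIT` is also interpolated unescaped into the replacement, so a value containing `|` or `&` would alter the expression; checking that it looks like a tag or hash before use would be safer. `mkdir -p $DST_DIR` and `cd $MANIFESTS_DIR` on the context lines remain unquoted.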