This is a fork of the upstream Kubeflow repository's manifest folder. It contains customizations and modifications specific to deployment into K3S bare metal installation environment.
- The
kustomizebinary should be copied to the control plane node where thekubectlinstallation will be run. i.e. copy or symlink the binary to/usr/bin/kustomizeor/usr/local/bin/kustomize
- The standard nginx-controller manifests can be used. An example template for controller and ingress can be found in the
common/nginxpath - For TLS, create the certificate and key pair secret in the environment to enable HTTPS (e.g.
falkonry-tlsas defined in the example controller into the same namespace as the nginx ingress and istio gateway resources). A secret template is provided. Adjust any other nginx annotations as needed for your environment.
Alternative to the static local user credential scheme, you can use Github (or other IdP service) as your SSO identity provider. Configure the desired service overlay using one of the templates, e.g. common/dex/overlays/github. You can craft the config file manually and deploy/update the config resource, or use kustomize.
Your IT/Ops/DevOps team can provide the values needed for the OAuth application configurations.
kustomize build common/dex/overlays/github | kubectl apply -f -
The auth service config object needs to be patched if params weren't modified during original install. You can just update the configmap:
kubectl edit cm -n istio-system oidc-authservice-parameters
and update the OIDC_PROVIDER value to match the external URL you are using.
OIDC_PROVIDER: https://{{ YOUR DOMAIN }}/dex/
This repo is owned by the Manifests Working Group. If you are a contributor authoring or editing the packages please see Best Practices.
The Kubeflow Manifests repository is organized under three (3) main directories, which include manifests for installing:
| Directory | Purpose |
|---|---|
apps |
Kubeflow's official components, as maintained by the respective Kubeflow WGs |
common |
Common services, as maintained by the Manifests WG |
contrib |
3rd party contributed applications, which are maintained externally and are not part of a Kubeflow WG |
The distributions directory contains manifests for specific, opinionated distributions of Kubeflow, and will be phased out during the 1.4 release, since going forward distributions will maintain their manifests on their respective external repositories.
The docs, hack, and tests directories will also be gradually phased out.
Starting Kubeflow 1.3, all components should be deployable using kustomize only. Any automation tooling for deployment on top of the manifests should be maintained externally by distribution owners.
This repo periodically syncs all official Kubeflow components from their respective upstream repos. The following matrix shows the git version that we include for each component:
| Component | Local Manifests Path | Upstream Revision |
|---|---|---|
| TFJob Operator | apps/tf-training/upstream | v1.1.0 |
| PyTorch Operator | apps/pytorch-job/upstream | v0.7.0 |
| MPI Operator | apps/mpi-job/upstream | b367aa55886d2b042f5089df359d8e067e49e8d1 |
| MXNet Operator | apps/mxnet-job/upstream | v1.1.0 |
| XGBoost Operator | apps/xgboost-job/upstream | v0.2.0 |
| Notebook Controller | apps/jupyter/notebook-controller/upstream | v1.3.1-rc.0 |
| Tensorboard Controller | apps/tensorboard/tensorboard-controller/upstream | v1.3.1-rc.0 |
| Central Dashboard | apps/centraldashboard/upstream | v1.3.1-rc.0 |
| Profiles + KFAM | apps/profiles/upstream | v1.3.1-rc.0 |
| PodDefaults Webhook | apps/admission-webhook/upstream | v1.3.1-rc.0 |
| Jupyter Web App | apps/jupyter/jupyter-web-app/upstream | v1.3.1-rc.0 |
| Tensorboards Web App | apps/tensorboard/tensorboards-web-app/upstream | v1.3.1-rc.0 |
| Volumes Web App | apps/volumes-web-app/upstream | v1.3.1-rc.0 |
| Katib | apps/katib/upstream | v0.11.1 |
| KFServing | apps/kfserving/upstream | e189a510121c09f764f749143b80f6ee6baaf48b (release-0.5) |
| Kubeflow Pipelines | apps/pipeline/upstream | 1.5.1 |
| Kubeflow Tekton Pipelines | apps/kfp-tekton/upstream | v0.8.0 |
Starting Kubeflow 1.3, the Manifests WG provides two options for installing Kubeflow official components and common services with kustomize. The aim is to help end users install easily and to help distribution owners build their opinionated distributions from a tested starting point:
- Single-command installation of all components under
appsandcommon - Multi-command, individual components installation for
appsandcommon
Option 1 targets ease of deployment for end users.
Option 2 targets customization and ability to pick and choose individual components.
The example directory contains an example kustomization for the single command to be able to run.
user@example.com) and password (12341234). For any production Kubeflow deployment, you should change the default password by following the relevant section.
Kubernetes(tested with version1.17) with a default StorageClasskustomize(version3.2.0) (download link)⚠️ Kubeflow 1.3.0 is not compatible with the latest versions of of kustomize 4.x. This is due to changes in the order resources are sorted and printed. Please see kubernetes-sigs/kustomize#3794 and kubeflow/manifests#1797. We know this is not ideal and are working with the upstream kustomize team to add support for the latest versions of kustomize as soon as we can.
kubectl
NOTE
kubectl apply commands may fail on the first try. This is inherent in how Kubernetes and kubectl work (e.g., CR must be created after CRD becomes ready). The solution is to simply re-run the command until it succeeds. For the single-line command, we have included a bash one-liner to retry the command.
You can install all Kubeflow official components (residing under apps) and all common services (residing under common) using the following command:
while ! kustomize build example | kubectl apply -f -; do echo "Retrying to apply resources"; sleep 10; doneOnce, everything is installed successfully, you can access the Kubeflow Central Dashboard by logging in to your cluster.
Congratulations! You can now start experimenting and running your end-to-end ML workflows with Kubeflow.
In this section, we will install each Kubeflow official component (under apps) and each common service (under common) separately, using just kubectl and kustomize.
If all the following commands are executed, the result is the same as in the above section of the single command installation. The purpose of this section is to:
- Provide a description of each component and insight on how it gets installed.
- Enable the user or distribution owner to pick and choose only the components they need.
cert-manager is used by many Kubeflow components to provide certificates for admission webhooks.
Install cert-manager:
kustomize build common/cert-manager/cert-manager/base | kubectl apply -f -
kustomize build common/cert-manager/kubeflow-issuer/base | kubectl apply -f -Istio is used by many Kubeflow components to secure their traffic, enforce network authorization and implement routing policies.
Install Istio:
kustomize build common/istio-1-9/istio-crds/base | kubectl apply -f -
kustomize build common/istio-1-9/istio-namespace/base | kubectl apply -f -
kustomize build common/istio-1-9/istio-install/base | kubectl apply -f -Dex is an OpenID Connect Identity (OIDC) with multiple authentication backends. In this default installation, it includes a static user with email user@example.com. By default, the user's password is 12341234. For any production Kubeflow deployment, you should change the default password by following the relevant section.
Install Dex:
kustomize build common/dex/overlays/istio | kubectl apply -f -The OIDC AuthService extends your Istio Ingress-Gateway capabilities, to be able to function as an OIDC client:
kustomize build common/oidc-authservice/base | kubectl apply -f -Knative is used by the KFServing official Kubeflow component.
Install Knative Serving:
kustomize build common/knative/knative-serving/base | kubectl apply -f -
kustomize build common/istio-1-9/cluster-local-gateway/base | kubectl apply -f -Optionally, you can install Knative Eventing which can be used for inference request logging:
kustomize build common/knative/knative-eventing/base | kubectl apply -f -Create the namespace where the Kubeflow components will live in. This namespace
is named kubeflow.
Install kubeflow namespace:
kustomize build common/kubeflow-namespace/base | kubectl apply -f -Create the Kubeflow ClusterRoles, kubeflow-view, kubeflow-edit and
kubeflow-admin. Kubeflow components aggregate permissions to these
ClusterRoles.
Install kubeflow roles:
kustomize build common/kubeflow-roles/base | kubectl apply -f -Create the Istio resources needed by Kubeflow. This kustomization currently
creates an Istio Gateway named kubeflow-gateway, in namespace kubeflow.
If you want to install with your own Istio, then you need this kustomization as
well.
Install istio resources:
kustomize build common/istio-1-9/kubeflow-istio-resources/base | kubectl apply -f -Install the Multi-User Kubeflow Pipelines official Kubeflow component:
kustomize build apps/pipeline/upstream/env/platform-agnostic-multi-user | kubectl apply -f -If your container runtime is not docker, use pns executor instead:
kustomize build apps/pipeline/upstream/env/platform-agnostic-multi-user-pns | kubectl apply -f -Refer to argo workflow executor documentation for their pros and cons.
Multi-User Kubeflow Pipelines dependencies
- Istio + Kubeflow Istio Resources
- Kubeflow Roles
- OIDC Auth Service (or cloud provider specific auth service)
- Profiles + KFAM
Alternative: Kubeflow Pipelines Standalone
You can install Kubeflow Pipelines Standalone which
- does not support multi user separation
- has no dependencies on the other services mentioned here
You can learn more about their differences in Installation Options for Kubeflow Pipelines .
Besides installation instructions in Kubeflow Pipelines Standalone documentation, you need to apply two virtual services to expose Kubeflow Pipelines UI and Metadata API in kubeflow-gateway.
Install the KFServing official Kubeflow component:
kustomize build apps/kfserving/upstream/overlays/kubeflow | kubectl apply -f -Install the Katib official Kubeflow component:
kustomize build apps/katib/upstream/installs/katib-with-kubeflow | kubectl apply -f -Install the Central Dashboard official Kubeflow component:
kustomize build apps/centraldashboard/upstream/overlays/istio | kubectl apply -f -Install the Admission Webhook for PodDefaults:
kustomize build apps/admission-webhook/upstream/overlays/cert-manager | kubectl apply -f -Install the Notebook Controller official Kubeflow component:
kustomize build apps/jupyter/notebook-controller/upstream/overlays/kubeflow | kubectl apply -f -Install the Jupyter Web App official Kubeflow component:
kustomize build apps/jupyter/jupyter-web-app/upstream/overlays/istio | kubectl apply -f -Install the Profile Controller and the Kubeflow Access-Management (KFAM) official Kubeflow components:
kustomize build apps/profiles/upstream/overlays/kubeflow | kubectl apply -f -Install the Volumes Web App official Kubeflow component:
kustomize build apps/volumes-web-app/upstream/overlays/istio | kubectl apply -f -Install the Tensorboards Web App official Kubeflow component:
kustomize build apps/tensorboard/tensorboards-web-app/upstream/overlays/istio | kubectl apply -f -Install the Tensorboard Controller official Kubeflow component:
kustomize build apps/tensorboard/tensorboard-controller/upstream/overlays/kubeflow | kubectl apply -f -Install the TFJob Operator official Kubeflow component:
kustomize build apps/tf-training/upstream/overlays/kubeflow | kubectl apply -f -Install the PyTorch Operator official Kubeflow component:
kustomize build apps/pytorch-job/upstream/overlays/kubeflow | kubectl apply -f -Install the MPI Operator official Kubeflow component:
kustomize build apps/mpi-job/upstream/overlays/kubeflow | kubectl apply -f -Install the MXNet Operator official Kubeflow component:
kustomize build apps/mxnet-job/upstream/overlays/kubeflow | kubectl apply -f -Install the XGBoost Operator official Kubeflow component:
kustomize build apps/xgboost-job/upstream/overlays/kubeflow | kubectl apply -f -Finally, create a new namespace for the the default user (named kubeflow-user-example-com).
kustomize build common/user-namespace/base | kubectl apply -f -After installation, it will take some time for all Pods to become ready. Make sure all Pods are ready before trying to connect, otherwise you might get unexpected errors. To check that all Kubeflow-related Pods are ready, use the following commands:
kubectl get pods -n cert-manager
kubectl get pods -n istio-system
kubectl get pods -n auth
kubectl get pods -n knative-eventing
kubectl get pods -n knative-serving
kubectl get pods -n kubeflow
kubectl get pods -n kubeflow-user-example-comThe default way of accessing Kubeflow is via port-forward. This enables you to get started quickly without imposing any requirements on your environment. Run the following to port-forward Istio's Ingress-Gateway to local port 8080:
kubectl port-forward svc/istio-ingressgateway -n istio-system 8080:80After running the command, you can access the Kubeflow Central Dashboard by doing the following:
- Open your browser and visit
http://localhost:8080. You should get the Dex login screen. - Login with the default user's credential. The default email address is
user@example.comand the default password is12341234.
In order to connect to Kubeflow using NodePort / LoadBalancer / Ingress, you need to setup HTTPS. The reason is that many of our web apps (e.g., Tensorboard Web App, Jupyter Web App, Katib UI) use Secure Cookies, so accessing Kubeflow with HTTP over a non-localhost domain does not work.
Exposing your Kubeflow cluster with proper HTTPS is a process heavily dependent on your environment. For this reason, please take a look at the available Kubeflow distributions, which are targeted to specific environments, and select the one that fits your needs.
NOTE
If you absolutely need to expose Kubeflow over HTTP, you can disable the Secure Cookies feature by setting the APP_SECURE_COOKIES environment variable to false in every relevant web app. This is not recommended, as it poses security risks.
For security reasons, we don't want to use the default password for the default Kubeflow user when installing in security-sensitive environments. Instead, you should define your own password before deploying. To define a password for the default user:
-
Pick a password for the default user, with email
user@example.com, and hash it usingbcrypt:python3 -c 'from passlib.hash import bcrypt; import getpass; print(bcrypt.using(rounds=12, ident="2y").hash(getpass.getpass()))' -
Edit
dex/base/config-map.yamland fill the relevant field with the hash of the password you chose:... staticPasswords: - email: user@example.com hash: <enter the generated hash here>
-
Q: What versions of Istio, Knative, Cert-Manager, Argo, ... are compatible with Kubeflow 1.3?
A: Please refer to each individual component's documentation for a dependency compatibility range. For Istio, Knative, Dex, Cert-Manager and OIDC-AuthService, the versions incommonare the ones we have validated. -
Q: Can I use the latest Kustomize version (
v4.x)?
A: Kubeflow 1.3.0 is not compatible with the latest versions of of kustomize 4.x. This is due to changes in the order resources are sorted and printed. Please see kubernetes-sigs/kustomize#3794 and kubeflow/manifests#1797. We know this is not ideal and are working with the upstream kustomize team to add support for the latest versions of kustomize as soon as we can.