proposal: Guidelines for /contrib components #2286
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: kimwnasptd The full list of commands accepted by this bot can be found here. The pull request process is described here
/hold
0fa0e14 to 9677d1d
Create an initial proposal regarding the expectations we should have around the components in /contrib as well as a deprecation plan for unmaintained components. Signed-off-by: Kimonas Sotirchos <[email protected]>
9677d1d to e18e446
I think "The K8s version and KF component versions that the component needs" is not always needed and can be used as an excuse to not maintain stuff. We should expect also /contrib to work with the recent Kubeflow version. So if you remove everything that has not been touched for 2 years and is most likely broken, you get
@sylus seems to have interest in upgrading seldon according to #2207 (comment)
Signed-off-by: Kimonas Sotirchos <[email protected]>
Signed-off-by: Kimonas Sotirchos <[email protected]>
Signed-off-by: Kimonas Sotirchos <[email protected]>
cfb01f9 to 7227249
Signed-off-by: Kimonas Sotirchos <[email protected]>
@kimwnasptd we have two related sessions at the Kubeflow Summit on Day 2, 1:00 pm - 1:30 pm - Manifests, and
@kimwnasptd I like this proposal. Some comments in the Component Requirements section. Should we consider enhancing item 3. to include the need for a test plan and a verification that it has been executed for the latest release? Should there be an item 5 that would address how users might get support i.e. via a Kubeflow slack channel?
Yes, this can definitely be a topic to go through as well as how to make it easier for new components to integrate with Kubeflow.
That's a pretty good suggestion actually, to expect a series of steps [can later become a script], that we can use to validate a component is working as expected. This also links to what @annajung proposed above https://github.com//pull/2286#discussion_r981484770 I'll add a new bullet for testing that asks maintainers to provide:
I think there's no need for this one. As long as the OWNERS file is up to date we can expect issues to be opened and we can ping the maintainers in these issues.
Signed-off-by: Kimonas Sotirchos <[email protected]>
At this point I believe we've addressed all the provided feedback. Also thank you everyone for your valuable input! I think the documented requirements will really help ensure our components will be able to stand the test of time. Next work items here will be to expose more documentation on what are the actual technical details for a component to be "integrated" with the rest of the KF components. I.e.
I'll keep this PR open for 2 more days to see if we'll have any last feedback and then I'll merge the PR. Thank you for your time everyone!
Yes, definitely no root containers / runasnonroot. They must run with the official kubernetes podsecuritystandards restricted set https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted. That is currently the case if you use istio-cni and all other official components. I worked over the last two years with almost all WGs to make this possible. Only this enables us to significantly harden Kubeflow in the future and make it ready for enterprise consumption.
@kimwnasptd https://kubernetes.io/docs/concepts/workloads/pods/user-namespaces/ will be incredibly exciting. I am still discussing with security researchers, but it could once and for all remove the runasnonroot problem. The PVC support will come in the future https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/127-user-namespaces/README.md#phase-2-pods-with-volumes. But then in around a year, when modern distributions are using that, we could at least consider runasnonroot exceptions e.g. for MLflow from infinstor in the Kubeflow profile namespaces. Maybe I will use kyverno then and add two policies into contrib: The official restricted PSS and another one which allows root (not privileged) and enforces hostUsers=false.
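The two policy profiles described in the comment above, sketched as an added example (not part of this PR, the Kubeflow manifests, or any Kyverno policy): a Python check over Pod specs covering a subset of the restricted Pod Security Standard, plus a second profile that tolerates UID 0 only with `hostUsers: false`. The profile names, the function `violations` and the sample specs are assumptions constructed for illustration; the relaxed profile is assumed to keep every restricted check other than the non-root ones.

```python
# Added example: checks Pod specs (plain dicts) against two policy profiles.
# Only a subset of the restricted Pod Security Standard controls is covered.

def _containers(spec):
    # Regular, init and ephemeral containers are all subject to the checks.
    for key in ("containers", "initContainers", "ephemeralContainers"):
        yield from spec.get(key) or []

def violations(spec, profile="restricted"):
    """Return findings for profile 'restricted' or 'userns-root' (hypothetical names)."""
    out = []
    pod_sc = spec.get("securityContext") or {}
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            out.append(f"{flag} must not be true")
    # Relaxed profile: UID 0 is tolerated only inside a user namespace.
    if profile == "userns-root" and spec.get("hostUsers") is not False:
        out.append("hostUsers must be false")
    for c in _containers(spec):
        name, sc = c.get("name", "?"), c.get("securityContext") or {}
        if sc.get("privileged"):
            out.append(f"{name}: privileged must not be true")
        if sc.get("allowPrivilegeEscalation") is not False:
            out.append(f"{name}: allowPrivilegeEscalation must be false")
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            out.append(f"{name}: capabilities.drop must include ALL")
        if set(caps.get("add") or []) - {"NET_BIND_SERVICE"}:
            out.append(f"{name}: only NET_BIND_SERVICE may be added")
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            out.append(f"{name}: seccompProfile must be RuntimeDefault or Localhost")
        if profile == "restricted":
            # Container-level settings override the pod-level securityContext.
            if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
                out.append(f"{name}: runAsNonRoot must be true")
            if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
                out.append(f"{name}: runAsUser must not be 0")
    return out

# Constructed sample specs (not taken from any Kubeflow manifest).
HARDENED = {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]},
            "seccompProfile": {"type": "RuntimeDefault"}}
NON_ROOT_POD = {"containers": [{"name": "app",
                "securityContext": {**HARDENED, "runAsNonRoot": True}}]}
ROOT_USERNS_POD = {"hostUsers": False, "containers": [{"name": "mlflow",
                   "securityContext": {**HARDENED, "runAsUser": 0}}]}

if __name__ == "__main__":
    for pod in (NON_ROOT_POD, ROOT_USERNS_POD):
        for profile in ("restricted", "userns-root"):
            print(profile, violations(pod, profile))
```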
At this point I believe we can merge this PR and start cleaning up the
/cc @kubeflow/wg-manifests-leads
/hold cancel
/lgtm
* proposal: Guidelines for /contrib components

  Create an initial proposal regarding the expectations we should have around the components in /contrib as well as a deprecation plan for unmaintained components.

  Signed-off-by: Kimonas Sotirchos <[email protected]>

* review: Document that components should be working with current KF

  Signed-off-by: Kimonas Sotirchos <[email protected]>

* review: Expect link to component's documentation

  Signed-off-by: Kimonas Sotirchos <[email protected]>

* review: Expect an UPGRADE.md file as well

  Signed-off-by: Kimonas Sotirchos <[email protected]>

* review: Fix typos

  Signed-off-by: Kimonas Sotirchos <[email protected]>

* review: Add some testing requirements

  Signed-off-by: Kimonas Sotirchos <[email protected]>

Signed-off-by: Kimonas Sotirchos <[email protected]>
Create an initial proposal regarding the expectations we should have around the components in /contrib as well as a deprecation plan for unmaintained components.

I'd like to wait 2 weeks before merging this PR, to gather feedback on the proposal. Then once it's merged I'll do a pass on the components and create issues for the ones that don't meet the requirements. If there won't be any feedback in those issues, then the components will enter a deprecation phase.
@holdenk @Jeffwan @krishnadurai @yanniszark @juliusvonkohout @zijianjoy @gkcalat @zijianjoy @gkcalat @Jeffwan @woop @tedhtchang @Tomcli @animeshsingh @pvaneck @axsaucedo @adriangonz @cliveseldon @ryandawsonuk @ellistarn @yuzisun @cliveseldon @animeshsingh @deadeyegoodwin
cc-ing the release team as well @annajung @DomFleischmann @yubozhao @surajkota @DnPlas @jbottum