manifests icon indicating copy to clipboard operation
manifests copied to clipboard
verified publisher icon kubeflow

Finish and upstream the minio replacement

Open juliusvonkohout opened this issue 11 months ago • 5 comments

Validation Checklist

  • [x] I confirm that this is a Kubeflow-related issue.
  • [x] I am reporting this in the appropriate repository.
  • [x] I have followed the Kubeflow installation guidelines.
  • [x] The issue report is detailed and includes version numbers where applicable.
  • [x] I have considered adding my company to the adopters page to support Kubeflow and help the community, since I expect help from the community for my issue (see 1. and 2.).
  • [x] This issue pertains to Kubeflow development.
  • [x] I am available to work on this issue.
  • [x] You can join the CNCF Slack and access our meetings at the Kubeflow Community website. Our channel on the CNCF Slack is here #kubeflow-platform.

Version

master

Detailed Description

Follow up of https://github.com/kubeflow/manifests/pull/3051#issuecomment-2833371838

@akagami-harsh @milinddethe15 @pschoen-itsc

Steps to Reproduce

In a follow up PR we should

  • [x] check whether ubuntu-latest-16-cores is really needed instead of the smaller nodes
  • [x] test it also in https://github.com/kubeflow/manifests/blob/master/.github/workflows/full_kubeflow_integration_test.yaml
  • [x] Add security checks to fest for unauthorized access
  • [x] Adjust the Argo Workflow-Controller configuration map to achieve the same for V1 pipelines (easy, did so before)
  • [ ] See how we can upstream that to KFP
  • [x] Fix ./tests/gh-actions/install_pipelines_swfs.sh shell: /usr/bin/bash -e {0} Installing Pipelines ... customresourcedefinition.apiextensions.k8s.io/compositecontrollers.metacontroller.k8s.io created customresourcedefinition.apiextensions.k8s.io/controllerrevisions.metacontroller.k8s.io created customresourcedefinition.apiextensions.k8s.io/decoratorcontrollers.metacontroller.k8s.io created Waiting for crd/compositecontrollers.metacontroller.k8s.io to be available ... customresourcedefinition.apiextensions.k8s.io/compositecontrollers.metacontroller.k8s.io condition met Warning: 'vars' is deprecated. Please use 'replacements' instead. [EXPERIMENTAL] Run 'kustomize edit fix' to update your Kustomization automatically.
  • [x] WARNING: PSS violation detected for namespace kubeflow Warning: existing pods in namespace "kubeflow" violate the new PodSecurity enforce level "restricted:latest" Warning: init-seaweedfs-pg9jk (and 3 other pods): seccompProfile

Thank you everyone! I am pushing this for 4 years or so and even had google and redhat employees involved, back then even Amazon. It is fundamental for CVEs, maintainabiliy (minio is now stuck for 5 years or so) and hard multi-tenancy as basic requirement for a sane platform. We also had approaches there for several years with minio. it started all in 2020 here https://github.com/kubeflow/pipelines/issues/4649 and went via https://github.com/kubeflow/pipelines/pull/7725 (2022) and https://github.com/kubeflow/manifests/pull/2826 (October 2024) to https://github.com/kubeflow/manifests/pull/3051 (2025). Without that experimental and extended tests it would have been very hard to pull of and coordinate. I want to especially highlight @pschoen-itsc who spent his effort here for the public health sector in Germany where many insurances need hard multi-tenancy to process data.

Screenshots or Videos (Optional)

No response

juliusvonkohout avatar Apr 28 '25 15:04 juliusvonkohout

@akagami-harsh

juliusvonkohout avatar May 19 '25 11:05 juliusvonkohout

/assign @akagami-harsh

juliusvonkohout avatar May 19 '25 11:05 juliusvonkohout

@juliusvonkohout: GitHub didn't allow me to assign the following users: akagami-harsh.

Note that only kubeflow members with read permissions, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time. For more information please see the contributor guide

In response to this:

/assign @akagami-harsh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

google-oss-prow[bot] avatar May 19 '25 11:05 google-oss-prow[bot]

/assign

akagami-harsh avatar May 19 '25 17:05 akagami-harsh

SO what is missing is "test it also in https://github.com/kubeflow/manifests/blob/master/.github/workflows/full_kubeflow_integration_test.yaml"

and then in the next call we can discuss how to upstream it.

juliusvonkohout avatar Jun 04 '25 12:06 juliusvonkohout

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

github-actions[bot] avatar Aug 10 '25 00:08 github-actions[bot]

Still in progress

juliusvonkohout avatar Aug 10 '25 09:08 juliusvonkohout

Now lets get a KFP release and synchronize :-)

juliusvonkohout avatar Aug 20 '25 16:08 juliusvonkohout

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

github-actions[bot] avatar Oct 20 '25 00:10 github-actions[bot]

The 2.15 release in kfp is supposed to land soon

juliusvonkohout avatar Oct 23 '25 08:10 juliusvonkohout