This is an automated email from the ASF dual-hosted git repository.
cdmikechen pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/submarine.git
The following commit(s) were added to refs/heads/master by this push:
new b0d96b39 SUBMARINE-1131. Remove deprecated API for k8s 1.25
b0d96b39 is described below
commit b0d96b392744a84dc6a3a0295af1cd301ccbfba7
Author: cdmikechen <[email protected]>
AuthorDate: Sat Jun 17 20:07:17 2023 +0800
SUBMARINE-1131. Remove deprecated API for k8s 1.25
### What is this PR for?
`PodSecurityPolicy` will be removed in k8s 1.25
https://kubernetes.io/docs/reference/using-api/deprecation-guide/#psp-v125
So we need to remove the `PodSecurityPolicy` support in 1.25 and try
to use other ways to handle `runAsUser`.
https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/
https://kubernetes.io/docs/concepts/security/pod-security-admission/
### What type of PR is it?
Improvement
### Todos
* [x] - Add k8s 1.25 in git workflow
* [x] - Change `podSecurityPolicy.create` default value to false
* [x] - Change `PodSecurityPolicy` to `Pod Security Admission` (PSA) in 1.25
### What is the Jira issue?
https://issues.apache.org/jira/browse/SUBMARINE-1131
### How should this be tested?
CI test
### Screenshots (if appropriate)
### Questions:
* Do the license files need updating? No
* Are there breaking changes for older versions? No
* Does this need new documentation? No
Author: cdmikechen <[email protected]>
Signed-off-by: cdmikechen <[email protected]>
Closes #1071 from cdmikechen/SUBMARINE-1131 and squashes the following
commits:
a9ed15d6 [cdmikechen] support PSA
2556d34e [cdmikechen] update master workflow k8s to 1.25.3
f9930133 [cdmikechen] set kind to 1.25.3
0ed0131b [cdmikechen] set psp to false by default
f85c3b9a [cdmikechen] update k8s version to 1.25
---
.github/workflows/master.yml | 2 +-
.github/workflows/python.yml | 2 +-
helm-charts/submarine/README.md | 2 +-
helm-charts/submarine/values.yaml | 4 +-
website/docs/devDocs/Dependencies.md | 75 ++++++++++++++++++-------------
website/docs/gettingStarted/quickstart.md | 18 ++++++--
6 files changed, 64 insertions(+), 39 deletions(-)
diff --git a/.github/workflows/master.yml b/.github/workflows/master.yml
index a7702420..2f6ff79f 100644
--- a/.github/workflows/master.yml
+++ b/.github/workflows/master.yml
@@ -33,7 +33,7 @@ jobs:
steps:
- id: set-matrix
run: |
- echo "::set-output name=matrix::[\"v1.22.17\", \"v1.23.17\",
\"v1.24.12\"]"
+ echo "::set-output name=matrix::[\"v1.22.17\", \"v1.23.17\",
\"v1.24.12\", \"v1.25.3\"]"
submarine-operator-verify:
runs-on: ubuntu-latest
timeout-minutes: 10
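Review bot: The `echo "::set-output name=matrix::..."` line edited in this hunk still uses the `set-output` workflow command, which GitHub Actions has deprecated in favour of appending to `$GITHUB_OUTPUT`. Since the line is being touched anyway, consider writing the matrix with `echo "matrix=[...]" >> "$GITHUB_OUTPUT"` so the `set-matrix` step keeps working once the old command is switched off.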
diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml
index 11c2a7b2..29f73e8e 100644
--- a/.github/workflows/python.yml
+++ b/.github/workflows/python.yml
@@ -19,7 +19,7 @@ name: python-sdk
on: [push, pull_request]
env:
- KUBERNETES_VERSION: "v1.21.14"
+ KUBERNETES_VERSION: "v1.25.3"
jobs:
check-style:
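Review bot: `KUBERNETES_VERSION` jumps from `v1.21.14` straight to `v1.25.3`, so the python-sdk workflow runs against a single version and skips 1.22 through 1.24, which master.yml in this same patch still keeps in its matrix. If one version is intentional, a short comment on the `env` entry saying so would help; otherwise consider reusing the matrix here.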
diff --git a/helm-charts/submarine/README.md b/helm-charts/submarine/README.md
index 456b5ab1..980dadd7 100644
--- a/helm-charts/submarine/README.md
+++ b/helm-charts/submarine/README.md
@@ -96,7 +96,7 @@ The following table lists the configurable parameters of the
MySQL chart and the
| `storageClass.provisioner` | Determine what volume plugin
is used for provisioning PVs
| `k8s.io/minikube-hostpath` |
| `storageClass.parameters` | Describe volumes belonging to
the storage class
| `{}` |
| `clusterType` | k8s cluster type. can be:
kubernetes or openshift
| `kubernetes`
|
-| `podSecurityPolicy.create` | Specifies whether a
PodSecurityPolicy should be created, this configuration enables the
database/minio/server to set securityContext.runAsUser | `true`
|
+| `podSecurityPolicy.create` | Specifies whether a
PodSecurityPolicy should be created, this configuration enables the
database/minio/server to set securityContext.runAsUser | `false`
|
| `istio.enabled` | Use istio to expose the
service
| `true`
|
| `istio.gatewaySelector` | Gateway label selector
| `istio: ingressgateway` |
| `training-operator.enabled` | If we need to deploye a
kubeflow training operator in this helm
| `true`
|
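Review bot: The `podSecurityPolicy.create` row changes only the default to `false`; its description still presents creating a PodSecurityPolicy as what lets database/minio/server set `securityContext.runAsUser`, with no mention of the version limit. Carry over the caveat that values.yaml gains in this patch (set `false` on Kubernetes 1.25+) and state what users on older clusters with PSP enforcement should set.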
diff --git a/helm-charts/submarine/values.yaml
b/helm-charts/submarine/values.yaml
index b151a099..97c6e6ff 100644
--- a/helm-charts/submarine/values.yaml
+++ b/helm-charts/submarine/values.yaml
@@ -43,7 +43,9 @@ clusterType: kubernetes
podSecurityPolicy:
# Specifies whether a PodSecurityPolicy should be created,
# This configuration enables the database/minio/server to set
securityContext.runAsUser
- create: true
+ # If your kubernetes cluster version is 1.25+, please set false.
+ # reference:
https://kubernetes.io/docs/reference/using-api/deprecation-guide/#psp-v125
+ create: false
# Istio configuration
istio:
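Review bot: Flipping `create` to `false` changes the default for every cluster version, not only 1.25+. Per the existing comment, this setting is what enables database/minio/server to set `securityContext.runAsUser`, so installs on older clusters that enforce PSP now have to pass `podSecurityPolicy.create=true` explicitly, which sits oddly with the "no breaking changes" answer in the description. The new comment covers only the 1.25+ case; please document the older-cluster case as well, and consider having the chart skip the PSP object when the API is not served so that `true` cannot break a 1.25 install.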
diff --git a/website/docs/devDocs/Dependencies.md
b/website/docs/devDocs/Dependencies.md
index 5ae85845..9aebbb68 100644
--- a/website/docs/devDocs/Dependencies.md
+++ b/website/docs/devDocs/Dependencies.md
@@ -1,6 +1,7 @@
---
title: Dependencies for Submarine
---
+
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
@@ -19,54 +20,64 @@ KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
-* These are the dependencies currently used by Apache Submarine.
+
+- These are the dependencies currently used by Apache Submarine.
## Kubernetes
-| Kubernetes Version | Support? |
-|---------------------|:-------------:|
-| 1.18.x (or earlier) | X |
-| 1.19.x - 1.21.x | √ |
-| 1.22.x (or later) | X |
+
+| Kubernetes Version | Support? |
+| ------------------- | :------------: |
+| 1.18.x (or earlier) | X |
+| 1.19.x - 1.21.x | Not tested |
+| 1.22.x - 1.25.x | √ |
+| 1.26.x (or later) | To be verified |
## KinD
-| KinD Version | Support? |
-|--------------------|:-------------:|
-| 0.5.x (or earlier) | X |
-| 0.6.x - 0.17.x | √ |
+
+| KinD Version | Support? |
+| ------------------ | :------: |
+| 0.5.x (or earlier) | X |
+| 0.6.x - 0.17.x | √ |
## Java
-| JDK Version | Support? |
-| ------------- |:-------------:|
-| 8 | √ |
-| 11 | √ |
-| 17 | X |
+
+| JDK Version | Support? |
+| ----------- | :------------: |
+| 8 | X |
+| 11 | √ |
+| 17 | To be verified |
## Maven
-* 3.3 or later ( < 3.8.1 )
+
+- 3.3 or later ( < 3.8.1 )
## Docker
-* Latest
+
+- Latest
## Helm
-* Version 3
+
+- Version 3
## NodeJS
-* 14 (or later)
+
+- 14 (or later)
## Go
-| Go Version | Support? |
-|-----------------|:-------------:|
-| 1.15 | X |
-| 1.16 | √ |
-| 1.17 | √ |
-| 1.18 (or later) | To be verified |
+
+| Go Version | Support? |
+| --------------- | :------: |
+| 1.15 | X |
+| 1.16 | √ |
+| 1.17 | √ |
+| 1.18 (or later) | X |
## Python
-| Python Version | Support? |
-| ------------- |:-------------:|
-| 3.6 (or earlier) | X |
-| 3.7 | √ |
-| 3.8 | √ |
-| 3.9 | √ |
-| 3.10 | √ |
+| Python Version | Support? |
+| ---------------- | :------: |
+| 3.6 (or earlier) | X |
+| 3.7 | √ |
+| 3.8 | √ |
+| 3.9 | √ |
+| 3.10 | √ |
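Review bot: Besides the Kubernetes rows, this hunk flips JDK 8 from `√` to `X`, JDK 17 from `X` to `To be verified`, and Go 1.18 (or later) from `To be verified` to `X`, none of which is mentioned in a commit message that is about removing PSP for k8s 1.25. Please split those support-matrix changes into their own commit or justify them in the description. The bullet-marker and table-padding reformatting in the same hunk also makes the substantive changes hard to spot.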
diff --git a/website/docs/gettingStarted/quickstart.md
b/website/docs/gettingStarted/quickstart.md
index b2b1dede..aa51c667 100644
--- a/website/docs/gettingStarted/quickstart.md
+++ b/website/docs/gettingStarted/quickstart.md
@@ -42,8 +42,12 @@ Start minikube
# You can go to https://minikube.sigs.k8s.io/docs/start/ and follow the
tutorial to install minikube.
# Then you can start kubernetes with minikube:
minikube start --vm-driver=docker --cpus 8 --memory 8192 --kubernetes-version
v1.24.12
-# Or if you want to support Pod Security Policy
(https://minikube.sigs.k8s.io/docs/tutorials/using_psp), you can use the
following command to start cluster
-minikube start
--extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy
--addons=pod-security-policy --vm-driver=docker --cpus 8 --memory 8192
--kubernetes-version v1.24.12
+
+# The version of k8s can be adjusted to the range of your current minikube.
+# For example, minikube v1.28.0 can provide versions from v1.25.0 to v1.25.3
in k8s 1.25
+
+# Or if you want to support Pod Security Policy
(https://minikube.sigs.k8s.io/docs/tutorials/using_psp) in k8s 1.21 or 1.22,
you can use the following command to start cluster
+minikube start
--extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy
--addons=pod-security-policy --vm-driver=docker --cpus 8 --memory 8192
--kubernetes-version v1.21.2
```
Install Istio, there are two ways to install: Command-Istioctl-based, or
Helm-based
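Review bot: The PSP variant now pins `--kubernetes-version v1.21.2`, while its comment says "k8s 1.21 or 1.22" and the Dependencies table in this same patch marks 1.19.x - 1.21.x as `Not tested`; the three should agree. Also, with `podSecurityPolicy.create` now defaulting to `false`, a reader who starts minikube with the PodSecurityPolicy admission plugin needs to be told to set it to `true` when installing the chart, and that step is missing from the comment.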
@@ -78,10 +82,18 @@ cd submarine
2. Create necessary namespaces
```bash
+# create namespace for submarine, training, notebook and seldon-core operators
kubectl create namespace submarine
-kubectl create namespace submarine-user-test
kubectl label namespace submarine istio-injection=enabled
+
+# create namespace for deploying submarine-server
+kubectl create namespace submarine-user-test
kubectl label namespace submarine-user-test istio-injection=enabled
+
+# After k8s 1.25, we can turn on PSA (Pod Security Admission) labels for
namespace.
+# We use a common PSA enforcement level. If you want to use a more detailed
configuration, you can refer to
+#
https://kubernetes.io/docs/concepts/security/pod-security-admission/#pod-security-admission-labels-for-namespaces
+kubectl label namespace submarine-user-test
'pod-security.kubernetes.io/enforce=privileged'
```
3. Install the submarine operator and dependencies by helm chart
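Review bot: `pod-security.kubernetes.io/enforce=privileged` selects the unrestricted Pod Security level, so the label added at the end of this hunk records intent but rejects nothing, and the comment calling it "a common PSA enforcement level" does not make that clear. Please state which workload in `submarine-user-test` needs `privileged`, or enforce `baseline` if the pods pass it, and consider adding `pod-security.kubernetes.io/warn` and `pod-security.kubernetes.io/audit` labels at a stricter level so violations are at least surfaced. The comment "After k8s 1.25" would also read more accurately as "On k8s 1.25 and later".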