Snyk scan

.github/ISSUE_TEMPLATE/bug_report.md

@@ -13,6 +13,9 @@ about: Tell us about a problem you are experiencing
 **What did you expect to happen:**
 
 
+**What's the InferenceService yaml:**
+[To help us debug please run `kubectl get isvc $name -n $namespace -oyaml` and paste the output]
+
 **Anything else you would like to add:**
 [Miscellaneous information that will assist in solving the issue.]
 
@@ -21,9 +24,9 @@ about: Tell us about a problem you are experiencing
 
 - Istio Version:
 - Knative Version:
-- KFServing Version:
+- KServe Version:
 - Kubeflow version:
-- Kfdef:[k8s_istio/istio_dex/gcp_basic_auth/gcp_iap/aws/aws_cognito/ibm]
-- Minikube version:
+- Cloud Environment:[k8s_istio/istio_dex/gcp_basic_auth/gcp_iap/aws/aws_cognito/ibm]
+- Minikube/Kind version:
 - Kubernetes version: (use `kubectl version`):
 - OS (e.g. from `/etc/os-release`):

.github/workflows/scheduled-image-scan.yml

@@ -0,0 +1,105 @@
+name: Twice a week image scan
+# Temporarily adding on push for testing
+on:
+  schedule:
+    - cron: '0 0 * * 0,3'
+  workflow_dispatch: {}
+
+jobs:
+  base-image-scan:
+    name: scan images
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        image: [{ name: kserve-controller, file: Dockerfile},
+                { name: agent, file: agent.Dockerfile}, 
+                { name: storage-initializer, file: python/storage-initializer.Dockerfile},
+                { name: router, file: router.Dockerfile}]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Security scan on docker image
+        uses: snyk/actions/docker@master
+        id: docker-image-scan
+        continue-on-error: true
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          image: kserve/${{ matrix.image.name }}
+          args: --severity-threshold=low
+                --file=${{ matrix.image.file }}
+                --sarif-file-output=./application/${{ matrix.image.name }}/docker.snyk.sarif
+          sarif: false
+
+      - name: Upload sarif file to Github Code Scanning
+        if: always()
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: application/${{ matrix.image.name }}/docker.snyk.sarif
+
+  predictor-image-scan:
+    name: scan predictor images
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        image: [{ name: sklearnserver, file: python/sklearn.Dockerfile},
+                { name: xgbserver, file: python/xgb.Dockerfile},
+                { name: pmmlserver, file: python/pmml.Dockerfile},
+                { name: paddleserver, file: python/paddle.Dockerfile}]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Security scan on docker image
+        uses: snyk/actions/docker@master
+        id: docker-image-scan
+        continue-on-error: true
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          image: kserve/${{ matrix.image.name }}
+          args: --severity-threshold=low
+                --file=${{ matrix.image.file }}
+                --sarif-file-output=./application/${{ matrix.image.name }}/docker.snyk.sarif
+          sarif: false
+
+      - name: Upload sarif file to Github Code Scanning
+        if: always()
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: application/${{ matrix.image.name }}/docker.snyk.sarif
+
+  explainer-image-scan:
+    name: scan explainer images
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        image: [{ name: aix-explainer, file: python/aixexplainer.Dockerfile},
+                { name: alibi-explainer, file: python/alibiexplainer.Dockerfile},
+                { name: art-explainer, file: python/artexplainer.Dockerfile}]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Security scan on docker image
+        uses: snyk/actions/docker@master
+        id: docker-image-scan
+        continue-on-error: true
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          image: kserve/${{ matrix.image.name }}
+          args: --severity-threshold=low
+                --file=${{ matrix.image.file }}
+                --sarif-file-output=./application/${{ matrix.image.name }}/docker.snyk.sarif
+          sarif: false
+
+      - name: Upload sarif file to Github Code Scanning
+        if: always()
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: application/${{ matrix.image.name }}/docker.snyk.sarif

charts/kserve-crd/Chart.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+name: kserve-crd
+version: v0.10.0-rc0
+description: Helm chart for deploying kserve crds 
+keywords:
+  - kserve
+  - modelmesh
+sources:
+  - http://github.com/kserve/kserve

charts/kserve/Chart.yaml → charts/kserve-resources/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 name: kserve 
-version: v0.9.0
-description: Helm chart for deploying kserve resources and CRDs
+version: v0.10.0-rc0
+description: Helm chart for deploying kserve resources
 keywords:
   - kserve
   - modelmesh

charts/kserve/templates/configmap.yaml → charts/kserve-resources/templates/configmap.yaml

@@ -121,13 +121,10 @@ data:
         "cpuRequest": "100m",
         "cpuLimit": "1"
     }
-  transformers: |-
-    {
-    }
   metricsAggregator: |-
     {
-      "enableMetricAggregation": {{ .Values.kserve.metricsaggregator.enableMetricAggregation }},
-      "enablePrometheusScraping" : {{ .Values.kserve.metricsaggregator.enablePrometheusScraping }}
+      "enableMetricAggregation": "{{ .Values.kserve.metricsaggregator.enableMetricAggregation }}",
+      "enablePrometheusScraping" : "{{ .Values.kserve.metricsaggregator.enablePrometheusScraping }}"
     }
 kind: ConfigMap
 metadata:

config/configmap/inferenceservice.yaml

@@ -55,7 +55,7 @@ data:
     }
   ingress: |-
     {
-        "ingressGateway" : "$(ingressGateway)",
+        "ingressGateway" : "knative-serving/knative-ingress-gateway",
         "ingressService" : "istio-ingressgateway.istio-system.svc.cluster.local",
         "localGateway" : "knative-serving/knative-local-gateway",
         "localGatewayService" : "knative-local-gateway.istio-system.svc.cluster.local",

config/default/kustomization.yaml

@@ -36,21 +36,7 @@ patchesStrategicMerge:
 generatorOptions:
   disableNameSuffixHash: true
 
-# To make namespace for standalone installation kustomizable,
-# variabilize ingress gateway, webhook service name and
-# kserve namespace in webhook configurations
-configMapGenerator:
-  - name: kserve-config
-    envs:
-    - params.env
 vars:
-- name: ingressGateway
-  objref:
-    kind: ConfigMap
-    name: kserve-config
-    apiVersion: v1
-  fieldref:
-    fieldpath: data.ingressGateway
 - fieldref:
     fieldpath: metadata.name
   name: webhookServiceName

config/overlays/kubeflow/kustomization.yaml

@@ -20,14 +20,5 @@ patchesStrategicMerge:
 generatorOptions:
   disableNameSuffixHash: true
 
-# To make namespace for standalone installation kustomizable,
-# variabilize ingress gateway, webhook service name and
-# kserve namespace in webhook configurations
-configMapGenerator:
-  - name: kserve-config
-    behavior: replace
-    envs:
-    - params.env
-
 configurations:
 - params.yaml

hack/generate-install.sh

@@ -60,6 +60,9 @@ kustomize build config/default | sed s/:latest/:$TAG/ > $INSTALL_PATH
 kustomize build config/overlays/kubeflow | sed s/:latest/:$TAG/ > $KUBEFLOW_INSTALL_PATH
 kustomize build config/runtimes | sed s/:latest/:$TAG/ >> $RUNTIMES_INSTALL_PATH
 
+# Update ingressGateway in inferenceservice configmap as 'kubeflow/kubeflow-gateway'
+yq -i 'select(.metadata.name == "inferenceservice-config").data.ingress |= (fromjson | .ingressGateway = "kubeflow/kubeflow-gateway" | tojson)' $KUBEFLOW_INSTALL_PATH
+
 # Copy CRD files to charts crds directory
 cp config/crd/serving.kserve.io_clusterservingruntimes.yaml charts/kserve/crds/serving.kserve.io_clusterservingruntimes.yaml
 cp config/crd/serving.kserve.io_inferenceservices.yaml charts/kserve/crds/serving.kserve.io_inferenceservices.yaml