CVEs - Fix CVEs in kubeflow centraldashboard component #6519
* Fix(manifests): Upgrade rbac.authorization.k8s.io from v1beta1 to v1 (kubeflow#6261) * proposal: Extend Notebook Controller to expose idleness for Jupyter (kubeflow#6295) * proposal: Extend Notebook Controller to expose idleness for Jupyter (kubeflow#6270) Provide a design doc as a proposal for extending Notebook Controller to expose idleness for Jupyter. Our proposal is in markdown format and follows the guidelines of the kubeflow/components/proposal/README.md guide. You can view the kubeflow#6270 issue in the following link: kubeflow#6270 Signed-off-by: Athanasios Markou <athamark@arrikto.com> * review: change the title of the proposal Change the title of the proposal to only include the proposed new feature. The new title of the proposal will now be "Expose Idleness Information for Jupyter Notebooks". * review: rename the proposal markdown file We want to give a more specific name to the markdown which contains the proposal. Since this proposal emphasizes on a feature regarding the Jupyter Notebooks, the new name will be: 20220121-jupyter-notebook-idleness.md * Synchronize jupyter-web-application role with clusterrole (kubeflow#6241) * Update role.yaml * Update role.yaml * Update cluster-role.yaml * Kubeflow Roadmap update - with 1.5 details (kubeflow#6266) * Kubeflow Roadmap update - with 1.5 details These proposed changes include: identifying that 1.4.1 has been delivered, provides themes for 1.5 and provides details of major features in 1.5 by working group. This is an initial proposal that needs review by the working group leads. 
* correct formatting in KFP features Moved KFP features under KFP Control Flow doc * updating KFP section updating KFP references with updates from KFP team * Updated the 1.5 release date to March updated the 1.5 release date to March * Update ROADMAP.md change Hyperparameter leader election to Katib leader election Co-authored-by: Andrey Velichkevich <andrey.velichkevich@gmail.com> * Update ROADMAP.md improve description and details of feature for metrics collector Co-authored-by: Andrey Velichkevich <andrey.velichkevich@gmail.com> * Update Katib description for Early stopping in 1.5 updating with Andrey's suggestion (but without the world proper). * Validation for Early Stopping algorithm settings helps users to proper reduce model overfitting Co-authored-by: Andrey Velichkevich <andrey.velichkevich@gmail.com> * notebooks: Extend Notebook Controller to expose idleness for Jupyter (kubeflow#6297) * notebooks: Update image's tag in make Modify Makefile to update properly the TAG based on the git TAG. Signed-off-by: Athanasios Markou <athamark@arrikto.com> Reviewed-by: Kimonas Sotirchos <kimwnasptd@arrikto.com> * notebooks: Expose last-activity Extend the notebook-controller to: * cull idle Notebook Servers based on their new `last-activity` annotation * expose the last activity of each Notebook Server as an annotation on the metadata of the corresponding CR object Modify notebook_controller.go to: * update the Last Activity of each Notebook Server that has a Running pod * delete the Last Activity Annotation for every Notebook Server that does not have a Running pod Extend culler.go to: * perform culling based on the new `last-activity` annotation and not based on the `/api/status` endpoint. * update the last activity of a Notebook Server, based on the kernels' execution states. 
Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com> Reviewed-by: Athanasios Markou <athamark@arrikto.com> * notebooks: Introduce a DEV env var We introduce a DEV ENV var to allow admins develop and test on their local machine their custom Notebook Controller. We provide information and instructions inside the components/notebook-controller/README.md. Signed-off-by: Athanasios Markou <athamark@arrikto.com> Reviewed-by: Kimonas Sotirchos <kimwnasptd@arrikto.com> * notebooks: Add unit tests for last-activity * Introduce new tests for allKernelsAreIdle() * Extend the tests for NotebookIsIdle() and for NotebookNeedsCulling(). Signed-off-by: Athanasios Markou <athamark@arrikto.com> Reviewed-by: Kimonas Sotirchos <kimwnasptd@arrikto.com> * review: UpdateNotebookLastActivityAnnotation() Ensure that UpdateNotebookLastActivityAnnotation() does not return "true". This function should not return any value. Signed-off-by: Athanasios Markou <athamark@arrikto.com> * jwa: Rework the Storage API of the web app (kubeflow#6321) * wa(back): Add helper for deserializing JSON obj In some cases we might need to construct Python k8s lib objects from the JSONs that are provided by clients. I.e. the UI will be sending a PVC object in json format, so the backend will need to create the corresponding client.V1PersistentVolumeClaim object and submit it. Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com> Reviewed-by: Ilias Katsakioris <elikatsis@arrikto.com> * wa(back): Serialization helper Add helper function for converting a k8s-client object into a dict that can be sent as an HTTP response. Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com> Reviewed-by: Ilias Katsakioris <elikatsis@arrikto.com> * wa(back): Add dry run to Notebooks and PVCs The backend will need to be able to create objects with dry-run, in order to ensure they are valid. The backend will need to check that both the Notebook and the PVCs can be created beforehand. 
This way we avoid the scenario where we create PVCs but the Notebook fails to be created, and the PVCs are never garbage collected. Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com> Reviewed-by: Ilias Katsakioris <elikatsis@arrikto.com> * wa(back): Update kubernetes to 0.17 In order to support dry-run we must use the 0.17 version of the Python k8s client. Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com> Reviewed-by: Ilias Katsakioris <elikatsis@arrikto.com> * wa(back): Extend api module to patch pvcs The backend will need to be able to PATCH PVCs in order to set the ownerReference to the Notebook that mounts the PVCs. Ref: arrikto/dev/issues/386#issuecomment-856700392 Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com> Reviewed-by: Ilias Katsakioris <elikatsis@arrikto.com> * jwa(back): Work with new Volumes API The backend API should not add any more layers of abstractions on top of the K8s API. The backend should expect the client/UI to be sending the entire PVC spec of a new PVC. Refs: arrikto/dev/issues/386 Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com> Reviewed-by: Ilias Katsakioris <elikatsis@arrikto.com> * jwa(back): Add unittests for new volumes API Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com> Reviewed-by: Ilias Katsakioris <elikatsis@arrikto.com> * jwa(back): Extend the PVC info returned We want to show both the access mode and size of the existing PVCs, when a user clicks on the dropdown to select which PVC to mount. The backend will need to provide this information to the frontend. We don't want to send the K8s list of PVCs since this will result in a lot of unnecessary data to be sent. Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com> Reviewed-by: Ilias Katsakioris <elikatsis@arrikto.com> * jwa(front): Add proxy config for Rok When developing the Rok flavor locally we will need to be able to open the Rok chooser. 
This can be done by using Angular/webpack proxy to bring the exposed rok service and the app under the same domain. Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com> Reviewed-by: Tasos Alexiou <tasos@arrikto.com> * jwa(front): Remove card from form The form of the app should not be a big card, but a normal form. Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com> Reviewed-by: Tasos Alexiou <tasos@arrikto.com> * jwa(front): Install AceModule for yaml editing Install AceModule to allow users to edit yamls of objects. Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com> Reviewed-by: Tasos Alexiou <tasos@arrikto.com> * wa(front): Change the styling of form sections Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com> Reviewed-by: Tasos Alexiou <tasos@arrikto.com> * jwa(front): Create common volume components Component for: * New PVC and configuring its spec * Attaching an existing PVC in a Notebook Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com> Reviewed-by: Tasos Alexiou <tasos@arrikto.com> * jwa(front): Update Rok form for new Volume API Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com> Reviewed-by: Tasos Alexiou <tasos@arrikto.com> * jwa(front): Mark inputs as dirty when restoring Lab When the UI autofills the form with values from a JupyterLab snapshot then it should mark the touched fields as dirty. This way if a field has errors the UI will make that input red. Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com> Reviewed-by: Tasos Alexiou <tasos@arrikto.com> * jwa: Update ConfigMap in manifests Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com> * jwa(front): Fix format errors Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com> * profiles: Update the permissions for notebook idleness (kubeflow#6335) Extend the Profiles Controller to give permissions to Notebooks controller for making GET requests to notebook's /api/kernels endpoint. 
Refs https://github.com/kubeflow/kubeflow/blob/master/components/proposals/20220121-jupyter-notebook-idleness.md Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com> * notebooks: Graceful handling of events (kubeflow#6338) * notebooks: Handle events gracefully The controller is not exiting the reconciliation loop after it has re-emitted a Pod/STS Event as a Notebook Event. This results in the controller to later on try and GET a Notebook with the name of the Event that triggered the reconciliation loop. The controller should exit the reconciliation function once it has emitted the event. Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com> * notebooks: Don't reconcile on deleted events We don't want to trigger the reconciliation function when an event gets deleted. If a Notebook would be deleted then the underlying events would be deleted as well, which results in the reconcile function to get triggered and try to GET Events and Notebooks with the name of the deleted event. Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com> * notebooks: Fix endless restarts (kubeflow#6341) * notebooks: Update notebook if timestamp changed We don't want to be updating the spec of the notebook if the timestamp hasn't changed, since this will lead to constant updates and reconciliation loops. Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com> * notebooks: Use a deep-copy of the notebook spec The controller should use a deep-copy of the notebook spec when calculating the spec for the StatefulSet. If not then we could update the notebook object without wanting it, since the spec could have been changed when calculating the STS spec. Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com> * notebooks: Add prefix env var only if missing The controller should be setting OR updating the NB_PREFIX env var. Previously it would always blindly append it to the spec, which could result in double entries for the same env var. 
Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com> * releasing: Update tags for v1.5.0-rc.1 (kubeflow#6343) Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com> Co-authored-by: Andrey Velichkevich <andrey.velichkevich@gmail.com>
…ields" (kubeflow#6195) error comparison between pointer and pointer in "CopyStatefulSetFields"
Configure the dashboard to use the KServe app instead of the KFServing 0.6.1 one. Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com>
The controller should not trigger the reconcile loop when an Event is deleted. Previously the controller would run the reconciliation loop on any event deletion. This commit updates it to not run the loop for ANY event. Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com>
Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com>
Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com>
* Don't overwrite security context if it is unset in PodDefaults
* Merge securityContexts from PodDefault and target pod

Co-authored-by: Alex Lembiyeuski <alembiyeuski@d2iq.com>
Fix kubeflow#6366

Migrating to Kubebuilder v3 leads to the following changes:
- Add .dockerignore file.
- Upgrade Go version from v1.15 to v1.17.
- Adapt Makefile.
- Add image (build + push) target to makefile.
- Upgrade EnvTest to use K8s v1.22.
- Update PROJECT template.
- Migrate CRD apiVersion from v1beta to v1.
- Add livenessProbe and readinessProbe to controller manager.
- Upgrade controller-runtime from v0.2.0 to v0.11.0.

Other changes:
- Build image using public.ecr.aws registry instead of gcr.io.
- Update README.md documentation.
- Update 3rd party licences.
- Fix notebook.spec description.
- Add 3 sample notebooks (v1, v1alpha1 and v1beta1).

Signed-off-by: Samuel Veloso <svelosol@redhat.com>
On Reconcile method, there are several places where the notebook object is changed. Currently, each point leads to a call to r.Status().Update(), which may end up pushing a half-finished object and the API will reject and break. This commit adds an update_notebook flag that marks if the notebook instance has been changed or not and moves the r.Status().Update() to the end of the Reconcile().
…ldashboard (kubeflow#6342) Bumps [undefsafe](https://github.com/remy/undefsafe) from 2.0.2 to 2.0.5. - [Release notes](https://github.com/remy/undefsafe/releases) - [Commits](remy/undefsafe@v2.0.2...v2.0.5) --- updated-dependencies: - dependency-name: undefsafe dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (cherry picked from commit 9af3297)
…dashboard (kubeflow#6432) Bumps [moment](https://github.com/moment/moment) from 2.24.0 to 2.29.2. - [Release notes](https://github.com/moment/moment/releases) - [Changelog](https://github.com/moment/moment/blob/develop/CHANGELOG.md) - [Commits](moment/moment@2.24.0...2.29.2) --- updated-dependencies: - dependency-name: moment dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (cherry picked from commit b7036b6)
…aldashboard (kubeflow#6377) Bumps [url-parse](https://github.com/unshiftio/url-parse) from 1.4.7 to 1.5.10. - [Release notes](https://github.com/unshiftio/url-parse/releases) - [Commits](unshiftio/url-parse@1.4.7...1.5.10) --- updated-dependencies: - dependency-name: url-parse dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (cherry picked from commit f823365)
…eflow#6284) Bumps [shelljs](https://github.com/shelljs/shelljs) from 0.8.3 to 0.8.5. - [Release notes](https://github.com/shelljs/shelljs/releases) - [Changelog](https://github.com/shelljs/shelljs/blob/master/CHANGELOG.md) - [Commits](shelljs/shelljs@v0.8.3...v0.8.5) --- updated-dependencies: - dependency-name: shelljs dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (cherry picked from commit 979b41c)
…s/centraldashboard (kubeflow#6440) Bumps [follow-redirects](https://github.com/follow-redirects/follow-redirects) from 1.9.0 to 1.14.9. - [Release notes](https://github.com/follow-redirects/follow-redirects/releases) - [Commits](follow-redirects/follow-redirects@v1.9.0...v1.14.9) --- updated-dependencies: - dependency-name: follow-redirects dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (cherry picked from commit ccfaf7f)
…ubeflow#6307) Bumps [node-fetch](https://github.com/node-fetch/node-fetch) from 2.6.0 to 2.6.7. - [Release notes](https://github.com/node-fetch/node-fetch/releases) - [Changelog](https://github.com/node-fetch/node-fetch/blob/main/docs/CHANGELOG.md) - [Commits](node-fetch/node-fetch@v2.6.0...v2.6.7) --- updated-dependencies: - dependency-name: node-fetch dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> (cherry picked from commit 0e291e0)
* Pin alpine repository version * Introduce a new LogoutButton component
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request.
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Relates to issue D2iQ-90506
To check:
can/should I update json-schema references in components/centraldashboard/third_party?
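
The dependency bumps in this pull request's commits only remove the vulnerable versions if every installed copy, including nested transitive ones, reaches the patched release. The following is an added example, not code from this pull request or from Kubeflow: a Node.js check that walks an npm lockfile and reports copies below the versions named in those commits. The function names and the sample lockfile are assumptions made for illustration.

```javascript
// Patched versions named in this pull request's dependency-bump commits.
const MIN_VERSIONS = new Map([
  ['undefsafe', '2.0.5'], ['moment', '2.29.2'], ['url-parse', '1.5.10'],
  ['shelljs', '0.8.5'], ['follow-redirects', '1.14.9'], ['node-fetch', '2.6.7'],
]);

// Numeric compare of the x.y.z core of two versions (pre-release tags ignored).
function compareVersions(a, b) {
  const pa = a.split('.').map((n) => parseInt(n, 10));
  const pb = b.split('.').map((n) => parseInt(n, 10));
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Yield every installed copy from an npm lockfile: v2/v3 "packages" map or v1 nested tree.
function* installedPackages(lock) {
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === '' || !entry.version) continue; // skip the root project and links
      const name = entry.name || path.slice(path.lastIndexOf('node_modules/') + 13);
      yield { name, version: entry.version, path };
    }
    return;
  }
  function* walk(deps, prefix) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      yield { name, version: entry.version, path };
      yield* walk(entry.dependencies, `${path}/`);
    }
  }
  yield* walk(lock.dependencies, '');
}

// Report tracked packages below the patched version; unparseable versions are reported too.
function findStale(lock, minimums = MIN_VERSIONS) {
  return [...installedPackages(lock)]
    .filter((p) => minimums.has(p.name))
    .map((p) => ({ ...p, required: minimums.get(p.name) }))
    .filter((p) => !/^\d+\.\d+\.\d+/.test(p.version) || compareVersions(p.version, p.required) < 0);
}

// Constructed sample lockfile (not the project's real package-lock.json).
const SAMPLE_LOCK = {
  packages: {
    '': { name: 'sample-app', version: '0.0.0' },
    'node_modules/moment': { version: '2.29.2' },
    'node_modules/nodemon/node_modules/undefsafe': { version: '2.0.2' },
    'node_modules/url-parse': { version: '1.4.7' },
  },
};
console.log(findStale(SAMPLE_LOCK));
```

To run it against a real tree, pass the parsed contents of the component's `package-lock.json` to `findStale` in place of `SAMPLE_LOCK`; an empty result means no tracked package is below its patched version.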