Update release manifests and openshift docs (#575)

* update release manifests and openshift docs

* update release manifests and openshift docs

* add optional kustomization.yaml
Tommy Li 2021-04-29 15:46:30 -07:00 committed by GitHub
parent 76e249d4d9
commit 8db274ada2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 139 additions and 142 deletions


@ -1,135 +0,0 @@
## Deploy Kubeflow Pipelines with Tekton backend on OpenShift Container Platform
- [Deploy Kubeflow Pipelines with Tekton backend on OpenShift Container Platform](#deploy-kubeflow-pipelines-with-tekton-backend-on-openshift-container-platform)
- [Prepare OpenShift cluster environment](#prepare-openshift-cluster-environment)
- [Deploy Kubeflow Pipelines with Tekton backend](#deploy-kubeflow-pipelines-with-tekton-backend)
- [1. Leverage OpenShift Pipelines (built on Tekton)](#1-leverage-openshift-pipelines)
- [2. Install Tekton as part of deployment](#2-install-tekton-as-part-of-deployment)
- [Set up routes to Kubeflow Pipelines and Tekton Pipelines dashboards](#set-up-routes-to-kubeflow-pipelines-and-tekton-pipelines-dashboards)
- [Update configmap when running with OpenShift Pipelines](#update-configmap-when-running-with-openshift-pipelines)
### Prepare OpenShift cluster environment
* Install Tekton Pipelines CLI
Follow this [link](https://github.com/tektoncd/cli) to install Tekton Pipelines CLI. 'X' is your version number. We recommend version v0.14 and above, and ideally Tekton v0.21
```shell
# Get the tar.gz
curl -LO https://github.com/tektoncd/cli/releases/download/vX/tkn_X_$(uname -sm|awk '{print $1"_"$2}').tar.gz
# Extract tkn to your PATH (e.g. /usr/local/bin)
sudo tar xvzf tkn_X_$(uname -sm|awk '{print $1"_"$2}').tar.gz -C /usr/local/bin tkn
```
* Check OpenShift Pipelines
Depending on how the OpenShift Container Platform is configured and installed, the [OpenShift Pipelines](https://docs.openshift.com/container-platform/4.4/pipelines/understanding-openshift-pipelines.html) may already exist on your cluster. Or your cluster may have [Tekton Pipelines](https://github.com/tektoncd/pipeline) installed previously for other use-cases.
To verfiy, run
```shell
tkn version
```
If the `Pipeline version` in the output is `unknown` or >=`v0.14.0`, then continue to next step.
Otherwise, the existing version won't work with the Kubeflow kfp-tekton project, which requires a minimum Tekton version of v0.14.0. Remove it from your cluster before proceeding further.
* Set up default StorageClass
A default storageclass is required to deploy Kubeflow. To check if your cluster has a default storageclass, run
```shell
oc get storageclass
NAME PROVISIONER AGE
rook-ceph-block-internal (default) rook-ceph.rbd.csi.ceph.com 27h
rook-ceph-cephfs-internal rook-ceph.cephfs.csi.ceph.com 27h
rook-ceph-delete-bucket-internal ceph.rook.io/bucket 27h
```
The default storageclass should have the **`(default)`** attached to its name. To make a storageclass the default storageclass for the cluster, run
```shell
kubectl patch storageclass rook-ceph-block-internal -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
```
Make sure there is only one default storageclass. To unset a storageclass as default, run
```shell
kubectl patch storageclass rook-ceph-block-internal -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'
```
Replace `rook-ceph-block-internal` with your desired storageclass.
* Download `kfctl`
Follow these steps to download the `kfctl` binary from the kfctl project's release [page](https://github.com/kubeflow/kfctl/releases/tag/v1.1.0).
```shell
wget https://github.com/kubeflow/kfctl/releases/download/v1.1.0/kfctl_v1.1.0-0-g9a3621e_$(uname | tr '[:upper:]' '[:lower:]').tar.gz
tar zxvf kfctl_v1.1.0-0-g9a3621e_$(uname | tr '[:upper:]' '[:lower:]').tar.gz
chmod +x kfctl
mv kfctl /usr/local/bin
```
### Deploy Kubeflow Pipelines with Tekton backend
As explained in the [Prepare OpenShift cluster environment](#prepare-openshift-cluster-environment) section, your cluster may have pre-installed OpenShift Pipelines product. Kubeflow Pipelines can leverage the OpenShift Pipelines as the Tekton backend. Otherwise, you can choose to install the Tekton Pipelines as part of the Kubeflow Pipelines deployment. Choose one of the approaches feasible to your cluster.
#### 1. Leverage OpenShift Pipelines
Choose [kfctl_openshift_pipelines.v1.1.0.yaml](https://raw.githubusercontent.com/IBM/KubeflowDojo/master/OpenShift/manifests/kfctl_openshift_pipelines.v1.1.0.yaml) to deploy the minimal required components for single-user Kubeflow with Tekton backend. Run
```shell
export KFDEF_DIR=<path_to_kfdef>
mkdir -p ${KFDEF_DIR}
cd ${KFDEF_DIR}
export CONFIG_URI=https://raw.githubusercontent.com/IBM/KubeflowDojo/master/OpenShift/manifests/kfctl_openshift_pipelines.v1.1.0.yaml
kfctl apply -V -f ${CONFIG_URI}
```
#### 2. Install Tekton as part of deployment
Choose [kfctl_tekton_openshift_minimal.v1.1.0.yaml](https://raw.githubusercontent.com/IBM/KubeflowDojo/master/OpenShift/manifests/kfctl_tekton_openshift_minimal.v1.1.0.yaml) to deploy the minimal required components for single-user Kubeflow with Tekton backend. Run
```shell
export KFDEF_DIR=<path_to_kfdef>
mkdir -p ${KFDEF_DIR}
cd ${KFDEF_DIR}
export CONFIG_URI=https://raw.githubusercontent.com/IBM/KubeflowDojo/master/OpenShift/manifests/kfctl_tekton_openshift_minimal.v1.1.0.yaml
kfctl apply -V -f ${CONFIG_URI}
```
### Set up routes to Kubeflow Pipelines and Tekton Pipelines dashboards
Run with following command to expose the dashboards.
```shell
oc expose svc ml-pipeline-ui -n kubeflow
kfp_ui="http://"$(oc get routes -n kubeflow|grep pipeline-ui|awk '{print $2}')
oc expose svc tekton-dashboard -n tekton-pipelines
tekton_ui="http://"$(oc get routes -n tekton-pipelines|grep dashboard|awk '{print $2}')
```
`$kfp_ui` is the url for the Kubeflow Pipelines UI and `$tekton_ui` is the url for the Tekton Dashboard.
### Update configmap when running with OpenShift Pipelines
If you choose to deploy Kubeflow Pipelines with Tekton backend using OpenShift Pipelines product, supported via this KfDef Configuration [kfctl_openshift_pipelines.v1.1.0.yaml](https://raw.githubusercontent.com/IBM/KubeflowDojo/master/OpenShift/manifests/kfctl_openshift_pipelines.v1.1.0.yaml), you need to update the following configmap to support the use cases where users use `$HOME` variable in their containers when running pipelines.
```shell
TEKTON_PIPELINES_NAMESPACE=openshift-pipelines
cat <<EOF |oc apply -f - -n $TEKTON_PIPELINES_NAMESPACE
apiVersion: v1
kind: ConfigMap
metadata:
name: feature-flags
data:
disable-affinity-assistant: "false"
disable-home-env-overwrite: "true"
disable-working-directory-overwrite: "true"
running-in-environment-with-injected-sidecars: "true"
EOF
oc rollout restart deployment/tekton-pipelines-controller -n $TEKTON_PIPELINES_NAMESPACE
```
Note: change **`TEKTON_PIPELINES_NAMESPACE`** to the namespace where Tekton pipelines is installed on your cluster.
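Review bot: the `feature-flags` ConfigMap guidance for the OpenShift Pipelines namespace (`disable-home-env-overwrite: "true"`, `disable-working-directory-overwrite: "true"`, followed by `oc rollout restart deployment/tekton-pipelines-controller`) disappears with this file and is not re-added anywhere in the commit, nor is the `tkn version` compatibility check. If the README's step 2 ("Enable custom task controller and other feature flags for kfp-tekton") only targets the `tekton-pipelines` namespace, users who pick the OpenShift Pipelines approach lose the `$HOME` handling this section documented; either carry that block into the README's OpenShift section or say in the commit message where it moved.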


@ -17,14 +17,16 @@ A Kubernetes cluster `v1.18` that has least 8 vCPU and 16 GB memory.
### IBM Cloud Kubernetes Service (IKS)
1. [Create an IBM Cloud cluster](https://www.kubeflow.org/docs/ibm/create-cluster/) or if you have an existing cluster, please follow the [initial setup for an existing cluster](https://master.kubeflow.org/docs/distributions/ibm/create-cluster/#connecting-to-an-existing-cluster)
2. **Important**: Configure the IKS cluster with [IBM Cloud Block Storage Setup](https://www.kubeflow.org/docs/ibm/deploy/install-kubeflow-on-iks/#ibm-cloud-block-storage-setup)
2. **Important**: Configure the IKS cluster with [IBM Cloud Group ID Storage Setup](https://www.kubeflow.org/docs/distributions/ibm/deploy/install-kubeflow-on-iks/#storage-setup-for-a-classic-ibm-cloud-kubernetes-cluster)
### OpenShift
Follow the instructions at [Deploy Kubeflow Pipelines with Tekton backend on OpenShift Container Platform](./kfp-tekton-openshift.md). Depending on your situation, you can choose between the two approaches:
1. Leverage OpenShift Pipelines (built on Tekton)
Depending on your situation, you can choose between the two approaches to set up the pipeline engine on Openshift:
1. Leverage [OpenShift Pipelines](https://docs.openshift.com/container-platform/4.7/cicd/pipelines/installing-pipelines.html) (built on Tekton)
2. Install Tekton as part of deployment
Once you decided your approach, follow the [Standalone Kubeflow Pipelines with Tekton Backend Deployment](#standalone-kubeflow-pipelines-with-tekton-backend-deployment) to install the Kubeflow Pipeline Stack.
### Other Cloud Providers or On-Prem Kubernetes Deployment
Visit [Kubeflow Installation](https://www.kubeflow.org/docs/started/) for setting up the preferred environment to deploy Kubeflow.
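Review bot: the line "Follow the instructions at [Deploy Kubeflow Pipelines with Tekton backend on OpenShift Container Platform](./kfp-tekton-openshift.md)" links to the file this commit deletes; if that line is kept as context rather than removed, it is a dead link and should point at the standalone deployment section instead. Minor: "Once you decided your approach" should read "Once you have decided on your approach", and "Openshift" should be "OpenShift" to match the heading.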
@ -33,7 +35,7 @@ A Kubernetes cluster `v1.18` that has least 8 vCPU and 16 GB memory.
To install the standalone Kubeflow Pipelines with Tekton, run the following steps:
1. Install [Tekton v0.21.0](https://github.com/tektoncd/pipeline/releases/tag/v0.21.0)
1. Install [Tekton v0.21.0](https://github.com/tektoncd/pipeline/blob/v0.21.0/docs/install.md#installing-tekton-pipelines-on-kubernetes) if you don't have Tekton pipelines or OpenShift Pipelines on the cluster. Please be aware that Tekton custom task, loop, and recursion will not work if Tekton/Openshift pipelines version is not v0.21.0+.
2. Enable custom task controller and other feature flags for kfp-tekton
```shell
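Review bot: the rewritten step 1 tells the reader to install Tekton v0.21.0 only "if you don't have Tekton pipelines or OpenShift Pipelines on the cluster", then warns that custom task, loop and recursion need v0.21.0+; the case of an existing older Tekton or OpenShift Pipelines is left to the reader to reconcile. State what to do in that case (upgrade, or check the installed version with `tkn version` before continuing) so the two conditions are not contradictory.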
@ -62,6 +64,11 @@ To install the standalone Kubeflow Pipelines with Tekton, run the following step
kubectl get svc ml-pipeline-ui -n kubeflow -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
```
6. (OpenShift only) If you are running the standalone KFP-Tekton on OpenShift, apply the necessary security context constraint below
```shell
oc apply -f manifests/kustomize/third-party/openshift/standalone
```
## Kubeflow installation including Kubeflow Pipelines with Tekton Backend
**Important: Please complete the [prerequisites](#installation-targets-and-prerequisites) before proceeding with the following instructions.**
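Review bot: `oc apply -f manifests/kustomize/third-party/openshift/standalone` on a directory applies every YAML file in it, including the new `kustomization.yaml`, which is not an API resource and is rejected (no matching kind `Kustomization`); use `oc apply -k manifests/kustomize/third-party/openshift/standalone` (the kustomization already lists both SCC files) or pass the two SCC files to `-f` explicitly. The step should also say that this grants the privileged SCC (privileged containers, `hostPath` volumes) to every listed service account, not only anyuid, so a reader can decide whether the second file is needed.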


@ -1296,15 +1296,21 @@ data:
artifact_script: |-
#!/usr/bin/env sh
push_artifact() {
tar -cvzf $1.tgz $2
mc cp $1.tgz storage/$ARTIFACT_BUCKET/artifacts/$PIPELINERUN/$PIPELINETASK/$1.tgz
if [ -f "$2" ]; then
tar -cvzf $1.tgz $2
mc cp $1.tgz storage/$ARTIFACT_BUCKET/artifacts/$PIPELINERUN/$PIPELINETASK/$1.tgz
else
echo "$2 file does not exist. Skip artifact tracking for $1"
fi
}
push_log() {
cat /var/log/containers/$PODNAME*$NAMESPACE*step-main*.log > step-main.log
push_artifact main-log step-main.log
}
strip_eof() {
awk 'NF' $2 | head -c -1 > $1_temp_save && cp $1_temp_save $2
if [ -f "$2" ]; then
awk 'NF' $2 | head -c -1 > $1_temp_save && cp $1_temp_save $2
fi
}
mc config host add storage ${ARTIFACT_ENDPOINT_SCHEME}${ARTIFACT_ENDPOINT} $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY
inject_default_script: "true"
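Review bot: the new guard quotes `"$2"`, but the bodies still expand `$1` and `$2` unquoted in `tar -cvzf $1.tgz $2`, `awk 'NF' $2` and `cp $1_temp_save $2`, so a path with spaces or glob characters that passes the `-f` test is still word-split or expanded by the shell; quote both in every use. Separately, `[ -f "$2" ]` is false for a directory, so an output that is a directory (which the previous unconditional `tar -cvzf $1.tgz $2` handled) is now silently skipped with a "file does not exist" message; if directories are meant to stay supported, use `-e` instead of `-f` in `push_artifact`.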


@ -0,0 +1,56 @@
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
annotations:
kubernetes.io/description: kubeflow-anyuid provides all features of the restricted SCC
but allows users to run with any UID and any GID.
name: kubeflow-anyuid-kfp-tekton
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: true
allowedCapabilities: null
defaultAddCapabilities: null
fsGroup:
type: RunAsAny
groups:
- system:cluster-admins
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
- MKNOD
runAsUser:
type: RunAsAny
seLinuxContext:
type: MustRunAs
supplementalGroups:
type: RunAsAny
users:
#Metadata DB accesses files owned by root
- system:serviceaccount:kubeflow:metadatadb
#Minio accesses files owned by root
- system:serviceaccount:kubeflow:minio
#Katib injects container into pods which does not run as non-root user, trying to find Dockerfile for that image and fix it
#- system:serviceaccount:kubeflow:default
- system:serviceaccount:kubeflow:default
- system:serviceaccount:kubeflow:kubeflow-pipelines-cache
- system:serviceaccount:kubeflow:kubeflow-pipelines-cache-deployer-sa
- system:serviceaccount:kubeflow:metadata-grpc-server
- system:serviceaccount:kubeflow:kubeflow-pipelines-metadata-writer
- system:serviceaccount:kubeflow:ml-pipeline
- system:serviceaccount:kubeflow:ml-pipeline-persistenceagent
- system:serviceaccount:kubeflow:ml-pipeline-scheduledworkflow
- system:serviceaccount:kubeflow:ml-pipeline-ui
- system:serviceaccount:kubeflow:ml-pipeline-viewer-crd-service-account
- system:serviceaccount:kubeflow:ml-pipeline-visualizationserver
- system:serviceaccount:kubeflow:mysql
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
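Review bot: `allowPrivilegedContainer: true` contradicts the description annotation ("all features of the restricted SCC but allows users to run with any UID and any GID") and goes beyond what an anyuid SCC should grant; with `priority: 10` this SCC is preferred over `restricted` for every listed service account, including `system:serviceaccount:kubeflow:default`, so any pod in the `kubeflow` namespace running under the default SA can request a privileged container. Set `allowPrivilegedContainer: false` here and keep privileged-only settings in the privileged SCC. Also resolve the stale Katib comment: `kubeflow:default` appears both commented out and active, which makes the intent unclear.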


@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- anyuid-scc.yaml
- privileged-scc.yaml
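Review bot: listing `privileged-scc.yaml` next to `anyuid-scc.yaml` means `oc apply -k` on this directory always grants the hostPath/privileged SCC as well, although the commit message calls the kustomization optional; put the privileged SCC in its own directory or overlay so the default path grants only anyuid and the broader grant is an explicit choice.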


@ -0,0 +1,57 @@
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
annotations:
kubernetes.io/description: kubeflow-anyuid provides all features of the restricted SCC
but allows users to run with any UID and any GID.
name: kubeflow-privileged-kfp-tekton
allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: true
allowedCapabilities: null
defaultAddCapabilities: null
fsGroup:
type: RunAsAny
groups:
- system:cluster-admins
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
- MKNOD
runAsUser:
type: RunAsAny
seLinuxContext:
type: MustRunAs
supplementalGroups:
type: RunAsAny
users:
#Metadata DB accesses files owned by root
- system:serviceaccount:kubeflow:metadatadb
#Minio accesses files owned by root
- system:serviceaccount:kubeflow:minio
#Katib injects container into pods which does not run as non-root user, trying to find Dockerfile for that image and fix it
#- system:serviceaccount:kubeflow:default
- system:serviceaccount:kubeflow:default
- system:serviceaccount:kubeflow:kubeflow-pipelines-cache
- system:serviceaccount:kubeflow:kubeflow-pipelines-cache-deployer-sa
- system:serviceaccount:kubeflow:metadata-grpc-server
- system:serviceaccount:kubeflow:kubeflow-pipelines-metadata-writer
- system:serviceaccount:kubeflow:ml-pipeline
- system:serviceaccount:kubeflow:ml-pipeline-persistenceagent
- system:serviceaccount:kubeflow:ml-pipeline-scheduledworkflow
- system:serviceaccount:kubeflow:ml-pipeline-ui
- system:serviceaccount:kubeflow:ml-pipeline-viewer-crd-service-account
- system:serviceaccount:kubeflow:ml-pipeline-visualizationserver
- system:serviceaccount:kubeflow:mysql
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
- hostPath
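Review bot: the `kubernetes.io/description` annotation is copied from the anyuid SCC ("kubeflow-anyuid provides all features of the restricted SCC but allows users to run with any UID and any GID") and misdescribes an SCC that sets `allowHostDirVolumePlugin: true`, adds `hostPath` to `volumes` and allows privileged containers; rewrite it to state what this SCC actually grants. The `users` list is also identical to the anyuid one, so all fourteen service accounts (including `system:serviceaccount:kubeflow:default`) receive hostPath and privileged access; a comment naming the workload that needs hostPath, and trimming the list to it, would make the grant reviewable.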