kubeflow
/
notebooks
mirror of https://github.com/kubeflow/notebooks.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

feat(ws): add manifests for backend (#455) 

* feat(ws): Define k8s workload manifest for backend component #324

Signed-off-by: Liav Weiss (EXT-Nokia) <liav.weiss.ext@nokia.com>

* feat(ws): Define k8s workload manifest for backend component #324

Signed-off-by: Liav Weiss (EXT-Nokia) <liav.weiss.ext@nokia.com>

* feat(ws): add Istio AuthorizationPolicy for nb-backend #324

Signed-off-by: Liav Weiss (EXT-Nokia) <liav.weiss.ext@nokia.com>

* feat(ws): Define k8s workload manifest for backend component + istio - kubeflow#324

Signed-off-by: Liav Weiss (EXT-Nokia) <liav.weiss.ext@nokia.com>

---------

Signed-off-by: Liav Weiss (EXT-Nokia) <liav.weiss.ext@nokia.com>
Co-authored-by: Liav Weiss (EXT-Nokia) <liav.weiss.ext@nokia.com>
This commit is contained in:
Liav Weiss 2025-08-21 20:09:06 +03:00 committed by Bhakti Narvekar
parent 1950ea37b5
commit 877e6de894
13 changed files with 330 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
workspaces/backend/Makefile
View File

@ -1,5 +1,5 @@
# Image URL to use all building/pushing image targets
IMG ?= nbv2-backend:latest
IMG ?= nb-backend:latest
# ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
ENVTEST_K8S_VERSION = 1.31.0
@ -124,11 +124,13 @@ $(LOCALBIN):
## Tool Binaries
KUBECTL ?= kubectl
KUSTOMIZE := $(LOCALBIN)/kustomize
ENVTEST ?= $(LOCALBIN)/setup-envtest
GOLANGCI_LINT = $(LOCALBIN)/golangci-lint
SWAGGER = $(LOCALBIN)/swag
## Tool Versions
KUSTOMIZE_VERSION ?= v5.5.0
ENVTEST_VERSION ?= release-0.19
GOLANGCI_LINT_VERSION ?= v1.61.0
SWAGGER_VERSION ?= v1.16.6
@ -148,6 +150,26 @@ golangci-lint: $(GOLANGCI_LINT) ## Download golangci-lint locally if necessary.
$(GOLANGCI_LINT): $(LOCALBIN)
$(call go-install-tool,$(GOLANGCI_LINT),github.com/golangci/golangci-lint/cmd/golangci-lint,$(GOLANGCI_LINT_VERSION))
##@ deployment
.PHONY: deploy
deploy: kustomize ## Deploy backend to the K8s cluster specified in ~/.kube/config.
cd manifests/kustomize/overlays/istio && $(KUSTOMIZE) edit set image workspaces-backend=${IMG}
$(KUBECTL) apply -k manifests/kustomize/overlays/istio
.PHONY: undeploy
undeploy: kustomize ## Undeploy backend from the K8s cluster specified in ~/.kube/config.
$(KUBECTL) delete -k manifests/kustomize/overlays/istio --ignore-not-found=true
##@ Dependencies
.PHONY: kustomize
kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary.
$(KUSTOMIZE): $(LOCALBIN)
$(call go-install-tool,$(KUSTOMIZE),sigs.k8s.io/kustomize/kustomize/v5,$(KUSTOMIZE_VERSION))
# go-install-tool will 'go install' any package with custom target and name of binary, if it doesn't exist
# $1 - target path with name of binary
# $2 - package url which can be installed

63
workspaces/backend/manifests/kustomize/base/deployment.yaml Normal file
View File

@ -0,0 +1,63 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: workspaces-backend
spec:
replicas: 1
selector:
matchLabels: {}
strategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 0
maxSurge: 1
template:
metadata:
labels: {}
spec:
serviceAccountName: workspaces-backend
securityContext:
runAsNonRoot: true
terminationGracePeriodSeconds: 30
containers:
- name: workspaces-backend
image: workspaces-backend
imagePullPolicy: IfNotPresent
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
ports:
- name: http-api
containerPort: 4000
env:
- name: PORT
value: "4000"
resources:
limits:
cpu: 1
memory: 1Gi
requests:
cpu: 100m
memory: 512Mi
livenessProbe:
httpGet:
path: /api/v1/healthcheck
port: http-api
scheme: HTTP
initialDelaySeconds: 30
periodSeconds: 20
timeoutSeconds: 5
failureThreshold: 3
successThreshold: 1
readinessProbe:
httpGet:
path: /api/v1/healthcheck
port: http-api
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 3
successThreshold: 1

16
workspaces/backend/manifests/kustomize/base/kustomization.yaml Normal file
View File

@ -0,0 +1,16 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kubeflow-workspaces
resources:
- namespace.yaml
- service_account.yaml
- rbac.yaml
- service.yaml
- deployment.yaml
labels:
- includeSelectors: true
pairs:
app.kubernetes.io/component: api

4
workspaces/backend/manifests/kustomize/base/namespace.yaml Normal file
View File

@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: kubeflow-workspaces

39
workspaces/backend/manifests/kustomize/base/rbac.yaml Normal file
View File

@ -0,0 +1,39 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: workspaces-backend
rules:
- apiGroups:
- kubeflow.org
resources:
- workspaces
- workspacekinds
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: workspaces-backend
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: workspaces-backend
subjects:
- kind: ServiceAccount
name: workspaces-backend
namespace: kubeflow-workspaces

11
workspaces/backend/manifests/kustomize/base/service.yaml Normal file
View File

@ -0,0 +1,11 @@
apiVersion: v1
kind: Service
metadata:
name: workspaces-backend
spec:
selector: {}
ports:
- name: http-api
port: 4000
targetPort: http-api
type: ClusterIP

4
workspaces/backend/manifests/kustomize/base/service_account.yaml Normal file
View File

@ -0,0 +1,4 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: workspaces-backend

9
workspaces/backend/manifests/kustomize/components/common/kustomization.yaml Normal file
View File

@ -0,0 +1,9 @@
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component
labels:
- includeSelectors: true
pairs:
app.kubernetes.io/managed-by: kustomize
app.kubernetes.io/name: workspaces-backend
app.kubernetes.io/part-of: kubeflow-workspaces

17
workspaces/backend/manifests/kustomize/components/istio/authorization-policy.yaml Normal file
View File

@ -0,0 +1,17 @@
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: workspaces-backend
spec:
action: ALLOW
selector:
matchLabels:
app.kubernetes.io/component: api
app.kubernetes.io/managed-by: kustomize
app.kubernetes.io/name: workspaces-backend
app.kubernetes.io/part-of: kubeflow-workspaces
rules:
- from:
- source:
principals:
- cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account

9
workspaces/backend/manifests/kustomize/components/istio/destination-rule.yaml Normal file
View File

@ -0,0 +1,9 @@
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: workspaces-backend
spec:
host: workspaces-backend.kubeflow-workspaces.svc.cluster.local
trafficPolicy:
tls:
mode: ISTIO_MUTUAL

11
workspaces/backend/manifests/kustomize/components/istio/kustomization.yaml Normal file
View File

@ -0,0 +1,11 @@
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component
resources:
- destination-rule.yaml
- virtual-service.yaml
- authorization-policy.yaml
labels:
- pairs:
app.kubernetes.io/component: api

20
workspaces/backend/manifests/kustomize/components/istio/virtual-service.yaml Normal file
View File

@ -0,0 +1,20 @@
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: workspaces-backend
spec:
gateways:
- kubeflow/kubeflow-gateway
hosts:
- '*'
http:
- match:
- uri:
prefix: /workspaces/api/
rewrite:
uri: /api/
route:
- destination:
host: workspaces-backend.kubeflow-workspaces.svc.cluster.local
port:
number: 4000

104
workspaces/backend/manifests/kustomize/overlays/istio/kustomization.yaml Normal file
View File

@ -0,0 +1,104 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kubeflow-workspaces
resources:
- ../../base
components:
- ../../components/istio
- ../../components/common
patches:
- patch: |-
- op: remove
path: /metadata/labels/app.kubernetes.io~1component
- op: remove
path: /metadata/labels/app.kubernetes.io~1name
- op: add
path: /metadata/labels/istio-injection
value: enabled
target:
kind: Namespace
name: kubeflow-workspaces
replacements:
- source:
fieldPath: metadata.namespace
kind: ServiceAccount
name: workspaces-backend
targets:
- fieldPaths:
- metadata.name
select:
kind: Namespace
name: kubeflow-workspaces
- fieldPaths:
- subjects.[kind=ServiceAccount].namespace
select:
kind: ClusterRoleBinding
name: workspaces-backend
- source:
fieldPath: metadata.name
kind: Service
name: workspaces-backend
version: v1
targets:
- fieldPaths:
- spec.http.0.route.0.destination.host
options:
delimiter: .
select:
group: networking.istio.io
kind: VirtualService
name: workspaces-backend
version: v1beta1
- fieldPaths:
- spec.host
options:
delimiter: .
select:
group: networking.istio.io
kind: DestinationRule
name: workspaces-backend
version: v1beta1
- source:
fieldPath: metadata.namespace
kind: Service
name: workspaces-backend
version: v1
targets:
- fieldPaths:
- spec.http.0.route.0.destination.host
options:
delimiter: .
index: 1
select:
group: networking.istio.io
kind: VirtualService
name: workspaces-backend
version: v1beta1
- fieldPaths:
- spec.host
options:
delimiter: .
index: 1
select:
group: networking.istio.io
kind: DestinationRule
name: workspaces-backend
version: v1beta1
- source:
fieldPath: spec.ports.[name=http-api].port
kind: Service
name: workspaces-backend
version: v1
targets:
- fieldPaths:
- spec.http.0.route.0.destination.port.number
select:
group: networking.istio.io
kind: VirtualService
name: workspaces-backend
version: v1beta1