From a46294f06743d286e32e1063a56f891cce3bafe3 Mon Sep 17 00:00:00 2001 From: Xinmin Du <10803082+doris-xm@user.noreply.gitee.com> Date: Thu, 9 Jan 2025 22:34:16 +0800 Subject: [PATCH 1/5] Add the manifests overlay for Kubeflow Training V2 Signed-off-by: Xinmin Du <10803082+doris-xm@user.noreply.gitee.com> Signed-off-by: Xinmin Du <2812493086@qq.com> --- .../kubeflow/kubeflow-training-roles.yaml | 91 +++++++++++++++++++ .../v2/overlays/kubeflow/kustomization.yaml | 15 +++ 2 files changed, 106 insertions(+) create mode 100644 manifests/v2/overlays/kubeflow/kubeflow-training-roles.yaml create mode 100644 manifests/v2/overlays/kubeflow/kustomization.yaml diff --git a/manifests/v2/overlays/kubeflow/kubeflow-training-roles.yaml b/manifests/v2/overlays/kubeflow/kubeflow-training-roles.yaml new file mode 100644 index 0000000000..6b38240eb5 --- /dev/null +++ b/manifests/v2/overlays/kubeflow/kubeflow-training-roles.yaml @@ -0,0 +1,91 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-training-admin-v2 + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-training-admin: "true" +rules: [] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-training-edit-v2 + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-training-admin: "true" +rules: + - apiGroups: + - kubeflow.org + resources: + - trainjobs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - kubeflow.org + resources: + - clustertrainingruntimes + - trainingruntimes + verbs: + - get + - list + - watch + - apiGroups: + - kubeflow.org + resources: + - trainjobs/status + verbs: + - get + - apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - create + - delete + - get + - list + - watch + - apiGroups: + - "" + resources: + - events + verbs: + - get + - list + - watch + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-training-view-v2 + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" +rules: + - apiGroups: + - kubeflow.org + resources: + - clustertrainingruntimes + - trainingruntimes + - trainjobs + verbs: + - get + - list + - watch + - apiGroups: + - kubeflow.org + resources: + - trainjobs/status + verbs: + - get \ No newline at end of file diff --git a/manifests/v2/overlays/kubeflow/kustomization.yaml b/manifests/v2/overlays/kubeflow/kustomization.yaml new file mode 100644 index 0000000000..5994be9475 --- /dev/null +++ b/manifests/v2/overlays/kubeflow/kustomization.yaml @@ -0,0 +1,15 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kubeflow +resources: + - ../../base + - kubeflow-training-roles.yaml + - https://github.com/kubernetes-sigs/jobset/releases/download/v0.6.0/manifests.yaml +images: + - name: kubeflow/training-operator-v2 + newTag: latest +secretGenerator: + - name: training-operator-v2-webhook-cert + namespace: kubeflow-system + options: + disableNameSuffixHash: true \ No newline at end of file From 963bfbcfe4313174d3afb2578e51599158f462e7 Mon Sep 17 00:00:00 2001 From: Xinmin Du <10803082+doris-xm@user.noreply.gitee.com> Date: Fri, 10 Jan 2025 18:11:07 +0800 Subject: [PATCH 2/5] Update manifest: adjust permissions, and format changes Signed-off-by: Xinmin Du <10803082+doris-xm@user.noreply.gitee.com> Signed-off-by: Xinmin Du <2812493086@qq.com> --- .../kubeflow/kubeflow-training-roles.yaml | 31 +++++-------------- .../v2/overlays/kubeflow/kustomization.yaml | 9 ++++-- 2 files changed, 15 insertions(+), 25 deletions(-) diff --git a/manifests/v2/overlays/kubeflow/kubeflow-training-roles.yaml b/manifests/v2/overlays/kubeflow/kubeflow-training-roles.yaml index 6b38240eb5..7661a270b8 100644 --- a/manifests/v2/overlays/kubeflow/kubeflow-training-roles.yaml +++ b/manifests/v2/overlays/kubeflow/kubeflow-training-roles.yaml @@ -3,11 +3,11 @@ kind: ClusterRole metadata: name: kubeflow-training-admin-v2 labels: - rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin-v2: "true" aggregationRule: clusterRoleSelectors: - matchLabels: - rbac.authorization.kubeflow.org/aggregate-to-kubeflow-training-admin: "true" + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-training-admin-v2: "true" rules: [] --- @@ -16,12 +16,14 @@ kind: ClusterRole metadata: name: kubeflow-training-edit-v2 labels: - rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" - rbac.authorization.kubeflow.org/aggregate-to-kubeflow-training-admin: "true" + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit-v2: "true" + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-training-admin-v2: "true" rules: - apiGroups: - kubeflow.org resources: + - clustertrainingruntimes + - trainingruntimes - trainjobs verbs: - create @@ -31,15 +33,6 @@ rules: - patch - update - watch - - apiGroups: - - kubeflow.org - resources: - - clustertrainingruntimes - - trainingruntimes - verbs: - - get - - list - - watch - apiGroups: - kubeflow.org resources: @@ -56,14 +49,6 @@ rules: - get - list - watch - - apiGroups: - - "" - resources: - - events - verbs: - - get - - list - - watch --- apiVersion: rbac.authorization.k8s.io/v1 @@ -71,7 +56,7 @@ kind: ClusterRole metadata: name: kubeflow-training-view-v2 labels: - rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view-v2: "true" rules: - apiGroups: - kubeflow.org @@ -88,4 +73,4 @@ rules: resources: - trainjobs/status verbs: - - get \ No newline at end of file + - get diff --git a/manifests/v2/overlays/kubeflow/kustomization.yaml b/manifests/v2/overlays/kubeflow/kustomization.yaml index 5994be9475..aef14931b4 100644 --- a/manifests/v2/overlays/kubeflow/kustomization.yaml +++ b/manifests/v2/overlays/kubeflow/kustomization.yaml @@ -2,8 +2,13 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: kubeflow resources: - - ../../base + - ../../base/crds + - ../../base/manager + - ../../base/rbac + - ../../base/webhook + - ../../base/runtimes/pre-training - kubeflow-training-roles.yaml + # TODO (andreyvelich): JobSet should support kubeflow-system namespace. - https://github.com/kubernetes-sigs/jobset/releases/download/v0.6.0/manifests.yaml images: - name: kubeflow/training-operator-v2 @@ -12,4 +17,4 @@ secretGenerator: - name: training-operator-v2-webhook-cert namespace: kubeflow-system options: - disableNameSuffixHash: true \ No newline at end of file + disableNameSuffixHash: true From 1100986ba65466a4d6dbaa6c04d800c9104ff4c9 Mon Sep 17 00:00:00 2001 From: Xinmin Du <10803082+doris-xm@user.noreply.gitee.com> Date: Sun, 12 Jan 2025 13:55:10 +0800 Subject: [PATCH 3/5] Update manifest: rename overlay, adjust event permissions Signed-off-by: Xinmin Du <10803082+doris-xm@user.noreply.gitee.com> Signed-off-by: Xinmin Du <2812493086@qq.com> --- .../kubeflow-training-roles.yaml | 8 ++++++++ .../{kubeflow => kubeflow-platform}/kustomization.yaml | 0 2 files changed, 8 insertions(+) rename manifests/v2/overlays/{kubeflow => kubeflow-platform}/kubeflow-training-roles.yaml (93%) rename manifests/v2/overlays/{kubeflow => kubeflow-platform}/kustomization.yaml (100%) diff --git a/manifests/v2/overlays/kubeflow/kubeflow-training-roles.yaml b/manifests/v2/overlays/kubeflow-platform/kubeflow-training-roles.yaml similarity index 93% rename from manifests/v2/overlays/kubeflow/kubeflow-training-roles.yaml rename to manifests/v2/overlays/kubeflow-platform/kubeflow-training-roles.yaml index 7661a270b8..fb91684aad 100644 --- a/manifests/v2/overlays/kubeflow/kubeflow-training-roles.yaml +++ b/manifests/v2/overlays/kubeflow-platform/kubeflow-training-roles.yaml @@ -49,6 +49,14 @@ rules: - get - list - watch + - apiGroups: + - "" + resources: + - events + verbs: + - get + - list + - watch --- apiVersion: rbac.authorization.k8s.io/v1 diff --git a/manifests/v2/overlays/kubeflow/kustomization.yaml b/manifests/v2/overlays/kubeflow-platform/kustomization.yaml similarity index 100% rename from manifests/v2/overlays/kubeflow/kustomization.yaml rename to manifests/v2/overlays/kubeflow-platform/kustomization.yaml From a038ef26841ca458ea10f02ac6f86286295da8a1 Mon Sep 17 00:00:00 2001 From: Xinmin Du <10803082+doris-xm@user.noreply.gitee.com> Date: Mon, 13 Jan 2025 14:30:00 +0800 Subject: [PATCH 4/5] Update manifest: make namespace configurable Signed-off-by: Xinmin Du <10803082+doris-xm@user.noreply.gitee.com> Signed-off-by: Xinmin Du <2812493086@qq.com> --- manifests/v2/base/manager/kustomization.yaml | 2 -- manifests/v2/base/rbac/kustomization.yaml | 2 -- manifests/v2/base/webhook/kustomization.yaml | 2 -- manifests/v2/overlays/kubeflow-platform/kustomization.yaml | 4 ++-- 4 files changed, 2 insertions(+), 8 deletions(-) diff --git a/manifests/v2/base/manager/kustomization.yaml b/manifests/v2/base/manager/kustomization.yaml index a62e9473d9..7394a6d059 100644 --- a/manifests/v2/base/manager/kustomization.yaml +++ b/manifests/v2/base/manager/kustomization.yaml @@ -1,4 +1,2 @@ resources: - manager.yaml -# TODO (andreyvelich): Move it to overlays once we copy the JobSet manifests. -namespace: kubeflow-system diff --git a/manifests/v2/base/rbac/kustomization.yaml b/manifests/v2/base/rbac/kustomization.yaml index e9fca6afba..25a37bf74f 100644 --- a/manifests/v2/base/rbac/kustomization.yaml +++ b/manifests/v2/base/rbac/kustomization.yaml @@ -2,5 +2,3 @@ resources: - role.yaml - role_binding.yaml - service_account.yaml -# TODO (andreyvelich): Move it to overlays once we copy the JobSet manifests. -namespace: kubeflow-system diff --git a/manifests/v2/base/webhook/kustomization.yaml b/manifests/v2/base/webhook/kustomization.yaml index 1ea670ceef..5723808d02 100644 --- a/manifests/v2/base/webhook/kustomization.yaml +++ b/manifests/v2/base/webhook/kustomization.yaml @@ -10,5 +10,3 @@ patches: kind: ValidatingWebhookConfiguration configurations: - kustomizeconfig.yaml -# TODO (andreyvelich): Move it to overlays once we copy the JobSet manifests. -namespace: kubeflow-system diff --git a/manifests/v2/overlays/kubeflow-platform/kustomization.yaml b/manifests/v2/overlays/kubeflow-platform/kustomization.yaml index aef14931b4..d842ed93d8 100644 --- a/manifests/v2/overlays/kubeflow-platform/kustomization.yaml +++ b/manifests/v2/overlays/kubeflow-platform/kustomization.yaml @@ -8,13 +8,13 @@ resources: - ../../base/webhook - ../../base/runtimes/pre-training - kubeflow-training-roles.yaml - # TODO (andreyvelich): JobSet should support kubeflow-system namespace. + # TODO (andreyvelich): JobSet should support kubeflow namespace. - https://github.com/kubernetes-sigs/jobset/releases/download/v0.6.0/manifests.yaml images: - name: kubeflow/training-operator-v2 newTag: latest secretGenerator: - name: training-operator-v2-webhook-cert - namespace: kubeflow-system + namespace: kubeflow options: disableNameSuffixHash: true From 1f1b0c2ba08e9d38782c17df982f932896c4514b Mon Sep 17 00:00:00 2001 From: Xinmin Du <10803082+doris-xm@user.noreply.gitee.com> Date: Mon, 13 Jan 2025 15:07:18 +0800 Subject: [PATCH 5/5] Update manifest: move standalone, only-manager installation in namespace: kubeflow-system Signed-off-by: Xinmin Du <10803082+doris-xm@user.noreply.gitee.com> Signed-off-by: Xinmin Du <2812493086@qq.com> --- manifests/v2/overlays/only-manager/kustomization.yaml | 1 + manifests/v2/overlays/standalone/kustomization.yaml | 1 + 2 files changed, 2 insertions(+) diff --git a/manifests/v2/overlays/only-manager/kustomization.yaml b/manifests/v2/overlays/only-manager/kustomization.yaml index b6f81239d8..aee2a15e0a 100644 --- a/manifests/v2/overlays/only-manager/kustomization.yaml +++ b/manifests/v2/overlays/only-manager/kustomization.yaml @@ -1,5 +1,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +namespace: kubeflow-system resources: - namespace.yaml - ../../base/crds diff --git a/manifests/v2/overlays/standalone/kustomization.yaml b/manifests/v2/overlays/standalone/kustomization.yaml index 2a59e17ed4..15611cf8ad 100644 --- a/manifests/v2/overlays/standalone/kustomization.yaml +++ b/manifests/v2/overlays/standalone/kustomization.yaml @@ -1,5 +1,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +namespace: kubeflow-system resources: - namespace.yaml - ../../base/crds