Synchronize kubeflow model registry manifests v0.2.14

README.md

@@ -58,7 +58,7 @@ This repo periodically syncs all official Kubeflow components from their respect
 | KServe | contrib/kserve/kserve | [v0.14.1](https://github.com/kserve/kserve/releases/tag/v0.14.1/install/v0.14.1) |
 | KServe Models Web App | contrib/kserve/models-web-app | [0.13.0](https://github.com/kserve/models-web-app/tree/0.13.0/config) |
 | Kubeflow Pipelines | apps/pipeline/upstream | [2.4.0](https://github.com/kubeflow/pipelines/tree/2.4.0/manifests/kustomize) |
-| Kubeflow Model Registry | apps/model-registry/upstream | [v0.2.12](https://github.com/kubeflow/model-registry/tree/v0.2.12/manifests/kustomize) |
+| Kubeflow Model Registry | apps/model-registry/upstream | [v0.2.14](https://github.com/kubeflow/model-registry/tree/v0.2.14/manifests/kustomize) |
 
 The following is also a matrix with versions from common components that are
 used from the different projects of Kubeflow:

apps/model-registry/upstream/README.md

@@ -44,22 +44,45 @@ curl -sX 'GET' \
 
 There are two main ways to deploy the Model Registry UI:
 
-1. Standalone mode - Use this if you are using Model Registry without the Kubeflow Platform
+1. Standalone mode - Use this if you are using Model Registry without the Kubeflow Platform (**Note: You will need a custom standalone image**)
 
 2. Integrated mode - Use this if you are deploying Model Registry in Kubeflow 
 
-For a standalone install run the following command:
+For a standalone install, we recommend following the [Model Registry UI standalone deployment documentation](../../clients/ui/docs/local-deployment-guide-ui.md).
+
+For an integrated install use the kubeflow UI overlay:
 
 ```bash
-kubectl apply -k options/ui/overlays/standalone -n kubeflow
+kubectl apply -k options/ui/overlays/istio -n kubeflow
 ```
 
-For an integrated install use the istio UI overlay:
+To make Model Registry UI accessible from the Kubeflow UI, you need to add the following to your Kubeflow UI configmap:
 
 ```bash
-kubectl apply -k options/ui/overlays/istio -n kubeflow
+kubectl edit configmap -n kubeflow centraldashboard-config
+```
+
+```yaml
+apiVersion: v1
+data:
+  links: |-
+    {
+        "menuLinks": [
+            {
+                "icon": "assignment",
+                "link": "/model-registry/",
+                "text": "Model Registry",
+                "type": "item"
+            },
+            ...
 ```
 
+Or you can add it in one line with:
+
+```bash
+kubectl get configmap centraldashboard-config -n kubeflow -o json | jq '.data.links |= (fromjson | .menuLinks += [{"icon": "assignment", "link": "/model-registry/", "text": "Model Registry", "type": "item"}] | tojson)' | kubectl apply -f - -n kubeflow
+````
+
 ## Usage
 
 For a basic usage of the Kubeflow Model Registry, follow the [Kubeflow Model Registry getting started documentation](https://www.kubeflow.org/docs/components/model-registry/getting-started/)
@@ -74,4 +97,4 @@ kubectl delete -k options/istio
 
 # Delete model registry db and deployment
 kubectl delete -k overlays/db
-```
+```

apps/model-registry/upstream/base/kustomization.yaml

@@ -8,4 +8,4 @@ resources:
 images:
 - name: kubeflow/model-registry
   newName: kubeflow/model-registry
-  newTag: v0.2.13
+  newTag: v0.2.14

apps/model-registry/upstream/base/model-registry-deployment.yaml

@@ -16,6 +16,10 @@ spec:
       labels:
         component: model-registry-server
     spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+        runAsNonRoot: true
       containers:
         - name: rest-container
           args:
@@ -44,6 +48,11 @@ spec:
             tcpSocket:
               port: http-api
             timeoutSeconds: 2
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
         - name: grpc-container
           # ! Sync to the same MLMD version:
           # * backend/metadata_writer/requirements.in and requirements.txt
@@ -102,4 +111,11 @@ spec:
             initialDelaySeconds: 3
             periodSeconds: 5
             timeoutSeconds: 2
+          securityContext:
+            runAsUser: 65534
+            runAsGroup: 65534
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
       serviceAccountName: model-registry-server

apps/model-registry/upstream/options/csi/kustomization.yaml

@@ -7,4 +7,4 @@ resources:
 images:
 - name: kubeflow/model-registry-storage-initializer
   newName: kubeflow/model-registry-storage-initializer
-  newTag: v0.2.13
+  newTag: v0.2.14

apps/model-registry/upstream/options/ui/base/kustomization.yaml

@@ -10,4 +10,4 @@ resources:
 images:
 - name: model-registry-ui-image
   newName: docker.io/kubeflow/model-registry-ui
-  newTag: latest
+  newTag: v0.2.14

apps/model-registry/upstream/options/ui/base/model-registry-ui-deployment.yaml

@@ -15,6 +15,10 @@ spec:
         app: model-registry-ui
     spec: 
       serviceAccountName: model-registry-ui
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+        runAsNonRoot: true
       containers:
       - name: model-registry-ui
         image: model-registry-ui-image
@@ -51,3 +55,8 @@ spec:
           - containerPort: 8080
         args:
           - "--port=8080"
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL

apps/model-registry/upstream/options/ui/overlays/istio/kustomization.yaml

@@ -13,3 +13,5 @@ patches:
       version: v1
       kind: Service
       name: model-registry-ui-service
+
+namespace: kubeflow

apps/model-registry/upstream/overlays/db/model-registry-db-deployment.yaml

@@ -19,6 +19,10 @@ spec:
       annotations:
         sidecar.istio.io/inject: "false"
     spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+        runAsNonRoot: true
       containers:
       - name: db-container
         image: mysql:8.3.0
@@ -46,6 +50,13 @@ spec:
         volumeMounts:
         - name: metadata-mysql
           mountPath: /var/lib/mysql
+        securityContext:
+          runAsUser: 999
+          runAsGroup: 999
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
       volumes:
       - name: metadata-mysql
         persistentVolumeClaim:

apps/model-registry/upstream/overlays/postgres/kustomization.yaml

@@ -13,11 +13,11 @@ patchesStrategicMerge:
 - patches/model-registry-deployment.yaml
 
 configMapGenerator:
-- name: metadata-postgres-db-parameters
+- name: metadata-registry-db-parameters
   envs:
   - params.env
 secretGenerator:
-- name: metadata-postgres-db-secrets
+- name: metadata-registry-db-secrets
   envs:
   - secrets.env
 generatorOptions:
@@ -39,7 +39,7 @@ vars:
 - name: POSTGRES_PORT
   objref:
     kind: ConfigMap
-    name: model-registry-db-parameters
+    name: metadata-registry-db-parameters
     apiVersion: v1
   fieldref:
     fieldpath: data.POSTGRES_PORT

apps/model-registry/upstream/overlays/postgres/model-registry-db-deployment.yaml

@@ -19,6 +19,10 @@ spec:
       annotations:
         sidecar.istio.io/inject: "false"
     spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+        runAsNonRoot: true
       containers:
       - name: db-container
         image: postgres
@@ -27,17 +31,23 @@ spec:
             value: /var/lib/postgresql/data/pgdata
         envFrom:
         - configMapRef:
-            name: metadata-postgres-db-parameters
+            name: metadata-registry-db-parameters
         - secretRef:
-            name: metadata-postgres-db-secrets
+            name: metadata-registry-db-secrets
         ports:
         - name: postgres
           containerPort: 5432
         volumeMounts:
         - name: metadata-postgres
           mountPath: /var/lib/postgresql/data
+        securityContext:
+          runAsUser: 70
+          runAsGroup: 70
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
       volumes:
       - name: metadata-postgres
         persistentVolumeClaim:
           claimName: metadata-postgres
-

apps/model-registry/upstream/overlays/postgres/patches/model-registry-deployment.yaml

@@ -16,9 +16,9 @@ spec:
           - $patch: replace
           envFrom:
           - configMapRef:
-              name: metadata-postgres-db-parameters
+              name: metadata-registry-db-parameters
           - secretRef:
-              name: metadata-postgres-db-secrets
+              name: metadata-registry-db-secrets
           - configMapRef:
               name: model-registry-configmap
           args: ["--grpc_port=$(MODEL_REGISTRY_GRPC_SERVICE_PORT)",

hack/synchronize-model-registry-manifests.sh

@@ -65,15 +65,15 @@ if [ -d "$DST_DIR" ]; then
     rm -r "$DST_DIR"
 fi
 mkdir -p $DST_DIR
-cp $SRC_DIR/model-registry/manifests/kustomize/* $DST_DIR -r
+cp -r "$SRC_DIR/model-registry/manifests/kustomize/"* "$DST_DIR"
 
 echo "Successfully copied all manifests."
 
 echo "Updating README..."
 SRC_TXT="\[.*\](https://github.com/kubeflow/model-registry/tree/.*/manifests/kustomize)"
 DST_TXT="\[$COMMIT\](https://github.com/kubeflow/model-registry/tree/$COMMIT/manifests/kustomize)"
 
-sed -i "s|$SRC_TXT|$DST_TXT|g" ${MANIFESTS_DIR}/README.md
+sed -i "" "s|$SRC_TXT|$DST_TXT|g" "${MANIFESTS_DIR}/README.md"
 
 echo "Committing the changes..."
 cd $MANIFESTS_DIR