Remove load_restrictor kustomize flag and lint README markdown (kubeflow#1844)

* remove load-restrictor kustomize flag and lint README markdown

* Set kustomize loader to RestrictionRootOnly in test_util.go

* review: undo changes to test scripts

* review: add note to reusing patches best practices
davidspek committed Apr 16, 2021
1 parent 15a09df commit 5fc7c7e
Showing 3 changed files with 55 additions and 40 deletions.
82 changes: 46 additions & 36 deletions README.md
Expand Up @@ -64,9 +64,8 @@ The `example` directory contains an example kustomization for the single command

You can install all Kubeflow official components (residing under `apps`) and all common services (residing under `common`) using the following command:


```sh
while ! kustomize build --load_restrictor=none example | kubectl apply -f -; do echo "Retrying to apply resources"; sleep 10; done
while ! kustomize build example | kubectl apply -f -; do echo "Retrying to apply resources"; sleep 10; done
```

Once, everything is installed successfully, you can access the Kubeflow Central Dashboard [by logging in to your cluster](#connect-to-your-kubeflow-cluster).
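
Review bot: With `--load_restrictor=none` removed from the single-command install, the `while ! kustomize build example | kubectl apply -f -; do ... sleep 10; done` loop has no exit condition, so a kustomization that still loads a file from outside its root fails identically on every pass and the loop retries forever. Suggest bounding the retries, or running `kustomize build example` once before the loop, so a build error surfaces instead of looking like a transient apply failure. Minor, since this commit lints the README: the context line "Once, everything is installed successfully" has a stray comma after "Once".
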
Expand All @@ -88,10 +87,11 @@ cert-manager is used by many Kubeflow components to provide certificates for
admission webhooks.

Install cert-manager:

```sh
kustomize build --load_restrictor=none common/cert-manager/cert-manager-kube-system-resources/base | kubectl apply -f -
kustomize build --load_restrictor=none common/cert-manager/cert-manager-crds/base | kubectl apply -f -
kustomize build --load_restrictor=none common/cert-manager/cert-manager/overlays/self-signed | kubectl apply -f -
kustomize build common/cert-manager/cert-manager-kube-system-resources/base | kubectl apply -f -
kustomize build common/cert-manager/cert-manager-crds/base | kubectl apply -f -
kustomize build common/cert-manager/cert-manager/overlays/self-signed | kubectl apply -f -
```

#### Istio
Expand All @@ -100,10 +100,11 @@ Istio is used by many Kubeflow components to secure their traffic, enforce
network authorization and implement routing policies.

Install Istio:

```sh
kustomize build --load_restrictor=none common/istio-1-9-0/istio-crds/base | kubectl apply -f -
kustomize build --load_restrictor=none common/istio-1-9-0/istio-namespace/base | kubectl apply -f -
kustomize build --load_restrictor=none common/istio-1-9-0/istio-install/base | kubectl apply -f -
kustomize build common/istio-1-9-0/istio-crds/base | kubectl apply -f -
kustomize build common/istio-1-9-0/istio-namespace/base | kubectl apply -f -
kustomize build common/istio-1-9-0/istio-install/base | kubectl apply -f -
```

#### Dex
Expand All @@ -113,32 +114,34 @@ Dex is an OpenID Connect Identity (OIDC) with multiple authentication backends.
Install Dex:

```sh
kustomize build --load_restrictor=none common/dex/overlays/istio | kubectl apply -f -
kustomize build common/dex/overlays/istio | kubectl apply -f -
```

#### OIDC AuthService

The OIDC AuthService extends your Istio Ingress-Gateway capabilities, to be able to function as an OIDC client:

```sh
kustomize build --load_restrictor=none common/oidc-authservice/base | kubectl apply -f -
kustomize build common/oidc-authservice/base | kubectl apply -f -
```

#### Knative

Knative is used by the KFServing official Kubeflow component.

Install Knative Serving:

```sh
kustomize build --load_restrictor=none common/knative/knative-serving-crds/base | kubectl apply -f -
kustomize build --load_restrictor=none common/knative/knative-serving-install/base | kubectl apply -f -
kustomize build --load_restrictor=none common/istio-1-9-0/cluster-local-gateway/base | kubectl apply -f -
kustomize build common/knative/knative-serving-crds/base | kubectl apply -f -
kustomize build common/knative/knative-serving-install/base | kubectl apply -f -
kustomize build common/istio-1-9-0/cluster-local-gateway/base | kubectl apply -f -
```

Optionally, you can install Knative Eventing which can be used for inference request logging:

```sh
kustomize build --load_restrictor=none common/knative/knative-eventing-crds/base | kubectl apply -f -
kustomize build --load_restrictor=none common/knative/knative-eventing-install/base | kubectl apply -f -
kustomize build common/knative/knative-eventing-crds/base | kubectl apply -f -
kustomize build common/knative/knative-eventing-install/base | kubectl apply -f -
```

#### Kubeflow Namespace
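
Review bot: The context line carried in this hunk's header, "Dex is an OpenID Connect Identity (OIDC) with multiple authentication backends.", reads as if a word is missing after "Identity". As this commit is a README lint pass, consider fixing it here, for example "Dex is an OpenID Connect (OIDC) identity provider with multiple authentication backends."
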
Expand All @@ -147,8 +150,9 @@ Create the namespace where the Kubeflow components will live in. This namespace
is named `kubeflow`.

Install kubeflow namespace:

```sh
kustomize build --load_restrictor=none common/kubeflow-namespace/base | kubectl apply -f -
kustomize build common/kubeflow-namespace/base | kubectl apply -f -
```

#### Kubeflow Roles
Expand All @@ -158,11 +162,11 @@ Create the Kubeflow ClusterRoles, `kubeflow-view`, `kubeflow-edit` and
ClusterRoles.

Install kubeflow roles:

```sh
kustomize build --load_restrictor=none common/kubeflow-roles/base | kubectl apply -f -
kustomize build common/kubeflow-roles/base | kubectl apply -f -
```


#### Kubeflow Istio Resources

Create the Istio resources needed by Kubeflow. This kustomization currently
Expand All @@ -171,61 +175,63 @@ If you want to install with your own Istio, then you need this kustomization as
well.

Install istio resources:

```sh
kustomize build --load_restrictor=none common/istio-1-9-0/kubeflow-istio-resources/base | kubectl apply -f -
kustomize build common/istio-1-9-0/kubeflow-istio-resources/base | kubectl apply -f -
```

#### Kubeflow Pipelines

Install the Kubeflow Pipelines official Kubeflow component:

```sh
kustomize build --load_restrictor=none apps/pipeline/upstream/env/platform-agnostic-multi-user | kubectl apply -f -
kustomize build apps/pipeline/upstream/env/platform-agnostic-multi-user | kubectl apply -f -
```

#### KFServing

Install the KFServing official Kubeflow component:

```sh
kustomize build --load_restrictor=none apps/kfserving/upstream/overlays/kubeflow | kubectl apply -f -
kustomize build apps/kfserving/upstream/overlays/kubeflow | kubectl apply -f -
```

#### Katib

Install the Katib official Kubeflow component:

```sh
kustomize build --load_restrictor=none apps/katib/upstream/installs/katib-with-kubeflow | kubectl apply -f -
kustomize build apps/katib/upstream/installs/katib-with-kubeflow | kubectl apply -f -
```

#### Central Dashboard

Install the Central Dashboard official Kubeflow component:

```sh
kustomize build --load_restrictor=none apps/centraldashboard/upstream/overlays/istio | kubectl apply -f -
kustomize build apps/centraldashboard/upstream/overlays/istio | kubectl apply -f -
```

#### Admission Webhook

Install the Admission Webhook for PodDefaults:

```sh
kustomize build --load_restrictor=none apps/admission-webhook/upstream/overlays/cert-manager | kubectl apply -f -
kustomize build apps/admission-webhook/upstream/overlays/cert-manager | kubectl apply -f -
```

#### Notebooks

Install the Notebook Controller official Kubeflow component:

```sh
kustomize build --load_restrictor=none apps/jupyter/notebook-controller/upstream/overlays/kubeflow | kubectl apply -f -
kustomize build apps/jupyter/notebook-controller/upstream/overlays/kubeflow | kubectl apply -f -
```

Install the Jupyter Web App official Kubeflow component:

```sh
kustomize build --load_restrictor=none apps/jupyter/jupyter-web-app/upstream/overlays/istio | kubectl apply -f -
kustomize build apps/jupyter/jupyter-web-app/upstream/overlays/istio | kubectl apply -f -
```

#### Profiles + KFAM
Expand All @@ -234,76 +240,77 @@ Install the Profile Controller and the Kubeflow Access-Management (KFAM) officia
components:

```sh
kustomize build --load_restrictor=none apps/profiles/upstream/overlays/kubeflow | kubectl apply -f -
kustomize build apps/profiles/upstream/overlays/kubeflow | kubectl apply -f -
```

#### Volumes Web App

Install the Volumes Web App official Kubeflow component:

```sh
kustomize build --load_restrictor=none apps/volumes-web-app/upstream/overlays/istio | kubectl apply -f -
kustomize build apps/volumes-web-app/upstream/overlays/istio | kubectl apply -f -
```

#### Tensorboard

Install the Tensorboards Web App official Kubeflow component:

```sh
kustomize build --load_restrictor=none apps/tensorboard/tensorboards-web-app/upstream/overlays/istio | kubectl apply -f -
kustomize build apps/tensorboard/tensorboards-web-app/upstream/overlays/istio | kubectl apply -f -
```

Install the Tensorboard Controller official Kubeflow component:

```sh
kustomize build --load_restrictor=none apps/tensorboard/tensorboard-controller/upstream/overlays/kubeflow | kubectl apply -f -
kustomize build apps/tensorboard/tensorboard-controller/upstream/overlays/kubeflow | kubectl apply -f -
```

#### TFJob Operator

Install the TFJob Operator official Kubeflow component:

```sh
kustomize build --load_restrictor=none apps/tf-training/upstream/overlays/kubeflow | kubectl apply -f -
kustomize build apps/tf-training/upstream/overlays/kubeflow | kubectl apply -f -
```

#### PyTorch Operator

Install the PyTorch Operator official Kubeflow component:

```sh
kustomize build --load_restrictor=none apps/pytorch-job/upstream/overlays/kubeflow | kubectl apply -f -
kustomize build apps/pytorch-job/upstream/overlays/kubeflow | kubectl apply -f -
```

#### MPI Operator

Install the MPI Operator official Kubeflow component:

```sh
kustomize build --load_restrictor=none apps/mpi-job/upstream/overlays/kubeflow | kubectl apply -f -
kustomize build apps/mpi-job/upstream/overlays/kubeflow | kubectl apply -f -
```

#### MXNet Operator

Install the MXNet Operator official Kubeflow component:

```sh
kustomize build --load_restrictor=none apps/mxnet-job/upstream/overlays/kubeflow | kubectl apply -f -
kustomize build apps/mxnet-job/upstream/overlays/kubeflow | kubectl apply -f -
```

#### XGBoost Operator

Install the XGBoost Operator official Kubeflow component:

```sh
kustomize build --load_restrictor=none apps/xgboost-job/upstream/overlays/kubeflow | kubectl apply -f -
kustomize build apps/xgboost-job/upstream/overlays/kubeflow | kubectl apply -f -
```

#### User Namespace

Finally, create a new namespace for the the default user (named `user`).

```sh
kustomize build --load_restrictor=none common/user-namespace/base | kubectl apply -f -
kustomize build common/user-namespace/base | kubectl apply -f -
```

### Connect to your Kubeflow Cluster
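
Review bot: In the User Namespace section at the end of this hunk, the context sentence beginning "Finally, create a new namespace for the the default user" repeats "the". The markdown lint in this commit only adds blank lines around the fences, so this one is worth fixing by hand in the same pass.
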
Expand All @@ -329,6 +336,7 @@ kubectl port-forward svc/istio-ingressgateway -n istio-system 8080:80
```

After running the command, you can access the Kubeflow Central Dashboard by doing the following:

1. Open your browser and visit `http://localhost:8080`. You should get the Dex login screen.
2. Login with the default user's credential. The default username is `user` and the default password is `12341234`.

Expand All @@ -350,11 +358,13 @@ If you absolutely need to expose Kubeflow over HTTP, you can disable the `Secure
For security reasons, we don't want to use the default password for the default Kubeflow user when installing in security-sensitive environments. Instead, you should define your own password before deploying. To define a password for the default user:

1. Pick a password for the default user, with handle `user`, and hash it using `bcrypt`:

```sh
python3 -c 'from passlib.hash import bcrypt; import getpass; print(bcrypt.using(rounds=12, ident="2y").hash(getpass.getpass()))'
```

2. Edit `dex/base/config-map.yaml` and fill the relevant field with the hash of the password you chose:

```yaml
...
staticPasswords:
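
Review bot: Step 2 points at `dex/base/config-map.yaml`, but every install command in this README addresses Dex from the repository root under `common/` (for example `common/dex/overlays/istio`), so the path as written does not match the layout the rest of the file uses. Suggest `common/dex/base/config-map.yaml` if that is where the file lives, since this is the step a reader follows to replace the default `12341234` password before deploying.
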
4 changes: 4 additions & 0 deletions docs/KustomizeBestPractices.md
Expand Up @@ -41,6 +41,10 @@ to a database running in cluster.

## Reuse patches

**Note:** We are in the process of moving to Kustomize v4, see [this](https://github.com/kubeflow/manifests/issues/1797).
This method of reusing patches is outdated and will likely be replaced by
[kustomize components](https://github.com/kubernetes-sigs/kustomize/blob/master/examples/components.md).

We encourage reusing patches across kustomize packages when it makes sense. For example suppose we
have an onprem and standalone version of our application but both of them want to reuse
a common patch to use an external database. We could lay the packages out like so
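
Review bot: The added note uses "this" as its link text and says the method "is outdated and will likely be replaced" without telling a reader what to do today. Suggest naming the link target (the kubeflow/manifests issue 1797 on the Kustomize v4 move) and stating whether the shared patch in the layout below is loaded from outside the kustomization root, because the README in this same commit drops `--load_restrictor=none` and that is the case the default restriction rejects. The components link also points at `blob/master`, which can move; a tagged URL would be more stable.
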
9 changes: 5 additions & 4 deletions tests/test_util.go
Expand Up @@ -2,10 +2,13 @@ package tests

import (
"fmt"
"github.com/ghodss/yaml"
"io/ioutil"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
"path/filepath"
"strings"
"testing"

"github.com/ghodss/yaml"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
"sigs.k8s.io/kustomize/v3/k8sdeps/kunstruct"
"sigs.k8s.io/kustomize/v3/k8sdeps/transformer"
"sigs.k8s.io/kustomize/v3/pkg/fs"
Expand All @@ -15,8 +18,6 @@ import (
"sigs.k8s.io/kustomize/v3/pkg/resource"
"sigs.k8s.io/kustomize/v3/pkg/target"
"sigs.k8s.io/kustomize/v3/pkg/validators"
"strings"
"testing"
)

type KustomizeTestCase struct {
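
Review bot: The commit message says the kustomize loader is set to RestrictionRootOnly in test_util.go, but the 5 additions and 4 deletions reported for this file are fully accounted for by the import regrouping in these two hunks (`strings` and `testing` moved into the standard-library group, `github.com/ghodss/yaml` and the `unstructured` import moved into the third-party group), so no loader change is part of this diff. Either drop that bullet from the message or include the change, so it is clear whether the tests build under the same root-only restriction the README commands now rely on.
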