-
Notifications
You must be signed in to change notification settings - Fork 893
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Upgrade to use Kustomize v4+ #1797
Comments
@zijianjoy thanks a lot for opening this issue to switch our target version to latest Kustomize v4. |
I am using Kustomize v4.0.5 for https://github.com/kubeflow-onprem/ArgoFlow and everything works as expected. The @zijianjoy One interesting anomaly I did encounter is that running |
This issue burns me over and over. I am used to installing the latest version of tools and I ran into this again trying to work out the latest release configs for Azure. As far as I can tell 3.9.2+ are broken with Knative also: errors with
The latest version that works for me is 3.9.1 or 3.8.10. I installed and tested about 20 different versions. |
FYI @davidspek with 4.0.5 Knative is also broken as is:
@yanniszark |
@yanniszark with the PR to remove pointers from the Knative YAML everything seems to be working fine. I can generate everything with v4.0.5 by running from the example folder you provided:
|
@berndverst You are correct. I had forgotten about this one but I had already created a PR to fix this in the KNative manifests 4 days ago. Also, you don't need the |
@davidspek I noticed I apparently created 2 PRs that were dupes of yours when they were marked as dupes this morning sigh. At least we are getting those issues addressed now! |
@davidspek I found I needed the load restrictor flag for katib when I tried this yesterday. But I saw that this is also being addressed somewhere. |
@berndverst Indeed, Katig should be the only one. I am working with @andreyvelich to remove this requirement in kubeflow/katib#1498. On my branch with these fixes you can run: |
I want to add another data point that sticking to kustomize 3.2.0 is not a good idea. See kubernetes-sigs/kustomize#1500 (comment), starting from kubectl release 1.21, it will come with kustomize v3.9. In not far future, people will be able to use a relatively new version of kustomize from kubectl. That can be an onboarding experience improvement if kubectl is the only tool people need. I think the urgency isn't so much considering the speed people upgrade kubernetes clusters, it could be enough that we start supporting later kustomize versions starting from Kubeflow 1.4. |
@davidspek I want to remind you why we decided to use load restrictor none, read https://bit.ly/kf_kustomize_v3. It was introduced mainly because we want people to build reusable patches that people can compose, instead of relying on overlays (which is inheritance model and people cannot compose). So far, I think https://kubectl.docs.kubernetes.io/guides/config_management/components/ is a feature designed to solve this problem -- allow reusable composition of kustomization transformation without turning off security check. but I haven't used it much and I don't see much of the community using it, I wonder how people think about it. |
@Bobgy I understand why the load-restrictor was useful, but currently only 1 component still needs it (and those manifests are better suited with overlays if you ask me). Indeed the components feature is something I ran into as well, but this cannot be used at this point because for some reason kustomize 3.2.1 is being used (the load restrictor can be using with newer version, and all the manifests build with newer versions). |
Good point! Then I agree it's very useful fixing katib and let everyone stop using the flag, that makes manifest compatible between v3 and v4. |
@Bobgy For reference, here is the PR for updating the Katib manifests: kubeflow/katib#1498. |
@berndverst we have merged all linked PRs necessary in order to use kustomize 4.0.5.
I tested the current example kustomization and it actually failed. Did you also encounter this problem? |
@yanniszark I think we should better break up installation to several steps to avoid the race condition in the first place. There is no guarantee how long each webhook server takes to start either. |
I've deployed the manifests manually with Kustomize 4.0.5 as well and have only run into the chicken & egg situation a few times and rerunning the command (instantly) like what is stated in the current instructions solved it. @yanniszark It looks like there is an existing discussion about the ordering, see kubernetes-sigs/kustomize#821. In particular this comment and the following one are about the ordering of MutatingWebhookConfigurations. |
True, but this is not a problem with the current single command installation right? Because if a webhook Pod is not up yet, then kubectl exits with non-zero code and is retried.
@davidspek you are referring to the scenario described by @Bobgy right? That is, trying to create an object while its registered webhook Service does not have any ready Pods yet. In the scenario I described, I believe retrying won't help, as the Pods need to be recreated in order to be injected with the Istio sidecar.
Yeap! I am currently going through the relevant kustomize PRs / issues and I will open an upstream issue to discuss. |
@Bobgy @yanniszark The PR to make Katib’s manifests not need the load-restrictor (and some other enhancements/optimizations) has just been merged: kubeflow/katib#1498. It does still need to be picked into the current release branch. After this is done, the load-restrictor shouldn’t be needed for any of the Kubeflow manifests anymore and v3/v4 should both work without issue. I’ve been deploying everything with 4.0.5 and without the load-restrictor flag. |
@yanniszark I think we are talking about the same problem, if istio sidecars are not injected, retry doesn't help. So I suggest separating steps as necessary -- e.g. Istio setup should finish before anything may depend on it. It's ok to not separate steps for race conditions that can be resolved via retry. Right now, it seems we need two steps:
|
@Bobgy for this:
We already have the step-by-step instructions. From the later message, I see that you are talking about just 2 steps, instead of a full step-by-step installation. This is definitely a possible workaround, but there might still be some webhook configurations that are skipped because of kustomize's new ordering, so we need to look into that carefully if we decide to go down this way. In addition, I have opened an upstream issue in kustomize and I'm testing a fix: |
Just for reference, I've not seen this issue with the Istio sidecars not being injected and causing problems when deploying with Argo CD. I'm not sure if this is just luck, or if Argo CD is handling this is some way behind the scenes. |
Are manifests going to revert to referencing the 'upstream' manifests through URL's for the next release or is this planned for further in the future? This would drastically reduce the overhead of pulling in all the upstream manifests into this repository, it would simply be a link |
That is something that should be discussed for after the 1.3 release. @connorlwilkes would you like to open an issue to propose this change and the benefits / drawbacks? cc @davidspek who has also used this method in Argoflow. |
@yanniszark @connorlwilkes After the release I was also planning on starting this discussion. I think this will be particularly useful once I have Renovate properly configured for everything, as the only upkeep would then be merge auto-created PRs. Distributions would then simply for the repo and add their customizations to it, similarly to how people are using my Argo installation now. But indeed, this is off the topic of this issue and should be discussed somewhere else. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in one week if no further activity occurs. Thank you for your contributions. |
@yanniszark any updates? |
When could we expect that kubeflow manifests support kustomize v4+? |
Hey folks, just a quick update that the PR to introduce support for custom ordering in kustomize is in the final review stage: kubernetes-sigs/kustomize#4019 |
Istio 1.6.0 generated manifests include some policy/v1 PodDisruptionBudget resources that we need to remove. See: - istio/istio#12602 - istio/istio#24000 The current manifests utilize two "delete" patches: - common/istio-1-16/istio-install/base/patches/remove-pdb.yaml - common/istio-1-16/cluster-local-gateway/base/patches/remove-pdb.yaml However these patches do not work with kustomize v3.2.0. The root cause is that v3.2.0 doesn't have the appropriate openapi schema for the policy/v1 API version resources. This is fixed in kustomize v4+. See: - kubernetes-sigs/kustomize#3694 (comment) - kubernetes-sigs/kustomize#4495 Changes: - We disable the delete patches until we upgrade to kustomize v4+. - tracked in: kubeflow#1797 - As a temporary workaraound we remove PodDisruptionBudget resources manually with yq before deploying Istio manifests. - Update README file with instructions. Refs: kubeflow#2325 Signed-off-by: Apostolos Gerakaris <apoger@arrikto.com>
Istio 1.6.0 generated manifests include some policy/v1 PodDisruptionBudget resources that we need to remove. See: - istio/istio#12602 - istio/istio#24000 The current manifests utilize two "delete" patches: - common/istio-1-16/istio-install/base/patches/remove-pdb.yaml - common/istio-1-16/cluster-local-gateway/base/patches/remove-pdb.yaml However these patches do not work with kustomize v3.2.0. The root cause is that v3.2.0 doesn't have the appropriate openapi schema for the policy/v1 API version resources. This is fixed in kustomize v4+. See: - kubernetes-sigs/kustomize#3694 (comment) - kubernetes-sigs/kustomize#4495 Changes: - We disable the delete patches until we upgrade to kustomize v4+. - tracked in: kubeflow#1797 - As a temporary workaraound we remove PodDisruptionBudget resources manually with yq before deploying Istio manifests. - Update README file with instructions. Refs: kubeflow#2325 Signed-off-by: Apostolos Gerakaris <apoger@arrikto.com>
Istio 1.6.0 generated manifests include some policy/v1 PodDisruptionBudget resources that we need to remove. See: - istio/istio#12602 - istio/istio#24000 The current manifests utilize two "delete" patches: - common/istio-1-16/istio-install/base/patches/remove-pdb.yaml - common/istio-1-16/cluster-local-gateway/base/patches/remove-pdb.yaml However these patches do not work with kustomize v3.2.0. The root cause is that v3.2.0 doesn't have the appropriate openapi schema for the policy/v1 API version resources. This is fixed in kustomize v4+. See: - kubernetes-sigs/kustomize#3694 (comment) - kubernetes-sigs/kustomize#4495 Changes: - We disable the delete patches until we upgrade to kustomize v4+. - tracked in: kubeflow#1797 - As a temporary workaraound we remove PodDisruptionBudget resources manually with yq before deploying Istio manifests. - Update README file with instructions. Refs: kubeflow#2325 Signed-off-by: Apostolos Gerakaris <apoger@arrikto.com>
Istio 1.6.0 generated manifests include some policy/v1 PodDisruptionBudget resources that we need to remove. See: - istio/istio#12602 - istio/istio#24000 The current manifests utilize two "delete" patches: - common/istio-1-16/istio-install/base/patches/remove-pdb.yaml - common/istio-1-16/cluster-local-gateway/base/patches/remove-pdb.yaml However these patches do not work with kustomize v3.2.0. The root cause is that v3.2.0 doesn't have the appropriate openapi schema for the policy/v1 API version resources. This is fixed in kustomize v4+. See: - kubernetes-sigs/kustomize#3694 (comment) - kubernetes-sigs/kustomize#4495 Changes: - We disable the delete patches until we upgrade to kustomize v4+. - tracked in: kubeflow#1797 - As a temporary workaraound we remove PodDisruptionBudget resources manually with yq before deploying Istio manifests. - Update README file with instructions. Refs: kubeflow#2325 Signed-off-by: Apostolos Gerakaris <apoger@arrikto.com>
* common: Add Istio v1.16.0 manifests Signed-off-by: Apostolos Gerakaris <apoger@arrikto.com> * Update kustomization file in example to deploy istio-1-16 Signed-off-by: Apostolos Gerakaris <apoger@arrikto.com> * tests: Update install Istio GH action script Use Istio 1.16 for testing Signed-off-by: Apostolos Gerakaris <apoger@arrikto.com> * common: Remove PodDisruptionBudget resources for Istio Istio 1.6.0 generated manifests include some policy/v1 PodDisruptionBudget resources that we need to remove. See: - istio/istio#12602 - istio/istio#24000 The current manifests utilize two "delete" patches: - common/istio-1-16/istio-install/base/patches/remove-pdb.yaml - common/istio-1-16/cluster-local-gateway/base/patches/remove-pdb.yaml However these patches do not work with kustomize v3.2.0. The root cause is that v3.2.0 doesn't have the appropriate openapi schema for the policy/v1 API version resources. This is fixed in kustomize v4+. See: - kubernetes-sigs/kustomize#3694 (comment) - kubernetes-sigs/kustomize#4495 Changes: - We disable the delete patches until we upgrade to kustomize v4+. - tracked in: #1797 - As a temporary workaraound we remove PodDisruptionBudget resources manually with yq before deploying Istio manifests. - Update README file with instructions. Refs: #2325 Signed-off-by: Apostolos Gerakaris <apoger@arrikto.com> * Update README Use the --cluster-specific flag when generating Istio 1.16 manifests for K8s-1.25. See: * istio/istio#41220 Signed-off-by: Apostolos Gerakaris <apoger@arrikto.com> * tests: Update GH Action workflows Trigger the workflows when the Istio version changes Signed-off-by: Apostolos Gerakaris <apoger@arrikto.com> Signed-off-by: Apostolos Gerakaris <apoger@arrikto.com>
Kustomize PR is merged: kubernetes-sigs/kustomize#4019 |
@yanniszark is there an easy way to enable the ordering in kustomize 4 and who is going to change the install instructions? |
@juliusvonkohout the way to customize the order is through a new This would go in the |
* common: Add Istio v1.16.0 manifests Signed-off-by: Apostolos Gerakaris <apoger@arrikto.com> * Update kustomization file in example to deploy istio-1-16 Signed-off-by: Apostolos Gerakaris <apoger@arrikto.com> * tests: Update install Istio GH action script Use Istio 1.16 for testing Signed-off-by: Apostolos Gerakaris <apoger@arrikto.com> * common: Remove PodDisruptionBudget resources for Istio Istio 1.6.0 generated manifests include some policy/v1 PodDisruptionBudget resources that we need to remove. See: - istio/istio#12602 - istio/istio#24000 The current manifests utilize two "delete" patches: - common/istio-1-16/istio-install/base/patches/remove-pdb.yaml - common/istio-1-16/cluster-local-gateway/base/patches/remove-pdb.yaml However these patches do not work with kustomize v3.2.0. The root cause is that v3.2.0 doesn't have the appropriate openapi schema for the policy/v1 API version resources. This is fixed in kustomize v4+. See: - kubernetes-sigs/kustomize#3694 (comment) - kubernetes-sigs/kustomize#4495 Changes: - We disable the delete patches until we upgrade to kustomize v4+. - tracked in: kubeflow#1797 - As a temporary workaraound we remove PodDisruptionBudget resources manually with yq before deploying Istio manifests. - Update README file with instructions. Refs: kubeflow#2325 Signed-off-by: Apostolos Gerakaris <apoger@arrikto.com> * Update README Use the --cluster-specific flag when generating Istio 1.16 manifests for K8s-1.25. See: * istio/istio#41220 Signed-off-by: Apostolos Gerakaris <apoger@arrikto.com> * tests: Update GH Action workflows Trigger the workflows when the Istio version changes Signed-off-by: Apostolos Gerakaris <apoger@arrikto.com> Signed-off-by: Apostolos Gerakaris <apoger@arrikto.com>
We are now at kustomize 5 /close There has been no activity for a long time. Please reopen if necessary. |
@juliusvonkohout: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
From the README of kubeflow/manifests: https://github.com/kubeflow/manifests#prerequisites, it is a prerequisite to use Kustomize
v3.2.0
for building resources. However, Kustomize v4+ is available. Can we upgrade prerequisite to use new version of Kustomize?One thing that needs to be changed is that: flag name
load_restrictor
is changed in Kustomize v4+, we need to make the following updates in docs and build commands:Change from
--load_restrictor=none
to--load-restrictor LoadRestrictionsNone
. Note the difference between_
and-
.The text was updated successfully, but these errors were encountered: