Update kubeflow/notebooks manifests from v2.0.0-alpha.2 (#3455)
Pull request overview
This pull request updates the Kubeflow Workspaces (Notebooks v2) manifests to track kubeflow/notebooks v2.0.0-alpha.2, and removes local overlay patches that are now provided upstream.
Changes:
- Bump synced upstream version from v2.0.0-alpha.1 to v2.0.0-alpha.2 (images + sync script).
- Align Workspaces RBAC/CRD/samples with upstream (including new WorkspaceKind ConfigMap image source fields).
- Restructure namespace + NetworkPolicy handling (introduce namespace-level default-deny and per-component NetworkPolicies) and drop superseded overlay patches.
Reviewed changes
Copilot reviewed 29 out of 29 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| scripts/synchronize-kubeflow-workspaces-manifests.sh | Updates the upstream git tag used for synchronization to v2.0.0-alpha.2. |
| applications/workspaces/upstream/frontend/components/istio/network-policy.yaml | Updates frontend NetworkPolicy selectors and ingress sources. |
| applications/workspaces/upstream/frontend/components/istio/kustomization.yaml | Ensures the frontend NetworkPolicy is included in the Istio component resources. |
| applications/workspaces/upstream/frontend/components/istio/authorization-policy.yaml | Updates AuthorizationPolicy workload selector labels. |
| applications/workspaces/upstream/frontend/base/kustomization.yaml | Bumps frontend image tag and adds app label injection. |
| applications/workspaces/upstream/frontend/base/deployment.yaml | Adds pod-level securityContext defaults (non-root + seccomp). |
| applications/workspaces/upstream/controller/samples/jupyterlab_v1beta1_workspacekind.yaml | Updates sample fields for ConfigMap-based icon/logo references. |
| applications/workspaces/upstream/controller/samples/common/workspacekind_imagesource_configmap.yaml | Adds a sample ConfigMap containing an SVG image source. |
| applications/workspaces/upstream/controller/samples/common/kustomization.yaml | Includes the new sample ConfigMap in the samples kustomization. |
| applications/workspaces/upstream/controller/base/namespace/network-policy-default-deny.yaml | Introduces a namespace-wide default-deny ingress NetworkPolicy. |
| applications/workspaces/upstream/controller/base/namespace/namespace.yaml | Keeps the Workspaces namespace definition (minor formatting change). |
| applications/workspaces/upstream/controller/base/namespace/kustomization.yaml | Adds a dedicated kustomization for namespace-scoped resources. |
| applications/workspaces/upstream/controller/base/namespace.yaml | Removes the old single-file namespace manifest in favor of the new folder layout. |
| applications/workspaces/upstream/controller/base/manager/user_cluster_roles.yaml | Refactors aggregated ClusterRoles for Workspaces admin/edit/view. |
| applications/workspaces/upstream/controller/base/manager/kustomization.yaml | Bumps controller image tag to v2.0.0-alpha.2. |
| applications/workspaces/upstream/controller/base/kustomization.yaml | Switches controller base to consume the new namespace/ sub-kustomization. |
| applications/workspaces/upstream/controller/base/crd/kubeflow.org_workspacekinds.yaml | Updates CRD schema for ConfigMap icon/logo references and status fields. |
| applications/workspaces/upstream/backend/components/istio/network-policy.yaml | Updates backend NetworkPolicy selectors and ingress sources. |
| applications/workspaces/upstream/backend/components/istio/kustomization.yaml | Adds backend NetworkPolicy and introduces an Istio-only deployment patch. |
| applications/workspaces/upstream/backend/components/istio/deployment_patch.yaml | Sets PROXY_URL_PREFIX for the backend deployment in the Istio overlay. |
| applications/workspaces/upstream/backend/components/istio/authorization-policy.yaml | Updates AuthorizationPolicy workload selector labels. |
| applications/workspaces/upstream/backend/base/rbac.yaml | Expands backend RBAC to include ConfigMaps. |
| applications/workspaces/upstream/backend/base/kustomization.yaml | Bumps backend image tag and adds app label injection. |
| applications/workspaces/upstream/backend/base/deployment.yaml | Sets pod-level seccomp profile to RuntimeDefault. |
| applications/workspaces/overlays/istio/workspaces-base-edit-clusterrole.yaml | Removes a manual ClusterRole overlay now handled upstream. |
| applications/workspaces/overlays/istio/patches/frontend-pss.yaml | Drops a manual Pod Security Standards patch superseded upstream. |
| applications/workspaces/overlays/istio/patches/backend-pss.yaml | Drops a manual Pod Security Standards patch superseded upstream. |
| applications/workspaces/overlays/istio/network-policies/default-allow-same-namespace.yaml | Removes the prior allow-same-namespace policy in favor of upstream policies. |
| applications/workspaces/overlays/istio/kustomization.yaml | Simplifies overlay now that upstream provides the needed resources/patches. |
Comments suppressed due to low confidence (2)

applications/workspaces/upstream/backend/components/istio/network-policy.yaml:14
- This NetworkPolicy only allows ingress from the `istio-system` namespace. With the namespace-wide `default-deny-ingress` policy enabled, this will also block node-originated traffic such as kubelet HTTP liveness/readiness probes to the backend pods on NetworkPolicy-enforcing CNIs. If you want default-deny semantics, add an explicit allow rule for probe traffic (or move probes to `exec`) so the deployment can become Ready reliably.

applications/workspaces/upstream/frontend/components/istio/network-policy.yaml:14
- This NetworkPolicy only allows ingress from the `istio-system` namespace. Combined with the namespace-wide `default-deny-ingress` policy, node-originated traffic (including kubelet HTTP liveness/readiness probes to port 8080) will be denied on clusters that enforce NetworkPolicy, which can prevent the frontend pod from ever becoming Ready. Add an explicit allow rule for probe traffic (or switch probes to `exec`) to avoid probe failures.
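How the namespace-wide default-deny policy and the per-component allow-from-istio-system policy compose under Kubernetes NetworkPolicy's additive semantics, as an added example (not code from kubeflow/manifests or kubeflow/notebooks). The policy contents, the namespace name `kubeflow-workspaces` and the `app: workspaces-backend` label are assumptions constructed from the review's descriptions; only pod-to-pod traffic is modelled, since whether node-originated kubelet probes are subject to NetworkPolicy depends on the CNI.

```python
from dataclasses import dataclass

@dataclass
class Pod:
    namespace: str
    labels: dict

# Constructed namespace labels; kubernetes.io/metadata.name is set by Kubernetes on every namespace.
NAMESPACES = {"istio-system": {"kubernetes.io/metadata.name": "istio-system"},
              "kubeflow-workspaces": {"kubernetes.io/metadata.name": "kubeflow-workspaces"}}
WS_NS = "kubeflow-workspaces"  # assumed name of the Workspaces namespace

# Namespace-wide default-deny: selects every pod, declares Ingress, permits nothing.
DEFAULT_DENY = {"namespace": WS_NS, "podSelector": {}, "policyTypes": ["Ingress"], "ingress": []}
# Per-component policy: backend pods accept ingress only from the istio-system namespace.
BACKEND_FROM_ISTIO = {
    "namespace": WS_NS, "podSelector": {"app": "workspaces-backend"},  # assumed app label
    "policyTypes": ["Ingress"],
    "ingress": [{"from": [{"namespaceSelector": {"kubernetes.io/metadata.name": "istio-system"}}]}],
}

def selects(selector, labels):
    """matchLabels semantics: an empty selector matches everything."""
    return all(labels.get(k) == v for k, v in selector.items())

def peer_matches(peer, src, policy_ns):
    """One entry of an ingress 'from' list; a podSelector without a namespaceSelector
    is scoped to the policy's own namespace (ipBlock peers are not modelled)."""
    if "namespaceSelector" in peer:
        if not selects(peer["namespaceSelector"], NAMESPACES.get(src.namespace, {})):
            return False
    elif src.namespace != policy_ns:
        return False
    return selects(peer.get("podSelector", {}), src.labels)

def ingress_allowed(policies, dst, src):
    """Additive semantics: dst is isolated once any Ingress policy selects it, and a
    connection from src is allowed iff some rule of some selecting policy permits it."""
    selecting = [p for p in policies if p["namespace"] == dst.namespace
                 and "Ingress" in p.get("policyTypes", ["Ingress"])
                 and selects(p["podSelector"], dst.labels)]
    if not selecting:
        return True  # not isolated: Kubernetes allows all ingress
    for policy in selecting:
        for rule in policy.get("ingress", []):
            peers = rule.get("from", [])
            if not peers or any(peer_matches(peer, src, policy["namespace"]) for peer in peers):
                return True
    return False
```

Calling `ingress_allowed` for a same-namespace peer returns False, which is the practical effect of dropping the overlay's default-allow-same-namespace policy: same-namespace pods reach the backend only if a selecting policy admits them.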
@juliusvonkohout this should be ready to review, it upstreams all the stuff we were doing in this repo that was introduced in #3430 and updates to the latest alpha of notebooks v2. The only pending thing is to confirm that the Co-Pilot review in #3455 (comment) was wrong. NOTE: we have a bug which prevents non-admin users from managing PVCs right now, which we will try to fix in the next week and cut a quick alpha.3 which should be in time for the first
Signed-off-by: Christian Heusel <christian@heusel.eu>
The kubeflow/notebooks v2.0.0-alpha.2 release now includes pod security standard labels, security contexts, network policies, and aggregated RBAC ClusterRoles natively. Drop the patches and resources we were maintaining manually in the local overlay.
Signed-off-by: Christian Heusel <christian@heusel.eu>

Rebase the workspaces centraldashboard component on top of the latest dashboard configmap, which added a Model Registry menu entry.
Signed-off-by: Christian Heusel <christian@heusel.eu>
2f002a9 to 976cf88
@juliusvonkohout we should be good to merge this, we will do one more follow-up PR with

/lgtm

Thank you
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: juliusvonkohout. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Details: Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Pull Request Template for Kubeflow Manifests
✏️ Summary of Changes
📦 Dependencies
none
🐛 Related Issues
none
✅ Contributor Checklist