KEP 831-Kubeflow-Helm-Support: Support Helm as an Alternative for Kustomize #832
Conversation
Signed-off-by: juliusvonkohout <[email protected]>
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/lgtm |
There was a problem hiding this comment.
I can see that you re-created the KEP.
/hold for community to review.
cc @kubeflow/wg-training-leads @kubeflow/wg-automl-leads @kubeflow/wg-manifests-leads @kubeflow/wg-data-leads @kubeflow/release-team @kubeflow/wg-pipeline-leads @kubeflow/wg-notebooks-leads @kubeflow/red-hat @kubeflow/wg-deployment-leads @kubeflow/kubeflow-steering-committee
|
Foundationally, this is still a discussion around if we have an "official" distribution or not. This KEP proposes a single "mega" helm chart with all components inside, this is by definition, an opinionated "distribution" of Kubeflow Platform. The community has discussed and rejected having official distributions in the past, for reasons that are still applicable:
PS: I want to stress that your motivations about making Kubeflow easier to use are great, and I am sure some users would love a Kubeflow Distribution that looks like this. (In fact, there are at least 2 that I am aware of which are similar to your proposal already, so perhaps you can collaborate with them). However, it's critical to keep the project neutral and focused on the tools themselves. Also, while it's clearly not the intention of this KEP, there is a separate discussion around if automatically-generated helm charts based on the existing component kustomize manifests would be useful for downstream distributions. But that would be a completely separate proposal. |
@thesuperzapper is this discussion already happening somewhere ? |
|
Thanks for this great feature—it's really going useful for us! As a suggestion, it would be awesome to include some migration documentation on transitioning from Kustomize to Helm in Goals. Also, any guidance on achieving a zero-downtime migration would be much appreciated. It will help users who are willing to utilise this. Thanks again for all the great work! |
Hey @shaikmoeed thanks for the feedback! One thing that would really help with this initiative is if you would be willing to tell us how Helm would help you and what you are looking for from these Helm charts. Your insights would be super awesome! |
@chasecadet Thanks for asking! We maintain a customized local version of kubeflow/manifests (with patches like Istio, OAuth2 and other fixes), which makes our upgrades challenging. As we manage most of our k8s service using Helm with ArgoCD, this initiative would simplify our process by letting us enable only the needed components and manage our patches more cleanly—eliminating the need to maintain local copies and keeping our upgrade PRs much smaller and easier to review. |
Good to know! Also, we'd love to know about how you use Kubeflow and your use cases, but probably for a different medium. Feel free to hit me up on the CNCF slack (chasecadet) if you'd like to share. Also let's ensure your org is on the adopters list so you get credit for being bleeding edge! |
Actually that is not the case. It is not a distribution, since they would still be the community manifests, not derived/deviated from it. But you are right in the sense that we should have helm charts for the individual components and combine them as we combine the kustomize manifests of the individual components. In the end we have a wonderful heterogeneous userbase and they want both options . If possible we should just combine the smaller ones in a meta helm chart or so similar to the kustomize overlay https://github.com/kubeflow/manifests/blob/master/example/kustomization.yaml . In the end the goal is to have something helm based with a similar structure / goal as the current kustomize manifests. Please make constructive suggestions in the KEP how we can emphasize this more. "Also, while it's clearly not the intention of this KEP, there is a separate discussion around if automatically-generated helm charts based on the existing component kustomize manifests would be useful for downstream distributions. But that would be a completely separate proposal. Also here I have to object, this is not a separate discussion. Automatically-generated helm charts are within this KEP. But that is an implementation detail of the single source of truth requirement. CC @lburgazzoli |
Hello, are you familiar with https://github.com/kubeflow/manifests?tab=readme-ov-file#upgrading-and-extending ? Maybe this can help you until the helm manifests are ready. |
|
@shaikmoeed https://github.com/kubeflow/community/blob/master/ADOPTERS.md is the file where you can add your company. |
proposals/831-helm-support/README.MD
Outdated
| @@ -0,0 +1,454 @@ | |||
| # 649-Kubeflow-Helm-Support: Support Helm as an Alternative for Kustomize | |||
There was a problem hiding this comment.
I think, we should find better name for this KEP, something like: Helm Charts for Kubeflow Projects, since we are not planning to stop supporting kustomize.
There was a problem hiding this comment.
It is not just for the individual projects, so maybe just "installing Kubeflow with Helm" ?
There was a problem hiding this comment.
It is not just for the individual projects
We haven't find final agreement on this yet, so I suggest to keep the name of this KEP: Support Helm Charts for Kubeflow Ecosystem.
proposals/831-helm-support/README.MD
Outdated
| As a project, we must ensure that our Helm chart provides a quick and accessible way for users to deploy a complete Kubeflow platform and individual components, enabling them to manage their environments or adopt a vendor solution. | ||
|
|
||
|
|
||
| Simplifying Kubeflow deployment lowers the barrier to entry, increases adoption, and encourages contributions. Just as Kubernetes enabled a new wave of cloud-native startups, a neutral, accessible deployment path can empower AI/ML startups to leverage tools like the Training Operator or Katib without reinventing common patterns. If support becomes burdensome, teams can hire expertise or use a distribution—both of which drive demand for Kubeflow skills. |
There was a problem hiding this comment.
As I mentioned before, I am not sure that Helm Charts will simplify Kubeflow installation, it just provides another method in addition to Kustomize.
There was a problem hiding this comment.
Simplify in the sense that it satisfies company policies and works with the existing setup of users and that they do not need to learn kustomize.
There was a problem hiding this comment.
I changed it to "Simplifying the Kubeflow deployment and customization ..."
As in ehe paragraph above it is also sometimes plain enabling "many potential users and companies that require Helm charts due to company processes/policies"
There was a problem hiding this comment.
that they do not need to learn kustomize.
But they still need to learn Helm, isn't ?
I can see value of Helm Charts for Kubeflow Projects to align with companies processes and policies, but not with simplification, since Kustomize is simple enough and natively integrates with kubectl create -k
proposals/831-helm-support/README.MD
Outdated
|
|
||
|
|
||
| ``` | ||
| kubeflow/manifests/experimental/helm |
There was a problem hiding this comment.
I am not sure that this structure is what we should do, looking at other project like Argo, Grafana, etc.
A few questions:
- How are you planning to maintain centralized values for all charts ?
- How are you planning to sync underlying Helm Charts with this centralized charts.
- How are we going to define Ownership for those charts ?
There was a problem hiding this comment.
@andreyvelich do you have any opinions? I see questions and would love some solutions too! What are your thoughts?
There was a problem hiding this comment.
In the end we want the same for the helm manifests as for the kustomize manifests. Synchronize them form the individual projects. Just at the beginning or as long as they are experimental it makes sense to start in one place with the ci/cd etc. available. You can easily check whether the difference between helm and kustomize is zero in additional ci/cd tests.
There was a problem hiding this comment.
clarified in the text.
There was a problem hiding this comment.
Given that you propose this KEP, I would like to hear your perspective first @chasecadet.
I can comment my thoughts after it.
Just at the beginning or as long as they are experimental it makes sense to start in one place with the ci/cd etc. available
What do you mean by experimental ? WG Manifests goals and charter doesn't say anything about this process: https://github.com/kubeflow/community/blob/master/wg-manifests/charter.md.
There was a problem hiding this comment.
I updated the charter now. contrib (renamed to experimental) was even in the 5 year old charter.
There was a problem hiding this comment.
WG Manifests/Platform Charter
This charter adheres to the conventions, roles and organization management
outlined in [wg-governance].
This charter describes the working mode / reality / status quo of the last 5 years as of March 2025.
Scope
- Enable users to install, extend and maintain Kubeflow as a platform for multiple users
- This includes dependencies, security efforts and examplary integration with popular tools and frameworks.
- Synchronize the manifests (Helm, Kustomize) between working groups
- We try to be compatible with the popular Kubernetes clusters (Kind, Rancher, AKS, EKS, GKE, ...)
- We do not support a specific deployment tool (e.g., ArgoCD, Flux)
- The default installation shall not contain deep integration with external cloud services or closed source solutions
- We provide hints and experimental examples how a user could integrate non-default external authentication (e.g. companies Identity Provider) and popular services on his own
- There is the evolving and not exhaustive list of dependencies for a proper multi-tenant platform installatio: Istio, KNative, Dex, Oauth2-proxy, Cert-Manager, ...
- There is the evolving and not exhaustive list of applications: KFP, Trainer, Dashboard, Workspaces / Noteboks, Kserve, Spark, ...
Communication Tasks
With Application Owners
- Aid the application owner in creating manifests (Helm, Kustomize) for his application
- Aid the application owner regarding security best practices
- Communicate with the application owner regarding releases and versioning
With Distribution Owners
- Distributions are strongly opinionated derivatives of Kubeflow platform / manifests, for example replacing all databases with closed source managed databases from AWS, GKE, Azure, ...
- A distribution can be created by an arbitrary amount of users / companies in private or in public, see the definition above
- Coordinate with "distribution owners" / users to take part in the testing of Kubeflow releases.
There was a problem hiding this comment.
I think, the scope of Manifests WG should be discussed separately and we should get consensus from all other WGs:
@kubeflow/kubeflow-steering-committee @kubeflow/wg-training-leads @kubeflow/wg-automl-leads @kubeflow/wg-pipeline-leads @kubeflow/wg-notebooks-leads @kubeflow/wg-manifests-leads
Check this: #356
There was a problem hiding this comment.
@lphiri would love your thoughts here.
There was a problem hiding this comment.
For reference, I see that @juliusvonkohout raised a proposal to update the Manifests WG charter:
Having a discussion around the scope of the Manifest WG (and coming to a community consensus) is probably critical before committing to expansion of the Manifests WG scope.
Especially given how controversial the initial formation of the Manifests WG was (see #434)
proposals/831-helm-support/README.MD
Outdated
| ## Design Details | ||
|
|
||
|
|
||
| ### Helm Chart Structure |
There was a problem hiding this comment.
Currently, it doesn't fit under Manifests WG scope: https://github.com/kubeflow/community/blob/master/wg-manifests/charter.md#code-binaries-and-services
There was a problem hiding this comment.
@andreyvelich help me understand what specifically you are calling out.
There was a problem hiding this comment.
"Provide a catalog (centralized repository) of Kubeflow application manifests." Helm manifests fit that as well as kustomize manifests
There was a problem hiding this comment.
But yes we should update the charter in general and make it leaner.
There was a problem hiding this comment.
Nevertheless that might be for a separate PR.
There was a problem hiding this comment.
As you can see, here is the scope of Manifests WG @chasecadet.
Maintain tooling to automate copying manifests from upstream app repos.
The manifests should just copy the code assets from the upstream app repos.
This is not what is proposed here.
There was a problem hiding this comment.
And that is far far away from the last 5 years of reality. "Maintain tooling to automate copying manifests from upstream app repos." Is actually just one very small part (maybe 2 % of the total effort) and even the least important part and gives users almost nothing in value. It would render the repository, kubeflow releases and this KEP useless and obsolete. With only that Kubeflow would fail completely as a platform and we could archive the repository and kubeflow releases in general.
The value for users in kubeflow/manifests is created by combining and integrating with multi-tenancy, servicemesh etc and the other shared platform components providing a full platform installation. They get components that are glued together, work together and are tested together. That is what users use the repository for. Otherwise they can just go to the individual project repositories and have a bunch of independent single-tenant applications without unified authentication and authorization. That might be useful enough for some, but you would loose 50+% of the current user base. Please also see the updated scenarios in the KEP for clarification.
So yes I can try to update the charter by 5+ years and get it to the reality of 2025 and what the actual usage is in this PR here.
There was a problem hiding this comment.
With only that Kubeflow would fail completely as a platform and we could archive the repository and kubeflow releases in general.
Can you elaborate on this more please ? From my point of view, the value of Kubeflow ecosystem is not in multi-tenancy or auth, but rather in AI/ML capabilities.
Yes, we can provide our "opinionated" solution for auth with Dex and Istio, but this is not mandatory for folks to integrate with Kubeflow projects.
They get components that are glued together, work together and are tested together. That is what users use the repository for.
Can we actually gather a feedback from real users who are using kubeflow/manifests today and complaining about Kustomize ?
I would like to understand how the proposed Helm Chart in this KEP would enhance their experience within Kubeflow Ecosystem?
As we've discussed multiple times with @johnugeorge and other members of @kubeflow/kubeflow-steering-committee, kubeflow/manifests is a good starting point to explore Kubeflow's capabilities.
I believe, Kustomize works well for this purpose.
There was a problem hiding this comment.
"Can you elaborate on this more please ? From my point of view, the value of Kubeflow ecosystem is not in multi-tenancy or auth, but rather in AI/ML capabilities."
That might not be relevant for you. For me for example Katib and trainer is not relevant so far, but Kubeflow Platform and KFP is. That does not mean that it is not relevant for other users. We are just two different users.
Most companies I know want to have one isolated namespace per user, where he can login and run his jupyterlabs, pipelines, inferenceservices, model registries etc. Then comes user 2-999 who also needs to have his jupyterlab etc. and must have hard isolation from the other users or the CISO will just say no to Kubeflow.
So authentication and authorization, networkpolicies, podsecuritystandards is mandatory to even get this basic setup with one isolated namespace per user and access to KFP, Jupyterlabs etc. running. I talked to hospitals, banks, insurances, and many other companies who use Kubeflow that way, that is also the reason they install from kubeflow/manifests in the first place. Otherwise you have to set up one Kubeflow per user, so hundreds of single-tenant Kubeflows with insane resource overhead (Teraybytes of memory).
"Yes, we can provide our "opinionated" solution for auth with Dex and Istio, but this is not mandatory for folks to integrate with Kubeflow projects." Oauth2-proxy and Dex is not really opinionated. They are just the two endpoints where companies connect to the companies internal IDP for the single-sign-on. They do not build the authentication in Kubeflow themselves (way to expensive). They just hook in via SingleSignOn. This is where it becomes opinionated based on the companies preferences.
"Can we actually gather a feedback from real users who are using kubeflow/manifests today and complaining about Kustomize" it is one of the most requested features and you can take a look at the kubeflow-helm channel. That is what you typically hear at conferences and from companies (requiring it to even start with Kubeflow) as well. That is also why there are 10 different community efforts for helm charts. CC @chasecadet
Please have a look at the current Kubeflow architecture. This is from 2023, but still has the most important parts. Now imagine 1000 user namespaces and that within these components there is authentication and authorization to check which user can access which namespace and services.
This KEP is about Helm manifests, not changing the Platform architecture.
Signed-off-by: juliusvonkohout <[email protected]>
|
New changes are detected. LGTM label has been removed. |
Signed-off-by: juliusvonkohout <[email protected]>
Signed-off-by: Julius von Kohout <[email protected]>
Signed-off-by: Julius von Kohout <[email protected]>
Signed-off-by: Julius von Kohout <[email protected]>
|
@andreyvelich, let's try a well-known technique: Observation, Feeling, Need, Request. This approach can help us unpack details rather than relying on "certainty in correctness," which is something I constantly challenge myself on while staying curious. I appreciate all the great insights you're sharing here. I noticed you said: Feeling I'm feeling a bit confused because I’ve seen community members express concerns that Kustomize is too complex and instead request a Helm chart. I suspect this stems from a misalignment in who Kustomize is best suited for. My perspective is that Kustomize works well for experts like you—SMEs in manifests who deploy custom components at a high level. However, many users seem to prefer Helm because it abstracts away complexity with its templating engine.
Need I want to better understand what makes you uncomfortable or unsatisfied with this request. Request Would you be open to unpacking your full perspective so I can understand it more clearly? Overcommunication here would really help me. One additional thought: Do we need to explore a new approach?
Looking forward to your thoughts! 😊 |
|
First, I want to thank everyone for their passion for Kubeflow. I especially want to thank @juliusvonkohout for his work on My understanding is that this KEP comes from discussions with your customers that want to deploy and manage a Kubeflow Platform with Helm and ArgoCD. You make a compelling case why some users want Helm+ArgoCD, however, I'm trying to understand why this deployment method needs to be officially developed under the Kubeflow organization? Was the alternative of making a Kubeflow Distribution considered? |
Thank you, the goal of this KEP is to make platform/manifests more attractive for the end users, whether it is a one man private distribution or a large companies public distribution. I think we need to improve at a high technical speed to stay relevant as the platform for orchestrating ML Workflows on Kubernetes.
Regarding "My understanding is that this KEP comes from discussions with your customers that want to deploy and manage a Kubeflow Platform with Helm and ArgoCD." and "You make a compelling case why some users want Helm+ArgoCD; however, I'm trying to understand why this deployment method needs to be officially developed under the Kubeflow organization?" I have to politely say no. You can see here that I even want to write the opposite: """ Scope
Communication TasksWith Application Owners
With Users / Distribution Owners
""" "Was the alternative of making a Kubeflow Distribution considered?" I have my personal distribution; I do not need another one. As I said, this is not for me, and I personally do not need Helm, because I mostly build the helm templating functionality myself on top of kustomize, but many end users want Helm for that functionality. The question is rather, how do we not miss out on the users/companies that require Helm manifests? How do we make it simple to modify, maintain, and extend Kubeflow for full multi-user installations to keep it attractive? How do we consolidate the ten different Helm approaches with synergy to avoid spending ten times the amount of time on maintaining manifests and reinventing the wheel? How can we get distributions to work more together? How can we get them to upstream some changes so that the platform as a whole progresses and each distribution has reduced maintenance overhead? In the end, we need to have a good product that offers ML as a platform without requiring every adopter to reinvent the wheel. We are failing the ML platform goal if only third-party derivative projects offer essential features like Helm manifests or robust multi-tenancy and enforced security best practices. I (subjectively) see the multiple single-tenant approach as a lower value offering or only an offering for a special edge case / subset of the user base with significant additional integration efforts for the end user for each separate component compared to the (subjectively more valuable) less integration and maintenance effort multi-tenancy platform way. But no one should be blocked from building individually from scratch and no one should be blocked from experiencing and contributing to an integrated End-to-end platform. Let the people choose how they want to build and contribute. We, or at least I, do not have the time and priority to redesign each individual component with individual authentication and multi-tenancy from scratch as individual mini platform in the short term with a proper upgrade path from our current architecture. This is an effort I am pushing for the community, not for myself. But it is getting too broad since this clear Helm manifests discussion becomes tangled up with architecture restructuring discussions as well as other topics. For other topics such as authentication architectural redesigns everyone is free to create a separate non-helm KEP, to keep this one here focused. It also often deteriorates into a broad political governance discussion rather than a constructive search for in-scope (status quo with Helm for GSoC PoC ) solutions. This amount of derailing / defocusing and debating instead of constructive in-scope code / text suggestions and direct improvements is slowing us down and might result in losing platform users and synergies. @chasecadet, I tried to push for community synergies and Kubeflow platform Helm user adoption, but I can only do so much with a limited amount of time. |
Signed-off-by: Julius von Kohout <[email protected]>
Signed-off-by: Julius von Kohout <[email protected]>
|
To have a more focused discussion I have moved the charter into #837. |
|
From the long discussion on slack: "Another interesting thing is that more and more manifests come in helm form (spark, istio, etc) and right now we render them out to be usable with kustomize. At some point it could be more feasible to just call them directly from kustomize with the right values, since kustomize has some form of helm integration. I tried it recently to include a helm manifest with parameters via kustomize. This way we could step by step replace the kustomize parts with templatable helm manifests and keep the same ci/cd to make sure that stuff is not breaking and the output stays the same." See https://github.com/kubernetes-sigs/kustomize/blob/master/examples/chart.md for examples. |
|
See for example this example from the proposal from one of the GSOC students https://github.com/akagami-harsh/manifests/blob/helm-charts/kustomize-helm-poc/README.md It uses the trainer helm chart via kustomize @akagami-harsh |
Thanks for sharing this! And big thanks to @akagami-harsh for the effort 🙌 |
|
Hey, i made a helm chart to install kubeflow. Check it out and open to feedback https://github.com/TheCodingSheikh/helm-charts/tree/main/charts/kubeflow |
This is awesome! I think what the KSC is working on determining is whether this is a "distribution" or something we move within the main Kubeflow repos. The boundaries of what is core Kubeflow vs. component manifests we support etc.. Right now you can in theory install everything with a single kustomize command, but using best in breed cloud services or other configurations requires effort. Then do you template the patches and how do you potentially tie that into a CI/CD system nicely or just use ArgoCD. This is a great contribution and we eagerly await the KSCs decision so we can figure out the best path forward. Please continue to give feedback here if you have it! |
|
From the @kubeflow/kubeflow-steering-committee meeting today: Voted for by all meeting attending KSC members (4).
Not more not less, so do not interpret too much. This is not supposed to answer all questions and possibilities, but to allow us to move forward with the GSOC project and see how far we get. |
|
Good news! Thank you for sharing the information. |
Helm KEP from @varodrig @chasecadet @juliusvonkohout
Fixed branch from #830
Placeholder: #831
Implementation: kubeflow/manifests#2730