
fix: bump mlflow-kubernetes-plugins to 1.3.0 for MLflow 3.13 auth coverage#315

Merged
openshift-merge-bot[bot] merged 1 commit into
opendatahub-io:masterfrom
kramaranya:fix-mlflow-auth-odh-master
Jun 19, 2026

Conversation

@kramaranya

@kramaranya kramaranya commented Jun 19, 2026


Summary

https://redhat.atlassian.net/browse/RHOAIENG-70228

Upstream / Downstream Impact

  • Downstream-only change for opendatahub-io/mlflow
  • Also affects upstream mlflow/mlflow
  • No upstream impact / not applicable

If relevant, add any upstream issue or follow-up link here:

Testing

  • CI
  • Unit tests
  • Manual testing
  • Not run (explain why)

Testing details:

Summary by CodeRabbit

  • Chores
    • Updated mlflow-kubernetes-plugins dependency to version 1.3.0.

…erage

Signed-off-by: kramaranya <kramaranya15@gmail.com>
@openshift-ci openshift-ci Bot requested review from HumairAK and mprahl June 19, 2026 11:41
@github-actions github-actions Bot added the size/XS Pull request size: XS label Jun 19, 2026
@coderabbitai

coderabbitai Bot commented Jun 19, 2026

📝 Walkthrough

requirements/konflux-pypi.in increments the pinned version of mlflow-kubernetes-plugins from 1.2.1 to 1.3.0. requirements/konflux-pypi-requirements.txt reflects this by updating the version string and replacing the two SHA256 hashes with those matching the 1.3.0 artifacts.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes


Supply chain surface (CWE-829 / CWE-494): Two items require explicit verification before merge:

  1. Hash provenance — Confirm the new SHA256 hashes in konflux-pypi-requirements.txt match what PyPI publishes for mlflow-kubernetes-plugins==1.3.0. A substituted hash is the canonical signal of a dependency confusion or package tampering attack.

  2. Release integrity — Verify 1.3.0 was published by the expected maintainer on PyPI. No CVE is currently assigned to this package, but an unreviewed minor bump from a Kubernetes-adjacent plugin is relevant to CWE-1104 (use of unmaintained third-party components) and warrants a changelog diff between 1.2.1 and 1.3.0.

🚥 Pre-merge checks | ✅ 9 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name | Status | Explanation | Resolution
Description check | ❓ Inconclusive | Description includes Jira ticket link and upstream impact checkbox selection, but lacks detail on what security or authentication coverage changes are provided in 1.3.0 and why testing was not performed. | Clarify what specific authentication vulnerabilities or coverage gaps 1.3.0 addresses for MLflow 3.13, and explain why testing was not run despite this being a dependency bump affecting authentication.
✅ Passed checks (9 passed)
Check name | Status | Explanation
Title check | ✅ Passed | Title accurately describes the primary change: bumping mlflow-kubernetes-plugins to 1.3.0 for MLflow 3.13 auth coverage.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Contribution Quality And Spam Detection | ✅ Passed | PR is a legitimate dependency bump with Jira ticket reference, conventional commit format, and hash verification. First-time contributor with single focused change does not constitute spam given th...
No Hardcoded Secrets | ✅ Passed | No hardcoded secrets detected. Files contain only package names, versions, and SHA256 integrity hashes—all public, expected values in Python requirement lock files.
No Weak Cryptography | ✅ Passed | PR contains only dependency version bump (mlflow-kubernetes-plugins 1.2.1→1.3.0) with SHA256 hashes. No weak cryptographic primitives (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto, or t...
No Injection Vectors | ✅ Passed | The PR changes only two requirement files (konflux-pypi.in and konflux-pypi-requirements.txt), which are plaintext dependency specifications containing only package names, versions, SHA256 hashes,...
No Privileged Containers | ✅ Passed | PR only modifies Python dependency files (konflux-pypi.in, konflux-pypi-requirements.txt). No Kubernetes manifests, Helm templates, or Dockerfiles are present—check is not applicable.
No Sensitive Data In Logs | ✅ Passed | PR only modifies dependency version pinning in requirements files (konflux-pypi.in/.txt). No logging statements or sensitive data exposure in code changes. Check not applicable to dependency versio...

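The hash-provenance check the walkthrough asks for, written out as an added example (this is not code from the PR, the project or the review bot): it parses the `--hash=sha256:` pins of a pip-compile lock file and compares them with the digests the PyPI JSON API reports for that release. The lock text and digests are constructed; `verify_pin` and the other names are hypothetical.

```python
import re

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s\\]+)")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def normalize(name: str) -> str:
    """PEP 503 normalisation: 'MLflow_Kubernetes.Plugins' -> 'mlflow-kubernetes-plugins'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_lock(text: str) -> dict[tuple[str, str], set[str]]:
    """(name, version) -> pinned sha256 digests; joins pip-compile's '\\' continuation lines."""
    pins: dict[tuple[str, str], set[str]] = {}
    logical = ""
    for raw in text.splitlines() + [""]:
        line = raw.strip()
        if line.endswith("\\"):
            logical += line[:-1] + " "
            continue
        logical += line
        m = PIN_RE.match(logical)  # '# via ...' comment lines never match
        if m:
            pins[(normalize(m.group(1)), m.group(2))] = set(HASH_RE.findall(logical))
        logical = ""
    return pins


def published_digests(release_json: dict) -> set[str]:
    """sha256 of every artifact in a /pypi/<name>/<version>/json response ('urls')."""
    return {u["digests"]["sha256"] for u in release_json.get("urls", [])}


def verify_pin(lock_text: str, name: str, version: str, release_json: dict) -> dict:
    """A digest PyPI never published means a hand-edited lock or a substituted artifact."""
    pinned = parse_lock(lock_text).get((normalize(name), version))
    if pinned is None:
        return {"ok": False, "reason": "pin not found"}
    if not pinned:
        return {"ok": False, "reason": "pin has no --hash, integrity not enforced"}
    published = published_digests(release_json)
    unknown = sorted(pinned - published)
    return {"ok": not unknown, "unknown_hashes": unknown,
            "unpinned_artifacts": sorted(published - pinned)}


# Constructed sample data, not the real 1.3.0 digests: an sdist and a wheel digest.
SDIST, WHEEL, TAMPERED = "a1" * 32, "b2" * 32, "c3" * 32
LOCK = f"""mlflow-kubernetes-plugins==1.3.0 \\
    --hash=sha256:{SDIST} \\
    --hash=sha256:{WHEEL}
    # via -r requirements/konflux-pypi.in
"""
PYPI = {"urls": [{"digests": {"sha256": SDIST}}, {"digests": {"sha256": WHEEL}}]}
```

For a real run, `release_json` is the parsed body of the same `/pypi/<name>/<version>/json` endpoint the review bot's script queries, and `lock_text` is the content of requirements/konflux-pypi-requirements.txt.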

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@requirements/konflux-pypi.in`:
- Line 13: The mlflow-kubernetes-plugins==1.3.0 dependency update in the
konflux-pypi.in file lacks test validation evidence. Run integration tests with
mlflow-kubernetes-plugins 1.3.0 against your locked MLflow version to confirm
runtime compatibility. Additionally, check the transitive dependencies
introduced by mlflow-kubernetes-plugins 1.3.0 (kubernetes >=29.0.0 and
graphql-core >=3.2.0) against the version constraints already locked in
requirements/konflux-aipcc-requirements.txt to verify there are no conflicts or
version mismatches. Document the test results and dependency verification
findings in the pull request to provide the required validation evidence.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 206441fc-2400-4f83-a260-dad4070ad06f

📥 Commits

Reviewing files that changed from the base of the PR and between 121043f and 88aac32.

📒 Files selected for processing (2)
  • requirements/konflux-pypi-requirements.txt
  • requirements/konflux-pypi.in

# python requirements/compile.py

mlflow-kubernetes-plugins==1.2.1
mlflow-kubernetes-plugins==1.3.0
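Review bot: the pin in requirements/konflux-pypi.in moves to 1.3.0, but the matching change to the two SHA256 hashes in requirements/konflux-pypi-requirements.txt is not visible in this hunk; since the file header says the lock is produced by `python requirements/compile.py`, regenerate the lock with that script rather than editing the hashes by hand, and note in the PR description that the resulting digests were compared against the ones PyPI publishes for the 1.3.0 artifacts.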


⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

What are the changes in mlflow-kubernetes-plugins version 1.3.0 compared to 1.2.1?

💡 Result:

The mlflow-kubernetes-plugins package version 1.3.0, released on June 12, 2026 [1][2], is part of the Kubeflow mlflow-integration repository [2]. While official release notes detailing specific code changes between 1.2.1 and 1.3.0 are not explicitly indexed in public summaries, the package maintains its core functionality as a Kubernetes-backed WorkspaceProvider and an optional Kubernetes RBAC authorization plugin [3][2]. Key information regarding this release:

  • Repository Migration: The project is now hosted under the kubeflow/mlflow-integration repository [2], having moved from its previous location at opendatahub-io/mlflow-kubernetes-plugins [4].
  • Versioning: Version 1.3.0 was released shortly after 1.2.1 (which was released on May 8, 2026) [1][5].
  • Dependencies: Version 1.3.0 requires MLflow <4.0.0, >=3.10.0, Kubernetes >=29.0.0, and graphql-core >=3.2.0 [3]. It requires Python >=3.12 [3].
  • Scope: The plugin continues to provide workspace mapping to Kubernetes namespaces and Kubernetes-based request authorization [3][2].

For a complete list of commits or granular code changes between versions 1.2.1 and 1.3.0, please consult the commit history directly on the kubeflow/mlflow-integration GitHub repository [2].

Citations:


🏁 Script executed:

#!/bin/bash
# Check transitive dependencies of mlflow-kubernetes-plugins 1.3.0
pip show mlflow-kubernetes-plugins 2>/dev/null || echo "Package not installed, checking PyPI metadata"

# Try to fetch package metadata from PyPI
python3 - <<'PY'
import json
import urllib.request

try:
    url = "https://pypi.org/pypi/mlflow-kubernetes-plugins/1.3.0/json"
    with urllib.request.urlopen(url, timeout=10) as response:
        data = json.loads(response.read())
        print("=== mlflow-kubernetes-plugins 1.3.0 Dependencies ===")
        requires = data['info'].get('requires_dist', [])
        if requires:
            for req in requires:
                print(req)
        else:
            print("No requires_dist found")
except Exception as e:
    print(f"Error fetching metadata: {e}")
PY

Repository: opendatahub-io/mlflow

Length of output: 264


🏁 Script executed:

#!/bin/bash
# Check if requirements/konflux-aipcc-requirements.txt exists and examine it
if [ -f "requirements/konflux-aipcc-requirements.txt" ]; then
    echo "=== Contents of konflux-aipcc-requirements.txt ==="
    head -50 requirements/konflux-aipcc-requirements.txt
else
    echo "File not found. Searching for similar files:"
    find . -name "*requirements*.txt" -o -name "*requirements*.in" 2>/dev/null | grep -v ".git"
fi

Repository: opendatahub-io/mlflow

Length of output: 2729


🌐 Web query:

mlflow-kubernetes-plugins 1.3.0 release notes changelog kubeflow mlflow-integration

💡 Result:

Not enough source evidence was retrieved in this run to provide the actual “release notes/changelog” contents for mlflow-kubernetes-plugins version 1.3.0.

What I could verify from authoritative sources:

  • The package exists and is described as providing a Kubernetes-backed workspace provider plus an optional Kubernetes authorization plugin for MLflow workspaces. [1]
  • In the Kubeflow integration docs, the entry points are:
    • kubernetes -> MLflow hook mlflow.workspace_provider [2]
    • kubernetes-auth -> MLflow hook mlflow.app [3]
  • mlflow-kubernetes-plugins 1.3.0 has dependency constraints for MLflow (>=3.10.0, <4.0.0). [1]

What is missing (for 1.3.0 specifically):

  • I did not find any retrieved page (PyPI, the integration repo, or GitHub release pages indexed in the search results) that contains the text of the 1.3.0 “release notes” or a “what’s changed” changelog section for that exact version. [1]

If you want, I can do a second targeted search round specifically for the GitHub release tag “v1.3.0” and/or a compare link “v1.2.x...v1.3.0” to extract the exact changelog entries.

Citations:


🏁 Script executed:

#!/bin/bash
# Extract locked MLflow version from konflux-aipcc-requirements.txt to check compatibility
grep "^mlflow==" requirements/konflux-aipcc-requirements.txt | head -5

Repository: opendatahub-io/mlflow

Length of output: 47


🌐 Web query:

site:github.com kubeflow/mlflow-integration v1.3.0 release changelog

💡 Result:

The kubeflow/mlflow-integration repository currently lists version v1.3.0 as its latest release, published on June 12, 2026 [1]. There is no publicly available changelog text specifically attached to the v1.3.0 release tag in the repository's release section [1]. It is important to note that the Kubeflow ecosystem previously released a major version labeled v1.3.0 in April 2021 [2]; however, this is distinct from the versioning used by the kubeflow/mlflow-integration repository, which was created in March 2026 [1]. Users should not confuse the repository's v1.3.0 release with the historical Kubeflow 1.3.0 platform release [2][3]. For details on the latest changes, users may refer to the repository's commit history or pull request logs, as the official release page for v1.3.0 does not contain descriptive release notes [1].

Citations:


🌐 Web query:

mlflow-kubernetes-plugins 1.3.0 transitive dependencies kubernetes graphql-core requirements

💡 Result:

The mlflow-kubernetes-plugins version 1.3.0 package requires the following primary dependencies [1]:

  • mlflow: >=3.10.0 and <4.0.0 [1]
  • kubernetes: >=29.0.0 [1]
  • graphql-core: >=3.2.0 [1]

The dependency on graphql-core is listed as a direct dependency of the package [1]. Transitive dependencies are the dependencies of these primary packages, which will vary based on the specific versions of mlflow, kubernetes, and graphql-core installed in your Python environment [1].

Citations:


MLflow 3.13 compatibility is satisfied; shift focus to test validation evidence.

The version constraint for mlflow-kubernetes-plugins 1.3.0 explicitly requires MLflow >=3.10.0, <4.0.0—MLflow 3.13 falls within this range. No compatibility risk exists on that axis.

However, dependency bumps remain a supply-chain surface (CWE-1104: Use of Unmaintained Third Party Components). The valid concern is test validation:

Provide:

  1. Test results confirming mlflow-kubernetes-plugins 1.3.0 works with your locked MLflow version
  2. Verification that transitive dependencies of 1.3.0 (kubernetes >=29.0.0, graphql-core >=3.2.0) do not conflict with locked versions in requirements/konflux-aipcc-requirements.txt

Note: GitHub release page for v1.3.0 contains no descriptive release notes; consult commit history if detailed changelog is required.


@DaoDaoNoCode DaoDaoNoCode left a comment

Member


/lgtm

@openshift-ci

openshift-ci Bot commented Jun 19, 2026


[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: DaoDaoNoCode, pmccarthy

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot Bot merged commit 4adadfe into opendatahub-io:master Jun 19, 2026
57 checks passed

Labels

approved lgtm size/XS Pull request size: XS
