||The deployment chart to use, default is platform||
||The deployment version to use, this is important if you are using polyaxon-cli to avoid accidentally deploying/upgrading to a version without noticing||
||The namespace that will be used by Polyaxon to create operations and communicate with other services||
||Use Kubernetes role-based access control (RBAC)||
The gateway is the service fronting the traffic to/from Polyaxon. By default it's deployed with
You can use port forwarding to access the API and dashboard on localhost:
By running Polyaxon CLI, you will automatically auto-configure the cli and clients:
Or using kubectl:
kubectl port-forward -n polyaxon svc/polyaxon-polyaxon-gateway 8000:80
||Use Kubernetes ingress||
||Kubernetes ingress path||
||Kubernetes ingress pathType (e.g. on GKE
||Kubernetes ingress hostName||``|
||Use Ingress TLS (Secrets must be manually created in the namespace)||
||Gateway Service type||
||Gateway Service annotations||
This chart provides support for an Ingress resource.
If you enable ingress, please set the gateway service type value to:
- ClusterIP or NodePort
- NodePort or LoadBalancer on GKE
Note: using TLS requires either:
- a preconfigured secret with the TLS secrets in it
- or the user of cert-manager to auto request certs from let's encrypt and store them in a secret.
It's also possible to use a service like externalDNS to auto create the DNS entry for the polyaxon API service.
ingress.kubernetes.io/ssl-redirect: "false" ingress.kubernetes.io/rewrite-target: / ingress.kubernetes.io/add-base-url: "true" ingress.kubernetes.io/proxy-connect-timeout: "600" ingress.kubernetes.io/proxy-read-timeout: "600" ingress.kubernetes.io/proxy-send-timeout: "600" ingress.kubernetes.io/send-timeout: "600" ingress.kubernetes.io/proxy-body-size: 4G
If you have your own certificate you can make a new secret with the
tls.crt and the
then set the secret name in the values file.
To automate the creation and registration of new domain name you can use the following services:
once installed, you can set the values for
ingress: enabled: true hostName: polyaxon.acme.com tls: - secretName: polyaxon.acme-tls hosts: - polyaxon.acme.com
TLS can have more than one host.
In order to get the domain registration to work you need to set the value of
to the annotation needed for your domain:
annotations: domainName: polyaxon.my.domain.com
||To set ssl and serve https with Polyaxon deployed with NodePort service||
NGINX acts as a reverse proxy for the Polyaxon's front-end server, meaning NGINX proxies external HTTP (and HTTPS) requests to the Polyaxon API.
To use an ingress on GKE, the configuration should look like:
ingress: enabled: true hostName: polyaxon.acme.com pathType: ImplementationSpecific path: /* annotations: kubernetes.io/ingress.class: "gce" kubernetes.io/ingress.global-static-ip-name: IP_NAME networking.gke.io/managed-certificates: INGRESS_TLS_CERT_NAME kubernetes.io/ingress.allow-http: "false" ingress.kubernetes.io/rewrite-target: "/"
To use Https in Polyaxon on Kubernetes you can set an ingress-nginx for cluster running on Kubernetes.
Polyaxon's helm chart comes with an ingress resource that you can use with an ingress controller where you should use TLS so that all traffic will be served over HTTPS.
Create a TLS secret that contains your TLS certificate and private key.
kubectl create secret tls polyaxon-tls --key $PATH_TO_KEY --cert $PATH_TO_CERT
Add the tls configuration to Polyaxon's Ingress values. (Do not use CluserIP on GKE)
gateway: service: type: ClusterIP ingress: enabled: true hostName: polyaxon.acme.com tls: - secretName: polyaxon.acme-tls hosts: - polyaxon.acme.com
For more information visit the Nginx Ingress Integration
To enable ssl for Polyaxon API running with NodePort service on Kubernetes, you need to provide an ssl certificate and SSL certificate key.
you can provide a self-signed certificate or a browser trusted certificate.
Create a secret for your certificate:
kubectl create -n polyaxon secret generic polyaxon-cert --from-file=/path/to/certs/polyaxon.com.crt --from-file=/path/to/certs/polyaxon.com.key
Make sure to update your deployment config with reference to the certificate
ssl: enabled: true secretName: 'polyaxon-cert'
Set the service type to
NodePortand update the API's service port to 443.
N.B. By default Polyaxon mounts the SSL certificate and key to
/etc/ssl, this value can be updated using the
||DNS configuration for cluster running with custom dns setup||
Several users deploy Polyaxon on Kubernetes cluster created with kubespray, and by default Kubespray creates Kubernetes with CoreDNS as a cluster DNS server.
Although we could provide logic to detect the DNS used in the cluster, this would require cluster wide RBAC that we think it's unnecessary. The default DNS backend used by Polyaxon is KubeDNS, to set it to a different DNS, you can provide this value in your Polyaxon's deployment config:
dns: backend: "coredns"
Since the DNS service is generally deployed on
kube-system namespace, the default DNS prefix is
coredns.kube-system if you update the previous option.
You can also provide the complete DNS prefix, and not use the DNS backend options:
dns: prefix: "kube-dns.other-kube-system"
OpenShift has a different DNS configuration, the default prefix is:
dns: prefix: "dns-default.openshift-dns"
The default dns cluster used in Polyaxon to resolve routes is
cluster.local, you can provide a Custom Cluster DNS, by setting:
dns: customCluster: "custom.cluster.name"
To set a different time zone for application (convenient for the dashboard and admin interface) you can can provide a valid time zone value
||The timezone to use||
||Node selector for core pod assignment||
||Tolerations for core pod assignment||
||Affinity for core||Please check the values|
Dependent charts can also have values overwritten. Preface values with
Polyaxon comes with a couple of node selectors options to assign pods to nodes for polyaxon's core platform.
Additionally every dependency in the helm package, exposes a node selector option.
By providing these values, or some of them, you can constrain the pods belonging to that category to only run on particular nodes or to prefer to run on particular nodes.
nodeSelector: # Global node selector ... api: nodeSelector: # If null, the global node selector will be used ... scheduler: nodeSelector: # If null, the global node selector will be used ... gateway: nodeSelector: # If null, the global node selector will be used ... streams: nodeSelector: # If null, the global node selector will be used ... operator: nodeSelector: # If null, the global node selector will be used ... postgresql: nodeSelector: ... redis: master: nodeSelector: ... slave: nodeSelector: ... rabbitmq-ha: nodeSelector: ...
If one or more taints are applied to a node, and you want to make sure some pods should not deploy on it, Polyaxon provides tolerations option for the core platform, as well as for all dependencies, e.i. database, broker, expose their own tolerations option.
tolerations: # Global tolerations ... api: tolerations: # If null, the global tolerations will be used ... scheduler: tolerations: # If null, the global tolerations will be used ... gateway: tolerations: # If null, the global tolerations will be used ... streams: tolerations: # If null, the global tolerations will be used ... operator: tolerations: # If null, the global tolerations will be used ... postgresql: tolerations: ... redis: master: tolerations: ... slave: tolerations: ... rabbitmq-ha: tolerations: ...
It allows you to constrain which nodes your pod is eligible to schedule on, based on the node's labels.
Polyaxon has a default
Affinity values for its core components to ensure that they deploy on the same node.
Polyaxon's default affinity:
affinity: podAffinity: preferredDuringSchedulingIgnoredDuringExecution: - weight: 100 podAffinityTerm: labelSelector: matchExpressions: - key: type operator: In values: - "polyaxon-core" topologyKey: "kubernetes.io/hostname"
You can update your config deployment file to set affinity for each dependency:
affinity: # Global affinity ... api: affinity: # If null, the global affinity will be used ... scheduler: affinity: # If null, the global affinity will be used ... gateway: affinity: # If null, the global affinity will be used ... streams: affinity: # If null, the global affinity will be used ... operator: affinity: # If null, the global affinity will be used ... postgresql: affinity: ... redis: master: affinity: ... slave: affinity: ... rabbitmq-ha: affinity: ...
In order to restrict IP addresses and hosts that can communicate with the API
allowedHosts: - 127.0.0.1 - 188.8.131.52 - .mysite.com # (Will consume every subdomain of mysite.com)
In order to receive email and notification with a clickable links to the objects on the platform
Polyaxon UI comes with several flags to:
- Disable the UI in case the API is used for submitting jobs and programmatic use with other tools.
- Enable the admin Dashboard.
- Enable the offline mode, by default some dependencies are loaded from CDN and require access to the internet, if the end users have no access to the internet you can serve these dependencies using the offline mode.
ui: enabled: true offline: false adminEnabled: false
||enable security context||
||security context UID||
||security context GID||
||security context FS||
||Controls whether a process can gain more privileges than its parent process||
||Indicates that the container must run as a non-root user||
||defines behavior of changing ownership and permission of the volume before being exposed inside Pod|
Polyaxon runs all containers as root by default, this configuration is often fine for several deployment, however, in some use cases it can expose a compliance issue for some teams.
Polyaxon provides a simple way to enable a security context for all core components.
securityContext: enabled: false runAsUser: 2222 runAsGroup: 2222 fsGroup: 2222 allowPrivilegeEscalation: false runAsNonRoot: true fsGroupChangePolicy:
securityContext: enabled: true
Or enable with custom UID/GID other than 2222/2222:
securityContext: enabled: true user: 1111 group: 1111
Define behavior of changing ownership and permission of the volume before being exposed inside Pod:
securityContext: enabled: true fsGroupChangePolicy: OnRootMismatch
This will enable a security context to run all containers using a UID/GID == 1111/1111.
N.B. If you are using a host path or a volume for the artifacts store, make sure to allow the UID/GID to access it.
By default Polyaxon does not set limits on the resources for the core components it deploys, in order to enable the resources limits, your config yaml file should include:
This will force Polyaxon to set the resources limits on all services if they include the limits subsections.