Update for model registry operator

[typhoonzero]

Summary by CodeRabbit

• Documentation
  • Converted Model Registry install docs from Helm chart to OperatorHub/operator-based deployment; added step-by-step operator install and instance creation plus expanded parameter guidance (Name, Namespace, MySQL storage, DisplayName, Description) and namespace/UI notes.
  • Added Kubeflow how-to guides: Model Registry usage, Notebooks, Pipelines, TensorBoards, Volumes & KServe, overview and intro pages.
  • Noted Kubeflow Trainer v2 minimum Kubernetes version requirement (>= 1.32.3).

[coderabbitai]

Walkthrough

Replaces chart-based Kubeflow Model Registry deployment with an OperatorHub-based workflow; adds ModelRegistry instance creation steps and parameters, updates namespace/visibility and authorization notes, and adds multiple new Kubeflow how-to documentation pages (pipelines, notebooks, model-registry, tensorboards, volumes-kserve) plus index/intro pages.

Changes

Cohort / File(s)	Summary
Installation doc docs/en/installation/kubeflow.mdx	Replaces Helm chart references with the Model Registry Operator (model-registry-operator); updates deployment flow to OperatorHub/MarketPlace; adds ModelRegistry instance creation steps, parameter guidance (Name, Namespace, MySQL storage class/size, DisplayName, Description), namespace binding and UI visibility notes, and authorization policy placeholder usage.
Model Registry how-to docs/en/kubeflow/how_to/model-registry.mdx	New guide: accessing Model Registry UI, registering models via UI and Python client (examples for S3), retrieving model/version/artifact info, and deploying a registered model to KServe with example InferenceService YAML/usage.
Notebooks how-to docs/en/kubeflow/how_to/notebooks.mdx	New guide: Notebook server concepts, creating/configuring notebook servers, custom images, PodDefault examples, environment/kernel setup, storage and object storage access, and best practices.
Pipelines how-to docs/en/kubeflow/how_to/pipelines.mdx	New guide: Kubeflow Pipelines SDK install, object storage config (ConfigMap example), quick start pipeline example, submission, and UI usage (upload, runs, recurrence, logs).
Tensorboards how-to docs/en/kubeflow/how_to/tensorboards.mdx	New guide: TensorBoard prerequisites (PVC/object store), log generation example, creating/configuring TensorBoard instances, access, usage scenarios, and cleanup.
Volumes & KServe how-to docs/en/kubeflow/how_to/volumes-kserve.mdx	New guide: managing PVCs/volumes, attaching to notebooks, deploying and testing KServe InferenceService endpoints, and related UI workflows.
Index & Intro pages docs/en/kubeflow/index.mdx, docs/en/kubeflow/intro.mdx	New top-level Kubeflow index and intro pages (frontmatter, overview, integration summary, PSA namespace note).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• Add kubeflow deploy doc #95: Prior changes to Kubeflow installation docs covering Model Registry deployment (chart-based) that this PR replaces with operator-based instructions.
• Fix kubeflow install doc #109: Overlapping modifications to the same Kubeflow installation doc around namespace binding, RBAC, and post-deployment setup.

Suggested reviewers

• zhaomingkun1030

Poem

🐇 I hopped through docs both near and far,

Charts laid down, an operator’s star.
Namespaces bound, registries bloom,
Models find a cozy room.
Hooray — the docs now hum a tune! 🎶

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'Update for model registry operator' is vague and doesn't clearly convey the specific nature of the changes; the word 'Update' is non-descriptive and doesn't summarize the main change meaningfully.	Consider a more specific title that describes the main change, such as 'Replace Kubeflow Model Registry Helm chart with operator-based deployment' or 'Update Kubeflow Model Registry installation to use operator instead of Helm chart'.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch update_model_registry_install_with_operator

Tip

Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs).
Share your feedback on Discord.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/en/installation/kubeflow.mdx`:
- Line 217: The docs assume `<model-registry-name>` is known but Kubeflow may
create AuthorizationPolicy resources with different names (e.g.,
`ns-owner-access-istio`), causing "resource not found"; update the instruction
to first list AuthorizationPolicy resources in the target namespace using
`kubectl -n <your-namespace> get authorizationpolicy` to discover the actual
resource name and then run the edit command using that discovered
AuthorizationPolicy resource name (i.e., replace `<model-registry-name>` with
the name returned by the get command).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 717dc992-d273-48f0-8eb6-16ff3a93dc83

📥 Commits

Reviewing files that changed from the base of the PR and between b451348 and 19dc4fd.

📒 Files selected for processing (1)

• docs/en/installation/kubeflow.mdx

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

# First, check if the file exists and view the context around line 217
git ls-files docs/en/installation/kubeflow.mdx

Repository: alauda/aml-docs

Length of output: 92

---

🏁 Script executed:

# View the specific line and surrounding context
sed -n '210,225p' docs/en/installation/kubeflow.mdx

Repository: alauda/aml-docs

Length of output: 1554

---

🌐 Web query:

Kubeflow model-registry-operator AuthorizationPolicy naming convention

💡 Result:

In Kubeflow (including when accessing Model Registry through Istio), the Profile controller / KFAM uses these Istio AuthorizationPolicy naming conventions:

• Profile owner policy: ns-owner-access-istio (kubeflow.org)
• Contributor policy (edit/view): user-<SAFE_USER_EMAIL>-clusterrole-<USER_ROLE> (kubeflow.org)
  • <SAFE_USER_EMAIL> = user email lowercased, with special characters replaced by - (kubeflow.org)
  • <USER_ROLE> = edit or view (kubeflow.org)

Citations:

• 1: https://www.kubeflow.org/docs/components/central-dash/profiles/
• 2: https://www.kubeflow.org/docs/components/central-dash/profiles/
• 3: https://www.kubeflow.org/docs/components/central-dash/profiles/
• 4: https://www.kubeflow.org/docs/components/central-dash/profiles/

---

🌐 Web query:

Kubeflow model-registry ModelRegistry CRD AuthorizationPolicy resource relationship

💡 Result:

• They’re different layers and don’t “point to” each other.

  • ModelRegistry is a Kubernetes Custom Resource (CR) (backed by a ModelRegistry CRD in operator-style installs) that a controller reconciles into the runtime resources (Deployment/Service/etc.) for a Model Registry instance. (github.com)
  • AuthorizationPolicy is an Istio security resource that controls which authenticated/identified callers can reach workloads (typically at the namespace/workload level). In Kubeflow, Profiles create per-namespace Istio AuthorizationPolicy objects for the owner and contributors. (kubeflow.org)

• Where the “relationship” shows up in practice (Kubeflow multi-user):

  1. Kubeflow recommends installing Model Registry into a user Profile namespace (not the shared kubeflow namespace) so it fits Kubeflow’s multi-user isolation model. (kubeflow.org)
  2. A Profile namespace automatically gets Istio AuthorizationPolicy objects (e.g., ns-owner-access-istio, and per-contributor policies). These policies commonly apply namespace-wide (no workload selector), so they effectively govern access to all services in that namespace, including the Model Registry API/UI you deployed there. (kubeflow.org)

• So: the ModelRegistry CR/CRD creates the Model Registry workloads; the Profile-created Istio AuthorizationPolicy restricts network access to those workloads—without any explicit ownerReference or direct linkage between the two resource kinds. (github.com)

Citations:

• 1: https://github.com/opendatahub-io/model-registry-operator
• 2: https://www.kubeflow.org/docs/components/central-dash/profiles/
• 3: https://www.kubeflow.org/docs/components/model-registry/installation/
• 4: https://www.kubeflow.org/docs/components/central-dash/profiles/
• 5: https://github.com/opendatahub-io/model-registry-operator

---

Clarify the AuthorizationPolicy identification step to prevent command failures.

The documentation assumes <model-registry-name> is the AuthorizationPolicy resource name, but Kubeflow's Profile controller generates AuthorizationPolicy with different naming conventions (e.g., ns-owner-access-istio). Users following this instruction verbatim will encounter a "resource not found" error. Add a step to identify the correct AuthorizationPolicy before editing:

kubectl -n <your-namespace> get authorizationpolicy

Then use the actual resource name in the edit command.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/en/installation/kubeflow.mdx` at line 217, The docs assume
`<model-registry-name>` is known but Kubeflow may create AuthorizationPolicy
resources with different names (e.g., `ns-owner-access-istio`), causing
"resource not found"; update the instruction to first list AuthorizationPolicy
resources in the target namespace using `kubectl -n <your-namespace> get
authorizationpolicy` to discover the actual resource name and then run the edit
command using that discovered AuthorizationPolicy resource name (i.e., replace
`<model-registry-name>` with the name returned by the get command).

[cloudflare-workers-and-pages]

Deploying alauda-ai with    Cloudflare Pages

Latest commit:	19dc4fd
Status:	✅  Deploy successful!
Preview URL:	https://0887d15b.alauda-ai.pages.dev
Branch Preview URL:	https://update-model-registry-instal.alauda-ai.pages.dev

View logs

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (1)

docs/en/installation/kubeflow.mdx (1)

217-217: ⚠️ Potential issue | 🟡 Minor

Use the actual AuthorizationPolicy name here, not the ModelRegistry name.

This command still assumes <model-registry-name> is the policy resource name, but Kubeflow profile namespaces typically use different AuthorizationPolicy names. Readers will hit NotFound unless you first show them how to discover the policy, for example with kubectl -n <your-namespace> get authorizationpolicy, and then edit the returned name.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/en/installation/kubeflow.mdx` at line 217, The docs currently instruct
editing `authorizationpolicy <model-registry-name>` but uses the ModelRegistry
name which is often incorrect; update the text to tell users to first discover
the actual AuthorizationPolicy resource name (e.g., run `kubectl -n
<your-namespace> get authorizationpolicy`) and then edit that returned resource
(reference the `AuthorizationPolicy` kind and the `kubectl -n <your-namespace>
edit authorizationpolicy <policy-name>` command), replacing
`<model-registry-name>` with the discovered `<policy-name>` so readers won’t get
NotFound errors.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/en/kubeflow/how_to/pipelines.mdx`:
- Around line 43-46: Replace the hardcoded namespace value under
metadata.namespace in the kfp-launcher manifest (currently "wy-testns") with a
clear placeholder like "<your-profile-namespace>" and update the surrounding
text to state explicitly that this value must match the namespace where Pipeline
runs execute so the kfp-launcher ConfigMap is visible to those runs.

In `@docs/en/kubeflow/intro.mdx`:
- Line 10: The note currently instructs setting the namespace PSA to privileged
for Kubeflow broadly; change the wording to avoid recommending a blanket
namespace-wide privileged PSA by scoping the guidance to only the specific
workloads that require lower PSA (e.g., creating Notebook instances) and/or list
the minimal PSA setting per component; update the sentence that mentions
"namespace PSA to privileged" to instead reference targeted workloads (for
example "set PSA to privileged for the Notebook instance namespace or the
specific pod/service account that requires elevated permissions") and add a
brief pointer to the installation guide or a short table describing the minimal
PSA requirement for each Kubeflow component.

---

Duplicate comments:
In `@docs/en/installation/kubeflow.mdx`:
- Line 217: The docs currently instruct editing `authorizationpolicy
<model-registry-name>` but uses the ModelRegistry name which is often incorrect;
update the text to tell users to first discover the actual AuthorizationPolicy
resource name (e.g., run `kubectl -n <your-namespace> get authorizationpolicy`)
and then edit that returned resource (reference the `AuthorizationPolicy` kind
and the `kubectl -n <your-namespace> edit authorizationpolicy <policy-name>`
command), replacing `<model-registry-name>` with the discovered `<policy-name>`
so readers won’t get NotFound errors.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: cadb0e88-1150-4be6-94e6-b5b9dca96930

📥 Commits

Reviewing files that changed from the base of the PR and between 19dc4fd and bc0aabd.

📒 Files selected for processing (8)

• docs/en/installation/kubeflow.mdx
• docs/en/kubeflow/how_to/model-registry.mdx
• docs/en/kubeflow/how_to/notebooks.mdx
• docs/en/kubeflow/how_to/pipelines.mdx
• docs/en/kubeflow/how_to/tensorboards.mdx
• docs/en/kubeflow/how_to/volumes-kserve.mdx
• docs/en/kubeflow/index.mdx
• docs/en/kubeflow/intro.mdx

✅ Files skipped from review due to trivial changes (3)

• docs/en/kubeflow/how_to/tensorboards.mdx
• docs/en/kubeflow/how_to/model-registry.mdx
• docs/en/kubeflow/how_to/volumes-kserve.mdx

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Replace the hardcoded sample namespace before users copy this manifest.

metadata.namespace: wy-testns makes the example non-portable. If readers apply it verbatim, the kfp-launcher ConfigMap lands in the wrong namespace and Pipeline runs in their profile namespace will not see it. Use a placeholder such as <your-profile-namespace> and explicitly say it must match the namespace where the runs execute.

Suggested doc fix

 metadata:
   name: kfp-launcher
-  namespace: wy-testns
+  namespace: <your-profile-namespace>

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/en/kubeflow/how_to/pipelines.mdx` around lines 43 - 46, Replace the
hardcoded namespace value under metadata.namespace in the kfp-launcher manifest
(currently "wy-testns") with a clear placeholder like "<your-profile-namespace>"
and update the surrounding text to state explicitly that this value must match
the namespace where Pipeline runs execute so the kfp-launcher ConfigMap is
visible to those runs.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Avoid documenting privileged PSA as a blanket Kubeflow prerequisite.

This note makes a namespace-wide privileged PSA level sound required for all Kubeflow components, but the installation guide in this PR only scopes PSA lowering to cases like creating Notebook instances. That can steer users toward a broader-than-necessary security posture. Narrow this to the workloads that actually need elevated permissions, or document the minimal PSA setting per component.

🧰 Tools

🪛 LanguageTool

[style] ~10-~10: Consider a more concise word here.
Context: ... to set the namespace PSA to privileged in order to use Kubeflow components. Please contact...

(IN_ORDER_TO_PREMIUM)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/en/kubeflow/intro.mdx` at line 10, The note currently instructs setting
the namespace PSA to privileged for Kubeflow broadly; change the wording to
avoid recommending a blanket namespace-wide privileged PSA by scoping the
guidance to only the specific workloads that require lower PSA (e.g., creating
Notebook instances) and/or list the minimal PSA setting per component; update
the sentence that mentions "namespace PSA to privileged" to instead reference
targeted workloads (for example "set PSA to privileged for the Notebook instance
namespace or the specific pod/service account that requires elevated
permissions") and add a brief pointer to the installation guide or a short table
describing the minimal PSA requirement for each Kubeflow component.