kubeflow · akagami-harsh · Apr 11, 2025 · Jun 9, 2025 · Jun 9, 2025 · Jun 9, 2025
diff --git a/.github/workflows/model_registry_test.yaml b/.github/workflows/model_registry_test.yaml
@@ -20,7 +20,7 @@
    - name: Install KinD, Create KinD cluster and Install kustomize
      run: ./tests/install_KinD_create_KinD_cluster_install_kustomize.sh

    - name: Remove AppArmor profile for mysql in KinD on GHA # https://github.com/kubeflow/manifests/issues/2507
      run: |
        set -x
        sudo apt-get install apparmor-profiles
@@ -45,7 +45,7 @@
       run: ./tests/multi_tenancy_install.sh
 
     - name: Install kubeflow-istio-resources
-      run: kustomize build common/istio-1-24/kubeflow-istio-resources/base | kubectl apply -f -
+      run: kustomize build common/istio-cni-1-24/kubeflow-istio-resources/base | kubectl apply -f -
 
     - name: Create KF Profile
       run: kustomize build common/user-namespace/base | kubectl apply -f -
@@ -88,11 +88,8 @@
           -H 'accept: application/json'
 
     # for these steps below ensure same steps as kserve (ie: Istio with external authentication, cert-manager, knative) so to achieve same setup
-    - name: Port forward Istio gateway
-      run: |
-        INGRESS_GATEWAY_SERVICE=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0].metadata.name}')
-        nohup kubectl port-forward --namespace istio-system svc/${INGRESS_GATEWAY_SERVICE} 8080:80 &
-        while ! curl localhost:8080; do echo waiting for port-forwarding; sleep 1; done; echo port-forwarding ready
+    - name: Port forward
+      run: ./tests/port_forward_gateway.sh
 
     - name: Dry-run KF Model Registry REST API
       run: |

diff --git a/.github/workflows/notebook_controller_test.yaml b/.github/workflows/notebook_controller_test.yaml
@@ -34,7 +34,7 @@
       run: ./tests/oauth2-proxy_install.sh
 
     - name: Install kubeflow-istio-resources
-      run: kustomize build common/istio-1-24/kubeflow-istio-resources/base | kubectl apply -f -
+      run: kustomize build common/istio-cni-1-24/kubeflow-istio-resources/base | kubectl apply -f -
 
     - name: Install KF Multi Tenancy
       run: ./tests/multi_tenancy_install.sh
@@ -50,11 +50,8 @@
       run: kustomize build common/user-namespace/base | kubectl apply -f -
 
     - name: Port forward
-      run: |
-        INGRESS_GATEWAY_SERVICE=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0].metadata.name}')
-        nohup kubectl port-forward --namespace istio-system svc/${INGRESS_GATEWAY_SERVICE} 8080:80 &
-        while ! curl localhost:8080; do echo waiting for port-forwarding; sleep 1; done; echo port-forwarding ready
-
+      run: ./tests/port_forward_gateway.sh
+
     - name: List notebooks over API with authorized SA Token
       run: |
         KF_PROFILE=kubeflow-user-example-com

diff --git a/apps/centraldashboard/upstream/overlays/istio/authorizationpolicy.yaml b/apps/centraldashboard/upstream/overlays/istio/authorizationpolicy.yaml
@@ -8,7 +8,7 @@ spec:
     - from:
         - source:
             principals:
-              - cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account
+              - cluster.local/ns/istio-system/sa/kubeflow-gateway-istio
   selector:
     matchLabels:
       app: centraldashboard
diff --git a/apps/centraldashboard/upstream/overlays/istio/kustomization.yaml b/apps/centraldashboard/upstream/overlays/istio/kustomization.yaml
@@ -7,37 +7,18 @@ resources:
 namespace: kubeflow
 replacements:
 - source:
-    fieldPath: metadata.namespace
+    fieldPath: metadata.name
     kind: Service
     name: centraldashboard
     version: v1
   targets:
   - fieldPaths:
-    - spec.http.0.route.0.destination.host
-    options:
-      delimiter: .
-      index: 1
+    - spec.rules.0.backendRefs.0.name
     select:
-      group: networking.istio.io
-      kind: VirtualService
+      group: gateway.networking.k8s.io
+      kind: HTTPRoute
       name: centraldashboard
-      version: v1alpha3
-- source:
-    fieldPath: data.CD_CLUSTER_DOMAIN
-    kind: ConfigMap
-    name: centraldashboard-parameters
-    version: v1
-  targets:
-  - fieldPaths:
-    - spec.http.0.route.0.destination.host
-    options:
-      delimiter: .
-      index: 3
-    select:
-      group: networking.istio.io
-      kind: VirtualService
-      name: centraldashboard
-      version: v1alpha3
+      version: v1beta1
 configurations:
 - params.yaml
 labels:

diff --git a/apps/centraldashboard/upstream/overlays/istio/params.yaml b/apps/centraldashboard/upstream/overlays/istio/params.yaml
@@ -1,3 +1,3 @@
 varReference:
-- path: spec/http/route/destination/host
-  kind: VirtualService
+- path: spec/rules/backendRefs/name
+  kind: HTTPRoute
diff --git a/apps/centraldashboard/upstream/overlays/istio/virtual-service.yaml b/apps/centraldashboard/upstream/overlays/istio/virtual-service.yaml
@@ -1,20 +1,22 @@
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
 metadata:
   name: centraldashboard
 spec:
-  gateways:
-  - kubeflow-gateway
-  hosts:
-  - '*'
-  http:
-  - match:
-    - uri:
-        prefix: /
-    rewrite:
-      uri: /
-    route:
-    - destination:
-        host: centraldashboard.CD_NAMESPACE_PLACEHOLDER.svc.CD_CLUSTER_DOMAIN_PLACEHOLDER
-        port:
-          number: 80
+  parentRefs:
+  - name: kubeflow-gateway
+    namespace: istio-system
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /
+    filters:
+    - type: URLRewrite
+      urlRewrite:
+        path:
+          type: ReplacePrefixMatch
+          replacePrefixMatch: /
+    backendRefs:
+    - name: centraldashboard
+      port: 80
diff --git a/apps/jupyter/jupyter-web-app/upstream/overlays/istio/authorization-policy.yaml b/apps/jupyter/jupyter-web-app/upstream/overlays/istio/authorization-policy.yaml
@@ -8,7 +8,7 @@ spec:
     - from:
         - source:
             principals:
-              - cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account
+              - cluster.local/ns/istio-system/sa/kubeflow-gateway-istio
   selector:
     matchLabels:
       app: jupyter-web-app
diff --git a/apps/jupyter/jupyter-web-app/upstream/overlays/istio/destination-rule.yaml b/apps/jupyter/jupyter-web-app/upstream/overlays/istio/destination-rule.yaml
@@ -1,4 +1,4 @@
-apiVersion: networking.istio.io/v1alpha3
+apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
   name: jupyter-web-app

diff --git a/apps/jupyter/jupyter-web-app/upstream/overlays/istio/params.yaml b/apps/jupyter/jupyter-web-app/upstream/overlays/istio/params.yaml
@@ -1,3 +1,3 @@
 varReference:
-- path: spec/http/route/destination/host
-  kind: VirtualService
+- path: spec/rules/backendRefs/name
+  kind: HTTPRoute
diff --git a/apps/jupyter/jupyter-web-app/upstream/overlays/istio/virtual-service.yaml b/apps/jupyter/jupyter-web-app/upstream/overlays/istio/virtual-service.yaml
@@ -1,24 +1,27 @@
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
 metadata:
   name: jupyter-web-app-jupyter-web-app
 spec:
-  gateways:
-  - kubeflow-gateway
-  hosts:
-  - '*'
-  http:
-  - headers:
-      request:
+  parentRefs:
+  - name: kubeflow-gateway
+    namespace: istio-system
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /jupyter/
+    filters:
+    - type: RequestHeaderModifier
+      requestHeaderModifier:
         add:
-          x-forwarded-prefix: /jupyter
-    match:
-    - uri:
-        prefix: /jupyter/
-    rewrite:
-      uri: /
-    route:
-    - destination:
-        host: jupyter-web-app-service.$(JWA_NAMESPACE).svc.$(JWA_CLUSTER_DOMAIN)
-        port:
-          number: 80
+        - name: x-forwarded-prefix
+          value: /jupyter
+    - type: URLRewrite
+      urlRewrite:
+        path:
+          type: ReplacePrefixMatch
+          replacePrefixMatch: /
+    backendRefs:
+    - name: jupyter-web-app-service
+      port: 80
diff --git a/apps/katib/upstream/installs/katib-with-kubeflow/istio-authorizationpolicy.yaml b/apps/katib/upstream/installs/katib-with-kubeflow/istio-authorizationpolicy.yaml
@@ -12,4 +12,5 @@ spec:
   rules:
     - from:
         - source:
-            principals: ["cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"]
+                    principals:
+        - "cluster.local/ns/istio-system/sa/kubeflow-gateway-istio"
diff --git a/apps/katib/upstream/installs/katib-with-kubeflow/params.yaml b/apps/katib/upstream/installs/katib-with-kubeflow/params.yaml
@@ -1,4 +1,4 @@
 ---
 varReference:
-  - path: spec/http/route/destination/host
-    kind: VirtualService
+  - path: spec/rules/backendRefs/name
+    kind: HTTPRoute
diff --git a/apps/katib/upstream/installs/katib-with-kubeflow/ui-virtual-service.yaml b/apps/katib/upstream/installs/katib-with-kubeflow/ui-virtual-service.yaml
@@ -1,21 +1,23 @@
 ---
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
 metadata:
   name: katib-ui
 spec:
-  gateways:
-    - kubeflow-gateway
-  hosts:
-    - "*"
-  http:
-    - match:
-        - uri:
-            prefix: /katib/
-      rewrite:
-        uri: /katib/
-      route:
-        - destination:
-            host: katib-ui.$(KATIB_UI_NAMESPACE).svc.cluster.local
-            port:
-              number: 80
+  parentRefs:
+  - name: kubeflow-gateway
+    namespace: istio-system
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /katib/
+    filters:
+    - type: URLRewrite
+      urlRewrite:
+        path:
+          type: ReplacePrefixMatch
+          replacePrefixMatch: /katib/
+    backendRefs:
+    - name: katib-ui
+      port: 80
diff --git a/apps/kserve/models-web-app/base/istio.yaml b/apps/kserve/models-web-app/base/istio.yaml
@@ -1,21 +1,23 @@
-apiVersion: networking.istio.io/v1beta1
-kind: VirtualService
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
 metadata:
   name: kserve-models-web-app
   namespace: kserve
 spec:
-  gateways:
-  - knative-serving/knative-ingress-gateway
-  hosts:
-  - '*'
-  http:
-  - match:
-    - uri:
-        prefix: /kserve-endpoints/
-    rewrite:
-      uri: /
-    route:
-    - destination:
-        host: kserve-models-web-app.kserve.svc.cluster.local
-        port:
-          number: 80
+  parentRefs:
+  - name: kubeflow-gateway
+    namespace: istio-system
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /kserve-endpoints/
+    filters:
+    - type: URLRewrite
+      urlRewrite:
+        path:
+          type: ReplacePrefixMatch
+          replacePrefixMatch: /
+    backendRefs:
+    - name: kserve-models-web-app
+      port: 80
diff --git a/apps/kserve/models-web-app/overlays/kubeflow/kustomization.yaml b/apps/kserve/models-web-app/overlays/kubeflow/kustomization.yaml
@@ -35,8 +35,8 @@ labels:
 patches:
 - path: patches/web-app-vsvc.yaml
   target:
-    group: networking.istio.io
-    kind: VirtualService
+    group: gateway.networking.k8s.io
+    kind: HTTPRoute
     name: kserve-models-web-app
     namespace: kserve
     version: v1beta1

diff --git a/apps/kserve/models-web-app/overlays/kubeflow/patches/web-app-vsvc.yaml b/apps/kserve/models-web-app/overlays/kubeflow/patches/web-app-vsvc.yaml
@@ -1,14 +1,10 @@
 - op: replace
-  path: /spec/gateways
+  path: /spec/parentRefs
   value:
-    - kubeflow/kubeflow-gateway
+    - name: kubeflow-gateway
+      namespace: istio-system
 - op: replace
-  path: /spec/http/0/route/0/destination
+  path: /spec/rules/0/backendRefs/0
   value:
-    host: kserve-models-web-app.kubeflow.svc.cluster.local
-    port:
-      number: 80
-- op: replace
-  path: /spec/gateways
-  value:
-    - kubeflow/kubeflow-gateway
+    name: kserve-models-web-app
+    port: 80
diff --git a/apps/kserve/models-web-app/overlays/kubeflow/web-app-authorization-policy.yaml b/apps/kserve/models-web-app/overlays/kubeflow/web-app-authorization-policy.yaml
@@ -15,4 +15,4 @@ spec:
   - from:
     - source:
         principals:
-        - cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account
+        - cluster.local/ns/istio-system/sa/kubeflow-gateway-istio
diff --git a/apps/model-registry/upstream/options/istio/destination-rule.yaml b/apps/model-registry/upstream/options/istio/destination-rule.yaml
@@ -1,4 +1,4 @@
-apiVersion: networking.istio.io/v1alpha3
+apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
   name: model-registry-service