Major upgrade: 1.* to 2.*

Z2JH 2 contains several breaking changes, including some that affect the security of your deployment. This guide will help you upgrade from 1.* to 2.*.

Security: breaking change to *.networkPolicy.egress

NetworkPolicy egress rules have been extended with a new property. If you have configured any of:

  • hub.networkPolicy.egress

  • proxy.chp.networkPolicy.egress

  • proxy.traefik.networkPolicy.egress

  • singleuser.networkPolicy.egress

you must review your configuration, because additional default egress rules have been added. Previously *.networkPolicy.egress controlled all egress; in 2.* a new property, *.networkPolicy.egressAllowRules, adds further egress rules by default, on top of whatever *.networkPolicy.egress lists.

If you had configured *.networkPolicy.egress for hub, proxy.chp, proxy.traefik or singleuser in order to restrict outbound network connections, this upgrade is likely to widen those permissions unless you revise your configuration. The new *.networkPolicy.egressAllowRules grant, by default, most of the egress permissions that the old default value of *.networkPolicy.egress granted, while *.networkPolicy.egress itself now grants nothing by default. Because the two settings are additive, a restrictive egress list carried over from 1.* is combined with the new default allow rules rather than replacing them.

For example, if you had overridden the previously very permissive default of singleuser.networkPolicy.egress with a less permissive list, disable all of singleuser.networkPolicy.egressAllowRules as shown below, so that the upgrade does not widen the permissions you had restricted:

singleuser:
  networkPolicy:
    egressAllowRules:
      cloudMetadataServer: false
      dnsPortsPrivateIPs: false
      nonPrivateIPs: false
      privateIPs: false

For more details, see the documentation on Kubernetes Network Policies and the configuration reference entries under *.networkPolicy.egress and *.networkPolicy.egressAllowRules.
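A practical way to confirm that the upgrade did not widen egress is to audit the NetworkPolicy that Kubernetes actually applies to the pods, rather than reading Helm values. The script below is an added example, not code from the Z2JH chart or its documentation. It takes a NetworkPolicy object as returned by `kubectl get networkpolicy <name> -n <namespace> -o json` (the policy name and namespace are yours to fill in) and answers three address-level questions: can a matched pod reach the cloud metadata server, an arbitrary public IP, and an arbitrary private IP. The four policies at the bottom are constructed samples, including the shape of a 1.* "everything except the metadata server" policy and a locked-down policy, so the script runs offline.

```python
# Audit the effective egress of a Kubernetes NetworkPolicy, e.g. the one applied to
# Z2JH singleuser pods, after a 1.* -> 2.* upgrade. Added example, not Z2JH code.
# Input: the decoded JSON of `kubectl get networkpolicy <name> -o json` (assumed).
# Ports are ignored: a rule allowing 443 to 0.0.0.0/0 still counts as reaching the
# internet. podSelector/namespaceSelector peers match pods, not IP ranges, so they
# are counted separately instead of being treated as reaching a given address.
import ipaddress

METADATA_SERVER = ipaddress.ip_address("169.254.169.254")
# Constructed probe addresses: TEST-NET-3 (never routed) and an RFC 1918 address.
PUBLIC_PROBE = ipaddress.ip_address("203.0.113.10")
PRIVATE_PROBE = ipaddress.ip_address("10.0.0.5")


def egress_restricted(spec):
    """True if this policy constrains egress at all (Kubernetes policyTypes semantics)."""
    types = spec.get("policyTypes")
    if types is None:
        # Default: Ingress is always implied, Egress only when an egress section exists.
        types = ["Ingress"] + (["Egress"] if "egress" in spec else [])
    return "Egress" in types


def ipblock_allows(ipblock, addr):
    """True if addr is inside ipblock.cidr and outside every ipblock.except entry."""
    if addr not in ipaddress.ip_network(ipblock["cidr"], strict=False):
        return False
    return not any(addr in ipaddress.ip_network(e, strict=False) for e in ipblock.get("except", []))


def egress_reaches(spec, addr):
    """True if some egress rule lets a matched pod send to addr on at least one port."""
    if not egress_restricted(spec):
        return True  # the policy does not restrict egress, so it blocks nothing
    for rule in spec.get("egress", []):
        peers = rule.get("to")
        if not peers:
            return True  # an empty or missing "to" matches every destination
        for peer in peers:
            block = peer.get("ipBlock")
            if block is not None and ipblock_allows(block, addr):
                return True
    return False


def count_selector_peers(spec):
    """Egress peers expressed as pod/namespace selectors rather than IP ranges."""
    return sum(1 for rule in spec.get("egress", []) for peer in rule.get("to") or []
               if "podSelector" in peer or "namespaceSelector" in peer)


def audit(policy):
    """Summarise what the policy lets matched pods reach; policy is the decoded JSON object."""
    spec = policy["spec"]
    return {
        "egress_restricted": egress_restricted(spec),
        "metadata_server": egress_reaches(spec, METADATA_SERVER),
        "public_ip": egress_reaches(spec, PUBLIC_PROBE),
        "private_ip": egress_reaches(spec, PRIVATE_PROBE),
        "selector_peers": count_selector_peers(spec),
    }


def _policy(egress, policy_types):
    """Minimal NetworkPolicy object (constructed sample, not a real cluster dump)."""
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": "singleuser"},
            "spec": {"podSelector": {"matchLabels": {"component": "singleuser-server"}},
                     "policyTypes": policy_types, "egress": egress}}


# Internet-wide egress with only the metadata server carved out.
PERMISSIVE = _policy([{"to": [{"ipBlock": {"cidr": "0.0.0.0/0",
                                            "except": ["169.254.169.254/32"]}}]}],
                     ["Ingress", "Egress"])

# Locked down: an internal package mirror on 443 and DNS inside the VPC only.
RESTRICTED = _policy([
    {"to": [{"ipBlock": {"cidr": "10.20.0.0/16"}}], "ports": [{"protocol": "TCP", "port": 443}]},
    {"to": [{"ipBlock": {"cidr": "10.0.0.0/8"}}],
     "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]},
], ["Ingress", "Egress"])

# The locked-down rules plus one rule without "to": a single added rule like this
# re-exposes the metadata server and the internet, which is what the audit must catch.
WIDENED = _policy(RESTRICTED["spec"]["egress"] + [{"ports": [{"protocol": "TCP", "port": 443}]}],
                  ["Ingress", "Egress"])

# Egress rules written but "Egress" missing from policyTypes: nothing is restricted.
NO_EGRESS_TYPE = _policy(RESTRICTED["spec"]["egress"], ["Ingress"])

if __name__ == "__main__":
    for name, pol in (("permissive", PERMISSIVE), ("restricted", RESTRICTED),
                      ("widened", WIDENED), ("no-egress-type", NO_EGRESS_TYPE)):
        print(f"{name:15} {audit(pol)}")
```

Run it against the dumped policy before and after the upgrade and compare the two dictionaries: any field that flips from False to True is an escalation of the permissions you had restricted. Remember that Kubernetes NetworkPolicies are additive across objects, so if several policies select the same pods each one must be audited, and a policy that does not list Egress in policyTypes restricts nothing no matter what its egress section says.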

JupyterLab and Jupyter Server

The default singleuser server is JupyterLab, running on Jupyter Server. To switch back to the classic Jupyter Notebook, either configure or rebuild your singleuser image so that it defaults to notebook, or see the documentation on user interfaces.

KubeSpawner prevents privilege escalation such as sudo by default

By default, processes in singleuser pods cannot escalate their privileges: KubeSpawner now sets allowPrivilegeEscalation: false in the container's securityContext, so a user cannot, for example, use sudo to switch to root. If you have configured sudo or some other privilege-escalation method (such as a setuid binary) inside your singleuser image, you must set singleuser.allowPrivilegeEscalation: true. Do this only if your users genuinely need it, since it restores every setuid-based escalation path present in the image.

singleuser:
  allowPrivilegeEscalation: true

If you want to add custom arguments to the singleuser server command, you must specify the full command and all of its arguments in singleuser.cmd, for example:

singleuser:
  cmd:
    - jupyterhub-singleuser
    - "--collaborative"
    - "--debug"

Configuration in jupyterhub_config.d has a higher priority than hub.config #2457

Previously, if hub.config was used to configure some JupyterHub traitlets, it would override any custom configuration files mounted into jupyterhub_config.d in the hub container. In 2.0.0 all extra customisations (e.g. using hub.extraConfig to provide in-line configuration, or hub.extraFiles to mount files into jupyterhub_config.d) always take precedence over any Helm chart values. Check for traitlets that are set both in hub.config and in a mounted file: the one that wins has changed.

User scheduler plugin configuration has changed to match kubescheduler.config.k8s.io/v1beta3 #2590

Advanced customisation of the user scheduler using plugins now requires Kubernetes 1.21+, and the configuration must follow kubescheduler.config.k8s.io/v1beta3. Such customisation is no longer possible on Kubernetes 1.20.

If you are using the user scheduler without custom plugin configuration you are not affected.

Kubernetes version 1.20+ is required #2635

This Helm chart uses Kubernetes resources that are not available in Kubernetes versions prior to 1.20.

hub.fsGid is replaced by hub.podSecurityContext #2720

In previous versions of Z2JH, hub.fsGid set a supplemental group ID (the pod's fsGroup), which some Kubernetes systems require so that JupyterHub has permission to read and write files on its volume. It has been replaced by the more general hub.podSecurityContext, which accepts the fields of a pod-level securityContext. To upgrade, set the following, using the same group ID you previously had in hub.fsGid:

hub:
  podSecurityContext:
    fsGroup: GROUP-ID

Hub image is based on Debian instead of Ubuntu #2733

The hub container base image has switched from ubuntu:20.04 to python:3.9-slim-bullseye, which is based on debian:bullseye-slim. If you have extended the Z2JH hub image, review the hub Dockerfile: packages and tools you relied on from the Ubuntu base may be absent from the slim Debian image. Note that the singleuser image is not affected.

Disabling RBAC requires setting multiple properties, rbac.enable is removed #2736 #2739

If you previously disabled RBAC using rbac.enable: False, you should set the following. Only do this on a cluster that does not enforce RBAC: with these settings the chart creates no Roles, RoleBindings or ServiceAccounts, so on an RBAC-enforcing cluster the hub, the Traefik proxy, the user scheduler and the image-puller hook would lack the permissions they need.

rbac:
  create: False
hub:
  serviceAccount:
    create: false
proxy:
  traefik:
    serviceAccount:
      create: false
scheduling:
  userScheduler:
    serviceAccount:
      create: false
prePuller:
  hook:
    serviceAccount:
      create: false

When you have updated your configuration follow the rest of the upgrade guide.