Merge branch 'main' into pr/add-changelog-for-2.0.0

Author: minrk

.github/workflows/vuln-scan.yaml

@@ -87,7 +87,7 @@ jobs:
       # Action reference: https://github.com/aquasecurity/trivy-action
       - name: Scan latest published image
         id: scan_1
-        uses: aquasecurity/trivy-action@0105373003c89c494a3f436bd5efc57f3ac1ca20
+        uses: aquasecurity/trivy-action@81b9a6f5abb1047d697af7a3ca18c13f55a97315
         with:
           image-ref: ${{ steps.image.outputs.spec }}
           format: json # ref: https://github.com/aquasecurity/trivy#save-the-results-as-json
@@ -110,7 +110,7 @@ jobs:
       - name: Scan rebuilt image
         id: scan_2
         if: steps.rebuild.outcome == 'success'
-        uses: aquasecurity/trivy-action@0105373003c89c494a3f436bd5efc57f3ac1ca20
+        uses: aquasecurity/trivy-action@81b9a6f5abb1047d697af7a3ca18c13f55a97315
         with:
           image-ref: rebuilt-image
           format: json # ref: https://github.com/aquasecurity/trivy#save-the-results-as-json
@@ -169,7 +169,7 @@ jobs:
 
       - name: Describe vulnerabilities
         if: steps.rebuild.outcome == 'success'
-        uses: aquasecurity/trivy-action@0105373003c89c494a3f436bd5efc57f3ac1ca20
+        uses: aquasecurity/trivy-action@81b9a6f5abb1047d697af7a3ca18c13f55a97315
         with:
           image-ref: rebuilt-image
           format: table

.pre-commit-config.yaml

@@ -21,7 +21,7 @@
 repos:
   # Autoformat: Python code, syntax patterns are modernized
   - repo: https://github.com/asottile/pyupgrade
-    rev: v2.37.1
+    rev: v2.37.3
     hooks:
       - id: pyupgrade
         args:

docs/source/administrator/upgrading/upgrade-1-to-2.md

@@ -66,6 +66,9 @@ Default permissions are mostly unchanged, but a few have:
 - Servers' own API tokens have limited permissions by default, which can be expanded by defining the `server` role. The previous behavior was the maximum permission of `inherit`.
 - `admin_access` as a concept is removed, so disabling it has no effect. In 2.0, admins by definition can do everything, including access servers. To limit user permissions, assign them to roles which have only the needed permissions.
 
+KubeSpawner has replaced the [`kubernetes`] library with [`kubernetes_asyncio`](https://github.com/tomplus/kubernetes_asyncio).
+If you have extended the JupyterHub image and you rely on the kubernetes library you will need to modify your extensions.
+
 See
 [Notable dependencies updated](notable-dependencies-200)
 for more information on other upgraded hub components.
@@ -75,17 +78,15 @@ for more information on other upgraded hub components.
 The default singleuser server is [JupyterLab](https://jupyterlab.readthedocs.io/), running on [Jupyter server](https://jupyter-server.readthedocs.io/en/latest/).
 To switch back to Jupyter Notebook either configure/rebuild your singleuser image to default to notebook, or see [the documentation on user interfaces](user-interfaces)
 
-## Default to using the container image's command instead of `jupyterhub-singleuser` [#2449](https://github.com/jupyterhub/zero-to-jupyterhub-k8s/pull/2449)
+## KubeSpawner prevents privilege escalation such as sudo by default
 
-Z2JH now launches the container's default command (as set e.g. by `CMD` in a `Dockerfile`) instead of overriding it.
-This ensures that containers that use a custom start command to configure their environment, such as some
-[Jupyter Docker Stacks](https://jupyter-docker-stacks.readthedocs.io/en/latest/)
-images, will work without any changes.
-To restore the old behaviour set:
+By default processes cannot escalate their privileges.
+For example, a user cannot use sudo to switch to root.
+If you have configured sudo or some other privilege escalation method inside your singleuser image you must set `singleuser.allowPrivilegeEscalation: true`.
 
 ```yaml
 singleuser:
-  cmd: jupyterhub-singleuser
+  allowPrivilegeEscalation: true
 ```
 
 If you want to add custom arguments to the command, you must specify the full command and any arguments in `singleuser.cmd`, for example:

docs/source/jupyterhub/customizing/user-environment.md

@@ -44,6 +44,9 @@ image containing useful tools and libraries for data science, complete these ste
        # https://github.com/jupyter/docker-stacks/tree/HEAD/datascience-notebook/Dockerfile
        name: jupyter/datascience-notebook
        tag: latest
+       # `cmd: null` allows the custom CMD of the Jupyter docker-stacks to be used
+       # which performs further customization on startup.
+       cmd: null
    ```
 
    ```{note}
@@ -244,10 +247,9 @@ FROM jupyter/minimal-notebook:latest
 RUN pip install --no-cache-dir astropy
 
 # set the default command of the image,
-# if the parent image will not launch a jupyterhub singleuser server.
-# The JupyterHub "Docker stacks" do not need to be overridden.
-# Set either here or in `singleuser.cmd` in your values.yaml
-# CMD ["jupyterhub-singleuser"]
+# if you want to launch more complex startup than the default `juptyerhub-singleuser`.
+# To launch an image's custom CMD instead of the default `jupyterhub-singleuser`
+# set `singleuser.cmd: null` in your config.yaml.
 ```
 
 ```{note}
@@ -529,25 +531,33 @@ this is best done in the ENTRYPOINT of the image,
 and not in the CMD, so that overriding the command does not skip your preparation.
 ```
 
-By default, zero-to-jupyterhub will launch the default CMD that is specified in your chosen image,
-respecting any startup customization that image may have.
-If the image doesn't launch `jupyterhub-singleuser` by default,
-you will additionally need to specify `singleuser.cmd`
-in your `values.yaml` as the command to launch,
-so that it ultimately launches `jupyterhub-singleuser`.
-The simplest version:
+By default, zero-to-jupyterhub will launch the command `jupyterhub-singleuser`.
+If you have an image (such as `jupyter/scipy-notebook` and other Jupyter Docker stacks)
+that defines a CMD with startup customization and ultimately launches `jupyterhub-singleuser`,
+you can chose to launch the image's default CMD instead by setting:
 
 ```yaml
 singleuser:
-  cmd: jupyterhub-singleuser
+  cmd: null
 ```
 
-```{versionchanged} 2.0
-Prior to 2.0, the default behavior of zero-to-jupyterhub was to launch `jupyterhub-singleuser` explicitly,
-ignoring what was in the image.
-The default command is now whatever the image runs by default.
+Alternately, you can specify an explicit custom command as a string or list of strings:
+
+```yaml
+singleuser:
+  cmd:
+    - /usr/local/bin/custom-command
+    - "--flag"
+    - "--other-flag"
 ```
 
+:::{note}
+Docker has `ENTRYPOINT` and `CMD`,
+which k8s calls `command` and `args`.
+zero-to-jupyterhub always respects the ENTRYPOINT of the image,
+and setting `singleuser.cmd` only overrides the CMD.
+:::
+
 ## Disable specific JupyterLab extensions
 
 Sometimes you want to temporarily disable a JupyterLab extension on a JupyterHub

docs/source/jupyterhub/installation.md

@@ -107,7 +107,7 @@ can try with `nano config.yaml`.
    a different terminal:
 
    ```
-   kubectl get pod --namespace jhub
+   kubectl get pod --namespace <k8s-namespace>
    ```
 
    To remain sane we recommend that you enable autocompletion for kubectl

docs/source/kubernetes/microsoft/step-zero-azure-autoscale.md

@@ -263,7 +263,7 @@ If you prefer to use the Azure portal see the [Azure Kubernetes Service quicksta
 
    This should take a few minutes and provide you with a working Kubernetes cluster!
 
-9. If you're using the Azure CLI locally, install [kubectl](https://kubernetes.io/docs/reference/kubectl/overview/), a tool
+9. If you're using the Azure CLI locally, install [kubectl](https://kubernetes.io/docs/reference/kubectl/), a tool
    for accessing the Kubernetes API from the commandline:
 
    ```

docs/source/kubernetes/microsoft/step-zero-azure.md

@@ -227,7 +227,7 @@ If you prefer to use the Azure portal see the [Azure Kubernetes Service quicksta
 
    This should take a few minutes and provide you with a working Kubernetes cluster!
 
-8. If you're using the Azure CLI locally, install [kubectl](https://kubernetes.io/docs/reference/kubectl/overview/), a tool
+8. If you're using the Azure CLI locally, install [kubectl](https://kubernetes.io/docs/reference/kubectl/), a tool
    for accessing the Kubernetes API from the commandline:
 
    ```

docs/source/kubernetes/ovh/step-zero-ovh.md

@@ -1,8 +1,8 @@
 (ovh)=
 
-# Kubernetes on [OVHcloud](https://www.ovh.ie/) (OVH)
+# Kubernetes on [OVHcloud](https://www.ovhcloud.com/) (OVH)
 
-[OVHcloud](https://www.ovh.com/) is a leader in the hosted private cloud services space in Europe.
+[OVHcloud](https://www.ovhcloud.com/) is a leader in the hosted private cloud services space in Europe.
 
 They offer a managed Kubernetes service as well as a managed private registry for Docker images.
 

docs/source/resources/community.md

@@ -111,7 +111,7 @@ kubectl --namespace=<NAMESPACE> get pod -o <json|yaml|wide|name...>
 ```
 
 You can find more information on what kinds of output you can generate at
-[the kubectl information page](https://kubernetes.io/docs/reference/kubectl/overview/).
+[the kubectl information page](https://kubernetes.io/docs/reference/kubectl/).
 (click and search for the text "Output Options")
 
 This is a community maintained list of organizations / people using the Zero to

images/network-tools/Dockerfile

@@ -1,5 +1,5 @@
 FROM alpine:3
 
-# VULN_SCAN_TIME=2022-04-11_01:44:28
+# VULN_SCAN_TIME=2022-07-25_05:26:46
 
 RUN apk add --no-cache iptables