mirror of
https://github.com/bitnami/charts.git
synced 2026-02-10 20:27:38 +08:00
Bitnami package for MLflow
MLflow is an open-source platform designed to manage the end-to-end machine learning lifecycle. It allows you to track experiments, package code into reproducible runs, and share and deploy models.
Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement.
TL;DR
helm install my-release oci://registry-1.docker.io/bitnamicharts/mlflow
Looking to use MLflow in production? Try VMware Tanzu Application Catalog, the commercial edition of the Bitnami catalog.
⚠️ Important Notice: Upcoming changes to the Bitnami Catalog
Beginning August 28th, 2025, Bitnami will evolve its public catalog to offer a curated set of hardened, security-focused images under the new Bitnami Secure Images initiative. As part of this transition:
- Granting community users access for the first time to security-optimized versions of popular container images.
- Bitnami will begin deprecating support for non-hardened, Debian-based software images in its free tier and will gradually remove non-latest tags from the public catalog. As a result, community users will have access to a reduced number of hardened images. These images are published only under the “latest” tag and are intended for development purposes
- Starting August 28th, over two weeks, all existing container images, including older or versioned tags (e.g., 2.50.0, 10.6), will be migrated from the public catalog (docker.io/bitnami) to the “Bitnami Legacy” repository (docker.io/bitnamilegacy), where they will no longer receive updates.
- For production workloads and long-term support, users are encouraged to adopt Bitnami Secure Images, which include hardened containers, smaller attack surfaces, CVE transparency (via VEX/KEV), SBOMs, and enterprise support.
These changes aim to improve the security posture of all Bitnami users by promoting best practices for software supply chain integrity and up-to-date deployments. For more details, visit the Bitnami Secure Images announcement.
Introduction
This chart bootstraps a MLflow deployment on a Kubernetes cluster using the Helm package manager.
Python is built for full integration into Python that enables you to use it with its libraries and main packages.
Prerequisites
- Kubernetes 1.19+
- Helm 3.2.0+
- PV provisioner support in the underlying infrastructure
- ReadWriteMany volumes for deployment scaling
Installing the Chart
To install the chart with the release name my-release:
helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/mlflow
Note: You need to substitute the placeholders
REGISTRY_NAMEandREPOSITORY_NAMEwith a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to useREGISTRY_NAME=registry-1.docker.ioandREPOSITORY_NAME=bitnamicharts.
The command deploys mlflow on the Kubernetes cluster in the default configuration. The Parameters section lists the parameters that can be configured during installation.
Tip
: List all releases using
helm list
Configuration and installation details
Resource requests and limits
Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the resources value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case.
To make this process easier, the chart contains the resourcesPreset values, which automatically sets the resources section according to different presets. Check these presets in the bitnami/common chart. However, in production workloads using resourcesPreset is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the official Kubernetes documentation.
Prometheus metrics
This chart can be integrated with Prometheus by setting tracking.metrics.enabled to true. This will expose MLFlow native Prometheus endpoint in the service. It will have the necessary annotations to be automatically scraped by Prometheus.
Prometheus requirements
It is necessary to have a working installation of Prometheus or Prometheus Operator for the integration to work. Install the Bitnami Prometheus helm chart or the Bitnami Kube Prometheus helm chart to easily have a working Prometheus in your cluster.
Integration with Prometheus Operator
The chart can deploy ServiceMonitor objects for integration with Prometheus Operator installations. To do so, set the value tracking.metrics.serviceMonitor.enabled=true. Ensure that the Prometheus Operator CustomResourceDefinitions are installed in the cluster or it will fail with the following error:
no matches for kind "ServiceMonitor" in version "monitoring.coreos.com/v1"
Install the Bitnami Kube Prometheus helm chart for having the necessary CRDs and the Prometheus Operator.
Securing traffic using TLS
MLflow can encrypt communications by setting tracking.tls.enabled=true. The chart allows two configuration options:
- Provide your own secret using the
tracking.tls.certificatesSecretvalue. Also set the correct name of the certificate files using thetracking.tls.certFilename,tracking.tls.certKeyFilenameandtracking.tls.certCAFilenamevalues. - Have the chart auto-generate the certificates using
tracking.tls.autoGenerated=true.
Backup and restore
To back up and restore Helm chart deployments on Kubernetes, you need to back up the persistent volumes from the source deployment and attach them to a new deployment using Velero, a Kubernetes backup/restore tool. Find the instructions for using Velero in this guide.
Parameters
Global parameters
| Name | Description | Value |
|---|---|---|
global.imageRegistry |
Global Docker image registry | "" |
global.imagePullSecrets |
Global Docker registry secret names as an array | [] |
global.defaultStorageClass |
Global default StorageClass for Persistent Volume(s) | "" |
global.security.allowInsecureImages |
Allows skipping image verification | false |
global.compatibility.openshift.adaptSecurityContext |
Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | auto |
Common parameters
| Name | Description | Value |
|---|---|---|
kubeVersion |
Override Kubernetes version | "" |
apiVersions |
Override Kubernetes API versions reported by .Capabilities | [] |
nameOverride |
String to partially override common.names.name | "" |
fullnameOverride |
String to fully override common.names.fullname | "" |
namespaceOverride |
String to fully override common.names.namespace | "" |
commonLabels |
Labels to add to all deployed objects | {} |
commonAnnotations |
Annotations to add to all deployed objects | {} |
clusterDomain |
Kubernetes cluster domain name | cluster.local |
extraDeploy |
Array of extra objects to deploy with the release | [] |
diagnosticMode.enabled |
Enable diagnostic mode (all probes will be disabled and the command will be overridden) | false |
diagnosticMode.command |
Command to override all containers in the deployment | ["sleep"] |
diagnosticMode.args |
Args to override all containers in the deployment | ["infinity"] |
MLflow common Parameters
| Name | Description | Value |
|---|---|---|
image.registry |
mlflow image registry | REGISTRY_NAME |
image.repository |
mlflow image repository | REPOSITORY_NAME/mlflow |
image.digest |
mlflow image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag image tag (immutable tags are recommended) | "" |
image.pullPolicy |
mlflow image pull policy | IfNotPresent |
image.pullSecrets |
mlflow image pull secrets | [] |
image.debug |
Enable mlflow image debug mode | false |
gitImage.registry |
Git image registry | REGISTRY_NAME |
gitImage.repository |
Git image repository | REPOSITORY_NAME/git |
gitImage.digest |
Git image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | "" |
gitImage.pullPolicy |
Git image pull policy | IfNotPresent |
gitImage.pullSecrets |
Specify docker-registry secret names as an array | [] |
MLflow Tracking parameters
| Name | Description | Value |
|---|---|---|
tracking.enabled |
Enable Tracking server | true |
tracking.replicaCount |
Number of mlflow replicas to deploy | 1 |
tracking.host |
mlflow tracking listening host. Set to "[::]" to use ipv6. | 0.0.0.0 |
tracking.containerPorts.http |
mlflow HTTP container port | 5000 |
tracking.livenessProbe.enabled |
Enable livenessProbe on mlflow containers | true |
tracking.livenessProbe.initialDelaySeconds |
Initial delay seconds for livenessProbe | 5 |
tracking.livenessProbe.periodSeconds |
Period seconds for livenessProbe | 10 |
tracking.livenessProbe.timeoutSeconds |
Timeout seconds for livenessProbe | 5 |
tracking.livenessProbe.failureThreshold |
Failure threshold for livenessProbe | 5 |
tracking.livenessProbe.successThreshold |
Success threshold for livenessProbe | 1 |
tracking.readinessProbe.enabled |
Enable readinessProbe on mlflow containers | true |
tracking.readinessProbe.initialDelaySeconds |
Initial delay seconds for readinessProbe | 5 |
tracking.readinessProbe.periodSeconds |
Period seconds for readinessProbe | 10 |
tracking.readinessProbe.timeoutSeconds |
Timeout seconds for readinessProbe | 5 |
tracking.readinessProbe.failureThreshold |
Failure threshold for readinessProbe | 5 |
tracking.readinessProbe.successThreshold |
Success threshold for readinessProbe | 1 |
tracking.startupProbe.enabled |
Enable startupProbe on mlflow containers | false |
tracking.startupProbe.initialDelaySeconds |
Initial delay seconds for startupProbe | 5 |
tracking.startupProbe.periodSeconds |
Period seconds for startupProbe | 10 |
tracking.startupProbe.timeoutSeconds |
Timeout seconds for startupProbe | 5 |
tracking.startupProbe.failureThreshold |
Failure threshold for startupProbe | 5 |
tracking.startupProbe.successThreshold |
Success threshold for startupProbe | 1 |
tracking.customLivenessProbe |
Custom livenessProbe that overrides the default one | {} |
tracking.customReadinessProbe |
Custom readinessProbe that overrides the default one | {} |
tracking.customStartupProbe |
Custom startupProbe that overrides the default one | {} |
tracking.resourcesPreset |
Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if tracking.resources is set (tracking.resources is recommended for production). | medium |
tracking.resources |
Set container requests and limits for different resources like CPU or memory (essential for production workloads) | {} |
tracking.podSecurityContext.enabled |
Enabled mlflow pods' Security Context | true |
tracking.podSecurityContext.fsGroupChangePolicy |
Set filesystem group change policy | Always |
tracking.podSecurityContext.sysctls |
Set kernel settings using the sysctl interface | [] |
tracking.podSecurityContext.supplementalGroups |
Set filesystem extra groups | [] |
tracking.podSecurityContext.fsGroup |
Set mlflow pod's Security Context fsGroup | 1001 |
tracking.containerSecurityContext.enabled |
Enabled containers' Security Context | true |
tracking.containerSecurityContext.seLinuxOptions |
Set SELinux options in container | {} |
tracking.containerSecurityContext.runAsUser |
Set containers' Security Context runAsUser | 1001 |
tracking.containerSecurityContext.runAsGroup |
Set containers' Security Context runAsGroup | 1001 |
tracking.containerSecurityContext.privileged |
Set containers' Security Context privileged | false |
tracking.containerSecurityContext.runAsNonRoot |
Set containers' Security Context runAsNonRoot | true |
tracking.containerSecurityContext.readOnlyRootFilesystem |
Set containers' Security Context readOnlyRootFilesystem | true |
tracking.containerSecurityContext.allowPrivilegeEscalation |
Set container's privilege escalation | false |
tracking.containerSecurityContext.capabilities.drop |
Set container's Security Context runAsNonRoot | ["ALL"] |
tracking.containerSecurityContext.seccompProfile.type |
Set container's Security Context seccomp profile | RuntimeDefault |
tracking.auth.enabled |
Enable basic authentication | true |
tracking.auth.username |
Admin username | user |
tracking.auth.password |
Admin password | "" |
tracking.auth.flaskServerSecretKey |
Flask server secret key (required for enabling CSRF protection) | "" |
tracking.auth.existingSecret |
Name of a secret containing the admin password | "" |
tracking.auth.existingSecretUserKey |
Key inside the secret containing the admin password | "" |
tracking.auth.existingSecretPasswordKey |
Key inside the secret containing the admin password | "" |
tracking.auth.existingSecretFlaskServerSecretKey |
Key inside the secret containing the flask server secret key | "" |
tracking.auth.extraOverrides |
Add extra settings to the basic_auth.ini file | {} |
tracking.auth.overridesConfigMap |
Name of a ConfigMap containing overrides to the basic_auth.ini file | "" |
tracking.tls.enabled |
Enable TLS traffic support | false |
tracking.tls.autoGenerated |
Generate automatically self-signed TLS certificates | false |
tracking.tls.certificatesSecret |
Name of an existing secret that contains the certificates | "" |
tracking.tls.certFilename |
Certificate filename | "" |
tracking.tls.certKeyFilename |
Certificate key filename | "" |
tracking.tls.certCAFilename |
CA Certificate filename | "" |
tracking.command |
Override default container command (useful when using custom images) | [] |
tracking.args |
Override default container args (useful when using custom images) | [] |
tracking.extraArgs |
Add extra arguments together with the default ones | [] |
tracking.runUpgradeDB |
Add an init container to run mlflow db upgrade | false |
tracking.automountServiceAccountToken |
Mount Service Account token in pod | false |
tracking.hostAliases |
mlflow pods host aliases | [] |
tracking.podLabels |
Extra labels for mlflow pods | {} |
tracking.podAnnotations |
Annotations for mlflow pods | {} |
tracking.podAffinityPreset |
Pod affinity preset. Ignored if .affinity is set. Allowed values: soft or hard |
"" |
tracking.podAntiAffinityPreset |
Pod anti-affinity preset. Ignored if .affinity is set. Allowed values: soft or hard |
soft |
tracking.pdb.create |
Enable/disable a Pod Disruption Budget creation | true |
tracking.pdb.minAvailable |
Minimum number/percentage of pods that should remain scheduled | "" |
tracking.pdb.maxUnavailable |
Maximum number/percentage of pods that may be made unavailable | "" |
tracking.autoscaling.hpa.enabled |
Enable HPA | false |
tracking.autoscaling.hpa.minReplicas |
Minimum number of replicas | "" |
tracking.autoscaling.hpa.maxReplicas |
Maximum number of replicas | "" |
tracking.autoscaling.hpa.targetCPU |
Target CPU utilization percentage | "" |
tracking.autoscaling.hpa.targetMemory |
Target Memory utilization percentage | "" |
tracking.autoscaling.vpa.enabled |
Enable VPA | false |
tracking.autoscaling.vpa.annotations |
Annotations for VPA resource | {} |
tracking.autoscaling.vpa.controlledResources |
VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory | [] |
tracking.autoscaling.vpa.maxAllowed |
VPA Max allowed resources for the pod | {} |
tracking.autoscaling.vpa.minAllowed |
VPA Min allowed resources for the pod | {} |
tracking.autoscaling.vpa.updatePolicy.updateMode |
Autoscaling update policy Specifies whether recommended updates are applied when a Pod is started and whether recommended updates are applied during the life of a Pod | Auto |
tracking.nodeAffinityPreset.type |
Node affinity preset type. Ignored if .affinity is set. Allowed values: soft or hard |
"" |
tracking.nodeAffinityPreset.key |
Node label key to match. Ignored if .affinity is set |
"" |
tracking.nodeAffinityPreset.values |
Node label values to match. Ignored if .affinity is set |
[] |
tracking.affinity |
Affinity for mlflow pods assignment | {} |
tracking.nodeSelector |
Node labels for mlflow pods assignment | {} |
tracking.tolerations |
Tolerations for mlflow pods assignment | [] |
tracking.updateStrategy.type |
mlflow statefulset strategy type | RollingUpdate |
tracking.priorityClassName |
mlflow pods' priorityClassName | "" |
tracking.topologySpreadConstraints |
Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | [] |
tracking.schedulerName |
Name of the k8s scheduler (other than default) for mlflow pods | "" |
tracking.terminationGracePeriodSeconds |
Seconds Redmine pod needs to terminate gracefully | "" |
tracking.lifecycleHooks |
for the mlflow container(s) to automate configuration before or after startup | {} |
tracking.extraEnvVars |
Array with extra environment variables to add to mlflow nodes | [] |
tracking.extraEnvVarsCM |
Name of existing ConfigMap containing extra env vars for mlflow nodes | "" |
tracking.extraEnvVarsSecret |
Name of existing Secret containing extra env vars for mlflow nodes | "" |
tracking.extraVolumes |
Optionally specify extra list of additional volumes for the mlflow pod(s) | [] |
tracking.extraVolumeMounts |
Optionally specify extra list of additional volumeMounts for the mlflow container(s) | [] |
tracking.sidecars |
Add additional sidecar containers to the mlflow pod(s) | [] |
tracking.enableDefaultInitContainers |
Add default init containers to the deployment | true |
tracking.initContainers |
Add additional init containers to the mlflow pod(s) | [] |
MLflow Tracking Traffic Exposure Parameters
| Name | Description | Value |
|---|---|---|
tracking.service.type |
mlflow service type | LoadBalancer |
tracking.service.ports.http |
mlflow service HTTP port | 80 |
tracking.service.ports.https |
mlflow service HTTPS port | 443 |
tracking.service.nodePorts.http |
Node port for HTTP | "" |
tracking.service.nodePorts.https |
Node port for HTTPS | "" |
tracking.service.clusterIP |
mlflow service Cluster IP | "" |
tracking.service.loadBalancerIP |
mlflow service Load Balancer IP | "" |
tracking.service.loadBalancerSourceRanges |
mlflow service Load Balancer sources | [] |
tracking.service.labels |
Add labels to the service object | {} |
tracking.service.externalTrafficPolicy |
mlflow service external traffic policy | Cluster |
tracking.service.annotations |
Additional custom annotations for mlflow service | {} |
tracking.service.extraPorts |
Extra ports to expose in mlflow service (normally used with the sidecars value) |
[] |
tracking.service.sessionAffinity |
Control where client requests go, to the same pod or round-robin | None |
tracking.service.sessionAffinityConfig |
Additional settings for the sessionAffinity | {} |
tracking.ingress.enabled |
Enable ingress record generation for mlflow | false |
tracking.ingress.pathType |
Ingress path type | ImplementationSpecific |
tracking.ingress.hostname |
Default host for the ingress record | mlflow.local |
tracking.ingress.ingressClassName |
IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | "" |
tracking.ingress.path |
Default path for the ingress record | / |
tracking.ingress.annotations |
Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | {} |
tracking.ingress.tls |
Enable TLS configuration for the host defined at ingress.hostname parameter |
false |
tracking.ingress.selfSigned |
Create a TLS secret for this ingress record using self-signed certificates generated by Helm | false |
tracking.ingress.extraHosts |
An array with additional hostname(s) to be covered with the ingress record | [] |
tracking.ingress.extraPaths |
An array with additional arbitrary paths that may need to be added to the ingress under the main host | [] |
tracking.ingress.extraTls |
TLS configuration for additional hostname(s) to be covered with this ingress record | [] |
tracking.ingress.secrets |
Custom TLS certificates as secrets | [] |
tracking.ingress.extraRules |
Additional rules to be covered with this ingress record | [] |
tracking.networkPolicy.enabled |
Enable creation of NetworkPolicy resources | true |
tracking.networkPolicy.allowExternal |
The Policy model to apply | true |
tracking.networkPolicy.allowExternalEgress |
Allow the pod to access any range of port and all destinations. | true |
tracking.networkPolicy.extraIngress |
Add extra ingress rules to the NetworkPolicy | [] |
tracking.networkPolicy.extraEgress |
Add extra ingress rules to the NetworkPolicy | [] |
tracking.networkPolicy.ingressNSMatchLabels |
Labels to match to allow traffic from other namespaces | {} |
tracking.networkPolicy.ingressNSPodMatchLabels |
Pod labels to match to allow traffic from other namespaces | {} |
MLflow Tracking Persistence Parameters
| Name | Description | Value |
|---|---|---|
tracking.persistence.enabled |
Enable persistence using Persistent Volume Claims | true |
tracking.persistence.mountPath |
Path to mount the volume at. | /bitnami/mlflow |
tracking.persistence.subPath |
The subdirectory of the volume to mount to, useful in dev environments and one PV for multiple services | "" |
tracking.persistence.storageClass |
Storage class of backing PVC | "" |
tracking.persistence.labels |
Persistent Volume labels | {} |
tracking.persistence.annotations |
Persistent Volume Claim annotations | {} |
tracking.persistence.accessModes |
Persistent Volume Access Modes | ["ReadWriteOnce"] |
tracking.persistence.size |
Size of data volume | 8Gi |
tracking.persistence.existingClaim |
The name of an existing PVC to use for persistence | "" |
tracking.persistence.selector |
Selector to match an existing Persistent Volume for MLflow data PVC | {} |
tracking.persistence.dataSource |
Custom PVC data source | {} |
MLflow Tracking Other Parameters
| Name | Description | Value |
|---|---|---|
tracking.serviceAccount.create |
Specifies whether a ServiceAccount should be created | true |
tracking.serviceAccount.name |
The name of the ServiceAccount to use. | "" |
tracking.serviceAccount.annotations |
Additional Service Account annotations (evaluated as a template) | {} |
tracking.serviceAccount.automountServiceAccountToken |
Automount service account token for the server service account | false |
MLflow Tracking Metrics Parameters
| Name | Description | Value |
|---|---|---|
tracking.metrics.enabled |
Enable the export of Prometheus metrics | false |
tracking.metrics.annotations |
Annotations for the tracking service in order to scrape metrics | {} |
tracking.metrics.serviceMonitor.enabled |
if true, creates a Prometheus Operator ServiceMonitor (also requires metrics.enabled to be true) |
false |
tracking.metrics.serviceMonitor.namespace |
Namespace in which Prometheus is running | "" |
tracking.metrics.serviceMonitor.annotations |
Additional custom annotations for the ServiceMonitor | {} |
tracking.metrics.serviceMonitor.labels |
Extra labels for the ServiceMonitor | {} |
tracking.metrics.serviceMonitor.jobLabel |
The name of the label on the target service to use as the job name in Prometheus | "" |
tracking.metrics.serviceMonitor.honorLabels |
honorLabels chooses the metric's labels on collisions with target labels | false |
tracking.metrics.serviceMonitor.interval |
Interval at which metrics should be scraped. | "" |
tracking.metrics.serviceMonitor.scrapeTimeout |
Timeout after which the scrape is ended | "" |
tracking.metrics.serviceMonitor.metricRelabelings |
Specify additional relabeling of metrics | [] |
tracking.metrics.serviceMonitor.relabelings |
Specify general relabeling | [] |
tracking.metrics.serviceMonitor.selector |
Prometheus instance selector labels | {} |
MLflow Run Parameters
| Name | Description | Value |
|---|---|---|
run.enabled |
Enable Run deployment | true |
run.useJob |
Deploy as job | false |
run.backoffLimit |
set backoff limit of the job | 10 |
run.restartPolicy |
set restart policy of the job | OnFailure |
run.extraEnvVars |
Array with extra environment variables to add to run nodes | [] |
run.extraEnvVarsCM |
Name of existing ConfigMap containing extra env vars for run nodes | "" |
run.extraEnvVarsSecret |
Name of existing Secret containing extra env vars for run nodes | "" |
run.annotations |
Annotations for the run deployment | {} |
run.command |
Override default container command (useful when using custom images) | [] |
run.args |
Override default container args (useful when using custom images) | [] |
run.terminationGracePeriodSeconds |
Run termination grace period (in seconds) | "" |
run.customLivenessProbe |
Custom livenessProbe that overrides the default one | {} |
run.customReadinessProbe |
Custom readinessProbe that overrides the default one | {} |
run.customStartupProbe |
Custom startupProbe that overrides the default one | {} |
run.resourcesPreset |
Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if run.resources is set (run.resources is recommended for production). | small |
run.resources |
Set container requests and limits for different resources like CPU or memory (essential for production workloads) | {} |
run.podSecurityContext.enabled |
Enabled Run pods' Security Context | true |
run.podSecurityContext.fsGroupChangePolicy |
Set filesystem group change policy | Always |
run.podSecurityContext.sysctls |
Set kernel settings using the sysctl interface | [] |
run.podSecurityContext.supplementalGroups |
Set filesystem extra groups | [] |
run.podSecurityContext.fsGroup |
Set Run pod's Security Context fsGroup | 1001 |
run.containerSecurityContext.enabled |
Enabled Run containers' Security Context | true |
run.containerSecurityContext.seLinuxOptions |
Set SELinux options in container | {} |
run.containerSecurityContext.runAsUser |
Set Run containers' Security Context runAsUser | 1001 |
run.containerSecurityContext.runAsGroup |
Set Run containers' Security Context runAsGroup | 1001 |
run.containerSecurityContext.runAsNonRoot |
Set Run containers' Security Context runAsNonRoot | true |
run.containerSecurityContext.privileged |
Set Run containers' Security Context privileged | false |
run.containerSecurityContext.readOnlyRootFilesystem |
Set Run containers' Security Context runAsNonRoot | true |
run.containerSecurityContext.allowPrivilegeEscalation |
Set Run container's privilege escalation | false |
run.containerSecurityContext.capabilities.drop |
Set Run container's Security Context runAsNonRoot | ["ALL"] |
run.containerSecurityContext.seccompProfile.type |
Set Run container's Security Context seccomp profile | RuntimeDefault |
run.lifecycleHooks |
for the run container(s) to automate configuration before or after startup | {} |
run.runtimeClassName |
Name of the runtime class to be used by pod(s) | "" |
run.automountServiceAccountToken |
Mount Service Account token in pod | false |
run.hostAliases |
run pods host aliases | [] |
run.labels |
Extra labels for the run deployment | {} |
run.podLabels |
Extra labels for run pods | {} |
run.podAnnotations |
Annotations for run pods | {} |
run.podAffinityPreset |
Pod affinity preset. Ignored if run.affinity is set. Allowed values: soft or hard |
"" |
run.podAntiAffinityPreset |
Pod anti-affinity preset. Ignored if run.affinity is set. Allowed values: soft or hard |
soft |
run.nodeAffinityPreset.type |
Node affinity preset type. Ignored if run.affinity is set. Allowed values: soft or hard |
"" |
run.nodeAffinityPreset.key |
Node label key to match. Ignored if run.affinity is set |
"" |
run.nodeAffinityPreset.values |
Node label values to match. Ignored if run.affinity is set |
[] |
run.affinity |
Affinity for Run pods assignment | {} |
run.nodeSelector |
Node labels for Run pods assignment | {} |
run.tolerations |
Tolerations for Run pods assignment | [] |
run.topologySpreadConstraints |
Topology Spread Constraints for pod assignment spread across your cluster among failure-domains | [] |
run.priorityClassName |
Run pods' priorityClassName | "" |
run.schedulerName |
Kubernetes pod scheduler registry | "" |
run.updateStrategy.type |
Run statefulset strategy type | RollingUpdate |
run.updateStrategy.rollingUpdate |
Run statefulset rolling update configuration parameters | {} |
run.extraVolumes |
Optionally specify extra list of additional volumes for the Run pod(s) | [] |
run.extraVolumeMounts |
Optionally specify extra list of additional volumeMounts for the Run container(s) | [] |
run.sidecars |
Add additional sidecar containers to the Run pod(s) | [] |
run.enableDefaultInitContainers |
Deploy default init containers | true |
run.initContainers |
Add additional init containers to the Run pod(s) | [] |
run.networkPolicy.enabled |
Enable creation of NetworkPolicy resources | true |
run.networkPolicy.allowExternal |
The Policy model to apply | true |
run.networkPolicy.allowExternalEgress |
Allow the pod to access any range of port and all destinations. | true |
run.networkPolicy.extraIngress |
Add extra ingress rules to the NetworkPolicy | [] |
run.networkPolicy.extraEgress |
Add extra ingress rules to the NetworkPolicy | [] |
run.networkPolicy.ingressNSMatchLabels |
Labels to match to allow traffic from other namespaces | {} |
run.networkPolicy.ingressNSPodMatchLabels |
Pod labels to match to allow traffic from other namespaces | {} |
run.source.type |
Where the source comes from: Possible values: configmap, git, custom | configmap |
run.source.launchCommand |
deepspeed command to run over the project | "" |
run.source.configMap |
List of files of the project | {} |
run.source.existingConfigMap |
Name of a configmap containing the files of the project | "" |
run.source.git.repository |
Repository that holds the files | "" |
run.source.git.revision |
Revision from the repository to checkout | "" |
run.source.git.extraVolumeMounts |
Add extra volume mounts for the Git container | [] |
run.serviceAccount.create |
Enable creation of ServiceAccount for Run pods | true |
run.serviceAccount.name |
The name of the ServiceAccount to use | "" |
run.serviceAccount.automountServiceAccountToken |
Allows auto mount of ServiceAccountToken on the serviceAccount created | false |
run.serviceAccount.annotations |
Additional custom annotations for the ServiceAccount | {} |
Mlflow Run persistence paramaters
| Name | Description | Value |
|---|---|---|
run.persistence.enabled |
Use a PVC to persist data | false |
run.persistence.storageClass |
discourse & sidekiq data Persistent Volume Storage Class | "" |
run.persistence.existingClaim |
Use a existing PVC which must be created manually before bound | "" |
run.persistence.mountPath |
Path to mount the volume at | /bitnami/mlflow/data |
run.persistence.subPath |
subPath to use for mounting the volume | "" |
run.persistence.accessModes |
Persistent Volume Access Mode | ["ReadWriteOnce"] |
run.persistence.dataSource |
Custom PVC data source | {} |
run.persistence.selector |
Selector to match an existing Persistent Volume for the run data PVC | {} |
run.persistence.size |
Size of data volume | 8Gi |
run.persistence.labels |
Persistent Volume labels | {} |
run.persistence.annotations |
Persistent Volume annotations | {} |
Init Container Parameters
| Name | Description | Value |
|---|---|---|
volumePermissions.enabled |
Enable init container that changes the owner/group of the PV mount point to runAsUser:fsGroup |
false |
volumePermissions.image.registry |
OS Shell + Utility image registry | REGISTRY_NAME |
volumePermissions.image.repository |
OS Shell + Utility image repository | REPOSITORY_NAME/os-shell |
volumePermissions.image.pullPolicy |
OS Shell + Utility image pull policy | IfNotPresent |
volumePermissions.image.pullSecrets |
OS Shell + Utility image pull secrets | [] |
volumePermissions.resourcesPreset |
Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | nano |
volumePermissions.resources |
Set container requests and limits for different resources like CPU or memory (essential for production workloads) | {} |
volumePermissions.containerSecurityContext.enabled |
Set container security context settings | true |
volumePermissions.containerSecurityContext.seLinuxOptions |
Set SELinux options in container | {} |
volumePermissions.containerSecurityContext.runAsUser |
Set init container's Security Context runAsUser | 0 |
waitContainer.image.registry |
Init container wait-container image registry | REGISTRY_NAME |
waitContainer.image.repository |
Init container wait-container image name | REPOSITORY_NAME/os-shell |
waitContainer.image.digest |
Init container wait-container image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | "" |
waitContainer.image.pullPolicy |
Init container wait-container image pull policy | IfNotPresent |
waitContainer.image.pullSecrets |
Specify docker-registry secret names as an array | [] |
waitContainer.containerSecurityContext.enabled |
Enabled containers' Security Context | true |
waitContainer.containerSecurityContext.seLinuxOptions |
Set SELinux options in container | {} |
waitContainer.containerSecurityContext.runAsUser |
Set containers' Security Context runAsUser | 1001 |
waitContainer.containerSecurityContext.runAsGroup |
Set containers' Security Context runAsGroup | 1001 |
waitContainer.containerSecurityContext.runAsNonRoot |
Set containers' Security Context runAsNonRoot | true |
waitContainer.containerSecurityContext.privileged |
Set containers' Security Context privileged | false |
waitContainer.containerSecurityContext.readOnlyRootFilesystem |
Set containers' Security Context runAsNonRoot | true |
waitContainer.containerSecurityContext.allowPrivilegeEscalation |
Set container's privilege escalation | false |
waitContainer.containerSecurityContext.capabilities.drop |
Set container's Security Context runAsNonRoot | ["ALL"] |
waitContainer.containerSecurityContext.seccompProfile.type |
Set container's Security Context seccomp profile | RuntimeDefault |
PostgreSQL chart configuration
| Name | Description | Value |
|---|---|---|
postgresql.enabled |
Switch to enable or disable the PostgreSQL helm chart | true |
postgresql.auth.username |
Name for a custom user to create | bn_mlflow |
postgresql.auth.password |
Password for the custom user to create | "" |
postgresql.auth.database |
Name for a custom database to create | bitnami_mlflow |
postgresql.auth.existingSecret |
Name of existing secret to use for PostgreSQL credentials | "" |
postgresql.architecture |
PostgreSQL architecture (standalone or replication) |
standalone |
postgresql.primary.service.ports.postgresql |
PostgreSQL service port | 5432 |
postgresql.primary.initdb.scripts |
Map with init scripts for the PostgreSQL database | {} |
External PostgreSQL configuration
| Name | Description | Value |
|---|---|---|
externalDatabase.dialectDriver |
Database Dialect(+Driver) | postgresql |
externalDatabase.host |
Database host | "" |
externalDatabase.port |
Database port number | 5432 |
externalDatabase.user |
Non-root username | postgres |
externalDatabase.password |
Password for the non-root username | "" |
externalDatabase.database |
Database name | mlflow |
externalDatabase.authDatabase |
Database name for the auth module (only if tracking.auth.enabled=true) | mlflow_auth |
externalDatabase.existingSecret |
Name of an existing secret resource containing the database credentials | "" |
externalDatabase.existingSecretPasswordKey |
Name of an existing secret key containing the database credentials | db-password |
MinIO® chart parameters
| Name | Description | Value |
|---|---|---|
minio |
For full list of MinIO® values configurations please refere here | |
minio.enabled |
Enable/disable MinIO® chart installation | true |
minio.auth.rootUser |
MinIO® root username | admin |
minio.auth.rootPassword |
Password for MinIO® root user | "" |
minio.auth.existingSecret |
Name of an existing secret containing the MinIO® credentials | "" |
minio.defaultBuckets |
Comma, semi-colon or space separated list of MinIO® buckets to create | mlflow |
minio.provisioning.enabled |
Enable/disable MinIO® provisioning job | true |
minio.provisioning.extraCommands |
Extra commands to run on MinIO® provisioning job | ["mc anonymous set download provisioning/mlflow"] |
minio.tls.enabled |
Enable/disable MinIO® TLS support | false |
minio.service.type |
MinIO® service type | ClusterIP |
minio.service.loadBalancerIP |
MinIO® service LoadBalancer IP | "" |
minio.service.ports.api |
MinIO® service port | 80 |
minio.console.enabled |
Enable MinIO® Console | false |
External S3 parameters
| Name | Description | Value |
|---|---|---|
externalS3.host |
External S3 host. When using AWS S3, include appropriate regional code, e.g. "eu-central-1.amazonaws.com | "" |
externalS3.port |
External S3 port number | 443 |
externalS3.useCredentialsInSecret |
Whether to use a secret to store the S3 credentials | true |
externalS3.accessKeyID |
External S3 access key ID | "" |
externalS3.accessKeySecret |
External S3 access key secret | "" |
externalS3.existingSecret |
Name of an existing secret resource containing the S3 credentials | "" |
externalS3.existingSecretAccessKeyIDKey |
Name of an existing secret key containing the S3 access key ID | root-user |
externalS3.existingSecretKeySecretKey |
Name of an existing secret key containing the S3 access key secret | root-password |
externalS3.protocol |
External S3 protocol | https |
externalS3.bucket |
External S3 bucket | mlflow |
externalS3.serveArtifacts |
Whether artifact serving is enabled | true |
External Google Cloud Storage parameters
| Name | Description | Value |
|---|---|---|
externalGCS.bucket |
GCS bucket name. Activate gcs artifact storage if set | "" |
externalGCS.googleCloudProject |
Google Cloud Project to use (optional, needed when using "default application credentials") | "" |
externalGCS.useCredentialsInSecret |
Whether to read the GCS application credentials from a secret | false |
externalGCS.existingSecret |
Name of an existing secret key containing the application credentials file (required when useCredentialsInSecret is true) | "" |
externalGCS.existingSecretKey |
Key in the existing secret containing the application credentials (required when useCredentialsInSecret is true) | "" |
externalGCS.serveArtifacts |
Whether artifact serving is enabled | true |
External Azure Blob Storage parameters
| Name | Description | Value |
|---|---|---|
externalAzureBlob.storageAccount |
Azure Blob Storage account name. Activate azure artifact storage if set, | "" |
externalAzureBlob.accessKey |
Azure Blob Storage access key. Optional if connectionString is set | "" |
externalAzureBlob.connectionString |
Azure Blob Storage connection string. Optional if accessKey is set. | "" |
externalAzureBlob.containerName |
Azure Blob Storage container name | mlflow |
externalAzureBlob.clientId |
Azure Blob Storage client ID | "" |
externalAzureBlob.tenantId |
Azure Blob Storage tenant ID | "" |
externalAzureBlob.clientSecret |
Azure Blob Storage client secret | "" |
externalAzureBlob.useCredentialsInSecret |
Whether to read the Azure Blob Storage credentials from a secret | false |
externalAzureBlob.existingSecret |
Name of an existing secret key containing the Azure Blob Storage credentials (required when useCredentialsInSecret is true) | "" |
externalAzureBlob.existingAccessKeyKey |
Key in the existing secret containing the Azure Blob Storage access key (required when useCredentialsInSecret is true) | "" |
externalAzureBlob.existingConnectionStringKey |
Key in the existing secret containing the Azure Blob Storage connection string (required when useCredentialsInSecret is true) | "" |
externalAzureBlob.clientSecretKey |
Key in the existing secret containing the Azure Blob Storage client secret (required when useCredentialsInSecret is true) | "" |
externalAzureBlob.serveArtifacts |
Whether artifact serving is enabled | true |
The MLflow chart supports three different ways to load your files in the run deployment. In order of priority, they are:
- Existing config map
- Add files in the values.yaml
- Cloning a git repository
This means that if you specify a config map with your files, it won't check the files defined in values.yaml directory nor the git repository.
In order to use an existing config map, set the run.source.existingConfigMap=my-config-map parameter.
To add your files in the values.yaml file, set the run.source.configmap object with the files.
Finally, if you want to clone a git repository you can use those parameters:
run.source.type=git
run.source.git.repository=https://github.com/my-user/my-project
run.source.git.revision=master
Troubleshooting
Find more information about how to deal with common errors related to Bitnami's Helm charts in this troubleshooting guide.
Upgrading
To 4.0.0
This major updates the minio subchart to its newest major, 17.0.0. For more information on this subchart's major, please refer to minio upgrade notes.
To 3.0.0
This major updates the minio subchart to its newest major, 16.0.0. For more information on this subchart's major, please refer to minio upgrade notes.
To 2.3.0
This version introduces image verification for security purposes. To disable it, set global.security.allowInsecureImages to true. More details at GitHub issue.
To 2.0.0
This major updates the PostgreSQL subchart to its newest major, 16.0.0, which uses PostgreSQL 17.x. Follow the official instructions to upgrade to 17.x.
To 1.0.0
This major bump changes the following security defaults:
resourcesPresetis changed fromnoneto the minimum size working in our test suites (NOTE:resourcesPresetis not meant for production usage, butresourcesadapted to your use case).global.compatibility.openshift.adaptSecurityContextis changed fromdisabledtoauto.
This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones.
License
Copyright © 2025 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.