Kubeflow: Upstream vs. Charmed

What is the difference between Charmed Kubeflow and (upstream) Kubeflow? Like any Charmed product, Charmed Kubeflow is packaged as a set of charms and run using Juju. As an official distribution of upstream Kubeflow, Charmed Kubeflow is like a wrapper around Kubeflow.

But why do we need to wrap Kubeflow? Well, Kubeflow isn’t really a packaged, polished product. It’s a collection of loosely coupled Kubernetes components. To deploy, maintain and correctly customise these components requires both knowledge and effort.

Enter Charmed Kubeflow (CKF). CKF comes pre-packaged with charm logic that handles the complexity of interacting directly with Kubernetes. This removes the administrative burden from whoever is maintaining the application. It also lessens the need for specialised Kubernetes knowledge.

The caveat is that while CKF is less complex than Kubeflow, it is less configurable. However, the configurations available in CKF and its default settings cover the vast majority of cases seen in real-world deployments. And the CKF team is constantly expanding the functionality of CKF, usually due to user demand.


User maintenance

User maintenance is simplified in CKF vs. Kubeflow.


In upstream Kubeflow, updating the default user credentials involves a number of steps, outlined in changing default Kubeflow password. First, a hash of the password must be created. Then, we have to edit the Dex config map with the desired username and the generated hash. Since the ConfigMap is already applied in the cluster, it would need to be edited in place e.g. by calling kubectl edit -n dex configmaps dex and then making the required edits.


In CKF, juju config provides a simpler interface for updating the default user credentials. The Dex charm provides two configurations: static-username and static-password and the charm code handles the complexity of applying the change to the underlying Kubernetes cluster.

Updating the username and password is as simple as setting these two options:

juju config dex-auth static-username=user123
juju config dex-auth static-password=supersecretpassword


On the one hand, configuring the default username and password is simpler in CKF vs. Kubeflow. On the other hand, CKF is restricted to only allow a single static user. There is an open issue to allow multiple static users in CKF.

Security, stability, and maintenance

Charmed Kubeflow benefits from the following:

  • Upgrade guides.
  • Automated security scanning: The bundle is scanned periodically.
  • Security patching: Charmed Kubeflow follows Canonical’s process and procedure for security patching. Vulnerabilities are prioritised based on severity, the presence of patches in the upstream project, and the risk of exploitation.
  • Comprehensive testing: Charmed Kubeflow is thoroughly tested on multiple platforms, including public cloud, local workstations, on-premises deployments, and various CNCF-compliant Kubernetes distributions.


Charmed Kubeflow provides integration capabilities, including:

  • Customised Prometheus exporter metrics.
  • Customised Kubeflow dashboard for Grafana.
  • Seamless integration with the Canonical Observability Stack (COS).
  • Integration with Charmed MLflow: including the ability use the MLflow registry directly from Kubeflow pipelines and notebooks.

Enterprise Offering

Charmed Kubeflow offers an enterprise offering from Canonical, which includes:

  • 24/7 support for deployment, up-time monitoring, and security patching with Charmed Kubeflow.
  • Hardening features and compliance with standards like Federal Risk and Authorisation Management Program, Health Insurance Portability and Accountability Act, and Payment Card Industry Digital Signature Standard, making it suitable for enterprises running AI/ML workloads in highly regulated environments.
  • Timely patches for common vulnerabilities and exposures (CVEs).
  • A ten-year security maintenance commitment.
  • Hybrid cloud and multi-cloud support.
  • Bug fixing.
  • Optionally managed services, allowing your team to focus on development rather than operations.
  • Consultancy services to assess the best tools and architecture for your specific use cases.
  • A simple per-node subscription model.

For enterprise enquiries, please contact us.