Introduction
Over the past few years, large language models (LLMs) have transformed how we build intelligent applications. From chatbots to code assistants, these models are used to power production systems across industries. But while training LLMs has become more accessible, deploying them at scale remains a challenge. Models generally come with gigabyte-sized weight files, depend on specific library versions, require careful GPU or CPU resource allocation, and need constant versioning as new checkpoints roll out. More often than not, a model that works in a data scientist's notebook can fail in production because of a mismatched dependency, a missing tokenizer file, or an environment variable that wasn't set.
KitOps (a CNCF project backed by Jozu) offers a solution called ModelKits, which is a standardized artifact that packages an ML model with its dependencies and configuration. This open-source toolkit lets organizations, developers, and data scientists bundle their models into versionable, signable, and portable ModelKits that can be pushed to any OCI-compliant registry. The result is consistent version tracking and reliable model artifacts across all environments, bringing the same level of control we expect from software development to machine learning deployments.
In this guide, we'll show you how to combine KitOps with Kubeflow and KServe to serve large language models at scale. You'll learn how to package an LLM into a ModelKit, deploy it with KServe's inference endpoints, and let Jozu handle the orchestration, all without needing dedicated GPU hardware to follow along—you can take an even deeper dive into production ML on Kubernetes by downloading our full technical guide to Kubernetes ML.
Learning Objectives
- Build and package a TensorFlow LLM model into a ModelKit using KitOps
- Pack and push the ModelKit to Jozu, an OCI-compliant registry built for ModelKits
- Set up Kubeflow and KServe to serve your model in production
- Scale and secure your model deployments in production environments
Prerequisites and Setup
Before we start deploying LLMs at scale, let's make sure you have the right tools installed and configured. This section walks through everything you need such as Python for running your model code, the KitOps CLI for packaging ModelKits, and a Jozu sandbox account for storing and managing your artifacts.
Install Python
For this project, you'll need Python 3.10 or above installed on your system. This ensures compatibility with modern ML libraries like TensorFlow and the dependencies we'll use throughout this guide. If you don't have Python installed yet, grab it from python.org and follow the installation steps for your operating system.
Install the KitOps CLI
The Kit CLI is what we'll use to pack, push, and manage ModelKits. Head over to the KitOps installation page and pick the installation method that matches your OS, whether you're on macOS, Linux, or Windows, and install accordingly.
Once you've installed the CLI, verify it's working by running:
kit version
The output should show the version details:
Sign Up for Jozu
Jozu is your OCI-compliant registry for ModelKits. It's where you'll push packaged models and pull them during deployment. To get started with Jozu, head over to jozu.ml and click Sign Up to create an account. Make sure to note your username and password as you'll need them in the next step to authenticate your CLI.
Authenticate with Jozu
Now let's connect your local Kit CLI to your Jozu account. Open a terminal and run:
kit login jozu.ml
You'll be prompted to enter your username (the email you registered with) and the password you created. If everything is set up correctly, you'll see:
Building a TensorFlow LLM Model
TensorFlow is one of the most popular open-source frameworks for building and training machine learning models. It was developed by Google, and it's particularly well-suited for production environments where you need scalable, efficient model serving across CPUs, GPUs, and TPUs.
TensorFlow shines in enterprise deployments, mobile applications, and in scenarios where you need tight integration with serving infrastructure. In this guide, we'll use TensorFlow to fine-tune a small T5 model that translates corporate jargon into plain language.
Set Up Your Project Directory
Let's start by creating a clean workspace for our model. Run these commands in your terminal to create your project directory:
mkdir corporate-speak
cd corporate-speak
Now create a Python virtual environment to keep dependencies isolated. It is essential to use a virtual environment as it isolates the project's dependencies from your global Python installation, therefore preventing conflicts with other projects and ensuring reproducible results:
python3 -m venv env
source env/bin/activate
Install Dependencies
Create a requirements.txt file in your project root with the following libraries:
tensorflow==2.19.1
transformers==4.49.0
huggingface-hub==0.26.0
tf-keras
fastapi
uvicorn
sentencepiece
Install everything with:
pip install -r requirements.txt
This pulls in TensorFlow for training, Transformers for the T5 model, FastAPI for serving later, and all the supporting libraries we'll need.
Create the Training Data
Before we can train our model, we need some data. Create a data directory in your project root:
mkdir data
Inside the data directory, create a file called corporate\_speak.json and paste this training dataset:
[
{
"term": "Circle back",
"meaning": "We'll talk about this later because we don't want to deal with it right now."
},
{
"term": "Synergy",
"meaning": "Making two teams do one team's job, but with extra meetings."
},
{
"term": "Bandwidth",
"meaning": "How much energy or patience a person has left."
},
{
"term": "Low-hanging fruit",
"meaning": "The easiest task that still lets us look productive."
},
{
"term": "Touch base",
"meaning": "Talk briefly to pretend progress is being made."
},
{
"term": "Pivot",
"meaning": "Our original idea failed; let's rename it and try again."
},
{ "term": "Going forward", "meaning": "Forget what we said last time." },
{ "term": "Alignment", "meaning": "Make sure no one disagrees publicly." }
]
This small dataset gives the model eight examples of corporate jargon and their plain-language meanings. It's just enough to fine-tune T5 for our demonstration without requiring heavy compute resources.
Create the Training Script
Next, make a directory for your application code:
mkdir app
Inside the app directory, create a file called train\_llm.py and add this code:
import os
import json
import tensorflow as tf
from transformers import T5Tokenizer, TFT5ForConditionalGeneration
BASE\_DIR \= os.path.dirname(os.path.dirname(os.path.abspath(\_\_file\_\_)))
DATA\_PATH \= os.path.join(BASE\_DIR, "data", "corporate\_speak.json")
print(f"Base Directory: {BASE\_DIR}")
print(f"Data Path: {DATA\_PATH}")
def load\_data(file\_path):
"""Loads JSON data from the specified file path."""
try:
with open(file\_path, 'r') as f:
data \= json.load(f)
print(f"Successfully loaded {len(data)} records from data file.")
return data
except FileNotFoundError:
print(f"ERROR: Data file not found at {file\_path}")
print("Please ensure you have created the file 'corporate\_speak.json' and the 'data' folder.")
return None
except json.JSONDecodeError:
print(f"ERROR: Could not decode JSON from {file\_path}. Check file format.")
return None
DATA \= load\_data(DATA\_PATH)
if DATA is None:
exit() ## Stop if data loading failed
prompts \= [f"term: {item['term']}" for item in DATA]
responses \= [f"meaning: {item['meaning']}" for item in DATA]
MODEL\_NAME \= 't5-small'
MAX\_LENGTH \= 128
BATCH\_SIZE \= 4
LEARNING\_RATE \= 1e-5
EPOCHS \= 15
print(f"\\nLoading T5 model and tokenizer: {MODEL\_NAME}...")
tokenizer \= T5Tokenizer.from\_pretrained(MODEL\_NAME)
model \= TFT5ForConditionalGeneration.from\_pretrained(MODEL\_NAME)
tokenized\_inputs \= tokenizer(
prompts,
return\_tensors='tf',
max\_length=MAX\_LENGTH,
padding='max\_length',
truncation=True
)
tokenized\_targets \= tokenizer(
responses,
return\_tensors='tf',
max\_length=MAX\_LENGTH,
padding='max\_length',
truncation=True
)
labels \= tokenized\_targets['input\_ids']
dataset \= tf.data.Dataset.from\_tensor\_slices(
(
{'input\_ids': tokenized\_inputs['input\_ids'],
'attention\_mask': tokenized\_inputs['attention\_mask']},
labels
)
).shuffle(buffer\_size=len(DATA)).batch(BATCH\_SIZE)
print("\\n--- Starting Fine-Tuning ---")
optimizer \= tf.keras.optimizers.Adam(learning\_rate=LEARNING\_RATE)
model.compile(optimizer=optimizer)
history \= model.fit(
dataset,
epochs=EPOCHS,
verbose=1
)
print("--- Fine-Tuning Complete ---")
print("\\n--- Testing Model Generation ---")
test\_term\_1 \= "term: Touch base"
test\_input\_1 \= tokenizer(test\_term\_1, return\_tensors='tf').input\_ids
output\_tokens\_1 \= model.generate(test\_input\_1, max\_length=MAX\_LENGTH)
decoded\_meaning\_1 \= tokenizer.decode(output\_tokens\_1[0], skip\_special\_tokens=True)
print(f"Input: '{test\_term\_1}'")
print(f"Output: '{decoded\_meaning\_1}'")
test\_term\_2 \= "term: Alignment"
test\_input\_2 \= tokenizer(test\_term\_2, return\_tensors='tf').input\_ids
output\_tokens\_2 \= model.generate(test\_input\_2, max\_length=MAX\_LENGTH)
decoded\_meaning\_2 \= tokenizer.decode(output\_tokens\_2[0], skip\_special\_tokens=True)
print(f"\\nInput: '{test\_term\_2}'")
print(f"Output: '{decoded\_meaning\_2}'")
MODEL\_SAVE\_PATH \= os.path.join(BASE\_DIR, "1")
os.makedirs(MODEL\_SAVE\_PATH, exist\_ok=True)
model.save(MODEL\_SAVE\_PATH, save\_format='tf')
tokenizer.save\_pretrained(MODEL\_SAVE\_PATH)
print(f"\\nModel saved to: {MODEL\_SAVE\_PATH}")
This script does four things: it loads your training data from a JSON file, tokenizes the inputs and targets for T5, fine-tunes the model for 15 epochs, and saves the trained weights along with the tokenizer to a directory called 1 in your project root.
It is important to save your model in a numbered directory or version number, as the Tensorflow Kserve program, expects to find your model in this format. Anything that deviates from this will prevent your Kserve inference service from working.
Train the Model
To train your model, run the following command from the root directory:
python3 app/train\_llm.py
The training process will kick off, and you'll see output showing the model loading, training progress across epochs, test predictions, and finally confirmation that the model has been saved. When complete, you'll have a new directory called 1 containing your model's saved weights (saved_model.pb), variables, tokenizer config files, and all the assets TensorFlow needs to reload and serve your model later.
Testing the Model with FastAPI
Before we package our model for production, let's make sure it actually works. We'll build a simple FastAPI inference server that loads the trained model and exposes an endpoint for predictions.
Create the Inference Server
In your app directory, create a file called inference.py and add this code:
import os
import tensorflow as tf
from transformers import T5Tokenizer, TFT5ForConditionalGeneration
from fastapi import FastAPI, HTTPException
from pydantic import BaseModel
import uvicorn
app \= FastAPI(
title="Jargon Decoder LLM API",
description="A service to translate corporate jargon using a fine-tuned T5 model.",
version="1.0.0"
)
tokenizer \= None
model \= None
MAX\_LENGTH \= 128
BASE\_DIR \= os.path.dirname(os.path.dirname(os.path.abspath(\_\_file\_\_)))
MODEL\_SAVE\_PATH \= os.path.join(BASE\_DIR, "1")
@app.on\_event("startup")
async def load\_model\_on\_startup():
"""Loads the fine-tuned T5 model and tokenizer when the FastAPI application starts."""
global tokenizer, model
print(f"Base Directory: {BASE\_DIR}")
print(f"Attempting to load model from: {MODEL\_SAVE\_PATH}")
try:
tokenizer \= T5Tokenizer.from\_pretrained(MODEL\_SAVE\_PATH)
model \= TFT5ForConditionalGeneration.from\_pretrained(MODEL\_SAVE\_PATH)
print("Model and tokenizer loaded successfully\! 🚀")
except Exception as e:
print(f"FATAL ERROR: Could not load model from {MODEL\_SAVE\_PATH}.")
print(f"Details: {e}")
class JargonRequest(BaseModel):
"""Schema for the input request."""
term: str \= "Circle back"
class JargonResponse(BaseModel):
"""Schema for the output response."""
original\_term: str
decoded\_meaning: str
def decode\_jargon(term: str, tokenizer, model) -> str:
"""
Core function to run inference on the loaded LLM.
"""
if not tokenizer or not model:
raise HTTPException(status\_code=503, detail="Model is not loaded or ready.")
prompt \= f"term: {term}"
input\_ids \= tokenizer(
prompt,
return\_tensors='tf',
max\_length=MAX\_LENGTH,
padding='max\_length',
truncation=True
).input\_ids
output\_tokens \= model.generate(
input\_ids,
max\_length=MAX\_LENGTH
)
decoded\_meaning \= tokenizer.decode(output\_tokens[0], skip\_special\_tokens=True)
if decoded\_meaning.startswith("meaning: "):
return decoded\_meaning[9:].strip()
return decoded\_meaning.strip()
@app.post("/decode/", response\_model=JargonResponse)
async def decode(request: JargonRequest):
"""
API endpoint to translate a corporate jargon term into plain meaning.
"""
try:
meaning \= decode\_jargon(request.term, tokenizer, model)
return JargonResponse(
original\_term=request.term,
decoded\_meaning=meaning
)
except HTTPException as e:
## Re-raise explicit HTTP exceptions
raise e
except Exception as e:
## Handle unexpected errors
print(f"Inference Error: {e}")
raise HTTPException(status\_code=500, detail=f"Internal server error during inference: {e}")
if \_\_name\_\_ \== "\_\_main\_\_":
uvicorn.run("inference:app", host="0.0.0.0", port=8000, reload=True)
This inference script sets up a FastAPI application that loads your fine-tuned T5 model on startup. The load_model_on_startup function pulls the tokenizer and model from the saved directory, making them available globally. The decode_jargon function handles the actual inference: it takes a corporate term, formats it as a prompt, runs it through the model, and returns the decoded meaning.
The /decode/ endpoint accepts POST requests with a jargon term and responds with the plain-language translation. Pydantic models ensure type safety for requests and responses, while error handling catches issues like missing models or inference failures.
Start the Server
Run the inference server from your project root:
python3 app/inference.py
You'll see output showing the model loading and a confirmation that the FastAPI server is running on http://0.0.0.0:8000. The startup event will trigger immediately, pulling your trained weights into memory so they're ready for inference requests.
Test the Endpoint
To test the endpoint, open a new terminal and send a test request with curl:
curl -X POST "http://localhost:8000/decode/" \\
-H "Content-Type: application/json" \\
-d '{"term": "Synergy"}'
If everything is working, you should see a JSON response with the decoded meaning:
{
"original\_term": "Synergy",
"decoded\_meaning": "Synergy"
}
The code and model is working and producing an output which is what we expect. Now that we've confirmed everything works locally, we can package the entire application code, model, and dependencies into a ModelKit for production deployment.
Packaging with KitOps
To make the workflow repeatable and production ready we'll use KitOps to bundle our trained model, inference code, and training data into a single ModelKit.
Initialize the Kitfile
From your project root directory, run:
kit init .
This creates a Kitfile in your current directory. A Kitfile is a YAML manifest that describes everything needed to reproduce your ML project—model weights, code paths, datasets, and metadata. Think of it like a Dockerfile, but designed specifically for machine learning artifacts. It tells KitOps what to bundle into your ModelKit and how those pieces fit together.
Edit the Kitfile
The generated Kitfile is a good starting point, but it doesn't capture the full structure of our project. Open the Kitfile and replace its contents with this:
manifestVersion: 1.2.0
package:
name: corporate-speak-model
description: A lightweight language model fine-tuned on corporate jargon to explain complex corporate terms in simple English.
authors: [Thoren Oakenshield]
code:
- path: .
description: All necessary scripts, configurations, and application logic
model:
name: T5
path: ./1/
framework: Tensorflow
version: 1.2.0
description: A lightweight language model fine-tuned on corporate jargon to explain complex corporate terms in simple English.
datasets:
- name: corporate-jargon-data
path: ./data/
description: A small JSON dataset containing corporate terms and their real-world meanings.
Let's break down what this Kitfile does. The package section holds metadata which are the model name, a description, and the author. Next, the code section points to your entire project directory, capturing all your scripts, configuration files, and application logic.
Then, the model section specifies where your trained T5 weights live (the ./1/ directory we created during training), what framework they use, and the version. Finally, the datasets section references your training data in ./data/, so anyone pulling this ModelKit knows exactly what data was used to train the model. This single file gives you a complete snapshot of your ML project.
Pack the ModelKit
Now let's bundle everything into a ModelKit, similar to how you build a Docker image. To pack your ModelKit run:
kit pack . -t jozu.ml/<username>/<model-kit-name>:<version>
Replace with your Jozu username and : with your model kit name and version. This command reads your Kitfile, collects all the referenced files (code, model weights, data), and packages them into a single OCI-compliant artifact. You'll see output showing KitOps compressing and layering your files.
Push to Jozu
Once the pack completes, push your ModelKit to Jozu by running:
kit push jozu.ml/<username>/<model-kit-name>:<version>
The CLI uploads your ModelKit layers to the registry. When it finishes, head to your Jozu account at jozu.ml, click on My Repositories, and you should see your newly pushed package listed.
Setting Up the Serving Infrastructure
Before we can deploy our model with KServe, we need to set up the complete infrastructure stack. This includes Docker for containerization, Kubernetes for orchestration, Kubeflow for ML workflows, and KServe for model serving. Let's walk through each installation step by step.
Install Docker
Docker is the container runtime that Minikube will use. If you're on Linux, run:
sudo apt-get update && sudo apt-get install docker.io -y
sudo groupadd docker
sudo usermod -aG docker $USER
newgrp docker
For macOS or Windows users, head to the official Docker website and follow the installation instructions for your operating system.
Install kubectl
kubectl is the command-line tool for interacting with Kubernetes clusters. It lets you deploy applications, inspect resources, and manage cluster operations.
To Install it run:
sudo snap install kubectl --classic
kubectl version --client ## Verify installation
Install Minikube
Next is Minikube. Minikube runs a local Kubernetes cluster on your machine which is perfect for development and testing without needing cloud resources. TO download and install it, run:
curl -LO https://github.com/kubernetes/minikube/releases/latest/download/minikube-linux-amd64
sudo install minikube-linux-amd64 /usr/local/bin/minikube && rm minikube-linux-amd64
minikube version
Start Minikube
It's important to start your local Kubernetes cluster with enough resources to handle model serving else your cluster will fail in the process of serving your model. To start minikube run:
minikube start --cpus=4 --memory=10240 --driver=docker
kubectl get nodes
kubectl cluster-info
This spins up a single-node cluster with 4 CPUs and 10GB of memory. The kubectl get nodes command confirms your cluster is running, and kubectl cluster-info shows the control plane endpoint.
Install Kubeflow Pipelines
Kubeflow is an open-source platform for running ML workflows on Kubernetes. It provides tools for orchestrating complex pipelines, tracking experiments, and managing model training. We'll install Kubeflow Pipelines, which handles the deployment and serving orchestration:
export PIPELINE\_VERSION=2.4.0
kubectl apply -k "github.com/kubeflow/pipelines/manifests/kustomize/cluster-scoped-resources?ref=$PIPELINE\_VERSION"
kubectl wait --for condition=established --timeout=60s crd/applications.app.k8s.io
kubectl apply -k "github.com/kubeflow/pipelines/manifests/kustomize/env/platform-agnostic?ref=$PIPELINE\_VERSION"
This installation can take a few minutes. To check if all components are ready, run:
kubectl get pods -n kubeflow
Wait until all pods show Running status. You should see output similar to this:
NAME READY STATUS RESTARTS AGE
cache-deployer-deployment-85b76bcb6-fmslx 1/1 Running 0 21h
cache-server-66bd9b7875-rxdvl 1/1 Running 0 21h
metadata-envoy-deployment-746744dfb8-zdgtx 1/1 Running 0 21h
metadata-grpc-deployment-54654fc5bb-9cvdg 1/1 Running 6 (21h ago) 21h
metadata-writer-68658fdf4b-7zpbn 1/1 Running 1 (20h ago) 21h
minio-85cd46c575-gt7kp 1/1 Running 0 21h
ml-pipeline-6978d6f776-p4zt9 1/1 Running 3 (20h ago) 21h
ml-pipeline-persistenceagent-7d4c675666-28qnz 1/1 Running 1 (20h ago) 21h
ml-pipeline-scheduledworkflow-695b7b8988-swzdj 1/1 Running 0 21h
ml-pipeline-ui-88467988b-4c6md 1/1 Running 0 21h
ml-pipeline-viewer-crd-bf5dc64dd-5xqv9 1/1 Running 0 21h
ml-pipeline-visualizationserver-5584ff64d7-jr686 1/1 Running 0 21h
mysql-6745b5984c-dn4r6 1/1 Running 0 21h
workflow-controller-5b84568b94-tjjcz 1/1 Running 0 21h
Install KServe
KServe is a Kubernetes-native platform for serving ML models. It handles autoscaling, canary rollouts, and provides a unified inference protocol across different model frameworks. You can install it with:
curl -s "https://raw.githubusercontent.com/kserve/kserve/release-0.14/hack/quick\_install.sh" | bash
Once the installation completes, verify that KServe and its dependencies are running with the following commands:
kubectl get pods -n kserve
kubectl get pods -n istio-system
kubectl get pods -n knative-serving
You should see output confirming all components are operational:
NAME READY STATUS RESTARTS AGE
kserve-controller-manager-86869697f-mcgrd 2/2 Running 0 20h
NAME READY STATUS RESTARTS AGE
istio-ingressgateway-698fff54fb-bbqh7 1/1 Running 0 20h
istiod-7fdcb55c9c-qtwf5 1/1 Running 0 20h
NAME READY STATUS RESTARTS AGE
activator-5967d4d645-fgfhw 1/1 Running 0 20h
autoscaler-598c65f5bc-9pdt4 1/1 Running 0 20h
autoscaler-hpa-5b45c655dc-hx4qd 1/1 Running 0 20h
controller-7cf55b567b-x45bn 1/1 Running 0 20h
knative-operator-76b6894f45-58xlt 1/1 Running 0 20h
net-istio-controller-54b458f57b-7cqj7 1/1 Running 0 20h
net-istio-webhook-7bc64cfff6-mslz9 1/1 Running 0 20h
operator-webhook-565c994ff9-f7hzq 1/1 Running 0 20h
webhook-7f575896d6-gc4qc 1/1 Running 0 20h
Create Registry Credentials
KServe needs credentials to pull your ModelKit from Jozu. To set up these credentials in your project directory, create a file called kitops-jozu-secret.yaml and add the following:
apiVersion: v1
kind: Secret
metadata:
name: jozu-registry-secret
type: Opaque
data:
KIT\_USER: <YOUR USERNAME ENCODED IN BASE 64>
KIT\_PASSWORD: <YOUR PASSWORD ENCODED IN BASE 64>
Replace the base64-encoded values with your own Jozu credentials. You can encode your username and password by running:
echo -n "your-username" | base64
echo -n "your-password" | base64
Serving the Model with KServe
Now that our infrastructure is ready and our ModelKit is in the registry, let's deploy it with KServe. This section walks through configuring KServe to pull ModelKits, defining the inference service, and making predictions against the deployed endpoint.
Configure the Storage Initializer
KServe uses storage initializers to fetch model artifacts from registries before starting the inference container. We need to tell KServe how to pull ModelKits using the KitOps storage initializer. To do this create a file called kitops-storage-initializer.yaml:
apiVersion: serving.kserve.io/v1alpha1
kind: ClusterStorageContainer
metadata:
name: kitops
spec:
container:
name: storage-initializer
image: ghcr.io/kitops-ml/kitops-kserve:latest
imagePullPolicy: Always
env:
- name: KIT\_UNPACK\_FLAGS
value: ""
- name: KIT\_USER
valueFrom:
secretKeyRef:
name: jozu-registry-secret
key: KIT\_USER
optional: true
- name: KIT\_PASSWORD
valueFrom:
secretKeyRef:
name: jozu-registry-secret
key: KIT\_PASSWORD
optional: true
resources:
requests:
memory: 100Mi
cpu: 100m
limits:
memory: 1Gi
supportedUriFormats:
- prefix: kit://
This ClusterStorageContainer defines a custom storage initializer that understands kit:// URIs. When KServe sees a storageUri starting with kit://, it uses this initializer to authenticate with Jozu (via the credentials in kit-secret), pull the ModelKit, unpack it, and mount the model artifacts into the inference container. The resource limits ensure the initializer doesn't consume too much memory during the download and unpacking phase.
Create the InferenceService
An InferenceService is KServe's core resource for deploying models. It handles routing, autoscaling, canary deployments, and connects your model to a scalable serving runtime. Create a file called kitops-kserve-inference.yaml:
apiVersion: serving.kserve.io/v1beta1
kind: InferenceService
metadata:
name: corporate-speak-model-tensorflow
spec:
predictor:
model:
modelFormat:
name: tensorflow
resources:
requests:
cpu: "250m"
memory: "1Gi"
limits:
cpu: "500m"
memory: "2Gi"
storageUri: kit://jozu.ml/<username>/<model-kit-name>:<version>
Replace the storageUri with your actual ModelKit reference from Jozu (username, repository name, and tag). The modelFormat: tensorflow tells KServe to use the TensorFlow serving runtime, while the resource requests and limits ensure your model has enough CPU and memory to handle inference without monopolizing cluster resources.
Deploy the Service
Apply all three manifests to your cluster:
kubectl apply -f kitops-jozu-secret.yaml
kubectl apply -f kitops-storage-initializer.yaml
kubectl apply -f kitops-kserve-inference.yaml
If successful, you'll see:
secret/jozu-registry-secret
clusterstoragecontainer.serving.kserve.io/kitops created
inferenceservice.serving.kserve.io/corporate-speak-model-tensorflow created
The deployment takes a few minutes as KServe pulls the ModelKit, unpacks it, and starts the inference pod. You can monitor the progress with:
kubectl get pods
Wait until you see your predictor pod running:
NAME READY STATUS RESTARTS AGE
corporate-speak-model-tensorflow-predictor-00001-deploymenwcc2n 2/2 Running 0 2m
Access the Inference Endpoint
Once the pod is running, find the service endpoint. You can do this by running:
kubectl get services | grep corporate-speak-model-tensorflow
You'll see several services created by KServe:
corporate-speak-model-tensorflow ExternalName <none> knative-local-gateway.istio-system.svc.cluster.local <none> 20h
corporate-speak-model-tensorflow-predictor ExternalName <none> knative-local-gateway.istio-system.svc.cluster.local 80/TCP 20h
corporate-speak-model-tensorflow-predictor-00001 ClusterIP 10.103.234.235 <none> 80/TCP,443/TCP 20h
corporate-speak-model-tensorflow-predictor-00001-private ClusterIP 10.104.180.43 <none> 80/TCP,443/TCP,9090/TCP,9091/TCP,8022/TCP,8012/TCP 20h
For local testing, forward the private service to your machine:
kubectl port-forward service/corporate-speak-model-tensorflow-predictor-00001-private 8080:80
You should see:
Forwarding from 127.0.0.1:8080 -> 8012
Forwarding from [::1]:8080 -> 8012
Now you can test your inference service.
Testing the Deployment with Tokenized Input
Before testing it is important to know that, KServe's standard TensorFlow serving runtime expects numerical tensors that correspond to the model's signature. Since our T5 model was fine-tuned using token IDs, we must tokenize the input locally before sending the request.
First, you'll need a quick script to generate the correct numerical payload. To do this, create a temporary Python script generate\_payload.py in your project root to handle the tokenization and generate the JSON payload:
import tensorflow as tf ## Required for Tensors
from transformers import T5Tokenizer
import json
import os
MODEL\_SAVE\_PATH \= os.path.join(os.path.dirname(os.path.dirname(os.path.abspath(\_\_file\_\_))), "1")
tokenizer \= T5Tokenizer.from\_pretrained(MODEL\_SAVE\_PATH)
MAX\_LENGTH \= 128
term \= "Synergy" ## You can change the term here
prompt \= f"term: {term}" ## T5 was trained to expect this prefix
inputs \= tokenizer(
prompt,
return\_tensors='tf',
max\_length=MAX\_LENGTH,
padding='max\_length',
truncation=True
)
input\_ids\_list \= inputs['input\_ids'][0].numpy().tolist()
attention\_mask\_list \= inputs['attention\_mask'][0].numpy().tolist()
payload \= {
"instances": [
{
"input\_ids": input\_ids\_list,
"attention\_mask": attention\_mask\_list ## KServe needs both for attention
}
]
}
with open('test\_payload.json', 'w') as f:
json.dump(payload, f, indent=2)
In a new terminal, run the script to create the file:
python3 generate\_payload.py
Now, use curl to send the generated test_payload.json file to the KServe endpoint.
curl -X POST http://localhost:8080/v1/models/corporate-speak-model-tensorflow:predict \\
-H "Content-Type: application/json" \\
-d @test\_payload.json
KServe will route the request containing the numerical IDs to the TensorFlow serving runtime, which passes it directly to the T5 model's generation function. You should see a JSON response with the decoded meaning:
{
"predictions": [
{
"output": "Synergy"
}
]
}
Scaling and Securing Your Deployment
Running a model in production requires thinking beyond basic functionality. As time goes on you will need autoscaling to handle traffic spikes, resource limits to prevent runaway costs, and security measures to protect your models and data. KServe and KitOps give you the tools to handle all of this without the need to build custom infrastructure.
Autoscaling with KServe
KServe integrates with Knative Serving to provide automatic scaling based on request load. By default, your InferenceService will scale down to zero replicas when idle and scale up as traffic increases. You can customize this behavior by adding autoscaling annotations to your InferenceService manifest.
To do this, edit your kitops-kserve-inference.yaml to include autoscaling configuration:
apiVersion: serving.kserve.io/v1beta1
kind: InferenceService
metadata:
name: corporate-speak-model-tensorflow
annotations:
autoscaling.knative.dev/target: "10"
autoscaling.knative.dev/minScale: "1"
autoscaling.knative.dev/maxScale: "5"
spec:
predictor:
model:
modelFormat:
name: tensorflow
resources:
requests:
cpu: "250m"
memory: "1Gi"
limits:
cpu: "500m"
memory: "2Gi"
storageUri: kit://jozu.ml/<username>/<model-kit-name>:<version>
The target annotation sets the concurrency target per pod (10 requests), minScale ensures at least one pod is always running for faster response times, and maxScale caps the maximum number of replicas to 5, preventing runaway scaling costs. Knative will automatically add or remove pods based on incoming traffic patterns.
Resource Management
The resource limits in your InferenceService prevent a single model from consuming all cluster resources. The requests section tells Kubernetes how much CPU and memory to reserve, while limits sets the maximum the pod can use. For production deployments, you can tune these values based on your model's actual memory footprint and inference latency requirements.
If you're running multiple models, consider creating separate namespaces for isolation:
kubectl create namespace production-models
kubectl apply -f kitops-kserve-inference.yaml -n production-models
This keeps production models separate from staging or experimental deployments and makes it easier to apply different resource quotas and network policies per environment.
Securing ModelKits with Cosign
ModelKit signing ensures that the artifacts you deploy haven't been tampered with between packaging and deployment. You can use Cosign to sign your ModelKits immediately after pushing them to Jozu:
cosign generate-key-pair
cosign sign jozu.ml/<username>/<model-kit-name>:<version> --key cosign.key
This creates a cryptographic signature attached to your ModelKit. In production, you can configure KServe to verify signatures before pulling models, rejecting any unsigned or tampered artifacts. The signature verification happens during the storage initialization phase, before the model ever loads into memory.
Model Versioning and Rollback
One of KitOps' biggest advantages is version control for models. Every ModelKit you push to Jozu is immutable and tagged. If a new model version causes issues in production, rolling back is as simple as updating the storageUri in your InferenceService:
storageUri: kit://jozu.ml/<username>/<model-kit-name>:<the-previous-version>
Note: When a ModelKit is pushed to Jozu, it is automatically run through 5 different vulnerability scanning tools to ensure that your model is safe and secure. Jozu also creates a downloadable audit log, consisting of the model’s complete lineage.
Apply the change, and KServe will perform a blue-green deployment, spinning up new pods with the old model version while draining traffic from the problematic version. You can also use KServe's canary deployment features to test new model versions with a percentage of traffic before fully rolling out:
apiVersion: serving.kserve.io/v1beta1
kind: InferenceService
metadata:
name: corporate-speak-model-tensorflow
spec:
predictor:
model:
modelFormat:
name: tensorflow
storageUri: kit://jozu.ml/<username>/<model-kit-name>:<a-new-version>
canaryTrafficPercent: 20
This routes 20% of traffic to the new model while keeping 80% on the stable version. Monitor metrics, and if everything looks good, increase the percentage until you're confident enough to promote the canary to full production.
Wrapping Up
Having a good model isn't enough to serve machine learning applications at scale. The combination of KitOps, Kubeflow, KServe, and Jozu brings software development best practices, like containerization, version control, and automated scaling, into the ML workflow. KitOps standardizes your LLM into a portable ModelKit for reproducible packaging and security, while KServe handles reliable, production-grade serving and automated scaling on Kubernetes, eliminating the need for custom engineering.
This guide demonstrated how to build a TensorFlow LLM, package it with KitOps, push it to an OCI registry, and deploy it using KServe on Kubernetes. The steps covered key operational patterns like configuring autoscaling, securing ModelKits with signatures, managing resource allocation across environments, and performing deployment rollbacks. This consistent methodology scales effortlessly from development environments like Minikube to high-volume production clusters like EKS, GKE, or on-premises systems.
To learn more about KitOps visit kitops.org. To try Jozu Hub in your private environment, you can contact the Jozu team to start a free two-week POC.
Top comments (0)