Enable and document for Kubeflow 1.10 Kserve secure inferencing from inside and outside the cluster with tokens #2811
Comments
@kromanow94 yes we should tackle this for 1.10

@juliusvonkohout, makes sense. From a conceptual point of view, what do we expect and what are the assumptions? I guess it's an easy decision for Out Of Cluster - the … What about from in-cluster? Do we expect that access to a given kserve endpoint should be enabled without an Authorization header when called from the same namespace?

"Do we expect that access to given kserve endpoint should be enabled without Authorization header when called from the same namespace?" I am not sure. Actually I like to enforce security everywhere. @kimwnasptd what do you think?

That would also ease and unify the approach from an implementation perspective.
Add a Notebook that demonstrates how to invoke the KServe Inference Service. NOTE: Do not forget to create an Authorization Policy for the Inference Service. See here: kubeflow/manifests#2811 Signed-off-by: Dimitris Poulopoulos <[email protected]>
I bump into approval_prompt for v1.9, but yes the docs are missing:

```shell
curl -XPOST -v "http://sklearn-iris.kubeflow-user-example-com.svc.cluster.local/v1/models/sklearn-iris:predict" \
  -H "Authorization: Bearer $(cat /run/secrets/kubernetes.io/serviceaccount/token)" \
  -H "Content-Type: application/json" \
  -d '{"instances": [[6.8, 2.8, 4.8, 1.4], [6.0, 3.4, 4.5, 1.6]]}'
```

```
< HTTP/1.1 302 Found
```
"@juliusvonkohout do you think we should add this AuthorizationPolicy for cluster-local-gateway to the manifests?" Yes, we have to move on. This is too complex for many users to understand and we need to provide it out of the box.

So @kromanow94 please create a PR if you have time.

There seems to be a lot of wrong/outdated stuff in kserve/kserve#3260 and we should probably fix it there as well.

By my test in a Kubeflow 1.9 cluster, https://github.com/kserve/kserve/tree/master/docs/samples/istio-dex can't run. Will this issue solve the question?

Hello, as said before, the kserve documentation is wrong there. Check the first post here on how to get it done with oauth2-proxy.

KServe is right, but for internal K8s JWT tokens, not with OAuth-proxy tokens that are generated outside the cluster.

No, oauth2-proxy is explicitly there to use service account tokens. Whether from inside or outside does not matter.
/lifecycle frozen

See also: Implementation started in #2936
Version: master

Describe your issue

From @kromanow94:
> I did some investigation and I found out that this is because the `VirtualServices` created by `kserve` are configured by default to use `cluster-local-gateway`. `istio-ingressgateway` is configured with the `AuthorizationPolicy` `istio-ingressgateway-oauth2-proxy`, which enforces the traffic to go through `oauth2-proxy`. There is no such `AuthorizationPolicy` for `cluster-local-gateway`.
>
> So, I see two options:
>
> 1. For `cluster-local-gateway`, a `cluster-local-gateway-oauth2-proxy` `AuthorizationPolicy` to enforce authentication with `oauth2-proxy`: …
>
>    … (`kubeflow-user-example-com`), you also have to configure access to the `sklearn-iris` deployment: … `curl`: …
>
> 2. … `istio-ingressgateway` instead of `cluster-local-gateway`. This touches kserve, which I don't have a lot of experience with. I tried changing the `inferenceservice-config` `ConfigMap` to define `"localGatewayService": "istio-ingressgateway.istio-system.svc.cluster.local"` and `"localGateway": "kubeflow/kubeflow-gateway"`, but that didn't work for some reason, probably something is missing...
>
> @juliusvonkohout do you think we should add this `AuthorizationPolicy` for `cluster-local-gateway` to the manifests?

Steps to reproduce the issue
See above
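The shape of the policy discussed in the thread, written here as an added example and not the manifests' own YAML: it assumes the Istio mesh config already registers an extension provider named `oauth2-proxy` (the same one the `istio-ingressgateway-oauth2-proxy` policy relies on) and that the Knative local gateway pods live in `istio-system` with the label `app: cluster-local-gateway`.

```yaml
# Added example, not taken from the Kubeflow manifests.
# Mirrors the existing istio-ingressgateway-oauth2-proxy policy but targets the
# Knative cluster-local-gateway, so in-cluster calls to KServe VirtualServices
# are also sent to oauth2-proxy for authentication instead of bypassing it.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: cluster-local-gateway-oauth2-proxy
  namespace: istio-system          # assumption: where cluster-local-gateway runs
spec:
  selector:
    matchLabels:
      app: cluster-local-gateway   # assumption: pod label of the local gateway
  # CUSTOM delegates the decision to an external authorizer configured as an
  # extension provider in the mesh config; "oauth2-proxy" is assumed to be its name.
  action: CUSTOM
  provider:
    name: oauth2-proxy
  rules:
    - {}                           # an empty rule matches every request
```

With the policy in place, the in-cluster `curl` from the thread is checked by `oauth2-proxy` rather than reaching the model directly, so the same request without the `Authorization` header should no longer return a prediction.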