From 473b1035304f847063ecaf0a44686182c437db64 Mon Sep 17 00:00:00 2001
From: Krzysztof Romanowski
Date: Thu, 11 Jul 2024 14:10:21 +0200
Subject: [PATCH] Fix ml pipeline access from kfp step (#2795)

* fail gh action if pipeline failed in .github/workflows/pipeline_test.yaml

Signed-off-by: Krzysztof Romanowski

* allow access to ml-pipeline when using trusted requestPrincipal or doesn't have auth header

Signed-off-by: Krzysztof Romanowski

* add more triggers for the workflow

Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com>

---------

Signed-off-by: Krzysztof Romanowski
Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com>
Co-authored-by: Krzysztof Romanowski
Co-authored-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com>
---
 .github/workflows/pipeline_run_from_notebook.yaml       | 4 ++++
 .github/workflows/pipeline_test.yaml                    | 5 ++++-
 .../installs/multi-user/istio-authorization-config.yaml | 4 ++++
 .../installs/multi-user/istio-authorization-config.yaml | 4 ++++
 .../installs/multi-user/istio-authorization-config.yaml | 7 ++++++-
 5 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/pipeline_run_from_notebook.yaml b/.github/workflows/pipeline_run_from_notebook.yaml
index aa7e814121..52c80bd021 100644
--- a/.github/workflows/pipeline_run_from_notebook.yaml
+++ b/.github/workflows/pipeline_run_from_notebook.yaml
@@ -4,10 +4,14 @@ on:
     paths:
     - .github/workflows/pipeline_run_from_notebook.yaml
     - apps/jupyter/notebook-controller/upstream/**
+    - apps/pipeline/upstream/**
     - tests/gh-actions/kind-cluster.yaml
     - tests/gh-actions/install_kind.sh
     - tests/gh-actions/install_kustomize.sh
     - tests/gh-actions/install_istio.sh
+    - tests/gh-actions/install_cert_manager.sh
+    - common/cert-manager/**
+    - common/oidc-client/oauth2-proxy/**
     - common/istio*/**
     - common/oidc-client/**
     - apps/jupyter/**
diff --git a/.github/workflows/pipeline_test.yaml b/.github/workflows/pipeline_test.yaml index 06b08c9aff..0fbf4b3e21 100644 --- a/.github/workflows/pipeline_test.yaml +++ b/.github/workflows/pipeline_test.yaml @@ -90,11 +90,14 @@ jobs: while True: status = client.get_run(run_id=run_id).state - if status not in ["SUCCEEDED", "FAILED", "ERROR"]: + if status in ["PENDING", "RUNNING"]: print(f"Waiting for run_id: {run_id}, status: {status}.") sleep(10) else: print(f"Run with id {run_id} finished with status: {status}.") + if status != "SUCCEEDED": + print("Pipeline failed") + raise SystemExit(1) break ' "${TOKEN}" "${KF_PROFILE}" diff --git a/apps/kfp-tekton/upstream/base/installs/multi-user/istio-authorization-config.yaml b/apps/kfp-tekton/upstream/base/installs/multi-user/istio-authorization-config.yaml index a9a45e5eb1..8b3144ad39 100644 --- a/apps/kfp-tekton/upstream/base/installs/multi-user/istio-authorization-config.yaml +++ b/apps/kfp-tekton/upstream/base/installs/multi-user/istio-authorization-config.yaml @@ -32,6 +32,10 @@ spec: - cluster.local/ns/kubeflow/sa/ml-pipeline-scheduledworkflow - cluster.local/ns/kubeflow/sa/ml-pipeline-viewer-crd-service-account - cluster.local/ns/kubeflow/sa/kubeflow-pipelines-cache + # allow access by any trusted principal + - from: + - source: + requestPrincipals: ["*"] # For user workloads, which cannot user http headers for authentication - when: - key: request.headers[kubeflow-userid] diff --git a/apps/kfp-tekton/upstream/v1/base/installs/multi-user/istio-authorization-config.yaml b/apps/kfp-tekton/upstream/v1/base/installs/multi-user/istio-authorization-config.yaml index a9a45e5eb1..8b3144ad39 100644 --- a/apps/kfp-tekton/upstream/v1/base/installs/multi-user/istio-authorization-config.yaml +++ b/apps/kfp-tekton/upstream/v1/base/installs/multi-user/istio-authorization-config.yaml 
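Review bot: The polling loop still has no upper bound after the new `if status in ["PENDING", "RUNNING"]` check, so a run that never leaves PENDING keeps the step alive until the Actions job timeout instead of failing with a clear message. Replacing `while True:` with `for _ in range(MAX_POLLS):` and adding a `for`/`else` arm `print("Timed out waiting for run"); raise SystemExit(1)` would bound it (the constant would sit with the other settings above the hunk). Inverting the condition also changes how every other state the KFP v2 API can report is treated: anything that is not PENDING or RUNNING, including non-terminal states such as CANCELING or PAUSED, now drops into the else branch and fails the job at once, which is a reasonable fail-fast choice but deserves a one-line comment such as `# any state other than PENDING/RUNNING is treated as terminal`. The enclosing `python3 -c '…'` string appears to start before this hunk.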
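Review bot: The new `requestPrincipals: ["*"]` rule admits any request carrying a JWT accepted by whatever RequestAuthentication applies to ml-pipeline, and it places no condition on the `kubeflow-userid` header, whereas the service-account rule above it (its start is outside the hunk) appears to be what previously limited header-bearing callers to known principals. Unless an upstream filter strips or overwrites `kubeflow-userid` for JWT-authenticated requests (not visible here), a caller holding any trusted token can present an arbitrary `kubeflow-userid` to the API server; if the intent is token-only callers, add `when: - key: request.headers[kubeflow-userid] notValues: ['*']` to this rule, and prefer naming the expected issuer(s) over `"*"`. The added comment should also say what "trusted" means, e.g. `# any request with a JWT validated by a RequestAuthentication policy in the mesh`. The same rule is added to apps/kfp-tekton/upstream/v1/base/installs/multi-user/istio-authorization-config.yaml in the next hunk and already exists in apps/pipeline/upstream/base/installs/multi-user/istio-authorization-config.yaml in the last hunk.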
@@ -32,6 +32,10 @@ spec:
         - cluster.local/ns/kubeflow/sa/ml-pipeline-scheduledworkflow
         - cluster.local/ns/kubeflow/sa/ml-pipeline-viewer-crd-service-account
         - cluster.local/ns/kubeflow/sa/kubeflow-pipelines-cache
+  # allow access by any trusted principal
+  - from:
+    - source:
+        requestPrincipals: ["*"]
   # For user workloads, which cannot user http headers for authentication
   - when:
     - key: request.headers[kubeflow-userid]
diff --git a/apps/pipeline/upstream/base/installs/multi-user/istio-authorization-config.yaml b/apps/pipeline/upstream/base/installs/multi-user/istio-authorization-config.yaml
index 3a08bf32c3..8b3144ad39 100644
--- a/apps/pipeline/upstream/base/installs/multi-user/istio-authorization-config.yaml
+++ b/apps/pipeline/upstream/base/installs/multi-user/istio-authorization-config.yaml
@@ -32,9 +32,14 @@ spec:
         - cluster.local/ns/kubeflow/sa/ml-pipeline-scheduledworkflow
         - cluster.local/ns/kubeflow/sa/ml-pipeline-viewer-crd-service-account
         - cluster.local/ns/kubeflow/sa/kubeflow-pipelines-cache
+  # allow access by any trusted principal
   - from:
     - source:
-        requestPrincipals: ["*"] # allow access by any trusted principal
+        requestPrincipals: ["*"]
+  # For user workloads, which cannot user http headers for authentication
+  - when:
+    - key: request.headers[kubeflow-userid]
+      notValues: ['*']
 ---
 apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
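Review bot: The added `- when:` rule in apps/pipeline/upstream/base/installs/multi-user/istio-authorization-config.yaml has no `from` clause, so any source that reaches the ml-pipeline sidecar is admitted as long as it omits the `kubeflow-userid` header; the policy then relies entirely on the API server to authenticate such callers (presumably via a bearer token, which is not visible here). The comment on the added line has a typo, `cannot user` → `cannot use`, and would be more useful if it stated that reliance, e.g. `# Requests without kubeflow-userid are admitted here; ml-pipeline must authenticate them itself (e.g. bearer token)`. The same comment appears as context in the two kfp-tekton hunks, so the wording fix should be applied there too to keep the three files identical, which their matching post-image index (8b3144ad39) shows is the intent.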