-
Notifications
You must be signed in to change notification settings - Fork 885
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Rootless Kubeflow part one (istio-cni) #2455
Conversation
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
To clarify, this pull request is the rootful daemonset with rootless sidecar solution? |
yes. The damonset is completely isolated and can be managed by the cluster operators. It resides in kube-system so it becomes part of the underlying cluster then. There is no network interaction at all |
@agilgur5 do you have any thoughts about this PR? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We are also running istio-cni to remove sidecar root requirement privileges, it is working fine us
We ended up shifting to use a dedicated physical cluster instead of a virtual cluster for kubeflow, but we still want to try out this model to improve our security footprint. Looking forward to when this work is merged |
@moorthy156 do you want to help with an upstream implementation? If yes, please contact me on slack. |
@juliusvonkohout what's the state of this PR? Is it ready for review? My only concern with the CNI is the initContainer redirection, which could break KServe etc that also has init container that fetches data #2014 (comment). What's the state with this? |
I would love too. Can i get directions on this |
I would also like to be part of it. @juliusvonkohout @moorthy156 Can we arrange a small point on this? |
Yes, always reach out in the Kubeflow slack. |
6854548
to
a6ddca7
Compare
The istio package is upgraded to the latest stable version, 1.18.1. This upgrade is needed for running Kubeflow with rootless containers, as there are a lot of improvements in the latest istio version for that. Signed-off-by: Tzvetomir Stoyanov (VMware) <tz.stoyanov@gmail.com>
bbd3c70
to
2d5d31b
Compare
common/istio-1-17/istio-install/base/patches/istiod-remove-pdb.yaml
Outdated
Show resolved
Hide resolved
I will just remove /contrib from this PR for now. I think the istio changes should stay together here. |
The Istio CNI functionality is still experimental, that's why the github action is triggered manually for now. Added an automatic trigger as well - on every PR that uses ISTIO CNI code. Signed-off-by: Tzvetomir Stoyanov (VMware) <tz.stoyanov@gmail.com>
@annajung comments are addressed, please can you take a look again |
@@ -0,0 +1,59 @@ | |||
name: Build & Apply KServe manifests in KinD, using istio CNI | |||
on: | |||
workflow_dispatch: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If I understand the trigger correctly, only people with write access will have access to trigger the workflow based on workflow_dispatch. So, not sure if it's necessary to keep
Co-authored-by: Anna <antheaj@vmware.com>
Trigger the test on every PR which changes istio-cni code only. Signed-off-by: Tzvetomir Stoyanov (VMware) <tz.stoyanov@gmail.com>
rename to istio-cni
Thanks everyone! cc @kimwnasptd |
Thanks for the review @annajung! I'll also try to take a look within the weekend and merge this |
@juliusvonkohout The knative serving and kubeflow pods are still stuck with isito-init failing as described in Issue #2338. I was trying to run on Openshift 4.12.x and 4.13.x.
|
@mpaulgreen The istio-cni documentation says that for openshifts special cni implementation you need the networkattachmentdefinitions. But we will not cover this here. And the logs you posted there look like the normal istio. This PR here is for istio-CNI. I used both istios on Openshift, so it works. But you have to configure both specifically for Openshift, since Openshift has some special defaults and a different CNI plugin that needs extra settings. As said in the other issue consulting is available, just reach out on slack or linkedin. But please only discuss istio-CNI here. This PR is for development, not paid support. |
@juliusvonkohout You are correct. There are some additional configuration required istio-cni for OpenShift. I will stop posting defects of kubeflow with istio here. |
Tested as well in a KinD cluster and everything worked as expected. Great to see this in, thank you everyone that worked hard! /lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: juliusvonkohout, kimwnasptd The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Which issue is resolved by this Pull Request:
Resolves #2014
Description of your changes:
The main steps are adding an additional profile for istio-cni or ambient mesh, updating the documentation and manifest generation process. Then adding the baseline and restricted PSS as kustomize component to /contrib and extending the profile controller to annotate user namespaces with configurable PSS labels.
First Stage:
Second stage in a second PR:
4. Add pod security standards (https://kubernetes.io/docs/concepts/security/pod-security-standards/) base/restricted to manifests/contrib
5. Add istio-ambient to Kubeflow 1.9
6. Enforce PSS baseline (here you can still build OCI containers via Podman and buildah) in Kubeflow 1.9. It works with any istio
7. Optionally Enforce PSS restricted (this is where minor corner cases are affected) in Kubeflow 1.10
Third stage:
10. Upgrade Istio to 1.19 and use ambient service mesh by default in Kubeflow 1.10
Checklist:
Make sure you have installed kustomize == 3.2.1
make generate-changed-only
make test