Enable istio support for ray

[hansinikarunarathne]

Pull Request Template for Kubeflow manifests Issues

✏️ A brief description of the changes

I enable Istio in ray
I followed the steps in https://docs.ray.io/en/latest/cluster/kubernetes/k8s-ecosystem/istio.html#step-4-create-the-raycluster except the step 3.

inside the notebook

🐛 If this PR is related to an issue, please put the link to the issue here.

#2742

✅ Contributor checklist

• Make sure you have tested with kustomize. See Installation Prerequisites
• All the commits have been signed-off (To pass the DCO check)
• Submit the Contributor License Agreements (To pass the cla/google check)

---

You can join the CNCF Slack and access our meetings at the Kubeflow Community website. Our channel on the CNCF Slack is here #kubeflow-platform.

[juliusvonkohout]

@alex-treebeard @kevin85421 @wadhah101 can you take a look as well, since you contributed here before?

[hansinikarunarathne]

did the requested changes. please review @juliusvonkohout

[juliusvonkohout]

This must be generic. The namespace could also have another name that you do not know in advance. The same manifests should work for different users.

[hansinikarunarathne]

Is there a way to templating that namespace value without using helm?

[juliusvonkohout]

The Serviceaccount is wrong. It should be default-editor everywhere. Especially in the raycluster itself.

You can take a look at https://istio.io/latest/docs/reference/config/security/authorization-policy/ for ideas and ask gpt4. Maybe you can just whitelist the whole namespace.

I do not need templating, but a general solution that just works without manual effort.

[hansinikarunarathne]

Is it only enough to generalize the service account name(with default-editor)? Because since we are deploying it in a namespace, we have to specify the namespace to give the access to only for that specific namespace(kubeflow-user-example in this case)

[juliusvonkohout]

No the other way around. We need to generalize the namespace. It would be alright to allow all serviceaccounts or all pods from the namespace. But the deployments should still run as default-editor. This must be deployable without manual changes per namespace.

[juliusvonkohout]

Are you setting the default-editor in the raycluster resource itself?

[hansinikarunarathne]

I added the default-editor service account to the deployment.

We need to generalize the namespace.

This means should I add like this,
cluster.local/ns/kubeflow-user-example-com/sa/*

[hansinikarunarathne]

I did the changes . @juliusvonkohout

[juliusvonkohout]

Please remove the part of "## Step 3: Create a namespace" in a follow up PR. There shall be no manual namespace creation. All of this is handled by kubeflow profiles.

[juliusvonkohout]

/lgtm
/approve

[google-oss-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: juliusvonkohout

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [juliusvonkohout]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment