-
Notifications
You must be signed in to change notification settings - Fork 986
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Model Serving not working on AWS Kubeflow with Cognito #1154
Comments
Issue-Label Bot is automatically applying the labels:
Please mark this comment with 👍 or 👎 to give our bot feedback! |
Issue Label Bot is not confident enough to auto-label this issue. |
I can upgrade to Kubeflow 1.1 and report, I did look at open issues with kfserving and noted this open issue for GCP IAP #824. Will I have similar problem with AWS Cognito trying to get Host routing to work? |
I think so, there is walk-around you can do but we'd definitely recommend upgrading to kubeflow 1.1. |
Ok, let me rebuild the cluster and we can discuss the work-around. Similar to that issue with the work-around will AuthZ need to be disabled? |
Is there an IDP solution that will work with AuthZ, there is the Dex option, https://www.kubeflow.org/docs/started/k8s/kfctl-istio-dex/ ? |
@seizadi checkout the dex example, AuthZ is not integrated with KFServing in kubeflow, so you would still need to either manually create the istio auth policy or disable the sidecar like in the example. |
Ok, I finally was able to upgrade to 1.1.0, it was not as easy as I expected: So I'm back to where I am in applying the model: kubectl -n seizadi apply -f https://raw.githubusercontent.com/kubeflow/kfserving/master/docs/samples/sklearn/sklearn.yaml and get the 404 error, how should I try to patch this to work with Kubeflow 1.1.0? |
I followed instructions for This is the updated python script I used to make request: url = 'https://kubeflow.platform.example.com/kfserving/seizadi/sklearn-iap:predict'
# data to be sent to api
data = { 'instances': [ [6.8, 2.8, 4.8, 1.4], [6.0, 3.4, 4.5, 1.6] ] }
resp = requests.post(url=url, cookies=cookies, data=data)
if resp.status_code == 403:
print('Service account does not have permission to access the application.')
elif resp.status_code == 404:
print('Host route not available to access the application.')
elif resp.status_code != 200:
print('Bad response from application: {!r} / {!r} / {!r}'.format(
resp.status_code, resp.headers, resp.text))
else:
print(resp.text) The request makes it way to the predictor, but I get a 400 error: ❯ k logs sklearn-iap-predictor-default-stx69-deployment-5844ff4b5c-ttbnc kfserving-container
[I 201106 00:52:49 storage:35] Copying contents of /mnt/models to local
....
[W 201106 00:59:39 web:2250] 400 POST /v1/models/sklearn-iap:predict (127.0.0.1) 1.31ms Here is the error message I get from my client: Bad response from application: 400 / {'Date': 'Fri, 06 Nov 2020 02:23:52 GMT', 'Content-Type': 'text/html; charset=UTF-8', 'Content-Length': '191', 'Connection': 'keep-alive', 'Set-Cookie': 'AWSELBAuthSessionCookie-0=xxxxx; Expires=Fri, 18 Sep 2071 03:28:04 GMT; Path=/; Secure; HttpOnly, AWSELBAuthSessionCookie-1=xxxx; Expires=Fri, 18 Sep 2071 03:28:04 GMT; Path=/; Secure; HttpOnly', 'server': 'istio-envoy', 'x-envoy-upstream-service-time': '5'} / '<html><title>400: Unrecognized request format: Expecting value: line 1 column 1 (char 0)</title><body>400: Unrecognized request format: Expecting value: line 1 column 1 (char 0)</body></html>' Looks like the data is not getting to the I'm not sure how you debug this type of problem, ideally you want to follow the request from ALB -> Ingress Gateway -> Predictor. |
I added small fix to the client script to send out request in JSON: url = 'https://kubeflow.platform.example.com/kfserving/seizadi/sklearn-iap:predict'
# data to be sent to api
data = { 'instances': [ [6.8, 2.8, 4.8, 1.4], [6.0, 3.4, 4.5, 1.6] ] }
resp = requests.post(url=url, cookies=cookies, json=data)
if resp.status_code == 403:
print('Service account does not have permission to access the application.')
elif resp.status_code == 404:
print('Host route not available to access the application.')
elif resp.status_code != 200:
print('Bad response from application: {!r} / {!r} / {!r}'.format(
resp.status_code, resp.headers, resp.text))
else:
print(resp.text) It generates the prediction result: {"predictions": [1, 1]} |
@seizadi could you maybe provide some more explanation on what you did here? I am similarly not able to get the cookie-based auth to route correctly. I am following the AWS end-to-end instructions. Have posted an issue relating to that here: kubeflow/website#2378 Are you suggesting that one should use the GCloud IAP approach as above instead? Also, why is your url |
I don't work on this project so I don't get notification like the one you posted on kubeflow/website#2378. Probably need a guide like GCloud IAP written for AWS Cognito, so you have guide to follow. I read your issue and looks like you have not upgraded to Kubelow 1.1.x from 1.0.2 so that will be the first thing to do as there are changes you need from that release and you don't want to patch 1.0.2 with those changes. To answer your last question once you read the GCloud IAP guide, similarly AWS Cognito, exposes what is called path-based routing. In contrast KFserving uses host-based routing. The solution is described here in using Istio Virtual Service. In this model you have path-based routing exposed to the public and you map is to a host-based route that kfserving can consume. |
@seizadi do the changes relate to Kubeflow 1.1.x or does it have to do with a newer version of KFServing? We are not upgrading to 1.1 (or 1.2 for that matter) yet because the multi-tenancy for Pipelines also faces authentication problems at the moment which we don't have a suitable solution for. We are currently running KFServing 0.3.0. |
/kind bug
I have a Kubeflow on AWS EKS using AWS Cognito with ALB. Kubeflow dashboard, notebook server and pipelines work fine. I have problem with kfserving model API access for model prediction. The model deploys in my namespace:
I get the session cookie from my browser and try a regular request to make sure my session cookie is valid:
This request works fine and now I try to create a kfserving model prediction request:
What did you expect to happen:
I would expect the API request to return model prediction result, but
instead I get 404 error in response.
From istio-gateway looks like this request is not routed properly, it is sent to centraldashboard.kubeflow.svc.cluster.local
Environment:
Istio Version:1.1.6
Knative Version:
kubectl get namespace knative-serving -o 'go-template={{index .metadata.labels "serving.knative.dev/release"}}'
v0.11.1%
KFServing Version:
image: gcr.io/kfserving/kfserving-controller:0.2.2
Kubeflow version:
❯ kfctl version
kfctl v1.0.2-0-ga476281
Server:
kfctl_aws_cognito.v1.0.2.yaml
https://github.com/kubeflow/manifests/blob/master/kfdef/kfctl_aws_cognito.v1.0.2.yaml
Kfdef:[k8s_istio/istio_dex/gcp_basic_auth/gcp_iap/aws/aws_cognito/ibm]
aws_cognito
Minikube version:
Kubernetes version: (use
kubectl version
):OS (e.g. from
/etc/os-release
):AWS EKS
The text was updated successfully, but these errors were encountered: