Fixes for Integrating KServe with Openshift #2853
Conversation
skonto
changed the title
|
@yuzisun @alexagriffith gentle ping. |
|
/assign @yuzisun |
skonto
changed the title
|
TODO: support scenario where OCP SM uses a uid other than 1337 to run the Istio side car. |
We could make it configurable? The default in Istio is 1337, but I think users could overwrite it. |
Yes that is my idea too given that OCP requires a project based id that varies. |
skonto
changed the title
|
I have updated the PR. I am using an annotation to pass the uid for the storage initializer. |
|
@yuzisun pls review, this is meant to make the Openshift guide added lately to work out of the box with Istio. |
|
@alexagriffith @yuzisun gentle ping. |
|
@alexagriffith and I am not too familiar with OpenShift, @ckadner can you help review this PR? |
|
@skonto -- I have not deployed KServe in while, and not on OpenShift. Can you point me to how you deployed and configured your cluster? You can find me on Slack |
|
@skonto Can you help sign off the commit following https://github.com/kserve/kserve/pull/2853/checks?check_run_id=13400347618 ? |
skonto
force-pushed
the
fixes_for_ocp
branch
2 times, most recently
from
169556d
to
6793200
Compare
|
@yuzisun I think its ready now. |
| @@ -108,6 +109,14 @@ func createKnativeService(componentMeta metav1.ObjectMeta, | |||
| } | |||
| } | |||
|
|
|||
| // Allow custom annotations for ksvcs that start with serving.knative but not part of serving.knative.dev group name. | |||
| for aKey, _ := range annotations { | |||
| if !strings.HasPrefix(aKey, constants.KnativeServingAPIGroupName) && strings.HasPrefix(aKey, constants.KnativeServingAPIGroupNamePrefix) { | |||
There was a problem hiding this comment.
Is it better to just check the full api group name serving.knative.openshift.io?
There was a problem hiding this comment.
@yuzisun I thought about that but I didnt want to add vendor specific annotations, trying to keep it neutral for future use as well. Do you want me to change that?
There was a problem hiding this comment.
@yuzisun unofrtunately that is per component. The requirement is to set this at the ksvc level, because the OCP Serverless reconciler expects that annotation (serving.knative.openshift.io/enablePassthrough: "true") to be at that level.
For example here is the diff between a kserve ksvc (does not work) and a regular ksvc that works as expected (I tried this using the new feature).
There was a problem hiding this comment.
ok, l'd prefer using a more explicit list, we can add serving.knative.openshift.io/enablePassthrough to managedKsvcAnnotations ?
There was a problem hiding this comment.
Yes that is possible. I will update it.
Signed-off-by: Stavros Kontopoulos <st.kontopoulos@gmail.com>
Signed-off-by: Stavros Kontopoulos <st.kontopoulos@gmail.com>
|
@yuzisun , @alexagriffith would you mind taking another look? We'd like to do some additional patching in opendatahub-io/kserve which is based on these changes. |
| DefaultMinReplicas = 1 | ||
| ControllerLabelName = KServeName + "-controller-manager" | ||
| DefaultMinReplicas = 1 | ||
| IstioSidecarUIDAnnotationKey = KServeAPIGroupName + "/storage-initializer-uid" |
There was a problem hiding this comment.
Are we planning to make this configurable here also without having to add this annotation to every inference service?
There was a problem hiding this comment.
The "issue" is, that this is specific to the namespace where the service is deployed. At the moment there is no better way than to specify it per InferenceService. We're working with the istio folks to hopefully get rid of the underlying issue.
Looks good, do we need more documentation updates? |
Yes we should definitely update https://github.com/kserve/kserve/blob/master/docs/OPENSHIFT_GUIDE.md#prerequisites. Is it ok if I do a followup PR for this? |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: skonto, yuzisun The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
* fixes for SM and OCP Signed-off-by: Stavros Kontopoulos <st.kontopoulos@gmail.com> * updates Signed-off-by: Stavros Kontopoulos <st.kontopoulos@gmail.com> * add pass through annotation support Signed-off-by: Stavros Kontopoulos <st.kontopoulos@gmail.com> --------- Signed-off-by: Stavros Kontopoulos <st.kontopoulos@gmail.com>
* fixes for SM and OCP Signed-off-by: Stavros Kontopoulos <st.kontopoulos@gmail.com> * updates Signed-off-by: Stavros Kontopoulos <st.kontopoulos@gmail.com> * add pass through annotation support Signed-off-by: Stavros Kontopoulos <st.kontopoulos@gmail.com> --------- Signed-off-by: Stavros Kontopoulos <st.kontopoulos@gmail.com> Signed-off-by: iamlovingit <freecode666@gmail.com>
What this PR does / why we need it:
This adds the following fixes for running KServe on Openshift:
The annotation for example
serving.knative.openshift.io/enablePassthrough: “true”needs to be added at the ksvc level for inference services and graphs. This will not allow to add arbitrary annotations, thus should not change current semantics.Right now the security context is copied from the user container but we cant use the same user id there for many reasons eg. is not allowed, security etc. The latter applies if we use pod security context or some other workaround.
The uid can be set to an arbitrary value using the annotation:
serving.kserve.io/storage-initializer-uid: "...".Note that on Openshift that uid is not 1337 but project_id_range+1, so we need this to be configurable.
Note: In a future PR we should be able to setup the Knative Serving init-containers feature flag and avoid the custom injection done or provide some template to allow the user to configure that part.
Type of changes
Please delete options that are not relevant.
Feature/Issue validation/testing:
Tested on OCP 4.12 with the following inference service:
The manager deployment was started with the right env var.
Special notes for your reviewer:
No
Release note: