-
Notifications
You must be signed in to change notification settings - Fork 830
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add Model Registry networkpolicy #2724
add Model Registry networkpolicy #2724
Conversation
Signed-off-by: Matteo Mortari <matteo.mortari@gmail.com>
lgtm, but need to test it manually in a deployment |
@lampajr please add explicit port numbers for the service. |
Hi @juliusvonkohout, given that we should make accessible all ports that are exposed by the model registry pod (@tarilabs can you confirm that?) I think that it is acceptable as it is (without any port specification, similarly to what other components are already doing) |
I would rather have this pov: this networkpolicy proposal aligns with other examples as suggested by action item out of previous meeting (notes). In short we need 2 "endpoints": REST API (8080) and gRPC (9090). Could someone kindly comment regardings how to A/B test it, per original message, please? |
It is rather trivial and best practices to list those two ports in the networkpolicy. A networkpolicy is just a firewall rule. If you install a full Kubeflow and can still reach both ports it is fine. For standalone tests I would add a deny all networkpolicy and this policy here on top to test. |
I've added 31345c9 |
31345c9
to
b06906f
Compare
Signed-off-by: tarilabs <matteo.mortari@gmail.com>
b06906f
to
5778fca
Compare
Next to my 2 comments I would like to add that gpt4 can write you such policies. Just input your service and deployments and it will figure it out. |
Signed-off-by: Matteo Mortari <matteo.mortari@gmail.com>
Tested with: diff --git a/common/networkpolicies/base/kustomization.yaml b/common/networkpolicies/base/kustomization.yaml
index 3592bc9a..33bf626c 100644
--- a/common/networkpolicies/base/kustomization.yaml
+++ b/common/networkpolicies/base/kustomization.yaml
@@ -16,6 +16,7 @@ resources:
- minio.yaml
- ml-pipeline-ui.yaml
- ml-pipeline.yaml
+ - model-registry.yaml
- poddefaults.yaml
- pvcviewer-webhook.yaml
- seldon.yaml
diff --git a/common/networkpolicies/base/model-registry.yaml b/common/networkpolicies/base/model-registry.yaml
new file mode 100644
index 00000000..801a2145
--- /dev/null
+++ b/common/networkpolicies/base/model-registry.yaml
@@ -0,0 +1,33 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: model-registry
+ namespace: kubeflow
+spec:
+ podSelector:
+ matchExpressions:
+ - key: component
+ operator: In
+ values:
+ - model-registry-server
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/part-of
+ operator: In
+ values:
+ - kubeflow-profile
+ - namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: In
+ values:
+ - istio-system
+ ports:
+ - protocol: TCP
+ port: 8080
+ - protocol: TCP
+ port: 9090
+ policyTypes:
+ - Ingress per latest reviews. Without network policy: WITH network policy: Notes on testing environment usedSince I've tested locally on Minikube, I needed to ensure "calico".
Caution the outputs as (on my linux box)
(notice the calico line explicitly output) Additional notesThis might actually be analogous as experienced by end-user with: |
/approve |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: juliusvonkohout The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Thank you @juliusvonkohout 🙏 🚀 |
@tarilabs I tested it on Microk8s 1.28. It works. |
* add Model Registry networkpolicy Signed-off-by: Matteo Mortari <matteo.mortari@gmail.com> * implement review feedback Signed-off-by: tarilabs <matteo.mortari@gmail.com> * implement code review feedback Signed-off-by: Matteo Mortari <matteo.mortari@gmail.com> --------- Signed-off-by: Matteo Mortari <matteo.mortari@gmail.com> Signed-off-by: tarilabs <matteo.mortari@gmail.com>
Raising as draft following indication on #2701 but not yet sure how to manually verify: I've tested with
1.9.0-rc.0
on a local cluster, both with and without this network policy, I can reach the service both externally the cluster (authenticated call) and from another pod in a different namespace (namespace "default" using wget from an hello-world pod).Which issue is resolved by this Pull Request:
Resolves #2701
Description of your changes:
Checklist:
Make sure you have installed kustomize == 5.2.1+
make generate-changed-only
make test