Scope Kubeflow components in given namespace #4781
Comments
|
/assign @Ark-kun Do you know if there's any potential caveat besides caching in this case? |
ClusterRole: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole.
That was the reason we included those |
|
If a namespaced install do not need caching feature, then you can install the CRDs and multiple namespaced installations. |
I see. that would be the blocker to create multiple namespaced installations. We can either remove cache-deployer as you suggest, or make some changes in deployer to create different webhooks like |
|
If making a pure namespaced mode KFP is of high value to you, we can accept a PR for a KFP env without cache. |
|
Sounds good. I file a PR #4796 |
The cache deployer already does that. Do you think this solves your issue?
This is pretty easy to do, but please note that P.S. I wonder about scoping other services like Minio and Argo. |
Yes, I checked the source and the webhook get created using given namespace. cache-deployer still need cluster level resources. As I said In the #4781 (comment), each installation can share same cluster role but still need to create different cluster role bindings. The real world case is tenancy can not create cluster resource and their permission is scoped to the namespace. I feel like in this case, it's better to get ride of any cluster level resources
Argo supported managed namespace https://argoproj.github.io/argo/managed-namespace/. I think minio or mysql doesn't need to be scoped. |
That would be ideal, but might not be always feasible. For example, CRDs like Argo Workflow are cluster scoped. I really wish Kubernetes had support for namespace-scoped mutating webhooks. Another alternative would be to integrate hook support into Argo. |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
stale
bot
added
the
lifecycle/stale
|
This issue has been automatically closed because it has not had recent activity. Please comment "/reopen" to reopen it. |
stale
bot
removed
the
lifecycle/stale
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
github-actions
bot
added
the
lifecycle/stale
stale
bot
removed
the
lifecycle/stale
In my current company, there're few orgs/platforms like to leverage KFP. Besides multi-user KFP, I am also evaluating if it's possible to deploy KFP per namespace since users are ok to share experiments in the same namespace.
If we see instruction to install Kubeflow in single-user mode. There're some cluster-scoped-resources.
https://github.com/kubeflow/pipelines/blob/master/manifests/kustomize/cluster-scoped-resources/kustomization.yaml#L10-L12
Besides CRD, I see there's some cluster-role and bindings in
cache-deployerhttps://github.com/kubeflow/pipelines/tree/master/manifests/kustomize/base/cache-deployer/cluster-scoped
Seems the code level already support
NAMESPACE_TO_WATCHthat means cluster scope permissions is not needed. I think I can file a PR to remove it?Does anyone know pitfalls to use KFP per namespace?
/kind question
The text was updated successfully, but these errors were encountered: