Scope Kubeflow components in given namespace #4781
Comments
/assign @Ark-kun Do you know if there's any potential caveat besides caching in this case?
pipelines/manifests/kustomize/base/cache-deployer/cluster-scoped/cache-deployer-clusterrole.yaml Line 21 in ec721fe
ClusterRole : https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole.
That was the reason we included those
If a namespaced install does not need the caching feature, then you can install the CRDs and multiple namespaced installations.
I see. That would be the blocker to create multiple namespaced installations. We can either remove cache-deployer as you suggest, or make some changes in deployer to create different webhooks like
If making a pure namespaced mode KFP is of high value to you, we can accept a PR for a KFP env without cache.
Sounds good. I file a PR #4796
The cache deployer already does that.
Do you think this solves your issue?
This is pretty easy to do, but please note that P.S. I wonder about scoping other services like Minio and Argo.
Yes, I checked the source and the webhook gets created using the given namespace. cache-deployer still needs cluster level resources. As I said in the #4781 (comment), each installation can share the same cluster role but still needs to create different cluster role bindings. The real world case is tenancy cannot create cluster resources and their permission is scoped to the namespace. I feel like in this case, it's better to get rid of any cluster level resources.
Argo supported managed namespace https://argoproj.github.io/argo/managed-namespace/. I think minio or mysql doesn't need to be scoped.
That would be ideal, but might not be always feasible. For example, CRDs like Argo Workflow are cluster scoped. I really wish Kubernetes had support for namespace-scoped mutating webhooks. Another alternative would be to integrate hook support into Argo.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
This issue has been automatically closed because it has not had recent activity. Please comment "/reopen" to reopen it.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
In my current company, there are a few orgs/platforms that would like to leverage KFP. Besides multi-user KFP, I am also evaluating if it's possible to deploy KFP per namespace since users are ok to share experiments in the same namespace.
If we look at the instructions to install Kubeflow in single-user mode, there are some cluster-scoped resources.
https://github.com/kubeflow/pipelines/blob/master/manifests/kustomize/cluster-scoped-resources/kustomization.yaml#L10-L12
Besides CRD, I see there are some cluster-role and bindings in `cache-deployer`
https://github.com/kubeflow/pipelines/tree/master/manifests/kustomize/base/cache-deployer/cluster-scoped
Seems the code level already supports `NAMESPACE_TO_WATCH`, that means cluster scope permissions are not needed. I think I can file a PR to remove it? Does anyone know pitfalls to use KFP per namespace?
/kind question
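An added example, not part of the issue or of the Kubeflow code base: a pre-install check that lists the cluster-scoped objects in a rendered manifest, which is what a tenant whose permissions stop at one namespace would be unable to create. The sample manifest and its resource names are constructed, the kind list covers only the kinds discussed in this thread plus `Namespace` and the validating webhook kind, and the reader is a simplified regex scan rather than a full YAML parser.

```python
import re

# Cluster-scoped kinds relevant to this thread (not an exhaustive list).
CLUSTER_SCOPED_KINDS = {
    "ClusterRole", "ClusterRoleBinding", "CustomResourceDefinition",
    "MutatingWebhookConfiguration", "ValidatingWebhookConfiguration", "Namespace",
}

def cluster_scoped_resources(manifest_text):
    """Return (kind, name) for every cluster-scoped object in a multi-document manifest.

    Assumption: each document has a top-level `kind:` and a `metadata:` block;
    the first indented `name:` under `metadata:` is taken as the object name.
    """
    found = []
    for doc in re.split(r"(?m)^---[ \t]*$", manifest_text):
        kind = re.search(r"(?m)^kind:[ \t]*(\S+)", doc)
        if not kind or kind.group(1) not in CLUSTER_SCOPED_KINDS:
            continue
        name = re.search(
            r"(?m)^metadata:[ \t]*\n(?:[ \t]+.*\n)*?[ \t]+name:[ \t]*(\S+)", doc)
        found.append((kind.group(1), name.group(1) if name else "<unnamed>"))
    return found

# Constructed sample: two cluster-scoped RBAC objects next to namespaced ones.
SAMPLE = """\
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-cache-deployer-clusterrole
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: example-cache-deployer-clusterrolebinding
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: example-cache-deployer-role
  namespace: team-a
"""

if __name__ == "__main__":
    for kind, name in cluster_scoped_resources(SAMPLE):
        print(f"needs cluster-level permission: {kind}/{name}")
```

An empty result means the manifest can be applied with namespace-scoped permissions only, as far as the listed kinds are concerned.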