add storage-initializer uid handling for OpenShift with istio-cni #18
Conversation
| if initContainer.SecurityContext == nil { | ||
| initContainer.SecurityContext = &v1.SecurityContext{} | ||
| } | ||
| uidStr := targetNs.Annotations[OpenShiftUidRangeAnnotationKey] |
There was a problem hiding this comment.
As far as I see this mechanism is replacing the IstioSidecarUIDAnnotationKey alternative. Do you think it could make sense to keep it as fallback if OpenShiftUidRangeAnnotationKey is not available?
There was a problem hiding this comment.
Hm not sure if it is better to fail or not (if the annotation is not there, something went pretty wrong on OCP). As the user in OCP probably will never know about the issue and how to resolve it (needing to know to add 1 for example), do we expect that he even could bring the correct user? I'm currently favouring erroring I think.
There was a problem hiding this comment.
I don't think that this mechanism with "+1" would work as Istio itself would not find that range, right ? I'm not sure what Istio/Service Mesh would do as a fallback when the range is not available as an annotation. I would then probably do the same here, too.
There was a problem hiding this comment.
Yeah, I think it should be fine to assume it is there or error out.
There was a problem hiding this comment.
I think I'm more in agreement with @danielezonca here.
I think the code should honor the IstioSidecarUIDAnnotationKey if present. Otherwise, apply OpenShift logic. If both the OpenShift annotations and IstioSidecarUIDAnnotationKey aren't there, continue without doing any change and without error .
That logic ^ would make the code compatible with both upstream Istio-cni (which will want the 1337 annotation) and Maistra/OSSM (which will use OpenShift annotations). And the code would also remain compatible with an upstream non-cni-Istio installation (which presumably works well without UID hacking), in case community wants to try that.
There was a problem hiding this comment.
...I'm also thinking that such logic ^ (despite being a workaround) is perhaps more feasible to push to upstream, as it is less invasive.
There was a problem hiding this comment.
I like your proposal and explanation. I think that makes sense. I updated the PR accordingly, please re-review.
|
/lgtm |
There was a problem hiding this comment.
/lgtm
I would like to have @Jooho or @israel-hdez approval too before merging
|
@ReToCode @Jooho @israel-hdez Please review when you have time :) |
I'm still testing it with quay.io/rlehmann/kserve-controller:fix-anyuid. I'm targeting it to be ready today. |
ReToCode
changed the title
|
I'm done with testing. Looks good. Please also see https://redhat-internal.slack.com/archives/C05742W6F7T/p1689149577193889 for a demo link. |
|
If the user actually wants to have anyuid in their namespace because they are running something privileged in there they could still use |
Hm not sure if we even would want that, but you can run your user-container as privileged, the istio-container would still be 1337 or the OCP one (we just set the storage-initializer to the same id as istio). I doubt that there is a case for running the storage-initializer privileged. Or what case are you thinking of? |
It seems to me that we only set it to project range uid + 1 unless there is some annotation that passes a specific uid. If user sets anyuid without setting any annotation, istio side car will run with 1337 but storage-initializer will run with a project range id no?
It is not about the storage-initializer and probably this part will need some form of documentation. Given the fact that we dont control what users do (we had a recent case with setting anyuid in our operator ns causing problems) this might break stuff in some scenarios. As for the case that this may appear imagine a user wants to store some results in nfs in a ns and run his inference svc there (any such combination is a challenge I guess). |
I think this fully depends on which Mesh flavor you are using. If you use Maistra/OSSM, AFAIK, the Istio sidecars will always use In any case, the initContainer must run with the same UID that the sidecar would use. Otherwise, the initContainer will have no network. EDIT: And keep in mind that this is just a requirement for the CNI case.
So, automating Quite doable, but I think, for now, I prefer to keep things simple. |
Ok if so makes sense then, however what I remember from my experiments when I was using anyuid in a ns, OSSM was picking 1337 for the Istio sidecar. Anyway I will double check. |
|
@israel-hdez here are two fresh runs one without scc anyuid applied and one with scc anyuid applied. These are pods for the same knative svc created twice one for each run. The setup is done using Reto's repo and its Maistra/SM on OCP 4.12. As you see the istio sidecar uses 1337 in the second case. So I don't think this case is covered unless user knows and passes manually the right uid via the annotation (this case is not project range related). Probably some form of documentation would help here. |
|
@skonto Thanks for the test. I think there are very few people who want to use |
That's quite interesting. Good find! So, I was wrong. Digging on Maistra's code, for reference this is how they implement it: https://github.com/maistra/istio/blob/98f70f7641d14db1351c4b8f5ae1d8f19fc79a92/pkg/kube/inject/webhook.go#L922-L959. Looks like uid
I'm quite in agreement with JooHo comment and this is supposed to be a workaround. Perhaps, if we see that this workaround won't go away, we will need to improve it. So, I'm 👍 to cover it with docs for the time being. I'll create a ticket. |
**What this does / why we need it**:
This PR adds custom code to make KServe run on OpenShift without the need for anyuid SCC.
**More context**:
OpenShift uses istio-cni which causes an issue with init-containers when calling external services
like S3 or similar. Setting the uid for the storage-initializer to the same uid as the
uid of the istio-proxy resolves the issue. In OpenShift the istio-proxy always gets assigned
the first uid from the namespaces uid range + 1 (The range is defined in an annotation on the namespace).
**Release note**:
```release-note
The `storage-initializer` container will now run with the same `uid` as the `istio-proxy` which resolves an issue when istio-cni is used.
```
---
Squashed commit titles:
* add storage-initializer uid handling for OpenShift with istio-cni
* update storage_initializer_injector tests
* Also use annotation on pod to override uid
…ream-merge Merge upstream/release-v0.11 into master
What this PR does / why we need it:
anyuidSCC.More context:
OpenShift uses istio-cni which causes an issue with init-containers when calling external services
like S3 or similar. Setting the
uidfor thestorage-initializerto the sameuidas theuidof theistio-proxyresolves the issue. In OpenShift theistio-proxyalways gets assignedthe first
uidfrom the namespacesuidrange + 1 (The range is defined in an annotation on the namespace).Type of changes
Feature/Issue validation/testing:
Tested on OpenShift according to documentation in https://github.com/ReToCode/knative-kserve and opendatahub-io/odh-manifests#838.
Logs
Installation setup and documentation here.
Checklist:
Release note:
/hold WIP - making tests pass.