Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Failed to call kfp.Client() in jupyter notebook #153

Closed
rohank07 opened this issue Feb 9, 2022 · 5 comments · Fixed by #155
Closed

Failed to call kfp.Client() in jupyter notebook #153

rohank07 opened this issue Feb 9, 2022 · 5 comments · Fixed by #155
Assignees
@zachomedia @sylus @rohank07
Labels
area/engineering Requires attention from engineering: focus on foundational components or platform DevOps component/kubeflow Kubeflow Related priority/soon size/M 2-3 days

Comments

@rohank07
Copy link
Contributor

rohank07 commented Feb 9, 2022
edited
Loading

Unable to call kfp.Client()
image

We would have to use access-ml-pipeline PodDefault (canonical/bundle-kubeflow#423)

apiVersion: kubeflow.org/v1alpha1
kind: PodDefault
metadata:
  name: access-ml-pipeline
  namespace: "<YOUR_USER_PROFILE_NAMESPACE>"
spec:
  desc: Allow access to Kubeflow Pipelines
  selector:
    matchLabels:
      access-ml-pipeline: "true"
  volumes:
    - name: volume-kf-pipeline-token
      projected:
        sources:
          - serviceAccountToken:
              path: token
              expirationSeconds: 7200
              audience: pipelines.kubeflow.org      
  volumeMounts:
    - mountPath: /var/run/secrets/kubeflow/pipelines
      name: volume-kf-pipeline-token
      readOnly: true
  env:
    - name: KF_PIPELINES_SA_TOKEN_PATH
      value: /var/run/secrets/kubeflow/pipelines/token

Using PodDefault https://www.kubeflow.org/docs/components/pipelines/sdk/connect-api/#multi-user-mode
Waiting for https://github.com/kubeflow/pipelines/pull/6629/files to be merged (pipelines-profile-controller needs PodDefault updates)
@sylus sylus added area/engineering Requires attention from engineering: focus on foundational components or platform DevOps component/kubeflow Kubeflow Related priority/soon size/M 2-3 days labels Feb 9, 2022
@rohank07 rohank07 self-assigned this Feb 10, 2022
@rohank07 rohank07 mentioned this issue Feb 11, 2022
Closed
@sylus sylus linked a pull request Feb 11, 2022 that will close this issue
feat(pipelines): Multi user mode connect to pipelines same cluster #155
Merged
@sylus sylus reopened this Feb 12, 2022
@sylus
Copy link
Member

sylus commented Feb 12, 2022

I got this to finally work the last thing we need to do is remove the EnvoyFilter logic we had for KF 1.2 which will fix us getting access denied in KF 1.3.

    - when:
        - key: 'request.headers[kubeflow-userid]'
          notValues:
            - '*'
  selector:
    matchLabels:
      app: ml-pipeline

https://github.com/StatCan/aaw-kubeflow-controller/blob/master/istio.go#L17

@rohank07
Copy link
Contributor Author 

        - key: 'request.headers[kubeflow-userid]'
          notValues:
            - '*'
  selector:
    matchLabels:
      app: ml-pipeline

What is this snippet from? Were there other modifications made to the manifests?

@sylus
Copy link
Member

sylus commented Feb 12, 2022

Its comes from kubeflow and we need to remove our personalized envoy filters which force add kubeflow-userid so it never passes RBAC.

https://github.com/kubeflow/pipelines/blob/74c7773ca40decfd0d4ed40dc93a6af591bbc190/manifests/kustomize/base/installs/multi-user/istio-authorization-config.yaml#L36

@sylus
Copy link
Member

sylus commented Feb 14, 2022

Performed the following steps:

a) Removed the legacy logic that breaks in KF 1.3

b) Removed all the created envoyfilters of name "kubeflow-pipelines" in dev cluster

@sylus sylus closed this as completed Feb 14, 2022
@rohank07 rohank07 mentioned this issue Feb 15, 2022
Closed
@rohank07 rohank07 mentioned this issue Apr 22, 2022
Closed
11 tasks
@zachomedia
Copy link
Contributor

Cleanup in prod performed with the following command:

kubectl get all envoyfilter -o json | jq -r '.items[] | select(.metadata.name == "kubeflow-pipelines") | "kubectl -n \(.metadata.namespace) delete envoyfilter \(.metadata.name) --wait=false"' | xargs -n1 -d "\n" -- bash -c

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@zachomedia zachomedia

@sylus sylus

@rohank07 rohank07

Labels
area/engineering Requires attention from engineering: focus on foundational components or platform DevOps component/kubeflow Kubeflow Related priority/soon size/M 2-3 days
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat(pipelines): Multi user mode connect to pipelines same cluster StatCan/aaw-kubeflow-manifests
3 participants
@zachomedia @sylus @rohank07