Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Notebook cannot implicitly connect to/launch runs in the Pipelines client #423

Closed
ca-scribner opened this issue Jan 27, 2022 · 5 comments
Closed

Notebook cannot implicitly connect to/launch runs in the Pipelines client #423

ca-scribner opened this issue Jan 27, 2022 · 5 comments
Assignees
@ca-scribner
Labels
enhancement New feature or request

Comments

@ca-scribner
Copy link
Contributor

Currently in a notebook, this does not work:

import kfp
client = kfp.Client()

reporting:

ERROR:root:Failed to read a token from file '/var/run/secrets/kubeflow/pipelines/token' ([Errno 2] No such file or directory: '/var/run/secrets/kubeflow/pipelines/token').
WARNING:root:Failed to set up default credentials. Proceeding without credentials...

I think this is because, when switching to multi-user isolation for pipelines, we missed adding this to the PodDefaults for each user.

As a temporary workaround, used can from a terminal on cluster create a PodDefault in their namespace:

apiVersion: kubeflow.org/v1alpha1
kind: PodDefault
metadata:
  name: access-ml-pipeline
  namespace: "<YOUR_USER_PROFILE_NAMESPACE>"
spec:
  desc: Allow access to Kubeflow Pipelines
  selector:
    matchLabels:
      access-ml-pipeline: "true"
  volumes:
    - name: volume-kf-pipeline-token
      projected:
        sources:
          - serviceAccountToken:
              path: token
              expirationSeconds: 7200
              audience: pipelines.kubeflow.org      
  volumeMounts:
    - mountPath: /var/run/secrets/kubeflow/pipelines
      name: volume-kf-pipeline-token
      readOnly: true
  env:
    - name: KF_PIPELINES_SA_TOKEN_PATH
      value: /var/run/secrets/kubeflow/pipelines/token

which will then enable new notebook servers to select KFP access in the Configurations section of the new notebook page.

Another hack that will let you use kfp from an existing notebook is to copy your session cookie from your browser's development tools, then do:

cookies = 'authservice_session=<your cookie from your browser>'
client = kfp.Client(
    host="http://10.64.140.43.nip.io/pipeline",
    cookies=cookies,
)
@Barteus
Copy link

Barteus commented Jan 28, 2022

Workaround with PodDefault works for me, thanks!

@ca-scribner
Copy link
Contributor Author

kubeflow/pipelines#5138 discusses this problem and some possible fixes. The fixes are not merged and the discussion seems stale but I'll see if I can revive anything.

@ca-scribner
Copy link
Contributor Author

We can do kubeflow/pipelines#6629 ourselves (we already run a modified version of the sync.py file in our profile-controller charm anyway). That effectively puts the PodDefault above in every user's namespace, meaning that all users will see the configuration button for pipelines on the notebook creation page by default.

Users still need to select that configuration button to get pipeline access in their notebook, but the situation would be better than it is now. Fixing/closing this issue should include a change to our documentation to instruct users about the button

@ca-scribner
Copy link
Contributor Author

Nevermind, we can also make the trivial patch to our notebook spawner default config from kubeflow/kubeflow#6160 and the button is checked by default!

ca-scribner added a commit to canonical/notebook-operators that referenced this issue Jan 28, 2022
@ca-scribner
add default access to pipelines from notebook
d9dbba4 
This is part of the fix for canonical/bundle-kubeflow#423.

This change automatically selects the "Allow access to Kubeflow Pipelines" PodDefault configuration for new notebooks, provided it has been already been added to the user's namespace.  Adding the PodDefault is handled separately.
ca-scribner added a commit to canonical/kfp-operators that referenced this issue Jan 28, 2022
@ca-scribner
adds a PodDefault for pipelines access to all Profiles
c974456 
This change partly addresses canonical/bundle-kubeflow#423

This updates the kfp metacontroller managed by the kfp-profile-controller to add a new PodDefault to all user namespaces (Profiles).  This PodDefault, when selected, lets Notebooks access the pipelines client without explicitly authenticating.

The change here adds the PodDefault, but it does not automatically enable the kfp access.  PodDefaults in a user's namespace are noticed by the notebook controller (charm: jupyter-ui) and shown to a user in the Notebook spawner UI under "Configurations".  To enable this kfp integration, users must enable this new configuration "Allow access to Kubeflow Pipelines".

This PodDefault can also be used by other workloads that might need access, such as a step of a pipeline.  See the [admission-webhook readme](https://github.com/kubeflow/kubeflow/blob/master/components/admission-webhook/README.md) for more info.
This was referenced Jan 28, 2022
Merged
Merged
@rohank07 rohank07 mentioned this issue Feb 9, 2022
Closed
@bryanpaget bryanpaget mentioned this issue Feb 10, 2022
Closed
@ca-scribner ca-scribner self-assigned this Feb 15, 2022
@ca-scribner ca-scribner added the enhancement New feature or request label Feb 15, 2022
ca-scribner added a commit to canonical/notebook-operators that referenced this issue Feb 22, 2022
@ca-scribner
add default access to pipelines from notebook
45d18cc 
This is part of the fix for canonical/bundle-kubeflow#423.

This change automatically selects the "Allow access to Kubeflow Pipelines" PodDefault configuration for new notebooks, provided it has been already been added to the user's namespace.  Adding the PodDefault is handled separately.

Also changed:

* remove unused environment variable from tests
* fix integration testing by
  * pinning istio to 1.5 for tests
  * revert integration tests to use istio 1.5
  * add test instructions in README.md
  * convert `kubectl` calls in tests to `lightkube` calls.
  * add patch to istio-ingressgateway role to fix bug with istio 1.5 charm
  * add automatic cleanup of non-juju created objects required for testing
  * deduplicating test runs
ca-scribner added a commit to canonical/notebook-operators that referenced this issue Feb 22, 2022
@ca-scribner
add default access to pipelines from notebook
dec4eb9 
This is part of the fix for canonical/bundle-kubeflow#423.

This change automatically selects the "Allow access to Kubeflow Pipelines" PodDefault configuration for new notebooks, provided it has been already been added to the user's namespace.  Adding the PodDefault is handled separately.

Also changed:

* remove unused environment variable from tests
* fix integration testing by
  * pinning istio to 1.5 for tests
  * revert integration tests to use istio 1.5
  * add test instructions in README.md
  * convert `kubectl` calls in tests to `lightkube` calls.
  * add patch to istio-ingressgateway role to fix bug with istio 1.5 charm
  * add automatic cleanup of non-juju created objects required for testing
  * deduplicating test runs
DomFleischmann pushed a commit to canonical/notebook-operators that referenced this issue Feb 23, 2022
@ca-scribner
add default access to pipelines from notebook (#24)
60f4eaa 
This is part of the fix for canonical/bundle-kubeflow#423.

This change automatically selects the "Allow access to Kubeflow Pipelines" PodDefault configuration for new notebooks, provided it has been already been added to the user's namespace.  Adding the PodDefault is handled separately.

Also changed:

* remove unused environment variable from tests
* fix integration testing by
  * pinning istio to 1.5 for tests
  * revert integration tests to use istio 1.5
  * add test instructions in README.md
  * convert `kubectl` calls in tests to `lightkube` calls.
  * add patch to istio-ingressgateway role to fix bug with istio 1.5 charm
  * add automatic cleanup of non-juju created objects required for testing
  * deduplicating test runs
@ca-scribner
Copy link
Contributor Author

Closed by canonical/kfp-operators#49 and canonical/notebook-operators#24

DnPlas added a commit to canonical/notebook-operators that referenced this issue Jul 15, 2022
@DnPlas
fix: add access-ml-pipeline value to spawner config due to canonical/…
ba046fa 
…bundle-kubeflow#423
DnPlas added a commit to canonical/notebook-operators that referenced this issue Jul 20, 2022
@DnPlas
fix: add access-ml-pipeline value to spawner config due to canonical/…
e1e6d71 
…bundle-kubeflow#423
DnPlas added a commit to canonical/notebook-operators that referenced this issue Jul 21, 2022
@DnPlas
fix: add access-ml-pipeline value to spawner config due to canonical/…
d4fb6f6 
…bundle-kubeflow#423
@qiuyuanyi1867 qiuyuanyi1867 mentioned this issue Jun 6, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ca-scribner ca-scribner

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Barteus @ca-scribner