manifests icon indicating copy to clipboard operation
manifests copied to clipboard
verified publisher icon kubeflow

Support Istio-compatible deployment with Cilium

Open juliusvonkohout opened this issue 1 year ago • 9 comments

Validation Checklist

  • [X] Is this a Kubeflow issue?
  • [X] Are you posting in the right repository ?
  • [X] Did you follow the installation guide https://github.com/kubeflow/manifests?tab=readme-ov-file ?
  • [X] Is the issue report properly structured and detailed with version numbers?
  • [X] Is this for Kubeflow development ?
  • [ ] Would you like to work on this issue?
  • [X] Join our slack channel using wg-manifests.

Version

master

Describe your issue

See https://github.com/kubeflow/kubeflow/issues/7553#issue-2251830611

@adriantorrie @AndersBennedsgaard @Apsu

Steps to reproduce the issue

Try cilium with Kubeflow

Put here any screenshots or videos (optional)

No response

juliusvonkohout avatar May 25 '24 10:05 juliusvonkohout

As one of the @kubeflow/wg-notebooks-leads I want to highlight that many of the components have a fairly hard dependency on specifically Istio including Notebooks, Profiles, Volumes, TensorBoards, and KServe.

Given this, we would have to see a specific need from users/distributions that cant be achieved with Istio for it to make sense from a developer time perspective.

And I don't see an easy way to remove the need for a service mesh altogether (in multi-user, AKA "kubeflow platform" mode), as this would require implementing authentication into every app.

thesuperzapper avatar May 26 '24 18:05 thesuperzapper

Did you really want to mention me?

krom avatar May 28 '24 17:05 krom

As one of the @kubeflow/wg-notebooks-leads I want to highlight that many of the components have a fairly hard dependency on specifically Istio including Notebooks, Profiles, Volumes, TensorBoards, and KServe.

Given this, we would have to see a specific need from users/distributions that cant be achieved with Istio for it to make sense from a developer time perspective.

And I don't see an easy way to remove the need for a service mesh altogether (in multi-user, AKA "kubeflow platform" mode), as this would require implementing authentication into every app.

The intention of the request isn't to remove the need for a service mesh. It's to not force the need for Istio's implementation of a service mesh (in favour of using a Cilium service mesh for example, or any other project that supports the underlying Ingress/Gateway APIs).

Just to further clarify from my original request:

  • Cilium supports cluster mesh and service mesh
  • Cilium supports both K8S Gateway API and K8S Ingress
  • Cilium can integrate with Keycloak via K8S Gateway API

From my perspective, the above would show that Cilium supports what you've called the "kubeflow platform" mode, and it would seem my request is merely asking for abstraction instead of hard-coding the use of Istio objects?

Once Cilium is installed on a cluster it's capabilities make the need for Istio being on that same cluster redundant, from what I can tell.

adriantorrie avatar Jun 03 '24 02:06 adriantorrie

@adriantorrie @AndersBennedsgaard are you willing to implement cilium as an option? I need someone responsible for driving this and willing to put in the time and effort. Only then i can review it.

juliusvonkohout avatar Jun 04 '24 08:06 juliusvonkohout

@adriantorrie @AndersBennedsgaard are you willing to implement cilium as an option? I need someone responsible for driving this and willing to put in the time and effort. Only then i can review it.

I'm happy to pitch in and help

adriantorrie avatar Jun 10 '24 00:06 adriantorrie

Hello, are you both on the new Slack in #kubeflow-platform ? See https://www.kubeflow.org/docs/about/community/

juliusvonkohout avatar Jun 10 '24 08:06 juliusvonkohout

I will most likely not be able to contribute in this matter (but yes, I am on the new Slack channels)

AndersBennedsgaard avatar Jun 10 '24 08:06 AndersBennedsgaard

Hello, are you both on the new Slack in #kubeflow-platform ? See https://www.kubeflow.org/docs/about/community/

@juliusvonkohout Yes

adriantorrie avatar Jun 11 '24 08:06 adriantorrie

@adriantorrie then please write up a proposal as we have it for rootless Kubeflow etc.

juliusvonkohout avatar Jun 11 '24 12:06 juliusvonkohout

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

github-actions[bot] avatar Aug 11 '24 00:08 github-actions[bot]

Is anyone here still interested?

juliusvonkohout avatar Aug 12 '24 10:08 juliusvonkohout

It seems to work according to https://github.com/kubeflow/manifests/issues/2858#issuecomment-2310378404 and https://github.com/kubeflow/manifests/issues/2858#issuecomment-2310378404

juliusvonkohout avatar Aug 26 '24 14:08 juliusvonkohout

So https://docs.cilium.io/en/latest/network/servicemesh/istio/ is probably the solution and will close the issue if nothing comes up.

juliusvonkohout avatar Aug 26 '24 14:08 juliusvonkohout

Closing due to inactivity and it's probably solved by the cilium documentation

juliusvonkohout avatar Sep 03 '24 19:09 juliusvonkohout