
Scope Kubeflow components in given namespace

Open Jeffwan opened this issue 5 years ago • 13 comments

In my current company, there are a few orgs/platforms that would like to leverage KFP. Besides multi-user KFP, I am also evaluating whether it's possible to deploy KFP per namespace, since users are OK with sharing experiments in the same namespace.

If we look at the instructions for installing Kubeflow in single-user mode, there are some cluster-scoped resources: https://github.com/kubeflow/pipelines/blob/master/manifests/kustomize/cluster-scoped-resources/kustomization.yaml#L10-L12

Besides the CRDs, I see there are some cluster roles and bindings in cache-deployer: https://github.com/kubeflow/pipelines/tree/master/manifests/kustomize/base/cache-deployer/cluster-scoped

It seems the code already supports NAMESPACE_TO_WATCH, which means cluster-scope permissions are not needed. I think I can file a PR to remove them?

Does anyone know of pitfalls in using KFP per namespace?

/kind question

Jeffwan avatar Nov 18 '20 23:11 Jeffwan

/assign @Ark-kun

Do you know if there's any potential caveat besides caching in this case?

numerology avatar Nov 18 '20 23:11 numerology

https://github.com/kubeflow/pipelines/blob/ec721fe94dbcaa054b1057e5503e4f9823fdf2a5/manifests/kustomize/base/cache-deployer/cluster-scoped/cache-deployer-clusterrole.yaml#L21 is a cluster-scoped resource and RBAC for cluster-scoped resource can only be granted via ClusterRole: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole.

That was the reason we included those.

Bobgy avatar Nov 19 '20 04:11 Bobgy

If a namespaced install does not need the caching feature, then you can install the CRDs and multiple namespaced installations. Namespaced installation is indeed a feature we support.

Bobgy avatar Nov 19 '20 04:11 Bobgy

> https://github.com/kubeflow/pipelines/blob/ec721fe94dbcaa054b1057e5503e4f9823fdf2a5/manifests/kustomize/base/cache-deployer/cluster-scoped/cache-deployer-clusterrole.yaml#L21 is a cluster-scoped resource and RBAC for cluster-scoped resource can only be granted via ClusterRole: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole. That was the reason we included those.

I see. That would be the blocker to creating multiple namespaced installations. We can either remove cache-deployer as you suggest, or make some changes in the deployer to create different webhooks like cache-webhook-${namespace} and use NamespaceSelector in request matching; multiple namespaced installations can share the same cluster role but have to create different cluster role bindings. This is not elegant and I think removing cache makes more sense.

Jeffwan avatar Nov 19 '20 06:11 Jeffwan

If making a pure namespaced mode KFP is of high value to you, we can accept a PR for a KFP env without cache.

Bobgy avatar Nov 19 '20 08:11 Bobgy

Sounds good. I filed PR #4796.

Jeffwan avatar Nov 21 '20 00:11 Jeffwan

> make some changes in deployer to create different webhooks like cache-webhook-${namespace}

The cache deployer already does that. https://github.com/kubeflow/pipelines/blob/b0a87e78af445dbb271027837b5aa22f7e2b0e6d/backend/src/cache/deployer/deploy-cache-service.sh#L28

Do you think this solves your issue?

> use NamespaceSelector in request matching

This is pretty easy to do, but please note that NamespaceSelector cannot match on namespace name, only on labels. 🤦

P.S. I wonder about scoping other services like Minio and Argo.

Ark-kun avatar Nov 21 '20 08:11 Ark-kun
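The pattern discussed above (one shared ClusterRole, one ClusterRoleBinding per tenant namespace, and a per-namespace webhook matched by a namespace label) as an added illustration; this is not KFP's own manifest, and the names team-a, cache-deployer-sa, cache-server, the /mutate path and the kfp-cache-tenant label are assumptions.

```yaml
# Added example, not from the KFP repo. The ClusterRole grants only what the
# deployer needs to manage its own webhook; it is created once by a cluster admin.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kfp-cache-deployer
rules:
- apiGroups: ["admissionregistration.k8s.io"]
  resources: ["mutatingwebhookconfigurations"]
  verbs: ["get", "create", "patch", "delete"]
---
# One of these per namespaced installation. The subject is namespaced, but the
# binding itself is still a cluster-scoped object a tenant cannot create alone.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kfp-cache-deployer-team-a
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kfp-cache-deployer
subjects:
- kind: ServiceAccount
  name: cache-deployer-sa        # assumed service account name
  namespace: team-a              # placeholder tenant namespace
---
# Per-namespace webhook. namespaceSelector matches labels, not the namespace
# name, so the tenant namespace must carry the label this selector expects.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: cache-webhook-team-a
webhooks:
- name: cache-server.team-a.svc  # webhook names must be fully qualified
  admissionReviewVersions: ["v1"]
  sideEffects: None
  failurePolicy: Ignore          # a missing cache server must not block pod creation
  namespaceSelector:
    matchLabels:
      kfp-cache-tenant: team-a   # e.g. kubectl label ns team-a kfp-cache-tenant=team-a
  rules:
  - apiGroups: [""]
    apiVersions: ["v1"]
    operations: ["CREATE"]
    resources: ["pods"]
  clientConfig:
    service:
      namespace: team-a
      name: cache-server         # assumed in-namespace webhook service
      path: /mutate              # assumed path
    caBundle: BASE64_CA_BUNDLE_PLACEHOLDER
```

On Kubernetes 1.21 and later every namespace automatically carries the immutable label `kubernetes.io/metadata.name`, which can be used in the selector instead of a hand-applied label; on older clusters the label has to be set explicitly.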

> Do you think this solves your issue?

Yes, I checked the source and the webhook gets created using the given namespace. cache-deployer still needs cluster-level resources. As I said in https://github.com/kubeflow/pipelines/issues/4781#issuecomment-730168430, each installation can share the same cluster role but still needs to create a different cluster role binding. The real-world case is that tenants cannot create cluster resources and their permissions are scoped to the namespace. I feel like in this case it's better to get rid of any cluster-level resources.

> P.S. I wonder about scoping other services like Minio and Argo.

Argo supports a managed namespace: https://argoproj.github.io/argo/managed-namespace/. I think minio or mysql doesn't need to be scoped.

Jeffwan avatar Nov 23 '20 01:11 Jeffwan

> I feel like in this case, it's better to get rid of any cluster level resources

That would be ideal, but might not always be feasible. For example, CRDs like Argo Workflow are cluster scoped.

I really wish Kubernetes had support for namespace-scoped mutating webhooks.

Another alternative would be to integrate hook support into Argo.

Ark-kun avatar Nov 23 '20 04:11 Ark-kun

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Jun 09 '21 22:06 stale[bot]

This issue has been automatically closed because it has not had recent activity. Please comment "/reopen" to reopen it.

stale[bot] avatar Apr 19 '22 08:04 stale[bot]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

github-actions[bot] avatar Jun 24 '24 07:06 github-actions[bot]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

github-actions[bot] avatar Aug 25 '24 07:08 github-actions[bot]

This issue has been automatically closed because it has not had recent activity. Please comment "/reopen" to reopen it.

github-actions[bot] avatar Sep 16 '24 07:09 github-actions[bot]