25 May 2022 |
Dan Sun | it is the gmeet link on the doc | 19:46:01 |
Rachit Chauhan | Dan Sun: found the detailed reasoning why they still want sidecars even though the communication will not be over TLS (as it’s PERMISSIVE)
https://github.com/knative-sandbox/net-istio/issues/150
Not having sidecars will lead to loss of metrics.
ref: this comment | 21:34:45 |
Dan Sun | ye if you have strict security and audit requirements, you would need the sidecar | 21:41:22 |
Rachit Chauhan | For audits => logs and metrics
But for security purposes, STRICT was expected but it would cause failure as kube-apiserver is not part of the mesh and doesn’t have envoy | 21:43:47 |
Dan Sun | ye that makes sense | 21:51:41 |
26 May 2022 |
Kuba Dawczynski | Hi everyone.
I have one question; maybe someone has already had this issue.
We are using kubeflow 1.4 and when we create a new InferenceService, kserve is creating a new virtual service with an internal and external endpoint,
where the external endpoint looks like
http://{name_of_model}.{namespace}.{domain}
Unfortunately our network setup is a little bit complex and we would like to expose it like:
http://{domain}/{namespace}/{name_of_model}
I've tried to dig in this channel and GitHub to get some information but I haven't found anything | 09:07:33 |
Alexandre Brown | Hello, maybe try modifying the domain template to replace the . with /
kubectl edit configmap config-network -n knative-serving | 11:19:05 |
Kuba Dawczynski | that was my idea also, but no luck 😕
I've put
domainTemplate: "{{.Domain}}/{{.Namespace}}/{{.Name}}"
also I've tried to add - instead of / but this did not change anything | 12:50:14 |
Alexandre Brown | Have you tried deploying a new inference service after applying the changes? (not patching an existing deployment) | 12:51:25 |
Kuba Dawczynski | yes, I created a new inference service a couple of times, and I also recreated kserve itself
and it's like, for the domain change in the domain config file everything went well, but for this I don't see any changes
unless I'm doing something wrong in the config-network cm
apiVersion: v1
data:
  mydomain.com: ,
  domainTemplate: "{{.Domain}}/{{.Namespace}}/{{.Name}}"
where in mydomain.com I've put the domain which I'm using in the config-domain cm | 12:56:33 |
Alexandre Brown | On my side I didn't put the mydomain.com inside this config map, I put it inside
kubectl edit configmap config-domain -n knative-serving
Perhaps you can try moving mydomain.com to this config map and only modifying the domain template in the config-network configmap?
kubectl edit configmap config-network -n knative-serving | 13:02:28 |
Kuba Dawczynski | ok but as default in config-network configmap
apiVersion: v1
data:
  _example: , | 13:04:43 |
Alexandre Brown | Yes I believe what is under _example is not applied and only there for documentation purposes | 13:05:47 |
Alexandre Brown | Maybe try this:
config-network
apiVersion: v1
data:
  domainTemplate: "{{.Domain}}/{{.Namespace}}/{{.Name}}"
  _example: ,
config-domain
apiVersion: v1
data:
  mydomain.com: ""
  _example: , | 13:07:41 |
Kuba Dawczynski | ok give me a second | 13:08:14 |
Kuba Dawczynski | ```error: configmaps "config-network" could not be patched: admission webhook "config.webhook.serving.knative.dev" denied the request: validation failed: domain template has url path: /bar/foo
You can run `kubectl replace -f /var/folders/m1/c6dp897x6jb4p9k0j32_mqbh0000gq/T/kubectl-edit-2589593085.yaml` to try this update```
validation failed | 13:33:05 |
Alexandre Brown | Now this makes more sense, it clearly states that having url path /bar/foo is not allowed and so I'd be inclined to think it's simply not feasible | 13:34:15 |
Kuba Dawczynski | ok, thx for information and your time | 13:41:18 |
Rachit Chauhan | Due to some limitations at our org, we have to use a namespace other than knative-serving for knative’s control plane. Will it have any problems with kserve? | 19:45:23 |
Dan Sun | you might need to create additional virtual service for the path rewrite | 19:47:29 |
Dan Sun | Kunming check out this example https://github.com/kserve/kserve/blob/master/docs/samples/gcp-iap/virtual-service.yaml | 19:48:10 |
Dan Sun | should be fine, probably need a few configuration changes | 19:48:48 |
Rachit Chauhan | ok. I see there are references to the knative-serving namespace (for ingresses) in kserve.yaml:
1. https://github.com/kserve/kserve/blob/master/install/v0.8.0/kserve.yaml#L14995
2. https://github.com/kserve/kserve/blob/master/install/v0.8.0/kserve.yaml#L14850
3. https://github.com/kserve/kserve/blob/master/install/v0.8.0/kserve.yaml#L14852 | 19:52:55 |