3 Jun 2022 |
Benjamin Tan | For the namespace:
kind: Namespace
apiVersion: v1
metadata:
  name: kfserving-test
  labels:
    serving.kubeflow.org/inferenceservice: "enabled" | 08:21:16 |
Benjamin Tan | gcloud iam service-accounts add-iam-policy-binding google-service-account-that-can-access-gcs-buckets \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:GOOGLE_PROJECT_NAME.svc.id.goog[kfserving-test/default]"
(for --role: or storage list role) | 08:23:28 |
Benjamin Tan | Something like that | 08:23:34 |
Benjamin Tan | Relevant docs here: https://cloud.google.com/iam/docs/creating-managing-service-accounts#iam-service-accounts-create-gcloud | 08:23:46 |
Christian Lehre | Very good input, thank you Benjamin Tan! I will let you know if it works | 08:24:12 |
Christian Lehre | Benjamin Tan Seems like the role roles/storage.objectViewer (that's the least privileged role to have list access to GCS) is not supported for the service account...
ERROR: (gcloud.iam.service-accounts.add-iam-policy-binding) INVALID_ARGUMENT: Role roles/storage.objectViewer is not supported for this resource. | 09:52:38 |
Benjamin Tan | Do u have workload identity set up? | 09:53:29 |
Christian Lehre | I granted the service account the iam.workloadIdentityUser role. Apart from the kubeflow deployment I have not set up workload identity myself (not sure if it's set up by the kubeflow deployment) | 09:55:00 |
Benjamin Tan | Ooo try and see if workload identity works for u | 09:55:36 |
Christian Lehre | Workload identity is enabled in the GKE cluster. Anything else I need to set up for it to work? | 09:56:20 |
Benjamin Tan | I'm heading out so responses would be slow | 09:56:25 |
Benjamin Tan | Not really. That should be sufficient | 09:56:36 |
Benjamin Tan | Double check that u have a default service account in the namespace too | 09:56:56 |
Benjamin Tan | kubectl get sa default -n namespaceupicked | 09:57:34 |
Christian Lehre | Yes, I already checked that. Should I use the workload identity namespace somehow? | 09:57:42 |
Benjamin Tan | Workload identity is based on the google service account which has access to GCS | 09:58:37 |
Benjamin Tan | U then bind it with the kubernetes service account in ur namespace of your choosing | 09:58:57 |
Christian Lehre | Benjamin Tan no success.. I'm binding to a principal with list access to cloud storage (kubeflow-user@ project .iam.gserviceaccount.com), but it says that the storage.objectViewer role is not supported for this resource | 11:02:47 |
Dan Sun | https://github.com/kserve/kserve/blob/master/docs/samples/v1beta1/advanced/timeout.yaml#L7 | 11:15:49 |
zorba(μμ£Όν) | yeah but this is not about terminationGracePeriodSecond.
it's timeout of calling predictor service (In seconds).
As in the document.
apiVersion: "serving.kserve.io/v1beta1"
kind: "InferenceService"
metadata:
  name: "pytorch-cifar10"
spec:
  predictor:
    timeout: 60
    minReplicas: 1
    batcher:
      maxBatchSize: 32
      maxLatency: 5000
    pytorch:
      storageUri: "gs://kfserving-examples/models/torchserve/image-classifier"
• maxBatchSize : the max batch size for triggering a prediction.
• maxLatency : the max latency for triggering a prediction (In milliseconds).
• timeout : timeout of calling predictor service (In seconds). | 11:39:20 |
Christian Lehre | Never mind, I figured it out. Had to annotate the service account in the namespace with the gcp service principal. Thank you so much for your help, you really guided me into the right track | 11:54:12 |
Benjamin Tan | Yayyyyy | 11:57:14 |
Benjamin Tan | Awesome | 11:57:19 |
Dan Sun | The termination grace period is controlled by timeout because you need to wait for the request to drain and finish processing before shutting down the pod. | 12:36:22 |
Dan Sun | That's why it is not allowed to set the termination grace period directly | 12:36:50 |
zorba(μμ£Όν) | very nice. thanks | 13:24:57 |