Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Fix ml pipeline access from kfp step #2795

Merged
merged 3 commits into from
Jul 11, 2024
+22 −2
Merged

Fix ml pipeline access from kfp step #2795

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
723d736
fail gh action if pipeline failed in .github/workflows/pipeline_test.…
kromanow94 Jul 11, 2024
00be029
allow access to ml-pipeline when using trusted requestPrincipal or do…
kromanow94 Jul 11, 2024
4b6f4f0
add more triggers for the workflow
juliusvonkohout Jul 11, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .github/workflows/pipeline_run_from_notebook.yaml
View file
Original file line number Diff line number Diff line change
@@ -4,10 +4,14 @@ on:
paths:
- .github/workflows/pipeline_run_from_notebook.yaml
- apps/jupyter/notebook-controller/upstream/**
- apps/pipeline/upstream/**
- tests/gh-actions/kind-cluster.yaml
- tests/gh-actions/install_kind.sh
- tests/gh-actions/install_kustomize.sh
- tests/gh-actions/install_istio.sh
- tests/gh-actions/install_cert_manager.sh
- common/cert-manager/**
- common/oidc-client/oauth2-proxy/**
- common/istio*/**
- common/oidc-client/**
- apps/jupyter/**
5 changes: 4 additions & 1 deletion .github/workflows/pipeline_test.yaml
View file
Original file line number Diff line number Diff line change
@@ -90,11 +90,14 @@ jobs:

while True:
status = client.get_run(run_id=run_id).state
if status not in ["SUCCEEDED", "FAILED", "ERROR"]:
if status in ["PENDING", "RUNNING"]:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@kromanow94 a bit late to request this change, but could we not have the python code directly on the GH action but convert to a .py file, and use that from the action?

This will allow users to also run the tests locally if they want

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it makes a lot of sense. Do you mind if I do it next week?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just want to say I also vote for moving to a .py file.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is a part of a wider topic to reorganize tests. I created an issue for that:

#2797

print(f"Waiting for run_id: {run_id}, status: {status}.")
sleep(10)
else:
print(f"Run with id {run_id} finished with status: {status}.")
if status != "SUCCEEDED":
print("Pipeline failed")
raise SystemExit(1)
break
' "${TOKEN}" "${KF_PROFILE}"

4 changes: 4 additions & 0 deletions apps/kfp-tekton/upstream/base/installs/multi-user/istio-authorization-config.yaml
View file
Original file line number Diff line number Diff line change
@@ -32,6 +32,10 @@ spec:
- cluster.local/ns/kubeflow/sa/ml-pipeline-scheduledworkflow
- cluster.local/ns/kubeflow/sa/ml-pipeline-viewer-crd-service-account
- cluster.local/ns/kubeflow/sa/kubeflow-pipelines-cache
# allow access by any trusted principal
- from:
- source:
requestPrincipals: ["*"]
# For user workloads, which cannot user http headers for authentication
- when:
- key: request.headers[kubeflow-userid]
4 changes: 4 additions & 0 deletions apps/kfp-tekton/upstream/v1/base/installs/multi-user/istio-authorization-config.yaml
View file
Original file line number Diff line number Diff line change
@@ -32,6 +32,10 @@ spec:
- cluster.local/ns/kubeflow/sa/ml-pipeline-scheduledworkflow
- cluster.local/ns/kubeflow/sa/ml-pipeline-viewer-crd-service-account
- cluster.local/ns/kubeflow/sa/kubeflow-pipelines-cache
# allow access by any trusted principal
- from:
- source:
requestPrincipals: ["*"]
# For user workloads, which cannot user http headers for authentication
- when:
- key: request.headers[kubeflow-userid]
7 changes: 6 additions & 1 deletion apps/pipeline/upstream/base/installs/multi-user/istio-authorization-config.yaml
View file
Original file line number Diff line number Diff line change
@@ -32,9 +32,14 @@ spec:
- cluster.local/ns/kubeflow/sa/ml-pipeline-scheduledworkflow
- cluster.local/ns/kubeflow/sa/ml-pipeline-viewer-crd-service-account
- cluster.local/ns/kubeflow/sa/kubeflow-pipelines-cache
# allow access by any trusted principal
- from:
- source:
requestPrincipals: ["*"] # allow access by any trusted principal
requestPrincipals: ["*"]
# For user workloads, which cannot user http headers for authentication
- when:
- key: request.headers[kubeflow-userid]
notValues: ['*']
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
Loading