-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Disable istio-injection in namespace profile controller creates? #3935
Comments
Issue-Label Bot is automatically applying the label Links: app homepage, dashboard and code for this bot. |
@lluunn @kunmingg Should we not inject ISTIO side cars by default and instead just turn it on for our notebooks and other resources that need it? @richardsliu Any idea if this was/should have been caught by the E2E tests? @Jeffwan How does the training job fail? I would expect training jobs to still work even if they are sending traffic through ISTIO. An issue I encountered kubeflow/examples#619 is that you might need to wait for the ISTIO side car to start before you can communicate with other services. Is it possible that's what's happening? |
Yeah. I think that's similar problem Looks like istio-proxy is not up at the beginning and it failed readiness on 15020. Once a while, sidecar starts up but tensorflow pod is already failed at that time.
|
Do we know why it takes so long for sidecar container to be up? |
@jlewi |
Just chiming in, I very much want all components to have sidecars injected. Some compliance requirements mandate traffic encrypted in transit and Istio mTLS can provide this for many use cases. |
/cc @krishnadurai |
I second what @tmc is saying. I have a lot of regulations to follow since we're in clinical genomics, and I would prefer to have as many components as possible have sidecars injected. I have tried recently to enable sidecar injection in the kubeflow namespace, but this causes the metadata deployment to always drop into error/crashbackoff. [EDIT] Actually, I think it might be wrong headed to have sidecar injection in the kubeflow namespace (we don't use sidecars in kube/istio-system namespace why in the kubeflow one?). I think encrypted pod overlay is enough for me to meet my hippa/gdpr requirements. |
I think we should distinguish between what the defaults are and turning it on/off. @Jamesthegiantpeach if you have observed problems with specific services and ISTIO can you open specific bugs for each service. |
FWIW if you have istio sidecar injection on the namespace where you run kubeflow pipelines then you find argo jobs getting stuck - argoproj/argo-workflows#1616 (and kubeflow/pipelines#1774 and argoproj/argo-workflows#1282). This does not seem to be on by default, just something to be aware of (I happened to turn injection on at namespace level and so I hit the problem). |
I ran into the same problem when trying to run workflows in namespaces created by the profile controller. I also agree there is a case to be made for istio injection by default. We need a solution to run argo workflows in the profile controller namespaces for kubeflow/pipelines#1223 anyway. |
@discordianfish I suppose the pipelines DSL could be extended with an option to add the |
We will need to support running KFP pipelines in profile controlled namespaces as part of the multi-user support in pipelines kubeflow/pipelines/issues/1223 @Ark-kun Does the pipelines DSL already support setting labels on individual pods in the workflow? This allows the default behavior of istio side car injection to be changed on the per pod level and overrides the namespace setting. ISTIO side car injection can also be controlled at the namespace level. So if you have a namespace where you are running pipelines and nothing else you could add the label to the namespace to disable side car injection. The issue I see with making disabling istio-sidecar injection an option in the profile controller is now every application needs to support both possible default values. e.g. if we disable side car injection by default for a namespace, then the jupyter web app now needs to explicitly add the annotation to add the side car to jupyter pods which need it for access control |
Correction; I misunderstood the meaning of the namespace label. The namespace label is not a default value. The namespace label is used to enable the istio side car mutating webhook for a particular namespace. So if we want to enable ISTIO for any pods in a namespace this would need to be set to true. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
/kind enhancement
Why you need this feature:
Training job by default is not working because profile controller enables istio-injection in the namespace data scientist will work on.
In order to ask istio not inject sidecar, user has to explicitly add annotations to pods like this
I am thinking if we should make it namespace level switch on by default. If there're more workloads using istio, it's worth, otherwise, it's better use pod level control.
Seems user uses jupyter notebook needs sidecar. For most other components, there's no need to inject sidecar
Describe the solution you'd like:
Namespace:
istio-injection=disabled
Pod: sidecar.istio.io/inject: "true"
Anything else you would like to add:
The text was updated successfully, but these errors were encountered: