Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix ml pipeline access from kfp step #2795

Conversation

kromanow94
Copy link
Contributor

Fix ml pipeline access from kfp step

✏️ A brief description of the changes

I changed the:

  • GH Action defined in .github/workflows/pipeline_test.yaml to fail if the KF Pipeline Run has failed,
  • AuthorizationPolicy/ml-pipeline to allow access for both scenarios:
    • when request doesn't have kubeflow-userid header to allow access from KFP Steps
    • when request have a valid JWT trusted by Istio to allow programmatic access

📦 List any dependencies that are required for this change

N/A

🐛 If this PR is related to an issue, please put the link to the issue here.

#2794

✅ Contributor checklist

@kimwnasptd , @juliusvonkohout

…yaml

Signed-off-by: Krzysztof Romanowski <krzysztof.romanowski.kr1@roche.com>
…esn't have auth header

Signed-off-by: Krzysztof Romanowski <krzysztof.romanowski.kr1@roche.com>
@juliusvonkohout
Copy link
Member

Thank you for the PR, I think the changes here should also trigger https://github.com/kubeflow/manifests/blob/master/.github/workflows/pipeline_run_from_notebook.yaml.

@juliusvonkohout juliusvonkohout linked an issue Jul 11, 2024 that may be closed by this pull request
7 tasks
Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com>
@juliusvonkohout
Copy link
Member

/lgtm
/approve

Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: juliusvonkohout

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@google-oss-prow google-oss-prow bot merged commit 473b103 into kubeflow:master Jul 11, 2024
8 checks passed
@@ -90,11 +90,14 @@ jobs:

while True:
status = client.get_run(run_id=run_id).state
if status not in ["SUCCEEDED", "FAILED", "ERROR"]:
if status in ["PENDING", "RUNNING"]:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@kromanow94 a bit late to request this change, but could we not have the python code directly on the GH action but convert to a .py file, and use that from the action?

This will allow users to also run the tests locally if they want

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it makes a lot of sense. Do you mind if I do it next week?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just want to say I also vote for moving to a .py file.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is a part of a wider topic to reorganize tests. I created an issue for that:

#2797

@kromanow94 kromanow94 mentioned this pull request Jul 12, 2024
7 tasks
hansinikarunarathne pushed a commit to hansinikarunarathne/kubeflow-manifests that referenced this pull request Jul 22, 2024
* fail gh action if pipeline failed in .github/workflows/pipeline_test.yaml

Signed-off-by: Krzysztof Romanowski <krzysztof.romanowski.kr1@roche.com>

* allow access to ml-pipeline when using trusted requestPrincipal or doesn't have auth header

Signed-off-by: Krzysztof Romanowski <krzysztof.romanowski.kr1@roche.com>

* add more triggers for the workflow

Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com>

---------

Signed-off-by: Krzysztof Romanowski <krzysztof.romanowski.kr1@roche.com>
Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com>
Co-authored-by: Krzysztof Romanowski <krzysztof.romanowski.kr1@roche.com>
Co-authored-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com>
Signed-off-by: hansinikarunarathne <107214435+hansinikarunarathne@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

RBAC Access denied from Pipeline Run pod
4 participants