WIP namespace isolation for artifacts and pipeline definitions #7406
Signed-off-by: Gabor Nyerges <gabor@nyerg.es>
Signed-off-by: Gabor Nyerges <gabor@nyerg.es>
Took 4 hours 32 minutes
Took 15 minutes
Took 2 minutes
Signed-off-by: Gabor Nyerges <gabor@nyerg.es> Took 3 hours 37 minutes
Signed-off-by: Gabor Nyerges <gabor@nyerg.es> Took 15 minutes
Signed-off-by: Gabor Nyerges <gabor@nyerg.es> Took 10 minutes
Signed-off-by: Gabor Nyerges <gabor@nyerg.es> Took 1 minute
Signed-off-by: Gabor Nyerges <gabor@nyerg.es> Took 27 minutes
Signed-off-by: Gabor Nyerges <gabor@nyerg.es> Took 28 minutes
Signed-off-by: Gabor Nyerges <gabor@nyerg.es> Took 2 hours 31 minutes
Took 1 hour 8 minutes
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Signed-off-by: Gabor Nyerges <gabor@nyerg.es>
Signed-off-by: Gabor Nyerges <gabor@nyerg.es>
@Bobgy @zijianjoy @StefanoFioravanzo @chensun I would really like to know from you whether this has a chance to be merged. It really separates the users and would make v1 pipelines enterprise ready from a security perspective.
@gabornyerges #7447 is a pull request that also implements the frontend part and passes the unit tests. We could also wait for #4197 (comment) and merge this here without the frontend changes.
I will look into both PRs.
FWIW I'd like to see the bucket-per-user namespace parts merged regardless of which frontend implementation PR gets selected, and it looks like you've done a huge amount of work here. For me the Arrikto approach to the frontend is okay, although maybe overkill since the feedback we've had from users is overwhelmingly that they want pipelines isolated per user namespace. Anyway I've made my PR a draft for now. Looking at the failed e2e test - looks like you didn't run
Signed-off-by: Gabor Nyerges <gabor@nyerg.es>
Signed-off-by: Gabor Nyerges <gabor@nyerg.es>
Signed-off-by: Gabor Nyerges <gabor@nyerg.es>
@arllanos @maganaluis this might be relevant for you too, since you started working on it last spring https://docs.google.com/document/d/1DVHbT1RIv_VaIzWz77YCBYlBX7WEMW61AAm-ZHdWZFU/edit?usp=sharing
@juliusvonkohout: The following tests failed, say
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
Due to newly discovered functionality in Argo we will not use multiple buckets but just multiple folders and the following IAM policy. Furthermore e.g. AWS has a limit of 100 buckets so we should definitely stick with 1 bucket. One bucket multiple folder namespace isolation
closed in favor of #7725
Description of your changes:
Fixes #4649 by using one bucket per user/namespace
Fixes #5084 as seen on the screenshot. The kfp python SDK should also get an update
Fixes #4197
The detailed proposal is in the first failed approach #7219 (comment) and in this proposal
KFP Namespace isolation for pipeline definition and execution.docx
@ca-scribner @jacobmalmberg please test. You have to do the user and bucket management yourself. I have a working version with user, policy and bucket management but this is the first step.
@gabornyerges will make it mergeable
Checklist: