opendatahub-io · israel-hdez · Jul 12, 2023 · Jul 11, 2023 · Jul 11, 2023 · Jul 11, 2023
diff --git a/pkg/webhook/admission/pod/accelerator_injector.go b/pkg/webhook/admission/pod/accelerator_injector.go
@@ -28,7 +28,7 @@ const (
 	NvidiaGPUTaintValue        = "present"
 )
 
-func InjectGKEAcceleratorSelector(pod *v1.Pod) error {
+func InjectGKEAcceleratorSelector(pod *v1.Pod, _ *v1.Namespace) error {
 	gpuEnabled := false
 	for _, container := range pod.Spec.Containers {
 		if _, ok := container.Resources.Limits[constants.NvidiaGPUResourceType]; ok {

diff --git a/pkg/webhook/admission/pod/accelerator_injector_test.go b/pkg/webhook/admission/pod/accelerator_injector_test.go
@@ -94,7 +94,7 @@ func TestAcceleratorInjector(t *testing.T) {
 	}
 
 	for name, scenario := range scenarios {
-		InjectGKEAcceleratorSelector(scenario.original)
+		InjectGKEAcceleratorSelector(scenario.original, nil)
 		// cmd.Diff complains on ResourceList when Nvidia is key. Objects are explicitly compared
 		if diff := cmp.Diff(
 			scenario.expected.Spec.NodeSelector,

diff --git a/pkg/webhook/admission/pod/agent_injector.go b/pkg/webhook/admission/pod/agent_injector.go
@@ -116,7 +116,7 @@ func getLoggerConfigs(configMap *v1.ConfigMap) (*LoggerConfig, error) {
 	return loggerConfig, nil
 }
 
-func (ag *AgentInjector) InjectAgent(pod *v1.Pod) error {
+func (ag *AgentInjector) InjectAgent(pod *v1.Pod, _ *v1.Namespace) error {
 	// Only inject the model agent sidecar if the required annotations are set
 	_, injectLogger := pod.ObjectMeta.Annotations[constants.LoggerInternalAnnotationKey]
 	_, injectPuller := pod.ObjectMeta.Annotations[constants.AgentShouldInjectAnnotationKey]

diff --git a/pkg/webhook/admission/pod/agent_injector_test.go b/pkg/webhook/admission/pod/agent_injector_test.go
@@ -1112,7 +1112,7 @@ func TestAgentInjector(t *testing.T) {
 			loggerConfig,
 			batcherTestConfig,
 		}
-		injector.InjectAgent(scenario.original)
+		injector.InjectAgent(scenario.original, nil)
 		if diff, _ := kmp.SafeDiff(scenario.expected.Spec, scenario.original.Spec); diff != "" {
 			t.Errorf("Test %q unexpected result (-want +got): %v", name, diff)
 		}

diff --git a/pkg/webhook/admission/pod/metrics_aggregate_injector.go b/pkg/webhook/admission/pod/metrics_aggregate_injector.go
@@ -19,6 +19,7 @@ package pod
 import (
 	"encoding/json"
 	"fmt"
+
 	"github.com/kserve/kserve/pkg/constants"
 	v1 "k8s.io/api/core/v1"
 )
@@ -75,7 +76,7 @@ func setMetricAggregationEnvVars(pod *v1.Pod) {
 
 // InjectMetricsAggregator looks for the annotations to enable aggregate kserve-container and queue-proxy metrics and
 // if specified, sets port-related EnvVars in queue-proxy and the aggregate prometheus annotation.
-func (ma *MetricsAggregator) InjectMetricsAggregator(pod *v1.Pod) error {
+func (ma *MetricsAggregator) InjectMetricsAggregator(pod *v1.Pod, _ *v1.Namespace) error {
 	//Only set metric configs if the required annotations are set
 	enableMetricAggregation, ok := pod.ObjectMeta.Annotations[constants.EnableMetricAggregation]
 	if !ok {

diff --git a/pkg/webhook/admission/pod/metrics_aggregate_injector_test.go b/pkg/webhook/admission/pod/metrics_aggregate_injector_test.go
@@ -290,7 +290,7 @@ func TestInjectMetricsAggregator(t *testing.T) {
 	}
 
 	for name, scenario := range scenarios {
-		ma.InjectMetricsAggregator(scenario.original)
+		ma.InjectMetricsAggregator(scenario.original, nil)
 		if diff, _ := kmp.SafeDiff(scenario.expected.Spec, scenario.original.Spec); diff != "" {
 			t.Errorf("Test %q unexpected result (-want +got): %v", name, diff)
 		}

diff --git a/pkg/webhook/admission/pod/mutator.go b/pkg/webhook/admission/pod/mutator.go
@@ -62,7 +62,14 @@ func (mutator *Mutator) Handle(ctx context.Context, req admission.Request) admis
 	// For some reason pod namespace is always empty when coming to pod mutator, need to set from admission request
 	pod.Namespace = req.AdmissionRequest.Namespace
 
-	if err := mutator.mutate(pod, configMap); err != nil {
+	targetNs := &v1.Namespace{}
+	err = mutator.Client.Get(context.TODO(), k8types.NamespacedName{Name: pod.Namespace, Namespace: pod.Namespace}, targetNs)
+	if err != nil {
+		log.Error(err, "Failed to get the target namespace", "name", pod.Namespace)
+		return admission.Errored(http.StatusInternalServerError, err)
+	}
+
+	if err := mutator.mutate(pod, configMap, targetNs); err != nil {
 		log.Error(err, "Failed to mutate pod", "name", pod.Labels[constants.InferenceServicePodLabelKey])
 		return admission.Errored(http.StatusInternalServerError, err)
 	}
@@ -76,7 +83,7 @@ func (mutator *Mutator) Handle(ctx context.Context, req admission.Request) admis
 	return admission.PatchResponseFromRaw(req.AdmissionRequest.Object.Raw, patch)
 }
 
-func (mutator *Mutator) mutate(pod *v1.Pod, configMap *v1.ConfigMap) error {
+func (mutator *Mutator) mutate(pod *v1.Pod, configMap *v1.ConfigMap, targetNs *v1.Namespace) error {
 	credentialBuilder := credentials.NewCredentialBulder(mutator.Client, configMap)
 
 	storageInitializerConfig, err := getStorageInitializerConfigs(configMap)
@@ -116,15 +123,15 @@ func (mutator *Mutator) mutate(pod *v1.Pod, configMap *v1.ConfigMap) error {
 		return err
 	}
 
-	mutators := []func(pod *v1.Pod) error{
+	mutators := []func(pod *v1.Pod, targetNs *v1.Namespace) error{
 		InjectGKEAcceleratorSelector,
 		storageInitializer.InjectStorageInitializer,
 		agentInjector.InjectAgent,
 		metricsAggregator.InjectMetricsAggregator,
 	}
 
 	for _, mutator := range mutators {
-		if err := mutator(pod); err != nil {
+		if err := mutator(pod, targetNs); err != nil {
 			return err
 		}
 	}

diff --git a/pkg/webhook/admission/pod/storage_initializer_injector.go b/pkg/webhook/admission/pod/storage_initializer_injector.go
@@ -41,6 +41,7 @@ const (
 	PvcURIPrefix                            = "pvc://"
 	PvcSourceMountName                      = "kserve-pvc-source"
 	PvcSourceMountPath                      = "/mnt/pvc"
+	OpenShiftUidRangeAnnotationKey          = "openshift.io/sa.scc.uid-range"
 )
 
 type StorageInitializerConfig struct {
@@ -85,7 +86,7 @@ func getStorageInitializerConfigs(configMap *v1.ConfigMap) (*StorageInitializerC
 // for the serving container in a unified way across storage tech by injecting
 // a provisioning INIT container. This is a work around because KNative does not
 // support INIT containers: https://github.com/knative/serving/issues/4307
-func (mi *StorageInitializerInjector) InjectStorageInitializer(pod *v1.Pod) error {
+func (mi *StorageInitializerInjector) InjectStorageInitializer(pod *v1.Pod, targetNs *v1.Namespace) error {
 	// Only inject if the required annotations are set
 	srcURI, ok := pod.ObjectMeta.Annotations[constants.StorageInitializerSourceUriInternalAnnotationKey]
 	if !ok {
@@ -330,12 +331,26 @@ func (mi *StorageInitializerInjector) InjectStorageInitializer(pod *v1.Pod) erro
 		}
 	}
 
-	// Allow to override the uid for the case where ISTIO CNI with DNS proxy is enabled
-	// See for more: https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers.
-	if value, ok := pod.GetAnnotations()[constants.IstioSidecarUIDAnnotationKey]; ok {
-		if uid, err := strconv.ParseInt(value, 10, 64); err == nil {
-			initContainer.SecurityContext.RunAsUser = ptr.Int64(uid)
-		}
+	/*
+		OpenShift uses istio-cni which causes an issue with init-containers when calling external services
+		like S3 or similar. Setting the `uid` for the `storage-initializer` to the same `uid` as the
+		`uid` of the `istio-proxy` resolves the issue. In OpenShift the `istio-proxy` always gets assigned
+		the first `uid` from the namespaces `uid` range + 1 (The range is defined in an annotation on the namespace).
+	*/
+	if initContainer.SecurityContext == nil {
+		initContainer.SecurityContext = &v1.SecurityContext{}
+	}
+	uidStr := targetNs.Annotations[OpenShiftUidRangeAnnotationKey]
+	if uidStr == "" {
+		return fmt.Errorf("could not find OpenShift internal annotation %s on namespace: %s", OpenShiftUidRangeAnnotationKey, targetNs.Name)
+	}
+	uidStrParts := strings.Split(uidStr, "/")
+	if uid, err := strconv.ParseInt(uidStrParts[0], 10, 64); err == nil {
+		// Set the uid to the first uid in the namespaces range + 1
+		uid++
+		initContainer.SecurityContext.RunAsUser = ptr.Int64(uid)
+	} else {
+		return fmt.Errorf("could not parse value %s in annotation %s on namespace: %s", uidStr, OpenShiftUidRangeAnnotationKey, targetNs.Name)
 	}
 
 	// Add init container to the spec

diff --git a/pkg/webhook/admission/pod/storage_initializer_injector_test.go b/pkg/webhook/admission/pod/storage_initializer_injector_test.go
@@ -22,6 +22,7 @@ import (
 
 	"k8s.io/apimachinery/pkg/api/resource"
 	"knative.dev/pkg/kmp"
+	"knative.dev/pkg/ptr"
 
 	"github.com/kserve/kserve/pkg/constants"
 	"github.com/kserve/kserve/pkg/credentials"
@@ -62,6 +63,17 @@ var (
 			v1.ResourceMemory: resource.MustParse(StorageInitializerDefaultMemoryRequest),
 		},
 	}
+
+	targetNS = &v1.Namespace{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: "my-ns",
+			Annotations: map[string]string{
+				OpenShiftUidRangeAnnotationKey: "1000740000/10000",
+			},
+		},
+	}
+
+	expectedInitContainerUid = ptr.Int64(1000740001)
 )
 
 func TestStorageInitializerInjector(t *testing.T) {
@@ -182,6 +194,9 @@ func TestStorageInitializerInjector(t *testing.T) {
 									MountPath: constants.DefaultModelLocalMountPath,
 								},
 							},
+							SecurityContext: &v1.SecurityContext{
+								RunAsUser: expectedInitContainerUid,
+							},
 						},
 					},
 					Volumes: []v1.Volume{
@@ -252,6 +267,9 @@ func TestStorageInitializerInjector(t *testing.T) {
 									MountPath: constants.DefaultModelLocalMountPath,
 								},
 							},
+							SecurityContext: &v1.SecurityContext{
+								RunAsUser: expectedInitContainerUid,
+							},
 						},
 					},
 					Volumes: []v1.Volume{
@@ -332,6 +350,9 @@ func TestStorageInitializerInjector(t *testing.T) {
 									MountPath: constants.DefaultModelLocalMountPath,
 								},
 							},
+							SecurityContext: &v1.SecurityContext{
+								RunAsUser: expectedInitContainerUid,
+							},
 						},
 					},
 					Volumes: []v1.Volume{
@@ -354,7 +375,7 @@ func TestStorageInitializerInjector(t *testing.T) {
 			}),
 			config: storageInitializerConfig,
 		}
-		if err := injector.InjectStorageInitializer(scenario.original); err != nil {
+		if err := injector.InjectStorageInitializer(scenario.original, targetNS); err != nil {
 			t.Errorf("Test %q unexpected result: %s", name, err)
 		}
 		if diff, _ := kmp.SafeDiff(scenario.expected.Spec, scenario.original.Spec); diff != "" {
@@ -394,7 +415,7 @@ func TestStorageInitializerFailureCases(t *testing.T) {
 			}),
 			config: storageInitializerConfig,
 		}
-		if err := injector.InjectStorageInitializer(scenario.original); err != nil {
+		if err := injector.InjectStorageInitializer(scenario.original, targetNS); err != nil {
 			if !strings.HasPrefix(err.Error(), scenario.expectedErrorPrefix) {
 				t.Errorf("Test %q unexpected failure [%s], expected: %s", name, err.Error(), scenario.expectedErrorPrefix)
 			}
@@ -493,7 +514,7 @@ func TestCustomSpecStorageUriInjection(t *testing.T) {
 			}),
 			config: storageInitializerConfig,
 		}
-		if err := injector.InjectStorageInitializer(scenario.original); err != nil {
+		if err := injector.InjectStorageInitializer(scenario.original, targetNS); err != nil {
 			t.Errorf("Test %q unexpected result: %s", name, err)
 		}
 
@@ -597,6 +618,9 @@ func TestCredentialInjection(t *testing.T) {
 									MountPath: constants.DefaultModelLocalMountPath,
 								},
 							},
+							SecurityContext: &v1.SecurityContext{
+								RunAsUser: expectedInitContainerUid,
+							},
 							Env: []v1.EnvVar{
 								{
 									Name: s3.AWSAccessKeyId,
@@ -702,6 +726,9 @@ func TestCredentialInjection(t *testing.T) {
 									MountPath: gcs.GCSCredentialVolumeMountPath,
 								},
 							},
+							SecurityContext: &v1.SecurityContext{
+								RunAsUser: expectedInitContainerUid,
+							},
 							Env: []v1.EnvVar{
 								{
 									Name:  gcs.GCSCredentialEnvKey,
@@ -790,6 +817,9 @@ func TestCredentialInjection(t *testing.T) {
 							Name:  "storage-initializer",
 							Image: StorageInitializerContainerImage + ":" + StorageInitializerContainerImageVersion,
 							Args:  []string{"s3://my-bucket/foo/bar", constants.DefaultModelLocalMountPath},
+							SecurityContext: &v1.SecurityContext{
+								RunAsUser: expectedInitContainerUid,
+							},
 							Env: []v1.EnvVar{
 								{
 									Name: credentials.StorageConfigEnvKey,
@@ -885,6 +915,9 @@ func TestCredentialInjection(t *testing.T) {
 							Name:  "storage-initializer",
 							Image: StorageInitializerContainerImage + ":" + StorageInitializerContainerImageVersion,
 							Args:  []string{"s3://my-bucket/foo/bar", constants.DefaultModelLocalMountPath},
+							SecurityContext: &v1.SecurityContext{
+								RunAsUser: expectedInitContainerUid,
+							},
 							Env: []v1.EnvVar{
 								{
 									Name: credentials.StorageConfigEnvKey,
@@ -944,7 +977,7 @@ func TestCredentialInjection(t *testing.T) {
 			credentialBuilder: builder,
 			config:            storageInitializerConfig,
 		}
-		if err := injector.InjectStorageInitializer(scenario.original); err != nil {
+		if err := injector.InjectStorageInitializer(scenario.original, targetNS); err != nil {
 			t.Errorf("Test %q unexpected failure [%s]", name, err.Error())
 		}
 		if diff, _ := kmp.SafeDiff(scenario.expected.Spec, scenario.original.Spec); diff != "" {
@@ -1008,6 +1041,9 @@ func TestStorageInitializerConfigmap(t *testing.T) {
 									MountPath: constants.DefaultModelLocalMountPath,
 								},
 							},
+							SecurityContext: &v1.SecurityContext{
+								RunAsUser: expectedInitContainerUid,
+							},
 						},
 					},
 					Volumes: []v1.Volume{
@@ -1037,7 +1073,7 @@ func TestStorageInitializerConfigmap(t *testing.T) {
 				StorageSpecSecretName: StorageInitializerDefaultStorageSpecSecretName,
 			},
 		}
-		if err := injector.InjectStorageInitializer(scenario.original); err != nil {
+		if err := injector.InjectStorageInitializer(scenario.original, targetNS); err != nil {
 			t.Errorf("Test %q unexpected result: %s", name, err)
 		}
 		if diff, _ := kmp.SafeDiff(scenario.expected.Spec, scenario.original.Spec); diff != "" {
@@ -1272,7 +1308,7 @@ func TestDirectVolumeMountForPvc(t *testing.T) {
 				EnableDirectPvcVolumeMount: true, // enable direct volume mount for PVC
 			},
 		}
-		if err := injector.InjectStorageInitializer(scenario.original); err != nil {
+		if err := injector.InjectStorageInitializer(scenario.original, targetNS); err != nil {
 			t.Errorf("Test %q unexpected result: %s", name, err)
 		}
 		if diff, _ := kmp.SafeDiff(scenario.expected.Spec, scenario.original.Spec); diff != "" {
@@ -1385,6 +1421,9 @@ func TestTransformerCollocation(t *testing.T) {
 									MountPath: constants.DefaultModelLocalMountPath,
 								},
 							},
+							SecurityContext: &v1.SecurityContext{
+								RunAsUser: expectedInitContainerUid,
+							},
 						},
 					},
 					Volumes: []v1.Volume{
@@ -1563,6 +1602,9 @@ func TestTransformerCollocation(t *testing.T) {
 									MountPath: constants.DefaultModelLocalMountPath,
 								},
 							},
+							SecurityContext: &v1.SecurityContext{
+								RunAsUser: expectedInitContainerUid,
+							},
 						},
 					},
 					Volumes: []v1.Volume{
@@ -1594,7 +1636,7 @@ func TestTransformerCollocation(t *testing.T) {
 			}),
 			config: scenario.storageConfig,
 		}
-		if err := injector.InjectStorageInitializer(scenario.original); err != nil {
+		if err := injector.InjectStorageInitializer(scenario.original, targetNS); err != nil {
 			t.Errorf("Test %q unexpected result: %s", name, err)
 		}
 		if diff, _ := kmp.SafeDiff(scenario.expected.Spec, scenario.original.Spec); diff != "" {