Getting 302 when talking to InferenceService #1966
Comments
|
After inspection I figured out that the reason for this is:
Because of the above 2 all incluster traffic that is send to an InferenceService, which passes from the |
|
A workaround for this would be to edit the EnvoyFilter to only apply to the 8080 port of the spec:
configPatches:
- applyTo: HTTP_FILTER
...
match:
context: GATEWAY
listeners:
portNumber: 8080
...This should only affect users who are using the AuthService as an OIDC provider, with the provided EnvoyFilter from the manifests. |
|
@kimwnasptd Thanks for opening this. I get instead a 404 error. I am unable to figure out where to start debugging this from istio or knative. All services (inferenceservice and knativeservice) are with status ready |
|
@kimwnasptd do you hit the |
|
Thanks for taking a look @yhwang!
In my case the requests were coming from the same namespace. So the Profile's AuthorizationPolicy allowed the requests from my Pod [Notebook] to hit the InferenceService, since everything was living in the same namespace. |
|
We also tackled this problem in a different way for MiniKF. We didn't like the approach of having Knative's incluster-gateway to use the Ingress Gateway's Pod, since we wanted isolation between ingress and in-cluster traffic. In the end we configured the Knative manifests to have the |
kimwnasptd
added a commit
to arrikto/kubeflow-manifests
that referenced
this issue
Oct 6, 2021
By default Knative's local gateway will use the istio-ingressgateway Pod for configuring traffic and binding VirtualServices. This means that all in-cluster traffic will need to also pass via the ingress gateway. We've noticed 302s from Notebooks curl-ing InferenceServices. This was because the AuthService is authenticating all requests that go through the ingress gateway. But since we now send in-cluster requests via the ingress gateway this means that AuthService will also check them. To avoid the above we provide an overlay for making Knative's local gateway to use Istio's local gateway and not the ingress one. See: kubeflow#1966 Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com>
google-oss-robot
pushed a commit
that referenced
this issue
Oct 7, 2021
By default Knative's local gateway will use the istio-ingressgateway Pod for configuring traffic and binding VirtualServices. This means that all in-cluster traffic will need to also pass via the ingress gateway. We've noticed 302s from Notebooks curl-ing InferenceServices. This was because the AuthService is authenticating all requests that go through the ingress gateway. But since we now send in-cluster requests via the ingress gateway this means that AuthService will also check them. To avoid the above we provide an overlay for making Knative's local gateway to use Istio's local gateway and not the ingress one. See: #1966 Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com>
kimwnasptd
added a commit
to arrikto/kubeflow-manifests
that referenced
this issue
Oct 8, 2021
By default Knative's local gateway will use the istio-ingressgateway Pod for configuring traffic and binding VirtualServices. This means that all in-cluster traffic will need to also pass via the ingress gateway. We've noticed 302s from Notebooks curl-ing InferenceServices. This was because the AuthService is authenticating all requests that go through the ingress gateway. But since we now send in-cluster requests via the ingress gateway this means that AuthService will also check them. To avoid the above we provide an overlay for making Knative's local gateway to use Istio's local gateway and not the ingress one. See: kubeflow#1966 Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com>
google-oss-robot
pushed a commit
that referenced
this issue
Oct 8, 2021
* Update README for 1.4 (#2047) * Update references for 1.4 Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com> * Add a table for the common components Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com> * Update K8s version Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com> * Knative: Use istio's local gateway (#2048) By default Knative's local gateway will use the istio-ingressgateway Pod for configuring traffic and binding VirtualServices. This means that all in-cluster traffic will need to also pass via the ingress gateway. We've noticed 302s from Notebooks curl-ing InferenceServices. This was because the AuthService is authenticating all requests that go through the ingress gateway. But since we now send in-cluster requests via the ingress gateway this means that AuthService will also check them. To avoid the above we provide an overlay for making Knative's local gateway to use Istio's local gateway and not the ingress one. See: #1966 Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com> * Update components of kubeflow/kubeflow for 1.4 (#2055) * Sync with the 1.4 kubeflow/kubeflow repo Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com> * Update README for 1.4 Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com>
Tomcli
pushed a commit
to IBM/manifests
that referenced
this issue
Oct 11, 2021
* Update README for 1.4 (kubeflow#2047) * Update references for 1.4 Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com> * Add a table for the common components Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com> * Update K8s version Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com> * Knative: Use istio's local gateway (kubeflow#2048) By default Knative's local gateway will use the istio-ingressgateway Pod for configuring traffic and binding VirtualServices. This means that all in-cluster traffic will need to also pass via the ingress gateway. We've noticed 302s from Notebooks curl-ing InferenceServices. This was because the AuthService is authenticating all requests that go through the ingress gateway. But since we now send in-cluster requests via the ingress gateway this means that AuthService will also check them. To avoid the above we provide an overlay for making Knative's local gateway to use Istio's local gateway and not the ingress one. See: kubeflow#1966 Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com> * Update components of kubeflow/kubeflow for 1.4 (kubeflow#2055) * Sync with the 1.4 kubeflow/kubeflow repo Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com> * Update README for 1.4 Signed-off-by: Kimonas Sotirchos <kimwnasptd@arrikto.com>
yhwang
added a commit
to yhwang/manifests
that referenced
this issue
Nov 2, 2021
because of this issue: kubeflow#1966 an overlay is created. need to use it instead of the knative/base Signed-off-by: Yihong Wang <yh.wang@ibm.com>
Tomcli
pushed a commit
to IBM/manifests
that referenced
this issue
Nov 2, 2021
because of this issue: kubeflow#1966 an overlay is created. need to use it instead of the knative/base Signed-off-by: Yihong Wang <yh.wang@ibm.com>
yhwang
added a commit
to yhwang/manifests
that referenced
this issue
Feb 10, 2022
because of this issue: kubeflow#1966 an overlay is created. need to use it instead of the knative/base Signed-off-by: Yihong Wang <yh.wang@ibm.com>
Tomcli
pushed a commit
to IBM/manifests
that referenced
this issue
Feb 10, 2022
* Add IKS files - Add orignal distributions folder as dist and remove non-IKS files, except OpenShift - Add `iks-single` for single user deployment - Add `iks-multi` for multiple user deployment Signed-off-by: Yihong Wang <yh.wang@ibm.com> * remove openshift related files Signed-off-by: Yihong Wang <yh.wang@ibm.com> * Add Application CRD Add Application CRD and an application object to specify kubeflow version and show on centraldashboard. Signed-off-by: Yihong Wang <yh.wang@ibm.com> * Update doc links on centraldashboard (#27) update doc links on centraldashboard's landing page to point to IKS and pipeline docs. Signed-off-by: Yihong Wang <yh.wang@ibm.com> * Update README for v1.4 Update the README to indicate that this repo is used for Kubeflow on IKS. And point out two specific directories for single and multi-tenant deployments Signed-off-by: Yihong Wang <yh.wang@ibm.com> * use the overlay for knative because of this issue: kubeflow#1966 an overlay is created. need to use it instead of the knative/base Signed-off-by: Yihong Wang <yh.wang@ibm.com>
yhwang
added a commit
to yhwang/manifests
that referenced
this issue
Feb 14, 2022
* Add IKS files - Add orignal distributions folder as dist and remove non-IKS files, except OpenShift - Add `iks-single` for single user deployment - Add `iks-multi` for multiple user deployment Signed-off-by: Yihong Wang <yh.wang@ibm.com> * remove openshift related files Signed-off-by: Yihong Wang <yh.wang@ibm.com> * Add Application CRD Add Application CRD and an application object to specify kubeflow version and show on centraldashboard. Signed-off-by: Yihong Wang <yh.wang@ibm.com> * Update doc links on centraldashboard (kubeflow#27) update doc links on centraldashboard's landing page to point to IKS and pipeline docs. Signed-off-by: Yihong Wang <yh.wang@ibm.com> * Update README for v1.4 Update the README to indicate that this repo is used for Kubeflow on IKS. And point out two specific directories for single and multi-tenant deployments Signed-off-by: Yihong Wang <yh.wang@ibm.com> * use the overlay for knative because of this issue: kubeflow#1966 an overlay is created. need to use it instead of the knative/base Signed-off-by: Yihong Wang <yh.wang@ibm.com>
yhwang
added a commit
to yhwang/manifests
that referenced
this issue
Feb 14, 2022
* Add IKS files - Add orignal distributions folder as dist and remove non-IKS files, except OpenShift - Add `iks-single` for single user deployment - Add `iks-multi` for multiple user deployment Signed-off-by: Yihong Wang <yh.wang@ibm.com> * remove openshift related files Signed-off-by: Yihong Wang <yh.wang@ibm.com> * Add Application CRD Add Application CRD and an application object to specify kubeflow version and show on centraldashboard. Signed-off-by: Yihong Wang <yh.wang@ibm.com> * Update doc links on centraldashboard (kubeflow#27) update doc links on centraldashboard's landing page to point to IKS and pipeline docs. Signed-off-by: Yihong Wang <yh.wang@ibm.com> * Update README for v1.4 Update the README to indicate that this repo is used for Kubeflow on IKS. And point out two specific directories for single and multi-tenant deployments Signed-off-by: Yihong Wang <yh.wang@ibm.com> * use the overlay for knative because of this issue: kubeflow#1966 an overlay is created. need to use it instead of the knative/base Signed-off-by: Yihong Wang <yh.wang@ibm.com>
yhwang
added a commit
to yhwang/manifests
that referenced
this issue
Mar 7, 2022
* Add IKS files - Add orignal distributions folder as dist and remove non-IKS files, except OpenShift - Add `iks-single` for single user deployment - Add `iks-multi` for multiple user deployment Signed-off-by: Yihong Wang <yh.wang@ibm.com> * remove openshift related files Signed-off-by: Yihong Wang <yh.wang@ibm.com> * Add Application CRD Add Application CRD and an application object to specify kubeflow version and show on centraldashboard. Signed-off-by: Yihong Wang <yh.wang@ibm.com> * Update doc links on centraldashboard (kubeflow#27) update doc links on centraldashboard's landing page to point to IKS and pipeline docs. Signed-off-by: Yihong Wang <yh.wang@ibm.com> * Update README for v1.4 Update the README to indicate that this repo is used for Kubeflow on IKS. And point out two specific directories for single and multi-tenant deployments Signed-off-by: Yihong Wang <yh.wang@ibm.com> * use the overlay for knative because of this issue: kubeflow#1966 an overlay is created. need to use it instead of the knative/base Signed-off-by: Yihong Wang <yh.wang@ibm.com>
surajkota
added a commit
to awslabs/kubeflow-manifests
that referenced
this issue
Mar 8, 2022
**Description of your changes:** - Bring in changes from #114: - TODO item from #109 regarding detailed documentation for telemetry component - Changed the name from AWS distribution of Kubeflow to Kubeflow on AWS to be consistent with website and usage tracking documentation - Added a section in vanilla Kubeflow readme: `Exposing Kubeflow over Load Balancer` to this [#67](#67) to expose deployment over LoadBalancer. - adds fixes for a few broken links - Sync the knative manifest for other deployment options with [vanilla](https://github.com/awslabs/kubeflow-manifests/blob/14c17ff16689dbf70af7fb7971deb7da63105690/docs/deployment/vanilla/kustomization.yaml#L17) corresponding to this [change](kubeflow/manifests#1966). This was a missed in initial PR because of looking at 2 branches to create this one **Testing** - links working as expected - tested kfserving model using steps from #82 for the knative overlay change
yhwang
added a commit
to yhwang/manifests
that referenced
this issue
Jan 25, 2023
* Add IKS files - Add orignal distributions folder as dist and remove non-IKS files, except OpenShift - Add `iks-single` for single user deployment - Add `iks-multi` for multiple user deployment Signed-off-by: Yihong Wang <yh.wang@ibm.com> * remove openshift related files Signed-off-by: Yihong Wang <yh.wang@ibm.com> * Add Application CRD Add Application CRD and an application object to specify kubeflow version and show on centraldashboard. Signed-off-by: Yihong Wang <yh.wang@ibm.com> * Update doc links on centraldashboard (kubeflow#27) update doc links on centraldashboard's landing page to point to IKS and pipeline docs. Signed-off-by: Yihong Wang <yh.wang@ibm.com> * Update README for v1.4 Update the README to indicate that this repo is used for Kubeflow on IKS. And point out two specific directories for single and multi-tenant deployments Signed-off-by: Yihong Wang <yh.wang@ibm.com> * use the overlay for knative because of this issue: kubeflow#1966 an overlay is created. need to use it instead of the knative/base Signed-off-by: Yihong Wang <yh.wang@ibm.com>
yhwang
added a commit
to yhwang/manifests
that referenced
this issue
Jan 31, 2023
* Add IKS files - Add orignal distributions folder as dist and remove non-IKS files, except OpenShift - Add `iks-single` for single user deployment - Add `iks-multi` for multiple user deployment Signed-off-by: Yihong Wang <yh.wang@ibm.com> * remove openshift related files Signed-off-by: Yihong Wang <yh.wang@ibm.com> * Add Application CRD Add Application CRD and an application object to specify kubeflow version and show on centraldashboard. Signed-off-by: Yihong Wang <yh.wang@ibm.com> * Update doc links on centraldashboard (kubeflow#27) update doc links on centraldashboard's landing page to point to IKS and pipeline docs. Signed-off-by: Yihong Wang <yh.wang@ibm.com> * Update README for v1.4 Update the README to indicate that this repo is used for Kubeflow on IKS. And point out two specific directories for single and multi-tenant deployments Signed-off-by: Yihong Wang <yh.wang@ibm.com> * use the overlay for knative because of this issue: kubeflow#1966 an overlay is created. need to use it instead of the knative/base Signed-off-by: Yihong Wang <yh.wang@ibm.com>
yhwang
added a commit
to yhwang/manifests
that referenced
this issue
Aug 10, 2023
* Add IKS files - Add orignal distributions folder as dist and remove non-IKS files, except OpenShift - Add `iks-single` for single user deployment - Add `iks-multi` for multiple user deployment Signed-off-by: Yihong Wang <yh.wang@ibm.com> * remove openshift related files Signed-off-by: Yihong Wang <yh.wang@ibm.com> * Add Application CRD Add Application CRD and an application object to specify kubeflow version and show on centraldashboard. Signed-off-by: Yihong Wang <yh.wang@ibm.com> * Update doc links on centraldashboard (kubeflow#27) update doc links on centraldashboard's landing page to point to IKS and pipeline docs. Signed-off-by: Yihong Wang <yh.wang@ibm.com> * Update README for v1.4 Update the README to indicate that this repo is used for Kubeflow on IKS. And point out two specific directories for single and multi-tenant deployments Signed-off-by: Yihong Wang <yh.wang@ibm.com> * use the overlay for knative because of this issue: kubeflow#1966 an overlay is created. need to use it instead of the knative/base Signed-off-by: Yihong Wang <yh.wang@ibm.com>
yhwang
added a commit
to IBM/manifests
that referenced
this issue
Aug 10, 2023
* Add IKS files - Add orignal distributions folder as dist and remove non-IKS files, except OpenShift - Add `iks-single` for single user deployment - Add `iks-multi` for multiple user deployment Signed-off-by: Yihong Wang <yh.wang@ibm.com> * remove openshift related files Signed-off-by: Yihong Wang <yh.wang@ibm.com> * Add Application CRD Add Application CRD and an application object to specify kubeflow version and show on centraldashboard. Signed-off-by: Yihong Wang <yh.wang@ibm.com> * Update doc links on centraldashboard (#27) update doc links on centraldashboard's landing page to point to IKS and pipeline docs. Signed-off-by: Yihong Wang <yh.wang@ibm.com> * Update README for v1.4 Update the README to indicate that this repo is used for Kubeflow on IKS. And point out two specific directories for single and multi-tenant deployments Signed-off-by: Yihong Wang <yh.wang@ibm.com> * use the overlay for knative because of this issue: kubeflow#1966 an overlay is created. need to use it instead of the knative/base Signed-off-by: Yihong Wang <yh.wang@ibm.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When trying out the manifests from KFServing 0.6 and Knative 0.22 #1957 #1965 I could not manage to successfully send a request to a deployed InferenceService. My cluster was deployed using the example manifests which use Dex and AuthService.
Here's the output of a request to an InferenceService from a Pod inside the cluster:
cc @pvaneck @yuzisun
The text was updated successfully, but these errors were encountered: