forked from kubeflow/manifests
-
Notifications
You must be signed in to change notification settings - Fork 21
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Updates to enable PodDefault with ODH #110
Open
ykoyfman
wants to merge
1
commit into
opendatahub-io:v1.6-branch-openshift
Choose a base branch
from
ykoyfman:v1.6-branch-openshift
base: v1.6-branch-openshift
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -9,6 +9,7 @@ bases: | |
|
|
||
| resources: | ||
| - certificate.yaml | ||
| - namespace.yaml | ||
|
|
||
| namespace: kubeflow | ||
|
|
||
|
|
||
4 changes: 4 additions & 0 deletions
4
apps/admission-webhook/upstream/overlays/cert-manager/namespace.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| apiVersion: v1 | ||
| kind: Namespace | ||
| metadata: | ||
| name: kubeflow |
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I know the dashboard team is looking at moving away from making this label required on "data science project" namespaces. This may cause issues in the future if they do move away from requiring this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for letting me know. Is there a better alternative for a consistent matching label to use here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
They are mostly looking at moving away from labels on data science project namespaces because setting labels via self-provisioning type of users in projects / ProjectRequests is impossible and namespace-access for setting the labels after project creation is really too much. By the way, I don't understand why RedHat does not provide a way to set non-critical and non-system labels on project creation, be it via oc new-project or ProjectRequest / api.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe we could achieve that with project templates. There would be the standard default template for std projects, and a special template for DSPs that would set labels and anything else needed. That would be the template called by dashboard when creating new DSP, with:
in the specs of the project.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I in the past experienced trouble with anything but the standard few labels on a template:
https://docs.openshift.com/container-platform/4.10/applications/projects/configuring-project-creation.html#about-project-creation_configuring-project-creation
Same for annotations. The argument at RedHat is: both annotations and labels should not be left to self-provisioners. Leading to only display-name and description being set by the user using odh dashboard with self-provision role.
https://github.com/opendatahub-io/odh-dashboard/blob/main/frontend/src/api/k8s/projects.ts#L40
@andrewballantyne The annotation at level namespace is then set elsewhere.
https://github.com/opendatahub-io/odh-dashboard/blob/main/backend/src/routes/api/namespaces/namespaceUtils.ts#L58
Currently, it is either modify to all namespaces or none is allowed, with filtering not allowing openshift or kube namespaces purely on the dashboard code level.
At least in our enterprise, the ability to modify anything namespace-related is forbidden for developers, that is, all authenticated users, unless specified elsewhere. And annotations and labels have to be set at level namespace, not at level project. The ability to modify namespace-labels and annotations is also not implicit in ClusterRole Admin for a given project, nor is it in Clusterrole self-provisioners.
I cannot imagine many cluster-admins given such broad rights to ordinary users, especially since it is all-or-nothing in terms of namespaces.
From what gathered from our cluster admin folks, they have custom admission controllers for level namespace that react to a project being created with a certain prefix and with a certain requester id, in our case a serviceaccount. Then, the custom admission controller adds things like default permissions, labels, annotations to the namespace
If I understand dashboard code currectly currently, data science projects would not work for us in terms of creating projects from odh dashboard. We currently have to go with manual project provisioning and namespace label/annotation edit via a Gitops process. We also use custom node selector and taints and tolerations in namespaces, by the way. Our cluster is multi-tenant, with projects other than odh-related, too.
https://docs.openshift.com/container-platform/4.10/rest_api/authorization_apis/selfsubjectaccessreview-authorization-k8s-io-v1.html#spec-resourceattributes
Because of all those problems, currently, the odh-dashboard serviceaccount sets the label at level namespace, suboptimal.
@LaVLaS any thoughts on this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
FWIW, the discussion around making a UI that Trevor noted is the effort behind opendatahub-io/odh-dashboard#1417