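--- a/istio/kfserving-gateway/base/deployment.yaml
+++ b/istio/kfserving-gateway/base/deployment.yaml
@@ -0,0 +1,168 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: kfserving-ingressgateway
+labels:
+app: kfserving-ingressgateway
+kfserving: ingressgateway
+spec:
+selector:
+matchLabels:
+app: kfserving-ingressgateway
+kfserving: ingressgateway
+template:
+metadata:
+labels:
+app: kfserving-ingressgateway
+kfserving: ingressgateway
+annotations:
+sidecar.istio.io/inject: "false"
+spec:
+serviceAccountName: istio-ingressgateway-service-account
+containers:
+- name: istio-proxy
+image: "docker.io/istio/proxyv2:1.1.6"
+imagePullPolicy: IfNotPresent
+ports:
+- containerPort: 15020
+- containerPort: 80
+- containerPort: 443
+- containerPort: 31400
+- containerPort: 15029
+- containerPort: 15030
+- containerPort: 15031
+- containerPort: 15032
+- containerPort: 15443
+- containerPort: 15090
+protocol: TCP
+name: http-envoy-prom
+args:
+- proxy
+- router
+- --domain
+- $(POD_NAMESPACE).svc.cluster.local
+- --log_output_level=default:info
+- --drainDuration
+- '45s' #drainDuration
+- --parentShutdownDuration
+- '1m0s' #parentShutdownDuration
+- --connectTimeout
+- '10s' #connectTimeout
+- --serviceCluster
+- kfserving-ingressgateway
+- --zipkinAddress
+- zipkin:9411
+- --proxyAdminPort
+- "15000"
+- --statusPort
+- "15020"
+- --controlPlaneAuthPolicy
+- NONE
+- --discoveryAddress
+- istio-pilot:15010
+readinessProbe:
+failureThreshold: 30
+httpGet:
+path: /healthz/ready
+port: 15020
+scheme: HTTP
+initialDelaySeconds: 1
+periodSeconds: 2
+successThreshold: 1
+timeoutSeconds: 1
+resources:
+limits:
+cpu: 100m
+memory: 128Mi
+requests:
+cpu: 10m
+memory: 40Mi
+
+env:
+- name: POD_NAME
+valueFrom:
+fieldRef:
+apiVersion: v1
+fieldPath: metadata.name
+- name: POD_NAMESPACE
+valueFrom:
+fieldRef:
+apiVersion: v1
+fieldPath: metadata.namespace
+- name: INSTANCE_IP
+valueFrom:
+fieldRef:
+apiVersion: v1
+fieldPath: status.podIP
+- name: HOST_IP
+valueFrom:
+fieldRef:
+apiVersion: v1
+fieldPath: status.hostIP
+- name: ISTIO_META_POD_NAME
+valueFrom:
+fieldRef:
+apiVersion: v1
+fieldPath: metadata.name
+- name: ISTIO_META_CONFIG_NAMESPACE
+valueFrom:
+fieldRef:
+fieldPath: metadata.namespace
+- name: ISTIO_META_ROUTER_MODE
+value: sni-dnat
+volumeMounts:
+- name: istio-certs
+mountPath: /etc/certs
+readOnly: true
+- name: ingressgateway-certs
+mountPath: "/etc/istio/ingressgateway-certs"
+readOnly: true
+- name: ingressgateway-ca-certs
+mountPath: "/etc/istio/ingressgateway-ca-certs"
+readOnly: true
+volumes:
+- name: istio-certs
+secret:
+secretName: istio.istio-ingressgateway-service-account
+optional: true
+- name: ingressgateway-certs
+secret:
+secretName: "istio-ingressgateway-certs"
+optional: true
+- name: ingressgateway-ca-certs
+secret:
+secretName: "istio-ingressgateway-ca-certs"
+optional: true
+affinity:
+nodeAffinity:
+requiredDuringSchedulingIgnoredDuringExecution:
+nodeSelectorTerms:
+- matchExpressions:
+- key: beta.kubernetes.io/arch
+operator: In
+values:
+- amd64
+- ppc64le
+- s390x
+preferredDuringSchedulingIgnoredDuringExecution:
+- weight: 2
+preference:
+matchExpressions:
+- key: beta.kubernetes.io/arch
+operator: In
+values:
+- amd64
+- weight: 2
+preference:
+matchExpressions:
+- key: beta.kubernetes.io/arch
+operator: In
+values:
+- ppc64le
+- weight: 2
+preference:
+matchExpressions:
+- key: beta.kubernetes.io/arch
+operator: In
+values:
+- s390x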
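Review bot: The new gateway fetches its configuration from Pilot with `--controlPlaneAuthPolicy NONE` over the plaintext discovery port (`--discoveryAddress istio-pilot:15010`), so the xDS channel of a publicly exposed proxy is neither authenticated nor encrypted; this presumably mirrors the existing noauth Istio install in this repo, but since the `istio-certs` volume is already mounted, `MUTUAL_TLS` with `istio-pilot:15011` is the alternative when Citadel certs are present. Separately, the pod reuses `serviceAccountName: istio-ingressgateway-service-account` and mounts that account's `istio.istio-ingressgateway-service-account` secret plus the `istio-ingressgateway-certs` TLS secret, so this gateway carries the main ingress gateway's mesh identity and serving key material; a dedicated service account and its own secrets would keep the two gateways distinguishable in authorization policies and limit blast radius if this unauthenticated gateway is compromised. The image is pinned by tag only (`docker.io/istio/proxyv2:1.1.6`); a `@sha256:` digest pin would make the supply chain reproducible. Minor: the `ISTIO_META_CONFIG_NAMESPACE` fieldRef omits `apiVersion: v1` while every sibling sets it — harmless (it defaults) but inconsistent.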
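--- a/istio/kfserving-gateway/base/horizontal-pod-autoscaler.yaml
+++ b/istio/kfserving-gateway/base/horizontal-pod-autoscaler.yaml
@@ -0,0 +1,19 @@
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+labels:
+app: kfserving-ingressgateway
+kfserving: ingressgateway
+name: kfserving-ingressgateway
+spec:
+maxReplicas: 5
+metrics:
+- resource:
+name: cpu
+targetAverageUtilization: 80
+type: Resource
+minReplicas: 1
+scaleTargetRef:
+apiVersion: apps/v1
+kind: Deployment
+name: kfserving-ingressgateway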
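--- a/istio/kfserving-gateway/base/kustomization.yaml
+++ b/istio/kfserving-gateway/base/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: istio-system
+resources:
+- deployment.yaml
+- horizontal-pod-autoscaler.yaml
+- service.yaml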
50 changes: 50 additions & 0 deletions istio/kfserving-gateway/base/service.yaml
@@ -0,0 +1,50 @@
apiVersion: v1
kind: Service
metadata:
name: kfserving-ingressgateway
labels:
app: kfserving-ingressgateway
kfserving: ingressgateway
spec:
type: LoadBalancer

Member


Looks the kubeflow istio ingressgateway is using NodePort https://github.com/kubeflow/manifests/blob/master/istio/istio-install/base/istio-noauth.yaml#L14047
Would this work for on prem setup?

Contributor Author


@yuzisun The reason for istio-ingressgateway being NodePort is because of Google's IAP needing it to be NodePort.

Would this work for on prem setup?

If an on-premise setup has some component to provision a LoadBalancer, then the LoadBalancer will get its IP. If not, the NodePorts are still accessible, though the EXTERNAL-IP field for the LoadBalancer will stay in the `<pending>` state:

NAME                   TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)                                                                                                                                      AGE
istio-ingressgateway   LoadBalancer   10.103.151.45   <pending>     15020:30047/TCP,80:31380/TCP,443:31390/TCP,31400:31400/TCP,15029:30370/TCP,15030:31766/TCP,15031:32168/TCP,15032:31581/TCP,15443:30268/TCP   2d12h

IMO, This should be acceptable. WDYT?

Member


we are using this ingress gateway in GCP IAP setup, so that's ok ?

Contributor Author


In istio-ingressgateway for GCP IAP, the ingress gateway service is exposed to an Identity Aware Proxy (which has auth checking) by the NodePort and the intention is to disallow access through any other mechanism other than this proxy.
Since we don't want to have auth checks, LoadBalancer should be alright.

Member


got it, thanks for the explanation! btw we also need to also add the HPA for this ingress gateway?

Contributor Author


Good suggestion @yuzisun. I'll include the definition for HPA.

Contributor Author


@yuzisun I've included an HPA.

selector:
app: kfserving-ingressgateway
kfserving: ingressgateway
ports:
- name: status-port
port: 15020
targetPort: 15020
- name: http2
nodePort: 32380
port: 80
targetPort: 80
- name: https
nodePort: 32390
port: 443
- name: tcp
nodePort: 32400
port: 31400
- name: tcp-pilot-grpc-tls
port: 15011
targetPort: 15011
- name: tcp-citadel-grpc-tls
port: 8060
targetPort: 8060
- name: tcp-dns-tls
port: 853
targetPort: 853
- name: https-kiali
port: 15029
targetPort: 15029
- name: http2-prometheus
port: 15030
targetPort: 15030
- name: http2-grafana
port: 15031

Contributor


are these ports for kiali/grafana/prometheus always constant? do we deploy them with kubeflow?

Contributor Author


@animeshsingh yes they are associated with the deployment config and are constant. We do deploy these services with Istio in Kubeflow.

Contributor


Thanks - great to know. What's the total infra cost of these 3 services - I believe a container each? Are any customized Kubeflow metrics configured to flow to them?

Contributor Author


@animeshsingh These require a container each. Prometheus, Grafana, etc. do come with the default Istio install in Kubeflow.

Kubeflow does report Prometheus metrics through various operators or services like tfjob-operator or profile-controller. Likewise, the gateway container istio-proxy also reports metrics.

These ports in question are ports which the istio-proxy container exposes. The container istio-proxy is a part of the deployment servicing kfserving-gateway. These ports host https end-points for each of these services like Prometheus to poll these (gateway) services for metrics.

targetPort: 15031
- name: https-tracing
port: 15032
targetPort: 15032
- name: tls
port: 15443
targetPort: 15443
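Review bot: The Service publishes far more than the HTTP/HTTPS ingress on an externally reachable `type: LoadBalancer`: `https-kiali` 15029, `http2-prometheus` 15030, `http2-grafana` 15031, `https-tracing` 15032, plus `tcp-pilot-grpc-tls` 15011, `tcp-citadel-grpc-tls` 8060 and `tcp-dns-tls` 853 — and the thread above states this gateway intentionally has no auth checks. Envoy only opens those listeners if a Gateway resource binds them, but the Service still advertises them and cloud providers typically open load-balancer firewall rules for every listed port, so for a gateway meant for KFServing inference traffic the safer default is to keep only `status-port`, `http2` and `https` (and `tls` 15443 if cross-cluster routing is needed), and to add `loadBalancerSourceRanges` where the caller set is known. The hard-coded `nodePort` values 32380/32390/32400 can collide with other services in the 30000-32767 range; unless an external component depends on those numbers, letting Kubernetes allocate them avoids that. Minor inconsistency: the `https` and `tcp` entries omit `targetPort` while every other entry sets it.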
8 changes: 8 additions & 0 deletions kfdef/kfctl_gcp_basic_auth.v1.0.0.yaml
Expand Up @@ -28,6 +28,14 @@ spec:
name: manifests
path: istio/cluster-local-gateway
name: cluster-local-gateway
- kustomizeConfig:
parameters:
- name: namespace
value: istio-system
repoRef:
name: manifests
path: istio/kfserving-gateway
name: kfserving-gateway
- kustomizeConfig:
parameters:
- name: clusterRbacConfig
8 changes: 8 additions & 0 deletions kfdef/kfctl_gcp_basic_auth.yaml
Expand Up @@ -28,6 +28,14 @@ spec:
name: manifests
path: istio/cluster-local-gateway
name: cluster-local-gateway
- kustomizeConfig:
parameters:
- name: namespace
value: istio-system
repoRef:
name: manifests
path: istio/kfserving-gateway
name: kfserving-gateway
- kustomizeConfig:
parameters:
- name: clusterRbacConfig
8 changes: 8 additions & 0 deletions kfdef/kfctl_gcp_iap.v1.0.0.yaml
Expand Up @@ -28,6 +28,14 @@ spec:
name: manifests
path: istio/cluster-local-gateway
name: cluster-local-gateway
- kustomizeConfig:
parameters:
- name: namespace
value: istio-system
repoRef:
name: manifests
path: istio/kfserving-gateway
name: kfserving-gateway
- kustomizeConfig:
parameters:
- name: clusterRbacConfig
8 changes: 8 additions & 0 deletions kfdef/kfctl_gcp_iap.yaml
Expand Up @@ -28,6 +28,14 @@ spec:
name: manifests
path: istio/cluster-local-gateway
name: cluster-local-gateway
- kustomizeConfig:
parameters:
- name: namespace
value: istio-system
repoRef:
name: manifests
path: istio/kfserving-gateway
name: kfserving-gateway
- kustomizeConfig:
parameters:
- name: clusterRbacConfig
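Review bot: Registering `kfserving-gateway` in the IAP profile deploys a second, LoadBalancer-type ingress into `istio-system` beside the IAP-fronted `istio-ingressgateway`; the review thread notes the existing gateway is NodePort precisely so that the only external path into the mesh goes through the Identity-Aware Proxy, and this new gateway has no auth checks by design. An IAP-protected cluster therefore gains a public, unauthenticated entry point, which is a policy change worth stating in the profile (a comment on the new application entry) or constraining via `loadBalancerSourceRanges` / a Gateway that binds only the inference hosts. The same addition appears in `kfctl_gcp_iap.v1.0.0.yaml` and `kfdef/source/master/kfctl_gcp_iap.yaml`; the enclosing `applications` list starts outside this hunk.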
8 changes: 8 additions & 0 deletions kfdef/kfctl_ibm.v1.0.0.yaml
Expand Up @@ -28,6 +28,14 @@ spec:
name: manifests
path: istio/cluster-local-gateway
name: cluster-local-gateway
- kustomizeConfig:
parameters:
- name: namespace
value: istio-system
repoRef:
name: manifests
path: istio/kfserving-gateway
name: kfserving-gateway
- kustomizeConfig:
parameters:
- name: clusterRbacConfig
8 changes: 8 additions & 0 deletions kfdef/kfctl_ibm.yaml
Expand Up @@ -28,6 +28,14 @@ spec:
name: manifests
path: istio/cluster-local-gateway
name: cluster-local-gateway
- kustomizeConfig:
parameters:
- name: namespace
value: istio-system
repoRef:
name: manifests
path: istio/kfserving-gateway
name: kfserving-gateway
- kustomizeConfig:
parameters:
- name: clusterRbacConfig
8 changes: 8 additions & 0 deletions kfdef/kfctl_k8s_istio.v1.0.0.yaml
Expand Up @@ -28,6 +28,14 @@ spec:
name: manifests
path: istio/cluster-local-gateway
name: cluster-local-gateway
- kustomizeConfig:
parameters:
- name: namespace
value: istio-system
repoRef:
name: manifests
path: istio/kfserving-gateway
name: kfserving-gateway
- kustomizeConfig:
parameters:
- name: clusterRbacConfig
8 changes: 8 additions & 0 deletions kfdef/kfctl_k8s_istio.yaml
Expand Up @@ -28,6 +28,14 @@ spec:
name: manifests
path: istio/cluster-local-gateway
name: cluster-local-gateway
- kustomizeConfig:
parameters:
- name: namespace
value: istio-system
repoRef:
name: manifests
path: istio/kfserving-gateway
name: kfserving-gateway
- kustomizeConfig:
parameters:
- name: clusterRbacConfig
8 changes: 8 additions & 0 deletions kfdef/source/master/kfctl_gcp_basic_auth.yaml
Expand Up @@ -29,6 +29,14 @@ spec:
name: manifests
path: istio/cluster-local-gateway
name: cluster-local-gateway
- kustomizeConfig:
parameters:
- name: namespace
value: istio-system
repoRef:
name: manifests
path: istio/kfserving-gateway
name: kfserving-gateway
- kustomizeConfig:
parameters:
- name: clusterRbacConfig
8 changes: 8 additions & 0 deletions kfdef/source/master/kfctl_gcp_iap.yaml
Expand Up @@ -30,6 +30,14 @@ spec:
name: manifests
path: istio/cluster-local-gateway
name: cluster-local-gateway
- kustomizeConfig:
parameters:
- name: namespace
value: istio-system
repoRef:
name: manifests
path: istio/kfserving-gateway
name: kfserving-gateway
- kustomizeConfig:
parameters:
- name: clusterRbacConfig