Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RBAC: access denied when making a request to ISVC through the local gateway with istio sidecar enabled #216

Open
NohaIhab opened this issue Mar 1, 2024 · 1 comment
Open

RBAC: access denied when making a request to ISVC through the local gateway with istio sidecar enabled #216

NohaIhab opened this issue Mar 1, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@NohaIhab
Copy link
Contributor

NohaIhab commented Mar 1, 2024

Bug Description

ISVCs are not reachable through the local gateway with istio sidecar enabled (the default in kubeflow user namespaces), where a 403 response is received with RBAC: access denied.

To Reproduce

  1. deploy ckf 1.8/stable and configure dashboard access

  2. create a kubeflow user namespace by logging into the dashboard

  3. create an isvc in the kubeflow user namespace:

kubectl apply -n admin -f - <<EOF
apiVersion: "serving.kserve.io/v1beta1"
kind: "InferenceService"
metadata:
  name: "sklearn-iris"
spec:
  predictor:
    model:
      modelFormat:
        name: sklearn
      storageUri: "gs://kfserving-examples/models/sklearn/1.0/model"
EOF
  1. create a temp pod to test requests to the isvc
kubectl run netshoot --rm -i --tty --image nicolaka/netshoot -- /bin/bash

alternatively, you can do the same from a notebook pod

  1. from inside the pod, make a prediction request to the isvc using the ISVC's status.address.url
# prepare inference input
cat <<EOF > "./iris-input.json"
{
  "instances": [
    [6.8,  2.8,  4.8,  1.4],
    [6.0,  3.4,  4.5,  1.6]
  ]
}
EOF

# curl isvc
curl -v -H "Content-Type: application/json" http://sklearn-iris.admin.svc.cluster.local/v1/models/sklearn-iris:predict -d @./iris-input.json

Environment

kubeflow 1.8/stable
microk8s 1.25-strict/stable
juju 3.1/stable

Relevant Log Output

# prepare inference input
cat <<EOF > "./iris-input.json"
{
  "instances": [
    [6.8,  2.8,  4.8,  1.4],
    [6.0,  3.4,  4.5,  1.6]
  ]
}
EOF

# curl the isvc with the input
curl -v -H "Content-Type: application/json" http://sklearn-iris.admin.svc.cluster.local/v1/models/sklearn-iris:predict -d @./iris-input.json
* Host sklearn-iris.admin.svc.cluster.local:80 was resolved.
* IPv6: (none)
* IPv4: 10.152.183.48
*   Trying 10.152.183.48:80...
* Connected to sklearn-iris.admin.svc.cluster.local (10.152.183.48) port 80
> POST /v1/models/sklearn-iris:predict HTTP/1.1
> Host: sklearn-iris.admin.svc.cluster.local
> User-Agent: curl/8.6.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 76
> 
< HTTP/1.1 403 Forbidden
< content-length: 19
< content-type: text/plain
< date: Tue, 27 Feb 2024 13:38:24 GMT
< server: istio-envoy
< x-envoy-upstream-service-time: 25
< 
* Connection #0 to host sklearn-iris.admin.svc.cluster.local left intact
RBAC: access denied


### Additional Context

_No response_
@NohaIhab NohaIhab added the bug Something isn't working label Mar 1, 2024
@syncronize-issues-to-jira Syncronize issues to Jira
Copy link

Thank you for reporting us your feedback!

The internal ticket has been created: https://warthogs.atlassian.net/browse/KF-5413.

This message was autogenerated

@NohaIhab NohaIhab mentioned this issue Mar 1, 2024
Closed
@NohaIhab NohaIhab mentioned this issue Oct 10, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@NohaIhab