Feat: Make RayCluster head node ingress optional #6852
Conversation
Signed-off-by: Fabio Grätz <fabio@cusp.ai>
fg91
added
security
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #6852 +/- ##
==========================================
+ Coverage 56.95% 56.96% +0.01%
==========================================
Files 929 929
Lines 58152 58152
==========================================
+ Hits 33121 33127 +6
+ Misses 21989 21983 -6
Partials 3042 3042
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
…buf message Signed-off-by: Fabio Grätz <fabio@cusp.ai>
| enableIngress := true | ||
| cfg := GetConfig() | ||
|
|
||
| enableIngress := cfg.EnableIngress |
There was a problem hiding this comment.
nit: I think we can put EnableIngress: & cfg.EnableIngress directly in HeadGroupSpec, as it's the only place that use this
There was a problem hiding this comment.
We could but the ServiceType - which is also part of the RayCluster's HeadGroupSpec - is also in our top level plugin config. My preference would be to try to keep it consistent here at least?
This is not a strong opinion though.
|
@fg91 I think the flyteplugins test CI failed. Could you please take a look? Thanks! |
Signed-off-by: Fabio Grätz <fabio@cusp.ai>
|
#6905 and this PR tackled the same issue (ray clusters being hardcoded to create ingresses) in parallel with the difference that I argue for actually disabling the ingress by default, see PR description:
As a platform engineer, I'd admittedly be quite alarmed to discover that jobs launched by platform users have been creating potentially public ingresses without me being aware. This is why I don't like the default of enabling the ingress.
upon which you, @mickjermsurawong-openai, changed your initial Would you be ok with merging this PR too which goes back to This PR also adds a unit test for |
|
Fabio, curious without ingress, is Ray dashboard still available? My understanding is no (pls correct me i just started using the ray plugin). My thought is i'd setup KubeRay API for dashboard instead, although it's experimental feature, and we can set pod-template for ray job to add the right annotation. |
|
I'm fine changing the flag back to EnableIngress! |
Sovietaced
left a comment
Sovietaced
left a comment
There was a problem hiding this comment.
Marking this as a breaking change since the behavior does change and requires folks to update things.
Hi @mickjermsurawong-openai, |
I think it's safer to keep the default as enable that aligns with the current behavior, to prevent users's confusion. For example when they upgrade the newer flyte version, and Ray Dashboard cannot be accessed, they might not know what's happening |
5 participants
Why are the changes needed?
Currently, the flytepropeller ray plugin hardcodes the creation of an ingress for the ray cluster's head node, see here.
This is a potential security problem as the ray head node might be exposed to the public internet in clusters with a default ingress class without the user knowing.
What changes were proposed in this pull request?
EnableIngressto the ray plugin configHow was this patch tested?
Check all the applicable boxes
Related PRs
flyteorg/flytekit#3365