Avoid depending on port-forwarded ambassador service #1080
Comments
@jingzhang36 I remember you are working on istio integration. How is it going?
@IronPan I think we discussed this offline. ISTIO or a service mesh is a requirement. If users want to customize the ISTIO gateway config to disable auth to allow port-forwarding they can do that. This would require editing various config files to disable AuthZ at the ISTIO gateway.
@IronPan Is this done?
@jingzhang36 Do you have any update on this?
@IronPan @hongye-sun I would suggest trying out master as soon as possible to see if it's working.
IAP should be working on master; basic auth seems to be having problems on master #3562
Regarding istio, I feel tensorboard /data hack is no longer blocking istio since #1237 is recently merged (and Gabriel's PR kubeflow/kubeflow#3036 is already in master). Are there any other things that need to be done to complete istio integration? E.g., remove old routing rules?
@IronPan Have you or someone else verified that the pipelines SDK works with IAP? I believe that was the original genesis of this issue. In particular the goal of this issue was to ensure the could connect via the secure public endpoint of KF to pipelines from outside the cluster. /cc @jessiezcc
Verified the KFP client works well with a v0.6 KF cluster with IAP.
* fix nested loop counter param bug * address comments
…kubeflow#1087) * cheerypick(sdk): Fix counter param cherrypick (kubeflow#1080) (kubeflow#1082) * fix nested loop counter param bug * Update _tekton_handler.py * fix inline spec for new features * Update _tekton_handler.py
Kubeflow is moving away from ambassador, in favor of istio, and proxying the cluster using cloud endpoint with IAP or simple auth. In both cases, we should use the ingress endpoint instead of depending on port-forwarding to access the cluster.