Using admin-gcp-sa and user-gcp-sa for different ContainerOp in same pipeline doesn't work #1376

Closed
aakashbajaj opened this issue May 23, 2019 · 3 comments · Fixed by #1379

Comments

@aakashbajaj
Contributor

Using the Kubeflow pipeline SDK, I'm preparing the following components, where the first container requires the user service account and the second container requires the admin service account (as it creates deployments and services using kubectl in the underlying cluster).

tensorboard = dsl.ContainerOp(
    name='tensorboard',
    image=SOME_IMAGE_PATH,
    arguments=[
        ....
    ],
).apply(gcp.use_gcp_secret('user-gcp-sa'))

tfserve = dsl.ContainerOp(
    name='tfserve',
    image=SOME_IMAGE_PATH,
    arguments=[
        ....
    ],
).apply(gcp.use_gcp_secret('admin-gcp-sa'))

But the generated source YAML file for the pipeline contains only one user-gcp-sa volume mount for the workflow. I have checked and there is no other admin-gcp-sa mount in the file.

  volumes:
  - name: gcp-credentials
    secret:
      secretName: user-gcp-sa

It causes the tfserve module to fail, as user-gcp-sa doesn't have enough permissions to create deployments in the cluster.

@aakashbajaj
Contributor Author

The following is the secret volume mount in the same pipeline YAML file.
tfserve was specified to use admin-gcp-sa but is provided with user-gcp-sa.

env:
- name: GOOGLE_APPLICATION_CREDENTIALS
  value: /secret/gcp-credentials/user-gcp-sa.json
- name: CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE
  value: /secret/gcp-credentials/user-gcp-sa.json
image: gcr.io/speedy-aurora-193605/retina-tfserve:latest
volumeMounts:
- mountPath: /secret/gcp-credentials
  name: gcp-credentials

@Ark-kun
Contributor

Ark-kun commented May 23, 2019

This is a bug. Currently the DSL compiler does not properly de-duplicate volumes.

#TODO: check for duplicity based on the serialized volumes instead of just name.

I'll add a workaround which will use the secret name as volume name.

If you want to unblock yourself right now, please copy and modify the code of use_gcp_secret to generate different volume names.
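
The name-only de-duplication described in the comment above, next to the secret-name-as-volume-name workaround, as an added example that is not part of the original thread and not the Kubeflow compiler's code. The helper names and the simplified volume dictionaries are assumptions modelled on the YAML quoted in this issue; `mismatches` is the kind of check one could run over a compiled workflow to catch an op that received a different secret than it requested.

```python
import json

# Constructed stand-in for the ops in this issue: (op name, requested secret).
OPS = [("tensorboard", "user-gcp-sa"), ("tfserve", "admin-gcp-sa")]

def volume(secret, name="gcp-credentials"):
    # Same shape as the `volumes:` entry quoted in the issue.
    return {"name": name, "secret": {"secretName": secret}}

def dedup_by_name(volumes):
    # Name-only de-duplication: the first volume with a given name wins.
    kept = {}
    for v in volumes:
        kept.setdefault(v["name"], v)
    return list(kept.values())

def dedup_by_content(volumes):
    # De-duplicate on the serialized volume; refuse one name with two definitions.
    kept = {}
    for v in volumes:
        prev = kept.setdefault(v["name"], v)
        if json.dumps(prev, sort_keys=True) != json.dumps(v, sort_keys=True):
            raise ValueError("volume %r defined twice with different contents" % v["name"])
    return list(kept.values())

def mismatches(mounts, volumes):
    # Audit: ops whose mounted volume is backed by a secret other than the one requested.
    backing = {v["name"]: v["secret"]["secretName"] for v in volumes}
    return [(op, wanted, backing.get(vol))
            for op, wanted, vol in mounts if backing.get(vol) != wanted]

def shared_name_case():
    # Every op uses the same fixed volume name, as in the report.
    vols = dedup_by_name([volume(s) for _, s in OPS])
    return mismatches([(op, s, "gcp-credentials") for op, s in OPS], vols)

def secret_name_case():
    # Workaround from the comment above: volume name = secret name.
    vols = dedup_by_name([volume(s, name=s) for _, s in OPS])
    return mismatches([(op, s, s) for op, s in OPS], vols)

if __name__ == "__main__":
    print(shared_name_case())
    print(secret_name_case())
```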

@gaoning777
Contributor

Also, check your IAM and you will find an admin service account created during the deployment. The service account is called DEPLOYMENT_NAME-user@PROJECT_NAME.iam.gserviceaccount.com
