-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(deployment) Replace minio with seaweedfs as object store #10998
base: master
Are you sure you want to change the base?
Conversation
Hi @pschoen-itsc. Thanks for your PR. I'm waiting for a kubeflow member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
For now I just replaced to minio component in one of the overlays. Don't know what would be the best way to integrate this. New overlays for seaweedfs? |
@pschoen-itsc I think this definitely looks like something we should bring up in the KFP meeting for a wider discussion. |
|
Ah and I forgot
|
Back in March, I did some exploration into a minio replacement for the KFP community. I came up with a rough list of requirements, and then charted out various alternatives against those requirements. (Note: these requirements are not authoritative. I mostly came up with them myself as a way to compare alternatives) Requirements, from a Kubeflow Pipelines perspective: R0 Can store and retrieve objects using S3 API This is the chart I came up with: @pschoen-itsc would you be so kind as to give a quick look at these requirements and tell us how you think SeaweedFS does at fulfilling them? If we were to add SeaweedFS as a row 8 in that table, what would be in the columns? Thanks. |
R0: Yes (tested) |
There is also a CLI to configure S3 access. SeaweedFs uses this in their own helm charts to set some settings after deployment. They create a Job which then connect to the running master / cluster and use the CLI 1 . So I think we could do something similar with the existing sync.py script.
I would say we generate the credentials in sync.py , then create the secret in the new namespace and create the identity in seaweedfs with the permissions:
where "kubeflow" is the bucket name and "project1" the project name. Listing of objects is only possible to set globally, but as far as I know, this is just a limitation of S3.
Service is no problem of course. And also secret should work, because when we use the CLI for dynamic user creation, seaweedfs does not have to read the secret. Changing credentials would then require manual intervention.
There are some in the official docs (could be biased) and also some more independent testing. It depends on how you set it up, just a single service with all components or you scale it horizontally with multiple filer / volume nodes. They provide helm charts for setting this up, so I could do my own tests if needed.
There are multiple options. Depends own desired performance / fault tolerance / resource usage. You have the 3 main services master, volume and filer which can be scaled independently or you can have everything in one container. You could even deploy separate gateways for S3 / WebDAV / etc. instead of let this run on the filer. |
Their helm chart looks like this is given. But of course some testing should be done.
As far as I understand, yes.
According to their helm charts all services (except a dedicated S3 service) should be statefulsets.
Yes, see my comment to R3 above. |
Can you elaborate a bit more on the global Listing?
with read/write/list access ?
Who is then able to modify ACLs?
Can we use a single statefulset that starts a pod with all three services and scale this statefulset or is scaling only possible with three statefulsets (master, volume, filer)? Is 32 GB the file size limit for the time being? |
Because ListObjects is a bucket level operation it is not possible to control the permissions via the resource, like you can do it with put / read. In AWS S3 there seems to be a way to implement this using IAM policies with conditions. But they also have to first give the user listing permissions for the whole bucket. |
Can we live without the list operation? is it enough to have read/write? |
@pschoen-itsc can you create a PR with customize components for kubeflow/manifests/contrib/seaweedfs ? Then we can start there with integration testing. |
/ok-to-test |
Yes, will do it tomorrow. |
@pschoen-itsc: The following tests failed, say
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
@pschoen-itsc I also want to confirm that SeaweedFS would support IAM policies that restrict object access based on key prefixes? For example, a profile might use an IAM policy that looks like this, which only allows them to read/write objects under a specific path: {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::<BUCKET_NAME>"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::<BUCKET_NAME>/artifacts/<PROFILE_NAME>/*",
"arn:aws:s3:::<BUCKET_NAME>/v2/artifacts/<PROFILE_NAME>/*"
]
}
]
} |
Object access based on key prefixes is supported. So you can set equivalent ACLs for the provided example. There is just no separation of PUT and DELETE object, just |
Currently the list operation is used by KFP at least for retrieving input artifacts. I tested this for kubeflow/manifests#2826. If you really just want to PUT and GET objects you don't need it. But that should then be in the implementation of argoexec. |
Its fine for cluster.local/ns/kubeflow/sa/ml-pipeline and other admin level service account such as the Kubeflow UI. We just need to prevent that user workloads can access other users artifacts. |
Any progress on this PR? Is slightly strange that kubeflow/manifests#2826 was merged, but this wasn't... |
@umka1332 I am still working on integration of profiles with seaweedfs, which poses some unexpected challenges. Also I wanted to contribute that to kubeflow/manifests first to complete the feature there. |
Yes we need the ACLs and user management similar to #7725 and some more cicd tests to verify that you cannot access other users artifacts, but your own. Adding this is PoC in manifests/contrib is easier and can then when it is done be merged here as well. |
Description of your changes:
Replace the old minio deployment with seaweedfs as object store. Seaweedfs is licensed under Apache 2.0 and supports ACLs inside the buckets, so you can give read / write permissions for paths only to specific users.
Checklist: