feat(backend): mount EmptyDir volumes for launcher write locations #10538
Conversation
Launcher writes input artifacts to root paths /gcs, /minio, and /s3. These paths are not accessible by non-root users by default, which is problematic in locked-down Kubernetes installations and/or OpenShift. /gcs is currently a contract for KFP v2 python component wrappers, so the path cannot be changed. Mount an EmptyDir scratch volume to these paths to work around this.

Additionally, /.local and /.cache are written to by pip, so add EmptyDir mounts for those too.

Fixes: kubeflow#5673
Fixes: kubeflow#7345
Thanks @gregsheremeta, just wondering, is there any way we can reduce the amount of the volume mount definition? Due to the k8s yaml size limitation, we won't be able to fit more tasks if the individual container definition is too big.
/ok-to-test
@gregsheremeta You also need to update the unit tests because you modified the container spec in this PR.
@Tomcli Maybe add a condition to mount one of the 3 possible options?
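The two approaches discussed above (the PR description's "mount EmptyDir at every launcher write location" and the reviewer's "mount only the one store root that is actually needed") are illustrated by the following added Go example. It is not code from the kubeflow/pipelines backend: the `Volume`/`VolumeMount` structs are trimmed-down stand-ins for the Kubernetes core/v1 types so that it builds with the standard library alone, the `kfp-launcher-` volume-name prefix and the `ScratchMountsFor`/`MissingMounts`/`SpecBytes` names are assumptions, and the pipeline root URIs are constructed inputs. `MissingMounts` is the check a practitioner would run over a generated container spec to confirm every path the launcher writes to is backed by a mount, and `SpecBytes` makes the size concern from the review measurable.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// Volume and VolumeMount are trimmed-down stand-ins for the Kubernetes
// core/v1 types (assumption: only the fields used here), so the file builds
// with the standard library alone; use k8s.io/api/core/v1 in real code.
type Volume struct {
	Name     string   `json:"name"`
	EmptyDir struct{} `json:"emptyDir"` // serializes as "emptyDir": {}
}

type VolumeMount struct {
	Name      string `json:"name"`
	MountPath string `json:"mountPath"`
}

// schemeRoots maps a pipeline-root URI scheme to the root path the launcher
// writes input artifacts under. /gcs is a contract for the v2 python
// component wrappers, so the paths themselves cannot be changed.
var schemeRoots = map[string]string{"gs": "/gcs", "s3": "/s3", "minio": "/minio"}

// pipPaths are written by pip regardless of the artifact store.
var pipPaths = []string{"/.local", "/.cache"}

// volumeName derives a volume name from a mount path, e.g. "/.local" ->
// "kfp-launcher-local". The prefix is an assumption, not the project's.
func volumeName(path string) string {
	return "kfp-launcher-" + strings.NewReplacer("/", "", ".", "").Replace(path)
}

func scratchMounts(paths []string) ([]Volume, []VolumeMount) {
	vols := make([]Volume, 0, len(paths))
	mounts := make([]VolumeMount, 0, len(paths))
	for _, p := range paths {
		n := volumeName(p)
		vols = append(vols, Volume{Name: n})
		mounts = append(mounts, VolumeMount{Name: n, MountPath: p})
	}
	return vols, mounts
}

// AllScratchMounts mounts every launcher write location (the PR's approach).
func AllScratchMounts() ([]Volume, []VolumeMount) {
	return scratchMounts(append([]string{"/gcs", "/minio", "/s3"}, pipPaths...))
}

// ScratchMountsFor mounts only the store root matching the pipeline root's
// scheme, plus the pip paths (the reviewer's suggestion). An unknown scheme
// is rejected rather than silently leaving the launcher without a writable root.
func ScratchMountsFor(pipelineRoot string) ([]Volume, []VolumeMount, error) {
	u, err := url.Parse(pipelineRoot)
	if err != nil {
		return nil, nil, fmt.Errorf("parse pipeline root: %w", err)
	}
	root, ok := schemeRoots[u.Scheme]
	if !ok {
		return nil, nil, fmt.Errorf("pipeline root %q: unsupported scheme %q", pipelineRoot, u.Scheme)
	}
	vols, mounts := scratchMounts(append([]string{root}, pipPaths...))
	return vols, mounts, nil
}

// MissingMounts reports which write locations no mount covers (exact path or
// an ancestor directory): the check to run against a generated pod spec.
func MissingMounts(mounts []VolumeMount, writePaths []string) []string {
	var missing []string
	for _, w := range writePaths {
		covered := false
		for _, m := range mounts {
			mp := strings.TrimSuffix(m.MountPath, "/")
			if w == mp || strings.HasPrefix(w, mp+"/") {
				covered = true
				break
			}
		}
		if !covered {
			missing = append(missing, w)
		}
	}
	sort.Strings(missing)
	return missing
}

// SpecBytes is the serialized size of the volume definitions, the quantity
// that competes with task count under the Kubernetes object size limit.
func SpecBytes(vols []Volume, mounts []VolumeMount) int {
	b, _ := json.Marshal(map[string]interface{}{"volumes": vols, "volumeMounts": mounts})
	return len(b)
}

func main() {
	vols, mounts, err := ScratchMountsFor("s3://my-bucket/pipelines") // constructed input
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(map[string]interface{}{"volumes": vols, "volumeMounts": mounts}, "", "  ")
	fmt.Println(string(out))
	fmt.Println("missing:", MissingMounts(mounts, []string{"/s3", "/.local", "/.cache"}))
	av, am := AllScratchMounts()
	fmt.Printf("bytes: all=%d selective=%d\n", SpecBytes(av, am), SpecBytes(vols, mounts))
}
```

The selective variant cuts two volume/mount pairs per launcher container, which is what the reviewer's size concern is about, at the cost of tying the mount set to the pipeline root; `MissingMounts` against `{"/gcs", "/minio", "/s3"}` makes that trade-off explicit for whichever variant a deployment chooses.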
This will not solve the
BTW: where/how do I tell Kubeflow which launcher image to use?
That's because the root cause for the original error is that the installer creates
Brief Demo

```console
$ docker run --rm -it alpine
/ # adduser -D demo
/ # su - demo
05decfa077fd:~$ mkdir -m 0644 demo
05decfa077fd:~$ mkdir demo/test
mkdir: can't create directory 'demo/test': Permission denied
05decfa077fd:~$
/ # mkdir /home/demo/demo/test
/ # ls -lR /home/demo
/home/demo:
total 4
drw-r--r--    3 demo     demo          4096 Apr 14 11:16 demo
/home/demo/demo:
total 4
drwxr-xr-x    2 root     root          4096 Apr 14 11:16 test
/home/demo/demo/test:
total 0
/ #
```

BTW, that also explains why creating alternate images with world-read-write
I tracked this down by mounting a PVC at
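The transcript above shows the mechanism behind the permission failure: a directory created with mode 0644 has no execute (search) bit, so even its owner cannot create entries in it, while root succeeds because it bypasses discretionary access control. The following added Go example (not code from the comment author or from kubeflow/pipelines) reproduces that rule as a pure predicate, `CanCreateEntry`, and then probes a real temporary directory with `ProbeMkdir` to compare the prediction against what the kernel does for the current user. The `Class` type and both function names are assumptions introduced here.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// Class is the caller's relation to the directory, as the kernel selects
// the owner, group or other triplet of permission bits.
type Class int

const (
	Owner Class = iota
	Group
	Other
)

// CanCreateEntry reports whether a process of the given class may create a
// file or subdirectory inside a directory with permission bits perm.
// Creating an entry needs write (to modify the directory) and execute/search
// (to traverse it); euid 0 bypasses DAC, which is why root's mkdir in the
// transcript succeeds where the demo user's fails.
func CanCreateEntry(perm fs.FileMode, class Class, euid int) bool {
	if euid == 0 {
		return true
	}
	shift := map[Class]uint{Owner: 6, Group: 3, Other: 0}[class]
	bits := (perm.Perm() >> shift) & 0o7
	const write, exec = 0o2, 0o1
	return bits&write != 0 && bits&exec != 0
}

// ProbeMkdir creates a temporary directory with mode perm, tries to create a
// subdirectory inside it as the current user, and returns whether that worked
// alongside the prediction from CanCreateEntry (the caller owns the temp dir,
// so the Owner class applies).
func ProbeMkdir(perm fs.FileMode) (created bool, predicted bool, err error) {
	dir, err := os.MkdirTemp("", "kfp-perm-demo-")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(dir)
	if err := os.Chmod(dir, perm); err != nil {
		return false, false, err
	}
	mkErr := os.Mkdir(filepath.Join(dir, "test"), 0o755)
	_ = os.Chmod(dir, 0o755) // restore search/write bits so cleanup can run
	predicted = CanCreateEntry(perm, Owner, os.Geteuid())
	switch {
	case mkErr == nil:
		return true, predicted, nil
	case errors.Is(mkErr, fs.ErrPermission):
		return false, predicted, nil
	default:
		return false, predicted, mkErr
	}
}

func main() {
	for _, perm := range []fs.FileMode{0o644, 0o755} {
		created, predicted, err := ProbeMkdir(perm)
		if err != nil {
			panic(err)
		}
		fmt.Printf("mode %04o as uid %d: mkdir ok=%v predicted=%v\n",
			perm, os.Geteuid(), created, predicted)
	}
}
```

Run as a non-root user, `ProbeMkdir(0o644)` reports `created=false predicted=false`, matching the `Permission denied` in the transcript; run as root both are `true`, which is the case that hides this class of bug until the workload is moved to a non-root UID.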
This fix was introduced in KFP 2.0.2
Yes, I'm well aware. GitHub shows that quite prominently.
BUT, that doesn't really help me or answer my question.
Kubeflow 1.7 comes with an alpha release of KFP. You should either fully upgrade your kubeflow installation to 1.8 or you can upgrade kfp individually. Just a reminder that if you choose the latter one, you need to use the multi-user manifests, as you probably deployed Kubeflow w/ multi-user support.
I guess I wasn't sufficiently clear, when I said I have to use Kubeflow 1.7. My re-stated question becomes: as a Kubeflow user, can I somehow instruct BTW, I can use custom images for my pipeline stages with world-read-write
If, and only if, you upgrade your KFP installation to at least 2.0.5 release, you can parametrize the launcher and driver images.
I see. Thanks for the info, and your patience! 😏 Given that the code changes you linked appear to be
Yes, this is not a simple SDK upgrade or code changes. You will need to upgrade your entire KFP installation.
@rimolive can you please describe a hotfix for how I can use this patch with kubeflow 1.8.1. Because for now kfp is not usable :(
FYI, this comment describes a short term solution (that depends on kyverno): #10397 (comment)
@gregsheremeta is currently out; due to the expressed urgency and prioritization of this, I'm picking this PR up here: #10857. Please forward any further discussions to the PR above. I'll bring this up in the next KFP call as well if it is not merged by then.
/close
@HumairAK: Closed this PR.