support separate pipeline for each namespace #4197
Comments
|
FYI, in existing to be released KF 1.1, pipeline runs are already in user namespaces. but the static pipeline yaml files are not separated. Do you want this additionally? |
|
Related to #1223 |
|
There are more clarification in #1223 (comment). If you agree with the proposal in #1223 (comment), can you rephrase your description to just focus on pipeline resource for this issue. |
|
I think the pipeline yaml files should be supported also for E2E separation. Thanks. Already upvote in #1223 . |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
stale
bot
added
the
lifecycle/stale
|
/frozen |
stale
bot
removed
the
lifecycle/stale
|
Sorry, I'm kind of oversubscribed because of extra Kubeflow duties recently, so I may not be able to take this issue soon. Leaving my previous thoughts about this: For use-case context: some users want full separation of pipelines, and some want no separation. The distinction is mostly organization culture and I think both requests are valid. So I think a MVP UX I can imagine that satisfies both is to:
Benefits:
Probably there are cases I haven't fully thought through. I'd suggest anyone who's willing to push this issue forward to do the following:
|
|
/cc @yanniszark |
|
and |
Do we want user to upload their pipeline to share space? Should they use Managed Contributor instead like we did for experiments and runs?
Pipeline schema doesn't have namespace concept yet. seamless migration here means implicitly migration, right? for all previous pipeline, we can think they have all empty namespace |
Some customers I worked with prefer this shared space though. A problem with manage contributor is that, they want to take a pipeline from shared space and run it in their own namespace. This will not be possible with adding contributors. (It might be a good idea, to allow specifying pipelines in other users' namespace and KFP backend checks for that permission like contributors. Is that what you are proposing?)
If we do not introduce the shared pipeline concept, then we either need to figure out which pipeline belongs to which namespace or make all past pipelines inaccessible after an upgrade. This is fairly tricky to deal with. |
Got it, they like to "folk" the pipeline into their own namespace. Managed contributor can only manage pipeline between users but not able to public to all. I think this makes sense.
I think what you propose is a simple and better way to support isolated and shared pipelines.
I notice UI actually determine namespace from centralboard. pipelines/frontend/src/lib/KubeflowClient.tsx Lines 23 to 33 in 935a9b5 Do you think it's better to figure out username and corresponding namespace via headers and KFAM? With this we can decouple centraldashboard from KFP. I think multi-user KFP can be used separated with Central dashboard. (probably only need KFAM profile and istio) |
|
Regarding namespace selector, I think the topic was brought up before too, if we plan to let KFP support multi user mode without central dashboard, we can build a namespace selector similar to the one in centraldashboard. It won't be so much effort on the UI side (it was designed to be very decoupled in UI code from the beginning). Regarding to KFAM, we have decided to deprecate it, @elikatsis has sent out a PR a few days ago: #4723. Let's move related discussion to that PR, and keep discussion here focused on separating pipeline resources. |
Shall we have Namespace in pipeline_versions schema? For example I see Description is in pipelines but not in pipeline_versions. Not sure what is the criteria to decide here, but seems users are not allowed to edit or change pipelines once loaded, right?
A config option shall allow organizations to enable/disable the possibility pipelines can be public. Where do you think this config can be set (DB, configMap, config.json)? |
Versions are sub resources of pipelines, so they should be in the same namespace of the pipeline. Description was more of an unfinished migration to version API, ideally we should have description field on versions too.
You should use viper to get this config like other configs in API server, so that it will be configurable via config map, config.json or env var directly. |
I hope you can see that Maybe the one day off is the European time difference. |
|
@chensun @james-jwu @zijianjoy Following up from our discussion about namespaced pipelines during last week's community meeting, here is a design doc that details our proposal: https://docs.google.com/document/d/1fM4y2L1IVqVj-iiNjYFRRktdCh7FQXgU2XpaYLaqt-A/edit?usp=sharing&resourcekey=0-kd5loyP7w3PBD0ug6ECmLQ Note that this doc is about supporting uploading and viewing namespaced pipeline definitions. Dealing with artifacts isolation is not part of this effort and is something @juliusvonkohout is working on. Please take a look and let me know if you agree with the plan! Happy to discuss and iterate. |
I had to request access, are you sure that is is properly public? |
|
@juliusvonkohout Indeed I had pasted the wrong link, sorry for that. I amended my comment above. Here is the correct link again https://docs.google.com/document/d/1fM4y2L1IVqVj-iiNjYFRRktdCh7FQXgU2XpaYLaqt-A/edit?usp=sharing&resourcekey=0-kd5loyP7w3PBD0ug6ECmLQ |
This looks very good. I hope you can merge it soon. The sooner it is merged, the sooner we can modify it for minio namespace isolation. |
|
@juliusvonkohout Thanks for the kind words. Let's wait for feedback from the KFP folks :) |
I have tried to incorporate some answers to the questions in the community meeting and enabled commenting. You can also reach me via slack. |
|
Minio and pipeline definition per namespace isolation is planned for the future and was the main talking point of the last pipeline community meeting. James Liu @zijianjoy wants to split it into multiple PRs.
In total this would yield a rather pleasant multi-user enterprise-level readiness. The next big step would then to repair the insecure namespace sharing ("Manage contributors" in the UI). Currently it can be easily exploited to access other users namespaces even after they have removed you as contributor or removed you completely from the kubeflow instance (e.g. employee leaving the company). The reason is that serviceaccounts and secrets are not recreated when removing contributors. |
|
I have something elegant and mergeable ready #7725 |
|
Hi there, are namespaced pipelines something the community still wants to support? Can we at least support the namespace param when uploading pipelines and pipeline versions in the python SDK? It would be really useful for our use case Thanks |
You need to ask @StefanoFioravanzo and attend the KFP meeting on Wednesday |
|
@hanakawamomo @juliusvonkohout Hi! Please see #8196. The PR include the backend and client changes to support namespaced pipelines. As soon as that one gets merges, we will open a PR that includes the UI changes described in the doc #4197 (comment) |
|
During the preparation of the frontend PR, which as mentioned above depends on merging #8196, we realized a better UX on a specific part. If you take a look at the Frontend part of the design doc you will notice a screenshot corresponding to the "Upload pipeline or pipeline version" page. When uploading a new pipeline version, the decision on whether it will be private or shared is implicitly taken and its dependent on the parent pipeline. Thus, the toggle
However, upon choosing a pipeline to upload a new version for, we can improve the UX dramatically by showing whether it's "Private" or "Shared". To unlock this better UX, we need to be able to tell whether a pipeline belongs in a namespace or not. For this reason, we decided to also augment the API response for a Pipeline to include the namespace as a resource reference, identically to what happens with Experiments (source). The change is pretty trivial, we have the PR on its way and I'll edit this comment to link to it: #8375 cc @jlyaoyuli @zijianjoy @chensun @Linchin @juliusvonkohout @StefanoFioravanzo |
That sounds very reasonable |
…8511) * feat(backend) Fix authentication in upload requests Fix the way KFP API server authenticates pipeline upload requests. We leverage 'isAuthenticated()` function which requires proper initialization of the context object to include user identity. * feat(backend): Add namespace field in pipeline upload swagger definition Extend swagger defintion of the pipeline upload API with a namespace parameter in order to support uploading namespaced pipelines. * chore(backend): Generate Go & Python clients Autogenerate the Go and Python clients after extending the swagger definitions of upload pipeline APIs with a namespace field.
…ow#4197 (kubeflow#8511) * feat(backend) Fix authentication in upload requests Fix the way KFP API server authenticates pipeline upload requests. We leverage 'isAuthenticated()` function which requires proper initialization of the context object to include user identity. * feat(backend): Add namespace field in pipeline upload swagger definition Extend swagger defintion of the pipeline upload API with a namespace parameter in order to support uploading namespaced pipelines. * chore(backend): Generate Go & Python clients Autogenerate the Go and Python clients after extending the swagger definitions of upload pipeline APIs with a namespace field.
EDIT from @Bobgy: This issue got 47 upvotes when requesting user feedback: #1223 (comment).
Proposed change
Currently with 1.0.2 version, Kubeflow Deployment with kfctl_k8s_istio shares pipelines for all namespaces defined in user profile. Separate pipeline support for each namespace is needed because the multi-user notebook server separation is already supported. It is natural to support pipeline separation.
Alternative options
NA
Who would use this feature?
A lot of enterprises will benefit from this feature as allocating different namespaces to different teams is a common practice in Kubernetes and resources in existing namespaces can be effectively used.
Suggest a solution
NA
The text was updated successfully, but these errors were encountered: