Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Users cannot create TrainedModel and inferencegraph resources #2974

Open
6 of 7 tasks
gigabyte132 opened this issue Feb 4, 2025 · 4 comments
Open
6 of 7 tasks

Users cannot create TrainedModel and inferencegraph resources #2974

gigabyte132 opened this issue Feb 4, 2025 · 4 comments
Assignees
@juliusvonkohout
Milestone
1.10

Comments

@gigabyte132
Copy link

Validation Checklist

  • Is this a Kubeflow issue?
  • Are you posting in the right repository ?
  • Did you follow the Kubeflow installation guideline ?
  • Is the issue report properly structured and detailed with version numbers?
  • Is this for Kubeflow development ?
  • Would you like to work on this issue?
  • You can join the CNCF Slack and access our meetings at the Kubeflow Community website. Our channel on the CNCF Slack is here #kubeflow-platform.

Version

1.9

Describe your issue

The default kubeflow user service account forbids users to create resources of type TrainedModel, this is useful for a bunch of serving use cases where you want to serve multiple models in the same InferenceService.

I will shortly open a PR to fix this issue as well, as it is just a matter of adding trainedmodels to the kubeflow-kserve-edit and kserve-kubeflow-view ClusterRoles in contrib/kserve/kserve/kserve_kubeflow.yaml

Versions:
kubeflow: 1.9.1
k8s: v1.30.2

Steps to reproduce the issue

As a normal kubeflow user, in multi-user mode at least, you will get the following error when trying to create a resource of type TrainedModel from inside a Notebook. the serviceaccounts default-editor and default-viewer do not currently have permissions to create/view such a resource.

Error from server (Forbidden): error when retrieving current configuration of:
Resource: "serving.kserve.io/v1alpha1, Resource=trainedmodels", GroupVersionKind: "serving.kserve.io/v1alpha1, Kind=TrainedModel"
Name: "simple-string", Namespace: "rchiores"
from server for: "model2.yaml": trainedmodels.serving.kserve.io "simple-string" is forbidden: User "system:serviceaccount:rchiores:default-editor" cannot get resource "trainedmodels" in API group "serving.kserve.io" in the namespace "rchiores"

Put here any screenshots or videos (optional)

No response
@gigabyte132 gigabyte132 mentioned this issue Feb 4, 2025
Closed
@juliusvonkohout
Copy link
Member

Please do not modify contrib/kserve/kserve/kserve_kubeflow.yaml directly. This must be fixed upstream and synchronized here with https://github.com/kubeflow/manifests/blob/master/hack/synchronize-kserve-kserve-manifests.sh. So fix it upstream first please

@gigabyte132
Copy link
Author

Closing, in favor of opening another issue upstream in kserve.

@juliusvonkohout
Copy link
Member

But lets leave it open here.

@gigabyte132
Copy link
Author

Relevant Upstream issue with PR kserve/kserve#4224 kserve/kserve#4225

@juliusvonkohout juliusvonkohout self-assigned this Feb 4, 2025
@juliusvonkohout juliusvonkohout added this to the 1.10 milestone Feb 6, 2025
@juliusvonkohout juliusvonkohout changed the title Users cannot create TrainedModel type resources Users cannot create TrainedModel and inferencegraph resources Feb 10, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@juliusvonkohout juliusvonkohout

Labels
None yet
Projects
None yet
Milestone
1.10
Development

No branches or pull requests
2 participants
@juliusvonkohout @gigabyte132