Feat: Add BentoML Yatai Stack contrib #2350
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request.
541dce4 to 7f4cd86
@@ -0,0 +1,34 @@ | |||
apiVersion: apps/v1 |
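Review bot: a DaemonSet schedules a pod on every node, so this new apps/v1 workload (the DaemonSet queried in the comment below) needs its purpose stated in the PR; since the thread later concludes it only serves Docker-based clusters that Kubeflow 1.7 no longer targets, it should either be dropped or ship with an explicit pod securityContext (runAsNonRoot, allowPrivilegeEscalation: false) and a NetworkPolicy that limits it to the registry it proxies, neither of which is visible in this hunk.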
@yetone could you please add an explanation why we need the DaemonSet? Question from Julius.
Thank you for your review, here are some of my answers, I don't know if they answer your questions.
I am confused about that. There is no docker in modern Kubernetes, only containerd, cri-o etc. They handle image pulling for you. Maybe I need a bit more details.

"Does k8s' rbac have the ability to specify the name of a resource?"

Yes it does. It is somewhere in the official kubernetes documentation. It only allows a static positive list, no wildcards or regex stuff.

"The components do not have any network access to each other, they only communicate through Bento CR"

So that means in the networkpolicy I only need to enable the ports of the webhooks of bentoml in the Kubeflow namespace to the kubernetes apiserver?

"I can also switch the image build engine to buildah, so at least I can use openshift's anyuid SCC to build the image"

So are you using even more dangerous stuff than root so far? I know that at least buildah/podman "only" need root but no additional SYS_CAP_* or privileged containers.
To be honest, oci-private-registry-proxy is for users out of the box, because most users use k8s environments (minikube, kind, k3s) with docker. So I can delete this, not install the oci registry automatically, and let users specify their own existing oci registry, but it will make the bentoml yatai stack installation a bit more troublesome because of the pre-dependencies.
I found it in the documentation, thank you, I will add the resource name
Yes, just open the conversion webhook port of yatai-deployment to k8s and that's it!
We didn't use any dangerous functions, and it feels like kaniko will work in the anyuid SCC, I'll try it out. Finally, thank you for your reply!
Also minikube, k3s etc will have to drop Docker at some point in the future. I think even GKE dropped it with Kubernetes 1.19. So if it is only relevant for ancient installations I would drop it, since we require Kubernetes 1.24+ anyway in Kubeflow 1.7. Do you have a detailed documentation of the daemonset? I think even "Docker Desktop" uses containerd nowadays.
And just that you know we are not fixed on a specific build tool. Podman and Kaniko are fine, they should just have rootless on their roadmap.
@juliusvonkohout Yes, you are right. I will delete the docker-registry and proxy
7f4cd86 to 23b7971
This looks very good. There is a typo (fech instead of fetch) and maybe use the original svg of the diagram instead of png. I am actually in favor of just adding this documentation including images to the PR, maybe in readme.md. Furthermore we got the root container security exception for Kubeflow 1.7, but you also need to document it in readme.md, and that you plan to solve it for Kubeflow 1.8+ as discussed in the release meeting yesterday. Also documenting how to use a prebuilt image from somewhere else without having to build it with root rights would be good.
23b7971 to 17ede3a
@juliusvonkohout Hi, I have updated this PR as per your valuable advice, which includes removing everything related to the docker registry and minimizing the role as much as possible
17ede3a to 966a60e
@yetone @juliusvonkohout IMHO the state of this PR is amazing! The README is one of the best we have in the whole repo. And kudos to @juliusvonkohout for driving the review and exposing the security concerns. I'm more than happy to merge this now, to make sure it's included in the release branch. As @juliusvonkohout pointed out in a Manifests WG meeting we'll also need to update the links for some images, since they are referencing data from a user repo. We've seen this causing problems multiple times in
But, again, let's merge this for now and we can fix these nits afterwards. Again, amazing work! /lgtm
Thanks, @kimwnasptd.
Either you become member or you add me and Kimonas in the owners file instead. The membership must be approved by Google which might take some time.
@@ -0,0 +1,3 @@ | |||
approvers: | |||
- yetone | |||
- yubozhao |
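Review bot: approvers listed in OWNERS are only honoured by the prow bot if they are Kubeflow org members, so yubozhao's membership should be confirmed before this file merges, or an existing member added alongside (the suggestion below adds juliusvonkohout); the file also has no reviewers: section, which is worth adding so that non-approvers can be assigned reviews.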
- yubozhao | |
- yubozhao | |
- juliusvonkohout |
@yetone could you please approve this suggestion? cc: @juliusvonkohout, @EricBentoML
Yes if you keep yubozhao he must be a member of Kubeflow as well. If you do not have any members in your company use me and @kimwnasptd
Hello Julius.
I am part of the release 1.7 team and I should already be a Kubeflow member.
/lgtm
/verify-owners
966a60e to 32e759f
/verify-owners
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: kimwnasptd, yetone, yubozhao. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Design Proposal
Why BentoML
User Stories
Goal: From simple Python module to distributed Kubernetes deployment.
Consider the following common ML services that involve custom pre- and post-processing logic and inference of multiple models.
Developing on Kubeflow Notebook
Deploying to Kubernetes
Users can deploy bentos to the K8s cluster in one of the following three ways.
Kubernetes Python Client
Users can deploy bentos through Kubeflow Notebook with the Kubernetes Python client.
kubectl
BentoML offers two options to deploy bentos directly to the Kubernetes cluster through kubectl and the BentoRequest, Bento, and BentoDeployment CRDs.
The first option relies on yatai-image-builder to build the OCI image. Users need to create a BentoRequest CR and a BentoDeployment CR to deploy a bento. In the BentoDeployment CR, the name of the bento should be defined as the name of the BentoRequest CR. If that Bento CR is not found, yatai-deployment will look for the BentoRequest CR with the same name and wait for it to generate the Bento CR. This option builds the OCI image by spawning a pod that runs the Kaniko build tool. However, Kaniko requires root user access. If root user access is not available, consider the second option below.
The second option relies on the users to provide a URI to the pre-built OCI image of the bento. Users need to manually create a Bento CR with the image field set to the pre-built OCI image URI, then create a BentoDeployment CR that references the Bento CR previously created.
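An added example (not code from the PR or the Yatai project) of the second, root-free option driven from the Kubernetes Python client: it builds a Bento CR with a pre-built image, a BentoDeployment CR that references it by name, and a preflight check that catches the mismatches which would make yatai-deployment fall back to a BentoRequest build. The CRD group/version/plural values and the digest-pinning check are assumptions, not something the PR states.

```python
"""Added example (not code from the PR or the Yatai project): build the Bento and
BentoDeployment CRs for the pre-built-image option and preflight them."""
from typing import Any, Dict, List

# Assumed CRD group/version/plural names; verify against the CRDs you installed.
BENTO_API = ("resources.yatai.ai", "v1alpha1", "bentos")
DEPLOY_API = ("serving.yatai.ai", "v2alpha1", "bentodeployments")

def bento_cr(name: str, namespace: str, image: str, tag: str) -> Dict[str, Any]:
    """Bento CR whose spec.image is an already-built OCI image (no Kaniko build)."""
    return {"apiVersion": "/".join(BENTO_API[:2]), "kind": "Bento",
            "metadata": {"name": name, "namespace": namespace},
            "spec": {"tag": tag, "image": image}}

def bento_deployment_cr(name: str, namespace: str, bento: str) -> Dict[str, Any]:
    """BentoDeployment CR; spec.bento must equal the Bento CR's metadata.name."""
    return {"apiVersion": "/".join(DEPLOY_API[:2]), "kind": "BentoDeployment",
            "metadata": {"name": name, "namespace": namespace},
            "spec": {"bento": bento, "ingress": {"enabled": False}}}

def preflight(bento: Dict[str, Any], deploy: Dict[str, Any]) -> List[str]:
    """List what would make yatai-deployment fall back to a BentoRequest (i.e. a
    root Kaniko build) or deploy an image other than the one you vetted."""
    issues = []
    if deploy["spec"].get("bento") != bento["metadata"]["name"]:
        issues.append("BentoDeployment.spec.bento does not name this Bento CR")
    if deploy["metadata"]["namespace"] != bento["metadata"]["namespace"]:
        issues.append("Bento and BentoDeployment are in different namespaces")
    image = bento["spec"].get("image", "")
    if not image:
        issues.append("Bento.spec.image is empty: a BentoRequest build would be needed")
    elif "@sha256:" not in image:
        # Added supply-chain check, not a Yatai rule: pin the image by digest so the
        # artifact that was scanned and approved is exactly the one that runs.
        issues.append("Bento.spec.image is not digest-pinned")
    return issues

def apply_crs(bento: Dict[str, Any], deploy: Dict[str, Any]) -> None:
    """Create both CRs with the Kubernetes Python client (needs a kubeconfig)."""
    from kubernetes import client, config  # imported lazily so preflight runs offline
    config.load_kube_config()
    api = client.CustomObjectsApi()
    for (group, version, plural), body in ((BENTO_API, bento), (DEPLOY_API, deploy)):
        api.create_namespaced_custom_object(
            group, version, body["metadata"]["namespace"], plural, body)
```

Run preflight on the two dicts first and only call apply_crs when it returns an empty list; the registry host and digest in any real call are yours to fill in.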
Kubeflow Pipeline Component
This option will be available in Kubeflow release 1.8.
Verification
The following installation and testing steps demonstrate how to install the Yatai components and deploy bentos through kubectl with the BentoRequest and BentoDeployment CRDs.
Installation
Install with the kustomize command:
Test
Create the Bento CR and BentoDeployment CR:
Verifying that the bento deployment is running:
The output of the above command should be like this:
Verifying that the bento service is created:
The output of the above command should look like this:
Port-forwarding the bento service:
Finally you can test the bento service with the curl command:
The output should be: