Azure / kubeflow-aks

Official repository for the Kubeflow on Azure and AKS project
https://azure.github.io/kubeflow-aks/main/
MIT License

Allow AKS to create istio side car in Kubeflow namespace #18

Closed wadhah101 closed 1 year ago

wadhah101 commented 1 year ago

Currently Istio is not able to inject sidecars into pods in the kubeflow namespace due to the auto-injection of this rule within MutatingWebhookConfiguration - istio-sidecar-injector:

    - key: control-plane
      operator: DoesNotExist

and the Kubeflow namespace contains the annotation control-plane: kubeflow, which makes the webhook ignore it.

This breaks the destination rules containing

    tls:
      mode: ISTIO_MUTUAL

Even with TLS properly configured, the notebooks and other pages can't be reached

More detail can be found in this issue https://github.com/kubeflow/pipelines/issues/5244 and https://learn.microsoft.com/en-us/azure/aks/faq#can-i-use-admission-controller-webhooks-on-aks

This can be solved by adding the following annotation: admissions.enforcer/disabled: "true"

    apiVersion: admissionregistration.k8s.io/v1
    kind: MutatingWebhookConfiguration
    metadata:
      annotations:
        admissions.enforcer/disabled: "true"
      name: istio-sidecar-injector

More details are mentioned in this comment: https://github.com/kubeflow/pipelines/issues/5244#issuecomment-844144159

Should I add this within the TLS docs? Should I create a patch to solve this and instructions to apply it within the TLS doc?
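The selector behaviour described in the comment above, as an added example that is not part of the original post or the project's code: it evaluates a webhook namespaceSelector with Kubernetes label-selector semantics, treating control-plane: kubeflow as a namespace label since that is what a namespaceSelector matches on. The istio-injection requirement and the user-namespace labels are constructed assumptions; only the control-plane rule comes from the issue.

```python
# Added example: does a webhook's namespaceSelector still select a namespace
# once the control-plane/DoesNotExist rule is present? Sample data is constructed.

def expr_matches(expr, labels):
    """Evaluate one matchExpressions requirement against namespace labels."""
    key, op = expr["key"], expr["operator"]
    values = expr.get("values", [])
    if op == "In":
        return key in labels and labels[key] in values
    if op == "NotIn":  # an absent key also satisfies NotIn
        return key not in labels or labels[key] not in values
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    raise ValueError(f"unknown operator: {op}")

def selector_matches(selector, labels):
    """All requirements are ANDed; an empty selector matches every namespace."""
    for k, v in selector.get("matchLabels", {}).items():
        if labels.get(k) != v:
            return False
    return all(expr_matches(e, labels)
               for e in selector.get("matchExpressions", []))

def blocking_expressions(selector, labels):
    """Return the requirements that exclude this namespace from the webhook."""
    return [e for e in selector.get("matchExpressions", [])
            if not expr_matches(e, labels)]

# Assumed injector selector before the rule is added (constructed).
ORIGINAL = {"matchExpressions": [
    {"key": "istio-injection", "operator": "In", "values": ["enabled"]}]}
# The rule quoted in the issue.
AKS_RULE = {"key": "control-plane", "operator": "DoesNotExist"}
ENFORCED = {"matchExpressions": ORIGINAL["matchExpressions"] + [AKS_RULE]}

# Constructed namespace labels.
KUBEFLOW_NS = {"control-plane": "kubeflow", "istio-injection": "enabled"}
USER_NS = {"istio-injection": "enabled"}

if __name__ == "__main__":
    for name, labels in (("kubeflow", KUBEFLOW_NS), ("user-ns", USER_NS)):
        ok = selector_matches(ENFORCED, labels)
        print(f"{name}: injected={ok} blocked_by={blocking_expressions(ENFORCED, labels)}")
```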

mosabami commented 1 year ago

This can be closed as it was fixed in v1.7.0 @wadhah101. Thanks for your comment.