Closed NohaIhab closed 10 months ago
The issue here is that the jupyter-controller pod does not have an Istio sidecar, so it is not using mTLS authentication. mTLS is needed because the AuthorizationPolicy specifies a `source.principal`; from the Istio docs:
> This field requires mTLS enabled

This issue is related to https://github.com/canonical/kfp-operators/issues/355
What is blocking the Culling is specifically this rule in the AuthorizationPolicy applied by `kubeflow-profiles` workload:
```yaml
- from:
  - source:
      principals:
      - cluster.local/ns/kubeflow/sa/jupyter-controller
  to:
  - operation:
      methods:
      - GET
      paths:
      - '*/api/kernels'
```
To fix this, we need a rule that doesn't check on the source of the request, so the new rule should be:
```yaml
- to:
  - operation:
      methods:
      - GET
      paths:
      - '*/api/kernels'
```
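The rule matching described in the comment above, modeled as an added example (not code from the issue or from Istio): a simplified matcher showing that a request with no mTLS peer identity can never satisfy a `principals` condition, while the rule without `from` matches any caller. The request path and the `OTHER` principal are constructed sample values.

```python
# Simplified model of Istio ALLOW-rule matching (illustration, not Istio's code).
from dataclasses import dataclass
from typing import Optional

CONTROLLER = "cluster.local/ns/kubeflow/sa/jupyter-controller"
OPERATION = {"methods": ["GET"], "paths": ["*/api/kernels"]}
# Rule currently applied: requires an mTLS-authenticated source principal.
RULE_WITH_PRINCIPAL = {"from": [{"source": {"principals": [CONTROLLER]}}],
                       "to": [{"operation": OPERATION}]}
# Proposed rule: no source condition at all.
RULE_WITHOUT_SOURCE = {"to": [{"operation": OPERATION}]}

@dataclass
class Request:
    method: str
    path: str
    principal: Optional[str]  # peer identity from mTLS; None when sent in plaintext

def str_match(pattern: str, value: str) -> bool:
    """Istio-style match: '*' = present, '*x' = suffix, 'x*' = prefix, else exact."""
    if pattern == "*":
        return value != ""
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def source_matches(source: dict, req: Request) -> bool:
    principals = source.get("principals")
    if principals is None:
        return True
    # Without mTLS there is no peer identity, so no principal can match.
    return req.principal is not None and any(str_match(p, req.principal) for p in principals)

def operation_matches(op: dict, req: Request) -> bool:
    return (req.method in op.get("methods", [req.method])
            and any(str_match(p, req.path) for p in op.get("paths", ["*"])))

def rule_matches(rule: dict, req: Request) -> bool:
    sources = [f["source"] for f in rule.get("from", [])]
    operations = [t["operation"] for t in rule.get("to", [])]
    return ((not sources or any(source_matches(s, req) for s in sources))
            and (not operations or any(operation_matches(o, req) for o in operations)))

# Constructed sample requests to a notebook's kernels endpoint.
PATH = "/notebook/user-ns/my-nb/api/kernels"
NO_SIDECAR = Request("GET", PATH, None)          # jupyter-controller without a sidecar
WITH_SIDECAR = Request("GET", PATH, CONTROLLER)  # same pod if it had a sidecar
OTHER = Request("GET", PATH, "cluster.local/ns/other/sa/default")  # unrelated workload
```

Because the rule without `from` matches every source, it allows `GET` on `*/api/kernels` from any workload that can reach the notebook, not only the jupyter-controller.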
Bug Description
Notebook Culling is not working after upgrading the `kubeflow-profiles` image to `1.8.0-rc.2` in PR https://github.com/canonical/kubeflow-profiles-operator/pull/155, due to the AuthorizationPolicy applied in the profile's namespaces being:
To Reproduce
Environment
juju 3.1/stable
microk8s 1.25-strict/stable
Relevant log output
Additional context
No response