skonto
commented
3 days ago Hi @A923357 I recommend that you ask first at the KServe side. The virtual service Knative touches is the one it generates, cc @ReToCode in case I missed something. Btw I suspect you could debug this by using raw deployments at the KServe side (instead of serverless mode) and see how things work the reconciliation. In any case pls ask Kserve community providing mode details about the resources touched.
ReToCode
Hello everyone,
I'm working on creating an OAuth 2.0 service using Kubeflow, Istio, and KServe. As part of this setup, I need to add a custom response header to my Istio VirtualService, which is managed by a KServe InferenceService. Additionally, I've configured an Istio EnvoyFilter to handle invalid tokens by converting 302 redirects into appropriate 40X error codes.
Initially, everything works perfectly—the custom header is added, and invalid tokens are handled correctly without causing 302 redirects. However, after a few hours, I notice that:
My questions are:
Is Knative-KServe reconciliation the reason why my VirtualService configuration is being overridden?
If so, how can I prevent Knative from overwriting my custom VirtualService configurations, such as adding a custom response header and maintaining the EnvoyFilter settings?
Are there best practices or recommended approaches to persist custom Istio configurations when using Knative and KServe?
I've also posted this issue in the KServe repository but wanted to reach out here for additional insights and assistance.
Any guidance or suggestions on how to resolve this issue would be greatly appreciated!
Thank you for your help.
- knative-serving version: 1.8.1