Closed jaffe-fly closed 2 weeks ago
by my test, in my-profile
ns notebook,
from kfp import dsl
from kfp.client import Client
import kfp
token=""
filename="/run/secrets/kubeflow/pipelines/token"
with open(filename, 'r') as file:
token = file.read().rstrip()
print(client.get_kfp_healthz())
will get error
kfp_server_api.exceptions.ApiException: (401)
Reason: Unauthorized
HTTP response headers: HTTPHeaderDict({'www-authenticate': 'Bearer realm="http://ml-pipeline.kubeflow.svc:8888/apis/v2beta1/healthz", error="invalid_token"', 'content-length': '28', 'content-type': 'text/plain', 'date': 'Sun, 28 Jul 2024 04:26:49 GMT', 'server': 'envoy', 'x-envoy-upstream-service-time': '0'})
HTTP response body: Jwt issuer is not configured
client = Client(host="http://ml-pipeline.kubeflow.svc:8888")
print(client.get_kfp_healthz())
# print(client.list_experiments())
our_namespace=client.get_user_namespace()
print(our_namespace)
its ok,this will get
{'multi_user': True}
my-profile
client = Client(host="http://ml-pipeline.kubeflow.svc:8888")
print(client.get_kfp_healthz())
print(client.list_experiments())
will get Jwt issuer is not configured
error
client = Client()
print(client.get_kfp_healthz())
will get Jwt issuer is not configured
error
dont know why
@jaffe-fly could you provide some more information about
oauth2-proxy
components from upstream manifests https://github.com/kubeflow/manifests/tree/master/common/oidc-client/oauth2-proxy/componentsMy hunch is that because in 1.9 Istio must be able to parse the JWT tokens in Authorization: Bearer <>
headers, you are getting this error because you don't have a RequestAuthorization
object in your cluster to tell Istio how to parse JWTs issued by K8s
https://github.com/kubeflow/manifests/blob/v1.9.0/apps/pipeline/upstream/base/installs/multi-user/istio-authorization-config.yaml#L36-L38
@jaffe-fly could you provide some more information about
- how you installed Kubeflow
- Are you using any of the
oauth2-proxy
components from upstream manifests https://github.com/kubeflow/manifests/tree/master/common/oidc-client/oauth2-proxy/componentsMy hunch is that because in 1.9 Istio must be able to parse the JWT tokens in
Authorization: Bearer <>
headers, you are getting this error because you don't have aRequestAuthorization
object in your cluster to tell Istio how to parse JWTs issued by K8s https://github.com/kubeflow/manifests/blob/v1.9.0/apps/pipeline/upstream/base/installs/multi-user/istio-authorization-config.yaml#L36-L38
install kubeflow from [manifests](https://github.com/kubeflow/manifests)
with Install with a single command
,
while ! kustomize build example | kubectl apply -f -; do echo "Retrying to apply resources"; sleep 20; done
here installed oauth2-proxy
so How should I configure it?
i am having the same issue even after updating AuthorizationPolicy manifest
/transfer manifests
Cc @kromanow94
See also https://github.com/kubeflow/manifests/issues/2832
Please try with Kind first as detailed in the readme. And read our internal oauth2-proxy documentation in kubeflow/manifests/common/oauth2-proxy
@kimwnasptd was correct, in my case (RKE cluster with a non-compliant OIDC setup).
I was able to resolve this issue by manually adding the JWKS public key for my cluster to the RequestAuthentication manifest for machine-to-machine authentication. The m2m cron job should do this normally.
Hey everyone, I am not sure why a CronJob was ever used for this purpose.
We will implement it in the next patch release.
Closed in favor of https://github.com/kubeflow/manifests/issues/2850
Environment
k8s version v1.29.5
How do you deploy Kubeflow Pipelines (KFP)? use kubeflow manifests deploy 1master branch
git log -1
Steps to reproduce
follow this link https://www.kubeflow.org/docs/components/pipelines/user-guides/core-functions/connect-api/#full-kubeflow-subfrom-inside-clustersub
in
my-profile
namespace of kubeflow,and in notebookconfigurations
have add pipeline access token, code isget following errpr:
my
poddefault
ismy
RoleBinding
isExpected result
Materials and reference
Labels
Impacted by this bug? Give it a 👍.